43.5.2. Comparing SELinux and Standard Linux User Identities

SELinux maintains its own user identity for processes, separately from Linux user identities. In the targeted policy (the default for Red Hat Enterprise Linux), only a minimal number of SELinux user identities exist:

system_u — System processes
root — System administrator
user_u — All login users

Use the semanage user -l command to list SELinux users:

[root@dhcp-133 ~]# semanage user -l
                             Labeling    MLS/                 MLS/
SELinux User        Prefix        MCS Level        MCS Range        SELinux Roles
root                      user           s0                      s0-s0:c0.c1023    system_r sysadm_r user_r
system_u              user           s0                      s0-s0:c0.c1023    system_r
user_u                  user           s0                      s0-s0:c0.c1023    system_r sysadm_r user_r

Refer to Section 43.8.3, “Understanding the Users and Roles in the Targeted Policy” for more information about SELinux users and roles.

SELinux Logins

One of the properties of targeted policy is that login users all run in the same security context. From a TE point of view, in targeted policy, they are security-equivalent. To effectivly use MCS, however, we need to be able to assign different sets of categories to different Linux users, even though they are all the same SELinux user (user_u). This is solved by introducing the concept of an SELinux login. This is used during the login process to assign MCS categories to Linux users when their shell is launched.

Use the semanage login -a command to assign Linux users to SELinux user identities:

# semanage login -a james
# semanage login -a daniel
# semanage login -a olga

Now when you list the SELinux users, you can see the Linux users assigned to a specific SELinux user identity:

# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                         s0
james                         user_u                         s0                       
daniel                         user_u                         s0                       
root                           root                             SystemLow-SystemHigh
olga                            user_u                         s0

Notice that at this stage only the root account is assigned to any categories. By default, the root account is configured with access to all categories.

Red Hat Enterprise Linux and SELinux are preconfigured with several default categories, but to make effective use of MCS, the system administrator typically modifies these or creates further categories to suit local requirements.