Comparing SELinux and Standard Linux User Identities

SELinux maintains its own user identity for processes, separately from Linux user identities. In the targeted policy (the default for Community Enterprise Linux), only a minimal number of SELinux user identities exist:

system_u - System processes

root - System administrator
user_u - All login users

Use the semanage user -l command to list SELinux users:

~]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range            SELinux Roles
root            user       s0         s0-s0:c0.c1023       system_r sysadm_r user_r
system_u        user       s0         s0-s0:c0.c1023       system_r
user_u          user       s0         s0-s0:c0.c1023       system_r sysadm_r user_r

Refer to "Understanding the Users and Roles in the Targeted Policy" for more information about SELinux users and roles.

SELinux Logins

One of the properties of targeted policy is that login users all run in the same security context. From a TE point of view, in targeted policy, they are security-equivalent. To effectively use MCS, however, we need to be able to assign different sets of categories to different Linux users, even though they are all the same SELinux user (user_u). This is solved by introducing the concept of an SELinux login. This is used during the login process to assign MCS categories to Linux users when their shell is launched.

Use the semanage login -a command to assign Linux users to SELinux user identities:

~]# semanage login -a james
~]# semanage login -a daniel
~]# semanage login -a olga

Now when you list the SELinux users, you can see the Linux users assigned to a specific SELinux user identity:

~]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
james                     user_u                    s0
daniel                    user_u                    s0
root                      root                      s0-s0:c0.c1023
olga                      user_u                    s0

Notice that at this stage only the root account is assigned to any categories. By default, the root account is configured with access to all categories.

Community Enterprise Linux and SELinux are preconfigured with several default categories, but to make effective use of MCS, the system administrator typically modifies these or creates further categories to suit local requirements.