unconfined_u
user run in the unconfined_t
domain. This is seen by running the id -Z
command while logged-in as a Linux user mapped to unconfined_u
:
~]$
id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
unconfined_t
domain, SELinux policy rules are applied, but policy rules exist that allow Linux users running in the unconfined_t
domain almost all access. If unconfined Linux users execute an application that SELinux policy defines can transition from the unconfined_t
domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy.
Note
useradd
command, use the -Z
option to specify which SELinux user they are mapped to. The following example creates a new Linux user, useruuser
, and maps that user to the SELinux user_u
user. Linux users mapped to the SELinux user_u
user run in the user_t
domain. In this domain, Linux users are unable to run setuid applications unless SELinux policy permits it (such as passwd
), and cannot run the su
or sudo
command, preventing them from becoming the root user with these commands.
Procedure 10.27. Confining a New Linux User to user_u
SELinux User
useruuser
) that is mapped to the SELinux user_u
user.
~]#
useradd -Z user_u useruuser
useruuser
and user_u
, run the following command as root:
~]#
semanage login -l
Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 * useruuser user_u s0 *
useruuser
user:
~]#
passwd useruuser
Changing password for user useruuser. New password: Enter a password Retype new password: Enter the same password again passwd: all authentication tokens updated successfully.
useruuser
user. When you log in, the pam_selinux
module maps the Linux user to an SELinux user (in this case, user_u
), and sets up the resulting SELinux context. The Linux user's shell is then launched with this context. Run the following command to view the context of a Linux user:
~]$
id -Z
user_u:user_r:user_t:s0
useruuser
's session, and log back in with your account. If you do not want the Linux useruuser
user, run the following command as root to remove it, along with its home directory:
~]#
userdel -r useruuser