I have written several blogs on the xguest and guest SELinux users. There are other types of SELinux users.
Today I want to describe the standard SELinux user. At Red Hat we have a distribution of RHEL that the IS Department gives to all non-engineers. Salespeople, support, administration and management are given RHEL boxes/laptops without the root password. These are machines for people who do not want to administer their own machines. The IT Department is in charge of updating the software on these boxes and maintaining their security; if users want to add software or modify their machines, they have to contact the help desk for an update.
In the future, the accounts on these machines should be set up to use the user_u SELinux user. user_u is a complete login user account; unlike xguest, it has full networking, so the user can connect to any network port. It does not have the ability to run setuid applications without a transition. Since the users of these machines have no reason to ever become root, they do not have the ability to run su, sudo, userhelper or any other application that requires setuid. This protects the user against most software vulnerabilities that would allow an attack to gain root.
If you have a setuid application that you want the user to be able to run, you can write policy to allow the user_u account to transition to a different domain to execute the code. For example, xlock uses PAM to verify the user's password. PAM execs /sbin/unix_chkpwd, a setuid application. Policy allows a transition from user_u:user_r:user_t -> user_u:user_r:chkpwd_t, which can run as root.
Like xguest, the user_u account can be set to not allow execution of programs in the home directory or /tmp:
# setsebool -P allow_user_exec_content=0
If you want to set up your system to try out the user account, you can execute the following as root:
# semanage login -m -s user_u USERNAME
# usermod -Z user_u USERNAME
If you want to add a user with user_u, you can execute:
# useradd -Z user_u USERNAME
If you want all users on your system to default to user_u, you would execute:
# semanage login -m -s user_u __default__
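To check the result of the mapping commands above, the following added example (not part of the original post) resolves which SELinux user a login ends up with from `semanage login -l` output, including the `__default__` fallback. The function names and the sample table are constructed for illustration, and `%group` entries are reported but not resolved.

```shell
#!/bin/sh
# Added example: audit login -> SELinux user mappings.
# Real use, as root:  semanage login -l | selinux_user_for USERNAME

# Constructed sample of `semanage login -l` output (not from a real host).
sample_mappings() {
cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range

__default__          user_u               s0
root                 unconfined_u         s0-s0:c0.c1023
alice                staff_u              s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
EOF
}

# selinux_user_for LOGIN   (mapping table on stdin)
# Prints the explicit mapping for LOGIN; a login with no entry of its
# own inherits the __default__ mapping.
selinux_user_for() {
    awk -v login="$1" '
        NF < 2 || ($1 == "Login" && $2 == "Name") { next }  # header, blanks
        $1 == login         { explicit = $2 }
        $1 == "__default__" { fallback = $2 }
        END {
            if (explicit != "")      print explicit
            else if (fallback != "") print fallback
            else exit 1              # no mapping found at all
        }'
}

# not_user_u   (mapping table on stdin)
# Lists every entry that is NOT mapped to user_u, as login:seuser,
# skipping the system_u pseudo-login. These are the accounts that can
# still reach su, sudo and other setuid programs.
not_user_u() {
    awk 'NF < 2 || ($1 == "Login" && $2 == "Name") { next }
         $1 == "system_u" { next }
         $2 != "user_u"   { print $1 ":" $2 }'
}

# Demo on the constructed sample: bob has no entry, so __default__ applies.
sample_mappings | selinux_user_for "${1:-bob}"
```

After `semanage login -m -s user_u __default__`, anything `not_user_u` still reports is an explicit exception that should be reviewed.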
Try it out...
Dan Walsh's Blog
- user_u is now available in Rawhide/Fedora 9