
# User Statements

## user

The user statement declares an SELinux user identifier within the policy and associates it with one or more roles. The statement also allows an optional MLS level and range to control a user's security level. It is also possible to add SELinux user ids outside the policy using the 'semanage user' command, which will associate the user with roles previously declared within the policy.

The statement definition is:

```
user seuser_id roles role_id;
```

Or for MCS/MLS Policy:

```
user seuser_id roles role_id level mls_level range mls_range;
```

Where:

user

The user keyword.

seuser_id

The SELinux user identifier.

roles

The roles keyword.

role_id

One or more previously declared role or attribute_role identifiers. Multiple role identifiers consist of a space separated list enclosed in braces '{}'.

level

If MLS is configured, the MLS level keyword.

mls_level

The user's default MLS security level that has been previously declared with a level statement. Note that the compiler only accepts the sensitivity component of the level (e.g. s0).

range

If MLS is configured, the MLS range keyword.

mls_range

The range of security levels that the user can run. The format is described in the "MLS range Definition" section.

The statement is valid in:

Policy Type

| Monolithic Policy | Base Policy | Module Policy |
|-------------------|-------------|---------------|
| Yes               | Yes         | Yes           |

Conditional Policy Statements

| if Statement | optional Statement | require Statement |
|--------------|--------------------|-------------------|
| No           | Yes                | Yes               |

Examples:

```
# Using the user statement to define an SELinux user user_u that
# has been assigned the role of user_r. The SELinux user_u is a
# generic user identity for Linux users who have no specific
# SELinux user identity defined.
#
user user_u roles { user_r };
```

MLS Examples:

```
# Using the user statement to define an MLS SELinux user user_u
# that has been assigned the role of user_r and has a default
# login security level of s0 assigned, and is only allowed
# access to the s0 range of security levels:
user user_u roles { user_r } level s0 range s0;

# Using the user statement to define an MLS SELinux user
# sysadm_u that has been assigned the role of sysadm_r and has
# a default login security level of s0 assigned, and is
# allowed access to the range of security levels (low - high)
# between s0 and s15:c0.c255:
user sysadm_u roles { sysadm_r } level s0 range s0-s15:c0.c255;
```

semanage(8) Command example:

```
# Add user mque_u to SELinux and associate to the unconfined_r role:
semanage user -a -R unconfined_r mque_u
```

This command will produce the following files in the default <SELINUXTYPE> policy store and then activate the policy:

/var/lib/selinux/<SELINUXTYPE>/active/users.local:

```
# This file is auto-generated by libsemanage
# Do not edit directly.

user mque_u roles { unconfined_r } ;
```

/var/lib/selinux/<SELINUXTYPE>/active/users_extra:

```
# This file is auto-generated by libsemanage
# Do not edit directly.

user mque_u prefix user;
```

/var/lib/selinux/<SELINUXTYPE>/active/users_extra.local:

```
# This file is auto-generated by libsemanage
# Do not edit directly.

user mque_u prefix user;
```
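The statement definition above and the `users.local` file written by libsemanage share one grammar, so a single parser covers both. The following Python is an added example written for this page; it is not part of the SELinux Notebook, checkpolicy or libsemanage. It parses `user` statements (single role or braced role list, optional `level`/`range` clause, and the `} ;` spacing libsemanage emits), then applies the checks a reviewer would want: every role is previously declared, the default level is a sensitivity only (as the compiler requires), the sensitivities are declared, and the default level falls inside the declared range. The sample policy text, the declared role set and the `s0`..`s15` dominance order are constructed for the example; the two statements for `bad_u` and `low_u` are deliberately wrong to exercise the checks.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Grammar from the statement definition (the MLS clause is optional):
#   user seuser_id roles role_id [level mls_level range mls_range];
# role_id is one identifier or a space-separated list in braces.
# Whitespace before the ';' is tolerated because libsemanage writes
# "user mque_u roles { unconfined_r } ;" into users.local.
USER_RE = re.compile(
    r"""^user\s+(?P<seuser>\w+)\s+roles\s+
        (?:\{\s*(?P<role_list>[\w\s]+?)\s*\}|(?P<role>\w+))
        (?:\s+level\s+(?P<level>[^\s;]+)\s+range\s+(?P<range>[^\s;]+))?
        \s*;$""",
    re.VERBOSE,
)


@dataclass
class UserStatement:
    seuser: str
    roles: List[str]
    level: Optional[str] = None      # default login level (sensitivity only)
    mls_range: Optional[str] = None  # "low" or "low-high", e.g. s0-s15:c0.c255


def parse_user_statements(policy_text: str) -> List[UserStatement]:
    """Extract every user statement; '#' comments and other statements are skipped."""
    statements = []
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = USER_RE.match(line)
        if m is None:
            continue  # not a user statement (or malformed): ignored here
        roles = m["role_list"].split() if m["role_list"] else [m["role"]]
        statements.append(UserStatement(m["seuser"], roles, m["level"], m["range"]))
    return statements


def sensitivity_of(level: str) -> str:
    """'s15:c0.c255' -> 's15'; the category set is not needed for these checks."""
    return level.split(":", 1)[0]


def check_user_statements(statements: List[UserStatement],
                          declared_roles: Set[str],
                          sensitivities: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means every check passed.
    `sensitivities` must be listed in dominance order, lowest first."""
    problems = []
    rank = {s: i for i, s in enumerate(sensitivities)}
    for st in statements:
        for role in st.roles:
            if role not in declared_roles:
                problems.append(f"{st.seuser}: role {role} is not declared")
        if st.level is None:
            continue  # non-MLS statement: nothing more to check
        # The compiler only accepts the sensitivity component as the default level.
        if ":" in st.level:
            problems.append(f"{st.seuser}: level {st.level} must be a sensitivity only, e.g. s0")
        low, _, high = st.mls_range.partition("-")
        lo, hi, lvl = sensitivity_of(low), sensitivity_of(high or low), sensitivity_of(st.level)
        unknown = [s for s in (lo, hi, lvl) if s not in rank]
        if unknown:
            problems.append(f"{st.seuser}: undeclared sensitivity {', '.join(unknown)}")
            continue
        if rank[lo] > rank[hi]:
            problems.append(f"{st.seuser}: range {st.mls_range} has low above high")
        elif not rank[lo] <= rank[lvl] <= rank[hi]:
            problems.append(f"{st.seuser}: default level {st.level} is outside range {st.mls_range}")
    return problems


# Constructed sample: the page's MLS examples, the users.local line libsemanage
# produces, and two deliberately wrong statements (bad_u, low_u).
SAMPLE_POLICY = """\
# default login level s0, range s0 only
user user_u roles { user_r } level s0 range s0;
user sysadm_u roles { sysadm_r } level s0 range s0-s15:c0.c255;
user mque_u roles { unconfined_r } ;
user bad_u roles { staff_r } level s0:c1 range s0-s1;
user low_u roles user_r level s3 range s0-s1;
"""
DECLARED_ROLES = {"user_r", "sysadm_r", "unconfined_r"}          # constructed
SENSITIVITIES = [f"s{i}" for i in range(16)]                       # s0..s15, constructed order

if __name__ == "__main__":
    parsed = parse_user_statements(SAMPLE_POLICY)
    for statement in parsed:
        print(statement)
    for problem in check_user_statements(parsed, DECLARED_ROLES, SENSITIVITIES):
        print("problem:", problem)
```

Run against the sample, the parser yields five statements and the checker reports three problems: `staff_r` is undeclared, `s0:c1` carries categories in the level field, and `s3` lies outside `s0-s1`. Pointing `parse_user_statements` at the contents of `/var/lib/selinux/<SELINUXTYPE>/active/users.local` gives a quick offline review of locally added users before the policy store is rebuilt.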
