|
Chris PeBenito |
31b7c0 |
##################################
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# User configuration.
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# This file defines each user recognized by the system security policy.
|
|
Chris PeBenito |
31b7c0 |
# Only the user identities defined in this file may be used as the
|
|
Chris PeBenito |
31b7c0 |
# user attribute in a security context.
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# Each user has a set of roles that may be entered by processes
|
|
Chris PeBenito |
31b7c0 |
# with the users identity. The syntax of a user declaration is:
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# user username roles role_set [ level default_level range allowed_range ] level s0 range s0 - s15:c0.c255;
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# The MLS default level and allowed range should only be specified if
|
|
Chris PeBenito |
31b7c0 |
# MLS was enabled in the policy.
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# system_u is the user identity for system processes and objects.
|
|
Chris PeBenito |
31b7c0 |
# There should be no corresponding Unix user identity for system_u,
|
|
Chris PeBenito |
31b7c0 |
# and a user process should never be assigned the system_u user
|
|
Chris PeBenito |
31b7c0 |
# identity.
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
user system_u roles system_r level s0 range s0 - s15:c0.c255;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# user_u is a generic user identity for Linux users who have no
|
|
Chris PeBenito |
31b7c0 |
# SELinux user identity defined. The modified daemons will use
|
|
Chris PeBenito |
31b7c0 |
# this user identity in the security context if there is no matching
|
|
Chris PeBenito |
31b7c0 |
# SELinux user identity for a Linux user. If you do not want to
|
|
Chris PeBenito |
31b7c0 |
# permit any access to such users, then remove this entry.
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
user user_u roles { user_r } level s0 range s0 - s0;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# The following users correspond to Unix identities.
|
|
Chris PeBenito |
31b7c0 |
# These identities are typically assigned as the user attribute
|
|
Chris PeBenito |
31b7c0 |
# when login starts the user shell. Users with access to the sysadm_r
|
|
Chris PeBenito |
31b7c0 |
# role should use the staff_r role instead of the user_r role when
|
|
Chris PeBenito |
31b7c0 |
# not in the sysadm_r.
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# The sysadm_r user also needs to be permitted system_r if we are to allow
|
|
Chris PeBenito |
31b7c0 |
# direct execution of daemons
|
|
Chris PeBenito |
31b7c0 |
user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# sample for administrative user
|
|
Chris PeBenito |
31b7c0 |
#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
# sample for regular user
|
|
Chris PeBenito |
31b7c0 |
#user jdoe roles { user_r } level s0 range s0 - s15:c0.c255;
|
|
Chris PeBenito |
31b7c0 |
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
# The following users correspond to special Unix identities
|
|
Chris PeBenito |
31b7c0 |
#
|
|
Chris PeBenito |
31b7c0 |
ifdef(`nx_server.te', `
|
|
Chris PeBenito |
31b7c0 |
user nx roles nx_server_r level s0 range s0 - s15:c0.c255;
|
|
Chris PeBenito |
31b7c0 |
')
|