diff --git a/refpolicy/config/local.users b/refpolicy/config/local.users index 887f6f7..7e2bf7a 100644 --- a/refpolicy/config/local.users +++ b/refpolicy/config/local.users @@ -14,10 +14,6 @@ # The MLS default level and allowed range should only be specified if # MLS was enabled in the policy. -user user_u roles { user_r }; - -user root roles { sysadm_r staff_r }; - # sample for administrative user # user jadmin roles { staff_r sysadm_r }; diff --git a/refpolicy/policy/users b/refpolicy/policy/users index a7a51b1..bb9d37b 100644 --- a/refpolicy/policy/users +++ b/refpolicy/policy/users @@ -11,3 +11,21 @@ # identity. # user system_u roles system_r user_mls(s0,s0 - s9:c0.c127); + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +user user_u roles { user_r } user_mls(s0,s0 - s9:c0.c127); + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +user root roles { sysadm_r staff_r } user_mls(s0,s0 - s9:c0.c127);