[securityguide] Updated SELinux Context with new content from RHEL7.

Bara Ančincová bancinco at fedoraproject.org
Sun Aug 10 22:59:51 UTC 2014


commit 48293267dd85294f61eb38110deb8f23f49f9741
Author: Barbora Ancincova <bancinco at redhat.com>
Date:   Mon Jul 28 10:49:35 2014 +0200

    Updated SELinux Context with new content from RHEL7.

 en-US/Contexts_and_Attributes.xml |  397 ++++++++++++++++++++-----------------
 1 files changed, 212 insertions(+), 185 deletions(-)
---
diff --git a/en-US/Contexts_and_Attributes.xml b/en-US/Contexts_and_Attributes.xml
index b4afae3..101a3f6 100644
--- a/en-US/Contexts_and_Attributes.xml
+++ b/en-US/Contexts_and_Attributes.xml
@@ -3,200 +3,227 @@
 ]>
 
 <section id="sect-Security-Enhanced_Linux-SELinux_Contexts">
-	<title>SELinux Contexts</title>
-	<para>
-		Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions. In &PRODUCT;, SELinux provides a combination of Role-Based Access Control (RBAC), <trademark class="registered">Type Enforcement</trademark> (TE), and, optionally, Multi-Level Security (MLS).
-	</para>
-	<para>
-		The following is an example showing SELinux context. SELinux contexts are used on processes, Linux users, and files, on Linux operating systems that run SELinux. Use the <command>ls -Z</command> command to view the SELinux context of files and directories:
-	</para>
-	
-<screen>$ ls -Z file1
--rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-</screen>
-	<para>
-		SELinux contexts follow the <emphasis>SELinux user:role:type:level</emphasis> syntax:
-	</para>
-	<variablelist>
-		<varlistentry>
-			<term><emphasis>SELinux user</emphasis></term>
-			<listitem>
-				<para>
-					The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles, and for a specific MLS range. Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions placed on SELinux users. The mapped SELinux user identity is used in the SELinux context for processes in that session, in order to define what roles and levels they can enter. Run the <command>semanage login -l</command> command as the Linux root user to view a list of mappings between SELinux and Linux user accounts:
-				</para>
-				
+        <title>SELinux Contexts</title>
+        <para>
+                Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions. In &PRODUCT;, SELinux provides a combination of Role-Based Access Control (RBAC), <trademark class="registered">Type Enforcement</trademark> (TE), and, optionally, Multi-Level Security (MLS).
+        </para>
+        <para>
+                The following is an example showing SELinux context. SELinux contexts are used on processes, Linux users, and files, on Linux operating systems that run SELinux. Use the following command to view the SELinux context of files and directories:
+        </para>
 <screen>
-# /usr/sbin/semanage login -l
-
-Login Name                SELinux User              MLS/MCS Range
+<prompt>~]$</prompt>&#160;<command>ls -Z file1</command>
+-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
+</screen>                
+        <para>
+                SELinux contexts follow the <emphasis>SELinux user:role:type:level</emphasis> syntax. The fields are as follows:
+        </para>
+                <variablelist>
+                        <varlistentry>
+                                <term><emphasis>SELinux user</emphasis></term>
+                                <listitem>
+	                                <para>
+	                                        The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles, and for a specific MLS/MCS range. Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions placed on SELinux users. The mapped SELinux user identity is used in the SELinux context for processes in that session, in order to define what roles and levels they can enter. Run the following command as root to view a list of mappings between SELinux and Linux user accounts (you need to have the <package>policycoreutils-python</package> package installed):
+	                                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
+Login Name           SELinux User         MLS/MCS Range        Service
 
-__default__               unconfined_u              s0-s0:c0.c1023
-root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
+__default__          unconfined_u         s0-s0:c0.c1023       *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
 </screen>
-				<para>
-					Output may differ slightly from system to system. The <computeroutput>Login Name</computeroutput> column lists Linux users, and the <computeroutput>SELinux User</computeroutput> column lists which SELinux user the Linux user is mapped to. For processes, the SELinux user limits which roles and levels are accessible. The last column, <computeroutput>MLS/MCS Range</computeroutput>, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS). Levels are briefly discussed later.
-				</para>
-			</listitem>
-		</varlistentry>
-		<varlistentry>
-			<term><emphasis>role</emphasis></term>
-			<listitem>
-				<para>
-					Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered - ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.
-				</para>
-			</listitem>
-		</varlistentry>
-		<varlistentry>
-			<term><emphasis>type</emphasis></term>
-			<listitem>
-				<para>
-					The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. SELinux policy rules define how types can access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
-				</para>
-			</listitem>
-		</varlistentry>
-		<varlistentry>
-			<term><emphasis>level</emphasis></term>
-			<listitem>
-				<para>
-					The level is an attribute of MLS and Multi-Category Security (MCS). An MLS range is a pair of levels, written as <emphasis>lowlevel-highlevel</emphasis> if the levels differ, or <emphasis>lowlevel</emphasis> if the levels are identical (<computeroutput>s0-s0</computeroutput> is the same as <computeroutput>s0</computeroutput>). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as <emphasis>sensitivity:category-set</emphasis>. If there are no categories, it is written as <emphasis>sensitivity</emphasis>.
-				</para>
-				<para>
-					If the category set is a contiguous series, it can be abbreviated. For example, <computeroutput>c0.c3</computeroutput> is the same as <computeroutput>c0,c1,c2,c3</computeroutput>. The <filename>/etc/selinux/targeted/setrans.conf</filename> file maps levels (<computeroutput>s0:c0</computeroutput>) to human-readable form (ie. <computeroutput>CompanyConfidential</computeroutput>). Do not edit <filename>setrans.conf</filename> with a text editor: use <command>semanage</command> to make changes. Refer to the <citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page for further information. In &PRODUCT;, targeted policy enforces MCS, and in MCS, there is just one sensitivity, <computeroutput>s0</computeroutput>. MCS in &PRODUCT; supports 1024 different categories: <computeroutput>c0</computeroutput> through to <computeroutput>c1023</computeroutput>. <computeroutput>s0-s0:c0.c1023</computeroutput> is sensitivity <computeroutput>s0
 </computeroutput> and authorized for all categories.
-				</para>
-				<para>
-					MLS enforces the <ulink url="http://en.wikipedia.org/wiki/Bell-LaPadula_model">Bell-La Padula Mandatory Access Model</ulink>, and is used in Labeled Security Protection Profile (LSPP) environments. To use MLS restrictions, install the <package>selinux-policy-mls</package> package, and configure MLS to be the default SELinux policy via the <filename>/etc/selinux/config</filename> file. The MLS policy shipped with &PRODUCT; omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the <ulink url="http://oss.tresys.com/projects/refpolicy">upstream SELinux Reference Policy</ulink> can be built that includes all program domains.
-				</para>
-			</listitem>
-		</varlistentry>
-	</variablelist>
-	<section id="sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">
-		<title>Domain Transitions</title>
-		<para>
-			A process in one domain transitions to another domain by executing an application that has the <computeroutput>entrypoint</computeroutput> type for the new domain. The <computeroutput>entrypoint</computeroutput> permission is used in SELinux policy, and controls which applications can be used to enter a domain. The following example demonstrates a domain transition:
-		</para>
-		<orderedlist>
-			<listitem>
-				<para>
-					A user wants to change their password. To do this, they run the <command>passwd</command> application. The <filename>/usr/bin/passwd</filename> executable is labeled with the <computeroutput>passwd_exec_t</computeroutput> type:
-				</para>
-				
-<screen>$ ls -Z /usr/bin/passwd
+	                                <para>
+                                                Output may differ slightly from system to system:
+                                        </para>
+                                                <itemizedlist>
+                                                        <listitem>
+                                                                <para>
+                                                                        The <literal>Login Name</literal> column lists Linux users.
+                                                                </para>
+                                                        </listitem>
+                                                        <listitem>
+                                                                <para>
+                                                                        The <literal>SELinux User</literal> column lists which SELinux user the Linux user is mapped to. For processes, the SELinux user limits which roles and levels are accessible.
+                                                                </para>
+                                                        </listitem>
+                                                        <listitem>
+                                                                <para>
+                                                                        The <literal>MLS/MCS Range</literal> column, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS).
+                                                                </para>
+                                                        </listitem>
+                                                        <listitem>
+                                                                <para>
+                                                                        The <literal>Service</literal> column determines the correct SELinux context, in which the Linux user is supposed to be logged in to the system. By default, the asterisk (<computeroutput>*</computeroutput>) character is used, which stands for any service.
+                                                                </para>
+                                                        </listitem>
+                                        </itemizedlist>                                
+                                </listitem>
+                        </varlistentry>
+                        <varlistentry>
+                                <term><emphasis>role</emphasis></term>
+                                <listitem>
+	                                <para>
+	                                        Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered; ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.
+	                                </para>
+                                </listitem>
+                        </varlistentry>
+                        <varlistentry>
+                                <term><emphasis>type</emphasis></term>
+                                <listitem>
+	                                <para>
+	                                        The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. SELinux policy rules define how types can access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
+	                                </para>
+                                </listitem>
+                        </varlistentry>
+                        <varlistentry>
+                                <term><emphasis>level</emphasis></term>
+                                <listitem>
+	                                <para>
+	                                        The level is an attribute of MLS and MCS. An MLS range is a pair of levels, written as <emphasis>lowlevel-highlevel</emphasis> if the levels differ, or <emphasis>lowlevel</emphasis> if the levels are identical (<systemitem>s0-s0</systemitem> is the same as <systemitem>s0</systemitem>). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as <emphasis>sensitivity:category-set</emphasis>. If there are no categories, it is written as <emphasis>sensitivity</emphasis>.
+	                                </para>
+	                                <para>
+	                                        If the category set is a contiguous series, it can be abbreviated. For example, <systemitem>c0.c3</systemitem> is the same as <systemitem>c0,c1,c2,c3</systemitem>. The <filename>/etc/selinux/targeted/setrans.conf</filename> file maps levels (<systemitem>s0:c0</systemitem>) to human-readable form (that is <computeroutput>CompanyConfidential</computeroutput>). In &PRODUCT;, targeted policy enforces MCS, and in MCS, there is just one sensitivity, <systemitem>s0</systemitem>. MCS in &PRODUCT; supports 1024 different categories: <systemitem>c0</systemitem> through to <systemitem>c1023</systemitem>. <systemitem>s0-s0:c0.c1023</systemitem> is sensitivity <systemitem>s0</systemitem> and authorized for all categories.
+	                                </para>
+	                                <para>
+						MLS enforces the Bell-La Padula Mandatory Access Model, and is used in Labeled Security Protection Profile (LSPP) environments. To use MLS restrictions, install the <package>selinux-policy-mls</package> package, and configure MLS to be the default SELinux policy. The MLS policy shipped with &PRODUCT; omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the <ulink url="http://oss.tresys.com/projects/refpolicy">upstream SELinux Reference Policy</ulink> can be built that includes all program domains. <!--For more information on MLS configuration, see <xref linkend="mls"/>.-->
+	                                </para>
+                                </listitem>
+                        </varlistentry>
+                </variablelist>
+        <section id="sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">
+        <title>Domain Transitions</title>
+                <para>
+                        A process in one domain transitions to another domain by executing an application that has the <systemitem>entrypoint</systemitem> type for the new domain. The <systemitem>entrypoint</systemitem> permission is used in SELinux policy and controls which applications can be used to enter a domain. The following example demonstrates a domain transition:
+                </para>
+                <procedure id="proc-domain-transition">
+                        <title>An Example of a Domain Transition</title>
+                                <step>
+	                        <para>
+                                        A user wants to change their password. To do this, they run the <systemitem>passwd</systemitem> utility. The <filename>/usr/bin/passwd</filename> executable is labeled with the <systemitem>passwd_exec_t</systemitem> type:
+                                </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z /usr/bin/passwd</command>
 -rwsr-xr-x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
 </screen>
-				<para>
-					The <application>passwd</application> application accesses <filename>/etc/shadow</filename>, which is labeled with the <computeroutput>shadow_t</computeroutput> type:
-				</para>
-				
-<screen>$ ls -Z /etc/shadow
-----------. root root system_u:object_r:shadow_t:s0    /etc/shadow
+	                        <para>
+	                                The <systemitem>passwd</systemitem> utility accesses <filename>/etc/shadow</filename>, which is labeled with the <systemitem>shadow_t</systemitem> type:
+	                        </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ls -Z /etc/shadow</command>
+-r--------. root root system_u:object_r:shadow_t:s0    /etc/shadow
 </screen>
-			</listitem>
-			<listitem>
-				<para>
-					An SELinux policy rule states that processes running in the <computeroutput>passwd_t</computeroutput> domain are allowed to read and write to files labeled with the <computeroutput>shadow_t</computeroutput> type. The <computeroutput>shadow_t</computeroutput> type is only applied to files that are required for a password change. This includes <filename>/etc/gshadow</filename>, <filename>/etc/shadow</filename>, and their backup files.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					An SELinux policy rule states that the <computeroutput>passwd_t</computeroutput> domain has <computeroutput>entrypoint</computeroutput> permission to the <computeroutput>passwd_exec_t</computeroutput> type.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					When a user runs the <command>/usr/bin/passwd</command> application, the user&#39;s shell process transitions to the <computeroutput>passwd_t</computeroutput> domain. With SELinux, since the default action is to deny, and a rule exists that allows (among other things) applications running in the <computeroutput>passwd_t</computeroutput> domain to access files labeled with the <computeroutput>shadow_t</computeroutput> type, the <application>passwd</application> application is allowed to access <filename>/etc/shadow</filename>, and update the user&#39;s password.
-				</para>
-			</listitem>
-		</orderedlist>
-		<para>
-			This example is not exhaustive, and is used as a basic example to explain domain transition. Although there is an actual rule that allows subjects running in the <computeroutput>passwd_t</computeroutput> domain to access objects labeled with the <computeroutput>shadow_t</computeroutput> file type, other SELinux policy rules must be met before the subject can transition to a new domain. In this example, Type Enforcement ensures:
-		</para>
-		<itemizedlist>
-			<listitem>
-				<para>
-					the <computeroutput>passwd_t</computeroutput> domain can only be entered by executing an application labeled with the <computeroutput>passwd_exec_t</computeroutput> type; can only execute from authorized shared libraries, such as the <computeroutput>lib_t</computeroutput> type; and can not execute any other applications.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					only authorized domains, such as <computeroutput>passwd_t</computeroutput>, can write to files labeled with the <computeroutput>shadow_t</computeroutput> type. Even if other processes are running with superuser privileges, those processes can not write to files labeled with the <computeroutput>shadow_t</computeroutput> type, as they are not running in the <computeroutput>passwd_t</computeroutput> domain.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					only authorized domains can transition to the <computeroutput>passwd_t</computeroutput> domain. For example, the <systemitem class="daemon">sendmail</systemitem> process running in the <computeroutput>sendmail_t</computeroutput> domain does not have a legitimate reason to execute <command>passwd</command>; therefore, it can never transition to the <computeroutput>passwd_t</computeroutput> domain.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					processes running in the <computeroutput>passwd_t</computeroutput> domain can only read and write to authorized types, such as files labeled with the <computeroutput>etc_t</computeroutput> or <computeroutput>shadow_t</computeroutput> types. This prevents the <application>passwd</application> application from being tricked into reading or writing arbitrary files.
-				</para>
-			</listitem>
-		</itemizedlist>
-	</section>
-	
-	<section id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">
-		<title>SELinux Contexts for Processes</title>
-		<para>
-			Use the <command>ps -eZ</command> command to view the SELinux context for processes. For example:
-		</para>
-		<orderedlist>
-			<listitem>
-				<para>
-					Open a terminal, such as <menuchoice><guimenu>Applications</guimenu><guisubmenu>System Tools</guisubmenu><guimenuitem>Terminal</guimenuitem></menuchoice>.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					Run the <command>/usr/bin/passwd</command> command. Do not enter a new password.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					Open a new tab, or another terminal, and run the <command>ps -eZ | grep passwd</command> command. The output is similar to the following:
-				</para>
-				
-<screen>unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
+                        </step>
+                        <step>
+	                        <para>
+	                                An SELinux policy rule states that processes running in the <systemitem>passwd_t</systemitem> domain are allowed to read and write to files labeled with the <systemitem>shadow_t</systemitem> type. The <systemitem>shadow_t</systemitem> type is only applied to files that are required for a password change. This includes <filename>/etc/gshadow</filename>, <filename>/etc/shadow</filename>, and their backup files.
+	                        </para>
+                        </step>
+                        <step>
+	                        <para>
+	                                An SELinux policy rule states that the <systemitem>passwd_t</systemitem> domain has <systemitem>entrypoint</systemitem> permission to the <systemitem>passwd_exec_t</systemitem> type.
+	                        </para>
+                        </step>
+                        <step>
+	                        <para>
+	                                When a user runs the <systemitem>passwd</systemitem> utility, the user&#39;s shell process transitions to the <systemitem>passwd_t</systemitem> domain. With SELinux, since the default action is to deny, and a rule exists that allows (among other things) applications running in the <systemitem>passwd_t</systemitem> domain to access files labeled with the <systemitem>shadow_t</systemitem> type, the <systemitem>passwd</systemitem> application is allowed to access <filename>/etc/shadow</filename>, and update the user&#39;s password.
+	                        </para>
+                        </step>
+                </procedure>
+                <para>
+                        This example is not exhaustive, and is used as a basic example to explain domain transition. Although there is an actual rule that allows subjects running in the <systemitem>passwd_t</systemitem> domain to access objects labeled with the <systemitem>shadow_t</systemitem> file type, other SELinux policy rules must be met before the subject can transition to a new domain. In this example, Type Enforcement ensures:
+                </para>
+                <itemizedlist>
+                        <listitem>
+	                        <para>
+	                                The <systemitem>passwd_t</systemitem> domain can only be entered by executing an application labeled with the <systemitem>passwd_exec_t</systemitem> type; can only execute from authorized shared libraries, such as the <systemitem>lib_t</systemitem> type; and cannot execute any other applications.
+	                        </para>
+                        </listitem>
+                        <listitem>
+	                        <para>
+	                                Only authorized domains, such as <systemitem>passwd_t</systemitem>, can write to files labeled with the <systemitem>shadow_t</systemitem> type. Even if other processes are running with superuser privileges, those processes cannot write to files labeled with the <systemitem>shadow_t</systemitem> type, as they are not running in the <systemitem>passwd_t</systemitem> domain.
+	                        </para>
+                        </listitem>
+                        <listitem>
+	                        <para>
+	                                Only authorized domains can transition to the <systemitem>passwd_t</systemitem> domain. For example, the <systemitem class="daemon">sendmail</systemitem> process running in the <systemitem>sendmail_t</systemitem> domain does not have a legitimate reason to execute <command>passwd</command>; therefore, it can never transition to the <systemitem>passwd_t</systemitem> domain.
+	                        </para>
+                        </listitem>
+                        <listitem>
+	                        <para>
+	                                Processes running in the <systemitem>passwd_t</systemitem> domain can only read and write to authorized types, such as files labeled with the <systemitem>etc_t</systemitem> or <systemitem>shadow_t</systemitem> types. This prevents the <systemitem>passwd</systemitem> application from being tricked into reading or writing arbitrary files.
+	                        </para>
+                        </listitem>
+                </itemizedlist>
+        </section>
+        <section id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">
+                <title>SELinux Contexts for Processes</title>
+                <para>
+                        Use the <command>ps -eZ</command> command to view the SELinux context for processes. For example:
+                </para>
+                <procedure id="proc-viewing-selinuc-context-for-passwd">
+                        <title>View the SELinux Context for the <systemitem>passwd</systemitem> Utility</title>
+                        <step>
+	                        <para>
+	                                Open a terminal, such as <menuchoice><guimenu>Applications</guimenu><guisubmenu>System Tools</guisubmenu><guimenuitem>Terminal</guimenuitem></menuchoice>.
+	                        </para>
+                        </step>
+                        <step>
+	                        <para>
+	                                Run the <systemitem>passwd</systemitem> utility. Do not enter a new password:
+	                        </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>passwd</command>
+Changing password for user <replaceable>user_name</replaceable>.
+Changing password for <replaceable>user_name</replaceable>.
+(current) UNIX password:                                                                             
+</screen>                          
+                        </step>
+                        <step>
+	                        <para>
+	                                Open a new tab, or another terminal, and run the following command. The output is similar to the following:
+	                        </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>ps -eZ | grep passwd</command>
+unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
 </screen>
-			</listitem>
-			<listitem>
-				<para>
-					In the first tab/terminal, press <userinput>Ctrl+C</userinput> to cancel the <application>passwd</application> application.
-				</para>
-			</listitem>
-		</orderedlist>
-		<para>
-			In this example, when the <filename>/usr/bin/passwd</filename> application (labeled with the <computeroutput>passwd_exec_t</computeroutput> type) is executed, the user&#39;s shell process transitions to the <computeroutput>passwd_t</computeroutput> domain. Remember: the type defines a domain for processes, and a type for files.
-		</para>
-		<para>
-			Use the <command>ps -eZ</command> command to view the SELinux contexts for running processes. The following is a limited example of the output, and may differ on your system:
-		</para>
-		
+                        </step>
+                        <step>
+	                        <para>
+	                                In the first tab/terminal, press <userinput>Ctrl+C</userinput> to cancel the <systemitem>passwd</systemitem> utility.
+	                        </para>
+                        </step>
+                </procedure>
+                <para>
+                        In this example, when the <systemitem>passwd</systemitem> utility (labeled with the <systemitem>passwd_exec_t</systemitem> type) is executed, the user&#39;s shell process transitions to the <systemitem>passwd_t</systemitem> domain. Remember that the type defines a domain for processes, and a type for files.
+                </para>
+                <para>
+                        To view the SELinux contexts for all running processes, run the <systemitem>ps</systemitem> utility again. Note that below is a truncated example of the output, and may differ on your system:
+                </para>
 <screen>
-system_u:system_r:dhcpc_t:s0     1869 ?        00:00:00 dhclient
-system_u:system_r:sshd_t:s0-s0:c0.c1023 1882 ? 00:00:00 sshd
-system_u:system_r:gpm_t:s0       1964 ?        00:00:00 gpm
-system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ? 00:00:00 crond
-system_u:system_r:kerneloops_t:s0 1983 ?       00:00:05 kerneloops
-system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ? 00:00:00 atd
+<prompt>]$</prompt>&#160;<command>ps -eZ</command> 
+system_u:system_r:dhcpc_t:s0             1869 ?  00:00:00 dhclient
+system_u:system_r:sshd_t:s0-s0:c0.c1023  1882 ?  00:00:00 sshd
+system_u:system_r:gpm_t:s0               1964 ?  00:00:00 gpm
+system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ?  00:00:00 crond
+system_u:system_r:kerneloops_t:s0        1983 ?  00:00:05 kerneloops
+system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ?  00:00:00 atd
 </screen>
-		<para>
-			The <computeroutput>system_r</computeroutput> role is used for system processes, such as daemons. Type Enforcement then separates each domain.
-		</para>
-	</section>
-	
-	<section id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">
-		<title>SELinux Contexts for Users</title>
-		<para>
-			Use the <command>id -Z</command> command to view the SELinux context associated with your Linux user:
-		</para>
-		
-<screen>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+                <para>
+                        The <systemitem>system_r</systemitem> role is used for system processes, such as daemons. Type Enforcement then separates each domain.
+                </para>
+        </section>
+        <section id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">
+                <title>SELinux Contexts for Users</title>
+                <para>
+                        Use the following command to view the SELinux context associated with your Linux user:
+                </para>
+<screen>
+<prompt>~]$</prompt>&#160;<command>id -Z</command>
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 </screen>
-		<para>
-			In &PRODUCT;, Linux users run unconfined by default. This SELinux context shows that the Linux user is mapped to the SELinux <computeroutput>unconfined_u</computeroutput> user, running as the <computeroutput>unconfined_r</computeroutput> role, and is running in the <computeroutput>unconfined_t</computeroutput> domain. <computeroutput>s0-s0</computeroutput> is an MLS range, which in this case, is the same as just <computeroutput>s0</computeroutput>. The categories the user has access to is defined by <computeroutput>c0.c1023</computeroutput>, which is all categories (<computeroutput>c0</computeroutput> through to <computeroutput>c1023</computeroutput>).
-		</para>
-	</section>
-
+                <para>
+                        In &PRODUCT;, Linux users run unconfined by default. This SELinux context shows that the Linux user is mapped to the SELinux <systemitem>unconfined_u</systemitem> user, running as the <systemitem>unconfined_r</systemitem> role, and is running in the <systemitem>unconfined_t</systemitem> domain. <systemitem>s0-s0</systemitem> is an MLS range, which in this case, is the same as just <systemitem>s0</systemitem>. The categories the user has access to is defined by <systemitem>c0.c1023</systemitem>, which is all categories (<systemitem>c0</systemitem> through to <systemitem>c1023</systemitem>).
+                </para>
+        </section>
 </section>
 
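Review bot: the rewritten level paragraph (the + lines that replace the setrans.conf text) silently drops two sentences the old version carried: "Do not edit setrans.conf with a text editor: use semanage to make changes." and the pointer to the semanage(8) manual page. Nothing in the new paragraph replaces that guidance, so readers lose the only instruction on how level translations are meant to be changed; please restore both sentences after "...to human-readable form". In the same paragraph "ie." was expanded to "that is <computeroutput>CompanyConfidential</computeroutput>", but CompanyConfidential is one illustrative translation, so "for example" is the correct expansion. The Bell-La Padula <ulink> was also removed for no stated reason, and the commented-out <xref linkend="mls"/> should be either resolved or deleted before the build rather than left as a placeholder. Smaller points in the same hunk: the ls -Z file1 sample changes the mode from "-rw-rw-r--." to "-rwxrw-r--", which makes a home-directory file executable and drops the trailing dot that ls uses to mark a file carrying a security context (the /etc/shadow sample on the same hunk keeps its dot, so the two screens now disagree); the ps -eZ screen uses "<prompt>]$</prompt>" while every other screen uses "~]$"; the new procedure id "proc-viewing-selinuc-context-for-passwd" misspells selinux; "The <literal>MLS/MCS Range</literal> column, is the level" has a stray comma; the Service column sentence ("determines the correct SELinux context, in which the Linux user is supposed to be logged in") is hard to parse and would read better as "lists the service for which the mapping applies"; and several added lines (the closing </screen> tags, the "(current) UNIX password:" line and the ps -eZ command line) carry trailing whitespace.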

