Controlling Access with Confined Users

Objectives

  • Limit user access to the system and the root account by configuring those users as confined users.

Defining SELinux Users

The SELinux policy defines its own SELinux users, which are distinct from Linux users. When a Linux user logs in, they are mapped to exactly one SELinux user. Similar to the Audit UID, the SELinux user cannot be changed during a login session. Normally, many Linux users are mapped to the same SELinux user. The policy can place additional SELinux-enforced restrictions on what particular SELinux users can do.

You can list the SELinux users with the semanage user -l command.

[root@host ~]# semanage user -l

              Labeling  MLS/
SELinux User  Prefix    MCS Level  ...  SELinux Roles

guest_u       user      s0         ...  guest_r
root          user      s0         ...  staff_r sysadm_r system_r unconfined_r
staff_u       user      s0         ...  staff_r sysadm_r system_r unconfined_r
sysadm_u      user      s0         ...  sysadm_r
system_u      user      s0         ...  system_r unconfined_r
unconfined_u  user      s0         ...  system_r unconfined_r
user_u        user      s0         ...  user_r
xguest_u      user      s0         ...  xguest_r

Each SELinux user has access to a set of SELinux roles, which are shown in the last column. These roles ultimately define which programs an SELinux user can run. For example, the sysadm_r role allows the use of the su and sudo commands. The xguest_r role restricts the commands that the user can use and only allows network access through the Firefox web browser.

The goal of the SELinux user feature is to more tightly control the programs that a user can run.

Mapping Linux Users to SELinux Users

At login time, SELinux maps the Linux user to an SELinux user. This way, the Linux user inherits the restrictions that are assigned to their associated SELinux user.

The semanage login -l command displays the table that SELinux uses for this mapping.

[root@host ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

As shown in this output, SELinux maps the Linux root user to the unconfined_u SELinux user. The __default__ entry instructs SELinux to map every Linux user that is not explicitly listed to the unconfined_u SELinux user. Linux users that are mapped to the unconfined_u SELinux user (the unconfined user) have no additional user-based SELinux restrictions; all other SELinux policy restrictions still apply.

SELinux uses the system_u user for system services. Do not use it for your Linux users.

Note

By default, on a new Red Hat Enterprise Linux installation, Linux users are mapped to the unconfined_u SELinux user. This SELinux user does not have additional user-specific rules confining it.

Linux users who are logged in can retrieve their associated SELinux user with the id -Z command.

[root@host ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

To map an existing Linux user to an SELinux user, use the semanage login -a -s SELinux_user Linux_user command.

[root@host ~]# semanage login -a -s sysadm_u  operator1

To remove the mapping, use the semanage login -d -s SELinux_user Linux_user command.

[root@host ~]# semanage login -d -s sysadm_u  operator1

To modify the default mapping, use the semanage login -m -s SELinux_user -r s0 __default__ command.

[root@host ~]# semanage login -m -s user_u -r s0 __default__

Important

The __default__ name has two underscores on either side of the word "default".

You can also map a new Linux user at creation time by using the -Z option of the useradd command.

[root@host ~]# useradd -Z staff_u developer1

Comparing the SELinux Users

On Red Hat Enterprise Linux, SELinux comes with a set of predefined SELinux users. You rarely have to create new ones because these existing users cover most use cases.

The following table lists the most useful confined SELinux users for system administration.

user_u

This account is for standard, nonadministrative users. SELinux prevents Linux users that are mapped to the user_u SELinux user from becoming the root Linux user by using the su or sudo commands, or from executing most set user ID (setuid) programs.

sysadm_u

The sysadm_u SELinux user is for system administration. SELinux allows Linux users that are mapped to the sysadm_u SELinux user to use the su and sudo commands. (Whether the user can do anything useful with the sudo command depends on its configuration, in the usual way.) In addition, users that are mapped to the sysadm_u SELinux user cannot log in by using the ssh command unless the ssh_sysadm_login Boolean is set to the on value.

staff_u

Linux users that are mapped to the staff_u SELinux user can use the sudo command but not the su command. The staff_u SELinux user is for regular users who need to use the sudo command for specific tasks. For example, web developers might need to use the sudo command to restart the httpd service. By mapping a Linux user to the staff_u SELinux user, these developers can use the sudo command, but cannot get full root user access by using the su command.

SELinux User Booleans

A number of Booleans can adjust the restrictions set on confined users. The preceding list includes one Boolean: ssh_sysadm_login, which controls whether users that are mapped to the sysadm_u SELinux user can log in by using the ssh command.

Another set of Booleans restricts whether these users can run executables in their home directory or in the /tmp/ directory. These are the user_exec_content, sysadm_exec_content, and staff_exec_content Booleans for the user_u, sysadm_u, and staff_u SELinux users, respectively.

Confining User Accounts

Use the following guidelines to implement user confinement on your systems.

Update the default SELinux mapping to associate your Linux users to the user_u SELinux user.

[root@host ~]# semanage login -m -s user_u -r s0 __default__

Map the system administrators to the sysadm_u SELinux user.

[root@host ~]# semanage login -a -s sysadm_u  operator1
[root@host ~]# semanage login -a -s sysadm_u  operator2
[root@host ~]# semanage login -a -s sysadm_u  operator3

Optionally, map the Linux users who need sudo command access to the staff_u SELinux user, and configure the sudo command.

[root@host ~]# semanage login -a -s staff_u  developer1
[root@host ~]# semanage login -a -s staff_u  developer2
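An added audit helper, not part of the course material or of Red Hat's tooling, that checks the result of the guidelines above: it parses the table printed by semanage login -l and reports which logins are still mapped to unconfined_u and what __default__ maps to. The function names and the two embedded tables are constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not part of the course material. It parses the table
# printed by "semanage login -l" (read from stdin) and reports which Linux
# logins are still mapped to unconfined_u, so you can confirm the guidelines
# were applied. On a host: . ./audit.sh; semanage login -l | audit_mappings

# Print the login name (field 1) of every row whose SELinux user (field 2)
# is unconfined_u. The header row and blank lines never match.
unconfined_logins() {
    awk 'NF >= 2 && $2 == "unconfined_u" { print $1 }'
}

# Print the SELinux user that the __default__ entry maps unmapped logins to.
default_mapping() {
    awk '$1 == "__default__" { print $2 }'
}

# Return 0 when __default__ is confined (present and not unconfined_u) and no
# explicit login is mapped to unconfined_u; return 1 otherwise. The root entry
# is reported too, so decide deliberately whether root stays unconfined.
audit_mappings() {
    table=$(cat)
    default=$(printf '%s\n' "$table" | default_mapping)
    leftovers=$(printf '%s\n' "$table" | unconfined_logins)
    [ -n "$default" ] && [ "$default" != "unconfined_u" ] && [ -z "$leftovers" ]
}

# Constructed sample: the default was changed to user_u, but operator1 and
# root are still unconfined, so the audit fails.
PARTIAL_TABLE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
operator1            unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# Constructed sample: every login is confined, so the audit passes.
CONFINED_TABLE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
operator1            sysadm_u             s0-s0:c0.c1023       *
root                 sysadm_u             s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

printf '%s\n' "$PARTIAL_TABLE" | audit_mappings ||
    echo "unconfined logins remain: $(printf '%s\n' "$PARTIAL_TABLE" | unconfined_logins | tr '\n' ' ')"
```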

Confining Different User Accounts

When you decide to confine all your Linux users, you usually start by modifying the default mapping to the user_u SELinux user.

[root@host ~]# semanage login -m -s user_u -r s0 __default__

This way, SELinux confines all your Linux users to an SELinux user with minimal privileges by default. If you change the default mapping in this way, no further per-user configuration is needed; SELinux automatically confines every existing user that has no explicit mapping on their next login.

For extra protection, you can also prevent users with the user_u SELinux user mapping from executing programs in their home directories and the /tmp/ directory. To do that, set the user_exec_content Boolean to the off value.

[root@host ~]# setsebool -P user_exec_content off

Confining System Administrators

To confine your system administrators, map their Linux accounts to the sysadm_u SELinux user. For existing accounts, use the semanage login -a command:

[root@host ~]# semanage login -a -s sysadm_u  operator1

For new users, you can use the -Z option of the useradd command to do the mapping at user creation time.

[root@host ~]# useradd -G wheel -Z sysadm_u operator2

The previous command uses the -G option to add the new account to the Linux wheel group to benefit from the existing sudo rule for this group.

By default, and for extra protection, users that are mapped to the sysadm_u SELinux user cannot use SSH to log in. Set the ssh_sysadm_login Boolean to the on value if you must allow SSH access.

[root@host ~]# setsebool -P ssh_sysadm_login on

Remember to remove the mapping when deleting a Linux user account.

[root@host ~]# userdel operator1
[root@host ~]# semanage login -d -s sysadm_u  operator1

You can also use the userdel -Z command to remove the mapping at the same time that you delete the user account.

[root@host ~]# userdel -Z operator2

Confining Staff Users

Some standard Linux users might need to run specific commands as the root user. Map them to the staff_u SELinux user account and configure the sudo command.

For existing accounts, use the semanage login -a command:

[root@host ~]# semanage login -a -s staff_u  developer1

For new users, you can use the -Z option of the useradd command to do the mapping at user creation time.

[root@host ~]# useradd -Z staff_u developer2

The next step is to configure the sudoers files to list the commands that these users can run as the root user.

For extra protection, you can also prevent the staff_u SELinux users from executing programs in their home directories and the /tmp/ directory. For that level of protection, set the staff_exec_content Boolean to the off value.

[root@host ~]# setsebool -P staff_exec_content off

Remember to remove the mapping when deleting the Linux user account.

[root@host ~]# userdel -Z developer1

Note

Additional confined users, such as the xguest_u and guest_u SELinux users, are more restricted than the user_u SELinux user. For more information, refer to the Using SELinux guide.

References

The semanage-login(8) and semanage-user(8) man pages

For more information, refer to the Managing Confined and Unconfined Users chapter in the Using SELinux guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/using_selinux/index#managing-confined-and-unconfined-users_using-selinux

Revision: rh415-9.2-a821299