SELinux Users

(Featured image is a screenshot of the Java class PS2PDF uses to execute external executables)

Linux users are mapped to SELinux users via a policy. This lets them inherit rules that restrict what they can do on a system. The following command lists all the mappings and users on a CentOS/RHEL system:

# semanage login -l

Login Name    SELinux User  MLS/MCS Range     Service

__default__   unconfined_u  s0-s0:c0.c1023    *
root          unconfined_u  s0-s0:c0.c1023    *
system_u      system_u      s0-s0:c0.c1023    *

Note that all users are mapped to unconfined_u by default, since they are treated as __default__ Linux users unless a specific user mapping is defined.
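The fallback to __default__ described above can be checked mechanically. The following shell functions are an added example, not part of the original post: they read `semanage login -l` output and resolve which SELinux user a login maps to, and list the logins that map to unconfined_u. The `alice` row is a constructed sample for contrast, and `%group` mappings are not handled.

```shell
#!/bin/sh
# Constructed sample: the `semanage login -l` output shown above plus one
# hypothetical confined mapping (alice -> user_u) for contrast.
sample_mappings() {
cat <<'EOF'

Login Name    SELinux User  MLS/MCS Range     Service

__default__   unconfined_u  s0-s0:c0.c1023    *
alice         user_u        s0                *
root          unconfined_u  s0-s0:c0.c1023    *
system_u      system_u      s0-s0:c0.c1023    *
EOF
}

# Print the SELinux user a Linux login resolves to: its explicit row if one
# exists, otherwise the __default__ row. Reads the mapping table on stdin.
selinux_user_for() {
    awk -v login="$1" '
        NF < 3 || $1 == "Login" { next }      # skip blank lines and the header
        $1 == login         { explicit = $2 }
        $1 == "__default__" { fallback = $2 }
        END {
            if (explicit != "")      print explicit
            else if (fallback != "") print fallback
            else exit 1                       # no usable mapping in the input
        }'
}

# List the login names whose row maps them to unconfined_u.
unconfined_logins() {
    awk 'NF >= 3 && $1 != "Login" && $2 == "unconfined_u" { print $1 }'
}

# Demo on the sample; on a real host pipe `semanage login -l` in instead.
for login in root alice bob; do
    printf '%s -> %s\n' "$login" "$(sample_mappings | selinux_user_for "$login")"
done
echo "Logins mapped to unconfined_u:"
sample_mappings | unconfined_logins
```

Here `bob` has no row of his own, so he resolves through __default__ to unconfined_u, which is the case an audit would want to surface.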

If you are an unconfined user and you execute a program that defines a policy that transitions the unconfined_t domain to a confined_t domain, then you are subject to the restrictions of that domain. This prevents unconfined users from exploiting flaws in confined applications.

To see all roles:

# seinfo -r