Now let's do something interesting! We will create an SE Linux user, assign a role to that user, and then set the default security context for the user. In the old SE Linux environment, wrapper programs were provided for the account tools, for example svipw for vipw, suseradd for useradd, spasswd for passwd, schfn for chfn, and so on; in the new SE Linux environment these programs have other names.
5.1 Create a new user
We now create a new user, which we call setest.
First switch to the sysadm_r:sysadm_t role:domain, then add the user setest with the useradd command:
root@kaos:~# id
uid=0(root) gid=0(root) groups=0(root) context=faye:sysadm_r:sysadm_t sid=398
Running the id command confirms that your uid is 0 and that your identity is in the sysadm_r:sysadm_t role:domain. If your uid is that of another user, switch to root with the su command and then run newrole -r to change to the sysadm_r role.
root@kaos:~# useradd -c "SE Linux test user" -m -d /home/setest -g users -s /bin/bash -u 1005 setest
root@kaos:~# finger setest
Login: setest                           Name: SE Linux test user
Directory: /home/setest                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.
root@kaos:~# passwd setest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
The setest user has now been added.
5.2 Assigning roles and applying changes to users
Now we want to set a role for the setest user. We want this user to have access to the user_r role. The file you need to configure is /etc/selinux/users; open it with your favorite editor and browse through it first.
At the end of the file, add the following:
user setest roles { user_r };
This line allows the setest user to enter the user_r role. If you also want the setest user to be able to enter the sysadm_r role, use this line instead:
user setest roles { user_r sysadm_r };
To put the new setting into effect, run the following command from the sysadm_r:sysadm_t role:domain:
make -C /etc/selinux load
This takes a while: the policy's data files are built and compressed with gzip. If the command completes successfully, the last lines of its output look like this:
success
touch tmp/load
make: Leaving directory `/usr/share/selinux/policy/current'
Users who only need the default role user_r do not have to be listed in the /etc/selinux/users file. If you want them to use a role other than user_r, or to be able to change their own password, they must be added to the file, or their user name must be added to the appropriate part of the SE Linux records.
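The users file edited above has a small, strict syntax, and a second declaration for the same user or a typo in a role name only surfaces when make load fails. The following added helper (not part of this tutorial or of SE Linux itself) parses that old-style format, accepting both the braced multi-role form and the single-role form, and appends a new declaration only after checking for duplicates and unknown roles; the sample file content and the set of known roles are constructed assumptions.

```python
import re

# Old-style SELinux users file syntax (the format edited in this tutorial):
#   user NAME roles { ROLE ... };      or      user NAME roles ROLE;
USER_DECL = re.compile(
    r"^user\s+(?P<name>[A-Za-z0-9_.-]+)\s+roles\s+"
    r"(?:\{(?P<many>[^}]*)\}|(?P<one>[A-Za-z0-9_]+))\s*;$"
)

def parse_users(text):
    """Return {user: [roles]}; reject malformed or duplicate declarations."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = USER_DECL.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a user declaration: {raw.strip()!r}")
        name = m.group("name")
        roles = m.group("many").split() if m.group("many") is not None else [m.group("one")]
        if not roles:
            raise ValueError(f"line {lineno}: user {name} has no roles")
        if name in users:
            # A second declaration for the same user breaks the policy build.
            raise ValueError(f"line {lineno}: user {name} declared twice")
        users[name] = roles
    return users

def add_user(text, name, roles, known_roles=frozenset({"user_r", "sysadm_r"})):
    """Return the file content with a braced declaration for `name` appended.

    Raises if the user is already declared or a role is not in `known_roles`;
    keep `known_roles` (an assumed default here) in sync with your policy.
    """
    existing = parse_users(text)
    if name in existing:
        raise ValueError(f"user {name} already declared with roles {existing[name]}")
    bad = [r for r in roles if r not in known_roles]
    if bad:
        raise ValueError(f"unknown role(s) for {name}: {bad}")
    line = f"user {name} roles {{ {' '.join(roles)} }};"
    return text.rstrip("\n") + "\n" + line + "\n"

# Constructed sample of an existing users file, then the tutorial's setest entry.
SAMPLE = """\
# constructed sample of /etc/selinux/users
user system_u roles system_r;
user root roles { sysadm_r };
"""

if __name__ == "__main__":
    print(add_user(SAMPLE, "setest", ["user_r"]), end="")
```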
Now let's set up a default security context.