Now let's build a user domain of our own and call it second_t. We will also build a new role called second_r. To create the second_r role, follow the previous section only as far as editing /etc/selinux/users (the step that assigns the user_r role) and do not run the make command from section 5.2 yet. After you have edited /etc/selinux/users, come back here and continue with the next section, which edits the user domain file.
The reason I don't want you to run the make command is that the previous section only assigned the default user_r role. We are going to build a new role, and for that we need a new domain to go with it. The following sections give a rough walk-through.
6.1 Edit user's domain file
The configuration file for the user domain is /etc/selinux/domains/user.te. Read it first, then add the following lines:
full_user_role(second)
allow system_r second_r;
allow sysadm_r second_r;
It does not matter where in the file you add them; I put them above this comment:
# If adding new user roles make sure to edit the in_user_role macro in
# macros/user_macros.te to match
Then edit /etc/selinux/macros/user_macros.te to match. Open the file and find the in_user_role macro (near the end of the file). Add the line "role second_r types $1;" to it. This part of the file should now look like this:
undefine(`in_user_role')
define(`in_user_role', `
role user_r types $1;
role second_r types $1;
')
Go back to the first file we edited: the full_user_role(second) macro call sets up the second_t domain, the second_home_dir_t and second_home_t types (the type of the user's home directory and the type of the files inside it), the second_tmp_t type for files the user creates in /tmp, the second_tmpfs_t type for files created in the tmpfs shared-memory file system, and finally the second_tty_device_t and second_devpts_t types, which label terminal devices (tty) and pseudo-terminal devices respectively. The policy rules that apply these labels are generated along with them.
SE Linux has no internal support for classes of types or for type/domain inheritance, and the policy language does not provide them either. That is why the m4 macro processor is used to build these simple domains and types.
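The comment in user.te warns that every full_user_role(...) call needs a matching line in the in_user_role macro. The script below is an added example, not part of the original tutorial: it reads constructed copies of the two edited files and reports any role declared in user.te that the macro (or the allow rules) does not cover.

```shell
#!/bin/sh
# Added example: consistency check for the user.te / user_macros.te edits.
# USER_TE and USER_MACROS_TE are constructed samples of the edited files,
# not the real policy sources.

USER_TE=$(cat <<'EOF'
full_user_role(user)
full_user_role(second)
allow system_r user_r;
allow sysadm_r user_r;
allow system_r second_r;
allow sysadm_r second_r;
EOF
)

USER_MACROS_TE=$(cat <<'EOF'
undefine(`in_user_role')
define(`in_user_role', `
role user_r types $1;
role second_r types $1;
')
EOF
)

# Print the argument of every full_user_role(...) call, one per line.
role_names() {
    printf '%s\n' "$1" | sed -n 's/^full_user_role(\([a-z_]*\)).*/\1/p'
}

# Succeed if the in_user_role macro body contains "role <name>_r types $1;".
macro_grants_role() {
    printf '%s\n' "$2" | sed -n "/in_user_role'/,/^')/p" \
        | grep -qxF "role ${1}_r types \$1;"
}

# Succeed if user.te lets both system_r and sysadm_r enter <name>_r.
te_allows_role() {
    printf '%s\n' "$2" | grep -qxF "allow system_r ${1}_r;" &&
    printf '%s\n' "$2" | grep -qxF "allow sysadm_r ${1}_r;"
}

# Check every declared role; print each problem and return 1 if any exist.
check_policy() {
    status=0
    for name in $(role_names "$1"); do
        macro_grants_role "$name" "$2" ||
            { echo "in_user_role is missing: role ${name}_r types \$1;"; status=1; }
        te_allows_role "$name" "$1" ||
            { echo "user.te is missing allow system_r/sysadm_r ${name}_r;"; status=1; }
    done
    return $status
}

check_policy "$USER_TE" "$USER_MACROS_TE" && echo "role edits are consistent"
```

Run it against the real files with `check_policy "$(cat /etc/selinux/domains/user.te)" "$(cat /etc/selinux/macros/user_macros.te)"` before running make.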
We are now going to create a user who runs in this new domain (second_t) and has access to the second_r role.
6.2 Create a new test user again
Use useradd to create a new user (let's assume the user is called "spike"). Add spike to /etc/selinux/users, giving him access only to the second_r role and no other permissions. Then run
make -C /etc/selinux load
to apply the new policy.
The next step is to set the default domain for the new role. Edit /etc/security/default_type and add the following line:
second_r:second_t
We now have to set the context of /home/spike and its contents by hand. useradd does not do this; it only supports labelling for the user_r role. Run the following commands:
find /home/spike -print0 | xargs -0 chcon -h system_u:object_r:second_home_t
chcon -h system_u:object_r:second_home_dir_t /home/spike
Now try to log in as spike.