The next section describes the system login and explains more about the user security context. The last section of this chapter discusses permissive and enforcing modes.
4.1 Providing user context at logon
At this stage, you should reboot the system and wait for the login prompt. When you installed the SELinux default policy package (on Fedora, it is the policy source package), the installation of the policy files made it possible to log in to the system with the default user role. (This applies as long as we have not yet added any users of our own.)
Log on to your system as root. Your security context is root:user_r:user_t by default. The id command displays your security context, and its output should look like the line below. We only need to look at the security context part, so ignore the other fields:
uid=0(root) gid=0(root) groups=0(root) context=root:user_r:user_t
So the security context is
root:user_r:user_t
Now let's assume that you have previously set up your own account with another role (see Chapter 5: Setting up user accounts). There are two ways to change roles. The first is at login time. Assume that the user faye has been granted access to the sysadm_t domain, and that she logs in on the console. At the prompt "Your default context is faye:user_r:user_t. Do you want to choose a different one? [n]" she chooses y and presses Enter. She will then see the following:
[1] faye:user_r:user_t
[2] faye:sysadm_r:sysadm_t
Enter Number of choice:
In this case, you can see that the user identity faye has previously been granted access to the sysadm_r role and the sysadm_t domain. The options shown here are the contexts that your user identity has been allowed to access. Please note that this behaviour is implemented in the old SE Linux; in the new SE Linux (which was not available when this document was written) it will be configurable, and the default setting is off.
If the user faye selects option two (becoming sysadm_r) and then runs the id command, she will see the following security context:
context=faye:sysadm_r:sysadm_t
This means that she is now in the sysadm_r role.
Next is the second way to change the user's security context.
4.2 Changing context with the newrole -r command
The second method of changing your security context uses the newrole -r command. The syntax is
newrole -r role
where role is replaced with the role you want to change to. Assume that it is sysadm_r. Then you would run:
newrole -r sysadm_r
You will be asked to provide the password for your user identity, and you can then run the id command to check the result. If you are not authorized to enter the new role, you will see a message like this (assuming that the user fred is trying to run the command):
fred:sysadm_r:sysadm_t is not a valid context
This message means that the user fred cannot enter the sysadm_r:sysadm_t role:domain pair because he is not authorized to do so.
After successfully changing the role, run the id command to check your security context.
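A script can make the same check that the text does by eye: read the context= field from id output and compare its role before running administrative steps. The following is an added example, not part of the original document; the function names are hypothetical, and the sample lines (including faye's uid and gid) are constructed.

```shell
#!/bin/sh
# Added example: parse the context= field of `id` output and check the role.
# Function names (context_from_id, role_of, require_role) are hypothetical.

# Print the security context found in one line of `id` output; fail if the
# line has no context= field (for example, SELinux is not active).
context_from_id() {
    case "$1" in
        *context=*) ctx=${1##*context=}; printf '%s\n' "${ctx%% *}" ;;
        *) return 1 ;;
    esac
}

# Print the role: the second colon-separated field of user:role:type.
role_of() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Succeed only if the given `id` output line shows the wanted role.
# Returns 2 when there is no context at all, 1 when the role differs.
require_role() {
    ctx=$(context_from_id "$1") || {
        echo "no security context in id output" >&2
        return 2
    }
    role=$(role_of "$ctx")
    if [ "$role" != "$2" ]; then
        echo "context $ctx: role is $role, need $2 (try: newrole -r $2)" >&2
        return 1
    fi
}

# Constructed sample lines in the format shown above (not captured output).
# Live use would be: require_role "$(id)" sysadm_r || exit 1
sample_user='uid=500(faye) gid=500(faye) groups=500(faye) context=faye:user_r:user_t'
sample_admin='uid=500(faye) gid=500(faye) groups=500(faye) context=faye:sysadm_r:sysadm_t'
require_role "$sample_admin" sysadm_r && echo "admin session: ok"
require_role "$sample_user" sysadm_r 2>/dev/null || echo "user session: refused"
```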