User Statements

user

Declares an SELinux user identifier in the current namespace.

Statement definition:

    (user user_id)

Where:

  • user: The user keyword.

  • user_id: The user identifier.

Example:

This declares the SELinux user unconfined.user:

    (block unconfined
        (user user)
    )

userrole

Associates a previously declared user identifier with a previously declared role identifier. A user may be given several roles by repeating the statement.

Statement definition:

    (userrole user_id role_id)

Where:

  • userrole: The userrole keyword.

  • user_id: A previously declared user identifier.

  • role_id: A previously declared role identifier.

Example:

This example associates unconfined.user with unconfined.role:

    (block unconfined
        (user user)
        (role role)
        (userrole user role)
    )

userattribute

Declares a user attribute identifier in the current namespace. Zero or more user and userattribute identifiers may be associated with it via the userattributeset statement.

Statement definition:

    (userattribute userattribute_id)

Where:

  • userattribute: The userattribute keyword.

  • userattribute_id: The userattribute identifier.

Example:

This example will declare a user attribute users.user_holder that will have an empty set:

    (block users
        (userattribute user_holder)
    )

userattributeset

Associates one or more previously declared user or userattribute identifiers with a userattribute identifier. The set may be given as a plain list of identifiers or as an expression built from the set operators and, or, xor, not and all; a userattribute may contain other userattributes, and several userattributeset statements for the same attribute accumulate into one set.

Statement definition:

    (userattributeset userattribute_id (user_id ... | expr ...))

Where:

  • userattributeset: The userattributeset keyword.

  • userattribute_id: A previously declared userattribute identifier.

  • user_id: Zero or more previously declared user or userattribute identifiers.

  • expr: Zero or more expressions built from the set operators and, or, xor, not and all.

Example:

This example will declare three users and two user attributes, then associate all the users to them as shown:

    (block users
        (user user_1)
        (user user_2)
        (user user_3)

        (userattribute user_holder)
        (userattributeset user_holder (user_1 user_2 user_3))

        (userattribute user_holder_all)
        (userattributeset user_holder_all (all))
    )
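The example above only uses a plain list and (all). The following added example, which is not from the CIL reference and uses assumed identifiers (admin_u, staff_u, guest_u, audit_u and the attribute names), shows how the set operators refine an attribute's membership and how a second userattributeset for the same attribute extends it:

```cil
; Added example, not from the CIL reference: refining userattributeset
; membership with set expressions. All identifiers are assumed.
(block users
    (user admin_u)
    (user staff_u)
    (user guest_u)
    (user audit_u)

    ; Plain list: explicit members.
    (userattribute privileged)
    (userattributeset privileged (admin_u audit_u))

    ; (all) is every user declared anywhere in the policy, not just in
    ; this block.
    (userattribute everyone)
    (userattributeset everyone (all))

    ; and + not is a set difference: everyone that is not in privileged.
    (userattribute unprivileged)
    (userattributeset unprivileged (and everyone (not privileged)))

    ; or is a union; operands may be identifiers, lists or nested expressions.
    (userattribute interactive)
    (userattributeset interactive (or (admin_u staff_u) guest_u))

    ; xor keeps the users that are in exactly one of the two sets.
    (userattribute review)
    (userattributeset review (xor privileged interactive))

    ; A further userattributeset for the same attribute is or'd with the
    ; earlier ones, so review now also contains admin_u.
    (userattributeset review (admin_u))
)
```

Because the attribute sets are evaluated after the whole policy is resolved, (all) and the not operator cover users declared in any namespace, including those declared after the userattributeset statement; an attribute intended to exclude a user therefore has to name the exclusion explicitly rather than rely on declaration order.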

userlevel

Associates a previously declared user identifier with a previously declared level identifier. The level may be named or anonymous.

Statement definition:

    (userlevel user_id level_id)

Where:

  • userlevel: The userlevel keyword.

  • user_id: A previously declared user identifier.

  • level_id: A previously declared level identifier, or an anonymous level.

Example:

This example will associate unconfined.user with a named level of systemlow:

    (sensitivity s0)
    (level systemlow (s0))

    (block unconfined
        (user user)
        (userlevel user systemlow)
        ; An anonymous example:
        ;(userlevel user (s0))
    )

userrange

Associates a previously declared user identifier with a previously declared levelrange identifier. The levelrange may be named or anonymous.

Statement definition:

    (userrange user_id levelrange_id)

Where:

  • userrange: The userrange keyword.

  • user_id: A previously declared user identifier.

  • levelrange_id: A previously declared levelrange identifier, or an anonymous levelrange.

Example:

This example associates unconfined.user with the named levelrange low_high; equivalent anonymous forms are shown commented out:

    (category c0)
    (category c1)
    (categoryorder (c0 c1))
    (sensitivity s0)
    (sensitivity s1)
    (sensitivityorder (s0 s1))
    (sensitivitycategory s0 (c0 c1))
    (level systemLow (s0))
    (level systemHigh (s0 (c0 c1)))
    (levelrange low_high (systemLow systemHigh))

    (block unconfined
        (user user)
        (role role)
        (userrole user role)
        ; Named example:
        (userrange user low_high)
        ; Anonymous examples:
        ;(userrange user (systemLow systemHigh))
        ;(userrange user (systemLow (s0 (c0 c1))))
        ;(userrange user ((s0) (s0 (c0 c1))))
    )

userbounds

Defines a hierarchical relationship between users in which the child user cannot have more privileges than the parent user.

Notes:

  • A user may be the child in at most one userbounds statement (a child cannot be bound by more than one parent); a parent may appear in any number of userbounds statements.

  • The relationship is written into the binary policy but is not enforced by the SELinux kernel services, which enforce only type bounds (typebounds).

Statement definition:

    (userbounds parent_user_id child_user_id)

Where:

  • userbounds: The userbounds keyword.

  • parent_user_id: A previously declared user identifier.

  • child_user_id: A previously declared user identifier.

Example:

The global user test cannot have greater privileges than unconfined.user (the leading dot in .test refers to the global namespace from inside the block):

    (user test)

    (block unconfined
        (user user)
        (userbounds user .test)
    )

userprefix

Declares a prefix for a user that the file labeling utilities substitute when generating home directory file contexts (the ROLE placeholder in file_contexts.template entries, expanded by genhomedircon). The file_contexts entries are described at http://selinuxproject.org/page/PolicyStoreConfigurationFiles.

Statement definition:

    (userprefix user_id prefix)

Where:

  • userprefix: The userprefix keyword.

  • user_id: A previously declared user identifier.

  • prefix: The prefix string to associate with the user.

Example:

This example will associate unconfined.admin user with a prefix of “user”:

    (block unconfined
        (user admin)
        (userprefix admin user)
    )

selinuxuser

Associates a GNU/Linux user name with a previously declared SELinux user identifier and a previously declared levelrange (the MLS/MCS range the login receives). The levelrange is required even if the policy is non-MCS/MLS. These statements are the source of the seusers file entries used at login.

Statement definition:

    (selinuxuser user_name user_id userrange_id)

Where:

  • selinuxuser: The selinuxuser keyword.

  • user_name: The GNU/Linux user name.

  • user_id: A previously declared user identifier.

  • userrange_id: A previously declared levelrange identifier.

Example:

This example associates the SELinux user unconfined.admin with the GNU/Linux user "admin_1" (low_low is assumed to have been declared as a levelrange, as in the userrange example above):

    (block unconfined
        (user admin)
        (selinuxuser admin_1 admin low_low)
    )

selinuxuserdefault

Declares the default SELinux user, used for GNU/Linux users that have no selinuxuser mapping (the __default__ entry of the seusers file). Only one selinuxuserdefault statement is allowed in the policy. The levelrange identifier is required even if the policy is non-MCS/MLS.

Statement definition:

    (selinuxuserdefault user_id userrange_id)

Where:

  • selinuxuserdefault: The selinuxuserdefault keyword.

  • user_id: A previously declared user identifier.

  • userrange_id: A previously declared levelrange identifier.

Example:

This example defines unconfined.user as the default SELinux user (low_low is assumed to have been declared as a levelrange, as in the userrange example above):

    (block unconfined
        (user user)
        (selinuxuserdefault user low_low)
    )
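The examples in this section each show one statement in isolation. The following added example, which is not from the CIL reference or any SELinux project policy and whose identifiers (guest_u, unconfined.user, unconfined.shell, low_low, low_high, the root login, and the rest) are all assumed, is a minimal MLS policy that ties the user statements together into something secilc can compile: every user gets a role, a default level and a range, the global user is bounded by the block's user, and the login mappings that end up in seusers are declared alongside.

```cil
; Added example, not from the CIL reference: a minimal MLS policy that
; combines the user statements on this page. All identifiers are assumed.
(mls true)

; The kernel SID gives the policy one context that must validate against
; the users, roles and ranges declared below.
(sid kernel)
(sidorder (kernel))

; One sensitivity and two categories are enough for systemLow/systemHigh.
(sensitivity s0)
(sensitivityorder (s0))
(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivitycategory s0 (c0 c1))
(level systemLow (s0))
(level systemHigh (s0 (c0 c1)))
(levelrange low_low (systemLow systemLow))
(levelrange low_high (systemLow systemHigh))

; One class and the types the roles are allowed to use.
(class process (fork transition))
(classorder (process))

; A low-privilege global user; it is the child in the userbounds below.
(user guest_u)
(role guest_r)
(type guest_t)
(userrole guest_u guest_r)
(roletype guest_r guest_t)
; In an MLS policy every user needs both a default level and a range.
(userlevel guest_u systemLow)
(userrange guest_u low_low)

(block unconfined
    (user user)
    (role role)
    (type shell)
    (userrole user role)
    (roletype role shell)
    (userlevel user systemLow)
    (userrange user low_high)
    ; Hierarchy: the global guest_u may not exceed unconfined.user.
    ; Recorded in the binary policy; the kernel enforces only typebounds.
    (userbounds user .guest_u)
    ; Prefix substituted for ROLE when genhomedircon builds home
    ; directory file contexts for this user.
    (userprefix user user)
)

; seusers content: the root login maps to unconfined.user with the full
; range; every other login falls back to the __default__ entry, which
; gets the low-privilege user and the single-level range.
(selinuxuser root unconfined.user low_high)
(selinuxuserdefault guest_u low_low)

(allow unconfined.shell self (process (fork)))
(sidcontext kernel (unconfined.user unconfined.role unconfined.shell low_high))
```

Compiling with secilc -o policy.bin policy.cil exercises the checks a practitioner cares about here: the sidcontext is rejected unless the user has the role (userrole), the role has the type (roletype) and the context range lies within the user's userrange, and in MLS mode a user without a userlevel or userrange is an error. The selinuxuser and selinuxuserdefault lines have no effect on the binary policy itself; they are turned into seusers entries when the module is installed into the policy store.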