service_seusers — The SELinux GNU/Linux user and service to SELinux user mapping configuration files

Description

These are optional files that allow services to define an SELinux user when authenticating via SELinux-aware login applications such as PAM(8).

There is one file for each GNU/Linux user name that will be required to run a service with a specific SELinux user name.

The path for each configuration file is formed by the path returned by selinux_policy_root(3) with   /logins/username appended (where username is a file representing the GNU/Linux user name). The default services directory is located at:

/etc/selinux/{SELINUXTYPE}/logins

Where {SELINUXTYPE} is the entry from the selinux configuration file config (see selinux_config(5)).

getseuser(3) reads this file to map services to an SELinux user.

File Format

Each line within the username file is formatted as follows with each component separated by a colon:

service:seuser[:range]

Where:

service

The service name used by the application.

seuser

The SELinux user name.

range

The range for MCS/MLS policies.

Examples

Example 1 - for the 'root' user:

# ./logins/root
ipa:user_u:s0
this_service:unconfined_u:s0

Example 2 - for GNU/Linux user 'rch':

# ./logins/rch
ipa:unconfined_u:s0
that_service:unconfined_u:s0

See Also

selinux(8), PAM(8), selinux_policy_root(3), getseuser(3), selinux_config(5)

Info

28-Nov-2011 Security Enhanced Linux SELinux configuration