Next Previous Contents

7. Creating user accounts

Now for the fun stuff! We will create an SE Linux user and assign them a role and then set a default security context for users. Firstly though, we will discuss some wrapper programs for common user account related functions.

7.1 Wrappers for password and account related programs

We've already covered using the spasswd command to change your own password, and the sadminpasswd command for a user in the sysadm_t domain to change other user passwords.

7.1.1 schsh

schsh is a wrapper for the chsh (change login shell) program. It does not let you supply any paramters. You will be prompted as follows:

faye@kaos:~$ schsh
Changing the login shell for faye
Enter the new value, or press return for the default
        Login Shell [/bin/bash]:

7.1.2 schfn

schfn is a wrapper for the chfn (change username and information) program. schfn also does not allow you to supply parameters and prompts you as follows:

faye@kaos:~$ schfn
Changing the user information for faye
Enter the new value, or press ENTER for the default
        Full Name: Faye Coker
        Room Number []:
        Work Phone []:
        Home Phone []:

7.1.3 svipw

svipw is a wrapper for the vipw (edit password file) command. Functionality is the same as the regular vipw. You can only run this command when in the sysadm_t domain.

7.1.4 suseradd

The suseradd command is a wrapper for the useradd command. It also provides transitional rules to assign the correct types to files, as well as allowing write access to /etc/shadow when the new user is added. Check the man page for useradd for the proper syntax. Note that suseradd only works for user_r (i.e. it is only used when creating a user who will have the user_r role).

7.2 Creating a new user

We'll now create our new user. Let's call him setest.

Switch to the sysadm_r:sysadm_t role:domain. Now use the suseradd command to add user setest:

root@kaos:~# id
uid=0(root) gid=0(root) groups=0(root) context=faye:sysadm_r:sysadm_t sid=398
Run id as above to check that your uid is 0 and that you are in the sysadm_r:sysadm_t role:domain. If your uid is that of your regular account, then from your regular account su to root first, then run the newrole -r command.

root@kaos:~# suseradd -c "SE Linux test user" -m -d /home/setest -g users -s /bin/bash -u 1005 setest
root@kaos:~# finger setest
Login: setest                           Name: SE Linux test user
Directory: /home/setest                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.
root@kaos:~# sadminpasswd setest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
So the setest user has now been added. The suseradd command allows the identity user_u to take effect. The user_u identity is only allowed to have access to the user_r role. But if a user has an identity of user_u they won't be able to change their own password. Recall that in order to change your password, your Unix username and SE Linux identity must match. So if we have an identity of user_u and a Unix account name of setest, the two won't match.

7.3 Assigning roles to users and applying the changes

Now we want to assign a role to user setest. Let's say we want him to have access to the user_r role. The configuration file concerned with this is /etc/selinux/users so open it up with your favourite editor and take a quick read through it.

At the end of the file, add the following line:

user setest roles { user_r };
This line means that user setest is authorised to enter the user_r role. If you want user setest to also have access to the sysadm_r role as well, you would instead add
user setest roles { user_r sysadm_r };
We now have to apply the changes we made to the /etc/selinux/users file. To do this, run the following command when in sysadm_r:sysadm_t role:domain:
make -C /etc/selinux load
This takes a little while as a policy database is being created then compressed with gzip. When the command finishes executing, you will see something like this towards the end:
touch tmp/load
make: Leaving directory `/usr/share/selinux/policy/current'
With a default role of user_r, the user does not specifically have to be added to /etc/selinux/users. Only add them to this file if you want them to: have access to a user role other than user_r; be able to change their own password, or to have SE Linux log messages that contain their username where applicable.

We now have to define a default security context.

7.4 Setting the default security context for users

After adding the new user to /etc/selinux/users, a default security context must be assigned to their login sessions. The configuration file for this is /etc/security/default_context so take a look at it. You'll see the following line:

system_r:local_login_t  user_r:user_t
When a user logs in locally (i.e. at the console), the /bin/login program will run in the domain local_login_t and will then assign a user role and domain of user_r and user_t respectively. If the line above was actually
system_r:local_login_t  sysadm_r:sysadm_t user_r:user_t
and the user logging in is authorised to enter the sysadm_t domain, then they will land in the sysadm_t domain upon logging in. If not, the user_t domain will be used.

Look at the line

system_r:sshd_t         user_r:user_t
This means that for all logins done via ssh, the user will land in the user_r:user_t role:domain.

7.5 Relabelling the user's home directory

If you have used suseradd to add a new user with the user_r role, then the relabelling will have been taken care of. If however, you've used something like svipw to create the user, or the user role was *not* user_r, then no relabelling has taken place and you will have to run the following command:

find /home/setest | xargs chcon -h system_u:object_r:user_home_t ; chcon -h system_u:object_r:user_home_dir_t /home/setest 
This command takes all the files in /home/setest and runs the chcon (change file security context) command on them. The user's home directory is assigned the type user_home_dir_t and files underneath the user's home directory are assigned the type user_home_t. Sometimes, a process may be granted access to a user's home directory, but not to any files or directories below, hence the two different types.
Next Previous Contents