Creating Confined Users in SELinux

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

In this lab, we’ll create an SELinux confined user by mapping an SELinux user to a Linux user. Confined users help us to impart restrictions on users to help protect our systems.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Map Linux users jhalpert and pbeesley to SELinux users
  1. Map Linux user jhalpert to SELinux user user_u:

    semanage login -a -s user_u jhalpert
  2. Map Linux user pbeesly to SELinux user staff_u:

    semanage login -a -s staff_u pbeesley  
  3. Check the user mappings:

    semanage login -l  
    • We can see our Linux users successfully mapped to the assigned SELinux users.
Ensure the SELinux user `xguest` can not mount media
  1. Check SELinux booleans for "xguest":

    getsebool -a | grep xguest
    • We see "xguest_mount_media" is an option and it is enabled, so lets disable it.
  2. Disable SELinux boolean "xguest_mount_media":

    setsebool -P xguest_mount_media off
  3. Check to make sure our changes were successful:

    getsebool -a | grep xguest
    • We can see our change was successful.
Put SELinux into enforcing mode and ensure that setting is persistent
  1. Check SELinux state:

    • It is in permissive mode, so we need to change it to enforcing mode.
  2. Put SELinux into enforcing mode:

    setenforce 1  
  3. Check to make sure SELinux is now in enforcing mode:

    • We can see our change worked and SELinux is now in enforcing mode.
  4. Ensure SELinux boots into enforcing mode:

    vi /etc/selinux/config

Additional Resources

There have been some position changes within the IT department at your organization and your supervisor has tasked you with setting up some SELinux confined users and updating settings for the SELinux xguest user. You've been tasked with the following:

  1. Map the Linux user jhalpert to the SELinux user user_u
  2. Map the Linux user pbeesley to the SELinux user staff_u
  3. Ensure the SELinux xguest user cannot mount media

Once that is completed, place SELinux into enforcing mode and ensure the host boots into enforcing mode.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?