The SELinux RBAC associates roles with users and domains. A given user is authorized only for specific roles, and a given role is authorized only for specific domains. Thus, a user cannot enter a domain unless the user is associated with a role authorized for the domain.
By default, the SELinux policy defines four roles:
The fact that many system processes and objects share the system_r role does not mean that SELinux violates the principle of least privilege. Processes and objects generally have discrete types that determine the operations that they can perform and that can be performed on them. As commonly used, roles don't authorize operations; instead they limit the types available to a process or object.
These roles are defined, and associated with users, by the user declarations appearing in the users file.
The Fedora Core SELinux policy defines two additional roles:
A role is defined by a role declaration that associates it with a domain. If multiple declarations associate a single role with multiple domains, the role is authorized to enter each of the domains specified. By convention, role declarations are not centralized in a single file; instead, the role declarations for a given domain generally appear in the TE file associated with the domain.
It's generally not necessary to create a new SELinux role. However, it's often necessary to authorize one of the predefined roles to enter a particular domain, particularly a customized domain. To do so, add a role declaration to the TE file associated with the domain. The declaration should have the form:

role role_name types domain_name;

where role_name is the name of the role, and domain_name is the name of the domain the role is to be authorized to enter. As explained, you can specify any number of role declarations for a given role.
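To make the user-to-role-to-domain chain concrete, here is an added example (not from the book or any real policy) that parses constructed fragments of a users file and two TE files, merges multiple role declarations for the same role, and checks whether a user can enter a domain. The user names, types, domains and file paths are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample inputs in the style of the old SELinux policy sources:
# a users file with user declarations, and two TE files with role declarations.
USERS_FILE = """
user system_u roles { system_r };
user root roles { staff_r sysadm_r system_r };
user user_u roles { user_r };
"""

TE_FILES = {
    "domains/program/httpd.te": """
type httpd_t, domain;
role system_r types httpd_t;
""",
    "domains/program/mydaemon.te": """
type mydaemon_t, domain;
role system_r types mydaemon_t;
role sysadm_r types { mydaemon_t mydaemon_helper_t };
""",
}

# "user NAME roles { R1 R2 ... };" and "role ROLE types DOMAIN;" (or a braced set)
USER_RE = re.compile(r"\buser\s+(\w+)\s+roles\s+\{([^}]*)\}\s*;")
ROLE_RE = re.compile(r"\brole\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;")


def parse_users(text):
    """Map each declared user to the set of roles it is authorized for."""
    return {name: set(roles.split()) for name, roles in USER_RE.findall(text)}


def parse_roles(te_sources):
    """Map each role to the union of domains from all of its role declarations.
    Declarations for one role may be spread across several TE files."""
    role_types = defaultdict(set)
    for text in te_sources.values():
        for role, types in ROLE_RE.findall(text):
            role_types[role].update(types.strip("{} ").split())
    return dict(role_types)


def can_enter(user, domain, users, role_types):
    """True only if some role held by the user is authorized for the domain."""
    return any(domain in role_types.get(r, ()) for r in users.get(user, ()))


users = parse_users(USERS_FILE)
role_types = parse_roles(TE_FILES)
```

Running `can_enter("user_u", "mydaemon_t", users, role_types)` is False because user_r is never authorized for that domain, while root reaches it through either system_r or sysadm_r.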