Let's now create a user domain of our own, and call it second_t . We'll also create a new role called second_r . Create the second_r role first following the steps in the previous section (which just assigned the user_r role and did not actually create it) but don't run the make command in Section 5.2. Instead, after you've edited /etc/selinux/users come back to this part and read the next section on editing the user domains file.
The reason why I don't want you to run the make command is because the previous section just assigned a role of user_r which is the default. But we will be creating a new role, and as such we need a new domain to go with it as outlined in the next few sections.
The configuration file concerned with user domains is /etc/selinux/domains/user.te . Have a read through it. Now add the lines
full_user_role(second)
allow system_r second_r
allow sysadm_r second_r
It doesn't matter where you add them, towards the top is okay. Take note of this comment:
# if adding new user roles make sure you edit the in_user_role macro in
# macros/user_macros.te to match
So now we edit
/etc/selinux/macros/user_macros.te to match. Open that file for editing and search for the string in_user_role (it's near the end of the file). Add in "role second_r types $1;" so this portion of the file now looks like
undefine(`in_user_role')
define(`in_user_role', `
role user_r types $1;
role second_r types $1;
')
Going back to the first line of configuration code at the start of this section (full_user_role(second)), this creates the domain second_t and the types second_home_dir_t and second_home_t (for the home directory and files under the home directory respectively). A type of second_tmp_t is created for files created under /tmp. Type second_tmpfs_t is created for shared memory created when in the tmpfs context. Finally, types of second_tty_device_t and second_devpts_t are created for user labelling of tty devices and pseudo tty devices respectively. It also creates the basic policy rules for using these types.
SE Linux does not internally support any type of object orientation, inheritance of domains/types, etc. Also there is currently no policy language that supports such features (one could be written, but nobody has done so yet). So to get the features we need for easily creating new domains, we use M4 macros.
We'll now create yet another user for use in this new domain (second_t) and access to the second_r role.
Using useradd, create a new user (let's say the new user is called "spike"). Add spike to /etc/selinux/users with an entry that only gives him access to the second_r role and no others. Then run
make -C /etc/selinux load
to apply the new policy.
The next thing to do is set the default domain for the new role. To do this, we edit the file /etc/security/default_type and add the line
second_r:second_t
We now have to manually relabel /home/spike and its contents. The useradd command did not do this, as it only supports relabelling for user_r roles. Run the following command:
find /home/spike -print0 | xargs -0 chcon -h system_u:object_r:second_home_t ;
chcon -h system_u:object_r:second_home_dir_t /home/spike
Now try logging in as spike.
