Understanding Confined SELinux Users

SELinux includes several confined users that are restricted to different security domains and that have predefined security rules and mechanisms to control what a user is allowed to do. SELinux policies include rules that apply to the different roles that a user can belong to, and these rules enforce which operations are allowed for each SELinux user.

By convention, SELinux users have the suffix _u, such as user_u.

Oracle Linux includes several SELinux users that are already set up and that you can use to restrict system access immediately:

unconfined_u
A largely unrestricted SELinux user, often set as the default SELinux user mapping for system user accounts on new systems in a less restrictive environment. In a hardened environment, system user accounts must not map to this user.
root
The SELinux user meant for the root account.
sysadm_u
The SELinux user with the system administrative role directly assigned. This user isn't intended to run nonadministrative commands.
staff_u
The SELinux user for users that need to run both nonadministrative commands (through the staff_r role) and administrative commands (through the sysadm_r role).
user_u
The SELinux user for nonprivileged accounts that don't need to run any administrative commands.
system_u
The SELinux user for system services.
xguest_u
The SELinux user for guest access to a system, provisioned with limited access.

Users are confined to their SELinux domains, and policies control the types of things that they can do on the system. The following table illustrates how certain predefined security rules work for different users.

| SELinux User | SELinux Domain | Permit Running su and sudo? | Permit Network Access? | Permit Logging in Using X Window System? | Permit Executing Applications in $HOME and /tmp? |
|---|---|---|---|---|---|
| guest_u | guest_t | No | Yes | No | No |
| staff_u | staff_t | sudo | Yes | Yes | Yes |
| system_u | system_t | Yes | Yes | Yes | Yes |
| user_u | user_t | No | Yes | Yes | Yes |
| xguest_u | xguest_t | No | Firefox only | Yes | No |

Within SELinux, SELinux users are distinct from standard Oracle Linux system users and are managed separately. You can map Oracle Linux system user accounts to different SELinux users to apply a more restrictive security policy framework to any of the system user accounts.
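
The following script is an added example, not part of the original Oracle documentation. It checks the login-to-SELinux-user mappings for the hardening rule stated above for unconfined_u, by parsing the listing that `semanage login -l` prints. The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit Linux-login -> SELinux-user mappings for unconfined_u.
# Input is the text printed by `semanage login -l`.

# find_unconfined: read a `semanage login -l` listing on stdin and print one
# line per entry that maps to unconfined_u, as "<login> <kind>".
find_unconfined() {
    awk '
        # Skip blank lines and the column header row.
        NF < 2 || $1 == "Login" { next }
        $2 == "unconfined_u" {
            kind = "account"
            if ($1 == "__default__") kind = "default"   # every unlisted account
            else if ($1 ~ /^%/)      kind = "group"     # %group mapping
            print $1, kind
        }
    '
}

# Constructed sample listing (not captured from a real system).
sample_listing() {
    cat <<'EOF'

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
bob                  user_u               s0                   *
carol                unconfined_u         s0-s0:c0.c1023       *
%wheel               unconfined_u         s0-s0:c0.c1023       *
EOF
}

# audit: return 0 when nothing maps to unconfined_u, 1 otherwise.
audit() {
    findings=$(find_unconfined)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against the sample; on a live system use: semanage login -l | audit
sample_listing | audit || echo "hardening check failed: unconfined_u mappings present"
```

A `__default__` finding matters most, because every account without its own mapping inherits it.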