Default permissions and security context of new user?

Stephen Smalley sds at
Thu Feb 10 12:18:48 UTC 2005

On Wed, 2005-02-09 at 22:06, R. Jensen wrote:
> Hi. I'm wondering about the permissions new users get
> when they are created. Before SELinux I had to add users
> to 'wheel' to enable them to su to root.
> I did an adduser and it seems to be unrestricted:
> [testse at lankhmar ~]$ id -Z
> user_u:system_r:unconfined_t
> and the user is able to su to root. Is this normal?
> How would I keep the user from being able to su?
> I added:
>    user testse roles { user_r };
> to /etc/selinux/targeted/src/policy/users
> and did: make load
> This didn't seem to make any difference.
> This is on FC3 (2.6.10-1.760_FC3)
> selinux-policy-targeted-1.17.30-2.75
> [root at lankhmar ~]# sestatus
> SELinux status:         enabled
> SELinuxfs mount:        /selinux
> Current mode:           enforcing
> Mode from config file:  enforcing
> Policy version:         18
> Policy from config file:targeted
> I'm not sure if this is clear, or enough information.
> I tried searching the archives but didn't find anything.
> [I may be searching incorrectly].

The Red Hat targeted policy is only focused on confining specific
daemons, not users.  If you want to confine users and a much wider set
of programs and daemons, install and switch to the strict policy, but be
prepared for a significant change in your normal mode of operation.  See
the Fedora SELinux FAQ.

Stephen Smalley <sds at>
National Security Agency

More information about the fedora-selinux-list mailing list