What is the difference between unconfined_u and system_u in CentOS Linux release 8.2.2004?

Nona asked:

So I’m a bit confused trying to figure out how to tell if a user has read/write/executable permissions on files and/or directories in CentOS.

When I see:

-rw-r--r--.    john john2 unconfined_u:object_r:user_home_t:s0   .config
-rw-r--r--.    john john2 system_u:object_r:default_t:s0        .bashrc

after running ls -laZ,

does that mean the user "john" in group "john2" should have read/write permissions on both .config and .bashrc? But what do unconfined_u and system_u have to do with it?

My answer:

If you’re just running the default targeted policy and haven’t associated any user accounts with SELinux users, then all users will run unconfined and have the SELinux user unconfined_u. This includes the root user when root logs in or a user uses su/sudo. System processes run as the SELinux user system_u. By default the targeted policy only confines system services, not users.

You can, if you wish, confine users by associating their accounts with SELinux users, but this is not often done. It also may require some attention to setting or resetting the SELinux user on existing files.

The RHEL documentation has a lengthy explanation of the existing SELinux users, what those users are allowed to do, and the commands necessary to manage them. While you didn’t ask, it also explains roles, which are complementary to users and allow users in that role to engage in specific activities, usually related to managing SELinux itself.
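To make the separation in the answer concrete, here is an added example (my own illustration, not code from the Server Fault post or from the RHEL documentation) that takes lines in the shape CentOS 8's ls -laZ prints, splits each into its DAC part (mode bits, owner, group) and its SELinux context (seuser:role:type:level), and answers "can john read or write this?" from the mode bits alone. The three sample lines are constructed; the column layout (mode, link count, owner, group, context, size, date, name) is the one coreutils uses when a security context is shown. The SELinux user field never enters the DAC decision: on the targeted policy both unconfined_u and system_u files are governed by the type, and only after the mode bits have already said yes.

```sh
#!/bin/sh
# Added example: parse `ls -laZ` lines and keep the DAC answer (mode, owner,
# group) apart from the SELinux context. Sample lines are constructed.

LINE_CONFIG='-rw-r--r--. 1 john john2 unconfined_u:object_r:user_home_t:s0 4096 Jul  1 12:00 .config'
LINE_BASHRC='-rw-r--r--. 1 john john2 system_u:object_r:default_t:s0 220 Jul  1 12:00 .bashrc'
LINE_SHADOW='----------. 1 root root system_u:object_r:shadow_t:s0 1200 Jul  1 12:00 shadow'

# Column helpers. The trailing "." on the mode field (-rw-r--r--.) only tells
# you the file carries a security context; it says nothing about access.
ls_mode()  { printf '%s\n' "$1" | awk '{ print substr($1, 1, 10) }'; }
ls_owner() { printf '%s\n' "$1" | awk '{ print $3 }'; }
ls_group() { printf '%s\n' "$1" | awk '{ print $4 }'; }
ls_ctx()   { printf '%s\n' "$1" | awk '{ print $5 }'; }
ls_name()  { printf '%s\n' "$1" | awk '{ print $NF }'; }

# SELinux context fields: seuser:role:type:level (level may contain ':' in MLS).
se_user()  { ls_ctx "$1" | cut -d: -f1; }
se_role()  { ls_ctx "$1" | cut -d: -f2; }
se_type()  { ls_ctx "$1" | cut -d: -f3; }
se_level() { ls_ctx "$1" | cut -d: -f4-; }

# dac_allows LINE USER "GROUP1 GROUP2 ..." r|w|x  -> prints yes or no
# Chooses the owner, group or other triplet the way the kernel does (owner
# first, then any group the user is in, then other) and checks one bit.
# root's CAP_DAC_OVERRIDE bypass is deliberately not modelled.
dac_allows() {
    line=$1 user=$2 grps=$3 perm=$4
    mode=$(ls_mode "$line")
    off=8                                   # "other" triplet starts at column 8
    if [ "$user" = "$(ls_owner "$line")" ]; then
        off=2                               # owner triplet
    else
        for g in $grps; do
            if [ "$g" = "$(ls_group "$line")" ]; then off=5; break; fi
        done
    fi
    case $perm in
        r) pos=$off ;;
        w) pos=$((off + 1)) ;;
        x) pos=$((off + 2)) ;;
        *) echo "bad perm: $perm" >&2; return 2 ;;
    esac
    bit=$(printf '%s\n' "$mode" | cut -c"$pos")
    # s/t in the x position still means executable (setuid/setgid/sticky).
    case "$perm$bit" in
        rr|ww|xx|xs|xt) echo yes ;;
        *)              echo no ;;
    esac
}

# One line per file: the DAC verdict for john, then the context fields.
explain() {
    printf '%-8s owner=%s group=%s john:r=%s w=%s | seuser=%s role=%s type=%s level=%s\n' \
        "$(ls_name "$1")" "$(ls_owner "$1")" "$(ls_group "$1")" \
        "$(dac_allows "$1" john john2 r)" "$(dac_allows "$1" john john2 w)" \
        "$(se_user "$1")" "$(se_role "$1")" "$(se_type "$1")" "$(se_level "$1")"
}

for l in "$LINE_CONFIG" "$LINE_BASHRC" "$LINE_SHADOW"; do
    explain "$l"
done
```

Run as-is and it prints one line per sample file: .config and .bashrc both come out as john:r=yes w=yes, because the mode bits say so, regardless of unconfined_u versus system_u in the context. One caveat from practice: a file in a home directory labelled default_t, like the .bashrc in the question, is normally a sign it was created outside the usual labelling rules, and restorecon on it resets the type to user_home_t (the seuser portion is left alone unless you pass -F).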

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.