CME-302

SELinux Confined User Mapping

Description

Maps Linux login users to SELinux confined user types (staff_u, user_u, guest_u) instead of unconfined_u. This restricts user-level capabilities such as running unconfined applications, accessing the network, or executing files in /tmp.

CVSS Vector Impacts

Metric                    Transition   Rationale
Privileges Required (PR)  L -> H       Compromised user account has significantly restricted capabilities

CWE Relationships

Verification

Verify no regular users mapped to unconfined_u

# List login mappings other than unconfined_u (the header line is dropped as well)
$ semanage login -l | grep -v 'unconfined_u\|Login Name'
# Expected: staff_u|user_u|guest_u
# Any regular user login absent from this listing is still mapped to unconfined_u
Platform: rhel
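As an added example (not part of the original control entry), the script below automates the verification above: it parses a `semanage login -l` style listing and reports every login other than root and system_u that is still mapped to unconfined_u. It reads the listing from stdin so it can run offline against the constructed sample listings embedded below; on a real host, pipe `semanage login -l` into `check_confined_mapping` instead. Treating root as acceptable with unconfined_u is an assumption made here, not something the control states.

```shell
#!/bin/sh
# Added example: flag logins still mapped to unconfined_u in a `semanage login -l` listing.
# Input format (as printed by semanage): header line, blank line, then one row per login
# with columns: Login Name, SELinux User, MLS/MCS Range, Service.

# Print each login whose SELinux user is unconfined_u, skipping the header (NR > 1),
# blank lines (NF >= 2), and the root/system_u entries (assumption: root may stay unconfined).
unconfined_logins() {
    awk 'NR > 1 && NF >= 2 && $1 != "root" && $1 != "system_u" && $2 == "unconfined_u" { print $1 }'
}

# Return 0 when no regular login maps to unconfined_u, 1 otherwise (offenders printed).
check_confined_mapping() {
    offenders=$(unconfined_logins)
    if [ -n "$offenders" ]; then
        echo "FAIL: logins still mapped to unconfined_u:"
        echo "$offenders"
        return 1
    fi
    echo "PASS: no regular logins mapped to unconfined_u"
    return 0
}

# Constructed sample listings (not captured from a real host).
# __default__ governs logins with no explicit mapping, so it is checked like any other entry.
SAMPLE_BAD='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

SAMPLE_GOOD='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
alice                staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# Demo run over the constructed samples; on a host use: semanage login -l | check_confined_mapping
printf '%s\n' "$SAMPLE_BAD"  | check_confined_mapping || true
printf '%s\n' "$SAMPLE_GOOD" | check_confined_mapping
```

The check is deliberately stricter than grepping away unconfined_u lines: it names the offending logins, and it counts __default__ as an offender because an unconfined __default__ mapping silently gives every unmapped login unconfined_u.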