selinux/policycoreutils/sepolicy/sepolicy/help/users.txt - nest-cam/4320010/selinux - Git at Google

 By Default on a SELinux Targeted Policy system, all users login using the unconfined_t user.

 SELinux has a very powerful concept called confined users.  You can setup individual users on your system to login with different SELinux user types.  This SELinux User Screen allows you to create/modify SELinux Users and map them to SELinux Roles and MLS/MCS Ranges

 Default SELinux Users:

 * Terminal user/ssh - guest_u
   - No Network, No setuid, no exec in homedir

 * Browser user/kiosk - xguest_u
   - Web access ports only.  No setuid, no exec in homedir

 * Full Desktop user - User_u
   - Full Network, No SETUID.

 * Confined Admin/Desktop User - Staff_u
   - Full Network, sudo to admin only, no root password.  Usually a confined admin

 * Unconfined user - unconfined_u (Default)
   - SELinux does not block access.
	By Default on a SELinux Targeted Policy system, all users login using the unconfined_t user.

	SELinux has a very powerful concept called confined users. You can setup individual users on your system to login with different SELinux user types. This SELinux User Screen allows you to create/modify SELinux Users and map them to SELinux Roles and MLS/MCS Ranges

	Default SELinux Users:

	* Terminal user/ssh - guest_u
	- No Network, No setuid, no exec in homedir

	* Browser user/kiosk - xguest_u
	- Web access ports only. No setuid, no exec in homedir

	* Full Desktop user - User_u
	- Full Network, No SETUID.

	* Confined Admin/Desktop User - Staff_u
	- Full Network, sudo to admin only, no root password. Usually a confined admin

	* Unconfined user - unconfined_u (Default)
	- SELinux does not block access.