(The featured image is a screenshot of the Java class PS2PDF uses to execute external executables.)
Linux users are mapped to SELinux users via a policy. This lets a Linux user inherit the rules that restrict what it can do on the system. The following command lists all the login mappings on a CentOS/RHEL system:
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
Note that all users are mapped to unconfined_u by default, since they are treated as __default__ Linux users unless a specific login mapping is defined for them.
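The fallback to __default__ described above, as an added example (not code from the original post): these shell functions resolve which SELinux user a Linux login receives from `semanage login -l` output. The table is a constructed sample based on the output above plus a hypothetical `alice` mapped to `user_u`; the function names are assumptions, and group (`%name`) entries are not handled.

```shell
#!/bin/sh
# Constructed sample: the `semanage login -l` output shown above, plus one
# hypothetical explicit mapping (alice -> user_u) added for illustration.
SAMPLE_MAPPINGS='
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
alice                user_u               s0                   *
'

# Print the mapping table. On a live host, replace the body with:
#   semanage login -l
login_mappings() {
    printf '%s\n' "$SAMPLE_MAPPINGS"
}

# Resolve the SELinux user for a Linux login: an explicit entry wins,
# otherwise the __default__ entry applies.
selinux_user_for() {
    login_mappings | awk -v login="$1" '
        $1 == "Login" || NF < 3 { next }      # skip header and blank lines
        $1 == login             { explicit = $2 }
        $1 == "__default__"     { fallback = $2 }
        END {
            if (explicit != "")      print explicit
            else if (fallback != "") print fallback
            else                     exit 1   # no entry and no default
        }'
}

# List every table entry whose SELinux user is unconfined_u.
unconfined_entries() {
    login_mappings | awk '$1 != "Login" && NF >= 3 && $2 == "unconfined_u" { print $1 }'
}

# Succeeds when the login maps to something other than unconfined_u;
# returns 2 when the mapping cannot be resolved at all.
is_confined() {
    u=$(selinux_user_for "$1") || return 2
    [ "$u" != "unconfined_u" ]
}
```

Any login absent from the table, such as a newly created account, resolves through `__default__` and therefore comes back as `unconfined_u`.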
If you are an unconfined user and you execute a program whose policy defines a transition from the unconfined_t domain to a confined domain (confined_t), you are then subject to the restrictions of that domain. This prevents unconfined users from exploiting flaws in confined applications.
To see all roles:
# seinfo -r