secadm_selinux(8)        secadm SELinux Policy documentation        secadm_selinux(8)

NAME
secadm_r - Security administrator role - Security Enhanced Linux Policy

DESCRIPTION
SELinux supports Role-Based Access Control (RBAC). Some Linux roles are
login roles, while other roles need to be transitioned into.

Note: Examples in this man page will use the staff_u SELinux user.

Non-login roles are usually used for administrative tasks, for example
tasks that require root privileges. Roles control which types a user can
run processes with. Roles often have default types assigned to them.

The default type for the secadm_r role is secadm_t.

Use the newrole program to transition directly to this role:

newrole -r secadm_r -t secadm_t

sudo is the preferred method of transitioning from one role to another.
You set up sudo to transition to secadm_r by adding a line like the
following to the /etc/sudoers file:

USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND

sudo will then run COMMAND as staff_u:secadm_r:secadm_t:LEVEL. Restricting
COMMAND to the specific administrative programs that need secadm_t, rather
than ALL, keeps the entry from becoming a general root shell in the
security administrator domain.

When using a non-login role, you need to set up SELinux so that your
SELinux user can reach the secadm_r role.

Execute the following to see all SELinux users and the roles assigned to
them:

semanage user -l

You need to add secadm_r to the staff_u user. You could set up the
staff_u user to be able to use the secadm_r role with a command like:

$ semanage user -m -R 'staff_r system_r secadm_r' staff_u

Note that -R replaces the user's whole role list rather than appending to
it, so include every role staff_u already has (as shown by semanage user
-l) in the quoted list, or staff_u will lose the roles you leave out.

SELinux policy also controls which roles can transition to a different
role. You can list these rules using the following command:

sesearch --role_allow

SELinux policy allows the auditadm_r, staff_r and sysadm_r roles to
transition to the secadm_r role. Both conditions are needed before the
transition works: secadm_r must be in the SELinux user's role set, and one
of the roles the user already holds must be allowed to transition to it.

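The two preconditions above (role assignment via semanage, and a role allow rule via sesearch) are easy to check by hand on one host and easy to get wrong across many. The following POSIX sh script is an added example, not part of this generated page or of the sepolicy tooling: it parses the text output of `semanage user -l` and `sesearch --role_allow`, reports whether a SELinux user can reach secadm_r, and prints the `semanage user -m -R` line that adds the role without dropping the roles the user already has, plus the matching sudoers entry. The SAMPLE_* strings are constructed stand-ins for the real command output so the script runs offline; the user name alice and the command /usr/sbin/semanage in the sudoers line are assumptions.

```shell
# Constructed sample of `semanage user -l` (targeted-policy style listing).
# On a live system use LISTING=$(semanage user -l) and pass that instead.
SAMPLE_SEMANAGE_USERS='
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
'

# Constructed sample of `sesearch --role_allow` (setools 4 output style).
# On a live system use RULES=$(sesearch --role_allow).
SAMPLE_ROLE_ALLOW='
allow auditadm_r secadm_r;
allow staff_r secadm_r;
allow sysadm_r secadm_r;
allow staff_r sysadm_r;
allow secadm_r staff_r;
allow sysadm_r staff_r;
'

# user_roles USER LISTING: print the roles assigned to USER, one per line.
# Columns 1-4 are user, prefix, level and range; roles start at column 5.
user_roles() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { for (i = 5; i <= NF; i++) print $i }'
}

# user_has_role USER ROLE LISTING: succeed if ROLE is in USER's role set.
user_has_role() {
    user_roles "$1" "$3" | grep -qxF "$2"
}

# role_allow FROM TO RULES: succeed if a role allow rule lets FROM become TO.
role_allow() {
    printf '%s\n' "$3" | grep -qxF "allow $1 $2;"
}

# can_reach_role USER ROLE LISTING RULES: succeed only if ROLE is assigned
# to USER and some other role USER holds is allowed to transition to it.
can_reach_role() {
    if ! user_has_role "$1" "$2" "$3"; then
        return 1
    fi
    for r in $(user_roles "$1" "$3"); do
        if [ "$r" != "$2" ] && role_allow "$r" "$2" "$4"; then
            return 0
        fi
    done
    return 1
}

# role_add_command USER ROLE LISTING: print the `semanage user -m -R`
# command that adds ROLE while keeping USER's existing roles, because -R
# replaces the whole role list. Prints nothing if ROLE is already assigned.
role_add_command() {
    if user_has_role "$1" "$2" "$3"; then
        return 0
    fi
    roles=$( { user_roles "$1" "$3"; echo "$2"; } | LC_ALL=C sort -u | tr '\n' ' ' )
    printf "semanage user -m -R '%s' %s\n" "${roles% }" "$1"
}

# sudoers_line USER COMMAND: the /etc/sudoers entry that runs COMMAND in
# secadm_r:secadm_t for USER (assumed user and command names in the usage).
sudoers_line() {
    printf '%s ALL=(ALL) ROLE=secadm_r TYPE=secadm_t %s\n' "$1" "$2"
}

# Usage with the constructed samples; swap in the live LISTING/RULES.
if can_reach_role staff_u secadm_r "$SAMPLE_SEMANAGE_USERS" "$SAMPLE_ROLE_ALLOW"; then
    echo "staff_u can already reach secadm_r"
else
    echo "staff_u cannot reach secadm_r yet; run:"
    role_add_command staff_u secadm_r "$SAMPLE_SEMANAGE_USERS"
fi
sudoers_line alice /usr/sbin/semanage
```

Run it with `sh`. With the sample data staff_u is not yet assigned secadm_r, so the script prints a `semanage user -m -R 'secadm_r staff_r sysadm_r system_r unconfined_r' staff_u` line that preserves the four roles staff_u already has. Assigning secadm_r to user_u would still leave it unreachable, because no role allow rule leads from user_r to secadm_r; can_reach_role catches that case.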
BOOLEANS
SELinux policy is customizable based on the least access required. secadm
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run secadm with the tightest access possible.

The "Enabled by default" and "Disabled by default" notes below record the
boolean values as they were on the system this page was generated from;
check the live values with getsebool -a before relying on them.

If you want to allow users to resolve user passwd entries directly from
ldap rather than using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to deny user domain applications the ability to map a memory
region as both executable and writable (this is dangerous, and an
executable that needs it should be reported in bugzilla), you must turn on
the deny_execmem boolean. Enabled by default.

setsebool -P deny_execmem 1

If you want to deny any process from ptracing or debugging any other
process, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1

If you want to allow any process to mmap any file on the system with the
attribute file_type, you must turn on the domain_can_mmap_files boolean.
Enabled by default.

setsebool -P domain_can_mmap_files 1

If you want to allow all domains to write to kmsg_device while the kernel
is booted with the systemd.log_target=kmsg parameter, you must turn on the
domain_can_write_kmsg boolean. Disabled by default.

setsebool -P domain_can_write_kmsg 1

If you want to allow all domains to use other domains' file descriptors,
you must turn on the domain_fd_use boolean. Enabled by default.

setsebool -P domain_fd_use 1

If you want to allow all domains to have the kernel load modules, you must
turn on the domain_kernel_load_modules boolean. Disabled by default.

setsebool -P domain_kernel_load_modules 1

If you want to allow all domains to execute in fips_mode, you must turn on
the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to enable reading of urandom for all domains, you must turn on
the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1

If you want to allow confined applications to run with kerberos, you must
turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow logging in and using the system from /dev/console,
you must turn on the login_console_enabled boolean. Enabled by default.

setsebool -P login_console_enabled 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory, you
must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1

If you want to disallow programs, such as newrole, from transitioning to
administrative user domains, you must turn on the secure_mode boolean.
Enabled by default. With this boolean on, the newrole transition to
secadm_t shown above is among those refused, so use the sudo method in
that configuration.

setsebool -P secure_mode 1

If you want to control whether the system permits loading policy, setting
enforcing mode, and changing boolean values, you must turn on the
secure_mode_policyload boolean. Once set to true it cannot be turned off
again without a reboot, and with -P the setting also survives the reboot,
so enable it only after the policy and the other booleans are final.
Enabled by default.

setsebool -P secure_mode_policyload 1

If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary; it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1

If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the
ssh_sysadm_login boolean. Disabled by default.

setsebool -P ssh_sysadm_login 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

If you want to allow the graphical login program to log in directly as
sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
Disabled by default.

setsebool -P xdm_sysadm_login 1

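Each boolean above is a single setsebool -P line, but on a fleet the useful question is which of them have drifted from the values you intend, and which change is safe to make unattended. The following POSIX sh script is an added example, not part of this generated page: it reads `getsebool -a` output, compares it with a baseline of desired values, and prints the setsebool -P commands needed, refusing to emit the secure_mode_policyload change unless explicitly confirmed because that one is irreversible until reboot. The getsebool output and the baseline are constructed for the example; the baseline values are illustrative assumptions for a locked-down secadm host, not values this page prescribes.

```shell
# Constructed sample of `getsebool -a` output, trimmed to booleans this
# page discusses. On a live system use LIVE=$(getsebool -a) instead.
SAMPLE_GETSEBOOL='
authlogin_nsswitch_use_ldap --> off
deny_execmem --> off
deny_ptrace --> off
domain_can_mmap_files --> on
domain_fd_use --> on
fips_mode --> on
secure_mode --> off
secure_mode_policyload --> off
selinuxuser_execstack --> on
ssh_sysadm_login --> off
xdm_sysadm_login --> off
'

# Constructed baseline: one "boolean value" pair per line. These are
# example choices (assumptions), not values the man page prescribes.
# nosuch_boolean shows how an unknown name is handled.
BASELINE='
deny_execmem on
deny_ptrace on
selinuxuser_execstack off
ssh_sysadm_login off
xdm_sysadm_login off
secure_mode_policyload on
nosuch_boolean on
'

# bool_value NAME OUTPUT: print the live value (on/off) of NAME from
# getsebool output, or nothing if the boolean is not in the loaded policy.
bool_value() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b && $2 == "-->" { print $3 }'
}

# drift_commands BASELINE OUTPUT [confirm]: print one setsebool -P command
# for each baseline boolean whose live value differs. secure_mode_policyload
# is only emitted when the third argument is "confirm": once it is on it
# cannot be turned off again until a reboot, and -P makes it survive the
# reboot too, so it has to be the last change, after everything else is
# verified. Unknown booleans and matching values produce no command.
drift_commands() {
    printf '%s\n' "$1" | while read -r name want; do
        if [ -z "$name" ]; then
            continue
        fi
        have=$(bool_value "$name" "$2")
        if [ -z "$have" ]; then
            printf '# %s: not present in the loaded policy, skipped\n' "$name"
        elif [ "$have" = "$want" ]; then
            continue
        elif [ "$name" = secure_mode_policyload ] && [ "$3" != confirm ]; then
            printf '# %s: differs (%s), not emitted without confirm\n' "$name" "$have"
        else
            printf 'setsebool -P %s %s\n' "$name" "$want"
        fi
    done
}

# drift_count BASELINE OUTPUT [confirm]: number of setsebool commands that
# drift_commands would emit (comment lines excluded).
drift_count() {
    drift_commands "$1" "$2" "$3" | awk '/^setsebool / { n++ } END { print n + 0 }'
}

# Usage with the constructed data: a dry run, then the confirmed run.
echo "# without confirm:"
drift_commands "$BASELINE" "$SAMPLE_GETSEBOOL"
echo "# with confirm:"
drift_commands "$BASELINE" "$SAMPLE_GETSEBOOL" confirm
```

Run with `sh`. The unconfirmed run emits three commands (deny_execmem, deny_ptrace and selinuxuser_execstack) and comment lines for secure_mode_policyload and the unknown boolean; the confirmed run adds `setsebool -P secure_mode_policyload on` as a fourth command. Review the printed lines before piping them into a shell: setsebool -P rebuilds and reloads policy, which is the step secure_mode_policyload will block once it is on.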
MANAGED FILES
The SELinux process type secadm_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types, given as the regular expressions from the file_contexts
database. Note that the process's UID still needs to have DAC permissions.
Because the list includes selinux_config_t (/etc/selinux, which holds the
enforcing-mode setting read at boot) and semanage_store_t (the policy
store), a compromised secadm_t process can change the policy itself; the
secure_mode_policyload boolean limits what the running kernel will accept,
but does not stop edits to these files that take effect at the next boot.
Use restorecon -nv PATH to check whether a file's current label matches
its default without changing it.

boolean_type

default_context_t

/etc/selinux/([^/]*/)?contexts(/.*)?
/root/.default_contexts

dosfs_t

etc_runtime_t

/[^/]+
/etc/mtab.*
/etc/blkid(/.*)?
/etc/nologin.*
/etc/.fstab.hal..+
/halt
/fastboot
/poweroff
/etc/cmtab
/forcefsck
/.autofsck
/.suspended
/fsckoptions
/var/.updated
/etc/.updated
/.autorelabel
/etc/securetty
/etc/nohotplug
/etc/killpower
/etc/ioctl.save
/etc/fstab.REVOKE
/etc/network/ifstate
/etc/sysconfig/hwconf
/etc/ptal/ptal-printd-like
/etc/sysconfig/iptables.save
/etc/xorg.conf.d/00-system-setup-keyboard.conf
/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

file_context_t

/etc/selinux/([^/]*/)?contexts/files(/.*)?

screen_home_t

/root/.screen(/.*)?
/home/[^/]+/.screen(/.*)?
/home/[^/]+/.screenrc
/home/[^/]+/.tmux.conf

selinux_config_t

/etc/selinux(/.*)?
/etc/selinux/([^/]*/)?seusers
/etc/selinux/([^/]*/)?users(/.*)?
/etc/selinux/([^/]*/)?setrans.conf
/var/lib/sepolgen(/.*)?

selinux_login_config_t

/etc/selinux/([^/]*/)?logins(/.*)?

semanage_store_t

/etc/selinux/([^/]*/)?policy(/.*)?
/etc/selinux/(minimum|mls|targeted)/active(/.*)?
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
/var/lib/selinux(/.*)?
/etc/share/selinux/mls(/.*)?
/etc/share/selinux/targeted(/.*)?

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?

user_tmp_type

all user tmp files

COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove policy
modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy
settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), secadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8), secadm_screen_selinux(8), secadm_su_selinux(8),
secadm_sudo_selinux(8)

mgrepl@redhat.com                      secadm                      secadm_selinux(8)