staff_selinux(8)        staff SELinux Policy documentation        staff_selinux(8)

NAME
       staff_u - Administrator's unprivileged user - Security Enhanced Linux
       Policy

DESCRIPTION
       staff_u is an SELinux user defined in the SELinux policy.  Every SELinux
       user has a default role; for staff_u it is staff_r, and that role in
       turn has a default type, staff_t, associated with it.

       A staff_u login therefore normally starts with a context that looks
       like:

              staff_u:staff_r:staff_t:s0-s0:c0.c1023

       Each Linux user is mapped to an SELinux user at login.  Login programs
       use that SELinux user to assign the initial context of the user's
       shell, and SELinux policy then uses the context to control the user's
       access.

       Linux users without an explicit mapping are assigned the SELinux user
       of the __default__ login record.  On targeted policy systems
       __default__ maps to unconfined_u, so nobody is confined until that
       mapping is changed.

       You can list all Linux user to SELinux user mappings with:

              semanage login -l

       If you want to change the default mapping so that unmapped Linux users
       become staff_u, execute:

              semanage login -m -s staff_u __default__

       Mappings are only consulted at login: sessions that already exist keep
       their old context until the user logs out and back in.  Map the
       administrative accounts you rely on explicitly before changing
       __default__, and confirm that a fresh login still works before closing
       the session you changed it from.

USER DESCRIPTION
       The SELinux user staff_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from performing administration
       tasks without first transitioning to a different role.

SUDO
       The SELinux user staff_u can execute sudo, and sudo can be set up to
       move the user into an administrative role and domain.

       Add one or more of the following records to sudoers using visudo.  For
       each of them sudo runs COMMAND as staff_u:ROLE:TYPE:LEVEL, where LEVEL
       is the MLS/MCS level of the calling session:

              USERNAME ALL=(ALL) ROLE=webadm_r     TYPE=webadm_t     COMMAND
              USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
              USERNAME ALL=(ALL) ROLE=sysadm_r     TYPE=sysadm_t     COMMAND
              USERNAME ALL=(ALL) ROLE=secadm_r     TYPE=secadm_t     COMMAND
              USERNAME ALL=(ALL) ROLE=logadm_r     TYPE=logadm_t     COMMAND
              USERNAME ALL=(ALL) ROLE=dbadm_r      TYPE=dbadm_t      COMMAND
              USERNAME ALL=(ALL) ROLE=auditadm_r   TYPE=auditadm_t   COMMAND

       A sudoers entry alone is not enough.  The SELinux user record for
       staff_u must also list every role that sudo is expected to reach;
       otherwise sudo cannot build the requested context and the command is
       refused.  List the roles staff_u can currently reach with:

              $ semanage user -l | grep staff_u

       Then modify the roles list so that it contains staff_r plus the target
       role(s) named in your sudoers entries.  The following grants every
       administrative role at once:

              $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r logadm_r dbadm_r auditadm_r' staff_u

       Granting all of them defeats the purpose of a confined staff user:
       prefer the smallest set your sudoers entries actually need, for
       example 'staff_r webadm_r' for someone who only administers the web
       server.  Note that -R replaces the whole list, so staff_r must always
       remain in it or the user loses their login role.  For more details see
       the semanage man page.

       sudo itself does not run in the staff_t type: when executed from
       staff_t it transitions to the domain described in
       staff_sudo_selinux(8), and it is that domain which performs the role
       and type change.

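The two checks above (which SELinux user a Linux login maps to, and whether the SELinux user record can reach every ROLE= target in sudoers) combined into one script.  This is an added example, not part of the sepolicy-generated page: a POSIX shell script that parses the output of `semanage login -l`, `semanage user -l` and the sudoers entries, reports the roles a given Linux user cannot reach, and prints the smallest `semanage user -m -R` command that closes the gap (current roles plus the missing ones, never the whole administrative set).  The tables embedded in the script are constructed for the example; the login names alice and bob, their role sets and the sudoers commands are invented.  Run it with `--live USERNAME` on a real host to read the live tables instead.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated man page): check that the
# roles named in sudoers ROLE= entries are reachable from a Linux user's
# SELinux user record, and print the minimal fix if they are not.
#
# Constructed sample tables standing in for real command output.
LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

USER_MAP='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# Hypothetical sudoers entries in the form the SUDO section describes.
SUDOERS='alice ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /usr/bin/systemctl restart httpd
alice ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t /usr/bin/journalctl
bob   ALL=(ALL) ROLE=dbadm_r  TYPE=dbadm_t  /usr/bin/psql'

# selinux_user LOGIN: the SELinux user LOGIN maps to, falling back to __default__
selinux_user() {
    printf '%s\n' "$LOGIN_MAP" | awk -v login="$1" '
        $1 == login         { found = $2 }
        $1 == "__default__" { def = $2 }
        END { print (found != "" ? found : def) }'
}

# user_roles SEUSER: space-separated roles of the SELinux user record (column 5 onward)
user_roles() {
    printf '%s\n' "$USER_MAP" | awk -v u="$1" '
        $1 == u { for (i = 5; i <= NF; i++) printf "%s%s", (i > 5 ? " " : ""), $i; print "" }'
}

# sudoers_roles LOGIN: every ROLE= target that sudoers names for LOGIN
sudoers_roles() {
    printf '%s\n' "$SUDOERS" | awk -v login="$1" '
        $1 == login { for (i = 2; i <= NF; i++) if ($i ~ /^ROLE=/) print substr($i, 6) }'
}

# missing_roles LOGIN: ROLE= targets the user's SELinux user record does not contain
missing_roles() {
    mr_have=" $(user_roles "$(selinux_user "$1")") "
    for r in $(sudoers_roles "$1"); do
        case "$mr_have" in
            *" $r "*) ;;
            *) printf '%s\n' "$r" ;;
        esac
    done
}

# fix_command LOGIN: minimal `semanage user -m -R` command (current roles plus
# the missing ones), or nothing when the record already reaches every target
fix_command() {
    fc_seuser=$(selinux_user "$1")
    fc_missing=$(missing_roles "$1" | sort -u | tr '\n' ' ')
    if [ -n "$fc_missing" ]; then
        printf "semanage user -m -R '%s %s' %s\n" \
            "$(user_roles "$fc_seuser")" "${fc_missing% }" "$fc_seuser"
    fi
}

# Usage on a real host: sh check_roles.sh --live USERNAME  (needs policycoreutils)
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    LOGIN_MAP=$(semanage login -l)
    USER_MAP=$(semanage user -l)
    SUDOERS=$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)
    fix_command "$2"
fi
```

With the sample tables, alice can already reach sysadm_r but not webadm_r, so the script prints a command that adds only webadm_r to her existing list; bob falls through to the __default__ mapping, which is the usual surprise on a targeted system that has not yet had __default__ pointed at staff_u.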

X WINDOWS LOGIN
       The SELinux user staff_u is able to log in through X Windows.

NETWORK
       The SELinux user staff_u is able to listen on the following tcp ports:

              6000-6020
              32768-61000
              3689
              all ports > 1024
              all ports without defined types

       The SELinux user staff_u is able to connect to the following tcp ports:

              53
              all ports
              8955
              32768-61000
              9080
              all ports < 1024
              389,636,3268,3269,7389
              5432,9898
              88,750,4444
              111
              all ports without defined types

       The SELinux user staff_u is able to listen on the following udp ports:

              32768-61000
              all ports without defined types
              all ports > 1024

       These lists are derived from the port types the staff_t domain may
       bind to or connect to.  Whether a user process may actually bind to a
       port is additionally gated by the selinuxuser_tcp_server and
       selinuxuser_udp_server booleans described under BOOLEANS, both of
       which are disabled by default.

BOOLEANS
       SELinux policy is customizable based on the least access required.
       The staff policy is extremely flexible and has several booleans that
       let you tune it and run staff with the tightest access possible.  The
       "Enabled/Disabled by default" notes below reflect the policy this page
       was generated from; defaults differ between distributions and
       releases, so check the live value with getsebool(8) before relying on
       it.

       If you want to allow the staff user to create and transition to svirt
       domains, you must turn on the staff_use_svirt boolean.  Disabled by
       default.

              setsebool -P staff_use_svirt 1

       If you want to allow users to resolve user passwd entries directly
       from ldap rather than through an sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean.  Disabled by default.

              setsebool -P authlogin_nsswitch_use_ldap 1

       If you want crond to execute jobs in the user domain rather than in
       the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean.  Enabled by default.

              setsebool -P cron_userdomain_transition 1

       If you want to deny user-domain applications the ability to map a
       memory region as both executable and writable (a dangerous
       combination; an executable that needs it should be reported in
       bugzilla), you must turn on the deny_execmem boolean.  Enabled by
       default.

              setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean.  Enabled by
       default.

              setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       the attribute file_type, you must turn on the domain_can_mmap_files
       boolean.  Enabled by default.

              setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is running with the systemd.log_target=kmsg parameter, you
       must turn on the domain_can_write_kmsg boolean.  Disabled by default.

              setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean.  Enabled by
       default.

              setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean.  Disabled by
       default.

              setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean.  Enabled by default.

              setsebool -P fips_mode 1

       If you want calling user domains to be able to execute the Git daemon
       in the git_session_t domain, you must turn on the git_session_users
       boolean.  Enabled by default.

              setsebool -P git_session_users 1

       If you want to enable reading of urandom for all domains, you must
       turn on the global_ssp boolean.  Disabled by default.

              setsebool -P global_ssp 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean.  Enabled by default.

              setsebool -P httpd_enable_cgi 1

       If you want to unify HTTPD handling of all content files, you must
       turn on the httpd_unified boolean.  Disabled by default.

              setsebool -P httpd_unified 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean.  Enabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow logging in and using the system from
       /dev/console, you must turn on the login_console_enabled boolean.
       Enabled by default.

              setsebool -P login_console_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean.  Disabled by default.

              setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean.  Disabled by default.

              setsebool -P nscd_use_shm 1

       If you want calling user domains to be able to execute the Polipo
       daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean.  Disabled by default.

              setsebool -P polipo_session_users 1

       If you want to allow unprivileged users to execute DDL statements,
       you must turn on the postgresql_selinux_users_ddl boolean.  Enabled
       by default.

              setsebool -P postgresql_selinux_users_ddl 1

       If you want to allow pppd to be run by a regular user, you must turn
       on the pppd_for_user boolean.  Disabled by default.

              setsebool -P pppd_for_user 1

       If you want to disallow programs such as newrole from transitioning
       to administrative user domains, you must turn on the secure_mode
       boolean.  Enabled by default.

              setsebool -P secure_mode 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean.  Enabled by
       default.

              setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean.  Enabled by default.

              setsebool -P selinuxuser_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean.  This
       should never, ever be necessary: it usually indicates a badly coded
       executable, but could indicate an attack, and the executable should
       be reported in bugzilla.  Enabled by default.

              setsebool -P selinuxuser_execstack 1

       selinuxuser_execmod and selinuxuser_execstack are both on by default
       for compatibility; on a host where users are confined as staff_u and
       the tightest access is the goal, turning them off (together with
       deny_execmem) removes the writable-and-executable memory mappings
       that exploit payloads commonly depend on.

       If you want to allow users to connect to the local mysql server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean.  Disabled
       by default.

              setsebool -P selinuxuser_mysql_connect_enabled 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean.  Disabled by
       default.

              setsebool -P selinuxuser_postgresql_connect_enabled 1

       If you want to allow users to read and write files on filesystems
       that do not have extended attributes (FAT, CDROM, FLOPPY), you must
       turn on the selinuxuser_rw_noexattrfile boolean.  Enabled by default.

              setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow user music sharing, you must turn on the
       selinuxuser_share_music boolean.  Disabled by default.

              setsebool -P selinuxuser_share_music 1

       If you want to allow users to run TCP servers (bind to ports and
       accept connections from the same domain and from outside users), you
       must turn on the selinuxuser_tcp_server boolean.  Leaving it disabled
       forces FTP passive mode and may change other protocols.  Disabled by
       default.

              setsebool -P selinuxuser_tcp_server 1

       If you want to allow users to run UDP servers (bind to ports and
       accept connections from the same domain and from outside users), you
       must turn on the selinuxuser_udp_server boolean.  Leaving it disabled
       may break avahi discovering services on the network and other udp
       related services.  Disabled by default.

              setsebool -P selinuxuser_udp_server 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean.  Disabled by default.

              setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn
       on the ssh_sysadm_login boolean.  Disabled by default.  Leaving it off
       forces administrators to log in as staff_u and reach sysadm_r through
       the audited sudo transition described under SUDO rather than landing
       in the administrative domain directly.

              setsebool -P ssh_sysadm_login 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean.  Disabled by default.

              setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean.  Disabled by default.

              setsebool -P use_samba_home_dirs 1

       If you want to allow the graphical login program to log in directly
       as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
       Enabled by default.  The same consideration as for ssh_sysadm_login
       applies: turning it off keeps graphical sessions in the unprivileged
       staff role.

              setsebool -P xdm_sysadm_login 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

              setsebool -P xserver_clients_write_xshm 1

       If you want to support the X userspace object manager, you must turn
       on the xserver_object_manager boolean.  Enabled by default.

              setsebool -P xserver_object_manager 1

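Because the defaults quoted above are those of the policy the page was generated from, the practical question on any given host is which of these booleans have drifted from the state you intend.  The following is an added example, not part of the sepolicy-generated page: a POSIX shell audit that compares the output of `getsebool -a` against a hardened baseline for a host whose users are confined as staff_u, prints one line per drifted boolean, and emits the matching `setsebool -P` commands.  The baseline is an assumption chosen for the example (the tightest settings this page discusses); the `getsebool -a` sample embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated man page): audit the
# staff_u-relevant booleans against a hardened baseline and print the
# setsebool -P commands that would bring the host into line.
#
# Baseline is an assumption for this example: the tightest settings the
# BOOLEANS section discusses for a host whose users are confined as staff_u.
BASELINE='deny_ptrace on
deny_execmem on
selinuxuser_execstack off
selinuxuser_execmod off
ssh_sysadm_login off
xdm_sysadm_login off
secure_mode on
selinuxuser_tcp_server off
selinuxuser_udp_server off
domain_kernel_load_modules off'

# Constructed sample of `getsebool -a` output ("name --> state", sorted by name).
SAMPLE='deny_execmem --> off
deny_ptrace --> off
domain_kernel_load_modules --> off
secure_mode --> off
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_tcp_server --> off
selinuxuser_udp_server --> off
ssh_sysadm_login --> off
xdm_sysadm_login --> on'

# drift BASELINE < getsebool-output: one "name current wanted" line per mismatch,
# plus "name missing wanted" for baseline booleans the loaded policy does not define.
drift() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            if ($3 != want[$1]) printf "%s %s %s\n", $1, $3, want[$1]
        }
        END { for (b in want) if (!(b in seen)) printf "%s missing %s\n", b, want[b] }'
}

# remediation BASELINE < getsebool-output: the setsebool -P commands that close the gap.
remediation() {
    drift "$1" | awk '$2 != "missing" { printf "setsebool -P %s %s\n", $1, $3 }'
}

# drift_count BASELINE < getsebool-output: number of mismatches (0 means compliant).
drift_count() {
    drift "$1" | wc -l | tr -d ' '
}

# Usage on a real host: sh audit_bools.sh --live  (needs libselinux-utils)
if [ "${1:-}" = "--live" ]; then
    getsebool -a | drift "$BASELINE"
    echo "# apply with:"
    getsebool -a | remediation "$BASELINE"
fi
```

Review the remediation list before running it: setsebool -P rewrites the persistent policy store, and on a host that genuinely needs FTP active mode or a debugger in user sessions the right answer is to amend the baseline, not to silence the drift.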
HOME_EXEC
       The SELinux user staff_u is able to execute home content files.  A
       binary dropped into the home directory therefore runs in staff_t
       without any domain transition, so the confinement of staff_t is the
       only policy boundary around it.

TRANSITIONS
       Three things can happen when staff_t attempts to execute a program.

       1. SELinux policy can deny staff_t from executing the program.

       2. SELinux policy can allow staff_t to execute the program in the
          current user type.

          Execute the following to see the file types that staff_t can
          execute without transitioning:

                 $ sesearch -A -s staff_t -c file -p execute_no_trans

       3. SELinux can allow staff_t to execute the program and transition to
          a new type.

          Execute the following to see the types that staff_t can execute
          and transition to:

                 $ sesearch -A -s staff_t -c process -p transition

MANAGED FILES
       The SELinux process type staff_t can manage files labeled with the
       following file types.  The paths listed are the default paths for
       these file types; types listed without a path are assigned by the
       filesystem rather than by a file context rule (for example cifs_t,
       usbfs_t, anon_inodefs_t) or created at runtime (the tmp and tmpfs
       types).  Note that the process's UID still needs DAC permission.

       anon_inodefs_t

       auth_cache_t
              /var/cache/coolkey(/.*)?

       bluetooth_helper_tmp_t

       bluetooth_helper_tmpfs_t

       cgroup_t
              /sys/fs/cgroup

       chrome_sandbox_tmpfs_t

       cifs_t

       dirsrv_config_t
              /etc/dirsrv(/.*)?

       dirsrv_var_lib_t
              /var/lib/dirsrv(/.*)?

       dirsrv_var_log_t
              /var/log/dirsrv(/.*)?

       dirsrv_var_run_t
              /var/run/slapd.*
              /var/run/dirsrv(/.*)?

       games_data_t
              /var/games(/.*)?
              /var/lib/games(/.*)?

       gconf_tmp_t
              /tmp/gconfd-[^/]+/.*

       git_user_content_t
              /home/[^/]+/public_git(/.*)?

       gnome_home_type

       gpg_agent_tmp_t
              /home/[^/]+/.gnupg/log-socket

       httpd_user_content_t
              /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t
              /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t
              /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t
              /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       irc_home_t
              /home/[^/]+/.irssi(/.*)?
              /home/[^/]+/irclog(/.*)?
              /home/[^/]+/.ircmotd

       mail_spool_t
              /var/mail(/.*)?
              /var/spool/imap(/.*)?
              /var/spool/mail(/.*)?
              /var/spool/smtpd(/.*)?

       mqueue_spool_t
              /var/spool/(client)?mqueue(/.*)?
              /var/spool/mqueue.in(/.*)?

       noxattrfs
              all files on file systems which do not support extended
              attributes

       pulseaudio_tmpfs_t

       pulseaudio_tmpfsfile

       sandbox_file_t

       sandbox_tmpfs_type
              all sandbox content in tmpfs file systems

       screen_home_t
              /root/.screen(/.*)?
              /home/[^/]+/.screen(/.*)?
              /home/[^/]+/.screenrc
              /home/[^/]+/.tmux.conf

       security_t
              /selinux

       systemd_passwd_var_run_t
              /var/run/systemd/ask-password(/.*)?
              /var/run/systemd/ask-password-block(/.*)?

       usbfs_t

       user_fonts_cache_t
              /root/.fontconfig(/.*)?
              /root/.fonts/auto(/.*)?
              /root/.fonts.cache-.*
              /home/[^/]+/.fontconfig(/.*)?
              /home/[^/]+/.fonts/auto(/.*)?
              /home/[^/]+/.fonts.cache-.*

       user_home_type
              all user home files

       user_tmp_t
              /dev/shm/mono.*
              /var/run/user(/.*)?
              /tmp/.X11-unix(/.*)?
              /tmp/.ICE-unix(/.*)?
              /dev/shm/pulse-shm.*
              /tmp/.X0-lock
              /tmp/hsperfdata_root
              /var/tmp/hsperfdata_root
              /home/[^/]+/tmp
              /home/[^/]+/.tmp
              /tmp/gconfd-[^/]+

       user_tmp_type
              all user tmp files

       virt_image_type
              all virtual image files

       wireshark_tmp_t

       wireshark_tmpfs_t

       xserver_tmpfs_t

COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), staff(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), staff_consolehelper_selinux(8),
       staff_dbusd_selinux(8), staff_gkeyringd_selinux(8),
       staff_screen_selinux(8), staff_seunshare_selinux(8),
       staff_ssh_agent_selinux(8), staff_sudo_selinux(8),
       staff_wine_selinux(8)

mgrepl@redhat.com                    staff                     staff_selinux(8)