staff_selinux(8)      staff SELinux Policy documentation      staff_selinux(8)



NAME

       staff_u - Administrator's unprivileged user - Security Enhanced Linux
       Policy



DESCRIPTION

       staff_u is an SELinux user defined in the SELinux policy.  SELinux users
       have a default role; for staff_u it is staff_r.  The default role has a
       default type, staff_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       staff_u:staff_r:staff_t:s0-s0:c0.c1023

       Linux users are mapped to an SELinux user at login.  Login programs use
       the SELinux user to assign the initial context of the user's shell.

       SELinux policy uses that context to control the user's access.

       By default, any Linux user without an explicit mapping is assigned to
       the SELinux user named by the __default__ login record.

       On targeted policy systems the __default__ record maps to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings with:

       semanage login -l

       To change the default mapping so that unmapped Linux users log in as
       staff_u, execute:

       semanage login -m -s staff_u __default__

       Before doing so, make sure at least one login (for example root, or
       your own account) keeps an explicit mapping to an SELinux user that can
       reach an administrative role; otherwise every new session is confined
       to staff_r and administration will require one of the transitions
       described under SUDO below.



USER DESCRIPTION

       The SELinux user staff_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from performing administrative
       tasks without first transitioning to a different role.



SUDO

       The SELinux user staff_u can execute sudo.

       You can set up sudo to allow staff_u to transition to an administrative
       domain.  Add one or more of the following records to sudoers using
       visudo; sudo will then run COMMAND in the context shown under each
       record:

       USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
              sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
              sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL

       USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
              sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
              sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
              sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
              sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
              sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL

       The role named by ROLE= must be one that the SELinux user staff_u is
       allowed to reach, so you might also need to add one or more of these
       roles to the staff_u SELinux user record.  List the roles staff_u can
       currently reach by executing:

       $ semanage user -l | grep staff_u

       Then modify the roles list so that it contains staff_r together with
       the roles you referenced in sudoers, for example:

       $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r logadm_r dbadm_r auditadm_r' staff_u

       Note that -R replaces the whole list, so repeat the roles you want to
       keep.  Add only the roles you actually use: every role in this list
       becomes reachable from every staff_u login on the system, and a record
       granting unconfined_r:unconfined_t effectively removes SELinux
       confinement for the command it runs.  For more details see the
       semanage(8) man page.

       The staff_t domain does not run the sudo binary in its own domain: sudo
       runs in the separate staff_sudo_t domain, described in
       staff_sudo_selinux(8), which performs the role and type change.


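       Checking the login mapping and the sudoers roles end to end, as an added
       example that is not part of this man page or of the sepolicy tool: the
       script below (Python, the language sepolicy itself is written in) parses
       constructed samples of semanage login -l, semanage user -l and a sudoers
       fragment in the record form shown above, resolves each record's invoking
       login to its SELinux user (falling back to the __default__ record as
       described under DESCRIPTION) and flags records whose ROLE= that SELinux
       user cannot reach, which is exactly the case where sudo fails to set the
       requested context.  The logins alice, bob and carol, the sample rows and
       the sudoers lines are all made up for the example.

```python
"""Audit sudoers ROLE= records against the roles each login's SELinux user can reach."""
import re

# Constructed sample of `semanage login -l` output (not captured from a real host).
SAMPLE_LOGINS = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

# Constructed sample of `semanage user -l` output.
SAMPLE_USERS = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
"""

# Constructed sudoers fragment in the record form shown above; alice, bob and carol are made up.
SAMPLE_SUDOERS = """\
# Defaults omitted
alice ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t /usr/bin/systemctl
alice ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /usr/sbin/apachectl
bob   ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
carol ALL=(ALL) ALL
"""

# USER HOST=(RUNAS) [ROLE=r] [TYPE=t] COMMAND
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\([^)]*\)\s+(?:ROLE=(?P<role>\S+)\s+)?(?:TYPE=(?P<type>\S+)\s+)?(?P<cmd>.+)$"
)


def parse_logins(text):
    """Map Linux login name -> SELinux user from `semanage login -l` output."""
    logins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Login":  # header or blank line
            continue
        logins[fields[0]] = fields[1]
    return logins


def parse_users(text):
    """Map SELinux user -> ordered list of reachable roles from `semanage user -l` output."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("Labeling", "SELinux"):  # header lines
            continue
        users[fields[0]] = fields[4:]  # name, prefix, level, range, then the roles
    return users


def parse_sudoers_roles(text):
    """Return (login, role, type, command) for each sudoers record that sets ROLE=."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDOERS_RE.match(line)
        if m and m.group("role"):
            records.append((m.group("user"), m.group("role"), m.group("type"), m.group("cmd")))
    return records


def seuser_for(login, logins):
    """A login with no record of its own is mapped through the __default__ record."""
    return logins.get(login, logins.get("__default__"))


def check_sudoers(logins, users, records):
    """Return (login, seuser, role) for every record whose ROLE= the SELinux user cannot
    reach; sudo would fail to set that context at run time."""
    problems = []
    for login, role, _type, _cmd in records:
        seuser = seuser_for(login, logins)
        if role not in users.get(seuser, []):
            problems.append((login, seuser, role))
    return problems


def fix_command(seuser, current_roles, missing_roles):
    """Render the `semanage user -m -R` call that adds the missing roles while keeping the
    existing ones (-R replaces the whole list, so the current roles must be repeated)."""
    roles = list(current_roles) + [r for r in missing_roles if r not in current_roles]
    return "semanage user -m -R '%s' %s" % (" ".join(roles), seuser)


if __name__ == "__main__":
    logins, users = parse_logins(SAMPLE_LOGINS), parse_users(SAMPLE_USERS)
    for login, seuser, role in check_sudoers(logins, users, parse_sudoers_roles(SAMPLE_SUDOERS)):
        print("%s (%s) cannot reach %s; fix: %s" % (login, seuser, role,
              fix_command(seuser, users.get(seuser, []), [role])))
```

       On a real host, replace the three samples with the output of the
       corresponding commands and the contents of /etc/sudoers and
       /etc/sudoers.d; the fix command is printed rather than executed so that
       the role list can be reviewed before it is widened.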

X WINDOWS LOGIN

       The SELinux user staff_u is able to log in through an X Windows
       (graphical) login.



NETWORK

       The SELinux user staff_u is able to listen on the following tcp ports.

              6000-6020

              32768-61000

              3689

              all ports > 1024

              all ports without defined types


       The SELinux user staff_u is able to connect to the following tcp ports.

              53

              all ports

              8955

              32768-61000

              9080

              all ports < 1024

              389,636,3268,3269,7389

              5432,9898

              88,750,4444

              111

              all ports without defined types


       The SELinux user staff_u is able to listen on the following udp ports.

              32768-61000

              all ports without defined types

              all ports > 1024


       Binding a listening socket from staff_t is additionally conditional on
       the selinuxuser_tcp_server and selinuxuser_udp_server booleans (see
       BOOLEANS), both disabled by default; with them off, the listen
       permissions above are not usable by a staff_u process.



BOOLEANS

       SELinux policy is customizable based on the least access required.  The
       staff policy is extremely flexible and has several booleans that let you
       tune the policy and run staff with the tightest access possible.  Set a
       boolean with setsebool -P (the -P makes the change persistent across
       reboots) and check the current value with getsebool.


       If you want to allow the staff user to create and transition to svirt
       domains, you must turn on the staff_use_svirt boolean.  Disabled by
       default.

       setsebool -P staff_use_svirt 1


       If you want to allow users to resolve user passwd entries directly from
       LDAP rather than through an sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean.  Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1


       If you want crond to execute a user's jobs in that user's domain rather
       than in the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean.  Enabled by default.

       setsebool -P cron_userdomain_transition 1


       If you want to deny applications in user domains the ability to map a
       memory region as both executable and writable (this is dangerous, and an
       executable that needs it should be reported in bugzilla), you must turn
       on the deny_execmem boolean.  Enabled by default.

       setsebool -P deny_execmem 1


       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean.  Enabled by default.

       setsebool -P deny_ptrace 1


       If you want to allow any process to mmap any file on the system with
       the attribute file_type, you must turn on the domain_can_mmap_files
       boolean.  Enabled by default.

       setsebool -P domain_can_mmap_files 1


       If you want to allow all domains to write to kmsg_device while the
       kernel is booted with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean.  Disabled by default.

       setsebool -P domain_can_write_kmsg 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean.  Enabled by
       default.

       setsebool -P domain_fd_use 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean.  Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in FIPS mode, you must turn
       on the fips_mode boolean.  Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow calling user domains to execute the Git daemon in
       the git_session_t domain, you must turn on the git_session_users
       boolean.  Enabled by default.

       setsebool -P git_session_users 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean.  Disabled by default.

       setsebool -P global_ssp 1


       If you want to allow httpd CGI support, you must turn on the
       httpd_enable_cgi boolean.  Enabled by default.

       setsebool -P httpd_enable_cgi 1


       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean.  Disabled by default.

       setsebool -P httpd_unified 1


       If you want to allow confined applications to run with Kerberos, you
       must turn on the kerberos_enabled boolean.  Enabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow logging in and using the system from /dev/console,
       you must turn on the login_console_enabled boolean.  Enabled by default.

       setsebool -P login_console_enabled 1


       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean.  Disabled by default.

       setsebool -P nis_enabled 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean.  Disabled by default.

       setsebool -P nscd_use_shm 1


       If you want to allow calling user domains to execute the Polipo daemon
       in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean.  Disabled by default.

       setsebool -P polipo_session_users 1


       If you want to allow unprivileged users to execute DDL statements, you
       must turn on the postgresql_selinux_users_ddl boolean.  Enabled by
       default.

       setsebool -P postgresql_selinux_users_ddl 1


       If you want to allow pppd to be run by a regular user, you must turn on
       the pppd_for_user boolean.  Disabled by default.

       setsebool -P pppd_for_user 1


       If you want to disallow programs, such as newrole, from transitioning
       to administrative user domains, you must turn on the secure_mode
       boolean.  Enabled by default.

       setsebool -P secure_mode 1


       If you want to allow regular users direct DRI device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean.  Enabled by default.

       setsebool -P selinuxuser_direct_dri_enabled 1


       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean.  Enabled by default.

       setsebool -P selinuxuser_execmod 1


       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean.  This
       should never be necessary: it usually indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla.  Enabled by default.

       setsebool -P selinuxuser_execstack 1


       If you want to allow users to connect to the local MySQL server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean.  Disabled
       by default.

       setsebool -P selinuxuser_mysql_connect_enabled 1


       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean.  Disabled by
       default.

       setsebool -P selinuxuser_postgresql_connect_enabled 1


       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean.  Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1


       If you want to allow user music sharing, you must turn on the
       selinuxuser_share_music boolean.  Disabled by default.

       setsebool -P selinuxuser_share_music 1


       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and from outside users), you must turn
       on the selinuxuser_tcp_server boolean.  Leaving it disabled forces FTP
       passive mode and may affect other protocols.  Disabled by default.

       setsebool -P selinuxuser_tcp_server 1


       If you want to allow users to run UDP servers (bind to ports and accept
       connections from the same domain and from outside users), you must turn
       on the selinuxuser_udp_server boolean.  Leaving it disabled may break
       avahi service discovery on the network and other UDP-based services.
       Disabled by default.

       setsebool -P selinuxuser_udp_server 1


       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean.  Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1


       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean.  Disabled by default.

       setsebool -P ssh_sysadm_login 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean.  Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean.  Disabled by default.

       setsebool -P use_samba_home_dirs 1


       If you want to allow the graphical login program to log in directly as
       sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
       Enabled by default.

       setsebool -P xdm_sysadm_login 1


       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1


       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean.  Enabled by default.

       setsebool -P xserver_object_manager 1

563

HOME_EXEC

       The SELinux user staff_u is able to execute home content files (files
       in its home directory).



TRANSITIONS

       Three things can happen when staff_t attempts to execute a program.

       1. SELinux policy can deny staff_t from executing the program.


       2. SELinux policy can allow staff_t to execute the program in the
       current user type, so the process stays in staff_t.

              Execute the following to see the file types that the staff_t
              domain can execute without transitioning:

              $ sesearch -A -s staff_t -c file -p execute_no_trans


       3. SELinux policy can allow staff_t to execute the program and
       transition to a new type.

              Execute the following to see the domains that staff_t can
              transition to:

              $ sesearch -A -s staff_t -c process -p transition

              To see which executable file type selects which new domain,
              list the type_transition rules as well:

              $ sesearch -T -s staff_t -c process


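       To work out which of the three outcomes applies to a given file type
       without reading the rule dumps by hand, the decision can be
       reconstructed from the sesearch -A and sesearch -T output.  The script
       below is an added Python example, not part of this man page or of the
       sepolicy/setools code: it parses a constructed sample written in
       sesearch's output format and applies a simplified version of the
       kernel's execve checks (file execute, execute_no_trans, process
       transition and file entrypoint; role and MLS constraints and
       boolean-conditional rules are ignored).  staff_t, staff_sudo_t,
       sudo_exec_t, bin_t and shell_exec_t are real policy names; broken_exec_t
       is a hypothetical type invented only to show the case where a file may
       be executed but neither stays in staff_t nor transitions.

```python
"""Decide what happens when staff_t executes a file of a given type, from sesearch output."""
import re

# Constructed sample in the output format of `sesearch -A` / `sesearch -T`, not a real dump.
# broken_exec_t is hypothetical: execute without execute_no_trans and without a type_transition.
SAMPLE_SESEARCH = """\
allow staff_t bin_t:file { execute execute_no_trans getattr ioctl map open read };
allow staff_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read };
allow staff_t sudo_exec_t:file { execute getattr ioctl map open read };
allow staff_t staff_sudo_t:process { sigchld sigkill sigstop signal signull transition };
allow staff_sudo_t sudo_exec_t:file { entrypoint execute getattr ioctl map open read };
allow staff_t broken_exec_t:file { execute getattr open read };
type_transition staff_t sudo_exec_t:process staff_sudo_t;
"""

# `allow src tgt:class { p1 p2 };` or `allow src tgt:class p1;`
ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (?:\{ ([^}]*) \}|(\S+));")
# `type_transition src tgt:class new_type;`
TRANS_RE = re.compile(r"^type_transition (\S+) (\S+):(\S+) ([^ ;]+)")


def parse_rules(text):
    """Return (allows, transitions): allows maps (src, tgt, class) -> set of permissions,
    transitions maps (src, tgt, class) -> default new type."""
    allows, transitions = {}, {}
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            perms = (m.group(4) or m.group(5)).split()
            allows.setdefault((m.group(1), m.group(2), m.group(3)), set()).update(perms)
            continue
        m = TRANS_RE.match(line)
        if m:
            transitions[(m.group(1), m.group(2), m.group(3))] = m.group(4)
    return allows, transitions


def exec_outcome(src, exec_type, allows, transitions):
    """Classify an execve of a file labeled exec_type from domain src.

    Simplified model of the kernel checks for a default transition (no execve -Z):
    returns ("denied", None), ("no_transition", src) or ("transition", new_type).
    """
    file_perms = allows.get((src, exec_type, "file"), set())
    if "execute" not in file_perms:
        return ("denied", None)                     # outcome 1: cannot execute at all
    new_type = transitions.get((src, exec_type, "process"))
    if new_type is not None:
        # outcome 3 needs src -> new_type:process transition AND new_type's entrypoint on the file
        can_transition = "transition" in allows.get((src, new_type, "process"), set())
        is_entrypoint = "entrypoint" in allows.get((new_type, exec_type, "file"), set())
        if can_transition and is_entrypoint:
            return ("transition", new_type)
        return ("denied", None)                     # a default transition that is not allowed fails
    if "execute_no_trans" in file_perms:
        return ("no_transition", src)               # outcome 2: runs in the caller's domain
    return ("denied", None)                         # executable, but nowhere allowed to run


if __name__ == "__main__":
    allows, transitions = parse_rules(SAMPLE_SESEARCH)
    for t in ("bin_t", "shell_exec_t", "sudo_exec_t", "broken_exec_t", "httpd_exec_t"):
        print("%-14s -> %s" % (t, exec_outcome("staff_t", t, allows, transitions)))
```

       With real input, concatenate the output of sesearch -A -s staff_t and
       sesearch -T -s staff_t; conditional rules are printed by sesearch with a
       trailing boolean expression, which this parser ignores, so check those
       booleans separately before trusting an "allowed" verdict.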

MANAGED FILES

       The SELinux process type staff_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs DAC permission.

       anon_inodefs_t


       auth_cache_t

            /var/cache/coolkey(/.*)?

       bluetooth_helper_tmp_t


       bluetooth_helper_tmpfs_t


       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t


       cifs_t


       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       git_user_content_t

            /home/[^/]+/public_git(/.*)?

       gnome_home_type


       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t


       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       irc_home_t

            /home/[^/]+/.irssi(/.*)?
            /home/[^/]+/irclog(/.*)?
            /home/[^/]+/.ircmotd

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t


       pulseaudio_tmpfsfile


       sandbox_file_t


       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]+/.screen(/.*)?
            /home/[^/]+/.screenrc
            /home/[^/]+/.tmux.conf

       security_t

            /selinux

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       virt_image_type

            all virtual image files

       wireshark_tmp_t


       wireshark_tmpfs_t


       xserver_tmpfs_t



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), staff(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), staff_consolehelper_selinux(8),
       staff_dbusd_selinux(8), staff_gkeyringd_selinux(8),
       staff_screen_selinux(8), staff_seunshare_selinux(8),
       staff_ssh_agent_selinux(8), staff_sudo_selinux(8),
       staff_wine_selinux(8)



mgrepl@redhat.com                    staff                    staff_selinux(8)