user_selinux(8)

1user_selinux(8)        user SELinux Policy documentation       user_selinux(8)
2
3
4

NAME

6       user_u - Generic unprivileged user - Security Enhanced Linux Policy
7
8

DESCRIPTION

10       user_u  is an SELinux User defined in the SELinux policy. SELinux users
11       have default roles, user_r.  The  default  role  has  a  default  type,
12       user_t, associated with it.
13
14       The  SELinux  user  will  usually login to a system with a context that
15       looks like:
16
17       user_u:user_r:user_t:s0
18
19       Linux users are automatically  assigned  an  SELinux  users  at  login.
20       Login  programs  use  the SELinux User to assign initial context to the
21       user's shell.
22
23       SELinux policy uses the context to control the user's access.
24
25       By default  all  users  are  assigned  to  the  SELinux  user  via  the
26       __default__ flag
27
28       On  Targeted  policy  systems  the  __default__ user is assigned to the
29       unconfined_u SELinux user.
30
31       You can list all Linux User to SELinux user mapping using:
32
33       semanage login -l
34
35       If you wanted to change the default user  mapping  to  use  the  user_u
36       user, you would execute:
37
38       semanage login -m -s user_u __default__
39
40
41       If  you  want to map the one Linux user (joe) to the SELinux user user,
42       you would execute:
43
44       $ semanage login -a -s user_u joe
45
46
47

USER DESCRIPTION

49       The SELinux user user_u is defined in policy as  a  unprivileged  user.
50       SELinux  prevents  unprivileged  users  from doing administration tasks
51       without transitioning to a different role.
52
53

SUDO

X WINDOWS LOGIN

56       The SELinux user user_u is able to X Windows login.
57
58

NETWORK

60       The SELinux user user_u is able to listen on the following tcp ports.
61
62              6000-6020
63
64              3689
65
66              all ports > 1024
67
68              32768-61000
69
70              all ports with out defined types
71
72
73       The SELinux user user_u is able to connect to the following tcp ports.
74
75              all ports
76
77              8955
78
79              53,853
80
81              5432,9898
82
83              389,636,3268,3269,7389
84
85              111
86
87              all ports < 1024
88
89              32768-61000
90
91              all ports with out defined types
92
93              88,750,4444
94
95              9080
96
97
98       The SELinux user user_u is able to listen on the following udp ports.
99
100              all ports with out defined types
101
102              32768-61000
103
104              all ports > 1024
105
106
107       The SELinux user user_u is able to connect to the following tcp ports.
108
109              all ports
110
111              8955
112
113              53,853
114
115              5432,9898
116
117              389,636,3268,3269,7389
118
119              111
120
121              all ports < 1024
122
123              32768-61000
124
125              all ports with out defined types
126
127              88,750,4444
128
129              9080
130
131

BOOLEANS

133       SELinux policy is customizable based on least  access  required.   user
134       policy is extremely flexible and has several booleans that allow you to
135       manipulate the policy and run user with the tightest access possible.
136
137
138
139       If you want to allow users to resolve user passwd entries directly from
140       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
141       gin_nsswitch_use_ldap boolean. Disabled by default.
142
143       setsebool -P authlogin_nsswitch_use_ldap 1
144
145
146
147       If you want to determine whether crond can execute  jobs  in  the  user
148       domain  as  opposed to the the generic cronjob domain, you must turn on
149       the cron_userdomain_transition boolean. Enabled by default.
150
151       setsebool -P cron_userdomain_transition 1
152
153
154
155       If you want to deny user domains applications to map a memory region as
156       both  executable  and  writable,  this  is dangerous and the executable
157       should be reported in bugzilla, you must turn on the deny_execmem bool‐
158       ean. Enabled by default.
159
160       setsebool -P deny_execmem 1
161
162
163
164       If  you  want  to deny any process from ptracing or debugging any other
165       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
166       default.
167
168       setsebool -P deny_ptrace 1
169
170
171
172       If you want to allow all domains to execute in fips_mode, you must turn
173       on the fips_mode boolean. Enabled by default.
174
175       setsebool -P fips_mode 1
176
177
178
179       If you want to determine whether calling user domains can  execute  Git
180       daemon  in  the  git_session_t  domain,  you  must turn on the git_ses‐
181       sion_users boolean. Disabled by default.
182
183       setsebool -P git_session_users 1
184
185
186
187       If you  want  to  allow  httpd  cgi  support,  you  must  turn  on  the
188       httpd_enable_cgi boolean. Enabled by default.
189
190       setsebool -P httpd_enable_cgi 1
191
192
193
194       If  you  want  to allow confined applications to run with kerberos, you
195       must turn on the kerberos_enabled boolean. Enabled by default.
196
197       setsebool -P kerberos_enabled 1
198
199
200
201       If you want to allow system to run with  NIS,  you  must  turn  on  the
202       nis_enabled boolean. Disabled by default.
203
204       setsebool -P nis_enabled 1
205
206
207
208       If  you  want to allow confined applications to use nscd shared memory,
209       you must turn on the nscd_use_shm boolean. Enabled by default.
210
211       setsebool -P nscd_use_shm 1
212
213
214
215       If you want to determine  whether  calling  user  domains  can  execute
216       Polipo  daemon  in  the  polipo_session_t  domain, you must turn on the
217       polipo_session_users boolean. Disabled by default.
218
219       setsebool -P polipo_session_users 1
220
221
222
223       If you want to allow pppd to be run for a regular user, you  must  turn
224       on the pppd_for_user boolean. Disabled by default.
225
226       setsebool -P pppd_for_user 1
227
228
229
230       If  you  want  to  allow  all  unconfined  executables to use libraries
231       requiring text relocation that are  not  labeled  textrel_shlib_t,  you
232       must turn on the selinuxuser_execmod boolean. Enabled by default.
233
234       setsebool -P selinuxuser_execmod 1
235
236
237
238       If  you  want  to allow unconfined executables to make their stack exe‐
239       cutable.  This should never, ever be necessary.  Probably  indicates  a
240       badly  coded  executable, but could indicate an attack. This executable
241       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
242       stack boolean. Enabled by default.
243
244       setsebool -P selinuxuser_execstack 1
245
246
247
248       If  you  want  to allow users to connect to the local mysql server, you
249       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
250       default.
251
252       setsebool -P selinuxuser_mysql_connect_enabled 1
253
254
255
256       If you want to allow confined users the ability to execute the ping and
257       traceroute commands, you must turn  on  the  selinuxuser_ping  boolean.
258       Enabled by default.
259
260       setsebool -P selinuxuser_ping 1
261
262
263
264       If  you  want to allow users to connect to PostgreSQL, you must turn on
265       the   selinuxuser_postgresql_connect_enabled   boolean.   Disabled   by
266       default.
267
268       setsebool -P selinuxuser_postgresql_connect_enabled 1
269
270
271
272       If  you want to allow user to r/w files on filesystems that do not have
273       extended attributes (FAT, CDROM, FLOPPY), you must turn on  the  selin‐
274       uxuser_rw_noexattrfile boolean. Enabled by default.
275
276       setsebool -P selinuxuser_rw_noexattrfile 1
277
278
279
280       If you want to allow user  to use ssh chroot environment, you must turn
281       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
282
283       setsebool -P selinuxuser_use_ssh_chroot 1
284
285
286
287       If you want to allow unprivileged user  to  create  and  transition  to
288       svirt  domains, you must turn on the unprivuser_use_svirt boolean. Dis‐
289       abled by default.
290
291       setsebool -P unprivuser_use_svirt 1
292
293
294
295       If you want to support NFS home  directories,  you  must  turn  on  the
296       use_nfs_home_dirs boolean. Disabled by default.
297
298       setsebool -P use_nfs_home_dirs 1
299
300
301
302       If  you  want  to  support SAMBA home directories, you must turn on the
303       use_samba_home_dirs boolean. Disabled by default.
304
305       setsebool -P use_samba_home_dirs 1
306
307
308

HOME_EXEC

310       The SELinux user user_u is able execute home content files.
311
312

TRANSITIONS

314       Three things can happen when user_t attempts to execute a program.
315
316       1. SELinux Policy can deny user_t from executing the program.
317
318
319
320       2. SELinux Policy can allow user_t to execute the program in  the  cur‐
321       rent user type.
322
323              Execute  the  following  to  see the types that the SELinux user
324              user_t can execute without transitioning:
325
326              sesearch -A -s user_t -c file -p execute_no_trans
327
328
329
330       3. SELinux can allow user_t to execute the program and transition to  a
331       new type.
332
333              Execute  the  following  to  see the types that the SELinux user
334              user_t can execute and transition:
335
336              $ sesearch -A -s user_t -c process -p transition
337
338
339

MANAGED FILES

341       The SELinux process type user_t can manage files labeled with the  fol‐
342       lowing  file  types.   The paths listed are the default paths for these
343       file types.  Note the processes UID still need to have DAC permissions.
344
345       alsa_home_t
346
347            /home/[^/]+/.asoundrc
348
349       anon_inodefs_t
350
351
352       auth_cache_t
353
354            /var/cache/coolkey(/.*)?
355
356       bluetooth_helper_tmp_t
357
358
359       bluetooth_helper_tmpfs_t
360
361
362       cgroup_t
363
364            /sys/fs/cgroup
365
366       chrome_sandbox_tmpfs_t
367
368
369       cifs_t
370
371
372       dosfs_t
373
374
375       games_data_t
376
377            /var/games(/.*)?
378            /var/lib/games(/.*)?
379
380       gconf_tmp_t
381
382            /tmp/gconfd-[^/]+/.*
383
384       git_user_content_t
385
386            /home/[^/]+/public_git(/.*)?
387
388       gkeyringd_tmp_t
389
390            /var/run/user/[^/]*/keyring.*
391
392       gnome_home_type
393
394
395       gpg_agent_tmp_t
396
397            /home/[^/]+/.gnupg/log-socket
398
399       httpd_user_content_t
400
401            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
402
403       httpd_user_htaccess_t
404
405            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
406
407       httpd_user_ra_content_t
408
409            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
410
411       httpd_user_rw_content_t
412
413
414       httpd_user_script_exec_t
415
416            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
417
418       irc_home_t
419
420            /home/[^/]+/.irssi(/.*)?
421            /home/[^/]+/irclog(/.*)?
422            /home/[^/]+/.ircmotd
423
424       irc_tmp_t
425
426
427       irssi_home_t
428
429
430       mail_spool_t
431
432            /var/mail(/.*)?
433            /var/spool/imap(/.*)?
434            /var/spool/mail(/.*)?
435            /var/spool/smtpd(/.*)?
436
437       mpd_user_data_t
438
439
440       mqueue_spool_t
441
442            /var/spool/(client)?mqueue(/.*)?
443            /var/spool/mqueue.in(/.*)?
444
445       nfs_t
446
447
448       noxattrfs
449
450            all files on file systems which do not support extended attributes
451
452       pulseaudio_tmpfs_t
453
454
455       pulseaudio_tmpfsfile
456
457
458       sandbox_file_t
459
460
461       sandbox_tmpfs_type
462
463            all sandbox content in tmpfs file systems
464
465       screen_home_t
466
467            /root/.screen(/.*)?
468            /home/[^/]+/.screen(/.*)?
469            /home/[^/]+/.screenrc
470            /home/[^/]+/.tmux.conf
471
472       security_t
473
474            /selinux
475
476       ssh_home_t
477
478            /var/lib/[^/]+/.ssh(/.*)?
479            /root/.ssh(/.*)?
480            /var/lib/one/.ssh(/.*)?
481            /var/lib/pgsql/.ssh(/.*)?
482            /var/lib/openshift/[^/]+/.ssh(/.*)?
483            /var/lib/amanda/.ssh(/.*)?
484            /var/lib/stickshift/[^/]+/.ssh(/.*)?
485            /var/lib/gitolite/.ssh(/.*)?
486            /var/lib/nocpulse/.ssh(/.*)?
487            /var/lib/gitolite3/.ssh(/.*)?
488            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
489            /root/.shosts
490            /home/[^/]+/.ssh(/.*)?
491            /home/[^/]+/.ansible/cp/.*
492            /home/[^/]+/.shosts
493
494       systemd_passwd_var_run_t
495
496            /var/run/systemd/ask-password(/.*)?
497            /var/run/systemd/ask-password-block(/.*)?
498
499       usbfs_t
500
501
502       user_fonts_cache_t
503
504            /root/.fontconfig(/.*)?
505            /root/.fonts/auto(/.*)?
506            /root/.fonts.cache-.*
507            /home/[^/]+/.fontconfig(/.*)?
508            /home/[^/]+/.fonts/auto(/.*)?
509            /home/[^/]+/.fonts.cache-.*
510
511       user_home_type
512
513            all user home files
514
515       user_tmp_t
516
517            /dev/shm/mono.*
518            /var/run/user(/.*)?
519            /tmp/.ICE-unix(/.*)?
520            /tmp/.X11-unix(/.*)?
521            /dev/shm/pulse-shm.*
522            /tmp/.X0-lock
523            /tmp/hsperfdata_root
524            /var/tmp/hsperfdata_root
525            /home/[^/]+/tmp
526            /home/[^/]+/.tmp
527            /tmp/gconfd-[^/]+
528
529       user_tmp_type
530
531            all user tmp files
532
533       virt_image_type
534
535            all virtual image files
536
537       xserver_tmpfs_t
538
539
540

COMMANDS

542       semanage fcontext can also be used to manipulate default  file  context
543       mappings.
544
545       semanage  permissive  can  also  be used to manipulate whether or not a
546       process type is permissive.
547
548       semanage module can also be used to enable/disable/install/remove  pol‐
549       icy modules.
550
551       semanage boolean can also be used to manipulate the booleans
552
553
554       system-config-selinux is a GUI tool available to customize SELinux pol‐
555       icy settings.
556
557

AUTHOR

559       This manual page was auto-generated using sepolicy manpage .
560
561