1staff_selinux(8)      staff SELinux Policy documentation      staff_selinux(8)
2
3
4

NAME

6       staff_u  -  Administrator's unprivileged user - Security Enhanced Linux
7       Policy
8
9

DESCRIPTION

11       staff_u is an SELinux User defined in the SELinux policy. SELinux users
12       have  default  roles,  staff_r.   The  default role has a default type,
13       staff_t, associated with it.
14
15       The SELinux user will usually login to a system  with  a  context  that
16       looks like:
17
18       staff_u:staff_r:staff_t:s0 - s0:c0.c1023
19
20       Linux  users  are  automatically  assigned  an  SELinux users at login.
21       Login programs use the SELinux User to assign initial  context  to  the
22       user's shell.
23
24       SELinux policy uses the context to control the user's access.
25
26       By  default  all  users  are  assigned  to  the  SELinux  user  via the
27       __default__ flag
28
29       On Targeted policy systems the __default__  user  is  assigned  to  the
30       unconfined_u SELinux user.
31
32       You can list all Linux User to SELinux user mapping using:
33
34       semanage login -l
35
36       If  you  wanted  to  change the default user mapping to use the staff_u
37       user, you would execute:
38
39       semanage login -m -s staff_u __default__
40
41
42       If you want to map the one Linux user (joe) to the SELinux user  staff,
43       you would execute:
44
45       $ semanage login -a -s staff_u joe
46
47
48

USER DESCRIPTION

50       The  SELinux  user staff_u is defined in policy as a unprivileged user.
51       SELinux prevents unprivileged users  from  doing  administration  tasks
52       without transitioning to a different role.
53
54

SUDO

56       The SELinux user staff can execute sudo.
57
58       You  can  set up sudo to allow staff to transition to an administrative
59       domain:
60
61       Add one or more of the following record to sudoers using visudo.
62
63
64       USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
65       sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
66
67       You might also need to add one or more  of  these  new  roles  to  your
68       SELinux user record.
69
70       List the SELinux roles your SELinux user can reach by executing:
71
72       $ semanage user -l |grep selinux_name
73
74       Modify the roles list and add staff_r to this list.
75
76       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
77       logadm_r dbadm_r auditadm_r' staff_u
78
79       For more details you can see semanage man page.
80
81
82       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
83       sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
84
85       You might also need to add one or more  of  these  new  roles  to  your
86       SELinux user record.
87
88       List the SELinux roles your SELinux user can reach by executing:
89
90       $ semanage user -l |grep selinux_name
91
92       Modify the roles list and add staff_r to this list.
93
94       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
95       logadm_r dbadm_r auditadm_r' staff_u
96
97       For more details you can see semanage man page.
98
99
100       USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
101       sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
102
103       You might also need to add one or more  of  these  new  roles  to  your
104       SELinux user record.
105
106       List the SELinux roles your SELinux user can reach by executing:
107
108       $ semanage user -l |grep selinux_name
109
110       Modify the roles list and add staff_r to this list.
111
112       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
113       logadm_r dbadm_r auditadm_r' staff_u
114
115       For more details you can see semanage man page.
116
117
118       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
119       sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
120
121       You might also need to add one or more  of  these  new  roles  to  your
122       SELinux user record.
123
124       List the SELinux roles your SELinux user can reach by executing:
125
126       $ semanage user -l |grep selinux_name
127
128       Modify the roles list and add staff_r to this list.
129
130       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
131       logadm_r dbadm_r auditadm_r' staff_u
132
133       For more details you can see semanage man page.
134
135
136       USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
137       sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
138
139       You might also need to add one or more  of  these  new  roles  to  your
140       SELinux user record.
141
142       List the SELinux roles your SELinux user can reach by executing:
143
144       $ semanage user -l |grep selinux_name
145
146       Modify the roles list and add staff_r to this list.
147
148       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
149       logadm_r dbadm_r auditadm_r' staff_u
150
151       For more details you can see semanage man page.
152
153
154       USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
155       sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
156
157       You might also need to add one or more  of  these  new  roles  to  your
158       SELinux user record.
159
160       List the SELinux roles your SELinux user can reach by executing:
161
162       $ semanage user -l |grep selinux_name
163
164       Modify the roles list and add staff_r to this list.
165
166       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
167       logadm_r dbadm_r auditadm_r' staff_u
168
169       For more details you can see semanage man page.
170
171
172       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
173       sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
174
175       You might also need to add one or more  of  these  new  roles  to  your
176       SELinux user record.
177
178       List the SELinux roles your SELinux user can reach by executing:
179
180       $ semanage user -l |grep selinux_name
181
182       Modify the roles list and add staff_r to this list.
183
184       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
185       logadm_r dbadm_r auditadm_r' staff_u
186
187       For more details you can see semanage man page.
188
189
190       The SELinux type staff_t is not allowed to execute sudo.
191
192

X WINDOWS LOGIN

194       The SELinux user staff_u is able to X Windows login.
195
196

NETWORK

198       The SELinux user staff_u is able to listen on the following tcp ports.
199
200              6000-6020
201
202              all ports > 1024
203
204              32768-60999
205
206              all ports with out defined types
207
208              3689
209
210
211       The SELinux user staff_u is able to connect to the following tcp ports.
212
213              all ports
214
215              8955
216
217              53,853
218
219              9080
220
221              5432,9898
222
223              389,636,3268,3269,7389
224
225              32768-60999
226
227              all ports with out defined types
228
229              88,750,4444
230
231              111
232
233              all ports < 1024
234
235
236       The SELinux user staff_u is able to listen on the following udp ports.
237
238              32768-60999
239
240              all ports with out defined types
241
242              all ports > 1024
243
244
245       The SELinux user staff_u is able to connect to the following tcp ports.
246
247              all ports
248
249              8955
250
251              53,853
252
253              9080
254
255              5432,9898
256
257              389,636,3268,3269,7389
258
259              32768-60999
260
261              all ports with out defined types
262
263              88,750,4444
264
265              111
266
267              all ports < 1024
268
269

BOOLEANS

271       SELinux policy is customizable based on least access  required.   staff
272       policy is extremely flexible and has several booleans that allow you to
273       manipulate the policy and run staff with the tightest access possible.
274
275
276
277       If you want to allow staff user  to  create  and  transition  to  svirt
278       domains,  you  must  turn  on  the staff_use_svirt boolean. Disabled by
279       default.
280
281       setsebool -P staff_use_svirt 1
282
283
284
285       If you want to allow users to resolve user passwd entries directly from
286       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
287       gin_nsswitch_use_ldap boolean. Disabled by default.
288
289       setsebool -P authlogin_nsswitch_use_ldap 1
290
291
292
293       If you want to determine whether crond can execute  jobs  in  the  user
294       domain  as  opposed to the the generic cronjob domain, you must turn on
295       the cron_userdomain_transition boolean. Enabled by default.
296
297       setsebool -P cron_userdomain_transition 1
298
299
300
301       If you want to deny all system processes and Linux users to  use  blue‐
302       tooth wireless technology, you must turn on the deny_bluetooth boolean.
303       Enabled by default.
304
305       setsebool -P deny_bluetooth 1
306
307
308
309       If you want to deny user domains applications to map a memory region as
310       both  executable  and  writable,  this  is dangerous and the executable
311       should be reported in bugzilla, you must turn on the deny_execmem bool‐
312       ean. Enabled by default.
313
314       setsebool -P deny_execmem 1
315
316
317
318       If  you  want  to deny any process from ptracing or debugging any other
319       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
320       default.
321
322       setsebool -P deny_ptrace 1
323
324
325
326       If you want to allow all domains to execute in fips_mode, you must turn
327       on the fips_mode boolean. Enabled by default.
328
329       setsebool -P fips_mode 1
330
331
332
333       If you want to determine whether calling user domains can  execute  Git
334       daemon  in  the  git_session_t  domain,  you  must turn on the git_ses‐
335       sion_users boolean. Disabled by default.
336
337       setsebool -P git_session_users 1
338
339
340
341       If you  want  to  allow  httpd  cgi  support,  you  must  turn  on  the
342       httpd_enable_cgi boolean. Enabled by default.
343
344       setsebool -P httpd_enable_cgi 1
345
346
347
348       If  you  want  to allow confined applications to run with kerberos, you
349       must turn on the kerberos_enabled boolean. Enabled by default.
350
351       setsebool -P kerberos_enabled 1
352
353
354
355       If you want to allow system to run with  NIS,  you  must  turn  on  the
356       nis_enabled boolean. Disabled by default.
357
358       setsebool -P nis_enabled 1
359
360
361
362       If  you  want to allow confined applications to use nscd shared memory,
363       you must turn on the nscd_use_shm boolean. Disabled by default.
364
365       setsebool -P nscd_use_shm 1
366
367
368
369       If you want to determine  whether  calling  user  domains  can  execute
370       Polipo  daemon  in  the  polipo_session_t  domain, you must turn on the
371       polipo_session_users boolean. Disabled by default.
372
373       setsebool -P polipo_session_users 1
374
375
376
377       If you want to allow pppd to be run for a regular user, you  must  turn
378       on the pppd_for_user boolean. Disabled by default.
379
380       setsebool -P pppd_for_user 1
381
382
383
384       If  you  want  to  allow  all  unconfined  executables to use libraries
385       requiring text relocation that are  not  labeled  textrel_shlib_t,  you
386       must turn on the selinuxuser_execmod boolean. Enabled by default.
387
388       setsebool -P selinuxuser_execmod 1
389
390
391
392       If  you  want  to allow unconfined executables to make their stack exe‐
393       cutable.  This should never, ever be necessary.  Probably  indicates  a
394       badly  coded  executable, but could indicate an attack. This executable
395       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
396       stack boolean. Enabled by default.
397
398       setsebool -P selinuxuser_execstack 1
399
400
401
402       If  you  want  to allow users to connect to the local mysql server, you
403       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
404       default.
405
406       setsebool -P selinuxuser_mysql_connect_enabled 1
407
408
409
410       If  you  want to allow users to connect to PostgreSQL, you must turn on
411       the   selinuxuser_postgresql_connect_enabled   boolean.   Disabled   by
412       default.
413
414       setsebool -P selinuxuser_postgresql_connect_enabled 1
415
416
417
418       If  you want to allow user to r/w files on filesystems that do not have
419       extended attributes (FAT, CDROM, FLOPPY), you must turn on  the  selin‐
420       uxuser_rw_noexattrfile boolean. Disabled by default.
421
422       setsebool -P selinuxuser_rw_noexattrfile 1
423
424
425
426       If you want to allow user  to use ssh chroot environment, you must turn
427       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
428
429       setsebool -P selinuxuser_use_ssh_chroot 1
430
431
432
433       If you want to support NFS home  directories,  you  must  turn  on  the
434       use_nfs_home_dirs boolean. Disabled by default.
435
436       setsebool -P use_nfs_home_dirs 1
437
438
439
440       If  you  want  to  support SAMBA home directories, you must turn on the
441       use_samba_home_dirs boolean. Disabled by default.
442
443       setsebool -P use_samba_home_dirs 1
444
445
446

HOME_EXEC

448       The SELinux user staff_u is able execute home content files.
449
450

TRANSITIONS

452       Three things can happen when staff_t attempts to execute a program.
453
454       1. SELinux Policy can deny staff_t from executing the program.
455
456
457
458       2. SELinux Policy can allow staff_t to execute the program in the  cur‐
459       rent user type.
460
461              Execute  the  following  to  see the types that the SELinux user
462              staff_t can execute without transitioning:
463
464              sesearch -A -s staff_t -c file -p execute_no_trans
465
466
467
468       3. SELinux can allow staff_t to execute the program and transition to a
469       new type.
470
471              Execute  the  following  to  see the types that the SELinux user
472              staff_t can execute and transition:
473
474              $ sesearch -A -s staff_t -c process -p transition
475
476
477

MANAGED FILES

479       The SELinux process type staff_t can manage files labeled with the fol‐
480       lowing  file  types.   The paths listed are the default paths for these
481       file types.  Note the processes UID still need to have DAC permissions.
482
483       alsa_home_t
484
485            /home/[^/]+/.asoundrc
486
487       anon_inodefs_t
488
489
490       auth_cache_t
491
492            /var/cache/coolkey(/.*)?
493
494       bluetooth_helper_tmp_t
495
496
497       bluetooth_helper_tmpfs_t
498
499
500       cgroup_t
501
502            /sys/fs/cgroup
503
504       chrome_sandbox_tmpfs_t
505
506
507       cifs_t
508
509
510       dirsrv_config_t
511
512            /etc/dirsrv(/.*)?
513
514       dirsrv_var_lib_t
515
516            /var/lib/dirsrv(/.*)?
517
518       dirsrv_var_log_t
519
520            /var/log/dirsrv(/.*)?
521
522       dirsrv_var_run_t
523
524            /var/run/slapd.*
525            /var/run/dirsrv(/.*)?
526
527       dosfs_t
528
529
530       games_data_t
531
532            /var/games(/.*)?
533            /var/lib/games(/.*)?
534
535       gconf_tmp_t
536
537            /tmp/gconfd-[^/]+/.*
538
539       git_user_content_t
540
541            /home/[^/]+/public_git(/.*)?
542
543       gkeyringd_tmp_t
544
545            /var/run/user/[^/]*/keyring.*
546
547       gnome_home_type
548
549
550       gpg_agent_tmp_t
551
552            /home/[^/]+/.gnupg/log-socket
553
554       httpd_user_content_t
555
556            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
557
558       httpd_user_htaccess_t
559
560            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
561
562       httpd_user_ra_content_t
563
564            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
565
566       httpd_user_rw_content_t
567
568
569       httpd_user_script_exec_t
570
571            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
572
573       irc_home_t
574
575            /home/[^/]+/.irssi(/.*)?
576            /home/[^/]+/irclog(/.*)?
577            /home/[^/]+/.ircmotd
578
579       irc_tmp_t
580
581
582       irssi_home_t
583
584
585       mail_spool_t
586
587            /var/mail(/.*)?
588            /var/spool/imap(/.*)?
589            /var/spool/mail(/.*)?
590            /var/spool/smtpd(/.*)?
591
592       mpd_user_data_t
593
594
595       mqueue_spool_t
596
597            /var/spool/(client)?mqueue(/.*)?
598            /var/spool/mqueue.in(/.*)?
599
600       nfs_t
601
602
603       noxattrfs
604
605            all files on file systems which do not support extended attributes
606
607       pulseaudio_tmpfs_t
608
609
610       pulseaudio_tmpfsfile
611
612
613       sandbox_file_t
614
615
616       sandbox_tmpfs_type
617
618            all sandbox content in tmpfs file systems
619
620       screen_home_t
621
622            /root/.screen(/.*)?
623            /home/[^/]+/.screen(/.*)?
624            /home/[^/]+/.screenrc
625            /home/[^/]+/.tmux.conf
626
627       security_t
628
629            /selinux
630
631       ssh_home_t
632
633            /var/lib/[^/]+/.ssh(/.*)?
634            /root/.ssh(/.*)?
635            /var/lib/one/.ssh(/.*)?
636            /var/lib/pgsql/.ssh(/.*)?
637            /var/lib/openshift/[^/]+/.ssh(/.*)?
638            /var/lib/amanda/.ssh(/.*)?
639            /var/lib/stickshift/[^/]+/.ssh(/.*)?
640            /var/lib/gitolite/.ssh(/.*)?
641            /var/lib/nocpulse/.ssh(/.*)?
642            /var/lib/gitolite3/.ssh(/.*)?
643            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
644            /root/.shosts
645            /home/[^/]+/.ssh(/.*)?
646            /home/[^/]+/.ansible/cp/.*
647            /home/[^/]+/.shosts
648
649       systemd_passwd_var_run_t
650
651            /var/run/systemd/ask-password(/.*)?
652            /var/run/systemd/ask-password-block(/.*)?
653
654       systemd_unit_file_type
655
656
657       usbfs_t
658
659
660       user_fonts_cache_t
661
662            /root/.fontconfig(/.*)?
663            /root/.fonts/auto(/.*)?
664            /root/.fonts.cache-.*
665            /root/.cache/fontconfig(/.*)?
666            /home/[^/]+/.fontconfig(/.*)?
667            /home/[^/]+/.fonts/auto(/.*)?
668            /home/[^/]+/.fonts.cache-.*
669            /home/[^/]+/.cache/fontconfig(/.*)?
670
671       user_home_type
672
673            all user home files
674
675       user_tmp_t
676
677            /dev/shm/mono.*
678            /var/run/user(/.*)?
679            /tmp/.ICE-unix(/.*)?
680            /tmp/.X11-unix(/.*)?
681            /dev/shm/pulse-shm.*
682            /tmp/.X0-lock
683            /tmp/hsperfdata_root
684            /var/tmp/hsperfdata_root
685            /home/[^/]+/tmp
686            /home/[^/]+/.tmp
687            /tmp/gconfd-[^/]+
688
689       user_tmp_type
690
691            all user tmp files
692
693       virt_image_type
694
695            all virtual image files
696
697       wireshark_home_t
698
699            /home/[^/]+/.wireshark(/.*)?
700
701       wireshark_tmp_t
702
703
704       wireshark_tmpfs_t
705
706
707       xserver_tmpfs_t
708
709
710

COMMANDS

712       semanage fcontext can also be used to manipulate default  file  context
713       mappings.
714
715       semanage  permissive  can  also  be used to manipulate whether or not a
716       process type is permissive.
717
718       semanage module can also be used to enable/disable/install/remove  pol‐
719       icy modules.
720
721       semanage boolean can also be used to manipulate the booleans
722
723
724       system-config-selinux is a GUI tool available to customize SELinux pol‐
725       icy settings.
726
727

AUTHOR

729       This manual page was auto-generated using sepolicy manpage .
730
731

SEE ALSO

733       selinux(8),  staff(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
734       icy(8),  setsebool(8),  staff_consolehelper_selinux(8),  staff_console‐
735       helper_selinux(8),   staff_dbusd_selinux(8),    staff_dbusd_selinux(8),
736       staff_gkeyringd_selinux(8),                 staff_gkeyringd_selinux(8),
737       staff_screen_selinux(8),      staff_screen_selinux(8),      staff_seun‐
738       share_selinux(8),                           staff_seunshare_selinux(8),
739       staff_ssh_agent_selinux(8),                 staff_ssh_agent_selinux(8),
740       staff_sudo_selinux(8),    staff_sudo_selinux(8),    staff_t_selinux(8),
741       staff_t_selinux(8), staff_wine_selinux(8), staff_wine_selinux(8)
742
743
744
745mgrepl@redhat.com                    staff                    staff_selinux(8)
Impressum