user_selinux(8)        user SELinux Policy documentation       user_selinux(8)


NAME

       user_u - Generic unprivileged user - Security Enhanced Linux Policy


DESCRIPTION

       user_u is an SELinux user defined in the SELinux policy. SELinux users
       have default roles, user_r. The default role has a default type,
       user_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       user_u:user_r:user_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux user to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the user_u
       user, you would execute:

       semanage login -m -s user_u __default__

       If you want to map one Linux user (joe) to the SELinux user user_u,
       you would execute:

       semanage login -a -s user_u joe

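       The following script is an added example, not part of this generated
       manual page: it reads the table that `semanage login -l` prints (on
       stdin, so it can be fed from a live system or from the constructed
       sample below) and reports which Linux logins still map to unconfined_u
       rather than user_u. The sample rows, the login name joe and the helper
       names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the Linux-login -> SELinux-user map printed by
# `semanage login -l`. Feed real output with
#     semanage login -l | report_unconfined
# or use the constructed sample below.

# Constructed sample of `semanage login -l` output (not captured from a real host).
SAMPLE_LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# login_rows: drop the header and blank lines, emit "login seuser" pairs.
login_rows() {
    awk 'NF >= 2 && $1 != "Login" { print $1, $2 }'
}

# seuser_of LOGIN: the SELinux user a given login name maps to (table on stdin).
seuser_of() {
    login_rows | awk -v l="$1" '$1 == l { print $2 }'
}

# logins_for SEUSER: login names mapped to the given SELinux user.
logins_for() {
    login_rows | awk -v s="$1" '$2 == s { print $1 }'
}

# default_is_unconfined: succeeds when __default__ maps to unconfined_u,
# i.e. every login not listed explicitly gets the unconfined user.
default_is_unconfined() {
    [ "$(seuser_of __default__)" = "unconfined_u" ]
}

# report_unconfined: one line per login mapped to unconfined_u, with the
# semanage invocation from the DESCRIPTION section that would move it to user_u.
report_unconfined() {
    login_rows | awk '$2 == "unconfined_u" {
        printf "%s -> %s  (to confine: semanage login -m -s user_u %s)\n", $1, $2, $1 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOGIN_MAP" | report_unconfined
```

       The functions read the table from stdin so the same code works against
       `semanage login -l` on a real host (run as root) or against the
       constructed sample used here.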

USER DESCRIPTION

       The SELinux user user_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.


SUDO

X WINDOWS LOGIN

       The SELinux user user_u is able to log in via X Windows.


NETWORK

       The SELinux user user_u is able to listen on the following tcp ports.

              6000-6020

              32768-60999

              all ports without defined types

              3689

              all ports > 1024

       The SELinux user user_u is able to connect to the following tcp ports.

              8955

              53,853

              all ports

              389,636,3268,3269,7389

              32768-60999

              88,750,4444

              all ports without defined types

              111

              5432,9898

              9080

              all ports < 1024

       The SELinux user user_u is able to listen on the following udp ports.

              all ports without defined types

              32768-60999

              all ports > 1024

       The SELinux user user_u is able to connect to the following tcp ports.

              8955

              53,853

              all ports

              389,636,3268,3269,7389

              32768-60999

              88,750,4444

              all ports without defined types

              111

              5432,9898

              9080

              all ports < 1024


BOOLEANS

       SELinux policy is customizable based on least access required. user
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run user with the tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Enabled by default. Such mappings are dangerous,
       and an executable that needs them should be reported in bugzilla.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to determine whether calling user domains can execute Git
       daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Enabled by default.

       setsebool -P git_session_users 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to determine whether calling user domains can execute
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Enabled by default.

       setsebool -P selinuxuser_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean.
       Enabled by default. This should never, ever be necessary. It probably
       indicates a badly coded executable, but could indicate an attack. Such
       an executable should be reported in bugzilla.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to connect to the local mysql server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_mysql_connect_enabled 1

       If you want to allow confined users the ability to execute the ping and
       traceroute commands, you must turn on the selinuxuser_ping boolean.
       Enabled by default.

       setsebool -P selinuxuser_ping 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_postgresql_connect_enabled 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to allow unprivileged users to create and transition to
       svirt domains, you must turn on the unprivuser_use_svirt boolean.
       Disabled by default.

       setsebool -P unprivuser_use_svirt 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

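       The following script is an added example and not part of this generated
       manual page: it compares the live state of the booleans listed above,
       as printed by `getsebool`, with the defaults this page documents, and
       reports any that have drifted. The documented defaults are copied from
       the BOOLEANS section as written; the `getsebool -a` sample is
       constructed and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Added example: report booleans from this page whose live value differs from
# the documented default. Feed real output with
#     getsebool -a | boolean_drift
# or use the constructed sample below.

# Documented defaults, copied from the BOOLEANS section above: "name default".
DOCUMENTED_DEFAULTS='authlogin_nsswitch_use_ldap off
cron_userdomain_transition on
deny_bluetooth on
deny_execmem on
deny_ptrace on
fips_mode on
git_session_users on
httpd_enable_cgi on
kerberos_enabled on
nis_enabled off
nscd_use_shm off
polipo_session_users off
pppd_for_user off
selinuxuser_execmod on
selinuxuser_execstack on
selinuxuser_mysql_connect_enabled off
selinuxuser_ping on
selinuxuser_postgresql_connect_enabled off
selinuxuser_rw_noexattrfile on
selinuxuser_use_ssh_chroot off
unprivuser_use_svirt off
use_nfs_home_dirs off
use_samba_home_dirs off'

# Constructed sample of `getsebool -a` output with two deliberate deviations
# (deny_execmem switched off, selinuxuser_mysql_connect_enabled switched on).
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
cron_userdomain_transition --> on
deny_execmem --> off
deny_ptrace --> on
selinuxuser_execstack --> on
selinuxuser_mysql_connect_enabled --> on
use_nfs_home_dirs --> off'

# boolean_drift: read `getsebool -a` lines ("name --> on|off") on stdin and
# print "name live documented" for every listed boolean whose live value
# differs from the documented default. Booleans absent from the input (for
# example, not present in the loaded policy) are skipped rather than flagged.
boolean_drift() {
    awk -v defaults="$DOCUMENTED_DEFAULTS" '
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1]] = f[2] }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# drift_count: number of drifted booleans, for use in scripts and checks.
drift_count() {
    boolean_drift | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

       The "documented" column reflects what this page states; on a real host
       `semanage boolean -l` shows both the current and the policy default
       value, which is the authoritative reference for the installed policy.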

HOME_EXEC

       The SELinux user user_u is able to execute home content files.


TRANSITIONS

       Three things can happen when user_t attempts to execute a program.

       1. SELinux Policy can deny user_t from executing the program.

       2. SELinux Policy can allow user_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              user_t can execute without transitioning:

              sesearch -A -s user_t -c file -p execute_no_trans

       3. SELinux can allow user_t to execute the program and transition to a
       new type.

              Execute the following to see the types that the SELinux user
              user_t can execute and transition:

              sesearch -A -s user_t -c process -p transition

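       The following script is an added example, not part of this generated
       manual page or of the sepolicy project: it reduces the output of the
       two `sesearch -A` commands above to the answers a reviewer wants, the
       types user_t may execute without a domain change and the domains it
       may transition into. The `sesearch` sample is constructed in the
       setools `allow source target:class { perms };` style, and the rules and
       helper names in it are assumptions for the example.

```shell
#!/bin/sh
# Added example: summarise `sesearch -A ...` output for user_t. Feed real
# output with
#     sesearch -A -s user_t -c file -p execute_no_trans | exec_no_trans_types
#     sesearch -A -s user_t -c process -p transition | transition_targets
# or use the constructed sample below.

# Constructed sample in setools `sesearch` style; not taken from a real policy.
SAMPLE_SESEARCH='allow user_t bin_t:file { execute execute_no_trans getattr ioctl lock map open read };
allow user_t user_home_t:file { execute execute_no_trans getattr ioctl lock open read };
allow user_t shell_exec_t:file { execute execute_no_trans getattr open read };
allow user_t chkpwd_t:process transition;
allow user_t ssh_t:process transition;
allow user_t user_t:process { fork getattr getsched setsched sigchld sigkill signal sigstop };
allow user_t sandbox_t:process dyntransition;'

# av_rules SRC CLASS PERM: from sesearch -A lines on stdin, print (sorted,
# de-duplicated) the target type of every allow rule whose source type,
# object class and permission set match. Permissions are compared as whole
# words so that "dyntransition" does not match "transition".
av_rules() {
    awk -v src="$1" -v cls="$2" -v perm="$3" '
        $1 == "allow" && $2 == src {
            split($3, t, ":")            # t[1] = target type, t[2] = class
            if (t[2] != cls) next
            for (i = 4; i <= NF; i++) {
                w = $i
                gsub(/[{};]/, "", w)     # strip the braces and trailing ";"
                if (w == perm) { print t[1]; break }
            }
        }' | sort -u
}

# exec_no_trans_types: file types user_t can run while staying in user_t
# (case 2 above). A user_home_t entry here is what the HOME_EXEC section means.
exec_no_trans_types() {
    av_rules user_t file execute_no_trans
}

# transition_targets: process domains user_t can transition into (case 3 above).
transition_targets() {
    av_rules user_t process transition
}

# Demonstration on the constructed sample.
echo "execute without transition:"
printf '%s\n' "$SAMPLE_SESEARCH" | exec_no_trans_types
echo "transition targets:"
printf '%s\n' "$SAMPLE_SESEARCH" | transition_targets
```

       Only the access-vector rules are inspected; which new domain is chosen
       for a given executable also depends on type_transition rules, which
       `sesearch -T -s user_t` lists separately.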

MANAGED FILES

       The SELinux process type user_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       anon_inodefs_t

       auth_cache_t

            /var/cache/coolkey(/.*)?

       bluetooth_helper_tmp_t

       bluetooth_helper_tmpfs_t

       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t

       cifs_t

       dosfs_t

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       git_user_content_t

            /home/[^/]+/public_git(/.*)?

       gkeyringd_tmp_t

            /var/run/user/[^/]*/keyring.*

       gnome_home_type

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       irc_home_t

            /home/[^/]+/.irssi(/.*)?
            /home/[^/]+/irclog(/.*)?
            /home/[^/]+/.ircmotd

       irc_tmp_t

       irssi_home_t

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mpd_user_data_t

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       nfs_t

       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t

       pulseaudio_tmpfsfile

       sandbox_file_t

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]+/.screen(/.*)?
            /home/[^/]+/.screenrc
            /home/[^/]+/.tmux.conf

       security_t

            /selinux

       ssh_home_t

            /var/lib/[^/]+/.ssh(/.*)?
            /root/.ssh(/.*)?
            /var/lib/one/.ssh(/.*)?
            /var/lib/pgsql/.ssh(/.*)?
            /var/lib/openshift/[^/]+/.ssh(/.*)?
            /var/lib/amanda/.ssh(/.*)?
            /var/lib/stickshift/[^/]+/.ssh(/.*)?
            /var/lib/gitolite/.ssh(/.*)?
            /var/lib/nocpulse/.ssh(/.*)?
            /var/lib/gitolite3/.ssh(/.*)?
            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
            /root/.shosts
            /home/[^/]+/.ssh(/.*)?
            /home/[^/]+/.ansible/cp/.*
            /home/[^/]+/.shosts

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       virt_image_type

            all virtual image files

       xserver_tmpfs_t


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8),
       user_mail_selinux(8), user_screen_selinux(8),
       user_seunshare_selinux(8), user_ssh_agent_selinux(8),
       user_t_selinux(8), user_wine_selinux(8)

mgrepl@redhat.com                    user                      user_selinux(8)