user_selinux(8)        user SELinux Policy documentation       user_selinux(8)


NAME

       user_u - Generic unprivileged user - Security Enhanced Linux Policy

DESCRIPTION

       user_u is an SELinux User defined in the SELinux policy. SELinux users
       have default roles, user_r.  The default role has a default type,
       user_t, associated with it.

       The SELinux user will usually login to a system with a context that
       looks like:

       user_u:user_r:user_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux User to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux User to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the user_u
       user, you would execute:

       semanage login -m -s user_u __default__

       If you want to map one Linux user (joe) to the SELinux user user_u,
       you would execute:

       $ semanage login -a -s user_u joe
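
       The following POSIX shell audit is an added example and is not part of
       this manual page: it reads the listing that "semanage login -l" prints
       and reports which logins (including __default__) still map to
       unconfined_u rather than the confined user_u, and splits a login
       context such as the one shown above into its fields. The listing in
       SAMPLE_LOGIN_LIST is constructed.

```shell
#!/bin/sh
# Added example, not from the man page: audit the Linux-login to SELinux-user
# mapping that "semanage login -l" prints. Any login mapped to unconfined_u
# (including __default__) gets the unconfined user, not the confined user_u.
# SAMPLE_LOGIN_LIST is constructed; on a live system pipe the real output:
#   semanage login -l | unconfined_logins

SAMPLE_LOGIN_LIST='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
joe                  user_u               s0                   *'

# Read the listing on stdin; print, comma-separated, every login whose
# SELinux user (column 2) is not user_u. Line 1 is the header.
unconfined_logins() {
    awk 'NR > 1 && NF >= 2 && $2 != "user_u" { printf "%s%s", sep, $1; sep = "," }
         END { print "" }'
}

# Exit 0 when __default__ already maps to user_u (the state the page's
# "semanage login -m -s user_u __default__" command produces), else 1.
default_is_confined() {
    awk '$1 == "__default__" && $2 == "user_u" { ok = 1 } END { exit !ok }'
}

# Split a login context like user_u:user_r:user_t:s0 into its SELinux user,
# role and type; the level (and any MLS range, which itself contains
# colons) is left in the fourth field and not printed.
context_fields() {
    IFS=: read -r seuser role setype level <<EOF
$1
EOF
    printf '%s %s %s\n' "$seuser" "$role" "$setype"
}

printf '%s\n' "$SAMPLE_LOGIN_LIST" | unconfined_logins   # __default__,root
context_fields 'user_u:user_r:user_t:s0'                 # user_u user_r user_t
```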

USER DESCRIPTION

       The SELinux user user_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.

SUDO

X WINDOWS LOGIN

       The SELinux user user_u is able to log in via X Windows.

NETWORK

       The SELinux user user_u is able to listen on the following tcp ports.

              6000-6020

              3689

              all ports > 1024

              32768-60999

              all ports without defined types

       The SELinux user user_u is able to connect to the following tcp ports.

              8955

              all ports

              53,853

              5432,9898

              389,636,3268,3269,7389

              111

              all ports < 1024

              32768-60999

              all ports without defined types

              88,750,4444

              9080

       The SELinux user user_u is able to listen on the following udp ports.

              32768-60999

              all ports without defined types

              all ports > 1024


BOOLEANS

       SELinux policy is customizable based on least access required.  user
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run user with the tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Enabled by default. Mapping memory both writable
       and executable is dangerous, and an executable that needs it should be
       reported in bugzilla.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to determine whether calling user domains can execute the
       Git daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Disabled by default.

       setsebool -P git_session_users 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to determine whether calling user domains can execute the
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Disabled by default.

       setsebool -P selinuxuser_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean.
       Disabled by default. This should never, ever be necessary. It probably
       indicates a badly coded executable, but could indicate an attack. Such
       an executable should be reported in bugzilla.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to connect to the local mysql server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_mysql_connect_enabled 1

       If you want to allow confined users the ability to execute the ping and
       traceroute commands, you must turn on the selinuxuser_ping boolean.
       Disabled by default.

       setsebool -P selinuxuser_ping 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_postgresql_connect_enabled 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Disabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to allow unprivileged users to create and transition to
       svirt domains, you must turn on the unprivuser_use_svirt boolean.
       Disabled by default.

       setsebool -P unprivuser_use_svirt 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
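
       The following shell check is an added example and is not part of this
       manual page: it compares the hardening booleans documented above
       (deny_execmem, deny_ptrace, selinuxuser_execmod, selinuxuser_execstack,
       selinuxuser_ping, unprivuser_use_svirt) against the defaults the page
       states, using the "name --> on|off" lines that "getsebool -a" prints,
       and emits the setsebool -P commands that restore them. The getsebool
       output in SAMPLE_GETSEBOOL is constructed.

```shell
#!/bin/sh
# Added example, not from the man page: detect drift of the hardening
# booleans documented above from the defaults the page states, using the
# "<name> --> <on|off>" lines that "getsebool -a" prints.
# SAMPLE_GETSEBOOL is constructed; on a live system run:
#   getsebool -a | boolean_drift

SAMPLE_GETSEBOOL='deny_bluetooth --> on
deny_execmem --> off
deny_ptrace --> on
selinuxuser_execmod --> off
selinuxuser_execstack --> on
selinuxuser_ping --> off
unprivuser_use_svirt --> off'

# Read getsebool output on stdin; for each tracked boolean whose current
# value differs from its documented default print "name current documented".
boolean_drift() {
    awk '
        BEGIN {
            # documented defaults, copied from the BOOLEANS section
            want["deny_execmem"] = "on"
            want["deny_ptrace"] = "on"
            want["selinuxuser_execmod"] = "off"
            want["selinuxuser_execstack"] = "off"
            want["selinuxuser_ping"] = "off"
            want["unprivuser_use_svirt"] = "off"
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] {
            printf "%s %s %s\n", $1, $3, want[$1]
        }'
}

# Turn each drifted line into the persistent setsebool -P command, in the
# form the page uses, that restores the documented default.
restore_commands() {
    boolean_drift | awk '{ printf "setsebool -P %s %d\n", $1, ($3 == "on") }'
}

printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
# deny_execmem off on
# selinuxuser_execstack on off
printf '%s\n' "$SAMPLE_GETSEBOOL" | restore_commands
# setsebool -P deny_execmem 1
# setsebool -P selinuxuser_execstack 0
```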

HOME_EXEC

       The SELinux user user_u is able to execute home content files.

TRANSITIONS

       Three things can happen when user_t attempts to execute a program.

       1. SELinux Policy can deny user_t from executing the program.

       2. SELinux Policy can allow user_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              user_t can execute without transitioning:

              sesearch -A -s user_t -c file -p execute_no_trans

       3. SELinux can allow user_t to execute the program and transition to a
       new type.

              Execute the following to see the types that the SELinux user
              user_t can execute and transition:

              $ sesearch -A -s user_t -c process -p transition

MANAGED FILES

       The SELinux process type user_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       anon_inodefs_t

       auth_cache_t

            /var/cache/coolkey(/.*)?

       bluetooth_helper_tmp_t

       bluetooth_helper_tmpfs_t

       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t

       cifs_t

       dosfs_t

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       git_user_content_t

            /home/[^/]+/public_git(/.*)?

       gkeyringd_tmp_t

            /var/run/user/[^/]*/keyring.*

       gnome_home_type

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       irc_home_t

            /home/[^/]+/.irssi(/.*)?
            /home/[^/]+/irclog(/.*)?
            /home/[^/]+/.ircmotd

       irc_tmp_t

       irssi_home_t

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mpd_user_data_t

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       nfs_t

       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t

       pulseaudio_tmpfsfile

       sandbox_file_t

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]+/.screen(/.*)?
            /home/[^/]+/.screenrc
            /home/[^/]+/.tmux.conf

       security_t

            /selinux

       session_dbusd_tmp_t

            /var/run/user(/.*)?/dbus-[0-9]*(/.*)?
            /var/run/user/[^/]*/systemd(/.*)?

       ssh_home_t

            /var/lib/[^/]+/.ssh(/.*)?
            /root/.ssh(/.*)?
            /var/lib/one/.ssh(/.*)?
            /var/lib/pgsql/.ssh(/.*)?
            /var/lib/openshift/[^/]+/.ssh(/.*)?
            /var/lib/amanda/.ssh(/.*)?
            /var/lib/stickshift/[^/]+/.ssh(/.*)?
            /var/lib/gitolite/.ssh(/.*)?
            /var/lib/nocpulse/.ssh(/.*)?
            /var/lib/gitolite3/.ssh(/.*)?
            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
            /root/.shosts
            /home/[^/]+/.ssh(/.*)?
            /home/[^/]+/.ansible/cp/.*
            /home/[^/]+/.shosts

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       usbfs_t

       user_cron_spool_t

            /var/spool/at(/.*)?
            /var/spool/cron
            /var/spool/cron/[^/]+

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/run/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?

       virt_image_type

            all virtual image files

       xserver_tmpfs_t
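
       The following shell function is an added example and is not part of
       this manual page: it decides which of the managed file types above a
       given path falls under by matching the path against the listed default
       paths, treating each as the anchored extended regular expression it is
       in file_contexts. MANAGED_CONTEXTS is a constructed subset of the list
       above, copied as printed there; managed_type and manageable_here are
       names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the man page: decide which of the managed file
# types above a path falls under, by matching it against the listed default
# paths, which are anchored extended regular expressions as in file_contexts.
# MANAGED_CONTEXTS is a constructed subset of the section above; the
# patterns are copied as printed there (the page prints ".ssh" without the
# backslash that file_contexts uses, so "." matches any character here).

MANAGED_CONTEXTS='alsa_home_t /home/[^/]+/.asoundrc
ssh_home_t /home/[^/]+/.ssh(/.*)?
user_tmp_t /home/[^/]+/tmp
user_cron_spool_t /var/spool/cron
user_cron_spool_t /var/spool/cron/[^/]+
faillog_t /var/log/faillog.*
mail_spool_t /var/mail(/.*)?'

# Print the type of the last entry whose regex matches the whole path
# (later, more specific entries win, as in a file_contexts lookup), or
# "unmanaged" when no listed pattern matches.
managed_type() {
    path=$1
    result=unmanaged
    while read -r ftype regex; do
        [ -n "$ftype" ] || continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            result=$ftype
        fi
    done <<EOF
$MANAGED_CONTEXTS
EOF
    printf '%s\n' "$result"
}

# Exit 0 only when user_t can manage the path AND the calling UID passes the
# DAC check (the file is writable); the page notes both are required.
manageable_here() {
    [ "$(managed_type "$1")" != unmanaged ] && [ -w "$1" ]
}

managed_type /home/joe/.ssh/authorized_keys   # ssh_home_t
managed_type /home/joe/tmp/scratch            # unmanaged: only the directory itself is listed
managed_type /var/spool/cron/joe              # user_cron_spool_t
```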

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8),
       user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8),
       user_ssh_agent_selinux(8), user_wine_selinux(8)


mgrepl@redhat.com                    user                      user_selinux(8)