sysadm_selinux(8)     sysadm SELinux Policy documentation    sysadm_selinux(8)


NAME

       sysadm_u - General system administration role - Security Enhanced Linux
       Policy


DESCRIPTION

       sysadm_u is an SELinux user defined in the SELinux policy. SELinux
       users have default roles; for sysadm_u this is sysadm_r. The default
       role has a default type, sysadm_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       sysadm_u:sysadm_r:sysadm_t:s0 - s0:c0.c1023

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux user to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the sysadm_u
       user, you would execute:

       semanage login -m -s sysadm_u __default__

       If you want to map one Linux user (joe) to the SELinux user sysadm_u,
       you would execute:

       $ semanage login -a -s sysadm_u joe


USER DESCRIPTION

       The SELinux user sysadm_u is an admin user. This means that a Linux
       user mapped to this SELinux user is intended for administrative
       actions. Usually this is assigned to the root Linux user.


SUDO

       The SELinux user sysadm_u can execute sudo.

       You can set up sudo to allow sysadm_u to transition to an
       administrative domain:

       Add one or more of the following records to sudoers using visudo.

       USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
       sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL

       USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
       sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL

       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
       sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
       sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL

       You might also need to add one or more of these new roles to your
       SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add the required roles, sysadm_r included,
       to this list:

       $ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

       For more details you can see the semanage man page.

       The SELinux type sysadm_t is not allowed to execute sudo.

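       The login mapping from DESCRIPTION and the role check from SUDO can be
       audited together. The following Python is an added example, not part
       of this manual page or of the sepolicy tooling. It parses constructed
       samples of "semanage login -l" and "semanage user -l" output (the
       column layout is assumed to match those commands' default table
       format) and sudoers records in the ROLE=/TYPE= form shown above, then
       reports which Linux logins map to sysadm_u and which sudoers records
       name a role that the mapped SELinux user cannot reach. All function
       names are the example's own.

```python
import re

# Constructed sample of `semanage login -l` output (not captured from a real host).
LOGIN_LIST = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
"""

# Constructed sample of `semanage user -l` output.
USER_LIST = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
user_u          user       s0         s0                             user_r
"""

# Constructed sudoers records in the ROLE=/TYPE= form shown in the SUDO section.
SUDOERS = """\
joe ALL=(ALL) ROLE=staff_r TYPE=staff_t /usr/bin/systemctl
joe ALL=(ALL) ROLE=secadm_r TYPE=secadm_t /usr/sbin/semanage
root ALL=(ALL) ALL
"""

SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\(.*?\)\s+ROLE=(?P<role>\S+)\s+TYPE=(?P<type>\S+)\s+(?P<cmd>.+)$")


def parse_login_map(text):
    """Linux login name -> SELinux user, from `semanage login -l` output."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Login":      # header or blank line
            continue
        mapping[fields[0]] = fields[1]
    return mapping


def parse_user_roles(text):
    """SELinux user -> set of reachable roles, from `semanage user -l` output."""
    roles = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("Labeling", "SELinux"):  # two header lines
            continue
        roles[fields[0]] = set(fields[4:])          # everything after the MLS range
    return roles


def parse_sudoers_roles(text):
    """(linux_user, role, type, command) for every ROLE=/TYPE= record; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = SUDOERS_RE.match(line.strip())
        if m:
            records.append((m["user"], m["role"], m["type"], m["cmd"]))
    return records


def admin_logins(login_map, admin_user="sysadm_u"):
    """Logins (including __default__) that land in the admin SELinux user."""
    return sorted(login for login, seuser in login_map.items() if seuser == admin_user)


def unreachable_sudo_roles(login_map, user_roles, records):
    """Sudoers records whose ROLE= is not in the invoking user's SELinux role list.
    sudo cannot enter a role the SELinux user is not authorised for, so these
    records fail at run time; this is the check the text above describes."""
    problems = []
    for linux_user, role, _type, _cmd in records:
        seuser = login_map.get(linux_user, login_map.get("__default__"))
        if role not in user_roles.get(seuser, set()):
            problems.append((linux_user, seuser, role))
    return problems


def fix_command(seuser, user_roles, problems):
    """The `semanage user -m -R ...` line that adds every missing role to seuser."""
    wanted = set(user_roles.get(seuser, set()))
    wanted.update(role for _u, s, role in problems if s == seuser)
    return "semanage user -m -R '%s' %s" % (" ".join(sorted(wanted)), seuser)


if __name__ == "__main__":
    logins = parse_login_map(LOGIN_LIST)
    roles = parse_user_roles(USER_LIST)
    print("logins mapped to sysadm_u:", admin_logins(logins))
    problems = unreachable_sudo_roles(logins, roles, parse_sudoers_roles(SUDOERS))
    for linux_user, seuser, role in problems:
        print("%s (%s) cannot reach ROLE=%s" % (linux_user, seuser, role))
    if problems:
        print("suggested fix:", fix_command("sysadm_u", roles, problems))
```

       On a live host the three constants would be replaced by the output of
       the real commands; the role check is deliberately keyed on the mapped
       SELinux user, not the Linux login, because that is what sudo's ROLE=
       transition is evaluated against.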

X WINDOWS LOGIN

       The SELinux user sysadm_u is able to log in via X Windows.


NETWORK

       The SELinux user sysadm_u is able to listen on the following tcp ports.

              32768-60999

              389,636,3268,3269,7389

              all ports without defined types

              all ports >= 1024

       The SELinux user sysadm_u is able to connect to the following tcp
       ports.

              8955

              53,853

              all ports

              389,636,3268,3269,7389

              all ports without defined types

              32768-60999

              all ports < 1024

              9080

              88,750,4444

       The SELinux user sysadm_u is able to listen on the following udp ports.

              32768-60999

              all ports without defined types

              123

              all ports >= 1024


BOOLEANS

       SELinux policy is customizable based on least access required. sysadm
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sysadm with the tightest access possible.

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Such mappings are dangerous, and an executable
       that needs one should be reported in bugzilla. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to determine whether calling user domains can execute the
       Git daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Disabled by default.

       setsebool -P git_session_users 1

       If you want to determine whether calling user domains can execute the
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Disabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and from outside users), you must turn
       on the selinuxuser_tcp_server boolean. Disabling this forces FTP
       passive mode and may change other protocols. Disabled by default.

       setsebool -P selinuxuser_tcp_server 1

       If you want to allow users to run UDP servers (bind to ports and accept
       connections from the same domain and from outside users), you must turn
       on the selinuxuser_udp_server boolean. Disabling this may break avahi
       discovering services on the network and other UDP related services.
       Disabled by default.

       setsebool -P selinuxuser_udp_server 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

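       Because each boolean above has a documented default, a host can be
       checked for drift from those defaults. The following Python is an
       added example, not part of this manual page or of the sepolicy
       tooling. It parses a constructed sample of "getsebool -a" output
       (assumed to use the "name --> on|off" line form), compares it against
       the defaults stated in this section, and prints the "setsebool -P"
       lines that would restore them. The function names and the HIGH_IMPACT
       grouping are the example's own.

```python
# Constructed sample of `getsebool -a` output, reduced to the booleans documented
# above (not captured from a real host).
GETSEBOOL_OUTPUT = """\
cron_userdomain_transition --> on
deny_bluetooth --> off
deny_execmem --> on
deny_ptrace --> off
fips_mode --> on
git_session_users --> off
polipo_session_users --> off
selinuxuser_execstack --> on
selinuxuser_rw_noexattrfile --> off
selinuxuser_tcp_server --> off
selinuxuser_udp_server --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
"""

# Documented defaults from the BOOLEANS section (True = "Enabled by default").
DOCUMENTED_DEFAULTS = {
    "cron_userdomain_transition": True,
    "deny_bluetooth": True,
    "deny_execmem": True,
    "deny_ptrace": True,
    "fips_mode": True,
    "git_session_users": False,
    "polipo_session_users": False,
    "selinuxuser_execstack": False,
    "selinuxuser_rw_noexattrfile": False,
    "selinuxuser_tcp_server": False,
    "selinuxuser_udp_server": False,
    "use_nfs_home_dirs": True,
    "use_samba_home_dirs": False,
}

# Booleans whose drift loosens a restriction on writable+executable memory or on
# process debugging; the text above flags these as possible attack indicators,
# so they are reported separately (grouping chosen for this example).
HIGH_IMPACT = {"deny_execmem", "deny_ptrace", "selinuxuser_execstack"}


def parse_getsebool(text):
    """Boolean name -> current state (True for 'on'), from `getsebool -a` lines."""
    state = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" --> ")
        if sep:                                   # skip anything not in name --> value form
            state[name.strip()] = value.strip() == "on"
    return state


def drift_from_defaults(state, defaults=DOCUMENTED_DEFAULTS):
    """{boolean: (documented_default, current)} for every documented boolean
    whose live value differs from the default this page states."""
    return {name: (default, state[name])
            for name, default in defaults.items()
            if name in state and state[name] != default}


def high_impact_drift(drift):
    """Sorted subset of the drift that weakens the restrictions in HIGH_IMPACT."""
    return sorted(name for name in drift if name in HIGH_IMPACT)


def restore_commands(drift):
    """`setsebool -P` lines that return each drifted boolean to its documented default."""
    return ["setsebool -P %s %d" % (name, int(default))
            for name, (default, _current) in sorted(drift.items())]


if __name__ == "__main__":
    drift = drift_from_defaults(parse_getsebool(GETSEBOOL_OUTPUT))
    for name, (default, current) in sorted(drift.items()):
        print("%-28s documented default=%s current=%s" % (name, default, current))
    print("high-impact drift:", high_impact_drift(drift))
    for cmd in restore_commands(drift):
        print(cmd)
```

       The sample deliberately has deny_ptrace off and selinuxuser_execstack
       on, the two changes the section itself calls out as worth
       investigating; on a real host the constant would be replaced by the
       output of getsebool -a and the defaults table kept in step with the
       policy version in use.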

HOME_EXEC

       The SELinux user sysadm_u is able to execute home content files.


TRANSITIONS

       Three things can happen when sysadm_t attempts to execute a program.

       1. SELinux Policy can deny sysadm_t from executing the program.

       2. SELinux Policy can allow sysadm_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              sysadm_t can execute without transitioning:

              $ sesearch -A -s sysadm_t -c file -p execute_no_trans

       3. SELinux can allow sysadm_t to execute the program and transition to
       a new type.

              Execute the following to see the types that the SELinux user
              sysadm_t can execute and transition:

              $ sesearch -A -s sysadm_t -c process -p transition


MANAGED FILES

       The SELinux process type sysadm_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       auditd_etc_t

            /etc/audit(/.*)?

       auditd_log_t

            /var/log/audit(/.*)?
            /var/log/audit.log.*

       boolean_type

       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t

       krb5_keytab_t

            /var/kerberos/krb5(/.*)?
            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       non_security_file_type

       security_t

            /selinux

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       semanage_store_t

            /etc/selinux/([^/]*/)?policy(/.*)?
            /etc/selinux/(minimum|mls|targeted)/active(/.*)?
            /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
            /var/lib/selinux(/.*)?
            /etc/share/selinux/mls(/.*)?
            /etc/share/selinux/targeted(/.*)?

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?

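       The path expressions in the list above use the file_contexts(5)
       notation, where a regex has to match the whole path. The following
       Python is an added example, not part of this manual page or of the
       sepolicy tooling, that takes a subset of the type-to-path table from
       this page and answers whether a given path falls under one of the
       types sysadm_t can manage. It also shows, through a deliberately
       wrong prefix-matching variant, why the anchoring matters. On a live
       host the authoritative answer comes from matchpathcon(8); the function
       names here are the example's own.

```python
import re

# Default-path regexes for a subset of the file types listed above, copied from
# this page. In file_contexts(5) notation each regex must match the whole path.
MANAGED_PATHS = {
    "auditd_etc_t": [r"/etc/audit(/.*)?"],
    "auditd_log_t": [r"/var/log/audit(/.*)?", r"/var/log/audit.log.*"],
    "krb5_keytab_t": [r"/var/kerberos/krb5(/.*)?", r"/etc/krb5.keytab",
                      r"/etc/krb5kdc/kadm5.keytab", r"/var/kerberos/krb5kdc/kadm5.keytab"],
    "selinux_login_config_t": [r"/etc/selinux/([^/]*/)?logins(/.*)?"],
    "semanage_store_t": [r"/etc/selinux/([^/]*/)?policy(/.*)?",
                         r"/etc/selinux/(minimum|mls|targeted)/active(/.*)?",
                         r"/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?",
                         r"/var/lib/selinux(/.*)?"],
    "user_fonts_cache_t": [r"/root/.fontconfig(/.*)?", r"/home/[^/]+/.cache/fontconfig(/.*)?"],
}

COMPILED = {t: [re.compile(p) for p in pats] for t, pats in MANAGED_PATHS.items()}


def matching_types(path):
    """Sorted list of file types from the table whose default path covers `path`.
    re.fullmatch gives the anchored, whole-string semantics of file_contexts."""
    return sorted(t for t, pats in COMPILED.items()
                  if any(p.fullmatch(path) for p in pats))


def prefix_match_types(path):
    """The WRONG way: re.match only anchors the start, so '/etc/audit(/.*)?'
    would also claim '/etc/auditbeat/...'. Kept here to show the difference."""
    return sorted(t for t, pats in COMPILED.items()
                  if any(p.match(path) for p in pats))


def is_managed(path):
    """True when sysadm_t, per the list on this page, can manage files at `path`
    (DAC permission is still required on top, as the text notes)."""
    return bool(matching_types(path))


def managed_under(paths):
    """Partition candidate paths into (managed, unmanaged) for reviewing what an
    admin-domain process could touch in a change set."""
    managed = [p for p in paths if is_managed(p)]
    unmanaged = [p for p in paths if p not in managed]
    return managed, unmanaged


if __name__ == "__main__":
    for p in ("/etc/selinux/targeted/logins/joe", "/var/log/audit/audit.log",
              "/etc/krb5.keytab", "/etc/auditbeat/auditbeat.yml", "/etc/passwd"):
        print("%-36s fullmatch=%s prefix=%s" % (p, matching_types(p), prefix_match_types(p)))
```

       The comparison of the two match functions is the point of the
       example: a prefix match would report /etc/auditbeat/auditbeat.yml as
       auditd_etc_t, while the anchored match correctly leaves it unlabeled
       by this table.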

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), sysadm_dbusd_selinux(8),
       sysadm_gkeyringd_selinux(8), sysadm_passwd_selinux(8),
       sysadm_screen_selinux(8), sysadm_seunshare_selinux(8),
       sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8),
       sysadm_sudo_selinux(8)

mgrepl@redhat.com                   sysadm                   sysadm_selinux(8)