staff_selinux(8)      staff SELinux Policy documentation      staff_selinux(8)


NAME

       staff_u - Administrator's unprivileged user - Security Enhanced Linux
       Policy


DESCRIPTION

       staff_u is an SELinux user defined in the SELinux policy. SELinux users
       have default roles; for staff_u that is staff_r. The default role has a
       default type, staff_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       staff_u:staff_r:staff_t:s0-s0:c0.c1023

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the staff_u
       user, you would execute:

       semanage login -m -s staff_u __default__

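       The following added example (not part of this manual page or of the
       sepolicy tool that generated it) shows the two things an administrator
       usually wants to check before remapping __default__: how a login
       context such as the one above splits into user, role, type and level,
       and which Linux logins already map to a given SELinux user. The
       `semanage login -l` listing inside the script is a constructed sample,
       not output from a real system; the functions read that same layout from
       standard input, so the real command's output can be piped in instead.

```shell
#!/bin/sh
# Added example, not part of staff_selinux(8) or of sepolicy: split a login
# context into its fields and find which Linux logins map to a given SELinux
# user. SAMPLE_LOGINS is constructed sample output in the `semanage login -l`
# layout, not taken from a real system.

# Field N of an SELinux context "user:role:type:level".
# N = 1 user, 2 role, 3 type, 4 level. The level may itself contain ':'
# (s0-s0:c0.c1023), so everything from the fourth field on is the level.
context_field() {
    case "$2" in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Constructed sample of `semanage login -l` output.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
bob                  staff_u              s0-s0:c0.c1023       *
carol                user_u               s0                   *'

# Linux login names mapped to SEUSER, one per line.
# Usage: printf '%s\n' "$SAMPLE_LOGINS" | logins_for_seuser staff_u
logins_for_seuser() {
    awk -v seuser="$1" 'NF >= 2 && $2 == seuser { print $1 }'
}

# The SELinux user that __default__ maps to (unconfined_u on a targeted
# policy system, as the DESCRIPTION says). Reads semanage output on stdin.
default_seuser() {
    awk '$1 == "__default__" { print $2 }'
}

# Show the staff_u logins and the __default__ mapping for the sample.
printf '%s\n' "$SAMPLE_LOGINS" | logins_for_seuser staff_u
printf '%s\n' "$SAMPLE_LOGINS" | default_seuser
```

       Running it against the sample prints alice, bob and unconfined_u; on a
       live system, `semanage login -l | logins_for_seuser staff_u` lists the
       accounts that will keep a staff_u context whatever __default__ is set
       to.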

USER DESCRIPTION

       The SELinux user staff_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.


SUDO

       The SELinux user staff_u can execute sudo.

       You can set up sudo to allow staff_u to transition to an administrative
       domain:

       Add one or more of the following records to sudoers using visudo.

       USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
       sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
       sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
       sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL

       USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
       sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL

       You might also need to add one or more of these roles to your SELinux
       user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add the new role to it, keeping staff_r:

       $ semanage user -m -R 'staff_r logadm_r sysadm_r unconfined_r webadm_r' staff_u

       For more details see the semanage man page.

       The SELinux type staff_t is not allowed to execute sudo.

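       The following added example (not part of this manual page or of
       sepolicy) automates the check described above: it reads the role list
       for an SELinux user from `semanage user -l` output, extracts every
       ROLE= named in a set of sudoers records, reports the roles the user
       cannot reach, and prints the `semanage user -m -R` command that would
       add them. Both inputs embedded in the script are constructed samples;
       the user names and commands in the sudoers lines are placeholders.

```shell
#!/bin/sh
# Added example, not part of staff_selinux(8) or of sepolicy: check that every
# ROLE= named in sudoers records is reachable from a given SELinux user and
# print the `semanage user -m -R` command that would add the missing roles.
# SAMPLE_USERS and SAMPLE_SUDOERS are constructed inputs; on a real system
# feed the script the output of `semanage user -l` and your sudoers lines.

# Constructed excerpt of `semanage user -l` output. Columns: SELinux User,
# Labeling Prefix, MLS/MCS Level, MLS/MCS Range, SELinux Roles.
SAMPLE_USERS='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# Constructed sudoers records in the form shown in the SUDO section.
SAMPLE_SUDOERS='alice ALL=(ALL) ROLE=logadm_r TYPE=logadm_t /usr/bin/journalctl
alice ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
bob   ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /usr/sbin/apachectl'

# Roles SEUSER may reach, space separated, from semanage output on stdin.
user_roles() {
    awk -v u="$1" '$1 == u {
        s = ""
        for (i = 5; i <= NF; i++) s = s (i > 5 ? " " : "") $i
        print s
    }'
}

# Distinct roles referenced by ROLE= in sudoers records on stdin.
sudoers_roles() {
    sed -n 's/.*ROLE=\([^ ]*\).*/\1/p' | sort -u
}

# Roles used in SUDOERS that SEUSER cannot reach, one per line.
# Usage: missing_roles SEUSER "$SEMANAGE_OUTPUT" "$SUDOERS"
missing_roles() {
    reachable=" $(printf '%s\n' "$2" | user_roles "$1") "
    printf '%s\n' "$3" | sudoers_roles | while read -r role; do
        case "$reachable" in
            *" $role "*) ;;                  # already in the role list
            *) printf '%s\n' "$role" ;;
        esac
    done
}

# The semanage command that extends SEUSER's role list to cover sudoers,
# or a comment when nothing is missing.
fix_command() {
    missing=$(missing_roles "$1" "$2" "$3" | tr '\n' ' ')
    if [ -z "$missing" ]; then
        printf '# all sudoers roles are already reachable from %s\n' "$1"
        return 0
    fi
    reachable=$(printf '%s\n' "$2" | user_roles "$1")
    roles=$(printf '%s %s' "$reachable" "$missing" | sed 's/ *$//')
    printf "semanage user -m -R '%s' %s\n" "$roles" "$1"
}

fix_command staff_u "$SAMPLE_USERS" "$SAMPLE_SUDOERS"
```

       For the sample data the script prints
       `semanage user -m -R 'staff_r sysadm_r logadm_r webadm_r' staff_u`,
       which keeps the roles staff_u already has and adds only the two the
       sudoers records need; a sudoers entry whose role is not in this list
       fails at run time even though visudo accepts it.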

X WINDOWS LOGIN

       The SELinux user staff_u is able to log in via X Windows.


NETWORK

       The SELinux user staff_u is able to listen on the following tcp ports.

              6000-6150
              all ports without defined types
              5988
              5900-5999
              1721,7000
              1194
              1213
              9010
              9418
              27017-27019,28017-28019
              5703
              3493
              4190
              8891,8893
              7390
              1229
              5989
              6379
              3261
              5149,40040,50006-50008
              4379
              2005
              3000,3001
              6969,9001,9030,9051
              24007-24027,38465-38469
              13180,13701,13443-13446
              8084
              8036
              9618
              3128,8080,8118,8123,10001-10010
              4690
              7888,7889
              5432
              3401,4827
              9080
              11180,11701,11443-11446
              3260
              9103
              7634
              6667
              3690
              10031
              51235
              1433,1434
              7410
              2401
              10050
              1241
              60000
              5252
              9696
              10051
              2126,3198
              2600-2604,2606
              11111
              9090
              9875
              5679
              3632
              3874
              1701
              2083
              6767,6769,6780-6799
              6081,6082
              11211
              5060,5061
              4713
              3205
              1863
              1521,2483,2484
              1358
              1050
              9050
              49000
              4330
              5347
              9191
              3052
              all ports > 500 and < 1024
              10026
              8140
              1128,1129
              2273
              5323
              4743
              9225
              3551
              2947
              3528,3529
              1228
              9292
              5298
              4500
              5222,5223
              2000,3905
              5190-5193
              1186,3306,63132-63164
              3310
              12888,12889
              3129
              1234
              8021
              9125
              10080-10083
              10024
              8000,9433,16001
              5335
              2049,20048-20049
              3636
              4949
              10025
              8787
              5445,5455
              20048
              5269
              2040
              5671,5672
              6600
              4712,4447,7600,9123,9990,9999,18001
              25151
              5000,5001,4331
              1782,2207,2208,8290,50000,50002,8292,9100,9101,9102,9220,9221,9222,9280,9281,9282,9290,9291
              5050
              2501
              7890
              10180,10701,10443-10446
              16851
              5858
              2703
              1178
              8765
              1720
              16509,16514
              9911
              49152-49216
              7100
              8002
              5404,5405
              2628
              6363
              8081
              1755
              31416
              11371
              8099
              4444
              1314

       The SELinux user staff_u is able to connect to the following tcp ports.

              389,636,3268
              53
              all ports
              all ports without defined types
              all ports < 1024
              5432
              9080
              88,750
              111

       The SELinux user staff_u is able to listen on the following udp ports.

              all ports without defined types
              all ports > 500 and < 1024

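       The port lists above mix four notations (single ports, comma lists,
       "a-b" ranges and prose such as "all ports > 500 and < 1024"), so
       answering "may a staff_u process bind port N?" by eye is error-prone.
       The following added example (not part of this manual page or of
       sepolicy) parses that notation and reports which entries cover a given
       port. STAFF_TCP_LISTEN is a short excerpt of the tcp listen list above,
       not the whole list; the "all ports" and "all ports without defined
       types" entries depend on the port-type database (`semanage port -l`),
       which the script does not model, so it treats them as no match.

```shell
#!/bin/sh
# Added example, not part of staff_selinux(8) or of sepolicy: decide whether a
# port falls inside the listen specifications of the NETWORK section.
# STAFF_TCP_LISTEN is an excerpt of the page's "able to listen on the
# following tcp ports" list in the page's own notation; the parser understands
# single ports, comma lists, "a-b" ranges and the prose forms
# "all ports > N and < M" and "all ports < M".

STAFF_TCP_LISTEN='6000-6150
5900-5999
1721,7000
3128,8080,8118,8123,10001-10010
all ports > 500 and < 1024
5432
49152-49216'

# Does PORT fall inside one specification line? Usage: spec_matches SPEC PORT
spec_matches() {
    spec=$1; port=$2
    case "$spec" in
        "all ports > "*" and < "*)
            lo=${spec#all ports > }; lo=${lo%% *}
            hi=${spec##* }
            if [ "$port" -gt "$lo" ] && [ "$port" -lt "$hi" ]; then return 0; fi
            return 1 ;;
        "all ports < "*)
            if [ "$port" -lt "${spec##* }" ]; then return 0; fi
            return 1 ;;
        "all ports"*)
            # "all ports" and "all ports without defined types" can only be
            # resolved against the port-type database (semanage port -l),
            # which this example does not model, so they count as no match.
            return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for item in $spec; do              # comma list of numbers and a-b ranges
        case "$item" in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print every line of LIST that covers PORT. Usage: matching_specs LIST PORT
matching_specs() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ -n "$line" ] && spec_matches "$line" "$2"; then
            printf '%s\n' "$line"
        fi
    done
}

# Succeed if at least one line of LIST covers PORT. Usage: port_allowed LIST PORT
port_allowed() {
    [ -n "$(matching_specs "$1" "$2")" ]
}

for p in 6100 800 443 10005; do
    if port_allowed "$STAFF_TCP_LISTEN" "$p"; then
        printf 'port %s: bindable (%s)\n' "$p" "$(matching_specs "$STAFF_TCP_LISTEN" "$p" | tr '\n' ' ')"
    else
        printf 'port %s: not in the listen list\n' "$p"
    fi
done
```

       With the excerpt, 6100 and 10005 are covered by explicit ranges, 800
       only by the "all ports > 500 and < 1024" entry, and 443 by nothing, so
       a service run under staff_t would need a policy change or a different
       port before it could bind 443. Paste the full list from the page into
       STAFF_TCP_LISTEN to check against every entry.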

BOOLEANS

       SELinux policy is customizable based on least access required. staff
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run staff with the tightest access possible.

       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow unconfined executables to map a memory region as
       both executable and writable (this is dangerous and the executable
       should be reported in bugzilla), you must turn on the allow_execmem
       boolean. Enabled by default.

       setsebool -P allow_execmem 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1

       If you want to allow unconfined executables to make their stack
       executable (this should never, ever be necessary; it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       allow_execstack boolean. Enabled by default.

       setsebool -P allow_execstack 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow users to connect to mysql, you must turn on the
       allow_user_mysql_connect boolean. Disabled by default.

       setsebool -P allow_user_mysql_connect 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the allow_user_postgresql_connect boolean. Disabled by default.

       setsebool -P allow_user_postgresql_connect 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow user domains to execute the Git daemon in the
       git_session_t domain, you must turn on the git_session_users boolean.
       Disabled by default.

       setsebool -P git_session_users 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow httpd CGI support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1

       If you want to allow unprivileged users to execute DDL statements, you
       must turn on the sepgsql_enable_users_ddl boolean. Enabled by default.

       setsebool -P sepgsql_enable_users_ddl 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow regular users direct dri device access, you must
       turn on the user_direct_dri boolean. Enabled by default.

       setsebool -P user_direct_dri 1

       If you want to allow regular users direct mouse access, you must turn
       on the user_direct_mouse boolean. Disabled by default.

       setsebool -P user_direct_mouse 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the user_rw_noexattrfile boolean. Enabled by default.

       setsebool -P user_rw_noexattrfile 1

       If you want to allow user processes to change their priority, you must
       turn on the user_setrlimit boolean. Enabled by default.

       setsebool -P user_setrlimit 1

       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users; disabling this
       forces FTP passive mode and may change other protocols), you must turn
       on the user_tcp_server boolean. Disabled by default.

       setsebool -P user_tcp_server 1

       If you want to allow w to display everyone, you must turn on the
       user_ttyfile_stat boolean. Disabled by default.

       setsebool -P user_ttyfile_stat 1

       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1

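       The section above describes each boolean in isolation; in practice the
       question is whether the running system matches the profile you intend
       for staff_u sessions. The following added example (not part of this
       manual page or of sepolicy) compares `getsebool -a` output with a
       desired-state table and prints the `setsebool -P` commands that close
       the gap. HARDENED_PROFILE is this example's own choice of settings, not
       the page's defaults, and SAMPLE_GETSEBOOL is constructed sample output;
       booleans absent from the loaded policy are reported as "undefined" and
       skipped rather than set.

```shell
#!/bin/sh
# Added example, not part of staff_selinux(8) or of sepolicy: compare the
# booleans of the BOOLEANS section, as reported by `getsebool -a`, against a
# tightened profile for staff_u sessions and print the setsebool commands
# needed to reach it. HARDENED_PROFILE is this example's own choice of
# settings, not the page's defaults; SAMPLE_GETSEBOOL is constructed output.

# Desired state, one "name value" pair per line. The execstack/execmem
# booleans the page says should be reported as bugs are off, as are ptrace
# and the extras an unprivileged staff session does not need.
HARDENED_PROFILE='allow_execstack off
allow_execmem off
allow_ptrace off
global_ssp off
user_tcp_server off
user_direct_mouse off
allow_kerberos on
nscd_use_shm on'

# Constructed sample of `getsebool -a` output ("name --> value").
SAMPLE_GETSEBOOL='allow_console_login --> on
allow_execmem --> on
allow_execstack --> on
allow_kerberos --> on
allow_ptrace --> off
nscd_use_shm --> on
user_direct_mouse --> on
user_tcp_server --> off'

# Current value of boolean NAME from getsebool output on stdin; prints nothing
# when the loaded policy does not define it.
current_value() {
    awk -v b="$1" '$1 == b && $2 == "-->" { print $3 }'
}

# "name current desired" for every profile entry that deviates; "undefined"
# as the current value flags a boolean missing from the policy.
# Usage: drift "$PROFILE" "$GETSEBOOL_OUTPUT"
drift() {
    printf '%s\n' "$1" | while read -r name want; do
        have=$(printf '%s\n' "$2" | current_value "$name")
        if [ -z "$have" ]; then
            printf '%s undefined %s\n' "$name" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$have" "$want"
        fi
    done
}

# Persistent setsebool commands that remove the drift, one per line;
# booleans the policy does not define are skipped.
remediation() {
    drift "$1" "$2" | while read -r name have want; do
        if [ "$have" != undefined ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
        fi
    done
}

drift "$HARDENED_PROFILE" "$SAMPLE_GETSEBOOL"
remediation "$HARDENED_PROFILE" "$SAMPLE_GETSEBOOL"
```

       On a live system replace the sample with `getsebool -a` output
       (`drift "$HARDENED_PROFILE" "$(getsebool -a)"`) and review the printed
       commands before running them; `setsebool -P` writes the change into the
       policy store, so it survives a reboot.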

HOME_EXEC

       The SELinux user staff_u is able to execute home content files.


TRANSITIONS

       Three things can happen when staff_t attempts to execute a program.

       1. SELinux Policy can deny staff_t from executing the program.

       2. SELinux Policy can allow staff_t to execute the program in the
       current user type.

              Execute the following to see the types that staff_t can execute
              without transitioning:

              $ sesearch -A -s staff_t -c file -p execute_no_trans

       3. SELinux can allow staff_t to execute the program and transition to a
       new type.

              Execute the following to see the types that staff_t can execute
              and transition to:

              $ sesearch -A -s staff_t -c process -p transition


MANAGED FILES

       The SELinux process type staff_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       auth_cache_t

            /var/cache/coolkey(/.*)?

       cgroup_t

            /cgroup(/.*)?

       chrome_sandbox_tmpfs_t

       cifs_t

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       git_user_content_t

            /home/[^/]*/public_git(/.*)?
            /home/[^/]*/.gitconfig
            /home/staff/public_git(/.*)?
            /home/staff/.gitconfig

       gpg_agent_tmp_t

       httpd_user_content_t

            /home/[^/]*/((www)|(web)|(public_html))(/.+)?
            /home/staff/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

       httpd_user_ra_content_t

       httpd_user_rw_content_t

       httpd_user_script_exec_t

       iceauth_home_t

            /home/[^/]*/.DCOP.*
            /home/[^/]*/.ICEauthority.*
            /home/staff/.DCOP.*
            /home/staff/.ICEauthority.*

       initrc_tmp_t

       kerneloops_tmp_t

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/imap(/.*)?

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?

       nfsd_rw_t

       noxattrfs

            all files on file systems which do not support extended attributes

       sandbox_file_t

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]*/.screen(/.*)?
            /home/[^/]*/.screenrc
            /home/staff/.screen(/.*)?
            /home/staff/.screenrc

       screen_var_run_t

            /var/run/screen(/.*)?

       security_t

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       usbfs_t

       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       user_fonts_t

            /home/[^/]*/.fonts(/.*)?
            /home/staff/.fonts(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       user_tmpfs_t

            /dev/shm/mono.*
            /dev/shm/pulse-shm.*

       xauth_home_t

            /root/.Xauth.*
            /root/.xauth.*
            /root/.serverauth.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]*/.xauth.*
            /home/[^/]*/.Xauthority.*
            /home/[^/]*/.serverauth.*
            /home/staff/.xauth.*
            /home/staff/.Xauthority.*
            /home/staff/.serverauth.*

       xdm_tmp_t

            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X0-lock

       xserver_tmpfs_t

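       The paths above are file-context patterns: extended regular expressions
       that must match the whole path, with the more specific entry taking
       precedence over a general one. The following added example (not part of
       this manual page or of sepolicy) applies a handful of the patterns
       quoted from the list above to sample paths, so you can see why
       /home/alice/public_html/index.html is httpd_user_content_t rather than
       ordinary home content. It is an approximation of the real lookup: the
       table is ordered general to specific and the last match wins, whereas
       the authoritative answer on a live system comes from matchpathcon(8)
       or `restorecon -n -v`. The first table entry is a constructed catch-all
       standing in for the page's "all user home files" (user_home_type), for
       which the page gives no pattern.

```shell
#!/bin/sh
# Added example, not part of staff_selinux(8) or of sepolicy: work out which of
# the file types in the MANAGED FILES section a path would receive from the
# listed file-context patterns. Each pattern is an extended regular expression
# that must match the whole path; entries are ordered general to specific and
# the last match wins, which approximates how file_contexts is ordered and
# resolved. The first table entry is a constructed catch-all standing in for
# the page's "all user home files" (user_home_type); the page gives no pattern.

# "type pattern" pairs; the patterns after the first line are quoted from
# the MANAGED FILES list.
FILE_CONTEXTS='user_home_type /home/[^/]*/.+
git_user_content_t /home/[^/]*/public_git(/.*)?
git_user_content_t /home/[^/]*/.gitconfig
httpd_user_content_t /home/[^/]*/((www)|(web)|(public_html))(/.+)?
screen_home_t /home/[^/]*/.screen(/.*)?
xauth_home_t /home/[^/]*/.Xauthority.*
tmp_t /tmp
user_tmp_t /tmp/gconfd-.*
xdm_tmp_t /tmp/.X11-unix(/.*)?
mail_spool_t /var/spool/mail(/.*)?'

# Every type whose pattern matches PATH, in table order.
# Usage: all_matches PATH [TABLE]
all_matches() {
    printf '%s\n' "${2:-$FILE_CONTEXTS}" |
        awk -v p="$1" 'NF == 2 && p ~ ("^(" $2 ")$") { print $1 }'
}

# The type PATH would be labelled with (last match wins), or "no match".
# Usage: label_for PATH [TABLE]
label_for() {
    printf '%s\n' "${2:-$FILE_CONTEXTS}" |
        awk -v p="$1" '
            NF == 2 && p ~ ("^(" $2 ")$") { last = $1 }
            END { print (last == "" ? "no match" : last) }'
}

for f in /home/alice/public_html/index.html /home/alice/.Xauthority \
         /home/alice/notes.txt /tmp/gconfd-alice /etc/passwd; do
    printf '%-40s %s\n' "$f" "$(label_for "$f")"
done
```

       `all_matches` shows every candidate, which is the quickest way to see
       why a file under a user's home ends up with a web-content or screen
       type instead of user_home_type, and therefore why staff_t, which can
       manage all of the listed types, reaches it at all.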

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), staff(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8),
       staff_execmem_selinux(8), staff_java_selinux(8), staff_mono_selinux(8),
       staff_openoffice_selinux(8), staff_screen_selinux(8),
       staff_seunshare_selinux(8), staff_ssh_agent_selinux(8),
       staff_sudo_selinux(8), staff_wine_selinux(8)

mgrepl@redhat.com                    staff                    staff_selinux(8)