user_selinux(8)        user SELinux Policy documentation       user_selinux(8)


NAME

       user_u - Generic unprivileged user - Security Enhanced Linux Policy

DESCRIPTION

       user_u is an SELinux user defined in the SELinux policy. SELinux users
       have default roles, user_r. The default role has a default type,
       user_t, associated with it.

       The SELinux user will usually login to a system with a context that
       looks like:

       user_u:user_r:user_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux user to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the user_u
       user, you would execute:

       semanage login -m -s user_u __default__
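
       As an added example (not from the man page or from sepolicy), the
       following parses a constructed `semanage login -l` listing and
       resolves Linux logins to SELinux users the way the DESCRIPTION above
       describes, so an administrator can see which accounts still land in
       unconfined_u after the __default__ mapping is changed. The lookup
       order (exact login, then a %group entry, then __default__) follows
       libselinux's seusers lookup; the account list is constructed.

```python
"""Resolve Linux logins to SELinux users from `semanage login -l` output.

Added example, not from the man page or from sepolicy/libselinux. The
listing and the account list below are constructed for this example."""

# Constructed sample of `semanage login -l` output; not captured from a host.
# Older releases print three columns (no Service column); both are accepted.
SAMPLE_SEMANAGE_LOGIN = """\

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                user_u               s0                   *
%wheel               sysadm_u             s0-s0:c0.c1023       *
"""

def parse_semanage_login(text):
    """Return {login_name: selinux_user}, skipping the header and blank lines."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) in (3, 4) and fields[0] != "Login":
            mapping[fields[0]] = fields[1]
    return mapping

def resolve_seuser(mapping, login, groups=()):
    """SELinux user a Linux login receives: an exact login entry wins, then a
    matching %group entry (libselinux takes the first such line in seusers;
    here the caller's groups are checked in order), then __default__."""
    if login in mapping:
        return mapping[login]
    for group in groups:
        if "%" + group in mapping:
            return mapping["%" + group]
    return mapping.get("__default__")

def unconfined_logins(mapping, accounts):
    """Logins (from {login: groups}) that end up as unconfined_u, i.e. that
    are not restricted by the user_u policy this page documents."""
    return sorted(login for login, groups in accounts.items()
                  if resolve_seuser(mapping, login, groups) == "unconfined_u")

if __name__ == "__main__":
    m = parse_semanage_login(SAMPLE_SEMANAGE_LOGIN)
    # Constructed account list: bob has no entry and falls through to __default__.
    accounts = {"alice": (), "bob": (), "carol": ("wheel",), "root": ("wheel",)}
    for login, groups in accounts.items():
        print("%-8s -> %s" % (login, resolve_seuser(m, login, groups)))
    print("unconfined logins:", unconfined_logins(m, accounts))
```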

USER DESCRIPTION

       The SELinux user user_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.

SUDO

X WINDOWS LOGIN

       The SELinux user user_u is able to log in through X Windows.

NETWORK

       The SELinux user user_u is able to listen on the following tcp ports.

              6000-6150
              1178
              8765
              1720
              16509,16514
              9911
              49152-49216
              7100
              8002
              5404,5405
              2628
              6363
              8081
              1755
              31416
              11371
              8099
              4444
              1314
              all ports without defined types
              5988
              5900-5999
              1721,7000
              1194
              1213
              9010
              9418
              27017-27019,28017-28019
              5703
              3493
              4190
              8891,8893
              7390
              1229
              5989
              6379
              3261
              5149,40040,50006-50008
              4379
              2005
              3000,3001
              6969,9001,9030,9051
              24007-24027,38465-38469
              13180,13701,13443-13446
              8084
              8036
              9618
              3128,8080,8118,8123,10001-10010
              4690
              7888,7889
              5432
              3401,4827
              9080
              11180,11701,11443-11446
              3260
              9103
              7634
              6667
              3690
              10031
              51235
              1433,1434
              7410
              2401
              10050
              1241
              60000
              5252
              9696
              10051
              2126,3198
              2600-2604,2606
              11111
              9090
              9875
              5679
              3632
              3874
              1701
              2083
              6767,6769,6780-6799
              6081,6082
              11211
              5060,5061
              4713
              3205
              1863
              1521,2483,2484
              1358
              1050
              9050
              49000
              4330
              5347
              9191
              3052
              all ports > 500 and < 1024
              10026
              8140
              1128,1129
              2273
              5323
              4743
              9225
              3551
              2947
              3528,3529
              1228
              9292
              5298
              4500
              5222,5223
              2000,3905
              5190-5193
              1186,3306,63132-63164
              3310
              12888,12889
              3129
              1234
              8021
              9125
              10080-10083
              10024
              8000,9433,16001
              5335
              2049,20048-20049
              3636
              4949
              10025
              8787
              5445,5455
              20048
              5269
              2040
              5671,5672
              6600
              4712,4447,7600,9123,9990,9999,18001
              25151
              5000,5001,4331
              1782,2207,2208,8290,50000,50002,8292,9100,9101,9102,9220,9221,9222,9280,9281,9282,9290,9291
              5050
              2501
              7890
              10180,10701,10443-10446
              16851
              5858
              2703

       The SELinux user user_u is able to connect to the following tcp ports.

              389,636,3268
              53
              all ports
              all ports without defined types
              all ports < 1024
              5432
              9080
              88,750
              111

       The SELinux user user_u is able to listen on the following udp ports.

              all ports without defined types
              all ports > 500 and < 1024

BOOLEANS

       SELinux policy is customizable based on least access required. user
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run user with the tightest access possible.

       If you want to allow regular users direct dri device access, you must
       turn on the user_direct_dri boolean. Enabled by default.

       setsebool -P user_direct_dri 1

       If you want to allow regular users direct mouse access, you must turn
       on the user_direct_mouse boolean. Disabled by default.

       setsebool -P user_direct_mouse 1

       If you want to control users' use of ping and traceroute, you must turn
       on the user_ping boolean. Enabled by default.

       setsebool -P user_ping 1

       If you want to allow users to r/w files on filesystems that do not have
       extended attributes (FAT, CDROM, FLOPPY), you must turn on the
       user_rw_noexattrfile boolean. Enabled by default.

       setsebool -P user_rw_noexattrfile 1

       If you want to allow user processes to change their priority, you must
       turn on the user_setrlimit boolean. Enabled by default.

       setsebool -P user_setrlimit 1

       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the user_tcp_server boolean. Disabling this forces FTP passive mode and
       may change other protocols. Disabled by default.

       setsebool -P user_tcp_server 1

       If you want to allow w to display everyone, you must turn on the
       user_ttyfile_stat boolean. Disabled by default.

       setsebool -P user_ttyfile_stat 1

       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow unconfined executables to map a memory region as
       both executable and writable (this is dangerous and the executable
       should be reported in bugzilla), you must turn on the allow_execmem
       boolean. Enabled by default.

       setsebool -P allow_execmem 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1

       If you want to allow unconfined executables to make their stack
       executable (this should never, ever be necessary; it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       allow_execstack boolean. Enabled by default.

       setsebool -P allow_execstack 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow users to connect to mysql, you must turn on the
       allow_user_mysql_connect boolean. Disabled by default.

       setsebool -P allow_user_mysql_connect 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the allow_user_postgresql_connect boolean. Disabled by default.

       setsebool -P allow_user_postgresql_connect 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to determine whether calling user domains can execute Git
       daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Disabled by default.

       setsebool -P git_session_users 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1
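
       The defaults stated above are a baseline an administrator can audit
       against. As an added example (not from the man page or from sepolicy),
       the following parses a constructed `getsebool -a` listing, reports
       every boolean whose live value differs from the default documented in
       this section, and prints the setsebool -P command that restores it.
       The default table covers the user_* booleans and the booleans this
       page marks as dangerous or administrative, not the whole section.

```python
"""Compare live SELinux boolean state with the defaults this page documents.

Added example (not from the man page or sepolicy). The `getsebool -a` output
below is constructed; the default table is a subset of the BOOLEANS section."""

# Documented defaults for the user_* booleans and the booleans the page marks
# as dangerous or administrative (True = "Enabled by default").
DOCUMENTED_DEFAULTS = {
    "user_direct_dri": True, "user_direct_mouse": False, "user_ping": True,
    "user_rw_noexattrfile": True, "user_setrlimit": True,
    "user_tcp_server": False, "user_ttyfile_stat": False,
    "allow_execmem": True, "allow_execmod": True, "allow_execstack": True,
    "allow_ptrace": False, "secure_mode": False, "ssh_sysadm_login": False,
    "xdm_sysadm_login": False,
}

# Constructed sample of `getsebool -a` output, not captured from a real host.
SAMPLE_GETSEBOOL = """\
allow_execstack --> on
allow_ptrace --> on
secure_mode --> off
user_direct_dri --> on
user_ping --> off
user_tcp_server --> on
"""

def parse_getsebool(text):
    """Parse `getsebool -a` lines ('name --> on|off') into {name: bool}."""
    state = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" --> ")
        if sep:
            state[name.strip()] = value.strip() == "on"
    return state

def drift_from_defaults(current, defaults=DOCUMENTED_DEFAULTS):
    """{name: (documented, live)} for booleans whose live value differs from
    the documented default; booleans missing from the live output are skipped
    because the installed policy may simply not define them."""
    return {name: (default, current[name])
            for name, default in defaults.items()
            if name in current and current[name] != default}

def restore_commands(drift):
    """setsebool -P commands, in the form used on this page, that put each
    drifted boolean back to its documented default."""
    return ["setsebool -P %s %d" % (name, int(default))
            for name, (default, _) in sorted(drift.items())]

if __name__ == "__main__":
    drift = drift_from_defaults(parse_getsebool(SAMPLE_GETSEBOOL))
    for name, (doc, live) in sorted(drift.items()):
        print("%-22s documented=%-3s live=%s" % (
            name, "on" if doc else "off", "on" if live else "off"))
    print("\n".join(restore_commands(drift)))
```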

HOME_EXEC

       The SELinux user user_u is able to execute home content files.

TRANSITIONS

       Three things can happen when user_t attempts to execute a program.

       1. SELinux Policy can deny user_t from executing the program.

       2. SELinux Policy can allow user_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              user_t can execute without transitioning:

              sesearch -A -s user_t -c file -p execute_no_trans

       3. SELinux can allow user_t to execute the program and transition to a
       new type.

              Execute the following to see the types that the SELinux user
              user_t can execute and transition:

              sesearch -A -s user_t -c process -p transition

MANAGED FILES

       The SELinux process type user_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       auth_cache_t

            /var/cache/coolkey(/.*)?

       cgroup_t

            /cgroup(/.*)?

       chrome_sandbox_tmpfs_t

       cifs_t

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       git_user_content_t

            /home/[^/]*/public_git(/.*)?
            /home/[^/]*/.gitconfig
            /home/staff/public_git(/.*)?
            /home/staff/.gitconfig

       gpg_agent_tmp_t

       httpd_user_content_t

            /home/[^/]*/((www)|(web)|(public_html))(/.+)?
            /home/staff/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

       httpd_user_ra_content_t

       httpd_user_rw_content_t

       httpd_user_script_exec_t

       iceauth_home_t

            /home/[^/]*/.DCOP.*
            /home/[^/]*/.ICEauthority.*
            /home/staff/.DCOP.*
            /home/staff/.ICEauthority.*

       initrc_tmp_t

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/imap(/.*)?

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?

       nfsd_rw_t

       noxattrfs

            all files on file systems which do not support extended attributes

       sandbox_file_t

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]*/.screen(/.*)?
            /home/[^/]*/.screenrc
            /home/staff/.screen(/.*)?
            /home/staff/.screenrc

       screen_var_run_t

            /var/run/screen(/.*)?

       security_t

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       usbfs_t

       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       user_fonts_t

            /home/[^/]*/.fonts(/.*)?
            /home/staff/.fonts(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       user_tmpfs_t

            /dev/shm/mono.*
            /dev/shm/pulse-shm.*

       xauth_home_t

            /root/.Xauth.*
            /root/.xauth.*
            /root/.serverauth.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]*/.xauth.*
            /home/[^/]*/.Xauthority.*
            /home/[^/]*/.serverauth.*
            /home/staff/.xauth.*
            /home/staff/.Xauthority.*
            /home/staff/.serverauth.*

       xdm_tmp_t

            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X0-lock

       xserver_tmpfs_t
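
       The path entries above are regular expressions, and it is not always
       obvious which of them a concrete path falls under. As an added example
       (not from the man page or from libselinux), the following matches a
       path against a subset of the specifications listed above, anchoring
       each pattern at both ends as libselinux does for file_contexts
       entries. MANAGED_SPECS and the sample paths are taken from or
       constructed for this section.

```python
"""Which of the managed file types above does a given path fall under?

Added example (not from the man page or libselinux). MANAGED_SPECS is a
subset of the MANAGED FILES listing; an unescaped '.' in a spec is a regex
wildcard here exactly as it is in the original listing."""
import re

MANAGED_SPECS = {
    "git_user_content_t": [r"/home/[^/]*/public_git(/.*)?", r"/home/[^/]*/.gitconfig"],
    "httpd_user_content_t": [r"/home/[^/]*/((www)|(web)|(public_html))(/.+)?"],
    "mail_spool_t": [r"/var/mail(/.*)?", r"/var/spool/mail(/.*)?",
                     r"/var/spool/imap(/.*)?"],
    "tmp_t": [r"/tmp", r"/usr/tmp", r"/var/tmp", r"/tmp-inst", r"/var/tmp-inst",
              r"/var/tmp/vi.recover"],
    "user_tmp_t": [r"/tmp/gconfd-.*"],
    "xauth_home_t": [r"/home/[^/]*/.xauth.*", r"/home/[^/]*/.Xauthority.*",
                     r"/home/[^/]*/.serverauth.*"],
    "xdm_tmp_t": [r"/tmp/.X11-unix(/.*)?", r"/tmp/.ICE-unix(/.*)?", r"/tmp/.X0-lock"],
}

def compile_specs(specs):
    """Compile every pattern with ^ and $ anchors: a spec must match the
    whole path, not just a prefix of it."""
    return [(ftype, re.compile("^" + pat + "$"))
            for ftype, pats in specs.items() for pat in pats]

def types_for_path(path, compiled):
    """Sorted file types whose default paths match `path`. When several
    match, the live labeller resolves the overlap by its own precedence
    rules; all matches are returned here so overlaps are visible."""
    return sorted({ftype for ftype, rx in compiled if rx.match(path)})

def user_t_may_manage(path, compiled):
    """True if the path is labeled a type user_t may manage (DAC still applies)."""
    return bool(types_for_path(path, compiled))

if __name__ == "__main__":
    compiled = compile_specs(MANAGED_SPECS)
    # Constructed paths to check.
    for p in ("/home/alice/public_html/index.html", "/tmp/gconfd-alice",
              "/home/alice/.Xauthority", "/home/alice/Documents/notes.txt"):
        print("%-40s %s" % (p, types_for_path(p, compiled) or "not a managed type"))
```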

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), user(8), semanage(8), restorecon(8), chcon(1), setsebool(8),
       user_dbusd_selinux(8), user_execmem_selinux(8), user_java_selinux(8),
       user_mail_selinux(8), user_mono_selinux(8), user_openoffice_selinux(8),
       user_screen_selinux(8), user_seunshare_selinux(8),
       user_ssh_agent_selinux(8), user_wine_selinux(8)

mgrepl@redhat.com                    user                      user_selinux(8)