sysadm_selinux(8)     sysadm SELinux Policy documentation    sysadm_selinux(8)



NAME

       sysadm_u - General system administration role - Security Enhanced Linux
       Policy



DESCRIPTION

       sysadm_u is an SELinux User defined in the SELinux policy. SELinux
       users have default roles, sysadm_r. The default role has a default
       type, sysadm_t, associated with it.

       The SELinux user will usually login to a system with a context that
       looks like:

       sysadm_u:sysadm_r:sysadm_t:s0 - s0:c0.c1023

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux User to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the sysadm_u
       user, you would execute:

       semanage login -m -s sysadm_u __default__




USER DESCRIPTION

       The SELinux user sysadm_u is an admin user. It means that a Linux user
       mapped to this SELinux user is intended for administrative actions.
       Usually this is assigned to the root Linux user.



SUDO

       The SELinux user sysadm can execute sudo.

       You can set up sudo to allow sysadm to transition to an administrative
       domain:

       Add one or more of the following records to sudoers using visudo.

       USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
       sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL

       USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
       sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL

       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
       sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
       sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL

       You might also need to add one or more of these new roles to your
       SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add the roles you need, for example:

       $ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

       For more details you can see the semanage man page.


       The SELinux type sysadm_t is not allowed to execute sudo.


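The role check behind the sudoers records above, as an added example (not code from this man page or from the sepolicy/semanage tools): it parses constructed samples of `semanage login -l` and `semanage user -l` output, resolves which SELinux user a login maps to (falling back to `__default__`, as the DESCRIPTION section explains), and reports whether the ROLE= requested in a record is in that user's role list, printing the `semanage user -m -R` command that would add it. The sample dumps, the logins alice and bob, and the column layout are assumptions of this example.

```python
"""Sanity-check sudoers ROLE=/TYPE= records against SELinux user role lists.

Added example; not part of the sysadm_selinux man page or of sepolicy/semanage.
The two sample dumps below are constructed to mimic the tabular output of
`semanage login -l` and `semanage user -l` so the script runs offline.
"""
import re

# Constructed sample of `semanage login -l` output (assumed column layout).
SEMANAGE_LOGIN_L = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

# Constructed sample of `semanage user -l` output (assumed column layout).
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
"""

# A sudoers user specification with optional SELinux ROLE= / TYPE= options.
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+"
    r"(?:ROLE=(?P<role>\w+)\s+)?(?:TYPE=(?P<type>\w+)\s+)?(?P<command>.+)$"
)


def parse_login_map(text):
    """Return {login_name: (selinux_user, mls_range)} from `semanage login -l` text."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows carry an SELinux user (ends in _u) in the second column.
        if len(parts) >= 3 and parts[1].endswith("_u"):
            mapping[parts[0]] = (parts[1], parts[2])
    return mapping


def parse_user_roles(text):
    """Return {selinux_user: {roles}} from `semanage user -l` text."""
    roles = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].endswith("_u"):
            roles[parts[0]] = {p for p in parts[1:] if p.endswith("_r")}
    return roles


def check_sudoers_record(line, login_map, user_roles):
    """Check one sudoers record; report the resulting context and a fix if needed.

    Only role membership in the SELinux user record is checked.  Whether sudo
    may actually transition to ROLE/TYPE also depends on policy allow rules,
    which this script does not inspect.  The records in this man page always
    carry both ROLE= and TYPE=; a record without them gets a note only.
    """
    m = SUDOERS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a sudoers user specification: {line!r}")
    login = m.group("user")
    # Unmapped logins fall back to the __default__ record (see DESCRIPTION).
    seuser, mls_range = login_map.get(login, login_map["__default__"])
    role, typ = m.group("role"), m.group("type")
    result = {"login": login, "seuser": seuser, "ok": True, "fix": None}
    if not role or not typ:
        result["note"] = "no ROLE=/TYPE= given; sudo uses the policy default transition"
        return result
    result["context"] = f"{seuser}:{role}:{typ}:{mls_range}"
    reachable = user_roles.get(seuser, set())
    if role not in reachable:
        result["ok"] = False
        result["fix"] = "semanage user -m -R '%s' %s" % (
            " ".join(sorted(reachable | {role})), seuser)
    return result


if __name__ == "__main__":
    logins = parse_login_map(SEMANAGE_LOGIN_L)
    users = parse_user_roles(SEMANAGE_USER_L)
    for rec in (
        "alice ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL",
        "alice ALL=(ALL) ROLE=secadm_r TYPE=secadm_t /usr/sbin/auditctl",
        "bob ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t /sbin/ausearch",
    ):
        r = check_sudoers_record(rec, logins, users)
        print("OK " if r["ok"] else "FIX", rec, "->", r.get("context"), r["fix"] or "")
```

On a real host the two dumps would be read from the commands themselves; the printed `semanage user -m -R` line replaces the role list wholesale, which is why it carries the roles already present as well as the new one.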

X WINDOWS LOGIN

       The SELinux user sysadm_u is able to X Windows login.



NETWORK

       The SELinux user sysadm_u is able to listen on the following tcp ports.

              all ports without defined types

              389,636,3268,3269,7389

              32768-61000

              all ports > 1024


       The SELinux user sysadm_u is able to connect to the following tcp
       ports.

              all ports

              53

              5432,9898

              8955

              9080

              32768-61000

              all ports < 1024

              389,636,3268,3269,7389

              88,750,4444

              111

              all ports without defined types


       The SELinux user sysadm_u is able to listen on the following udp ports.

              all ports without defined types

              123

              32768-61000

              all ports > 1024


       The SELinux user sysadm_u is able to connect to the following udp
       ports.

              all ports

              53

              5432,9898

              8955

              9080

              32768-61000

              all ports < 1024

              389,636,3268,3269,7389

              88,750,4444

              111

              all ports without defined types



BOOLEANS

       SELinux policy is customizable based on least access required. sysadm
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sysadm with the tightest access possible.


       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1


       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1


       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1


       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1


       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1


       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to determine whether calling user domains can execute Git
       daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Disabled by default.

       setsebool -P git_session_users 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow logging in and using the system from /dev/console,
       you must turn on the login_console_enabled boolean. Enabled by default.

       setsebool -P login_console_enabled 1


       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1


       If you want to determine whether calling user domains can execute the
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Enabled by default.

       setsebool -P polipo_session_users 1


       If you want to allow database admins to execute DML statements, you
       must turn on the postgresql_selinux_unconfined_dbadm boolean. Enabled
       by default.

       setsebool -P postgresql_selinux_unconfined_dbadm 1


       If you want to disallow programs, such as newrole, from transitioning
       to administrative user domains, you must turn on the secure_mode
       boolean. Enabled by default.

       setsebool -P secure_mode 1


       If you want to control whether the system permits loading policy,
       setting enforcing mode, and changing boolean values, you must turn on
       the secure_mode_policyload boolean. Once set to true, you have to
       reboot to set it back. Enabled by default.

       setsebool -P secure_mode_policyload 1


       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

       setsebool -P selinuxuser_direct_dri_enabled 1


       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary. It probably indicates a badly coded
       executable, but could indicate an attack. Such an executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1


       If you want to allow users to connect to the local mysql server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_mysql_connect_enabled 1


       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_postgresql_connect_enabled 1


       If you want to allow users to r/w files on filesystems that do not have
       extended attributes (FAT, CDROM, FLOPPY), you must turn on the
       selinuxuser_rw_noexattrfile boolean. Disabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1


       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_tcp_server boolean. Disabling this forces FTP passive
       mode and may change other protocols. Disabled by default.

       setsebool -P selinuxuser_tcp_server 1


       If you want to allow users to run UDP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_udp_server boolean. Disabling this may break avahi
       discovering services on the network and other udp related services.
       Disabled by default.

       setsebool -P selinuxuser_udp_server 1


       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1


       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


       If you want to allow the graphical login program to login directly as
       sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
       Disabled by default.

       setsebool -P xdm_sysadm_login 1


       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1


       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1


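A drift check for the booleans above, added here as an example (not from this man page or the SELinux tools): it compares a constructed `getsebool -a` dump against the "Enabled/Disabled by default" values stated in this section for a security-relevant subset of the booleans, flags which differences loosen the policy, and emits the `setsebool -P` commands that restore the documented values. The getsebool dump is constructed, and the deny_*/secure_* naming heuristic used to judge the direction of drift is an assumption of this example.

```python
"""Report drift between `getsebool -a` output and the defaults in this man page.

Added example; not part of the sysadm_selinux man page or of the SELinux
tools.  The baseline values are the "Enabled/Disabled by default" statements
from the BOOLEANS section; the getsebool dump is constructed sample text so
the script runs offline.
"""

# Defaults as documented in the BOOLEANS section (a security-relevant subset).
# secure_mode_policyload is deliberately left out: the section says that once
# it is on only a reboot can turn it off, so no setsebool command applies.
DOCUMENTED_DEFAULTS = {
    "deny_execmem": True,
    "deny_ptrace": True,
    "domain_can_write_kmsg": False,
    "domain_kernel_load_modules": False,
    "global_ssp": False,
    "secure_mode": True,
    "selinuxuser_execstack": True,
    "selinuxuser_rw_noexattrfile": False,
    "selinuxuser_tcp_server": False,
    "selinuxuser_udp_server": False,
    "ssh_sysadm_login": False,
    "xdm_sysadm_login": False,
}

# Constructed sample of `getsebool -a` output for a host that has drifted
# (xdm_sysadm_login is missing on purpose, xserver_object_manager is extra).
GETSEBOOL_SAMPLE = """\
deny_execmem --> off
deny_ptrace --> on
domain_can_write_kmsg --> off
domain_kernel_load_modules --> off
global_ssp --> off
secure_mode --> on
selinuxuser_execstack --> off
selinuxuser_rw_noexattrfile --> off
selinuxuser_tcp_server --> on
selinuxuser_udp_server --> off
ssh_sysadm_login --> on
xserver_object_manager --> on
"""


def restricts_when_on(name):
    """Heuristic (assumption): deny_*/secure_* booleans restrict access when ON;
    every other boolean in this man page grants access when ON."""
    return name.startswith(("deny_", "secure_"))


def parse_getsebool(text):
    """Return {boolean: bool} from `getsebool -a` lines of the form `name --> on`."""
    state = {}
    for line in text.splitlines():
        if "-->" not in line:
            continue
        name, _, value = line.partition("-->")
        state[name.strip()] = value.strip() == "on"
    return state


def find_drift(current, baseline):
    """Return [(name, expected, actual, weakens)] for booleans that differ.

    A baseline boolean missing from the dump is reported with actual=None and
    weakens=None, since its state is unknown rather than wrong.
    """
    drift = []
    for name, expected in sorted(baseline.items()):
        actual = current.get(name)
        if actual == expected:
            continue
        # Policy is looser when a restrictive boolean is off or a permissive
        # boolean is on.
        weakens = None if actual is None else (actual != restricts_when_on(name))
        drift.append((name, expected, actual, weakens))
    return drift


def remediation_commands(drift):
    """Emit `setsebool -P` commands that restore the documented defaults."""
    return ["setsebool -P %s %d" % (name, int(expected))
            for name, expected, _actual, _weakens in drift]


if __name__ == "__main__":
    current = parse_getsebool(GETSEBOOL_SAMPLE)
    drift = find_drift(current, DOCUMENTED_DEFAULTS)
    for name, expected, actual, weakens in drift:
        tag = {True: "LOOSER", False: "tighter", None: "unknown"}[weakens]
        print(f"{name:32} expected={expected!s:5} actual={actual!s:5} {tag}")
    print("\n".join(remediation_commands(drift)))
```

Entries flagged LOOSER are the ones worth treating as findings; a "tighter" entry may be deliberate hardening and an "unknown" entry means the boolean does not exist in the loaded policy, so the corresponding `setsebool` line will fail there.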

HOME_EXEC

       The SELinux user sysadm_u is able to execute home content files.



TRANSITIONS

       Three things can happen when sysadm_t attempts to execute a program.

       1. SELinux Policy can deny sysadm_t from executing the program.


       2. SELinux Policy can allow sysadm_t to execute the program in the
       current user type.

              Execute the following to see the types that sysadm_t can
              execute without transitioning:

              $ sesearch -A -s sysadm_t -c file -p execute_no_trans


       3. SELinux can allow sysadm_t to execute the program and transition to
       a new type.

              Execute the following to see the types that sysadm_t can
              execute and transition:

              $ sesearch -A -s sysadm_t -c process -p transition




MANAGED FILES

       The SELinux process type sysadm_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       auditd_etc_t

            /etc/audit(/.*)?

       auditd_log_t

            /var/log/audit(/.*)?
            /var/log/audit.log.*

       boolean_type


       cifs_t


       default_context_t

            /etc/selinux/([^/]*/)?contexts(/.*)?
            /root/.default_contexts

       file_context_t

            /etc/selinux/([^/]*/)?contexts/files(/.*)?

       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       git_user_content_t

            /home/[^/]+/public_git(/.*)?

       gnome_home_type


       iceauth_home_t

            /root/.DCOP.*
            /root/.ICEauthority.*
            /home/[^/]+/.DCOP.*
            /home/[^/]+/.ICEauthority.*

       irc_home_t

            /home/[^/]+/.irssi(/.*)?
            /home/[^/]+/irclog(/.*)?
            /home/[^/]+/.ircmotd

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       krb5_keytab_t

            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       non_security_file_type


       noxattrfs

            all files on file systems which do not support extended attributes

       postfix_spool_type


       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]+/.screen(/.*)?
            /home/[^/]+/.screenrc
            /home/[^/]+/.tmux.conf

       selinux_config_t

            /etc/selinux(/.*)?
            /etc/selinux/([^/]*/)?seusers
            /etc/selinux/([^/]*/)?users(/.*)?
            /etc/selinux/([^/]*/)?setrans.conf
            /var/lib/sepolgen(/.*)?

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       semanage_store_t

            /etc/selinux/([^/]*/)?policy(/.*)?
            /etc/selinux/(minimum|mls|targeted)/active(/.*)?
            /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
            /var/lib/selinux(/.*)?
            /etc/share/selinux/mls(/.*)?
            /etc/share/selinux/targeted(/.*)?

       sysctl_type


       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       systemd_unit_file_type


       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*

       user_fonts_t

            /root/.fonts(/.*)?
            /tmp/.font-unix(/.*)?
            /home/[^/]+/.fonts(/.*)?
            /home/[^/]+/.local/share/fonts(/.*)?

       user_home_t

            /home/[^/]+/.+

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       vmware_conf_t

            /home/[^/]+/.vmware[^/]*/.*.cfg

       vmware_tmp_t


       vmware_tmpfs_t


       wireshark_tmp_t


       wireshark_tmpfs_t


       xauth_home_t

            /root/.xauth.*
            /root/.Xauth.*
            /root/.serverauth.*
            /root/.Xauthority.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]+/.xauth.*
            /home/[^/]+/.Xauth.*
            /home/[^/]+/.serverauth.*
            /home/[^/]+/.Xauthority.*

       xserver_tmpfs_t



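To see which of the labels above a given path falls under, here is an added example (not from this man page or from libselinux) that applies a subset of the default-path regexes from the table with the full-match semantics file_contexts entries use, so overlapping entries such as selinux_config_t, default_context_t and file_context_t under /etc/selinux all show up. The "most specific" pick mimics fc_sort ordering (longest literal stem, then longest expression) and is an assumption of this example; on a real host matchpathcon(8) gives the authoritative label, and, as the section notes, DAC permissions still apply on top of the type.

```python
"""Find which MANAGED FILES labels a path falls under, from the man page regexes.

Added example; not part of the sysadm_selinux man page or of libselinux.  The
table below is a subset of the type -> default-path-regex pairs listed in the
MANAGED FILES section.  The "most specific" selection is an approximation of
fc_sort ordering and is an assumption of this example; use matchpathcon(8) on
a real host for the authoritative answer.
"""
import re

# (file type, default path regex) pairs copied from the MANAGED FILES section.
MANAGED_FILE_CONTEXTS = [
    ("auditd_etc_t", r"/etc/audit(/.*)?"),
    ("auditd_log_t", r"/var/log/audit(/.*)?"),
    ("auditd_log_t", r"/var/log/audit.log.*"),
    ("default_context_t", r"/etc/selinux/([^/]*/)?contexts(/.*)?"),
    ("file_context_t", r"/etc/selinux/([^/]*/)?contexts/files(/.*)?"),
    ("krb5_keytab_t", r"/etc/krb5.keytab"),
    ("selinux_config_t", r"/etc/selinux(/.*)?"),
    ("selinux_config_t", r"/etc/selinux/([^/]*/)?seusers"),
    ("semanage_store_t", r"/etc/selinux/([^/]*/)?policy(/.*)?"),
    ("semanage_store_t", r"/var/lib/selinux(/.*)?"),
    ("screen_home_t", r"/home/[^/]+/.screen(/.*)?"),
    ("user_home_t", r"/home/[^/]+/.+"),
    ("xauth_home_t", r"/home/[^/]+/.Xauthority.*"),
]

_META = set(".^$?*+|[](){}\\")

# Compile once.  file_contexts regexes are anchored at both ends, which is
# what re.fullmatch gives us.
_COMPILED = [(ftype, rx, re.compile(rx)) for ftype, rx in MANAGED_FILE_CONTEXTS]


def literal_stem(rx):
    """Leading part of the regex before its first metacharacter."""
    for i, ch in enumerate(rx):
        if ch in _META:
            return rx[:i]
    return rx


def candidate_types(path):
    """All file types whose default-path regex fully matches `path` (sorted)."""
    return sorted({ftype for ftype, _, crx in _COMPILED if crx.fullmatch(path)})


def most_specific_type(path):
    """Pick one type: longest literal stem wins, then the longer expression.

    This mirrors how fc_sort orders file_contexts so that the last (most
    specific) match wins in libselinux; it is an approximation, not the
    library's algorithm.  Returns None when no entry matches.
    """
    best = None
    for ftype, rx, crx in _COMPILED:
        if crx.fullmatch(path):
            key = (len(literal_stem(rx)), len(rx))
            if best is None or key > best[0]:
                best = (key, ftype)
    return best[1] if best else None


if __name__ == "__main__":
    # All of these types are ones sysadm_t may manage per the table above;
    # whether a given process may actually write is still subject to DAC.
    for p in (
        "/var/log/audit/audit.log",
        "/etc/selinux/targeted/contexts/files/file_contexts",
        "/home/alice/.Xauthority",
        "/usr/bin/ls",
    ):
        print(f"{p:55} {candidate_types(p)} -> {most_specific_type(p)}")
```

A path with no candidates (such as /usr/bin/ls in the sample run) simply lies outside the table, which does not mean sysadm_t cannot touch it, only that none of the listed manageable types label it by default.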

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), sysadm_gkeyringd_selinux(8),
       sysadm_passwd_selinux(8), sysadm_screen_selinux(8),
       sysadm_seunshare_selinux(8), sysadm_ssh_agent_selinux(8),
       sysadm_su_selinux(8), sysadm_sudo_selinux(8)



mgrepl@redhat.com                   sysadm                   sysadm_selinux(8)