sysadm_selinux(8) sysadm SELinux Policy documentation sysadm_selinux(8)

sysadm_u - General system administration role - Security Enhanced Linux Policy


sysadm_u is an SELinux user defined in the SELinux policy. SELinux
users have default roles; for sysadm_u the default role is sysadm_r. The
default role has a default type, sysadm_t, associated with it.

The SELinux user will usually login to a system with a context that
looks like:

sysadm_u:sysadm_r:sysadm_t:s0 - s0:c0.c1023

Linux users are automatically assigned an SELinux user at login. Login
programs use the SELinux user to assign the initial context to the
user's shell.

SELinux policy uses the context to control the user's access.

By default all Linux users are assigned to an SELinux user via the
__default__ login record.

On Targeted policy systems the __default__ record is assigned to the
unconfined_u SELinux user.

You can list all Linux user to SELinux user mappings using:

semanage login -l

If you wanted to change the default user mapping to use the sysadm_u
user, you would execute:

semanage login -m -s sysadm_u __default__


The SELinux user sysadm_u is an admin user: a Linux user mapped to this
SELinux user is intended to perform administrative actions. Usually it
is assigned to the root Linux user.


The SELinux user sysadm_u can execute sudo.

You can set up sudo to allow sysadm_u to transition to an administrative
domain:

Add one or more of the following records to sudoers using visudo.

USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL

USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL

USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL

USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL

You might also need to add one or more of these new roles to your
SELinux user record, otherwise sudo cannot switch to that role.

List the SELinux roles your SELinux user can reach by executing:

$ semanage user -l | grep selinux_name

Modify the roles list so that it includes the role named in the sudoers
record; the command below adds all of the roles listed above:

$ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

For more details see the semanage man page.
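As an added example (not part of this man page), the following Python script ties the login mapping above to the sudoers records: it parses constructed `semanage login -l` and `semanage user -l` output, computes the context each ROLE=/TYPE= record would produce, flags roles the mapped SELinux user cannot reach, and builds the `semanage user -m -R` command that adds them. The sample logins, the sample command output, and the assumption that LEVEL equals the user's MLS level column are mine.

```python
import re
# Constructed sample of `semanage login -l` output (not captured from a real host).
LOGIN_L = """\
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
alice                sysadm_u             s0-s0:c0.c1023       *
"""
# Constructed sample of `semanage user -l` output.
USER_L = """\
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
"""
# Constructed sudoers records in the ROLE=/TYPE= form shown above (hypothetical logins).
SUDOERS = """\
alice ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
alice ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t /sbin/ausearch
bob   ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t /usr/bin/systemctl
"""
RULE = re.compile(r"^(\S+)\s+\S+=\(\S+\)\s+ROLE=(\S+)\s+TYPE=(\S+)\s+(.+)$")

def parse_logins(text):
    """Linux login name -> SELinux user, from `semanage login -l` (header skipped)."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) >= 3 and f[0] != "Login"}

def parse_users(text):
    """SELinux user -> (MLS level, set of roles), from `semanage user -l`."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: (f[2], set(f[4:])) for f in rows if len(f) >= 5 and f[1] == "user"}

def check_sudoers(sudoers, logins, users):
    """For each ROLE=/TYPE= record, compute the context sudo would run COMMAND in
    and flag roles that the mapped SELinux user cannot reach."""
    out = []
    for line in sudoers.splitlines():
        mt = RULE.match(line.strip())
        if not mt:
            continue                                   # not a ROLE=/TYPE= record
        login, role, rtype, cmd = mt.groups()
        seuser = logins.get(login, logins["__default__"])   # __default__ fallback
        level, roles = users[seuser]                   # LEVEL assumed = MLS level column
        status = "ok" if role in roles else f"{role} not in roles of {seuser}"
        out.append((login, cmd, f"{seuser}:{role}:{rtype}:{level}", status))
    return out

def fix_command(seuser, users, results):
    """The semanage command from this page that adds the roles flagged for seuser."""
    missing = {r[2].split(":")[1] for r in results
               if r[2].startswith(seuser + ":") and r[3] != "ok"}
    if not missing:
        return None
    roles = " ".join(sorted(users[seuser][1] | missing))
    return "semanage user -m -R '%s' %s" % (roles, seuser)
```

Records for a login that has no entry of its own (bob) resolve through __default__, so they are checked against unconfined_u's roles, not sysadm_u's.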

The SELinux type sysadm_t is not allowed to execute sudo.


The SELinux user sysadm_u is able to log in via X Windows.


The SELinux user sysadm_u is able to listen on the following tcp ports.

all ports without defined types
389,636,3268,3269,7389
32768-61000
all ports > 1024

The SELinux user sysadm_u is able to connect to the following tcp
ports.

all ports
53
5432,9898
8955
9080
32768-61000
all ports < 1024
389,636,3268,3269,7389
88,750,4444
111
all ports without defined types

The SELinux user sysadm_u is able to listen on the following udp ports.

all ports without defined types
123
32768-61000
all ports > 1024


SELinux policy is customizable based on the least access required. The
sysadm policy is extremely flexible and has several booleans that allow
you to manipulate the policy and run sysadm with the tightest access
possible.

If you want to allow users to resolve user passwd entries directly from
ldap rather than using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to determine whether crond can execute jobs in the user
domain as opposed to the generic cronjob domain, you must turn on the
cron_userdomain_transition boolean. Enabled by default.

setsebool -P cron_userdomain_transition 1

If you want to deny user domain applications the ability to map a memory
region as both executable and writable (this is dangerous and the
executable should be reported in bugzilla), you must turn on the
deny_execmem boolean. Enabled by default.

setsebool -P deny_execmem 1

If you want to deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1

If you want to allow any process to mmap any file on the system with the
attribute file_type, you must turn on the domain_can_mmap_files boolean.
Enabled by default.

setsebool -P domain_can_mmap_files 1

If you want to allow all domains to write to kmsg_device while the kernel
is executed with the systemd.log_target=kmsg parameter, you must turn on
the domain_can_write_kmsg boolean. Disabled by default.

setsebool -P domain_can_write_kmsg 1

If you want to allow all domains to use other domains' file descriptors,
you must turn on the domain_fd_use boolean. Enabled by default.

setsebool -P domain_fd_use 1

If you want to allow all domains to have the kernel load modules, you
must turn on the domain_kernel_load_modules boolean. Disabled by default.

setsebool -P domain_kernel_load_modules 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to determine whether calling user domains can execute the Git
daemon in the git_session_t domain, you must turn on the
git_session_users boolean. Disabled by default.

setsebool -P git_session_users 1

If you want to enable reading of urandom for all domains, you must turn
on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow logging in and using the system from /dev/console,
you must turn on the login_console_enabled boolean. Enabled by default.

setsebool -P login_console_enabled 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1

If you want to determine whether calling user domains can execute the
Polipo daemon in the polipo_session_t domain, you must turn on the
polipo_session_users boolean. Enabled by default.

setsebool -P polipo_session_users 1

If you want to allow database admins to execute DML statements, you must
turn on the postgresql_selinux_unconfined_dbadm boolean. Enabled by
default.

setsebool -P postgresql_selinux_unconfined_dbadm 1

If you want to disallow programs, such as newrole, from transitioning
to administrative user domains, you must turn on the secure_mode
boolean. Enabled by default.

setsebool -P secure_mode 1

If you want the system to refuse loading policy, setting enforcing mode,
and changing boolean values (once set to true, you have to reboot to set
it back), you must turn on the secure_mode_policyload boolean. Enabled
by default.

setsebool -P secure_mode_policyload 1

If you want to allow regular users direct dri device access, you must
turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

setsebool -P selinuxuser_direct_dri_enabled 1

If you want to allow unconfined executables to make their stack
executable (this should never, ever be necessary; it probably indicates
a badly coded executable, but could indicate an attack, and the
executable should be reported in bugzilla), you must turn on the
selinuxuser_execstack boolean. Enabled by default.

setsebool -P selinuxuser_execstack 1

If you want to allow users to connect to the local mysql server, you
must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
default.

setsebool -P selinuxuser_mysql_connect_enabled 1

If you want to allow users to connect to PostgreSQL, you must turn on
the selinuxuser_postgresql_connect_enabled boolean. Disabled by default.

setsebool -P selinuxuser_postgresql_connect_enabled 1

If you want to allow users to read and write files on filesystems that
do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
the selinuxuser_rw_noexattrfile boolean. Disabled by default.

setsebool -P selinuxuser_rw_noexattrfile 1

If you want to allow users to run TCP servers (bind to ports and accept
connections from the same domain and outside users), you must turn on
the selinuxuser_tcp_server boolean. Disabling this forces FTP passive
mode and may change other protocols. Disabled by default.

setsebool -P selinuxuser_tcp_server 1

If you want to allow users to run UDP servers (bind to ports and accept
connections from the same domain and outside users), you must turn on
the selinuxuser_udp_server boolean. Disabling this may break avahi
discovering services on the network and other udp related services.
Disabled by default.

setsebool -P selinuxuser_udp_server 1

If you want to allow users to use an ssh chroot environment, you must
turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

setsebool -P selinuxuser_use_ssh_chroot 1

If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
the ssh_sysadm_login boolean. Disabled by default.

setsebool -P ssh_sysadm_login 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

If you want to allow the graphical login program to log in directly as
sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
Disabled by default.

setsebool -P xdm_sysadm_login 1

If you want to allow clients to write to the X server shared memory
segments, you must turn on the xserver_clients_write_xshm boolean.
Disabled by default.

setsebool -P xserver_clients_write_xshm 1

If you want to support the X userspace object manager, you must turn on
the xserver_object_manager boolean. Enabled by default.

setsebool -P xserver_object_manager 1
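Because several of these booleans change what sysadm_u can do, a defender usually wants to know when a host has drifted from the defaults. The following Python script is an added example (not part of this man page): it parses constructed `getsebool -a` output, compares a subset of the booleans against the defaults stated above, classifies each deviation as loosening or tightening access according to the boolean's description, and emits the `setsebool -P` lines that restore the loosened ones. The subset, the sample output and the restrict-when-on classification are mine.

```python
# Defaults for a subset of the booleans as listed above (page values, not a live host).
PAGE_DEFAULTS = {
    "deny_execmem": "on", "deny_ptrace": "on", "secure_mode": "on",
    "secure_mode_policyload": "on", "selinuxuser_execstack": "on",
    "ssh_sysadm_login": "off", "xdm_sysadm_login": "off",
    "selinuxuser_tcp_server": "off", "domain_kernel_load_modules": "off",
    "domain_can_write_kmsg": "off",
}
# Booleans whose "on" value removes access, per their descriptions above;
# for every other boolean in the table, "on" grants access.
RESTRICT_WHEN_ON = {"deny_execmem", "deny_ptrace", "secure_mode", "secure_mode_policyload"}

# Constructed sample of `getsebool -a` output with three deviations from the page defaults.
GETSEBOOL_A = """\
deny_execmem --> on
deny_ptrace --> off
domain_can_write_kmsg --> off
domain_kernel_load_modules --> off
secure_mode --> on
secure_mode_policyload --> on
selinuxuser_execstack --> off
selinuxuser_tcp_server --> off
ssh_sysadm_login --> on
xdm_sysadm_login --> off
"""

def parse_getsebool(text):
    """name -> "on"/"off" from lines of the form `name --> on`."""
    state = {}
    for line in text.splitlines():
        if "-->" in line:
            name, value = (part.strip() for part in line.split("-->", 1))
            state[name] = value
    return state

def audit_booleans(state, expected=PAGE_DEFAULTS):
    """Return (name, expected, actual, effect) for each boolean that differs from
    the page default; effect is "loosened" when the change grants access."""
    findings = []
    for name, want in sorted(expected.items()):
        have = state.get(name)
        if have is None or have == want:
            continue
        grants_access = (have == "on") != (name in RESTRICT_WHEN_ON)
        findings.append((name, want, have, "loosened" if grants_access else "tightened"))
    return findings

def restore_commands(findings):
    """setsebool -P lines that put only the loosened booleans back to the page defaults."""
    return ["setsebool -P %s %d" % (name, want == "on")
            for name, want, _have, effect in findings if effect == "loosened"]
```

A boolean that is tightened relative to the page (here selinuxuser_execstack turned off) is reported but not reverted, since reverting it would widen access.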


The SELinux user sysadm_u is able to execute home content files.


Three things can happen when sysadm_t attempts to execute a program.

1. SELinux policy can deny sysadm_t from executing the program.

2. SELinux policy can allow sysadm_t to execute the program in the
current user type.

Execute the following to see the types that the sysadm_t domain can
execute without transitioning:

sesearch -A -s sysadm_t -c file -p execute_no_trans

3. SELinux policy can allow sysadm_t to execute the program and
transition to a new type.

Execute the following to see the types that the sysadm_t domain can
execute and transition to:

sesearch -A -s sysadm_t -c process -p transition


The SELinux process type sysadm_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

auditd_etc_t
    /etc/audit(/.*)?

auditd_log_t
    /var/log/audit(/.*)?
    /var/log/audit.log.*

boolean_type

cifs_t

default_context_t
    /etc/selinux/([^/]*/)?contexts(/.*)?
    /root/.default_contexts

file_context_t
    /etc/selinux/([^/]*/)?contexts/files(/.*)?

gconf_tmp_t
    /tmp/gconfd-[^/]+/.*

git_user_content_t
    /home/[^/]+/public_git(/.*)?

gnome_home_type

iceauth_home_t
    /root/.DCOP.*
    /root/.ICEauthority.*
    /home/[^/]+/.DCOP.*
    /home/[^/]+/.ICEauthority.*

irc_home_t
    /home/[^/]+/.irssi(/.*)?
    /home/[^/]+/irclog(/.*)?
    /home/[^/]+/.ircmotd

krb5_host_rcache_t
    /var/cache/krb5rcache(/.*)?
    /var/tmp/nfs_0
    /var/tmp/DNS_25
    /var/tmp/host_0
    /var/tmp/imap_0
    /var/tmp/HTTP_23
    /var/tmp/HTTP_48
    /var/tmp/ldap_55
    /var/tmp/ldap_487
    /var/tmp/ldapmap1_0

krb5_keytab_t
    /etc/krb5.keytab
    /etc/krb5kdc/kadm5.keytab
    /var/kerberos/krb5kdc/kadm5.keytab

non_security_file_type

noxattrfs
    all files on file systems which do not support extended attributes

postfix_spool_type

screen_home_t
    /root/.screen(/.*)?
    /home/[^/]+/.screen(/.*)?
    /home/[^/]+/.screenrc
    /home/[^/]+/.tmux.conf

selinux_config_t
    /etc/selinux(/.*)?
    /etc/selinux/([^/]*/)?seusers
    /etc/selinux/([^/]*/)?users(/.*)?
    /etc/selinux/([^/]*/)?setrans.conf
    /var/lib/sepolgen(/.*)?

selinux_login_config_t
    /etc/selinux/([^/]*/)?logins(/.*)?

semanage_store_t
    /etc/selinux/([^/]*/)?policy(/.*)?
    /etc/selinux/(minimum|mls|targeted)/active(/.*)?
    /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
    /var/lib/selinux(/.*)?
    /etc/share/selinux/mls(/.*)?
    /etc/share/selinux/targeted(/.*)?

sysctl_type

systemd_passwd_var_run_t
    /var/run/systemd/ask-password(/.*)?
    /var/run/systemd/ask-password-block(/.*)?

systemd_unit_file_type

usbfs_t

user_fonts_cache_t
    /root/.fontconfig(/.*)?
    /root/.fonts/auto(/.*)?
    /root/.fonts.cache-.*
    /home/[^/]+/.fontconfig(/.*)?
    /home/[^/]+/.fonts/auto(/.*)?
    /home/[^/]+/.fonts.cache-.*

user_fonts_t
    /root/.fonts(/.*)?
    /tmp/.font-unix(/.*)?
    /home/[^/]+/.fonts(/.*)?
    /home/[^/]+/.local/share/fonts(/.*)?

user_home_t
    /home/[^/]+/.+

user_home_type
    all user home files

user_tmp_t
    /dev/shm/mono.*
    /var/run/user(/.*)?
    /tmp/.X11-unix(/.*)?
    /tmp/.ICE-unix(/.*)?
    /dev/shm/pulse-shm.*
    /tmp/.X0-lock
    /tmp/hsperfdata_root
    /var/tmp/hsperfdata_root
    /home/[^/]+/tmp
    /home/[^/]+/.tmp
    /tmp/gconfd-[^/]+

user_tmp_type
    all user tmp files

vmware_conf_t
    /home/[^/]+/.vmware[^/]*/.*.cfg

vmware_tmp_t

vmware_tmpfs_t

wireshark_tmp_t

wireshark_tmpfs_t

xauth_home_t
    /root/.xauth.*
    /root/.Xauth.*
    /root/.serverauth.*
    /root/.Xauthority.*
    /var/lib/pqsql/.xauth.*
    /var/lib/pqsql/.Xauthority.*
    /var/lib/nxserver/home/.xauth.*
    /var/lib/nxserver/home/.Xauthority.*
    /home/[^/]+/.xauth.*
    /home/[^/]+/.Xauth.*
    /home/[^/]+/.serverauth.*
    /home/[^/]+/.Xauthority.*

xserver_tmpfs_t


semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.


This manual page was auto-generated using sepolicy manpage.


selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8), sysadm_gkeyringd_selinux(8), sysadm_passwd_selinux(8),
sysadm_screen_selinux(8), sysadm_seunshare_selinux(8),
sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8), sysadm_sudo_selinux(8)


mgrepl@redhat.com sysadm sysadm_selinux(8)