user_selinux(8)        user SELinux Policy documentation       user_selinux(8)

NAME

       user_u - Generic unprivileged user - Security Enhanced Linux Policy

DESCRIPTION

       user_u is an SELinux User defined in the SELinux policy. SELinux users
       have default roles, user_r. The default role has a default type,
       user_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       user_u:user_r:user_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux User to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux User to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the user_u
       user, you would execute:

       semanage login -m -s user_u __default__

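       As an added example (not part of this man page), a small POSIX sh audit
       of the mapping table that "semanage login -l" prints: it resolves the
       SELinux user a given login will receive (explicit entry, otherwise
       __default__) and lists every login that still lands in unconfined_u.
       The column layout is an assumption based on the shipped semanage output,
       group entries (%name) are ignored, and the listing below is constructed.

```sh
#!/bin/sh
# Added example, not part of user_selinux(8): audit the Linux login ->
# SELinux user table that "semanage login -l" prints. Both functions read
# the listing on stdin, so on a live host run e.g.:
#     semanage login -l | unconfined_logins
# Assumption: the first two columns are "Login Name" and "SELinux User";
# group entries (%name) are not modelled, only the __default__ fallback.

# Print the SELinux user a login will be assigned: an explicit entry wins,
# otherwise the __default__ entry applies.
resolve_selinux_user() {
    awk -v login="$1" '
        NF >= 2 && $1 == login         { found = $2 }
        NF >= 2 && $1 == "__default__" { dflt  = $2 }
        END { print (found != "" ? found : dflt) }'
}

# Print "login -> selinux_user" for every entry that maps to unconfined_u,
# i.e. every login to which the user_u confinement does not apply.
unconfined_logins() {
    awk 'NF >= 2 && $2 == "unconfined_u" { print $1 " -> " $2 }'
}

# Constructed listing standing in for a live "semanage login -l" on a
# targeted-policy host where only alice has been moved to user_u.
SAMPLE_LISTING='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
alice                user_u               s0                   *'

printf '%s\n' "$SAMPLE_LISTING" | unconfined_logins
printf 'bob would get: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | resolve_selinux_user bob)"
```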

USER DESCRIPTION

       The SELinux user user_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.


SUDO

X WINDOWS LOGIN

       The SELinux user user_u is able to log in through X Windows.


NETWORK

       The SELinux user user_u is able to listen on the following tcp ports.

              6000-6020

              3689

              32768-61000

              all ports > 1024

              all ports without defined types

       The SELinux user user_u is able to connect to the following tcp ports.

              all ports

              53

              8955

              32768-61000

              88,750,4444

              all ports < 1024

              9080

              389,636,3268,3269,7389

              5432,9898

              111

              all ports without defined types

       The SELinux user user_u is able to listen on the following udp ports.

              all ports without defined types

              32768-61000

              all ports > 1024


BOOLEANS

       SELinux policy is customizable based on least access required. user
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run user with the tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you
       must turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to determine whether calling user domains can execute Git
       daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Enabled by default.

       setsebool -P git_session_users 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Disabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow logging in and using the system from /dev/console,
       you must turn on the login_console_enabled boolean. Enabled by default.

       setsebool -P login_console_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to determine whether calling user domains can execute the
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to disallow programs, such as newrole, from transitioning
       to administrative user domains, you must turn on the secure_mode
       boolean. Enabled by default.

       setsebool -P secure_mode 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Enabled by default.

       setsebool -P selinuxuser_execmod 1

       If you want to allow unconfined executables to make their stack
       executable (this should never, ever be necessary; it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       selinuxuser_execstack boolean. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to connect to the local mysql server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_mysql_connect_enabled 1

       If you want to allow confined users the ability to execute the ping and
       traceroute commands, you must turn on the selinuxuser_ping boolean.
       Enabled by default.

       setsebool -P selinuxuser_ping 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_postgresql_connect_enabled 1

       If you want to allow users to r/w files on filesystems that do not have
       extended attributes (FAT, CDROM, FLOPPY), you must turn on the
       selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow user music sharing, you must turn on the
       selinuxuser_share_music boolean. Disabled by default.

       setsebool -P selinuxuser_share_music 1

       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_tcp_server boolean; disabling this forces FTP passive
       mode and may change other protocols. Disabled by default.

       setsebool -P selinuxuser_tcp_server 1

       If you want to allow users to run UDP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_udp_server boolean; disabling this may break avahi
       discovering services on the network and other udp related services.
       Disabled by default.

       setsebool -P selinuxuser_udp_server 1

       If you want to allow users to use the ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to allow unprivileged users to create and transition to
       svirt domains, you must turn on the unprivuser_use_svirt boolean.
       Disabled by default.

       setsebool -P unprivuser_use_svirt 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow the graphical login program to login directly as
       sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
       Enabled by default.

       setsebool -P xdm_sysadm_login 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1

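       As an added example (not part of this man page), a POSIX sh check that
       compares the booleans described above against a tighter-than-default
       baseline, reading "getsebool -a" style lines on stdin and printing the
       setsebool -P line that would correct each deviation. The baseline is
       this example's own assumption drawn from the descriptions above, not a
       vendor recommendation, and the getsebool output below is constructed.

```sh
#!/bin/sh
# Added example, not part of user_selinux(8): check the booleans described
# above against a tighter-than-default baseline. Reads "getsebool -a"
# style lines ("name --> on|off") on stdin; on a live host run:
#     getsebool -a | boolean_drift
# The baseline is this example's own choice, derived from the descriptions
# above (keep W+X mappings and ptrace denied, no executable stacks or text
# relocations for unprivileged executables, no direct sysadm_r logins);
# it is an assumption, not a vendor recommendation.
BASELINE='deny_ptrace=on deny_execmem=on secure_mode=on'
BASELINE="$BASELINE selinuxuser_execstack=off selinuxuser_execmod=off"
BASELINE="$BASELINE ssh_sysadm_login=off xdm_sysadm_login=off"

# For every baseline boolean whose live value differs, print
# "name current -> wanted" followed by the setsebool -P line that fixes it.
# Booleans not in the baseline are ignored.
boolean_drift() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, items, " ")
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] {
            printf "%s %s -> %s\n", $1, $3, want[$1]
            printf "  setsebool -P %s %d\n", $1, (want[$1] == "on")
        }'
}

# Constructed getsebool output standing in for a live host: two of the
# baseline booleans deviate, one unrelated boolean is also present.
SAMPLE_BOOLEANS='deny_ptrace --> off
deny_execmem --> on
secure_mode --> on
selinuxuser_execstack --> on
selinuxuser_execmod --> off
ssh_sysadm_login --> off
xdm_sysadm_login --> off
selinuxuser_ping --> on'

printf '%s\n' "$SAMPLE_BOOLEANS" | boolean_drift
```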

HOME_EXEC

       The SELinux user user_u is able to execute home content files.


TRANSITIONS

       Three things can happen when user_t attempts to execute a program.

       1. SELinux Policy can deny user_t from executing the program.

       2. SELinux Policy can allow user_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              user_t can execute without transitioning:

              sesearch -A -s user_t -c file -p execute_no_trans

       3. SELinux can allow user_t to execute the program and transition to a
       new type.

              Execute the following to see the types that the SELinux user
              user_t can execute and transition:

              sesearch -A -s user_t -c process -p transition


MANAGED FILES

       The SELinux process type user_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       anon_inodefs_t

       auth_cache_t

            /var/cache/coolkey(/.*)?

       bluetooth_helper_tmp_t

       bluetooth_helper_tmpfs_t

       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t

       cifs_t

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       git_user_content_t

            /home/[^/]+/public_git(/.*)?

       gnome_home_type

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       irc_home_t

            /home/[^/]+/.irssi(/.*)?
            /home/[^/]+/irclog(/.*)?
            /home/[^/]+/.ircmotd

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t

       pulseaudio_tmpfsfile

       sandbox_file_t

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]+/.screen(/.*)?
            /home/[^/]+/.screenrc
            /home/[^/]+/.tmux.conf

       security_t

            /selinux

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       virt_image_type

            all virtual image files

       xserver_tmpfs_t


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8),
       user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8),
       user_ssh_agent_selinux(8), user_wine_selinux(8)

mgrepl@redhat.com                    user                      user_selinux(8)