useradd_selinux(8) SELinux Policy useradd useradd_selinux(8)

NAME
useradd_selinux - Security Enhanced Linux Policy for the useradd processes

DESCRIPTION
Security-Enhanced Linux secures the useradd processes via flexible mandatory access control.

The useradd processes execute with the useradd_t SELinux type. You can check whether these processes are running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep useradd_t


ENTRYPOINTS
The useradd_t SELinux type can be entered via the useradd_exec_t and user_home_t file types.

The default entrypoint paths for the useradd_t domain are the following:

/usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/newusers, /home/[^/]+/.+

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux useradd policy is very flexible, allowing users to set up their useradd processes in as secure a manner as possible.

The following process types are defined for useradd:

useradd_t

Note: semanage permissive -a useradd_t can be used to make the process type useradd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.
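Because a permissive useradd_t still produces AVC records, the audit log is the place to see what the domain would have been denied. The script below is an added example, not part of this generated man page: it pulls the AVC records attributed to useradd_t out of audit-log text and reports, for each denied operation, whether the domain was enforcing (permissive=0, access blocked) or permissive (permissive=1, access allowed but logged). The three log lines are constructed sample data in audit.log format; the helper names useradd_denials and count_useradd_denials are this example's own.

```shell
#!/bin/sh
# Added example (not from the man page): find AVC denials raised by the
# useradd_t domain and say whether each was enforced or only logged.
# AVC_SAMPLE holds constructed audit.log lines, not records from a real host.
AVC_SAMPLE='type=AVC msg=audit(1700000000.100:201): avc:  denied  { write } for  pid=4242 comm="useradd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:202): avc:  denied  { read } for  pid=4242 comm="useradd" name="mtab" dev="dm-0" ino=1235 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.300:203): avc:  denied  { read } for  pid=5150 comm="httpd" name="passwd" dev="dm-0" ino=1236 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0'

# useradd_denials [domain]: one line per AVC record whose source context
# carries the given domain type (default useradd_t), formatted as
#   <mode> <permissions> <target type> <class>
# where <mode> is "enforced" (permissive=0) or "permissive" (permissive=1).
useradd_denials() {
  domain=${1:-useradd_t}
  printf '%s\n' "$AVC_SAMPLE" | awk -v dom="$domain" '
    /type=AVC/ && /avc:  denied/ {
      # the denied permissions sit between "{ " and " }"
      perms = $0; sub(/.*\{ /, "", perms); sub(/ \}.*/, "", perms)
      src = ""; tgt = ""; cls = ""; mode = "unknown"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) src = substr($i, 10)
        if ($i ~ /^tcontext=/) tgt = substr($i, 10)
        if ($i ~ /^tclass=/)   cls = substr($i, 8)
        if ($i == "permissive=0") mode = "enforced"
        if ($i == "permissive=1") mode = "permissive"
      }
      # a context is user:role:type:level; the third field is the type
      split(src, s, ":"); split(tgt, t, ":")
      if (s[3] == dom) print mode, perms, t[3], cls
    }'
}

# count_useradd_denials: number of AVC records attributed to useradd_t
count_useradd_denials() {
  useradd_denials useradd_t | wc -l | tr -d ' '
}

useradd_denials
```

On a real host, replace the constructed AVC_SAMPLE with the output of ausearch -m avc -ts recent (or the contents of /var/log/audit/audit.log); a "permissive" line tells you which access the domain would lose once it is put back into enforcing mode, which is the information semanage permissive is usually turned on to collect.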


BOOLEANS
SELinux policy is customizable based on the least access required. useradd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run useradd with the tightest access possible.


If you want to allow users to resolve user passwd entries directly from ldap rather than using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1


If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default.

setsebool -P daemons_use_tty 1


If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1


If you want to allow any process to mmap any file on the system with attribute file_type, you must turn on the domain_can_mmap_files boolean. Enabled by default.

setsebool -P domain_can_mmap_files 1


If you want to allow all domains to write to kmsg_device while the kernel is executed with the systemd.log_target=kmsg parameter, you must turn on the domain_can_write_kmsg boolean. Disabled by default.

setsebool -P domain_can_write_kmsg 1


If you want to allow all domains to use other domains' file descriptors, you must turn on the domain_fd_use boolean. Enabled by default.

setsebool -P domain_fd_use 1


If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default.

setsebool -P domain_kernel_load_modules 1


If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1


If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1


If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1


If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1


If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1


If you want to allow samba to act as the domain controller, add users and groups, and change passwords, you must turn on the samba_domain_controller boolean. Disabled by default.

setsebool -P samba_domain_controller 1


If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1


If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1
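Each boolean above is documented with its default, and most of the non-default settings widen what every confined domain may do. As an added example, not part of this generated man page, the script below compares a getsebool-style listing against those documented defaults and prints every deviation, then singles out the ones that loosen policy (a default-off boolean turned on, or deny_ptrace turned off). The getsebool output is constructed sample data; the helper names boolean_deviations and loosened_booleans are this example's own.

```shell
#!/bin/sh
# Added example (not from the man page): audit the booleans listed in this
# man page against their documented defaults.
# GETSEBOOL_SAMPLE is constructed; on a real host use:  getsebool -a
GETSEBOOL_SAMPLE='authlogin_nsswitch_use_ldap --> off
daemons_use_tty --> on
deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> off
fips_mode --> on
global_ssp --> off
kerberos_enabled --> off
nis_enabled --> off
nscd_use_shm --> off
samba_domain_controller --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off'

# Documented defaults ("Enabled/Disabled by default") for the booleans above.
BOOLEAN_DEFAULTS='authlogin_nsswitch_use_ldap off
daemons_use_tty off
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off
kerberos_enabled on
nis_enabled off
nscd_use_shm off
samba_domain_controller off
use_nfs_home_dirs off
use_samba_home_dirs off'

# boolean_deviations: print "<boolean> <current> (default <default>)" for
# every boolean whose current state differs from its documented default.
# Defaults lines have two fields; getsebool lines ("name --> state") have
# three, so one awk pass can read both without a temporary file.
boolean_deviations() {
  { printf '%s\n' "$BOOLEAN_DEFAULTS"; printf '%s\n' "$GETSEBOOL_SAMPLE"; } | awk '
    NF == 2 { def[$1] = $2; next }
    NF == 3 && $2 == "-->" && ($1 in def) && $3 != def[$1] {
      print $1, $3, "(default " def[$1] ")"
    }'
}

# loosened_booleans: the deviations that widen access. A default-off boolean
# turned on always grants something extra; deny_ptrace is the one default-on
# boolean here whose "off" state removes a restriction rather than a grant.
loosened_booleans() {
  boolean_deviations | awk '$2 == "on" || $1 == "deny_ptrace" { print $1 }'
}

boolean_deviations
```

With the sample data the audit reports four deviations; kerberos_enabled turned off is listed but not flagged as loosening, while daemons_use_tty, deny_ptrace and use_nfs_home_dirs are. Run it after any setsebool -P change to confirm the persistent state matches what the change request intended.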


MANAGED FILES
The SELinux process type useradd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cifs_t


default_context_t

/etc/selinux/([^/]*/)?contexts(/.*)?
/root/.default_contexts

etc_runtime_t

/[^/]+
/etc/mtab.*
/etc/blkid(/.*)?
/etc/nologin.*
/etc/.fstab.hal..+
/halt
/fastboot
/poweroff
/etc/cmtab
/forcefsck
/.autofsck
/.suspended
/fsckoptions
/var/.updated
/etc/.updated
/.autorelabel
/etc/securetty
/etc/nohotplug
/etc/killpower
/etc/ioctl.save
/etc/fstab.REVOKE
/etc/network/ifstate
/etc/sysconfig/hwconf
/etc/ptal/ptal-printd-like
/etc/sysconfig/iptables.save
/etc/xorg.conf.d/00-system-setup-keyboard.conf
/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

etc_t

/etc/.*
/usr/etc(/.*)?
/var/ftp/etc(/.*)?
/var/lib/openshift/.limits.d(/.*)?
/var/lib/openshift/.openshift-proxy.d(/.*)?
/var/lib/openshift/.stickshift-proxy.d(/.*)?
/var/lib/stickshift/.limits.d(/.*)?
/var/lib/stickshift/.stickshift-proxy.d(/.*)?
/var/named/chroot/etc(/.*)?
/etc/ipsec.d/examples(/.*)?
/var/spool/postfix/etc(/.*)?
/etc
/etc/cups/client.conf

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

file_context_t

/etc/selinux/([^/]*/)?contexts/files(/.*)?

httpd_user_content_type


httpd_user_script_exec_type


initrc_var_run_t

/var/run/utmp
/var/run/random-seed
/var/run/runlevel.dir
/var/run/setmixer_flag

krb5kdc_var_lib_t

/var/lib/kdcproxy(/.*)?

lastlog_t

/var/log/lastlog.*

mail_spool_t

/var/mail(/.*)?
/var/spool/imap(/.*)?
/var/spool/mail(/.*)?
/var/spool/smtpd(/.*)?

nfs_t


openshift_file_type


passwd_file_t

/etc/group[-+]?
/etc/passwd[-+]?
/etc/passwd.adjunct.*
/etc/ptmptmp
/etc/.pwd.lock
/etc/group.lock
/etc/passwd.OLD
/etc/passwd.lock

security_t

/selinux

selinux_config_t

/etc/selinux(/.*)?
/etc/selinux/([^/]*/)?seusers
/etc/selinux/([^/]*/)?users(/.*)?
/etc/selinux/([^/]*/)?setrans.conf
/var/lib/sepolgen(/.*)?

selinux_login_config_t

/etc/selinux/([^/]*/)?logins(/.*)?

semanage_read_lock_t

/etc/selinux/([^/]*/)?modules/semanage.read.LOCK
/var/lib/selinux/[^/]+/semanage.read.LOCK

semanage_store_t

/etc/selinux/([^/]*/)?policy(/.*)?
/etc/selinux/(minimum|mls|targeted)/active(/.*)?
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
/var/lib/selinux(/.*)?
/etc/share/selinux/mls(/.*)?
/etc/share/selinux/targeted(/.*)?

semanage_tmp_t


semanage_trans_lock_t

/etc/selinux/([^/]*/)?modules/semanage.trans.LOCK
/var/lib/selinux/[^/]+/semanage.trans.LOCK

shadow_t

/etc/shadow.*
/etc/gshadow.*
/etc/nshadow.*
/var/db/shadow.*
/etc/security/opasswd
/etc/security/opasswd.old

smsd_var_lib_t

/var/lib/smstools(/.*)?

stapserver_var_lib_t

/var/lib/stap-server(/.*)?

user_home_type

all user home files

useradd_var_run_t



FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux useradd policy is very flexible, allowing users to set up their useradd processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for useradd. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t useradd_var_run_t '/srv/myuseradd_content(/.*)?'
restorecon -R -v /srv/myuseradd_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.
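Because the first argument to semanage fcontext is a regular expression, a pattern that is slightly off will either miss the files you meant to relabel or capture neighbouring paths you did not. The script below is an added example, not part of this generated man page: it checks which of a few paths a file-context regex would capture, using the same anchoring libselinux applies (the pattern must match the whole path, not a substring), before the pattern is committed with semanage. The pattern is the one from the text above; the paths are constructed, and the helper names fcontext_matches, fcontext_report and fcontext_misses are this example's own.

```shell
#!/bin/sh
# Added example (not from the man page): dry-run a file-context regex
# against candidate paths before registering it with semanage fcontext.
# libselinux matches file_contexts regexes against the whole path, so the
# pattern is anchored with ^ and $ here as well.

# fcontext_matches PATTERN PATH: succeed if PATH would be labeled by PATTERN
fcontext_matches() {
  printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# fcontext_report PATTERN PATH...: print "match <path>" or "miss  <path>"
# for each path so the reviewer can eyeball the coverage of the pattern.
fcontext_report() {
  pattern=$1; shift
  for p in "$@"; do
    if fcontext_matches "$pattern" "$p"; then
      echo "match $p"
    else
      echo "miss  $p"
    fi
  done
}

# fcontext_misses PATTERN PATH...: print how many of the paths the pattern
# does NOT cover (0 means every path listed would receive the label).
fcontext_misses() {
  pattern=$1; shift
  n=0
  for p in "$@"; do
    fcontext_matches "$pattern" "$p" || n=$((n + 1))
  done
  echo "$n"
}

# The pattern from the man page text, with constructed candidate paths:
# the directory itself and anything beneath it match, look-alike siblings
# do not, and dropping the trailing "(/.*)?" would label only the directory.
fcontext_report '/srv/myuseradd_content(/.*)?' \
  /srv/myuseradd_content \
  /srv/myuseradd_content/pids/useradd.pid \
  /srv/myuseradd_content2 \
  /srv/myuseradd_content_old/x
```

The trailing (/.*)? is what makes files created later under the directory pick up the label on restorecon; a pattern without it labels the directory only. The check is a pure regex test and does not consult the policy, so it says nothing about whether useradd_var_run_t is the right type for the content, only about which paths the pattern will claim.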

The following file types are defined for useradd:


useradd_exec_t

- Set files with the useradd_exec_t type, if you want to transition an executable to the useradd_t domain.

Paths:
/usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/newusers


useradd_var_run_t

- Set files with the useradd_var_run_t type, if you want to store the useradd files under the /run or /var/run directory.


Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.


COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux policy settings.


AUTHOR
This manual page was auto-generated using sepolicy manpage.


SEE ALSO
selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)



useradd 19-04-25 useradd_selinux(8)