sysadm_selinux(8)

1sysadm_selinux(8)     sysadm SELinux Policy documentation    sysadm_selinux(8)
2
3
4

NAME

6       sysadm_u - General system administration role - Security Enhanced Linux
7       Policy
8
9

DESCRIPTION

11       sysadm_u is an SELinux User defined  in  the  SELinux  policy.  SELinux
12       users  have  default  roles,  sysadm_r.  The default role has a default
13       type, sysadm_t, associated with it.
14
15       The SELinux user will usually login to a system  with  a  context  that
16       looks like:
17
18       sysadm_u:sysadm_r:sysadm_t:s0 - s0:c0.c1023
19
20       Linux  users  are  automatically  assigned  an  SELinux users at login.
21       Login programs use the SELinux User to assign initial  context  to  the
22       user's shell.
23
24       SELinux policy uses the context to control the user's access.
25
26       By  default  all  users  are  assigned  to  the  SELinux  user  via the
27       __default__ flag
28
29       On Targeted policy systems the __default__  user  is  assigned  to  the
30       unconfined_u SELinux user.
31
32       You can list all Linux User to SELinux user mapping using:
33
34       semanage login -l
35
36       If  you  wanted  to change the default user mapping to use the sysadm_u
37       user, you would execute:
38
39       semanage login -m -s sysadm_u __default__
40
41
42       If you want to map the one Linux user (joe) to the SELinux user sysadm,
43       you would execute:
44
45       $ semanage login -a -s sysadm_u joe
46
47
48

USER DESCRIPTION

50       The  SELinux  user  sysadm_u  is  an admin user. It means that a mapped
51       Linux user to this SELinux user is intended for administrative actions.
52       Usually this is assigned to a root Linux user.
53
54

SUDO

56       The SELinux user sysadm can execute sudo.
57
58       You  can set up sudo to allow sysadm to transition to an administrative
59       domain:
60
61       Add one or more of the following record to sudoers using visudo.
62
63
64       USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
65       sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL
66
67       You might also need to add one or more  of  these  new  roles  to  your
68       SELinux user record.
69
70       List the SELinux roles your SELinux user can reach by executing:
71
72       $ semanage user -l |grep selinux_name
73
74       Modify the roles list and add sysadm_r to this list.
75
76       $  semanage  user  -m  -R 'sysadm_r user_r staff_r secadm_r auditadm_r'
77       sysadm_u
78
79       For more details you can see semanage man page.
80
81
82       USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
83       sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL
84
85       You might also need to add one or more  of  these  new  roles  to  your
86       SELinux user record.
87
88       List the SELinux roles your SELinux user can reach by executing:
89
90       $ semanage user -l |grep selinux_name
91
92       Modify the roles list and add sysadm_r to this list.
93
94       $  semanage  user  -m  -R 'sysadm_r user_r staff_r secadm_r auditadm_r'
95       sysadm_u
96
97       For more details you can see semanage man page.
98
99
100       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
101       sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL
102
103       You might also need to add one or more  of  these  new  roles  to  your
104       SELinux user record.
105
106       List the SELinux roles your SELinux user can reach by executing:
107
108       $ semanage user -l |grep selinux_name
109
110       Modify the roles list and add sysadm_r to this list.
111
112       $  semanage  user  -m  -R 'sysadm_r user_r staff_r secadm_r auditadm_r'
113       sysadm_u
114
115       For more details you can see semanage man page.
116
117
118       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
119       sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL
120
121       You might also need to add one or more  of  these  new  roles  to  your
122       SELinux user record.
123
124       List the SELinux roles your SELinux user can reach by executing:
125
126       $ semanage user -l |grep selinux_name
127
128       Modify the roles list and add sysadm_r to this list.
129
130       $  semanage  user  -m  -R 'sysadm_r user_r staff_r secadm_r auditadm_r'
131       sysadm_u
132
133       For more details you can see semanage man page.
134
135
136       The SELinux type sysadm_t is not allowed to execute sudo.
137
138

X WINDOWS LOGIN

140       The SELinux user sysadm_u is able to X Windows login.
141
142

NETWORK

144       The SELinux user sysadm_u is able to listen on the following tcp ports.
145
146              389,636,3268,3269,7389
147
148              32768-61000
149
150              all ports with out defined types
151
152              all ports > 1024
153
154
155       The SELinux user sysadm_u is able  to  connect  to  the  following  tcp
156       ports.
157
158              all ports
159
160              5432,9898
161
162              8955
163
164              53,853
165
166              389,636,3268,3269,7389
167
168              111
169
170              all ports < 1024
171
172              32768-61000
173
174              all ports with out defined types
175
176              88,750,4444
177
178              9080
179
180
181       The SELinux user sysadm_u is able to listen on the following udp ports.
182
183              123
184
185              all ports with out defined types
186
187              32768-61000
188
189              all ports > 1024
190
191
192       The  SELinux  user  sysadm_u  is  able  to connect to the following tcp
193       ports.
194
195              all ports
196
197              5432,9898
198
199              8955
200
201              53,853
202
203              389,636,3268,3269,7389
204
205              111
206
207              all ports < 1024
208
209              32768-61000
210
211              all ports with out defined types
212
213              88,750,4444
214
215              9080
216
217

BOOLEANS

219       SELinux policy is customizable based on least access required.   sysadm
220       policy is extremely flexible and has several booleans that allow you to
221       manipulate the policy and run sysadm with the tightest access possible.
222
223
224
225       If you want to allow users to resolve user passwd entries directly from
226       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
227       gin_nsswitch_use_ldap boolean. Disabled by default.
228
229       setsebool -P authlogin_nsswitch_use_ldap 1
230
231
232
233       If you want to determine whether crond can execute  jobs  in  the  user
234       domain  as  opposed to the the generic cronjob domain, you must turn on
235       the cron_userdomain_transition boolean. Enabled by default.
236
237       setsebool -P cron_userdomain_transition 1
238
239
240
241       If you want to deny user domains applications to map a memory region as
242       both  executable  and  writable,  this  is dangerous and the executable
243       should be reported in bugzilla, you must turn on the deny_execmem bool‐
244       ean. Enabled by default.
245
246       setsebool -P deny_execmem 1
247
248
249
250       If  you  want  to deny any process from ptracing or debugging any other
251       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
252       default.
253
254       setsebool -P deny_ptrace 1
255
256
257
258       If you want to allow all domains to execute in fips_mode, you must turn
259       on the fips_mode boolean. Enabled by default.
260
261       setsebool -P fips_mode 1
262
263
264
265       If you want to determine whether calling user domains can  execute  Git
266       daemon  in  the  git_session_t  domain,  you  must turn on the git_ses‐
267       sion_users boolean. Disabled by default.
268
269       setsebool -P git_session_users 1
270
271
272
273       If you want to allow confined applications to run  with  kerberos,  you
274       must turn on the kerberos_enabled boolean. Enabled by default.
275
276       setsebool -P kerberos_enabled 1
277
278
279
280       If  you  want  to  allow  system  to run with NIS, you must turn on the
281       nis_enabled boolean. Disabled by default.
282
283       setsebool -P nis_enabled 1
284
285
286
287       If you want to allow confined applications to use nscd  shared  memory,
288       you must turn on the nscd_use_shm boolean. Enabled by default.
289
290       setsebool -P nscd_use_shm 1
291
292
293
294       If  you  want  to  determine  whether  calling user domains can execute
295       Polipo daemon in the polipo_session_t domain,  you  must  turn  on  the
296       polipo_session_users boolean. Disabled by default.
297
298       setsebool -P polipo_session_users 1
299
300
301
302       If  you  want  to allow unconfined executables to make their stack exe‐
303       cutable.  This should never, ever be necessary.  Probably  indicates  a
304       badly  coded  executable, but could indicate an attack. This executable
305       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
306       stack boolean. Enabled by default.
307
308       setsebool -P selinuxuser_execstack 1
309
310
311
312       If  you  want  to allow users to connect to the local mysql server, you
313       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
314       default.
315
316       setsebool -P selinuxuser_mysql_connect_enabled 1
317
318
319
320       If  you  want to allow users to connect to PostgreSQL, you must turn on
321       the   selinuxuser_postgresql_connect_enabled   boolean.   Disabled   by
322       default.
323
324       setsebool -P selinuxuser_postgresql_connect_enabled 1
325
326
327
328       If  you want to allow user to r/w files on filesystems that do not have
329       extended attributes (FAT, CDROM, FLOPPY), you must turn on  the  selin‐
330       uxuser_rw_noexattrfile boolean. Enabled by default.
331
332       setsebool -P selinuxuser_rw_noexattrfile 1
333
334
335
336       If you want to allow users to run TCP servers (bind to ports and accept
337       connection from the same domain  and  outside  users)   disabling  this
338       forces  FTP  passive mode and may change other protocols, you must turn
339       on the selinuxuser_tcp_server boolean. Disabled by default.
340
341       setsebool -P selinuxuser_tcp_server 1
342
343
344
345       If you want to allow users to run UDP servers (bind to ports and accept
346       connection  from the same domain and outside users)  disabling this may
347       break avahi discovering services on the network and other  udp  related
348       services, you must turn on the selinuxuser_udp_server boolean. Disabled
349       by default.
350
351       setsebool -P selinuxuser_udp_server 1
352
353
354
355       If you want to allow user  to use ssh chroot environment, you must turn
356       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
357
358       setsebool -P selinuxuser_use_ssh_chroot 1
359
360
361
362       If  you  want  to  support  NFS  home directories, you must turn on the
363       use_nfs_home_dirs boolean. Disabled by default.
364
365       setsebool -P use_nfs_home_dirs 1
366
367
368
369       If you want to support SAMBA home directories, you  must  turn  on  the
370       use_samba_home_dirs boolean. Disabled by default.
371
372       setsebool -P use_samba_home_dirs 1
373
374
375

HOME_EXEC

377       The SELinux user sysadm_u is able execute home content files.
378
379

TRANSITIONS

381       Three things can happen when sysadm_t attempts to execute a program.
382
383       1. SELinux Policy can deny sysadm_t from executing the program.
384
385
386
387       2. SELinux Policy can allow sysadm_t to execute the program in the cur‐
388       rent user type.
389
390              Execute the following to see the types  that  the  SELinux  user
391              sysadm_t can execute without transitioning:
392
393              sesearch -A -s sysadm_t -c file -p execute_no_trans
394
395
396
397       3.  SELinux can allow sysadm_t to execute the program and transition to
398       a new type.
399
400              Execute the following to see the types  that  the  SELinux  user
401              sysadm_t can execute and transition:
402
403              $ sesearch -A -s sysadm_t -c process -p transition
404
405
406

MANAGED FILES

408       The  SELinux  process  type  sysadm_t can manage files labeled with the
409       following file types.  The paths listed are the default paths for these
410       file types.  Note the processes UID still need to have DAC permissions.
411
412       adjtime_t
413
414            /etc/adjtime
415
416       admin_home_t
417
418            /root(/.*)?
419
420       anon_inodefs_t
421
422
423       auditd_etc_t
424
425            /etc/audit(/.*)?
426
427       auditd_log_t
428
429            /var/log/audit(/.*)?
430            /var/log/audit.log.*
431
432       auth_cache_t
433
434            /var/cache/coolkey(/.*)?
435
436       boolean_type
437
438
439       cgroup_t
440
441            /sys/fs/cgroup
442
443       chrome_sandbox_tmpfs_t
444
445
446       cifs_t
447
448
449       default_context_t
450
451            /etc/selinux/([^/]*/)?contexts(/.*)?
452            /root/.default_contexts
453
454       dirsrv_config_t
455
456            /etc/dirsrv(/.*)?
457
458       dirsrv_var_lib_t
459
460            /var/lib/dirsrv(/.*)?
461
462       dirsrv_var_log_t
463
464            /var/log/dirsrv(/.*)?
465
466       dirsrv_var_run_t
467
468            /var/run/slapd.*
469            /var/run/dirsrv(/.*)?
470
471       dosfs_t
472
473
474       etc_aliases_t
475
476            /etc/mail/.*.db
477            /etc/mail/aliases.*
478            /etc/postfix/aliases.*
479            /etc/aliases
480            /etc/aliases.db
481
482       etc_runtime_t
483
484            /[^/]+
485            /etc/mtab.*
486            /etc/blkid(/.*)?
487            /etc/nologin.*
488            /etc/.fstab.hal..+
489            /halt
490            /fastboot
491            /poweroff
492            /.autofsck
493            /etc/cmtab
494            /forcefsck
495            /.suspended
496            /fsckoptions
497            /.autorelabel
498            /etc/.updated
499            /var/.updated
500            /etc/killpower
501            /etc/nohotplug
502            /etc/securetty
503            /etc/ioctl.save
504            /etc/fstab.REVOKE
505            /etc/network/ifstate
506            /etc/sysconfig/hwconf
507            /etc/ptal/ptal-printd-like
508            /etc/sysconfig/iptables.save
509            /etc/xorg.conf.d/00-system-setup-keyboard.conf
510            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
511
512       file_context_t
513
514            /etc/selinux/([^/]*/)?contexts/files(/.*)?
515
516       gconf_tmp_t
517
518            /tmp/gconfd-[^/]+/.*
519
520       git_user_content_t
521
522            /home/[^/]+/public_git(/.*)?
523
524       gkeyringd_tmp_t
525
526            /var/run/user/[^/]*/keyring.*
527
528       gnome_home_type
529
530
531       hwloc_var_run_t
532
533            /var/run/hwloc(/.*)?
534
535       iceauth_home_t
536
537            /root/.DCOP.*
538            /root/.ICEauthority.*
539            /home/[^/]+/.DCOP.*
540            /home/[^/]+/.ICEauthority.*
541
542       irc_home_t
543
544            /home/[^/]+/.irssi(/.*)?
545            /home/[^/]+/irclog(/.*)?
546            /home/[^/]+/.ircmotd
547
548       irc_tmp_t
549
550
551       irssi_home_t
552
553
554       krb5_host_rcache_t
555
556            /var/cache/krb5rcache(/.*)?
557            /var/tmp/nfs_0
558            /var/tmp/DNS_25
559            /var/tmp/host_0
560            /var/tmp/imap_0
561            /var/tmp/HTTP_23
562            /var/tmp/HTTP_48
563            /var/tmp/ldap_55
564            /var/tmp/ldap_487
565            /var/tmp/ldapmap1_0
566
567       krb5_keytab_t
568
569            /etc/krb5.keytab
570            /etc/krb5kdc/kadm5.keytab
571            /var/kerberos/krb5kdc/kadm5.keytab
572
573       mail_spool_t
574
575            /var/mail(/.*)?
576            /var/spool/imap(/.*)?
577            /var/spool/mail(/.*)?
578            /var/spool/smtpd(/.*)?
579
580       mpd_user_data_t
581
582
583       mqueue_spool_t
584
585            /var/spool/(client)?mqueue(/.*)?
586            /var/spool/mqueue.in(/.*)?
587
588       nfs_t
589
590
591       non_security_file_type
592
593
594       noxattrfs
595
596            all files on file systems which do not support extended attributes
597
598       ntp_drift_t
599
600            /var/lib/ntp(/.*)?
601            /etc/ntp/data(/.*)?
602            /var/lib/sntp(/.*)?
603            /var/lib/sntp-kod(/.*)?
604
605       ntpd_key_t
606
607            /etc/ntp/crypto(/.*)?
608            /etc/ntp/keys
609
610       ntpd_log_t
611
612            /var/log/ntp.*
613            /var/log/xntpd.*
614            /var/log/ntpstats(/.*)?
615
616       ntpd_tmp_t
617
618
619       ntpd_unit_file_t
620
621            /usr/lib/systemd/system/ntpd.*
622
623       ntpd_var_run_t
624
625            /var/run/ntpd.pid
626
627       policy_src_t
628
629            /usr/lib/selinux(/.*)?
630
631       postfix_data_t
632
633            /var/lib/postfix.*
634
635       postfix_etc_t
636
637            /etc/postfix.*
638
639       postfix_map_tmp_t
640
641
642       postfix_prng_t
643
644            /etc/postfix/prng_exch
645
646       postfix_public_t
647
648            /var/spool/postfix/public(/.*)?
649
650       postfix_spool_type
651
652
653       postfix_var_run_t
654
655            /var/spool/postfix/pid/.*
656
657       postgresql_db_t
658
659            /var/lib/pgsql(/.*)?
660            /var/lib/sepgsql(/.*)?
661            /var/lib/postgres(ql)?(/.*)?
662            /usr/share/jonas/pgsql(/.*)?
663            /usr/lib/pgsql/test/regress(/.*)?
664
665       postgresql_etc_t
666
667            /etc/postgresql(/.*)?
668            /etc/sysconfig/pgsql(/.*)?
669
670       postgresql_log_t
671
672            /var/lib/pgsql/.*.log
673            /var/log/rhdb/rhdb(/.*)?
674            /var/log/postgresql(/.*)?
675            /var/log/postgres.log.*
676            /var/lib/pgsql/logfile(/.*)?
677            /var/lib/pgsql/data/log(/.*)?
678            /var/log/sepostgresql.log.*
679            /var/lib/pgsql/data/pg_log(/.*)?
680            /var/lib/sepgsql/pgstartup.log
681
682       postgresql_tmp_t
683
684
685       postgresql_var_run_t
686
687            /var/run/postgresql(/.*)?
688
689       screen_home_t
690
691            /root/.screen(/.*)?
692            /home/[^/]+/.screen(/.*)?
693            /home/[^/]+/.screenrc
694            /home/[^/]+/.tmux.conf
695
696       security_t
697
698            /selinux
699
700       selinux_config_t
701
702            /etc/selinux(/.*)?
703            /etc/selinux/([^/]*/)?seusers
704            /etc/selinux/([^/]*/)?users(/.*)?
705            /etc/selinux/([^/]*/)?setrans.conf
706            /var/lib/sepolgen(/.*)?
707
708       selinux_login_config_t
709
710            /etc/selinux/([^/]*/)?logins(/.*)?
711
712       semanage_store_t
713
714            /etc/selinux/([^/]*/)?policy(/.*)?
715            /etc/selinux/(minimum|mls|targeted)/active(/.*)?
716            /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
717            /var/lib/selinux(/.*)?
718            /etc/share/selinux/mls(/.*)?
719            /etc/share/selinux/targeted(/.*)?
720
721       slapd_cert_t
722
723            /etc/openldap/certs(/.*)?
724
725       slapd_db_t
726
727            /var/lib/ldap(/.*)?
728            /etc/openldap/slapd.d(/.*)?
729            /var/lib/openldap-data(/.*)?
730            /var/lib/openldap-ldbm(/.*)?
731            /var/lib/openldap-slurpd(/.*)?
732
733       slapd_etc_t
734
735            /etc/ldap/slapd.conf
736
737       slapd_keytab_t
738
739
740       slapd_lock_t
741
742            /var/lock/subsys/ldap
743            /var/lock/subsys/slapd
744
745       slapd_replog_t
746
747            /var/lib/ldap/replog(/.*)?
748
749       slapd_tmp_t
750
751
752       slapd_unit_file_t
753
754            /usr/lib/systemd/system/slapd.*
755
756       slapd_var_run_t
757
758            /var/run/openldap(/.*)?
759            /var/run/ldapi
760            /var/run/slapd.pid
761            /var/run/slapd.args
762
763       ssh_home_t
764
765            /var/lib/[^/]+/.ssh(/.*)?
766            /root/.ssh(/.*)?
767            /var/lib/one/.ssh(/.*)?
768            /var/lib/pgsql/.ssh(/.*)?
769            /var/lib/openshift/[^/]+/.ssh(/.*)?
770            /var/lib/amanda/.ssh(/.*)?
771            /var/lib/stickshift/[^/]+/.ssh(/.*)?
772            /var/lib/gitolite/.ssh(/.*)?
773            /var/lib/nocpulse/.ssh(/.*)?
774            /var/lib/gitolite3/.ssh(/.*)?
775            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
776            /root/.shosts
777            /home/[^/]+/.ssh(/.*)?
778            /home/[^/]+/.ansible/cp/.*
779            /home/[^/]+/.shosts
780
781       sysctl_type
782
783
784       systemd_passwd_var_run_t
785
786            /var/run/systemd/ask-password(/.*)?
787            /var/run/systemd/ask-password-block(/.*)?
788
789       systemd_unit_file_type
790
791
792       tracefs_t
793
794
795       usbfs_t
796
797
798       user_fonts_cache_t
799
800            /root/.fontconfig(/.*)?
801            /root/.fonts/auto(/.*)?
802            /root/.fonts.cache-.*
803            /home/[^/]+/.fontconfig(/.*)?
804            /home/[^/]+/.fonts/auto(/.*)?
805            /home/[^/]+/.fonts.cache-.*
806
807       user_fonts_config_t
808
809            /root/.fonts.d(/.*)?
810            /root/.fonts.conf
811            /home/[^/]+/.fonts.d(/.*)?
812            /home/[^/]+/.fonts.conf
813
814       user_fonts_t
815
816            /root/.fonts(/.*)?
817            /tmp/.font-unix(/.*)?
818            /home/[^/]+/.fonts(/.*)?
819            /home/[^/]+/.local/share/fonts(/.*)?
820
821       user_home_t
822
823            /home/[^/]+/.+
824
825       user_home_type
826
827            all user home files
828
829       user_tmp_t
830
831            /dev/shm/mono.*
832            /var/run/user(/.*)?
833            /tmp/.ICE-unix(/.*)?
834            /tmp/.X11-unix(/.*)?
835            /dev/shm/pulse-shm.*
836            /tmp/.X0-lock
837            /tmp/hsperfdata_root
838            /var/tmp/hsperfdata_root
839            /home/[^/]+/tmp
840            /home/[^/]+/.tmp
841            /tmp/gconfd-[^/]+
842
843       user_tmp_type
844
845            all user tmp files
846
847       vmware_conf_t
848
849            /home/[^/]+/.vmware[^/]*/.*.cfg
850
851       vmware_file_t
852
853            /home/[^/]+/vmware(/.*)?
854            /home/[^/]+/.vmware(/.*)?
855
856       vmware_tmp_t
857
858
859       vmware_tmpfs_t
860
861
862       wireshark_home_t
863
864            /home/[^/]+/.wireshark(/.*)?
865
866       wireshark_tmp_t
867
868
869       wireshark_tmpfs_t
870
871
872       xauth_home_t
873
874            /root/.Xauth.*
875            /root/.xauth.*
876            /root/.Xauthority.*
877            /root/.serverauth.*
878            /var/lib/pqsql/.xauth.*
879            /var/lib/pqsql/.Xauthority.*
880            /var/lib/nxserver/home/.xauth.*
881            /var/lib/nxserver/home/.Xauthority.*
882            /home/[^/]+/.Xauth.*
883            /home/[^/]+/.xauth.*
884            /home/[^/]+/.Xauthority.*
885            /home/[^/]+/.serverauth.*
886
887       xserver_tmpfs_t
888
889
890

COMMANDS

892       semanage  fcontext  can also be used to manipulate default file context
893       mappings.
894
895       semanage permissive can also be used to manipulate  whether  or  not  a
896       process type is permissive.
897
898       semanage  module can also be used to enable/disable/install/remove pol‐
899       icy modules.
900
901       semanage boolean can also be used to manipulate the booleans
902
903
904       system-config-selinux is a GUI tool available to customize SELinux pol‐
905       icy settings.
906
907

AUTHOR

909       This manual page was auto-generated using sepolicy manpage .
910
911