user_selinux(8)          user SELinux Policy documentation          user_selinux(8)



NAME
user_u - Generic unprivileged user - Security Enhanced Linux Policy


DESCRIPTION
user_u is an SELinux user defined in the SELinux policy. SELinux users
have a default role, user_r. The default role has a default type,
user_t, associated with it.

The SELinux user will usually log in to a system with a context that
looks like:

user_u:user_r:user_t:s0

Linux users are automatically assigned an SELinux user at login. Login
programs (login, sshd, display managers) use the SELinux user to assign
the initial context to the user's shell; id -Z shows the context of the
current shell.

SELinux policy uses the context to control the user's access.

By default, Linux users without an explicit mapping are assigned to an
SELinux user via the __default__ login record.

On targeted policy systems the __default__ record is mapped to the
unconfined_u SELinux user.

You can list all Linux user to SELinux user mappings using:

semanage login -l

If you wanted to change the default user mapping to use the user_u
user, you would execute:

semanage login -m -s user_u __default__

Mapping changes apply to new logins only; sessions that are already
open keep their current context.

If you want to map one Linux user (joe) to the SELinux user user_u,
you would execute:

semanage login -a -s user_u joe
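The mapping records above interact: libselinux resolves a login's SELinux user by exact Login Name first, then by a %group record, and only then by __default__, so a %wheel record can still hand a user sysadm_u after __default__ has been moved to user_u. The POSIX shell script below is an added example and not part of the generated man page; it reproduces that precedence over a constructed listing in the shape of `semanage login -l` output (the records and the group memberships are made up for illustration; libselinux takes the first matching %group line in /etc/selinux/<policy>/seusers, which the semanage listing may order differently) and flags every login that still maps to unconfined_u.

```shell
#!/bin/sh
# Added example: predict the SELinux user a Linux login will receive.
# Constructed sample in the shape of `semanage login -l` output; not from a live system.
SAMPLE_LOGINS='
Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
%wheel               sysadm_u             s0-s0:c0.c1023       *
joe                  user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
'

# Constructed group memberships, in the shape of `id -Gn LOGIN` output.
groups_of() {
  case $1 in
    joe)   echo "joe users" ;;
    alice) echo "alice wheel users" ;;
    root)  echo "root" ;;
    *)     echo "$1" ;;
  esac
}

# resolve_seuser LOGIN -> the SELinux user the login record set selects
# (assumed precedence: exact Login Name, then first matching %group, then __default__)
resolve_seuser() {
  printf '%s\n' "$SAMPLE_LOGINS" | awk -v login="$1" -v groups="$(groups_of "$1")" '
    NF < 2 || $1 == "Login" { next }              # skip header and blank lines
    $1 == login             { exact = $2 }
    $1 == "__default__"     { def = $2 }
    substr($1, 1, 1) == "%" && grp == "" {
      n = split(groups, g, " ")
      for (i = 1; i <= n; i++) if (("%" g[i]) == $1) grp = $2
    }
    END {
      if (exact != "")    print exact
      else if (grp != "") print grp
      else                print def
    }'
}

# unconfined_logins -> Login Names still mapped to unconfined_u, one per line
unconfined_logins() {
  printf '%s\n' "$SAMPLE_LOGINS" | awk 'NF >= 2 && $2 == "unconfined_u" { print $1 }'
}

for u in joe alice bob root; do
  printf '%-6s -> %s\n' "$u" "$(resolve_seuser "$u")"
done
echo "still unconfined: $(unconfined_logins | tr '\n' ' ')"
```

To run this against a live host, replace SAMPLE_LOGINS with the output of `semanage login -l` and groups_of with `id -Gn "$1"`, then log in as the user and confirm the result with id -Z.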


USER
The SELinux user user_u is defined in policy as an unprivileged user.
SELinux prevents unprivileged users from doing administration tasks
without transitioning to a different role.


X WINDOWS LOGIN
The SELinux user user_u is able to log in through X Windows (a graphical
display manager).


NETWORK
The SELinux user user_u is able to listen on the following tcp ports.

6000-6020

3689

all ports > 1024

32768-61000

all ports without defined types


The SELinux user user_u is able to connect to the following tcp ports.

all ports

8955

53,853

5432,9898

389,636,3268,3269,7389

111

all ports < 1024

32768-61000

all ports without defined types

88,750,4444

9080


The SELinux user user_u is able to listen on the following udp ports.

all ports without defined types

32768-61000

all ports > 1024


BOOLEANS
SELinux policy is customizable based on the least access required. The
user policy is flexible and has several booleans that let you tune the
policy and run user_u with the tightest access possible. Check a
boolean's current value with getsebool; setsebool -P writes the change
to the persistent policy store as well as to the running kernel.



If you want to allow users to resolve user passwd entries directly from
LDAP rather than through an sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1



If you want to determine whether crond can execute jobs in the user
domain as opposed to the generic cronjob domain, you must turn on the
cron_userdomain_transition boolean. Enabled by default.

setsebool -P cron_userdomain_transition 1



If you want to deny applications in user domains from mapping a memory
region as both executable and writable, you must turn on the
deny_execmem boolean. A program that needs such a mapping is dangerous
and should be reported in bugzilla. Enabled by default.

setsebool -P deny_execmem 1



If you want to deny any process from ptracing or debugging any other
process, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1


If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1



If you want to determine whether calling user domains can execute the
Git daemon in the git_session_t domain, you must turn on the
git_session_users boolean. Disabled by default.

setsebool -P git_session_users 1



If you want to allow httpd CGI support, you must turn on the
httpd_enable_cgi boolean. Enabled by default.

setsebool -P httpd_enable_cgi 1



If you want to allow confined applications to run with Kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1



If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1



If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Enabled by default.

setsebool -P nscd_use_shm 1



If you want to determine whether calling user domains can execute the
Polipo daemon in the polipo_session_t domain, you must turn on the
polipo_session_users boolean. Disabled by default.

setsebool -P polipo_session_users 1



If you want to allow pppd to be run for a regular user, you must turn
on the pppd_for_user boolean. Disabled by default.

setsebool -P pppd_for_user 1


If you want to allow all unconfined executables to use libraries
requiring text relocation that are not labeled textrel_shlib_t, you
must turn on the selinuxuser_execmod boolean. Enabled by default.

setsebool -P selinuxuser_execmod 1



If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1



If you want to allow users to connect to the local mysql server, you
must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
default.

setsebool -P selinuxuser_mysql_connect_enabled 1



If you want to allow confined users the ability to execute the ping and
traceroute commands, you must turn on the selinuxuser_ping boolean.
Enabled by default.

setsebool -P selinuxuser_ping 1



If you want to allow users to connect to PostgreSQL, you must turn on
the selinuxuser_postgresql_connect_enabled boolean. Disabled by
default.

setsebool -P selinuxuser_postgresql_connect_enabled 1



If you want to allow users to read and write files on filesystems that
do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
the selinuxuser_rw_noexattrfile boolean. Enabled by default.

setsebool -P selinuxuser_rw_noexattrfile 1



If you want to allow users to use an ssh chroot environment, you must
turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

setsebool -P selinuxuser_use_ssh_chroot 1



If you want to allow unprivileged users to create and transition to
svirt domains, you must turn on the unprivuser_use_svirt boolean.
Disabled by default.

setsebool -P unprivuser_use_svirt 1



If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1



If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1
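Each boolean above is set with its own setsebool -P call, and several defaults (selinuxuser_execstack, selinuxuser_execmod) permit behaviour the text itself says should never be necessary, so on a host that confines its users as user_u it is worth checking the whole set at once. The POSIX shell script below is an added example and not part of the generated man page: it compares a constructed listing in the shape of `getsebool -a` output against a hardening baseline chosen by the editor (an assumption, not a policy default) and emits only the setsebool -P commands needed to close the gap, reporting baseline booleans the installed policy does not define instead of trying to set them.

```shell
#!/bin/sh
# Added example: emit the setsebool -P commands needed to reach a chosen baseline.
# Constructed sample in the shape of `getsebool -a` output; not from a live system.
SAMPLE_BOOLS='deny_execmem --> off
deny_ptrace --> off
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_ping --> on
selinuxuser_use_ssh_chroot --> off
unprivuser_use_svirt --> off'

# Editor-chosen baseline for a host whose users run as user_u; not a policy default.
# Format: "<boolean> <on|off>". polipo_session_users is included to exercise the
# case of a boolean that the installed policy no longer defines.
BASELINE='deny_execmem on
deny_ptrace on
selinuxuser_execmod off
selinuxuser_execstack off
selinuxuser_ping on
unprivuser_use_svirt off
polipo_session_users off'

# current_state NAME -> "on", "off", or empty when the policy lacks the boolean
current_state() {
  printf '%s\n' "$SAMPLE_BOOLS" | awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }'
}

# boolean_drift -> one line per divergence: a setsebool -P command, or a
# comment naming a baseline boolean the installed policy does not define
boolean_drift() {
  printf '%s\n' "$BASELINE" | while read -r name want; do
    have=$(current_state "$name")
    if [ -z "$have" ]; then
      echo "# $name: not defined by the installed policy"
    elif [ "$have" != "$want" ]; then
      case $want in on) v=1 ;; *) v=0 ;; esac
      echo "setsebool -P $name $v"
    fi
  done
}

boolean_drift
```

On a live host, replace SAMPLE_BOOLS with the output of `getsebool -a`; the emitted commands can be reviewed before being run, and a second pass should then print nothing.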



HOME_EXEC
The SELinux user user_u is able to execute home content files.


TRANSITIONS
Three things can happen when user_t attempts to execute a program.

1. SELinux policy can deny user_t from executing the program.



2. SELinux policy can allow user_t to execute the program in the
current user type.

Execute the following to see the file types that the SELinux type
user_t can execute without transitioning:

sesearch -A -s user_t -c file -p execute_no_trans



3. SELinux can allow user_t to execute the program and transition to a
new type.

Execute the following to see the domains that the SELinux type user_t
is allowed to transition into:

sesearch -A -s user_t -c process -p transition

The allow rules say which transitions are permitted; the type_transition
rules that choose the new domain for a given executable type are listed
with:

sesearch -T -s user_t -c process
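Which of the three outcomes applies depends on the rules that exist for the executable's file type: an allow rule granting execute, an execute_no_trans permission for running in the caller's domain, and a type_transition rule that is only honoured when user_t holds process:transition to the new domain and the new domain holds file:entrypoint on the executable type. The POSIX shell script below is an added example and not part of the generated man page; it applies that logic to a constructed rule listing written in the format setools' sesearch prints (the rules are illustrative samples, not dumped from a real policy) and includes the case of a type_transition whose process:transition permission is missing.

```shell
#!/bin/sh
# Added example: predict what happens when user_t executes a file of a given type.
# Constructed rule listings in the format `sesearch` prints; not from a live policy.
ALLOW_RULES='allow user_t bin_t:file { execute execute_no_trans getattr ioctl map open read };
allow user_t user_home_t:file { execute execute_no_trans getattr ioctl map open read };
allow user_t passwd_exec_t:file { execute getattr map open read };
allow user_t passwd_t:process { sigchld siginh transition };
allow passwd_t passwd_exec_t:file entrypoint;
allow user_t su_exec_t:file { execute getattr map open read };
allow user_t shadow_t:file getattr;'
TRANS_RULES='type_transition user_t passwd_exec_t:process passwd_t;
type_transition user_t su_exec_t:process su_t;'

# perms_of SOURCE TARGET CLASS -> space-separated permissions granted, or empty
perms_of() {
  printf '%s\n' "$ALLOW_RULES" | awk -v src="$1" -v tgt="$2:$3" '
    $1 == "allow" && $2 == src && $3 == tgt {
      for (i = 4; i <= NF; i++) { gsub(/[{};]/, "", $i); if ($i != "") printf "%s ", $i }
    }
    END { print "" }'
}

# has_perm "PERMS" PERM -> true when PERM is in the space-separated list
has_perm() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# exec_outcome EXEC_TYPE -> "denied", "user_t" (runs in the caller's domain),
# or the name of the domain user_t transitions to
exec_outcome() {
  t=$1
  file_perms=$(perms_of user_t "$t" file)
  has_perm "$file_perms" execute || { echo denied; return; }
  new=$(printf '%s\n' "$TRANS_RULES" | awk -v t="$t" '
    $1 == "type_transition" && $2 == "user_t" && $3 == (t ":process") { sub(/;$/, "", $4); print $4 }')
  if [ -n "$new" ]; then
    # a type_transition is only honoured when both sides are allowed:
    # user_t -> new:process transition and new -> exec type:file entrypoint
    if has_perm "$(perms_of user_t "$new" process)" transition &&
       has_perm "$(perms_of "$new" "$t" file)" entrypoint; then
      echo "$new"
    else
      echo denied
    fi
  elif has_perm "$file_perms" execute_no_trans; then
    echo user_t
  else
    echo denied
  fi
}

for t in bin_t user_home_t passwd_exec_t su_exec_t shadow_t; do
  printf '%-14s -> %s\n' "$t" "$(exec_outcome "$t")"
done
```

On a live host the two listings come from `sesearch -A -s user_t` plus `sesearch -A -c file -p entrypoint`, and from `sesearch -T -s user_t -c process`; the su_exec_t sample shows why a type_transition rule alone does not guarantee that the program runs.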



MANAGED FILES
The SELinux process type user_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

alsa_home_t

/home/[^/]+/.asoundrc

anon_inodefs_t


auth_cache_t

/var/cache/coolkey(/.*)?

bluetooth_helper_tmp_t


bluetooth_helper_tmpfs_t


cgroup_t

/sys/fs/cgroup

chrome_sandbox_tmpfs_t


cifs_t


dosfs_t


games_data_t

/var/games(/.*)?
/var/lib/games(/.*)?

gconf_tmp_t

/tmp/gconfd-[^/]+/.*

git_user_content_t

/home/[^/]+/public_git(/.*)?

gkeyringd_tmp_t

/var/run/user/[^/]*/keyring.*

gnome_home_type


gpg_agent_tmp_t

/home/[^/]+/.gnupg/log-socket

httpd_user_content_t

/home/[^/]+/((www)|(web)|(public_html))(/.+)?

httpd_user_htaccess_t

/home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

httpd_user_ra_content_t

/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

httpd_user_rw_content_t


httpd_user_script_exec_t

/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

irc_home_t

/home/[^/]+/.irssi(/.*)?
/home/[^/]+/irclog(/.*)?
/home/[^/]+/.ircmotd

irc_tmp_t


irssi_home_t


mail_spool_t

/var/mail(/.*)?
/var/spool/imap(/.*)?
/var/spool/mail(/.*)?
/var/spool/smtpd(/.*)?

mpd_user_data_t


mqueue_spool_t

/var/spool/(client)?mqueue(/.*)?
/var/spool/mqueue.in(/.*)?

nfs_t


noxattrfs

all files on file systems which do not support extended attributes

pulseaudio_tmpfs_t


pulseaudio_tmpfsfile


sandbox_file_t


sandbox_tmpfs_type

all sandbox content in tmpfs file systems

screen_home_t

/root/.screen(/.*)?
/home/[^/]+/.screen(/.*)?
/home/[^/]+/.screenrc
/home/[^/]+/.tmux.conf

security_t

/selinux

ssh_home_t

/var/lib/[^/]+/.ssh(/.*)?
/root/.ssh(/.*)?
/var/lib/one/.ssh(/.*)?
/var/lib/pgsql/.ssh(/.*)?
/var/lib/openshift/[^/]+/.ssh(/.*)?
/var/lib/amanda/.ssh(/.*)?
/var/lib/stickshift/[^/]+/.ssh(/.*)?
/var/lib/gitolite/.ssh(/.*)?
/var/lib/nocpulse/.ssh(/.*)?
/var/lib/gitolite3/.ssh(/.*)?
/var/lib/openshift/gear/[^/]+/.ssh(/.*)?
/root/.shosts
/home/[^/]+/.ssh(/.*)?
/home/[^/]+/.ansible/cp/.*
/home/[^/]+/.shosts

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?

usbfs_t


user_fonts_cache_t

/root/.fontconfig(/.*)?
/root/.fonts/auto(/.*)?
/root/.fonts.cache-.*
/home/[^/]+/.fontconfig(/.*)?
/home/[^/]+/.fonts/auto(/.*)?
/home/[^/]+/.fonts.cache-.*

user_home_type

all user home files

user_tmp_t

/dev/shm/mono.*
/var/run/user(/.*)?
/tmp/.ICE-unix(/.*)?
/tmp/.X11-unix(/.*)?
/dev/shm/pulse-shm.*
/tmp/.X0-lock
/tmp/hsperfdata_root
/var/tmp/hsperfdata_root
/home/[^/]+/tmp
/home/[^/]+/.tmp
/tmp/gconfd-[^/]+

user_tmp_type

all user tmp files

virt_image_type

all virtual image files

xserver_tmpfs_t



COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove policy
modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux
policy settings.


AUTHOR
This manual page was auto-generated using sepolicy manpage.


SEE ALSO
selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8),
user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8),
user_ssh_agent_selinux(8), user_t_selinux(8), user_wine_selinux(8)



mgrepl@redhat.com                       user                       user_selinux(8)