sysadm_selinux(8) sysadm SELinux Policy documentation sysadm_selinux(8)



sysadm_u - General system administration role - Security Enhanced Linux
Policy


sysadm_u is an SELinux user defined in the SELinux policy. SELinux
users have a default role; for sysadm_u it is sysadm_r. The default role
has a default type, sysadm_t, associated with it.

The SELinux user will usually log in to a system with a context that
looks like:

sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

Linux users are automatically assigned an SELinux user at login. Login
programs use the SELinux user to assign the initial context to the
user's shell.

SELinux policy uses the context to control the user's access.

By default all Linux users are assigned to an SELinux user via the
__default__ login entry.

On targeted policy systems the __default__ entry is assigned to the
unconfined_u SELinux user.

You can list all Linux user to SELinux user mappings using:

semanage login -l

If you wanted to change the default user mapping to use the sysadm_u
user, you would execute:

semanage login -m -s sysadm_u __default__


If you want to map a single Linux user (joe) to the SELinux user
sysadm_u, you would execute:

$ semanage login -a -s sysadm_u joe
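The resolution rule just described (an explicit semanage login entry wins, otherwise __default__ applies) is easy to get wrong when auditing who ends up as sysadm_u. The script below is an added example, not part of this man page or of the sepolicy tooling: it resolves a Linux login to its SELinux user and MLS range from a constructed copy of `semanage login -l` output, then assembles the login context in the form shown above. The sample table, the login names in it, and the role/type arguments passed to expected_context are assumptions; to check a real host, replace SEMANAGE_LOGIN_SAMPLE with the live output of `semanage login -l`.

```shell
#!/bin/sh
# Added example: resolve which SELinux user a Linux login maps to, applying
# the __default__ fallback.  SEMANAGE_LOGIN_SAMPLE is a constructed copy of
# what `semanage login -l` prints; swap in live output to audit a real system.
SEMANAGE_LOGIN_SAMPLE='
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
'

# selinux_user_for LOGIN: print the SELinux user LOGIN receives at login.
# An explicit entry wins; otherwise the __default__ entry applies.
selinux_user_for() {
    printf '%s\n' "$SEMANAGE_LOGIN_SAMPLE" | awk -v login="$1" '
        NF < 2 || $1 == "Login" { next }        # skip header and blank lines
        $1 == login             { found = $2 }
        $1 == "__default__"     { dflt = $2 }
        END { print (found != "" ? found : dflt) }'
}

# mls_range_for LOGIN: the MLS/MCS range (third column) from the same entry.
mls_range_for() {
    printf '%s\n' "$SEMANAGE_LOGIN_SAMPLE" | awk -v login="$1" '
        NF < 2 || $1 == "Login" { next }
        $1 == login             { found = $3 }
        $1 == "__default__"     { dflt = $3 }
        END { print (found != "" ? found : dflt) }'
}

# expected_context LOGIN ROLE TYPE: the user:role:type:range context the
# login shell should start with.  ROLE and TYPE are supplied by the caller
# (for sysadm_u the page states sysadm_r and sysadm_t).
expected_context() {
    seuser=$(selinux_user_for "$1")
    printf '%s:%s:%s:%s\n' "$seuser" "$2" "$3" "$(mls_range_for "$1")"
}

# Usage: who is joe, and what context does his shell get?
selinux_user_for joe
expected_context joe sysadm_r sysadm_t
```

Running the functions against the constructed table reports sysadm_u for joe, unconfined_u for root and for any login that has no explicit entry, and the context sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 for joe, which is the shape of the context line quoted above.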



The SELinux user sysadm_u is an admin user. This means that a Linux user
mapped to this SELinux user is intended for administrative actions.
Usually this is assigned to the root Linux user.


The SELinux user sysadm_u can execute sudo.

You can set up sudo to allow sysadm_u to transition to an administrative
domain:

Add one or more of the following records to sudoers using visudo.


USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL

You might also need to add one or more of these new roles to your
SELinux user record.

List the SELinux roles your SELinux user can reach by executing:

$ semanage user -l | grep sysadm_u

Modify the roles list so that it includes the role used in the record
above (user_r):

$ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

For more details see the semanage man page.


USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL

You might also need to add one or more of these new roles to your
SELinux user record.

List the SELinux roles your SELinux user can reach by executing:

$ semanage user -l | grep sysadm_u

Modify the roles list so that it includes the role used in the record
above (staff_r):

$ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

For more details see the semanage man page.


USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL

You might also need to add one or more of these new roles to your
SELinux user record.

List the SELinux roles your SELinux user can reach by executing:

$ semanage user -l | grep sysadm_u

Modify the roles list so that it includes the role used in the record
above (secadm_r):

$ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

For more details see the semanage man page.


USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL

You might also need to add one or more of these new roles to your
SELinux user record.

List the SELinux roles your SELinux user can reach by executing:

$ semanage user -l | grep sysadm_u

Modify the roles list so that it includes the role used in the record
above (auditadm_r):

$ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

For more details see the semanage man page.


The SELinux type sysadm_t is not allowed to execute sudo.


The SELinux user sysadm_u is able to log in through X Windows.


The SELinux user sysadm_u is able to listen on the following tcp ports.

389,636,3268,3269,7389

all ports without defined types

32768-60999

all ports > 1024


The SELinux user sysadm_u is able to connect to the following tcp
ports.

all ports

5432,9898

8955

53,853

389,636,3268,3269,7389

32768-60999

all ports without defined types

111

9080

88,750,4444

all ports < 1024


The SELinux user sysadm_u is able to listen on the following udp ports.

123

32768-60999

all ports without defined types

all ports > 1024


The SELinux user sysadm_u is able to connect to the following tcp
ports.

all ports

5432,9898

8955

53,853

389,636,3268,3269,7389

32768-60999

all ports without defined types

111

9080

88,750,4444

all ports < 1024


SELinux policy is customizable based on the least access required. The
sysadm policy is extremely flexible and has several booleans that allow
you to manipulate the policy and run sysadm with the tightest access
possible.



If you want to allow users to resolve user passwd entries directly from
ldap rather than using an sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1



If you want to determine whether crond can execute jobs in the user
domain as opposed to the generic cronjob domain, you must turn on the
cron_userdomain_transition boolean. Enabled by default.

setsebool -P cron_userdomain_transition 1



If you want to deny user-domain applications the ability to map a memory
region as both executable and writable (this is dangerous, and such an
executable should be reported in bugzilla), you must turn on the
deny_execmem boolean. Enabled by default.

setsebool -P deny_execmem 1



If you want to deny any process from ptracing or debugging any other
process, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1



If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1



If you want to determine whether calling user domains can execute the
Git daemon in the git_session_t domain, you must turn on the
git_session_users boolean. Disabled by default.

setsebool -P git_session_users 1



If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1



If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1



If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1



If you want to determine whether calling user domains can execute the
Polipo daemon in the polipo_session_t domain, you must turn on the
polipo_session_users boolean. Disabled by default.

setsebool -P polipo_session_users 1



If you want to allow unconfined executables to make their stack
executable (this should never, ever be necessary; it probably indicates
a badly coded executable, but could indicate an attack, and the
executable should be reported in bugzilla), you must turn on the
selinuxuser_execstack boolean. Enabled by default.

setsebool -P selinuxuser_execstack 1



If you want to allow users to connect to the local mysql server, you
must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
default.

setsebool -P selinuxuser_mysql_connect_enabled 1



If you want to allow users to connect to PostgreSQL, you must turn on
the selinuxuser_postgresql_connect_enabled boolean. Disabled by
default.

setsebool -P selinuxuser_postgresql_connect_enabled 1



If you want to allow users to read and write files on filesystems that
do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
the selinuxuser_rw_noexattrfile boolean. Disabled by default.

setsebool -P selinuxuser_rw_noexattrfile 1



If you want to allow users to run TCP servers (bind to ports and accept
connections from the same domain and outside users), you must turn on
the selinuxuser_tcp_server boolean. Disabling this forces FTP passive
mode and may change other protocols. Disabled by default.

setsebool -P selinuxuser_tcp_server 1



If you want to allow users to run UDP servers (bind to ports and accept
connections from the same domain and outside users), you must turn on
the selinuxuser_udp_server boolean. Disabling this may break avahi
discovering services on the network and other udp related services.
Disabled by default.

setsebool -P selinuxuser_udp_server 1



If you want to allow users to use an ssh chroot environment, you must
turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

setsebool -P selinuxuser_use_ssh_chroot 1



If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1



If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1
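Because each `setsebool -P` above is persistent, a host can drift a long way from the defaults this page documents (deny_ptrace switched off for a debugging session and never restored, selinuxuser_tcp_server left on after a test). The script below is an added example, not part of this man page or of the setsebool/getsebool tools: it compares a constructed copy of `getsebool -a` output against the documented defaults listed above and prints each boolean that differs, together with the `setsebool -P` command that would restore it. The sampled boolean states are assumptions chosen to show both kinds of drift; to audit a real host, replace GETSEBOOL_SAMPLE with the live output of `getsebool -a`.

```shell
#!/bin/sh
# Added example: report sysadm-related booleans whose live value differs
# from the default documented on this page.  DOCUMENTED_DEFAULTS is taken
# from the "Enabled/Disabled by default" statements above; GETSEBOOL_SAMPLE
# is a constructed copy of `getsebool -a` output ("name --> on|off").
DOCUMENTED_DEFAULTS='
deny_execmem on
deny_ptrace on
fips_mode on
selinuxuser_execstack on
selinuxuser_tcp_server off
selinuxuser_udp_server off
selinuxuser_rw_noexattrfile off
selinuxuser_use_ssh_chroot off
'

GETSEBOOL_SAMPLE='
deny_execmem --> on
deny_ptrace --> off
selinuxuser_execstack --> on
selinuxuser_tcp_server --> on
selinuxuser_udp_server --> off
selinuxuser_rw_noexattrfile --> off
selinuxuser_use_ssh_chroot --> off
'

# boolean_state NAME: print the sampled value of one boolean, or nothing if
# the loaded policy does not define it.
boolean_state() {
    printf '%s\n' "$GETSEBOOL_SAMPLE" | awk -v n="$1" '$1 == n { print $3 }'
}

# boolean_drift: one line per boolean that is missing from the policy or
# whose value differs from the documented default, including the command
# that restores the default persistently.
boolean_drift() {
    printf '%s\n' "$DOCUMENTED_DEFAULTS" | while read -r name want; do
        [ -n "$name" ] || continue
        have=$(boolean_state "$name")
        if [ -z "$have" ]; then
            printf '%s: not present in the loaded policy\n' "$name"
        elif [ "$have" != "$want" ]; then
            printf '%s: is %s, documented default %s (setsebool -P %s %s)\n' \
                "$name" "$have" "$want" "$name" "$want"
        fi
    done
}

# boolean_drift_count: number of drift lines, handy as a monitoring metric.
boolean_drift_count() {
    boolean_drift | awk 'END { print NR }'
}

# Usage: print the drift report.
boolean_drift
```

With the constructed sample the report has three lines: deny_ptrace is off although the page documents it as enabled, selinuxuser_tcp_server is on although it is documented as disabled, and fips_mode does not appear in the sampled policy at all. Treat a hit on deny_ptrace or deny_execmem as a finding worth explaining, since both booleans exist to stop unconfined user processes from debugging other processes or from creating writable-and-executable memory.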



The SELinux user sysadm_u is able to execute home content files.


Three things can happen when sysadm_t attempts to execute a program.

1. SELinux policy can deny sysadm_t from executing the program.



2. SELinux policy can allow sysadm_t to execute the program in the
current user type.

Execute the following to see the types that the SELinux type
sysadm_t can execute without transitioning:

$ sesearch -A -s sysadm_t -c file -p execute_no_trans



3. SELinux policy can allow sysadm_t to execute the program and
transition to a new type.

Execute the following to see the types that the SELinux type
sysadm_t can execute and transition to:

$ sesearch -A -s sysadm_t -c process -p transition



The SELinux process type sysadm_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

adjtime_t

/etc/adjtime

admin_home_t

/root(/.*)?

anon_inodefs_t


auditd_etc_t

/etc/audit(/.*)?

auditd_log_t

/var/log/audit(/.*)?
/var/log/audit.log.*

auth_cache_t

/var/cache/coolkey(/.*)?

boolean_type


cgroup_t

/sys/fs/cgroup

chrome_sandbox_tmpfs_t


cifs_t


default_context_t

/etc/selinux/([^/]*/)?contexts(/.*)?
/root/.default_contexts

dirsrv_config_t

/etc/dirsrv(/.*)?

dirsrv_var_lib_t

/var/lib/dirsrv(/.*)?

dirsrv_var_log_t

/var/log/dirsrv(/.*)?

dirsrv_var_run_t

/var/run/slapd.*
/var/run/dirsrv(/.*)?

dosfs_t


etc_aliases_t

/etc/mail/.*.db
/etc/mail/aliases.*
/etc/postfix/aliases.*
/etc/aliases
/etc/aliases.db

etc_runtime_t

/[^/]+
/etc/mtab.*
/etc/blkid(/.*)?
/etc/nologin.*
/etc/.fstab.hal..+
/halt
/fastboot
/poweroff
/.autofsck
/etc/cmtab
/forcefsck
/.suspended
/fsckoptions
/.autorelabel
/etc/.updated
/var/.updated
/etc/killpower
/etc/nohotplug
/etc/securetty
/etc/ioctl.save
/etc/fstab.REVOKE
/etc/network/ifstate
/etc/sysconfig/hwconf
/etc/ptal/ptal-printd-like
/etc/sysconfig/iptables.save
/etc/xorg.conf.d/00-system-setup-keyboard.conf
/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

file_context_t

/etc/selinux/([^/]*/)?contexts/files(/.*)?

gconf_tmp_t

/tmp/gconfd-[^/]+/.*

git_user_content_t

/home/[^/]+/public_git(/.*)?

gkeyringd_tmp_t

/var/run/user/[^/]*/keyring.*

gnome_home_type


hwloc_var_run_t

/var/run/hwloc(/.*)?

iceauth_home_t

/root/.DCOP.*
/root/.ICEauthority.*
/home/[^/]+/.DCOP.*
/home/[^/]+/.ICEauthority.*

irc_home_t

/home/[^/]+/.irssi(/.*)?
/home/[^/]+/irclog(/.*)?
/home/[^/]+/.ircmotd

irc_tmp_t


irssi_home_t


krb5_host_rcache_t

/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

krb5_keytab_t

/etc/krb5.keytab
/etc/krb5kdc/kadm5.keytab
/var/kerberos/krb5kdc/kadm5.keytab

mail_spool_t

/var/mail(/.*)?
/var/spool/imap(/.*)?
/var/spool/mail(/.*)?
/var/spool/smtpd(/.*)?

mpd_user_data_t


mqueue_spool_t

/var/spool/(client)?mqueue(/.*)?
/var/spool/mqueue.in(/.*)?

nfs_t


non_security_file_type


noxattrfs

all files on file systems which do not support extended attributes

ntp_drift_t

/var/lib/ntp(/.*)?
/etc/ntp/data(/.*)?
/var/lib/sntp(/.*)?
/var/lib/sntp-kod(/.*)?

ntpd_key_t

/etc/ntp/crypto(/.*)?
/etc/ntp/keys

ntpd_log_t

/var/log/ntp.*
/var/log/xntpd.*
/var/log/ntpstats(/.*)?

ntpd_tmp_t


ntpd_unit_file_t

/usr/lib/systemd/system/ntpd.*

ntpd_var_run_t

/var/run/ntpd.pid

policy_src_t

/usr/lib/selinux(/.*)?

postfix_data_t

/var/lib/postfix.*

postfix_etc_t

/etc/postfix.*

postfix_map_tmp_t


postfix_prng_t

/etc/postfix/prng_exch

postfix_public_t

/var/spool/postfix/public(/.*)?

postfix_spool_type


postfix_var_run_t

/var/spool/postfix/pid/.*

postgresql_db_t

/var/lib/pgsql(/.*)?
/var/lib/sepgsql(/.*)?
/var/lib/postgres(ql)?(/.*)?
/usr/share/jonas/pgsql(/.*)?
/usr/lib/pgsql/test/regress(/.*)?

postgresql_etc_t

/etc/postgresql(/.*)?
/etc/sysconfig/pgsql(/.*)?

postgresql_log_t

/var/lib/pgsql/.*.log
/var/log/rhdb/rhdb(/.*)?
/var/log/postgresql(/.*)?
/var/log/postgres.log.*
/var/lib/pgsql/logfile(/.*)?
/var/lib/pgsql/data/log(/.*)?
/var/log/sepostgresql.log.*
/var/lib/pgsql/data/pg_log(/.*)?
/var/lib/sepgsql/pgstartup.log

postgresql_tmp_t


postgresql_var_run_t

/var/run/postgresql(/.*)?

screen_home_t

/root/.screen(/.*)?
/home/[^/]+/.screen(/.*)?
/home/[^/]+/.screenrc
/home/[^/]+/.tmux.conf

security_t

/selinux

selinux_config_t

/etc/selinux(/.*)?
/etc/selinux/([^/]*/)?seusers
/etc/selinux/([^/]*/)?users(/.*)?
/etc/selinux/([^/]*/)?setrans.conf
/var/lib/sepolgen(/.*)?

selinux_login_config_t

/etc/selinux/([^/]*/)?logins(/.*)?

semanage_store_t

/etc/selinux/([^/]*/)?policy(/.*)?
/etc/selinux/(minimum|mls|targeted)/active(/.*)?
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
/var/lib/selinux(/.*)?
/etc/share/selinux/mls(/.*)?
/etc/share/selinux/targeted(/.*)?

slapd_cert_t

/etc/openldap/certs(/.*)?

slapd_db_t

/var/lib/ldap(/.*)?
/etc/openldap/slapd.d(/.*)?
/var/lib/openldap-data(/.*)?
/var/lib/openldap-ldbm(/.*)?
/var/lib/openldap-slurpd(/.*)?

slapd_etc_t

/etc/ldap/slapd.conf

slapd_keytab_t


slapd_lock_t

/var/lock/subsys/ldap
/var/lock/subsys/slapd

slapd_replog_t

/var/lib/ldap/replog(/.*)?

slapd_tmp_t


slapd_unit_file_t

/usr/lib/systemd/system/slapd.*

slapd_var_run_t

/var/run/openldap(/.*)?
/var/run/ldapi
/var/run/slapd.pid
/var/run/slapd.args

ssh_home_t

/var/lib/[^/]+/.ssh(/.*)?
/root/.ssh(/.*)?
/var/lib/one/.ssh(/.*)?
/var/lib/pgsql/.ssh(/.*)?
/var/lib/openshift/[^/]+/.ssh(/.*)?
/var/lib/amanda/.ssh(/.*)?
/var/lib/stickshift/[^/]+/.ssh(/.*)?
/var/lib/gitolite/.ssh(/.*)?
/var/lib/nocpulse/.ssh(/.*)?
/var/lib/gitolite3/.ssh(/.*)?
/var/lib/openshift/gear/[^/]+/.ssh(/.*)?
/root/.shosts
/home/[^/]+/.ssh(/.*)?
/home/[^/]+/.ansible/cp/.*
/home/[^/]+/.shosts

sysctl_type


systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?

systemd_unit_file_type


tracefs_t


usbfs_t


user_fonts_cache_t

/root/.fontconfig(/.*)?
/root/.fonts/auto(/.*)?
/root/.fonts.cache-.*
/home/[^/]+/.fontconfig(/.*)?
/home/[^/]+/.fonts/auto(/.*)?
/home/[^/]+/.fonts.cache-.*

user_fonts_config_t

/root/.fonts.d(/.*)?
/root/.fonts.conf
/home/[^/]+/.fonts.d(/.*)?
/home/[^/]+/.fonts.conf

user_fonts_t

/root/.fonts(/.*)?
/tmp/.font-unix(/.*)?
/home/[^/]+/.fonts(/.*)?
/home/[^/]+/.local/share/fonts(/.*)?

user_home_t

/home/[^/]+/.+

user_home_type

all user home files

user_tmp_t

/dev/shm/mono.*
/var/run/user(/.*)?
/tmp/.ICE-unix(/.*)?
/tmp/.X11-unix(/.*)?
/dev/shm/pulse-shm.*
/tmp/.X0-lock
/tmp/hsperfdata_root
/var/tmp/hsperfdata_root
/home/[^/]+/tmp
/home/[^/]+/.tmp
/tmp/gconfd-[^/]+

user_tmp_type

all user tmp files

vmware_conf_t

/home/[^/]+/.vmware[^/]*/.*.cfg

vmware_file_t

/home/[^/]+/vmware(/.*)?
/home/[^/]+/.vmware(/.*)?

vmware_tmp_t


vmware_tmpfs_t


wireshark_home_t

/home/[^/]+/.wireshark(/.*)?

wireshark_tmp_t


wireshark_tmpfs_t


xauth_home_t

/root/.Xauth.*
/root/.xauth.*
/root/.Xauthority.*
/root/.serverauth.*
/var/lib/pqsql/.xauth.*
/var/lib/pqsql/.Xauthority.*
/var/lib/nxserver/home/.xauth.*
/var/lib/nxserver/home/.Xauthority.*
/home/[^/]+/.Xauth.*
/home/[^/]+/.xauth.*
/home/[^/]+/.Xauthority.*
/home/[^/]+/.serverauth.*

xserver_tmpfs_t



semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux
policy settings.


This manual page was auto-generated using sepolicy manpage.


selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), sysadm_dbusd_selinux(8),
sysadm_gkeyringd_selinux(8), sysadm_passwd_selinux(8),
sysadm_screen_selinux(8), sysadm_seunshare_selinux(8),
sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8),
sysadm_sudo_selinux(8), sysadm_t_selinux(8)



mgrepl@redhat.com sysadm sysadm_selinux(8)