1user_selinux(8) user SELinux Policy documentation user_selinux(8)
2
6 user_u - Generic unprivileged user - Security Enhanced Linux Policy
7
10 user_u is an SELinux User defined in the SELinux policy. SELinux users
11 have default roles, user_r. The default role has a default type,
12 user_t, associated with it.
13 The SELinux user will usually login to a system with a context that
15 looks like:
16 user_u:user_r:user_t:s0
18 Linux users are automatically assigned an SELinux users at login.
20 Login programs use the SELinux User to assign initial context to the
21 user's shell.
22 SELinux policy uses the context to control the user's access.
24 By default all users are assigned to the SELinux user via the
26 __default__ flag
27 On Targeted policy systems the __default__ user is assigned to the
29 unconfined_u SELinux user.
30 You can list all Linux User to SELinux user mapping using:
32 semanage login -l
34 If you wanted to change the default user mapping to use the user_u
36 user, you would execute:
37 semanage login -m -s user_u __default__
39 If you want to map the one Linux user (joe) to the SELinux user user,
42 you would execute:
43 $ semanage login -a -s user_u joe
45
49 The SELinux user user_u is defined in policy as a unprivileged user.
50 SELinux prevents unprivileged users from doing administration tasks
51 without transitioning to a different role.
52
56 The SELinux user user_u is able to X Windows login.
57
60 The SELinux user user_u is able to listen on the following tcp ports.
61 6000-6020
63 32768-60999
65 all ports with out defined types
67 3689
69 all ports > 1024
71 The SELinux user user_u is able to connect to the following tcp ports.
74 8955
76 all ports
78 53,853
80 88,750,4444
82 389,636,3268,3269,7389
84 32768-60999
86 5432,9898
88 all ports with out defined types
90 111
92 9080
94 all ports < 1024
96 The SELinux user user_u is able to listen on the following udp ports.
99 32768-60999
101 all ports with out defined types
103 all ports > 1024
105 The SELinux user user_u is able to connect to the following tcp ports.
108 8955
110 all ports
112 53,853
114 88,750,4444
116 389,636,3268,3269,7389
118 32768-60999
120 5432,9898
122 all ports with out defined types
124 111
126 9080
128 all ports < 1024
130
133 SELinux policy is customizable based on least access required. user
134 policy is extremely flexible and has several booleans that allow you to
135 manipulate the policy and run user with the tightest access possible.
136 If you want to allow users to resolve user passwd entries directly from
140 ldap rather then using a sssd server, you must turn on the authlo‐
141 gin_nsswitch_use_ldap boolean. Disabled by default.
142 setsebool -P authlogin_nsswitch_use_ldap 1
144 If you want to determine whether crond can execute jobs in the user
148 domain as opposed to the the generic cronjob domain, you must turn on
149 the cron_userdomain_transition boolean. Enabled by default.
150 setsebool -P cron_userdomain_transition 1
152 If you want to deny user domains applications to map a memory region as
156 both executable and writable, this is dangerous and the executable
157 should be reported in bugzilla, you must turn on the deny_execmem bool‐
158 ean. Enabled by default.
159 setsebool -P deny_execmem 1
161 If you want to deny any process from ptracing or debugging any other
165 processes, you must turn on the deny_ptrace boolean. Enabled by
166 default.
167 setsebool -P deny_ptrace 1
169 If you want to allow all domains to execute in fips_mode, you must turn
173 on the fips_mode boolean. Enabled by default.
174 setsebool -P fips_mode 1
176 If you want to determine whether calling user domains can execute Git
180 daemon in the git_session_t domain, you must turn on the git_ses‐
181 sion_users boolean. Disabled by default.
182 setsebool -P git_session_users 1
184 If you want to allow httpd cgi support, you must turn on the
188 httpd_enable_cgi boolean. Enabled by default.
189 setsebool -P httpd_enable_cgi 1
191 If you want to allow confined applications to run with kerberos, you
195 must turn on the kerberos_enabled boolean. Enabled by default.
196 setsebool -P kerberos_enabled 1
198 If you want to allow system to run with NIS, you must turn on the
202 nis_enabled boolean. Disabled by default.
203 setsebool -P nis_enabled 1
205 If you want to allow confined applications to use nscd shared memory,
209 you must turn on the nscd_use_shm boolean. Disabled by default.
210 setsebool -P nscd_use_shm 1
212 If you want to determine whether calling user domains can execute
216 Polipo daemon in the polipo_session_t domain, you must turn on the
217 polipo_session_users boolean. Enabled by default.
218 setsebool -P polipo_session_users 1
220 If you want to allow pppd to be run for a regular user, you must turn
224 on the pppd_for_user boolean. Disabled by default.
225 setsebool -P pppd_for_user 1
227 If you want to allow all unconfined executables to use libraries
231 requiring text relocation that are not labeled textrel_shlib_t, you
232 must turn on the selinuxuser_execmod boolean. Enabled by default.
233 setsebool -P selinuxuser_execmod 1
235 If you want to allow unconfined executables to make their stack exe‐
239 cutable. This should never, ever be necessary. Probably indicates a
240 badly coded executable, but could indicate an attack. This executable
241 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
242 stack boolean. Enabled by default.
243 setsebool -P selinuxuser_execstack 1
245 If you want to allow users to connect to the local mysql server, you
249 must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
250 default.
251 setsebool -P selinuxuser_mysql_connect_enabled 1
253 If you want to allow confined users the ability to execute the ping and
257 traceroute commands, you must turn on the selinuxuser_ping boolean.
258 Enabled by default.
259 setsebool -P selinuxuser_ping 1
261 If you want to allow users to connect to PostgreSQL, you must turn on
265 the selinuxuser_postgresql_connect_enabled boolean. Disabled by
266 default.
267 setsebool -P selinuxuser_postgresql_connect_enabled 1
269 If you want to allow user to r/w files on filesystems that do not have
273 extended attributes (FAT, CDROM, FLOPPY), you must turn on the selin‐
274 uxuser_rw_noexattrfile boolean. Disabled by default.
275 setsebool -P selinuxuser_rw_noexattrfile 1
277 If you want to allow user to use ssh chroot environment, you must turn
281 on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
282 setsebool -P selinuxuser_use_ssh_chroot 1
284 If you want to allow unprivileged user to create and transition to
288 svirt domains, you must turn on the unprivuser_use_svirt boolean. Dis‐
289 abled by default.
290 setsebool -P unprivuser_use_svirt 1
292 If you want to support NFS home directories, you must turn on the
296 use_nfs_home_dirs boolean. Disabled by default.
297 setsebool -P use_nfs_home_dirs 1
299 If you want to support SAMBA home directories, you must turn on the
303 use_samba_home_dirs boolean. Disabled by default.
304 setsebool -P use_samba_home_dirs 1
306
310 The SELinux user user_u is able execute home content files.
311
314 Three things can happen when user_t attempts to execute a program.
315 1. SELinux Policy can deny user_t from executing the program.
317 2. SELinux Policy can allow user_t to execute the program in the cur‐
321 rent user type.
322 Execute the following to see the types that the SELinux user
324 user_t can execute without transitioning:
325 sesearch -A -s user_t -c file -p execute_no_trans
327 3. SELinux can allow user_t to execute the program and transition to a
331 new type.
332 Execute the following to see the types that the SELinux user
334 user_t can execute and transition:
335 $ sesearch -A -s user_t -c process -p transition
337
341 The SELinux process type user_t can manage files labeled with the fol‐
342 lowing file types. The paths listed are the default paths for these
343 file types. Note the processes UID still need to have DAC permissions.
344 alsa_home_t
346 /home/[^/]+/.asoundrc
348 anon_inodefs_t
350 auth_cache_t
353 /var/cache/coolkey(/.*)?
355 bluetooth_helper_tmp_t
357 bluetooth_helper_tmpfs_t
360 cgroup_t
363 /sys/fs/cgroup
365 chrome_sandbox_tmpfs_t
367 cifs_t
370 dosfs_t
373 games_data_t
376 /var/games(/.*)?
378 /var/lib/games(/.*)?
379 gconf_tmp_t
381 /tmp/gconfd-[^/]+/.*
383 git_user_content_t
385 /home/[^/]+/public_git(/.*)?
387 gkeyringd_tmp_t
389 /var/run/user/[^/]*/keyring.*
391 gnome_home_type
393 gpg_agent_tmp_t
396 /home/[^/]+/.gnupg/log-socket
398 httpd_user_content_t
400 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
402 httpd_user_htaccess_t
404 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
406 httpd_user_ra_content_t
408 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
410 httpd_user_rw_content_t
412 httpd_user_script_exec_t
415 /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
417 irc_home_t
419 /home/[^/]+/.irssi(/.*)?
421 /home/[^/]+/irclog(/.*)?
422 /home/[^/]+/.ircmotd
423 irc_tmp_t
425 irssi_home_t
428 mail_spool_t
431 /var/mail(/.*)?
433 /var/spool/imap(/.*)?
434 /var/spool/mail(/.*)?
435 /var/spool/smtpd(/.*)?
436 mpd_user_data_t
438 mqueue_spool_t
441 /var/spool/(client)?mqueue(/.*)?
443 /var/spool/mqueue.in(/.*)?
444 nfs_t
446 noxattrfs
449 all files on file systems which do not support extended attributes
451 pulseaudio_tmpfs_t
453 pulseaudio_tmpfsfile
456 sandbox_file_t
459 sandbox_tmpfs_type
462 all sandbox content in tmpfs file systems
464 screen_home_t
466 /root/.screen(/.*)?
468 /home/[^/]+/.screen(/.*)?
469 /home/[^/]+/.screenrc
470 /home/[^/]+/.tmux.conf
471 security_t
473 /selinux
475 ssh_home_t
477 /var/lib/[^/]+/.ssh(/.*)?
479 /root/.ssh(/.*)?
480 /var/lib/one/.ssh(/.*)?
481 /var/lib/pgsql/.ssh(/.*)?
482 /var/lib/openshift/[^/]+/.ssh(/.*)?
483 /var/lib/amanda/.ssh(/.*)?
484 /var/lib/stickshift/[^/]+/.ssh(/.*)?
485 /var/lib/gitolite/.ssh(/.*)?
486 /var/lib/nocpulse/.ssh(/.*)?
487 /var/lib/gitolite3/.ssh(/.*)?
488 /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
489 /root/.shosts
490 /home/[^/]+/.ssh(/.*)?
491 /home/[^/]+/.ansible/cp/.*
492 /home/[^/]+/.shosts
493 systemd_passwd_var_run_t
495 /var/run/systemd/ask-password(/.*)?
497 /var/run/systemd/ask-password-block(/.*)?
498 usbfs_t
500 user_fonts_cache_t
503 /root/.fontconfig(/.*)?
505 /root/.fonts/auto(/.*)?
506 /root/.fonts.cache-.*
507 /home/[^/]+/.fontconfig(/.*)?
508 /home/[^/]+/.fonts/auto(/.*)?
509 /home/[^/]+/.fonts.cache-.*
510 user_home_type
512 all user home files
514 user_tmp_t
516 /dev/shm/mono.*
518 /var/run/user(/.*)?
519 /tmp/.ICE-unix(/.*)?
520 /tmp/.X11-unix(/.*)?
521 /dev/shm/pulse-shm.*
522 /tmp/.X0-lock
523 /tmp/hsperfdata_root
524 /var/tmp/hsperfdata_root
525 /home/[^/]+/tmp
526 /home/[^/]+/.tmp
527 /tmp/gconfd-[^/]+
528 user_tmp_type
530 all user tmp files
532 virt_image_type
534 all virtual image files
536 xserver_tmpfs_t
538
542 semanage fcontext can also be used to manipulate default file context
543 mappings.
544 semanage permissive can also be used to manipulate whether or not a
546 process type is permissive.
547 semanage module can also be used to enable/disable/install/remove pol‐
549 icy modules.
550 semanage boolean can also be used to manipulate the booleans
552 system-config-selinux is a GUI tool available to customize SELinux pol‐
555 icy settings.
556
559 This manual page was auto-generated using sepolicy manpage .
560
563 selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
564 setsebool(8), user_dbusd_selinux(8), user_dbusd_selinux(8),
565 user_gkeyringd_selinux(8), user_gkeyringd_selinux(8),
566 user_mail_selinux(8), user_mail_selinux(8), user_screen_selinux(8),
567 user_screen_selinux(8), user_seunshare_selinux(8), user_seun‐
568 share_selinux(8), user_ssh_agent_selinux(8), user_ssh_agent_selinux(8),
569 user_t_selinux(8), user_t_selinux(8), user_wine_selinux(8),
570 user_wine_selinux(8)
571mgrepl@redhat.com user user_selinux(8)