1staff_selinux(8) staff SELinux Policy documentation staff_selinux(8)
2
3
4
6 staff_u - Administrator's unprivileged user - Security Enhanced Linux
7 Policy
8
9
11 staff_u is an SELinux User defined in the SELinux policy. SELinux users
12 have default roles, staff_r. The default role has a default type,
13 staff_t, associated with it.
14
15 The SELinux user will usually login to a system with a context that
16 looks like:
17
18 staff_u:staff_r:staff_t:s0 - s0:c0.c1023
19
20 Linux users are automatically assigned an SELinux users at login.
21 Login programs use the SELinux User to assign initial context to the
22 user's shell.
23
24 SELinux policy uses the context to control the user's access.
25
26 By default all users are assigned to the SELinux user via the
27 __default__ flag
28
29 On Targeted policy systems the __default__ user is assigned to the
30 unconfined_u SELinux user.
31
32 You can list all Linux User to SELinux user mapping using:
33
34 semanage login -l
35
36 If you wanted to change the default user mapping to use the staff_u
37 user, you would execute:
38
39 semanage login -m -s staff_u __default__
40
41
42 If you want to map the one Linux user (joe) to the SELinux user staff,
43 you would execute:
44
45 $ semanage login -a -s staff_u joe
46
47
48
50 The SELinux user staff_u is defined in policy as a unprivileged user.
51 SELinux prevents unprivileged users from doing administration tasks
52 without transitioning to a different role.
53
54
56 The SELinux user staff can execute sudo.
57
58 You can set up sudo to allow staff to transition to an administrative
59 domain:
60
61 Add one or more of the following record to sudoers using visudo.
62
63
64 USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
65 sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
66
67 You might also need to add one or more of these new roles to your
68 SELinux user record.
69
70 List the SELinux roles your SELinux user can reach by executing:
71
72 $ semanage user -l |grep selinux_name
73
74 Modify the roles list and add staff_r to this list.
75
76 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
77 logadm_r dbadm_r auditadm_r' staff_u
78
79 For more details you can see semanage man page.
80
81
82 USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
83 sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
84
85 You might also need to add one or more of these new roles to your
86 SELinux user record.
87
88 List the SELinux roles your SELinux user can reach by executing:
89
90 $ semanage user -l |grep selinux_name
91
92 Modify the roles list and add staff_r to this list.
93
94 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
95 logadm_r dbadm_r auditadm_r' staff_u
96
97 For more details you can see semanage man page.
98
99
100 USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
101 sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
102
103 You might also need to add one or more of these new roles to your
104 SELinux user record.
105
106 List the SELinux roles your SELinux user can reach by executing:
107
108 $ semanage user -l |grep selinux_name
109
110 Modify the roles list and add staff_r to this list.
111
112 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
113 logadm_r dbadm_r auditadm_r' staff_u
114
115 For more details you can see semanage man page.
116
117
118 USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
119 sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
120
121 You might also need to add one or more of these new roles to your
122 SELinux user record.
123
124 List the SELinux roles your SELinux user can reach by executing:
125
126 $ semanage user -l |grep selinux_name
127
128 Modify the roles list and add staff_r to this list.
129
130 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
131 logadm_r dbadm_r auditadm_r' staff_u
132
133 For more details you can see semanage man page.
134
135
136 USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
137 sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
138
139 You might also need to add one or more of these new roles to your
140 SELinux user record.
141
142 List the SELinux roles your SELinux user can reach by executing:
143
144 $ semanage user -l |grep selinux_name
145
146 Modify the roles list and add staff_r to this list.
147
148 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
149 logadm_r dbadm_r auditadm_r' staff_u
150
151 For more details you can see semanage man page.
152
153
154 USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
155 sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
156
157 You might also need to add one or more of these new roles to your
158 SELinux user record.
159
160 List the SELinux roles your SELinux user can reach by executing:
161
162 $ semanage user -l |grep selinux_name
163
164 Modify the roles list and add staff_r to this list.
165
166 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
167 logadm_r dbadm_r auditadm_r' staff_u
168
169 For more details you can see semanage man page.
170
171
172 USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
173 sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
174
175 You might also need to add one or more of these new roles to your
176 SELinux user record.
177
178 List the SELinux roles your SELinux user can reach by executing:
179
180 $ semanage user -l |grep selinux_name
181
182 Modify the roles list and add staff_r to this list.
183
184 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
185 logadm_r dbadm_r auditadm_r' staff_u
186
187 For more details you can see semanage man page.
188
189
190 The SELinux type staff_t is not allowed to execute sudo.
191
192
194 The SELinux user staff_u is able to X Windows login.
195
196
198 The SELinux user staff_u is able to listen on the following tcp ports.
199
200 6000-6020
201
202 all ports > 1024
203
204 32768-60999
205
206 all ports with out defined types
207
208 3689
209
210
211 The SELinux user staff_u is able to connect to the following tcp ports.
212
213 all ports
214
215 8955
216
217 53,853
218
219 9080
220
221 5432,9898
222
223 389,636,3268,3269,7389
224
225 32768-60999
226
227 all ports with out defined types
228
229 88,750,4444
230
231 111
232
233 all ports < 1024
234
235
236 The SELinux user staff_u is able to listen on the following udp ports.
237
238 32768-60999
239
240 all ports with out defined types
241
242 all ports > 1024
243
244
245 The SELinux user staff_u is able to connect to the following tcp ports.
246
247 all ports
248
249 8955
250
251 53,853
252
253 9080
254
255 5432,9898
256
257 389,636,3268,3269,7389
258
259 32768-60999
260
261 all ports with out defined types
262
263 88,750,4444
264
265 111
266
267 all ports < 1024
268
269
271 SELinux policy is customizable based on least access required. staff
272 policy is extremely flexible and has several booleans that allow you to
273 manipulate the policy and run staff with the tightest access possible.
274
275
276
277 If you want to allow staff user to create and transition to svirt
278 domains, you must turn on the staff_use_svirt boolean. Disabled by
279 default.
280
281 setsebool -P staff_use_svirt 1
282
283
284
285 If you want to allow users to resolve user passwd entries directly from
286 ldap rather then using a sssd server, you must turn on the authlo‐
287 gin_nsswitch_use_ldap boolean. Disabled by default.
288
289 setsebool -P authlogin_nsswitch_use_ldap 1
290
291
292
293 If you want to determine whether crond can execute jobs in the user
294 domain as opposed to the the generic cronjob domain, you must turn on
295 the cron_userdomain_transition boolean. Enabled by default.
296
297 setsebool -P cron_userdomain_transition 1
298
299
300
301 If you want to deny all system processes and Linux users to use blue‐
302 tooth wireless technology, you must turn on the deny_bluetooth boolean.
303 Enabled by default.
304
305 setsebool -P deny_bluetooth 1
306
307
308
309 If you want to deny user domains applications to map a memory region as
310 both executable and writable, this is dangerous and the executable
311 should be reported in bugzilla, you must turn on the deny_execmem bool‐
312 ean. Enabled by default.
313
314 setsebool -P deny_execmem 1
315
316
317
318 If you want to deny any process from ptracing or debugging any other
319 processes, you must turn on the deny_ptrace boolean. Enabled by
320 default.
321
322 setsebool -P deny_ptrace 1
323
324
325
326 If you want to allow all domains to execute in fips_mode, you must turn
327 on the fips_mode boolean. Enabled by default.
328
329 setsebool -P fips_mode 1
330
331
332
333 If you want to determine whether calling user domains can execute Git
334 daemon in the git_session_t domain, you must turn on the git_ses‐
335 sion_users boolean. Disabled by default.
336
337 setsebool -P git_session_users 1
338
339
340
341 If you want to allow httpd cgi support, you must turn on the
342 httpd_enable_cgi boolean. Enabled by default.
343
344 setsebool -P httpd_enable_cgi 1
345
346
347
348 If you want to allow confined applications to run with kerberos, you
349 must turn on the kerberos_enabled boolean. Enabled by default.
350
351 setsebool -P kerberos_enabled 1
352
353
354
355 If you want to allow system to run with NIS, you must turn on the
356 nis_enabled boolean. Disabled by default.
357
358 setsebool -P nis_enabled 1
359
360
361
362 If you want to allow confined applications to use nscd shared memory,
363 you must turn on the nscd_use_shm boolean. Disabled by default.
364
365 setsebool -P nscd_use_shm 1
366
367
368
369 If you want to determine whether calling user domains can execute
370 Polipo daemon in the polipo_session_t domain, you must turn on the
371 polipo_session_users boolean. Disabled by default.
372
373 setsebool -P polipo_session_users 1
374
375
376
377 If you want to allow pppd to be run for a regular user, you must turn
378 on the pppd_for_user boolean. Disabled by default.
379
380 setsebool -P pppd_for_user 1
381
382
383
384 If you want to allow all unconfined executables to use libraries
385 requiring text relocation that are not labeled textrel_shlib_t, you
386 must turn on the selinuxuser_execmod boolean. Enabled by default.
387
388 setsebool -P selinuxuser_execmod 1
389
390
391
392 If you want to allow unconfined executables to make their stack exe‐
393 cutable. This should never, ever be necessary. Probably indicates a
394 badly coded executable, but could indicate an attack. This executable
395 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
396 stack boolean. Enabled by default.
397
398 setsebool -P selinuxuser_execstack 1
399
400
401
402 If you want to allow users to connect to the local mysql server, you
403 must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
404 default.
405
406 setsebool -P selinuxuser_mysql_connect_enabled 1
407
408
409
410 If you want to allow users to connect to PostgreSQL, you must turn on
411 the selinuxuser_postgresql_connect_enabled boolean. Disabled by
412 default.
413
414 setsebool -P selinuxuser_postgresql_connect_enabled 1
415
416
417
418 If you want to allow user to r/w files on filesystems that do not have
419 extended attributes (FAT, CDROM, FLOPPY), you must turn on the selin‐
420 uxuser_rw_noexattrfile boolean. Disabled by default.
421
422 setsebool -P selinuxuser_rw_noexattrfile 1
423
424
425
426 If you want to allow user to use ssh chroot environment, you must turn
427 on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
428
429 setsebool -P selinuxuser_use_ssh_chroot 1
430
431
432
433 If you want to support NFS home directories, you must turn on the
434 use_nfs_home_dirs boolean. Disabled by default.
435
436 setsebool -P use_nfs_home_dirs 1
437
438
439
440 If you want to support SAMBA home directories, you must turn on the
441 use_samba_home_dirs boolean. Disabled by default.
442
443 setsebool -P use_samba_home_dirs 1
444
445
446
448 The SELinux user staff_u is able execute home content files.
449
450
452 Three things can happen when staff_t attempts to execute a program.
453
454 1. SELinux Policy can deny staff_t from executing the program.
455
456
457
458 2. SELinux Policy can allow staff_t to execute the program in the cur‐
459 rent user type.
460
461 Execute the following to see the types that the SELinux user
462 staff_t can execute without transitioning:
463
464 sesearch -A -s staff_t -c file -p execute_no_trans
465
466
467
468 3. SELinux can allow staff_t to execute the program and transition to a
469 new type.
470
471 Execute the following to see the types that the SELinux user
472 staff_t can execute and transition:
473
474 $ sesearch -A -s staff_t -c process -p transition
475
476
477
479 The SELinux process type staff_t can manage files labeled with the fol‐
480 lowing file types. The paths listed are the default paths for these
481 file types. Note the processes UID still need to have DAC permissions.
482
483 alsa_home_t
484
485 /home/[^/]+/.asoundrc
486
487 anon_inodefs_t
488
489
490 auth_cache_t
491
492 /var/cache/coolkey(/.*)?
493
494 bluetooth_helper_tmp_t
495
496
497 bluetooth_helper_tmpfs_t
498
499
500 cgroup_t
501
502 /sys/fs/cgroup
503
504 chrome_sandbox_tmpfs_t
505
506
507 cifs_t
508
509
510 dirsrv_config_t
511
512 /etc/dirsrv(/.*)?
513
514 dirsrv_var_lib_t
515
516 /var/lib/dirsrv(/.*)?
517
518 dirsrv_var_log_t
519
520 /var/log/dirsrv(/.*)?
521
522 dirsrv_var_run_t
523
524 /var/run/slapd.*
525 /var/run/dirsrv(/.*)?
526
527 dosfs_t
528
529
530 games_data_t
531
532 /var/games(/.*)?
533 /var/lib/games(/.*)?
534
535 gconf_tmp_t
536
537 /tmp/gconfd-[^/]+/.*
538
539 git_user_content_t
540
541 /home/[^/]+/public_git(/.*)?
542
543 gkeyringd_tmp_t
544
545 /var/run/user/[^/]*/keyring.*
546
547 gnome_home_type
548
549
550 gpg_agent_tmp_t
551
552 /home/[^/]+/.gnupg/log-socket
553
554 httpd_user_content_t
555
556 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
557
558 httpd_user_htaccess_t
559
560 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
561
562 httpd_user_ra_content_t
563
564 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
565
566 httpd_user_rw_content_t
567
568
569 httpd_user_script_exec_t
570
571 /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
572
573 irc_home_t
574
575 /home/[^/]+/.irssi(/.*)?
576 /home/[^/]+/irclog(/.*)?
577 /home/[^/]+/.ircmotd
578
579 irc_tmp_t
580
581
582 irssi_home_t
583
584
585 mail_spool_t
586
587 /var/mail(/.*)?
588 /var/spool/imap(/.*)?
589 /var/spool/mail(/.*)?
590 /var/spool/smtpd(/.*)?
591
592 mpd_user_data_t
593
594
595 mqueue_spool_t
596
597 /var/spool/(client)?mqueue(/.*)?
598 /var/spool/mqueue.in(/.*)?
599
600 nfs_t
601
602
603 noxattrfs
604
605 all files on file systems which do not support extended attributes
606
607 pulseaudio_tmpfs_t
608
609
610 pulseaudio_tmpfsfile
611
612
613 sandbox_file_t
614
615
616 sandbox_tmpfs_type
617
618 all sandbox content in tmpfs file systems
619
620 screen_home_t
621
622 /root/.screen(/.*)?
623 /home/[^/]+/.screen(/.*)?
624 /home/[^/]+/.screenrc
625 /home/[^/]+/.tmux.conf
626
627 security_t
628
629 /selinux
630
631 ssh_home_t
632
633 /var/lib/[^/]+/.ssh(/.*)?
634 /root/.ssh(/.*)?
635 /var/lib/one/.ssh(/.*)?
636 /var/lib/pgsql/.ssh(/.*)?
637 /var/lib/openshift/[^/]+/.ssh(/.*)?
638 /var/lib/amanda/.ssh(/.*)?
639 /var/lib/stickshift/[^/]+/.ssh(/.*)?
640 /var/lib/gitolite/.ssh(/.*)?
641 /var/lib/nocpulse/.ssh(/.*)?
642 /var/lib/gitolite3/.ssh(/.*)?
643 /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
644 /root/.shosts
645 /home/[^/]+/.ssh(/.*)?
646 /home/[^/]+/.ansible/cp/.*
647 /home/[^/]+/.shosts
648
649 systemd_passwd_var_run_t
650
651 /var/run/systemd/ask-password(/.*)?
652 /var/run/systemd/ask-password-block(/.*)?
653
654 systemd_unit_file_type
655
656
657 usbfs_t
658
659
660 user_fonts_cache_t
661
662 /root/.fontconfig(/.*)?
663 /root/.fonts/auto(/.*)?
664 /root/.fonts.cache-.*
665 /root/.cache/fontconfig(/.*)?
666 /home/[^/]+/.fontconfig(/.*)?
667 /home/[^/]+/.fonts/auto(/.*)?
668 /home/[^/]+/.fonts.cache-.*
669 /home/[^/]+/.cache/fontconfig(/.*)?
670
671 user_home_type
672
673 all user home files
674
675 user_tmp_t
676
677 /dev/shm/mono.*
678 /var/run/user(/.*)?
679 /tmp/.ICE-unix(/.*)?
680 /tmp/.X11-unix(/.*)?
681 /dev/shm/pulse-shm.*
682 /tmp/.X0-lock
683 /tmp/hsperfdata_root
684 /var/tmp/hsperfdata_root
685 /home/[^/]+/tmp
686 /home/[^/]+/.tmp
687 /tmp/gconfd-[^/]+
688
689 user_tmp_type
690
691 all user tmp files
692
693 virt_image_type
694
695 all virtual image files
696
697 wireshark_home_t
698
699 /home/[^/]+/.wireshark(/.*)?
700
701 wireshark_tmp_t
702
703
704 wireshark_tmpfs_t
705
706
707 xserver_tmpfs_t
708
709
710
712 semanage fcontext can also be used to manipulate default file context
713 mappings.
714
715 semanage permissive can also be used to manipulate whether or not a
716 process type is permissive.
717
718 semanage module can also be used to enable/disable/install/remove pol‐
719 icy modules.
720
721 semanage boolean can also be used to manipulate the booleans
722
723
724 system-config-selinux is a GUI tool available to customize SELinux pol‐
725 icy settings.
726
727
729 This manual page was auto-generated using sepolicy manpage .
730
731
733 selinux(8), staff(8), semanage(8), restorecon(8), chcon(1), sepol‐
734 icy(8), setsebool(8), staff_consolehelper_selinux(8), staff_console‐
735 helper_selinux(8), staff_dbusd_selinux(8), staff_dbusd_selinux(8),
736 staff_gkeyringd_selinux(8), staff_gkeyringd_selinux(8),
737 staff_screen_selinux(8), staff_screen_selinux(8), staff_seun‐
738 share_selinux(8), staff_seunshare_selinux(8),
739 staff_ssh_agent_selinux(8), staff_ssh_agent_selinux(8),
740 staff_sudo_selinux(8), staff_sudo_selinux(8), staff_t_selinux(8),
741 staff_t_selinux(8), staff_wine_selinux(8), staff_wine_selinux(8)
742
743
744
745mgrepl@redhat.com staff staff_selinux(8)