user_selinux(8)          user SELinux Policy documentation          user_selinux(8)

NAME
user_u - Generic unprivileged user - Security Enhanced Linux Policy

DESCRIPTION
user_u is an SELinux User defined in the SELinux policy. SELinux users
have default roles, user_r. The default role has a default type,
user_t, associated with it.

The SELinux user will usually login to a system with a context that
looks like:

user_u:user_r:user_t:s0

Linux users are automatically assigned an SELinux user at login.
Login programs use the SELinux user to assign the initial context to the
user's shell.

SELinux policy uses the context to control the user's access.

By default all users are assigned to the SELinux user via the
__default__ flag.

On Targeted policy systems the __default__ user is assigned to the
unconfined_u SELinux user.

You can list all Linux user to SELinux user mappings using:

semanage login -l

If you wanted to change the default user mapping to use the user_u
user, you would execute:

semanage login -m -s user_u __default__

If you want to map one Linux user (joe) to the SELinux user user_u,
you would execute:

semanage login -a -s user_u joe
47
49 The SELinux user user_u is defined in policy as a unprivileged user.
50 SELinux prevents unprivileged users from doing administration tasks
51 without transitioning to a different role.
52
53
56 The SELinux user user_u is able to X Windows login.
57
58
NETWORK
The SELinux user user_u is able to listen on the following tcp ports.

6000-6020
3689
all ports > 1024
32768-60999
all ports without defined types

The SELinux user user_u is able to connect to the following tcp ports.

8955
all ports
53,853
5432,9898
389,636,3268,3269,7389
111
all ports < 1024
32768-60999
all ports without defined types
88,750,4444
9080

The SELinux user user_u is able to listen on the following udp ports.

32768-60999
all ports without defined types
all ports > 1024
BOOLEANS
SELinux policy is customizable based on least access required. user
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run user with the tightest access possible.

If you want to allow users to resolve user passwd entries directly from
ldap rather than using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want crond to execute jobs in the user domain rather than in the
generic cronjob domain, you must turn on the cron_userdomain_transition
boolean. Enabled by default.

setsebool -P cron_userdomain_transition 1

If you want to deny all system processes and Linux users the use of
bluetooth wireless technology, you must turn on the deny_bluetooth
boolean. Enabled by default.

setsebool -P deny_bluetooth 1

If you want to deny user domain applications the ability to map a memory
region as both executable and writable (this is dangerous, and the
executable should be reported in bugzilla), you must turn on the
deny_execmem boolean. Enabled by default.

setsebool -P deny_execmem 1

If you want to deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean. Enabled by
default.

setsebool -P deny_ptrace 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want calling user domains to be able to execute the Git daemon
in the git_session_t domain, you must turn on the git_session_users
boolean. Disabled by default.

setsebool -P git_session_users 1

If you want to allow httpd CGI support, you must turn on the
httpd_enable_cgi boolean. Enabled by default.

setsebool -P httpd_enable_cgi 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Disabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1

If you want calling user domains to be able to execute the Polipo
daemon in the polipo_session_t domain, you must turn on the
polipo_session_users boolean. Disabled by default.

setsebool -P polipo_session_users 1

If you want to allow pppd to be run for a regular user, you must turn
on the pppd_for_user boolean. Disabled by default.

setsebool -P pppd_for_user 1

If you want to allow all unconfined executables to use libraries
requiring text relocation that are not labeled textrel_shlib_t, you
must turn on the selinuxuser_execmod boolean. Disabled by default.

setsebool -P selinuxuser_execmod 1

If you want to allow unconfined executables to make their stack
executable (this should never, ever be necessary; it probably indicates
a badly coded executable, but could indicate an attack, and the
executable should be reported in bugzilla), you must turn on the
selinuxuser_execstack boolean. Disabled by default.

setsebool -P selinuxuser_execstack 1

If you want to allow users to connect to the local mysql server, you
must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
default.

setsebool -P selinuxuser_mysql_connect_enabled 1

If you want to allow confined users the ability to execute the ping and
traceroute commands, you must turn on the selinuxuser_ping boolean.
Disabled by default.

setsebool -P selinuxuser_ping 1

If you want to allow users to connect to PostgreSQL, you must turn on
the selinuxuser_postgresql_connect_enabled boolean. Disabled by
default.

setsebool -P selinuxuser_postgresql_connect_enabled 1

If you want to allow users to read and write files on filesystems that
do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
the selinuxuser_rw_noexattrfile boolean. Disabled by default.

setsebool -P selinuxuser_rw_noexattrfile 1

If you want to allow users to use an ssh chroot environment, you must
turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

setsebool -P selinuxuser_use_ssh_chroot 1

If you want to allow unprivileged users to create and transition to
svirt domains, you must turn on the unprivuser_use_svirt boolean.
Disabled by default.

setsebool -P unprivuser_use_svirt 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Enabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

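Added example, not from the manual page or the sepolicy tool: a Python audit that compares getsebool-style output against the defaults documented in this section and builds the setsebool -P command that restores each deviation. The sample listing is constructed, and the "loosens" heuristic (deny_* booleans restrict when on, the others grant access when on) is an assumption of this example.

```python
import re

# Defaults as documented on this page for a subset of the booleans.
DOCUMENTED_DEFAULTS = {
    "deny_bluetooth": "on",
    "deny_execmem": "on",
    "deny_ptrace": "on",
    "fips_mode": "on",
    "selinuxuser_execmod": "off",
    "selinuxuser_execstack": "off",
    "selinuxuser_ping": "off",
    "unprivuser_use_svirt": "off",
    "use_nfs_home_dirs": "on",
}

# Constructed sample in the `name --> state` shape that getsebool -a prints.
SAMPLE_GETSEBOOL = """\
deny_execmem --> off
deny_ptrace --> on
fips_mode --> off
selinuxuser_execstack --> on
selinuxuser_ping --> off
unprivuser_use_svirt --> off
"""

_LINE = re.compile(r"^(\S+)\s+-->\s+(on|off)$")

def parse_getsebool(output: str) -> dict:
    """Read boolean states from getsebool-style lines; other lines are ignored."""
    states = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            states[m.group(1)] = m.group(2)
    return states

def loosens_policy(name: str, state: str) -> bool:
    """Heuristic: deny_* booleans restrict when on; the others grant access when on."""
    return state == "off" if name.startswith("deny_") else state == "on"

def audit(states: dict) -> list:
    """For each boolean that differs from its documented default, return
    (name, current, default, loosens, command that restores the default)."""
    findings = []
    for name, default in sorted(DOCUMENTED_DEFAULTS.items()):
        current = states.get(name)
        if current is None or current == default:
            continue  # absent from the listing, or already at the documented default
        restore = f"setsebool -P {name} {1 if default == 'on' else 0}"
        findings.append((name, current, default, loosens_policy(name, current), restore))
    return findings
```

A boolean missing from the listing is skipped rather than reported, so run it against a full `getsebool -a` capture to cover every entry in the table.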
HOME_EXEC
The SELinux user user_u is able to execute home content files.

TRANSITIONS
Three things can happen when user_t attempts to execute a program.

1. SELinux Policy can deny user_t from executing the program.

2. SELinux Policy can allow user_t to execute the program in the
   current user type.

   Execute the following to see the types that user_t can execute
   without transitioning:

   sesearch -A -s user_t -c file -p execute_no_trans

3. SELinux can allow user_t to execute the program and transition to a
   new type.

   Execute the following to see the types that user_t can execute and
   transition to:

   sesearch -A -s user_t -c process -p transition

MANAGED FILES
The SELinux process type user_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs DAC permissions on
the file.

alsa_home_t
    /home/[^/]+/.asoundrc

anon_inodefs_t

auth_cache_t
    /var/cache/coolkey(/.*)?

bluetooth_helper_tmp_t

bluetooth_helper_tmpfs_t

cgroup_t
    /sys/fs/cgroup

chrome_sandbox_tmpfs_t

cifs_t

dosfs_t

faillog_t
    /var/log/btmp.*
    /var/log/faillog.*
    /var/log/tallylog.*
    /var/run/faillock(/.*)?

games_data_t
    /var/games(/.*)?
    /var/lib/games(/.*)?

gconf_tmp_t
    /tmp/gconfd-[^/]+/.*

git_user_content_t
    /home/[^/]+/public_git(/.*)?

gkeyringd_tmp_t
    /var/run/user/[^/]*/keyring.*

gnome_home_type

gpg_agent_tmp_t
    /home/[^/]+/.gnupg/log-socket

httpd_user_content_t
    /home/[^/]+/((www)|(web)|(public_html))(/.+)?

httpd_user_htaccess_t
    /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

httpd_user_ra_content_t
    /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

httpd_user_rw_content_t

httpd_user_script_exec_t
    /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

irc_home_t
    /home/[^/]+/.irssi(/.*)?
    /home/[^/]+/irclog(/.*)?
    /home/[^/]+/.ircmotd

irc_tmp_t

irssi_home_t

mail_spool_t
    /var/mail(/.*)?
    /var/spool/imap(/.*)?
    /var/spool/mail(/.*)?
    /var/spool/smtpd(/.*)?

mpd_user_data_t

mqueue_spool_t
    /var/spool/(client)?mqueue(/.*)?
    /var/spool/mqueue.in(/.*)?

nfs_t

noxattrfs
    all files on file systems which do not support extended attributes

pulseaudio_tmpfs_t

pulseaudio_tmpfsfile

sandbox_file_t

sandbox_tmpfs_type
    all sandbox content in tmpfs file systems

screen_home_t
    /root/.screen(/.*)?
    /home/[^/]+/.screen(/.*)?
    /home/[^/]+/.screenrc
    /home/[^/]+/.tmux.conf

security_t
    /selinux

session_dbusd_tmp_t
    /var/run/user(/.*)?/dbus-[0-9]*(/.*)?
    /var/run/user/[^/]*/systemd(/.*)?

ssh_home_t
    /var/lib/[^/]+/.ssh(/.*)?
    /root/.ssh(/.*)?
    /var/lib/one/.ssh(/.*)?
    /var/lib/pgsql/.ssh(/.*)?
    /var/lib/openshift/[^/]+/.ssh(/.*)?
    /var/lib/amanda/.ssh(/.*)?
    /var/lib/stickshift/[^/]+/.ssh(/.*)?
    /var/lib/gitolite/.ssh(/.*)?
    /var/lib/nocpulse/.ssh(/.*)?
    /var/lib/gitolite3/.ssh(/.*)?
    /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
    /root/.shosts
    /home/[^/]+/.ssh(/.*)?
    /home/[^/]+/.ansible/cp/.*
    /home/[^/]+/.shosts

systemd_passwd_var_run_t
    /var/run/systemd/ask-password(/.*)?
    /var/run/systemd/ask-password-block(/.*)?

usbfs_t

user_cron_spool_t
    /var/spool/at(/.*)?
    /var/spool/cron
    /var/spool/cron/[^/]+

user_fonts_cache_t
    /root/.fontconfig(/.*)?
    /root/.fonts/auto(/.*)?
    /root/.fonts.cache-.*
    /root/.cache/fontconfig(/.*)?
    /home/[^/]+/.fontconfig(/.*)?
    /home/[^/]+/.fonts/auto(/.*)?
    /home/[^/]+/.fonts.cache-.*
    /home/[^/]+/.cache/fontconfig(/.*)?

user_home_type
    all user home files

user_tmp_t
    /dev/shm/mono.*
    /var/run/user(/.*)?
    /tmp/.ICE-unix(/.*)?
    /tmp/.X11-unix(/.*)?
    /dev/shm/pulse-shm.*
    /tmp/.X0-lock
    /tmp/hsperfdata_root
    /var/tmp/hsperfdata_root
    /home/[^/]+/tmp
    /home/[^/]+/.tmp
    /tmp/gconfd-[^/]+

user_tmp_type
    all user tmp files

var_auth_t
    /var/ace(/.*)?
    /var/rsa(/.*)?
    /var/lib/abl(/.*)?
    /var/lib/rsa(/.*)?
    /var/lib/pam_ssh(/.*)?
    /var/run/pam_ssh(/.*)?
    /var/lib/pam_shield(/.*)?
    /var/opt/quest/vas/vasd(/.*)?
    /var/lib/google-authenticator(/.*)?

virt_image_type
    all virtual image files

xserver_tmpfs_t

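Added example (not from the manual page or libselinux): a Python matcher that applies a subset of the path regexes listed above, anchored the way file_contexts entries are, to decide the default label of a path and therefore whether it is one of the types user_t can manage. The sample paths and the login name joe are constructed, and the longest-stem-then-last-entry tie-break is a simplification of libselinux's matching, assumed here for illustration.

```python
import re
from typing import List, Optional, Tuple

# (file type, path regex) pairs copied from the table above; every type here
# is one user_t may manage, so a match means "label permits, DAC still applies".
MANAGED_FILE_CONTEXTS: List[Tuple[str, str]] = [
    ("ssh_home_t", r"/home/[^/]+/.ssh(/.*)?"),
    ("ssh_home_t", r"/home/[^/]+/.shosts"),
    ("httpd_user_content_t", r"/home/[^/]+/((www)|(web)|(public_html))(/.+)?"),
    ("httpd_user_htaccess_t", r"/home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess"),
    ("httpd_user_script_exec_t", r"/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?"),
    ("screen_home_t", r"/home/[^/]+/.screenrc"),
    ("user_tmp_t", r"/home/[^/]+/tmp"),
    ("user_cron_spool_t", r"/var/spool/cron/[^/]+"),
    ("mail_spool_t", r"/var/mail(/.*)?"),
]

_META = re.compile(r"[.^$*+?()\[\]{}|\\]")

def stem(regex: str) -> str:
    """Literal prefix up to the first regex metacharacter (the file_contexts 'stem')."""
    m = _META.search(regex)
    return regex if m is None else regex[: m.start()]

def expected_type(path: str) -> Optional[str]:
    """Label a path the way file_contexts matching does, simplified: each regex is
    anchored as ^...$, the longest stem wins, and ties go to the later entry."""
    best: Optional[Tuple[str, str]] = None
    for ftype, regex in MANAGED_FILE_CONTEXTS:
        if re.fullmatch(regex, path) and (best is None or len(stem(regex)) >= len(best[1])):
            best = (ftype, stem(regex))
    return best[0] if best else None

def user_t_can_manage(path: str) -> bool:
    """True when the path's default label is in the manageable list above.
    The kernel still applies DAC (owner/mode), so True is necessary, not sufficient."""
    return expected_type(path) is not None

if __name__ == "__main__":
    for p in ("/home/joe/.ssh/authorized_keys", "/home/joe/public_html/cgi-bin/x.cgi",
              "/home/joe/public_html/.htaccess", "/var/spool/cron/joe", "/etc/shadow"):
        print(f"{p:40} {expected_type(p)}  manageable={user_t_can_manage(p)}")
```

Note that the regexes are used exactly as the table prints them, so an unescaped `.` matches any character, just as it does in the policy's file_contexts.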
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8),
user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8),
user_ssh_agent_selinux(8), user_wine_selinux(8)


mgrepl@redhat.com                    user                    user_selinux(8)