1useradd_selinux(8) SELinux Policy useradd useradd_selinux(8)
2
3
4
6 useradd_selinux - Security Enhanced Linux Policy for the useradd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the useradd processes via flexible
11 mandatory access control.
12
13 The useradd processes execute with the useradd_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep useradd_t
20
21
22
24 The useradd_t SELinux type can be entered via the useradd_exec_t,
25 user_home_t file types.
26
27 The default entrypoint paths for the useradd_t domain are the follow‐
28 ing:
29
30 /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod,
31 /usr/sbin/newusers, /home/[^/]+/.+
32
34 SELinux defines process types (domains) for each process running on the
35 system
36
37 You can see the context of a process using the -Z option to ps
38
39 Policy governs the access confined processes have to files. SELinux
40 useradd policy is very flexible allowing users to setup their useradd
41 processes in as secure a method as possible.
42
43 The following process types are defined for useradd:
44
45 useradd_t
46
47 Note: semanage permissive -a useradd_t can be used to make the process
48 type useradd_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
52
54 SELinux policy is customizable based on least access required. useradd
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run useradd with the tightest access possi‐
57 ble.
58
59
60
61 If you want to allow users to resolve user passwd entries directly from
62 ldap rather then using a sssd server, you must turn on the authlo‐
63 gin_nsswitch_use_ldap boolean. Disabled by default.
64
65 setsebool -P authlogin_nsswitch_use_ldap 1
66
67
68
69 If you want to allow all domains to execute in fips_mode, you must turn
70 on the fips_mode boolean. Enabled by default.
71
72 setsebool -P fips_mode 1
73
74
75
76 If you want to allow confined applications to run with kerberos, you
77 must turn on the kerberos_enabled boolean. Disabled by default.
78
79 setsebool -P kerberos_enabled 1
80
81
82
83 If you want to allow system to run with NIS, you must turn on the
84 nis_enabled boolean. Disabled by default.
85
86 setsebool -P nis_enabled 1
87
88
89
90 If you want to allow confined applications to use nscd shared memory,
91 you must turn on the nscd_use_shm boolean. Disabled by default.
92
93 setsebool -P nscd_use_shm 1
94
95
96
97 If you want to allow samba to act as the domain controller, add users,
98 groups and change passwords, you must turn on the samba_domain_con‐
99 troller boolean. Disabled by default.
100
101 setsebool -P samba_domain_controller 1
102
103
104
105 If you want to support NFS home directories, you must turn on the
106 use_nfs_home_dirs boolean. Enabled by default.
107
108 setsebool -P use_nfs_home_dirs 1
109
110
111
112 If you want to support SAMBA home directories, you must turn on the
113 use_samba_home_dirs boolean. Disabled by default.
114
115 setsebool -P use_samba_home_dirs 1
116
117
118
120 The SELinux process type useradd_t can manage files labeled with the
121 following file types. The paths listed are the default paths for these
122 file types. Note the processes UID still need to have DAC permissions.
123
124 cifs_t
125
126
127 default_context_t
128
129 /etc/selinux/([^/]*/)?contexts(/.*)?
130 /root/.default_contexts
131
132 etc_runtime_t
133
134 /[^/]+
135 /etc/mtab.*
136 /etc/blkid(/.*)?
137 /etc/nologin.*
138 /etc/.fstab.hal..+
139 /halt
140 /fastboot
141 /poweroff
142 /.autofsck
143 /etc/cmtab
144 /forcefsck
145 /.suspended
146 /fsckoptions
147 /.autorelabel
148 /etc/.updated
149 /var/.updated
150 /etc/killpower
151 /etc/nohotplug
152 /etc/securetty
153 /etc/ioctl.save
154 /etc/fstab.REVOKE
155 /etc/network/ifstate
156 /etc/sysconfig/hwconf
157 /etc/ptal/ptal-printd-like
158 /etc/xorg.conf.d/00-system-setup-keyboard.conf
159 /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
160
161 etc_t
162
163 /etc/.*
164 /usr/etc(/.*)?
165 /var/ftp/etc(/.*)?
166 /var/lib/openshift/.limits.d(/.*)?
167 /var/lib/openshift/.openshift-proxy.d(/.*)?
168 /var/lib/openshift/.stickshift-proxy.d(/.*)?
169 /var/lib/stickshift/.limits.d(/.*)?
170 /var/lib/stickshift/.stickshift-proxy.d(/.*)?
171 /etc/ipsec.d/examples(/.*)?
172 /var/named/chroot/etc(/.*)?
173 /var/spool/postfix/etc(/.*)?
174 /etc
175 /run/cockpit/motd
176 /etc/cups/client.conf
177
178 faillog_t
179
180 /var/log/btmp.*
181 /var/log/faillog.*
182 /var/log/tallylog.*
183 /var/run/faillock(/.*)?
184
185 file_context_t
186
187 /etc/selinux/([^/]*/)?contexts/files(/.*)?
188
189 httpd_user_content_type
190
191
192 initrc_var_run_t
193
194 /var/run/utmp
195 /var/run/random-seed
196 /var/run/runlevel.dir
197 /var/run/setmixer_flag
198
199 krb5kdc_var_lib_t
200
201 /var/lib/kdcproxy(/.*)?
202
203 lastlog_t
204
205 /var/log/lastlog.*
206
207 mail_spool_t
208
209 /var/mail(/.*)?
210 /var/spool/imap(/.*)?
211 /var/spool/mail(/.*)?
212 /var/spool/smtpd(/.*)?
213
214 nfs_t
215
216
217 openshift_file_type
218
219
220 passwd_file_t
221
222 /etc/group[-+]?
223 /etc/passwd[-+]?
224 /etc/passwd.adjunct.*
225 /etc/ptmptmp
226 /etc/.pwd.lock
227 /etc/group.lock
228 /etc/passwd.OLD
229 /etc/passwd.lock
230
231 security_t
232
233 /selinux
234
235 selinux_config_t
236
237 /etc/selinux(/.*)?
238 /etc/selinux/([^/]*/)?seusers
239 /etc/selinux/([^/]*/)?users(/.*)?
240 /etc/selinux/([^/]*/)?setrans.conf
241 /var/lib/sepolgen(/.*)?
242
243 selinux_login_config_t
244
245 /etc/selinux/([^/]*/)?logins(/.*)?
246
247 semanage_read_lock_t
248
249 /etc/selinux/([^/]*/)?modules/semanage.read.LOCK
250 /var/lib/selinux/[^/]+/semanage.read.LOCK
251
252 semanage_store_t
253
254 /etc/selinux/([^/]*/)?policy(/.*)?
255 /etc/selinux/(minimum|mls|targeted)/active(/.*)?
256 /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
257 /var/lib/selinux(/.*)?
258 /etc/share/selinux/mls(/.*)?
259 /etc/share/selinux/targeted(/.*)?
260
261 semanage_tmp_t
262
263
264 semanage_trans_lock_t
265
266 /etc/selinux/([^/]*/)?modules/semanage.trans.LOCK
267 /var/lib/selinux/[^/]+/semanage.trans.LOCK
268
269 shadow_t
270
271 /etc/shadow.*
272 /etc/gshadow.*
273 /etc/nshadow.*
274 /var/db/shadow.*
275 /etc/security/opasswd
276 /etc/security/opasswd.old
277
278 smsd_var_lib_t
279
280 /var/lib/smstools(/.*)?
281
282 sssd_public_t
283
284 /var/lib/sss/mc(/.*)?
285 /var/lib/sss/pubconf(/.*)?
286
287 sssd_var_lib_t
288
289 /var/lib/sss(/.*)?
290
291 stapserver_var_lib_t
292
293 /var/lib/stap-server(/.*)?
294
295 user_home_type
296
297 all user home files
298
299 useradd_var_run_t
300
301
302
304 SELinux requires files to have an extended attribute to define the file
305 type.
306
307 You can see the context of a file using the -Z option to ls
308
309 Policy governs the access confined processes have to these files.
310 SELinux useradd policy is very flexible allowing users to setup their
311 useradd processes in as secure a method as possible.
312
313 STANDARD FILE CONTEXT
314
315 SELinux defines the file context types for the useradd, if you wanted
316 to store files with these types in a diffent paths, you need to execute
317 the semanage command to sepecify alternate labeling and then use
318 restorecon to put the labels on disk.
319
320 semanage fcontext -a -t useradd_var_run_t '/srv/myuseradd_con‐
321 tent(/.*)?'
322 restorecon -R -v /srv/myuseradd_content
323
324 Note: SELinux often uses regular expressions to specify labels that
325 match multiple files.
326
327 The following file types are defined for useradd:
328
329
330
331 useradd_exec_t
332
333 - Set files with the useradd_exec_t type, if you want to transition an
334 executable to the useradd_t domain.
335
336
337 Paths:
338 /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod,
339 /usr/sbin/newusers
340
341
342 useradd_var_run_t
343
344 - Set files with the useradd_var_run_t type, if you want to store the
345 useradd files under the /run or /var/run directory.
346
347
348
349 Note: File context can be temporarily modified with the chcon command.
350 If you want to permanently change the file context you need to use the
351 semanage fcontext command. This will modify the SELinux labeling data‐
352 base. You will need to use restorecon to apply the labels.
353
354
356 semanage fcontext can also be used to manipulate default file context
357 mappings.
358
359 semanage permissive can also be used to manipulate whether or not a
360 process type is permissive.
361
362 semanage module can also be used to enable/disable/install/remove pol‐
363 icy modules.
364
365 semanage boolean can also be used to manipulate the booleans
366
367
368 system-config-selinux is a GUI tool available to customize SELinux pol‐
369 icy settings.
370
371
373 This manual page was auto-generated using sepolicy manpage .
374
375
377 selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1), sepol‐
378 icy(8), setsebool(8)
379
380
381
382useradd 19-12-02 useradd_selinux(8)