useradd_selinux(8)          SELinux Policy useradd          useradd_selinux(8)




NAME

       useradd_selinux - Security Enhanced Linux Policy for the useradd
       processes


DESCRIPTION

       Security-Enhanced Linux secures  the  useradd  processes  via  flexible
       mandatory access control.

       The  useradd processes execute with the useradd_t SELinux type. You can
       check if you have these processes running by executing the  ps  command
       with the -Z option.

       For example:

       ps -eZ | grep useradd_t




ENTRYPOINTS

       The  useradd_t  SELinux  type  can  be  entered via the useradd_exec_t,
       user_home_t file types.

       The default entrypoint paths for the useradd_t domain are the following:

       /usr/sbin/useradd,         /usr/sbin/userdel,        /usr/sbin/usermod,
       /usr/sbin/newusers, /home/[^/]+/.+


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy  governs  the  access confined processes have to files.  SELinux
       useradd policy is very flexible, allowing administrators to set up their
       useradd processes in as secure a manner as possible.

       The following process types are defined for useradd:

       useradd_t

       Note:  semanage permissive -a useradd_t can be used to make the process
       type useradd_t permissive. SELinux does not deny access  to  permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. Leave the domain permissive only while you collect and review
       those denials, then remove the exception again with
       semanage permissive -d useradd_t.



BOOLEANS

       SELinux policy is customizable based on least access required.  useradd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run useradd with the tightest access possible.
       The -P option of setsebool writes the new value into the policy store so
       that it survives a reboot; without -P the change is lost when the policy
       is next loaded.



       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to allow confined applications to run  with  kerberos,  you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1



       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1



       If you want to allow confined applications to use nscd  shared  memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1



       If  you want to allow samba to act as the domain controller, add users,
       groups and change passwords, you must turn on the
       samba_domain_controller boolean. Disabled by default.

       setsebool -P samba_domain_controller 1



       If  you  want  to  support  NFS  home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1



       If you want to support SAMBA home directories, you  must  turn  on  the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
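       Each setsebool line above changes one boolean; what a practitioner
       usually wants is to compare the whole set against a documented baseline
       and apply only the differences. The following is an added example, not
       part of the sepolicy-generated page: it reads getsebool -a output
       ("name --> on|off"), takes a space-separated "name=on|off" baseline, and
       prints the setsebool -P commands needed to reach it, plus a comment for
       any baseline name the loaded policy does not know. The getsebool excerpt
       and the baseline are constructed for the example; the function names are
       this example's own.

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated page.

# boolean_drift "name=on name2=off ...": read `getsebool -a` lines on stdin
# and print the `setsebool -P` commands that would bring the listed booleans
# to the requested state. Nothing is changed until the output is run.
boolean_drift() {
    awk -v desired="$1" '
        BEGIN {
            n = split(desired, items)               # "name=state" tokens
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        NF == 3 && $2 == "-->" {                    # "name --> on|off"
            seen[$1] = 1
            if (($1 in want) && want[$1] != $3)
                printf "setsebool -P %s %s\n", $1, (want[$1] == "on" ? 1 : 0)
        }
        END {                                       # baseline names the policy lacks
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "=")
                if (!(kv[1] in seen))
                    printf "# no such boolean in loaded policy: %s\n", kv[1]
            }
        }'
}

# Constructed `getsebool -a` excerpt showing this page's defaults (not a dump
# from a real host).
SAMPLE_BOOLS='authlogin_nsswitch_use_ldap --> off
fips_mode --> on
kerberos_enabled --> off
nis_enabled --> off
nscd_use_shm --> off
samba_domain_controller --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off'

# Constructed baseline for a host with local home directories and nscd in
# use: keep FIPS on, drop NFS home-directory access, allow the nscd cache.
BASELINE='fips_mode=on use_nfs_home_dirs=off nscd_use_shm=on'

sample_drift() { printf '%s\n' "$SAMPLE_BOOLS" | boolean_drift "$BASELINE"; }

# Live use (review the output, then apply it):
#   getsebool -a | boolean_drift "$BASELINE"
#   getsebool -a | boolean_drift "$BASELINE" | sh
```

       Against the constructed excerpt the baseline yields exactly two
       commands, setsebool -P nscd_use_shm 1 and setsebool -P use_nfs_home_dirs
       0, because fips_mode already holds the requested value. Printing the
       commands instead of running them keeps the review step explicit, which
       matters because each -P write rebuilds the policy store.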




MANAGED FILES

       The  SELinux  process  type useradd_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs DAC permissions.
       The list includes shadow_t, passwd_file_t and the semanage_store_t policy
       store, so useradd_t is a highly privileged domain: confinement limits
       what it can reach, it does not make the useradd binaries safe to expose
       to untrusted callers.

       cifs_t


       default_context_t

            /etc/selinux/([^/]*/)?contexts(/.*)?
            /root/.default_contexts

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/.fstab.hal..+
            /halt
            /fastboot
            /poweroff
            /.autofsck
            /etc/cmtab
            /forcefsck
            /.suspended
            /fsckoptions
            /.autorelabel
            /etc/.updated
            /var/.updated
            /etc/killpower
            /etc/nohotplug
            /etc/securetty
            /etc/ioctl.save
            /etc/fstab.REVOKE
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/xorg.conf.d/00-system-setup-keyboard.conf
            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

       etc_t

            /etc/.*
            /usr/etc(/.*)?
            /var/ftp/etc(/.*)?
            /var/lib/openshift/.limits.d(/.*)?
            /var/lib/openshift/.openshift-proxy.d(/.*)?
            /var/lib/openshift/.stickshift-proxy.d(/.*)?
            /var/lib/stickshift/.limits.d(/.*)?
            /var/lib/stickshift/.stickshift-proxy.d(/.*)?
            /etc/ipsec.d/examples(/.*)?
            /var/named/chroot/etc(/.*)?
            /var/spool/postfix/etc(/.*)?
            /etc
            /run/cockpit/motd
            /etc/cups/client.conf

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       file_context_t

            /etc/selinux/([^/]*/)?contexts/files(/.*)?

       httpd_user_content_type


       initrc_var_run_t

            /var/run/utmp
            /var/run/random-seed
            /var/run/runlevel.dir
            /var/run/setmixer_flag

       krb5kdc_var_lib_t

            /var/lib/kdcproxy(/.*)?

       lastlog_t

            /var/log/lastlog.*

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       nfs_t


       openshift_file_type


       passwd_file_t

            /etc/group[-+]?
            /etc/passwd[-+]?
            /etc/passwd.adjunct.*
            /etc/ptmptmp
            /etc/.pwd.lock
            /etc/group.lock
            /etc/passwd.OLD
            /etc/passwd.lock

       security_t

            /selinux

       selinux_config_t

            /etc/selinux(/.*)?
            /etc/selinux/([^/]*/)?seusers
            /etc/selinux/([^/]*/)?users(/.*)?
            /etc/selinux/([^/]*/)?setrans.conf
            /var/lib/sepolgen(/.*)?

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       semanage_read_lock_t

            /etc/selinux/([^/]*/)?modules/semanage.read.LOCK
            /var/lib/selinux/[^/]+/semanage.read.LOCK

       semanage_store_t

            /etc/selinux/([^/]*/)?policy(/.*)?
            /etc/selinux/(minimum|mls|targeted)/active(/.*)?
            /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
            /var/lib/selinux(/.*)?
            /etc/share/selinux/mls(/.*)?
            /etc/share/selinux/targeted(/.*)?

       semanage_tmp_t


       semanage_trans_lock_t

            /etc/selinux/([^/]*/)?modules/semanage.trans.LOCK
            /var/lib/selinux/[^/]+/semanage.trans.LOCK

       shadow_t

            /etc/shadow.*
            /etc/gshadow.*
            /etc/nshadow.*
            /var/db/shadow.*
            /etc/security/opasswd
            /etc/security/opasswd.old

       smsd_var_lib_t

            /var/lib/smstools(/.*)?

       sssd_public_t

            /var/lib/sss/mc(/.*)?
            /var/lib/sss/pubconf(/.*)?

       sssd_var_lib_t

            /var/lib/sss(/.*)?

       stapserver_var_lib_t

            /var/lib/stap-server(/.*)?

       user_home_type

            all user home files

       useradd_var_run_t




FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access  confined  processes  have  to  these  files.
       SELinux useradd policy is very flexible, allowing administrators to set
       up their useradd processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for useradd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t useradd_var_run_t '/srv/myuseradd_content(/.*)?'
       restorecon -R -v /srv/myuseradd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. The expression is matched against the whole path
       (it is anchored at both ends), which is why the example above ends in
       (/.*)? so that both the directory itself and everything below it are
       covered.
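       To see how whole-path matching decides which label (or which ENTRYPOINTS
       pattern) a path falls under, the following added example, not part of
       the sepolicy-generated page, applies the same anchored match with
       grep -Ex to a listing of "regex type" pairs and reports the type of the
       last entry that matches. The listing is constructed from the paths on
       this page and the semanage fcontext example above; it is not a dump of a
       real file_contexts file, and real label lookup has further precedence
       rules, so on a live host confirm the answer with matchpathcon PATH.

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated page. file_contexts entries
# are regular expressions that libselinux anchors at both ends; grep -Ex
# applies the same whole-path rule here.

# Constructed "regex type" listing built from this page (not a real
# file_contexts dump). The last line is the semanage fcontext example.
FC_LIST='/usr/sbin/useradd useradd_exec_t
/usr/sbin/userdel useradd_exec_t
/usr/sbin/usermod useradd_exec_t
/usr/sbin/newusers useradd_exec_t
/home/[^/]+/.+ user_home_t
/srv/myuseradd_content(/.*)? useradd_var_run_t'

# fc_type_for PATH: print the type of the last entry whose regex matches the
# whole of PATH, or "<<none>>" if nothing matches. A here-document (not a
# pipe) feeds the loop so the assignment to "found" survives it.
fc_type_for() {
    path="$1"
    found='<<none>>'
    while read -r regex type; do
        if [ -z "$regex" ]; then continue; fi
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            found="$type"
        fi
    done <<EOF
$FC_LIST
EOF
    printf '%s\n' "$found"
}

# Live cross-check:  matchpathcon /home/alice/.bashrc
```

       Because the match is anchored, /usr/sbin/useradd2 gets no label from
       the useradd_exec_t entry even though "." in the pattern would otherwise
       stretch to cover it, /home/alice matches nothing (the entrypoint pattern
       /home/[^/]+/.+ needs a component after the user's directory) while
       /home/alice/.bashrc is user_home_t, and /srv/myuseradd_content with or
       without a trailing subpath is useradd_var_run_t.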
326
       The following file types are defined for useradd:



       useradd_exec_t

       -  Set files with the useradd_exec_t type, if you want to transition an
       executable to the useradd_t domain.


       Paths:
            /usr/sbin/useradd,      /usr/sbin/userdel,      /usr/sbin/usermod,
            /usr/sbin/newusers


       useradd_var_run_t

       -  Set  files with the useradd_var_run_t type, if you want to store the
       useradd files under the /run or /var/run directory.



       Note: File context can be temporarily modified with the chcon  command.
       If  you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling
       database.  You will need to use restorecon to apply the labels.  Because
       restorecon resets labels from that database, a label set only with chcon
       is lost on the next relabel.


COMMANDS

       semanage  fcontext  can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate  whether  or  not  a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



useradd                            19-12-02                 useradd_selinux(8)