1staff_selinux(8) staff SELinux Policy documentation staff_selinux(8)
2
3
4
6 staff_u - Administrator's unprivileged user - Security Enhanced Linux
7 Policy
8
9
11 staff_u is an SELinux User defined in the SELinux policy. SELinux users
12 have default roles, staff_r. The default role has a default type,
13 staff_t, associated with it.
14
15 The SELinux user will usually login to a system with a context that
16 looks like:
17
18 staff_u:staff_r:staff_t:s0 - s0:c0.c1023
19
20 Linux users are automatically assigned an SELinux users at login.
21 Login programs use the SELinux User to assign initial context to the
22 user's shell.
23
24 SELinux policy uses the context to control the user's access.
25
26 By default all users are assigned to the SELinux user via the
27 __default__ flag
28
29 On Targeted policy systems the __default__ user is assigned to the
30 unconfined_u SELinux user.
31
32 You can list all Linux User to SELinux user mapping using:
33
34 semanage login -l
35
36 If you wanted to change the default user mapping to use the staff_u
37 user, you would execute:
38
39 semanage login -m -s staff_u __default__
40
41
42 If you want to map the one Linux user (joe) to the SELinux user staff,
43 you would execute:
44
45 $ semanage login -a -s staff_u joe
46
47
48
50 The SELinux user staff_u is defined in policy as a unprivileged user.
51 SELinux prevents unprivileged users from doing administration tasks
52 without transitioning to a different role.
53
54
56 The SELinux user staff can execute sudo.
57
58 You can set up sudo to allow staff to transition to an administrative
59 domain:
60
61 Add one or more of the following record to sudoers using visudo.
62
63
64 USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
65 sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
66
67 You might also need to add one or more of these new roles to your
68 SELinux user record.
69
70 List the SELinux roles your SELinux user can reach by executing:
71
72 $ semanage user -l |grep selinux_name
73
74 Modify the roles list and add staff_r to this list.
75
76 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
77 logadm_r dbadm_r auditadm_r' staff_u
78
79 For more details you can see semanage man page.
80
81
82 USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
83 sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
84
85 You might also need to add one or more of these new roles to your
86 SELinux user record.
87
88 List the SELinux roles your SELinux user can reach by executing:
89
90 $ semanage user -l |grep selinux_name
91
92 Modify the roles list and add staff_r to this list.
93
94 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
95 logadm_r dbadm_r auditadm_r' staff_u
96
97 For more details you can see semanage man page.
98
99
100 USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
101 sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
102
103 You might also need to add one or more of these new roles to your
104 SELinux user record.
105
106 List the SELinux roles your SELinux user can reach by executing:
107
108 $ semanage user -l |grep selinux_name
109
110 Modify the roles list and add staff_r to this list.
111
112 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
113 logadm_r dbadm_r auditadm_r' staff_u
114
115 For more details you can see semanage man page.
116
117
118 USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
119 sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
120
121 You might also need to add one or more of these new roles to your
122 SELinux user record.
123
124 List the SELinux roles your SELinux user can reach by executing:
125
126 $ semanage user -l |grep selinux_name
127
128 Modify the roles list and add staff_r to this list.
129
130 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
131 logadm_r dbadm_r auditadm_r' staff_u
132
133 For more details you can see semanage man page.
134
135
136 USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
137 sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
138
139 You might also need to add one or more of these new roles to your
140 SELinux user record.
141
142 List the SELinux roles your SELinux user can reach by executing:
143
144 $ semanage user -l |grep selinux_name
145
146 Modify the roles list and add staff_r to this list.
147
148 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
149 logadm_r dbadm_r auditadm_r' staff_u
150
151 For more details you can see semanage man page.
152
153
154 USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
155 sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
156
157 You might also need to add one or more of these new roles to your
158 SELinux user record.
159
160 List the SELinux roles your SELinux user can reach by executing:
161
162 $ semanage user -l |grep selinux_name
163
164 Modify the roles list and add staff_r to this list.
165
166 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
167 logadm_r dbadm_r auditadm_r' staff_u
168
169 For more details you can see semanage man page.
170
171
172 USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
173 sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
174
175 You might also need to add one or more of these new roles to your
176 SELinux user record.
177
178 List the SELinux roles your SELinux user can reach by executing:
179
180 $ semanage user -l |grep selinux_name
181
182 Modify the roles list and add staff_r to this list.
183
184 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
185 logadm_r dbadm_r auditadm_r' staff_u
186
187 For more details you can see semanage man page.
188
189
190 The SELinux type staff_t is not allowed to execute sudo.
191
192
194 The SELinux user staff_u is able to X Windows login.
195
196
198 The SELinux user staff_u is able to listen on the following tcp ports.
199
200 6000-6020
201
202 3689
203
204 all ports > 1024
205
206 all ports with out defined types
207
208 32768-60999
209
210
211 The SELinux user staff_u is able to connect to the following tcp ports.
212
213 8955
214
215 all ports
216
217 53,853
218
219 389,636,3268,3269,7389
220
221 all ports with out defined types
222
223 32768-60999
224
225 all ports < 1024
226
227 9080
228
229 88,750,4444
230
231
232 The SELinux user staff_u is able to listen on the following udp ports.
233
234 all ports with out defined types
235
236 32768-60999
237
238 all ports > 1024
239
240
241 The SELinux user staff_u is able to connect to the following tcp ports.
242
243 8955
244
245 all ports
246
247 53,853
248
249 389,636,3268,3269,7389
250
251 all ports with out defined types
252
253 32768-60999
254
255 all ports < 1024
256
257 9080
258
259 88,750,4444
260
261
263 SELinux policy is customizable based on least access required. staff
264 policy is extremely flexible and has several booleans that allow you to
265 manipulate the policy and run staff with the tightest access possible.
266
267
268
269 If you want to allow staff user to create and transition to svirt
270 domains, you must turn on the staff_use_svirt boolean. Disabled by
271 default.
272
273 setsebool -P staff_use_svirt 1
274
275
276
277 If you want to determine whether crond can execute jobs in the user
278 domain as opposed to the the generic cronjob domain, you must turn on
279 the cron_userdomain_transition boolean. Enabled by default.
280
281 setsebool -P cron_userdomain_transition 1
282
283
284
285 If you want to deny all system processes and Linux users to use blue‐
286 tooth wireless technology, you must turn on the deny_bluetooth boolean.
287 Enabled by default.
288
289 setsebool -P deny_bluetooth 1
290
291
292
293 If you want to deny user domains applications to map a memory region as
294 both executable and writable, this is dangerous and the executable
295 should be reported in bugzilla, you must turn on the deny_execmem bool‐
296 ean. Enabled by default.
297
298 setsebool -P deny_execmem 1
299
300
301
302 If you want to deny any process from ptracing or debugging any other
303 processes, you must turn on the deny_ptrace boolean. Enabled by
304 default.
305
306 setsebool -P deny_ptrace 1
307
308
309
310 If you want to allow all domains to execute in fips_mode, you must turn
311 on the fips_mode boolean. Enabled by default.
312
313 setsebool -P fips_mode 1
314
315
316
317 If you want to determine whether calling user domains can execute Git
318 daemon in the git_session_t domain, you must turn on the git_ses‐
319 sion_users boolean. Disabled by default.
320
321 setsebool -P git_session_users 1
322
323
324
325 If you want to allow httpd cgi support, you must turn on the
326 httpd_enable_cgi boolean. Enabled by default.
327
328 setsebool -P httpd_enable_cgi 1
329
330
331
332 If you want to determine whether calling user domains can execute
333 Polipo daemon in the polipo_session_t domain, you must turn on the
334 polipo_session_users boolean. Disabled by default.
335
336 setsebool -P polipo_session_users 1
337
338
339
340 If you want to allow pppd to be run for a regular user, you must turn
341 on the pppd_for_user boolean. Disabled by default.
342
343 setsebool -P pppd_for_user 1
344
345
346
347 If you want to allow all unconfined executables to use libraries
348 requiring text relocation that are not labeled textrel_shlib_t, you
349 must turn on the selinuxuser_execmod boolean. Disabled by default.
350
351 setsebool -P selinuxuser_execmod 1
352
353
354
355 If you want to allow unconfined executables to make their stack exe‐
356 cutable. This should never, ever be necessary. Probably indicates a
357 badly coded executable, but could indicate an attack. This executable
358 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
359 stack boolean. Disabled by default.
360
361 setsebool -P selinuxuser_execstack 1
362
363
364
365 If you want to allow users to connect to the local mysql server, you
366 must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
367 default.
368
369 setsebool -P selinuxuser_mysql_connect_enabled 1
370
371
372
373 If you want to allow user to r/w files on filesystems that do not have
374 extended attributes (FAT, CDROM, FLOPPY), you must turn on the selin‐
375 uxuser_rw_noexattrfile boolean. Enabled by default.
376
377 setsebool -P selinuxuser_rw_noexattrfile 1
378
379
380
381 If you want to support NFS home directories, you must turn on the
382 use_nfs_home_dirs boolean. Enabled by default.
383
384 setsebool -P use_nfs_home_dirs 1
385
386
387
388 If you want to support SAMBA home directories, you must turn on the
389 use_samba_home_dirs boolean. Disabled by default.
390
391 setsebool -P use_samba_home_dirs 1
392
393
394
396 The SELinux user staff_u is able execute home content files.
397
398
400 Three things can happen when staff_t attempts to execute a program.
401
402 1. SELinux Policy can deny staff_t from executing the program.
403
404
405
406 2. SELinux Policy can allow staff_t to execute the program in the cur‐
407 rent user type.
408
409 Execute the following to see the types that the SELinux user
410 staff_t can execute without transitioning:
411
412 sesearch -A -s staff_t -c file -p execute_no_trans
413
414
415
416 3. SELinux can allow staff_t to execute the program and transition to a
417 new type.
418
419 Execute the following to see the types that the SELinux user
420 staff_t can execute and transition:
421
422 $ sesearch -A -s staff_t -c process -p transition
423
424
425
427 The SELinux process type staff_t can manage files labeled with the fol‐
428 lowing file types. The paths listed are the default paths for these
429 file types. Note the processes UID still need to have DAC permissions.
430
431 alsa_home_t
432
433 /home/[^/]+/.asoundrc
434
435 anon_inodefs_t
436
437
438 auth_cache_t
439
440 /var/cache/coolkey(/.*)?
441
442 cgroup_t
443
444 /sys/fs/cgroup
445
446 chrome_sandbox_tmpfs_t
447
448
449 dirsrv_config_t
450
451 /etc/dirsrv(/.*)?
452
453 dirsrv_var_lib_t
454
455 /var/lib/dirsrv(/.*)?
456
457 dirsrv_var_log_t
458
459 /var/log/dirsrv(/.*)?
460
461 dirsrv_var_run_t
462
463 /var/run/slapd.*
464 /var/run/dirsrv(/.*)?
465
466 faillog_t
467
468 /var/log/btmp.*
469 /var/log/faillog.*
470 /var/log/tallylog.*
471 /var/run/faillock(/.*)?
472
473 games_data_t
474
475 /var/games(/.*)?
476 /var/lib/games(/.*)?
477
478 httpd_user_content_t
479
480 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
481
482 httpd_user_htaccess_t
483
484 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
485
486 httpd_user_ra_content_t
487
488 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
489
490 httpd_user_rw_content_t
491
492
493 httpd_user_script_exec_t
494
495 /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
496
497 mail_spool_t
498
499 /var/mail(/.*)?
500 /var/spool/imap(/.*)?
501 /var/spool/mail(/.*)?
502 /var/spool/smtpd(/.*)?
503
504 mqueue_spool_t
505
506 /var/spool/(client)?mqueue(/.*)?
507 /var/spool/mqueue.in(/.*)?
508
509 pulseaudio_tmpfsfile
510
511
512 sandbox_tmpfs_type
513
514 all sandbox content in tmpfs file systems
515
516 security_t
517
518 /selinux
519
520 systemd_passwd_var_run_t
521
522 /var/run/systemd/ask-password(/.*)?
523 /var/run/systemd/ask-password-block(/.*)?
524
525 systemd_unit_file_type
526
527
528 usbfs_t
529
530
531 user_fonts_cache_t
532
533 /root/.fontconfig(/.*)?
534 /root/.fonts/auto(/.*)?
535 /root/.fonts.cache-.*
536 /root/.cache/fontconfig(/.*)?
537 /home/[^/]+/.fontconfig(/.*)?
538 /home/[^/]+/.fonts/auto(/.*)?
539 /home/[^/]+/.fonts.cache-.*
540 /home/[^/]+/.cache/fontconfig(/.*)?
541
542 var_auth_t
543
544 /var/ace(/.*)?
545 /var/rsa(/.*)?
546 /var/lib/abl(/.*)?
547 /var/lib/rsa(/.*)?
548 /var/lib/pam_ssh(/.*)?
549 /var/lib/pam_shield(/.*)?
550 /var/opt/quest/vas/vasd(/.*)?
551 /var/lib/google-authenticator(/.*)?
552
553 virt_image_type
554
555 all virtual image files
556
557
559 semanage fcontext can also be used to manipulate default file context
560 mappings.
561
562 semanage permissive can also be used to manipulate whether or not a
563 process type is permissive.
564
565 semanage module can also be used to enable/disable/install/remove pol‐
566 icy modules.
567
568 semanage boolean can also be used to manipulate the booleans
569
570
571 system-config-selinux is a GUI tool available to customize SELinux pol‐
572 icy settings.
573
574
576 This manual page was auto-generated using sepolicy manpage .
577
578
580 selinux(8), staff(8), semanage(8), restorecon(8), chcon(1), sepol‐
581 icy(8), setsebool(8), staff_consolehelper_selinux(8), staff_console‐
582 helper_selinux(8), staff_dbusd_selinux(8), staff_dbusd_selinux(8),
583 staff_gkeyringd_selinux(8), staff_gkeyringd_selinux(8),
584 staff_screen_selinux(8), staff_screen_selinux(8), staff_seun‐
585 share_selinux(8), staff_seunshare_selinux(8),
586 staff_ssh_agent_selinux(8), staff_ssh_agent_selinux(8),
587 staff_sudo_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8),
588 staff_wine_selinux(8)
589
590
591
592mgrepl@redhat.com staff staff_selinux(8)