staff_selinux(8)

1staff_selinux(8)      staff SELinux Policy documentation      staff_selinux(8)
2
3
4

NAME

6       staff_u  -  Administrator's unprivileged user - Security Enhanced Linux
7       Policy
8
9

DESCRIPTION

11       staff_u is an SELinux User defined in the SELinux policy. SELinux users
12       have  default  roles,  staff_r.   The  default role has a default type,
13       staff_t, associated with it.
14
15       The SELinux user will usually login to a system  with  a  context  that
16       looks like:
17
18       staff_u:staff_r:staff_t:s0 - s0:c0.c1023
19
20       Linux  users  are  automatically  assigned  an  SELinux users at login.
21       Login programs use the SELinux User to assign initial  context  to  the
22       user's shell.
23
24       SELinux policy uses the context to control the user's access.
25
26       By  default  all  users  are  assigned  to  the  SELinux  user  via the
27       __default__ flag
28
29       On Targeted policy systems the __default__  user  is  assigned  to  the
30       unconfined_u SELinux user.
31
32       You can list all Linux User to SELinux user mapping using:
33
34       semanage login -l
35
36       If  you  wanted  to  change the default user mapping to use the staff_u
37       user, you would execute:
38
39       semanage login -m -s staff_u __default__
40
41
42       If you want to map the one Linux user (joe) to the SELinux user  staff,
43       you would execute:
44
45       $ semanage login -a -s staff_u joe
46
47
48

USER DESCRIPTION

50       The  SELinux  user staff_u is defined in policy as a unprivileged user.
51       SELinux prevents unprivileged users  from  doing  administration  tasks
52       without transitioning to a different role.
53
54

SUDO

56       The SELinux user staff can execute sudo.
57
58       You  can  set up sudo to allow staff to transition to an administrative
59       domain:
60
61       Add one or more of the following record to sudoers using visudo.
62
63
64       USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
65       sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
66
67       You might also need to add one or more  of  these  new  roles  to  your
68       SELinux user record.
69
70       List the SELinux roles your SELinux user can reach by executing:
71
72       $ semanage user -l |grep selinux_name
73
74       Modify the roles list and add staff_r to this list.
75
76       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
77       logadm_r dbadm_r auditadm_r' staff_u
78
79       For more details you can see semanage man page.
80
81
82       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
83       sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
84
85       You might also need to add one or more  of  these  new  roles  to  your
86       SELinux user record.
87
88       List the SELinux roles your SELinux user can reach by executing:
89
90       $ semanage user -l |grep selinux_name
91
92       Modify the roles list and add staff_r to this list.
93
94       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
95       logadm_r dbadm_r auditadm_r' staff_u
96
97       For more details you can see semanage man page.
98
99
100       USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
101       sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
102
103       You might also need to add one or more  of  these  new  roles  to  your
104       SELinux user record.
105
106       List the SELinux roles your SELinux user can reach by executing:
107
108       $ semanage user -l |grep selinux_name
109
110       Modify the roles list and add staff_r to this list.
111
112       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
113       logadm_r dbadm_r auditadm_r' staff_u
114
115       For more details you can see semanage man page.
116
117
118       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
119       sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
120
121       You might also need to add one or more  of  these  new  roles  to  your
122       SELinux user record.
123
124       List the SELinux roles your SELinux user can reach by executing:
125
126       $ semanage user -l |grep selinux_name
127
128       Modify the roles list and add staff_r to this list.
129
130       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
131       logadm_r dbadm_r auditadm_r' staff_u
132
133       For more details you can see semanage man page.
134
135
136       USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
137       sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
138
139       You might also need to add one or more  of  these  new  roles  to  your
140       SELinux user record.
141
142       List the SELinux roles your SELinux user can reach by executing:
143
144       $ semanage user -l |grep selinux_name
145
146       Modify the roles list and add staff_r to this list.
147
148       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
149       logadm_r dbadm_r auditadm_r' staff_u
150
151       For more details you can see semanage man page.
152
153
154       USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
155       sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
156
157       You might also need to add one or more  of  these  new  roles  to  your
158       SELinux user record.
159
160       List the SELinux roles your SELinux user can reach by executing:
161
162       $ semanage user -l |grep selinux_name
163
164       Modify the roles list and add staff_r to this list.
165
166       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
167       logadm_r dbadm_r auditadm_r' staff_u
168
169       For more details you can see semanage man page.
170
171
172       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
173       sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
174
175       You might also need to add one or more  of  these  new  roles  to  your
176       SELinux user record.
177
178       List the SELinux roles your SELinux user can reach by executing:
179
180       $ semanage user -l |grep selinux_name
181
182       Modify the roles list and add staff_r to this list.
183
184       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
185       logadm_r dbadm_r auditadm_r' staff_u
186
187       For more details you can see semanage man page.
188
189
190       The SELinux type staff_t is not allowed to execute sudo.
191
192

X WINDOWS LOGIN

194       The SELinux user staff_u is able to X Windows login.
195
196

NETWORK

198       The SELinux user staff_u is able to listen on the following tcp ports.
199
200              6000-6020
201
202              3689
203
204              all ports >= 1024
205
206              all ports without defined types
207
208              32768-60999
209
210
211       The SELinux user staff_u is able to connect to the following tcp ports.
212
213              8955
214
215              all ports
216
217              53,853
218
219              389,636,3268,3269,7389
220
221              all ports without defined types
222
223              32768-60999
224
225              all ports < 1024
226
227              9080
228
229              88,750,4444
230
231
232       The SELinux user staff_u is able to listen on the following udp ports.
233
234              32768-60999
235
236              all ports without defined types
237
238              all ports >= 1024
239
240
241       The SELinux user staff_u is able to connect to the following tcp ports.
242
243              8955
244
245              all ports
246
247              53,853
248
249              389,636,3268,3269,7389
250
251              all ports without defined types
252
253              32768-60999
254
255              all ports < 1024
256
257              9080
258
259              88,750,4444
260
261

BOOLEANS

263       SELinux policy is customizable based on least access  required.   staff
264       policy is extremely flexible and has several booleans that allow you to
265       manipulate the policy and run staff with the tightest access possible.
266
267
268
269       If you want to allow staff user  to  create  and  transition  to  svirt
270       domains,  you  must  turn  on  the staff_use_svirt boolean. Disabled by
271       default.
272
273       setsebool -P staff_use_svirt 1
274
275
276
277       If you want to determine whether crond can execute  jobs  in  the  user
278       domain  as  opposed to the the generic cronjob domain, you must turn on
279       the cron_userdomain_transition boolean. Enabled by default.
280
281       setsebool -P cron_userdomain_transition 1
282
283
284
285       If you want to deny all system processes and Linux users to  use  blue‐
286       tooth wireless technology, you must turn on the deny_bluetooth boolean.
287       Enabled by default.
288
289       setsebool -P deny_bluetooth 1
290
291
292
293       If you want to deny user domains applications to map a memory region as
294       both  executable  and  writable,  this  is dangerous and the executable
295       should be reported in bugzilla, you must turn on the deny_execmem bool‐
296       ean. Enabled by default.
297
298       setsebool -P deny_execmem 1
299
300
301
302       If  you  want  to deny any process from ptracing or debugging any other
303       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
304       default.
305
306       setsebool -P deny_ptrace 1
307
308
309
310       If you want to allow all domains to execute in fips_mode, you must turn
311       on the fips_mode boolean. Enabled by default.
312
313       setsebool -P fips_mode 1
314
315
316
317       If you want to determine whether calling user domains can  execute  Git
318       daemon  in  the  git_session_t  domain,  you  must turn on the git_ses‐
319       sion_users boolean. Disabled by default.
320
321       setsebool -P git_session_users 1
322
323
324
325       If you  want  to  allow  httpd  cgi  support,  you  must  turn  on  the
326       httpd_enable_cgi boolean. Enabled by default.
327
328       setsebool -P httpd_enable_cgi 1
329
330
331
332       If  you  want  to  determine  whether  calling user domains can execute
333       Polipo daemon in the polipo_session_t domain,  you  must  turn  on  the
334       polipo_session_users boolean. Disabled by default.
335
336       setsebool -P polipo_session_users 1
337
338
339
340       If  you  want to allow pppd to be run for a regular user, you must turn
341       on the pppd_for_user boolean. Disabled by default.
342
343       setsebool -P pppd_for_user 1
344
345
346
347       If you want to  allow  all  unconfined  executables  to  use  libraries
348       requiring  text  relocation  that  are not labeled textrel_shlib_t, you
349       must turn on the selinuxuser_execmod boolean. Disabled by default.
350
351       setsebool -P selinuxuser_execmod 1
352
353
354
355       If you want to allow unconfined executables to make  their  stack  exe‐
356       cutable.   This  should  never, ever be necessary. Probably indicates a
357       badly coded executable, but could indicate an attack.  This  executable
358       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
359       stack boolean. Disabled by default.
360
361       setsebool -P selinuxuser_execstack 1
362
363
364
365       If you want to allow users to connect to the local  mysql  server,  you
366       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
367       default.
368
369       setsebool -P selinuxuser_mysql_connect_enabled 1
370
371
372
373       If you want to allow user to r/w files on filesystems that do not  have
374       extended  attributes  (FAT, CDROM, FLOPPY), you must turn on the selin‐
375       uxuser_rw_noexattrfile boolean. Enabled by default.
376
377       setsebool -P selinuxuser_rw_noexattrfile 1
378
379
380
381       If you want to support NFS home  directories,  you  must  turn  on  the
382       use_nfs_home_dirs boolean. Enabled by default.
383
384       setsebool -P use_nfs_home_dirs 1
385
386
387
388       If  you  want  to  support SAMBA home directories, you must turn on the
389       use_samba_home_dirs boolean. Disabled by default.
390
391       setsebool -P use_samba_home_dirs 1
392
393
394

HOME_EXEC

396       The SELinux user staff_u is able execute home content files.
397
398

TRANSITIONS

400       Three things can happen when staff_t attempts to execute a program.
401
402       1. SELinux Policy can deny staff_t from executing the program.
403
404
405
406       2. SELinux Policy can allow staff_t to execute the program in the  cur‐
407       rent user type.
408
409              Execute  the  following  to  see the types that the SELinux user
410              staff_t can execute without transitioning:
411
412              sesearch -A -s staff_t -c file -p execute_no_trans
413
414
415
416       3. SELinux can allow staff_t to execute the program and transition to a
417       new type.
418
419              Execute  the  following  to  see the types that the SELinux user
420              staff_t can execute and transition:
421
422              $ sesearch -A -s staff_t -c process -p transition
423
424
425

MANAGED FILES

427       The SELinux process type staff_t can manage files labeled with the fol‐
428       lowing  file  types.   The paths listed are the default paths for these
429       file types.  Note the processes UID still need to have DAC permissions.
430
431       alsa_home_t
432
433            /home/[^/]+/.asoundrc
434
435       anon_inodefs_t
436
437
438       auth_cache_t
439
440            /var/cache/coolkey(/.*)?
441
442       cgroup_t
443
444            /sys/fs/cgroup
445
446       chrome_sandbox_tmpfs_t
447
448
449       dirsrv_config_t
450
451            /etc/dirsrv(/.*)?
452
453       dirsrv_var_lib_t
454
455            /var/lib/dirsrv(/.*)?
456
457       dirsrv_var_log_t
458
459            /var/log/dirsrv(/.*)?
460
461       dirsrv_var_run_t
462
463            /var/run/slapd.*
464            /var/run/dirsrv(/.*)?
465
466       faillog_t
467
468            /var/log/btmp.*
469            /var/log/faillog.*
470            /var/log/tallylog.*
471            /var/run/faillock(/.*)?
472
473       games_data_t
474
475            /var/games(/.*)?
476            /var/lib/games(/.*)?
477
478       httpd_user_content_t
479
480            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
481
482       httpd_user_htaccess_t
483
484            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
485
486       httpd_user_ra_content_t
487
488            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
489
490       httpd_user_rw_content_t
491
492
493       httpd_user_script_exec_t
494
495            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
496
497       mail_spool_t
498
499            /var/mail(/.*)?
500            /var/spool/imap(/.*)?
501            /var/spool/mail(/.*)?
502            /var/spool/smtpd(/.*)?
503
504       mqueue_spool_t
505
506            /var/spool/(client)?mqueue(/.*)?
507            /var/spool/mqueue.in(/.*)?
508
509       pulseaudio_tmpfsfile
510
511
512       sandbox_tmpfs_type
513
514            all sandbox content in tmpfs file systems
515
516       security_t
517
518            /selinux
519
520       systemd_passwd_var_run_t
521
522            /var/run/systemd/ask-password(/.*)?
523            /var/run/systemd/ask-password-block(/.*)?
524
525       systemd_unit_file_type
526
527
528       usbfs_t
529
530
531       user_fonts_cache_t
532
533            /root/.fontconfig(/.*)?
534            /root/.fonts/auto(/.*)?
535            /root/.fonts.cache-.*
536            /root/.cache/fontconfig(/.*)?
537            /home/[^/]+/.fontconfig(/.*)?
538            /home/[^/]+/.fonts/auto(/.*)?
539            /home/[^/]+/.fonts.cache-.*
540            /home/[^/]+/.cache/fontconfig(/.*)?
541
542       var_auth_t
543
544            /var/ace(/.*)?
545            /var/rsa(/.*)?
546            /var/lib/abl(/.*)?
547            /var/lib/rsa(/.*)?
548            /var/lib/pam_ssh(/.*)?
549            /var/lib/pam_shield(/.*)?
550            /var/opt/quest/vas/vasd(/.*)?
551            /var/lib/google-authenticator(/.*)?
552
553       virt_image_type
554
555            all virtual image files
556
557

COMMANDS

559       semanage fcontext can also be used to manipulate default  file  context
560       mappings.
561
562       semanage  permissive  can  also  be used to manipulate whether or not a
563       process type is permissive.
564
565       semanage module can also be used to enable/disable/install/remove  pol‐
566       icy modules.
567
568       semanage boolean can also be used to manipulate the booleans
569
570
571       system-config-selinux is a GUI tool available to customize SELinux pol‐
572       icy settings.
573
574

AUTHOR

576       This manual page was auto-generated using sepolicy manpage .
577
578