user_selinux(8) user SELinux Policy documentation user_selinux(8)

NAME
user_u - Generic unprivileged user - Security Enhanced Linux Policy

DESCRIPTION
user_u is an SELinux User defined in the SELinux policy. SELinux users
have default roles, user_r. The default role has a default type,
user_t, associated with it.

The SELinux user will usually log in to a system with a context that
looks like:

user_u:user_r:user_t:s0

Linux users are automatically assigned an SELinux user at login.
Login programs use the SELinux User to assign the initial context to the
user's shell.

SELinux policy uses the context to control the user's access.

By default all users are assigned to the SELinux user via the
__default__ flag.

On Targeted policy systems the __default__ user is assigned to the
unconfined_u SELinux user.

You can list all Linux user to SELinux user mappings using:

semanage login -l

If you wanted to change the default user mapping to use the user_u
user, you would execute:

semanage login -m -s user_u __default__

If you want to map one Linux user (joe) to the SELinux user user_u,
you would execute:

$ semanage login -a -s user_u joe

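The mapping precedence described above (a login-name entry wins, otherwise the __default__ entry applies), worked through as an added example that is not part of the generated man page. The table below is constructed sample output in the column layout of semanage login -l; on a real host pass "$(semanage login -l)" instead. Group entries (%name), which semanage login also accepts, are not resolved here.

```shell
#!/bin/sh
# Added example, not part of the generated man page: resolve which SELinux
# user (and MLS/MCS range) a Linux login will receive, following the
# precedence the page describes: an entry for the login name itself wins,
# otherwise the __default__ entry applies. Group entries (%name) that
# semanage login also accepts are not resolved here.
#
# SAMPLE_LOGIN_MAP is CONSTRUCTED sample output in the column layout of
# `semanage login -l`; on a real host pass "$(semanage login -l)" instead.
SAMPLE_LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
joe                  staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

# seuser_for LOGIN [MAP]: print "<seuser> <range>" for LOGIN, or fail (exit 1)
# when neither a matching entry nor a __default__ entry exists.
seuser_for() {
    login=$1
    map=${2:-$SAMPLE_LOGIN_MAP}
    printf '%s\n' "$map" | awk -v who="$login" '
        NF >= 3 && $1 == who           { exact = $2 " " $3 }
        NF >= 3 && $1 == "__default__" { dflt  = $2 " " $3 }
        END {
            if (exact != "")     print exact
            else if (dflt != "") print dflt
            else                 exit 1
        }'
}

# unconfined_logins [MAP]: list login names mapped to unconfined_u, which is
# what an auditor wants to see when the goal is confining users as user_u.
unconfined_logins() {
    map=${1:-$SAMPLE_LOGIN_MAP}
    printf '%s\n' "$map" | awk 'NF >= 3 && $2 == "unconfined_u" { print $1 }'
}

# Demo run against the constructed table.
for who in joe alice root; do
    printf '%-8s -> %s\n' "$who" "$(seuser_for "$who")"
done
printf 'logins mapped to unconfined_u: %s\n' "$(unconfined_logins | tr '\n' ' ')"
```

alice has no entry of her own, so she falls through to __default__ and gets user_u; joe has an explicit entry and keeps staff_u even after the default is changed with semanage login -m.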

The SELinux user user_u is defined in policy as an unprivileged user.
SELinux prevents unprivileged users from doing administration tasks
without transitioning to a different role.

X WINDOWS LOGIN
The SELinux user user_u is able to log in to X Windows.

NETWORK
The SELinux user user_u is able to listen on the following tcp ports.

6000-6020

3689

all ports >= 1024

all ports without defined types

32768-60999

The SELinux user user_u is able to connect to the following tcp ports.

8955

53,853

all ports

389,636,3268,3269,7389

all ports without defined types

32768-60999

all ports < 1024

9080

88,750,4444

The SELinux user user_u is able to listen on the following udp ports.

32768-60999

all ports without defined types

all ports >= 1024

The SELinux user user_u is able to connect to the following udp ports.

8955

53,853

all ports

389,636,3268,3269,7389

all ports without defined types

32768-60999

all ports < 1024

9080

88,750,4444

BOOLEANS
SELinux policy is customizable based on least access required. user
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run user with the tightest access possible.

If you want to determine whether crond can execute jobs in the user
domain as opposed to the generic cronjob domain, you must turn on
the cron_userdomain_transition boolean. Enabled by default.

setsebool -P cron_userdomain_transition 1

If you want to deny all system processes and Linux users the use of
bluetooth wireless technology, you must turn on the deny_bluetooth
boolean. Enabled by default.

setsebool -P deny_bluetooth 1

If you want to deny user domain applications the ability to map a
memory region as both executable and writable (this is dangerous, and
the executable should be reported in bugzilla), you must turn on the
deny_execmem boolean. Enabled by default.

setsebool -P deny_execmem 1

If you want to deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean. Enabled by
default.

setsebool -P deny_ptrace 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to determine whether calling user domains can execute the
Git daemon in the git_session_t domain, you must turn on the
git_session_users boolean. Disabled by default.

setsebool -P git_session_users 1

If you want to allow httpd cgi support, you must turn on the
httpd_enable_cgi boolean. Enabled by default.

setsebool -P httpd_enable_cgi 1

If you want to determine whether calling user domains can execute the
Polipo daemon in the polipo_session_t domain, you must turn on the
polipo_session_users boolean. Disabled by default.

setsebool -P polipo_session_users 1

If you want to allow pppd to be run for a regular user, you must turn
on the pppd_for_user boolean. Disabled by default.

setsebool -P pppd_for_user 1

If you want to allow all unconfined executables to use libraries
requiring text relocation that are not labeled textrel_shlib_t, you
must turn on the selinuxuser_execmod boolean. Disabled by default.

setsebool -P selinuxuser_execmod 1

If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Disabled by default.

setsebool -P selinuxuser_execstack 1

If you want to allow users to connect to the local mysql server, you
must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
default.

setsebool -P selinuxuser_mysql_connect_enabled 1

If you want to allow confined users the ability to execute the ping and
traceroute commands, you must turn on the selinuxuser_ping boolean.
Disabled by default.

setsebool -P selinuxuser_ping 1

If you want to allow users to read and write files on filesystems that
do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
the selinuxuser_rw_noexattrfile boolean. Enabled by default.

setsebool -P selinuxuser_rw_noexattrfile 1

If you want to allow unprivileged users to create and transition to
svirt domains, you must turn on the unprivuser_use_svirt boolean.
Disabled by default.

setsebool -P unprivuser_use_svirt 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Enabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

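The booleans above are the knobs that decide how tightly user_u is confined, and a defender's first question is whether they have drifted from the intended state. The following is an added example, not part of the generated man page: it compares getsebool -a output against a baseline and prints the setsebool -P commands from this section that would restore it. The baseline (deny_* on, execstack and execmod off) is a hardening choice made for this example, not something the man page prescribes, and the getsebool lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the generated man page: audit the booleans
# described above against a baseline and print the drift, so a change such
# as selinuxuser_execstack being switched on is noticed. The baseline below
# is a hardening choice made for this example (deny_* on, execstack and
# execmod off); it is not something the man page prescribes.
BASELINE='deny_ptrace on
deny_execmem on
deny_bluetooth on
selinuxuser_execstack off
selinuxuser_execmod off
selinuxuser_ping off
use_samba_home_dirs off'

# CONSTRUCTED sample in the line format of `getsebool -a`; two values
# deliberately differ from the baseline.
SAMPLE_GETSEBOOL='cron_userdomain_transition --> on
deny_bluetooth --> on
deny_execmem --> off
deny_ptrace --> on
selinuxuser_execmod --> off
selinuxuser_execstack --> on
selinuxuser_ping --> off
use_samba_home_dirs --> off'

# boolean_drift [GETSEBOOL_OUTPUT]: print "<boolean> <actual> <expected>" for
# every baseline boolean whose state differs ("missing" when the policy does
# not define it). Returns 0 when there is no drift, 1 otherwise.
boolean_drift() {
    current=${1:-$SAMPLE_GETSEBOOL}
    drift=$({ printf '%s\n' "$BASELINE"; echo '---'; printf '%s\n' "$current"; } | awk '
        /^---$/     { in_current = 1; next }
        !in_current { want[$1] = $2; next }
        $2 == "-->" { have[$1] = $3 }
        END {
            for (b in want) {
                if (!(b in have))            print b " missing " want[b]
                else if (have[b] != want[b]) print b " " have[b] " " want[b]
            }
        }' | LC_ALL=C sort)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# remediation_commands [GETSEBOOL_OUTPUT]: turn each drift line into the
# setsebool -P command from the man page. Printed for review, never run here.
remediation_commands() {
    boolean_drift "$@" | awk '{ print "setsebool -P " $1 " " ($3 == "on" ? 1 : 0) }'
}

# Demo run against the constructed sample.
if boolean_drift; then
    echo "booleans match baseline"
else
    echo "drift detected; suggested fixes:"
    remediation_commands
fi
```

On a real host call boolean_drift "$(getsebool -a)"; the function's exit status makes it usable directly from a compliance check or cron job, and the remediation output is meant to be reviewed before being applied, since setsebool -P writes the change into the persistent policy.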
HOME_EXEC
The SELinux user user_u is able to execute home content files.

TRANSITIONS
Three things can happen when user_t attempts to execute a program.

1. SELinux Policy can deny user_t from executing the program.

2. SELinux Policy can allow user_t to execute the program in the
current user type.

Execute the following to see the types that the SELinux user
user_t can execute without transitioning:

sesearch -A -s user_t -c file -p execute_no_trans

3. SELinux can allow user_t to execute the program and transition to a
new type.

Execute the following to see the types that the SELinux user
user_t can execute and transition:

$ sesearch -A -s user_t -c process -p transition

MANAGED FILES
The SELinux process type user_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

alsa_home_t

/home/[^/]+/.asoundrc

anon_inodefs_t


auth_cache_t

/var/cache/coolkey(/.*)?

cgroup_t

/sys/fs/cgroup

chrome_sandbox_tmpfs_t


faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

games_data_t

/var/games(/.*)?
/var/lib/games(/.*)?

httpd_user_content_t

/home/[^/]+/((www)|(web)|(public_html))(/.+)?

httpd_user_htaccess_t

/home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

httpd_user_ra_content_t

/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

httpd_user_rw_content_t


httpd_user_script_exec_t

/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

mail_spool_t

/var/mail(/.*)?
/var/spool/imap(/.*)?
/var/spool/mail(/.*)?
/var/spool/smtpd(/.*)?

mqueue_spool_t

/var/spool/(client)?mqueue(/.*)?
/var/spool/mqueue.in(/.*)?

pulseaudio_tmpfsfile


sandbox_tmpfs_type

all sandbox content in tmpfs file systems

security_t

/selinux

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?

usbfs_t


user_fonts_cache_t

/root/.fontconfig(/.*)?
/root/.fonts/auto(/.*)?
/root/.fonts.cache-.*
/root/.cache/fontconfig(/.*)?
/home/[^/]+/.fontconfig(/.*)?
/home/[^/]+/.fonts/auto(/.*)?
/home/[^/]+/.fonts.cache-.*
/home/[^/]+/.cache/fontconfig(/.*)?

var_auth_t

/var/ace(/.*)?
/var/rsa(/.*)?
/var/lib/abl(/.*)?
/var/lib/rsa(/.*)?
/var/lib/pam_ssh(/.*)?
/var/lib/pam_shield(/.*)?
/var/opt/quest/vas/vasd(/.*)?
/var/lib/google-authenticator(/.*)?

virt_image_type

all virtual image files

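The default paths listed above are regular expressions, and several of them overlap (a file under public_html/cgi-bin matches both the httpd_user_content_t and the httpd_user_script_exec_t pattern). The following added example, not part of the generated man page, shows which listed type a given path falls under by matching those patterns. The matching is a simplification of what matchpathcon(8) and restorecon(8) do: every pattern is anchored at both ends and, when several match, the most specific one (taken here as the longest pattern) wins. Only a subset of the table is included, copied from the list above.

```shell
#!/bin/sh
# Added example, not part of the generated man page: given a path, find which
# of the file types listed above it falls under, by matching the page's
# default-path regular expressions. The matching is a simplification of what
# matchpathcon(8)/restorecon(8) do: each pattern is anchored at both ends and,
# when several patterns match, the most specific one (taken here as the
# longest pattern) wins. Only a subset of the table above is included.
USER_T_FCONTEXTS='/home/[^/]+/.asoundrc alsa_home_t
/var/cache/coolkey(/.*)? auth_cache_t
/sys/fs/cgroup cgroup_t
/var/log/btmp.* faillog_t
/var/log/faillog.* faillog_t
/var/log/tallylog.* faillog_t
/var/run/faillock(/.*)? faillog_t
/var/games(/.*)? games_data_t
/var/lib/games(/.*)? games_data_t
/home/[^/]+/((www)|(web)|(public_html))(/.+)? httpd_user_content_t
/home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess httpd_user_htaccess_t
/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)? httpd_user_ra_content_t
/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)? httpd_user_script_exec_t
/var/mail(/.*)? mail_spool_t
/var/spool/imap(/.*)? mail_spool_t
/var/spool/mail(/.*)? mail_spool_t
/var/spool/smtpd(/.*)? mail_spool_t
/var/spool/(client)?mqueue(/.*)? mqueue_spool_t
/var/spool/mqueue.in(/.*)? mqueue_spool_t
/var/run/systemd/ask-password(/.*)? systemd_passwd_var_run_t
/home/[^/]+/.fontconfig(/.*)? user_fonts_cache_t
/home/[^/]+/.cache/fontconfig(/.*)? user_fonts_cache_t
/var/lib/google-authenticator(/.*)? var_auth_t'

# expected_type PATH: print the file type whose pattern matches PATH, or
# "<unlisted>" with exit status 1 when no listed pattern matches.
expected_type() {
    printf '%s\n' "$USER_T_FCONTEXTS" | awk -v p="$1" '
        NF == 2 && p ~ ("^" $1 "$") && length($1) > best_len {
            best_len = length($1); best = $2
        }
        END {
            if (best == "") { print "<unlisted>"; exit 1 }
            print best
        }'
}

# Demo: note how the .htaccess, logs and cgi-bin patterns beat the general
# public_html pattern for paths they also match.
for path in /home/joe/public_html/index.html \
            /home/joe/public_html/.htaccess \
            /home/joe/www/cgi-bin/form.cgi \
            /home/joe/www/logs/access.log \
            /var/spool/clientmqueue/qfABC \
            /etc/passwd; do
    printf '%-40s %s\n' "$path" "$(expected_type "$path")"
done
```

A path that resolves to "<unlisted>" is one user_t cannot manage through any of the listed types; comparing expected_type with the label a file actually carries (ls -Z) is a quick way to spot content that was mislabeled, for example a script copied into cgi-bin with mv rather than cp, before restorecon is run.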
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8),
user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8),
user_ssh_agent_selinux(8), user_wine_selinux(8)

mgrepl@redhat.com user user_selinux(8)