sysadm_selinux(8)        sysadm SELinux Policy documentation        sysadm_selinux(8)

NAME
       sysadm_u - General system administration role - Security Enhanced Linux
       Policy

DESCRIPTION
       sysadm_u is an SELinux user defined in the SELinux policy. SELinux users
       have a default role; for sysadm_u it is sysadm_r. The default role has a
       default type, sysadm_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to an SELinux user via the
       __default__ login record.

       On targeted policy systems the __default__ record is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the sysadm_u
       user, you would execute:

       semanage login -m -s sysadm_u __default__

       If you want to map one Linux user (joe) to the SELinux user sysadm_u,
       you would execute:

       $ semanage login -a -s sysadm_u joe

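       The following script is an added example and is not part of this man
       page or of the sepolicy tooling. It reads output in the format that
       "semanage login -l" prints and reports which Linux logins map to
       sysadm_u, and in particular whether the __default__ record does, since
       that would give every unmapped account an administrative context. The
       SAMPLE_LOGIN_MAP text and the login name "joe" are constructed for the
       example, not captured from a real host.

```shell
# Added example, not part of the sysadm_selinux man page: audit which Linux
# logins map to sysadm_u. The functions read the output format of
# "semanage login -l" on stdin; SAMPLE_LOGIN_MAP is constructed for this
# example, not captured from a real host.

SAMPLE_LOGIN_MAP='
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
'

# Print the login names mapped to the SELinux user given as $1, one per line.
# The header row starts with "Login", so the $1 test skips it.
logins_mapped_to() {
    awk -v u="$1" 'NF >= 2 && $1 != "Login" && $2 == u { print $1 }'
}

# Succeed (exit 0) when the __default__ record maps to the SELinux user $1.
# For sysadm_u that means every account without an explicit mapping logs
# in with an administrative context.
default_maps_to() {
    logins_mapped_to "$1" | grep -qx '__default__'
}

# Stand-alone run against the constructed sample; on a real host replace the
# printf with "semanage login -l".
printf 'Logins mapped to sysadm_u:\n'
printf '%s\n' "$SAMPLE_LOGIN_MAP" | logins_mapped_to sysadm_u
if printf '%s\n' "$SAMPLE_LOGIN_MAP" | default_maps_to sysadm_u; then
    printf 'WARNING: __default__ maps to sysadm_u; unmapped accounts become administrators\n'
else
    printf '__default__ does not map to sysadm_u\n'
fi
```

       Pipe the real "semanage login -l" output into logins_mapped_to or
       default_maps_to to run the same check on a host.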
USER DESCRIPTION
       The SELinux user sysadm_u is an admin user. This means that a Linux user
       mapped to this SELinux user is intended for administrative actions.
       Usually it is assigned to the root Linux user.

SUDO
       The SELinux user sysadm_u can execute sudo.

       You can set up sudo to allow sysadm_u to transition to an
       administrative domain:

       Add one or more of the following records to sudoers using visudo.

       USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
       sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL

       You might also need to add one or more of these new roles to your
       SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add sysadm_r to it (the command below also
       adds user_r, staff_r, secadm_r and auditadm_r):

       $ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

       For more details see the semanage(8) man page.

       USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
       sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL

       You might also need to add one or more of these new roles to your
       SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add sysadm_r to it (the command below also
       adds user_r, staff_r, secadm_r and auditadm_r):

       $ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

       For more details see the semanage(8) man page.

       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
       sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL

       You might also need to add one or more of these new roles to your
       SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add sysadm_r to it (the command below also
       adds user_r, staff_r, secadm_r and auditadm_r):

       $ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

       For more details see the semanage(8) man page.

       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
       sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL

       You might also need to add one or more of these new roles to your
       SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add sysadm_r to it (the command below also
       adds user_r, staff_r, secadm_r and auditadm_r):

       $ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

       For more details see the semanage(8) man page.
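       The following script is an added example and is not part of this man
       page or of the sepolicy tooling. It ties the sudoers records above to
       the role check the page describes: before a ROLE=/TYPE= record is
       added, the role must be reachable by the SELinux user, otherwise the
       transition is refused. The functions read output in the format that
       "semanage user -l" prints; SAMPLE_USER_MAP, the login name "joe" and the
       command paths are constructed for the example, and nothing on the host
       is modified.

```shell
# Added example, not part of the sysadm_selinux man page: check that the role
# named in a planned sudoers record is reachable by the SELinux user before
# adding the record. Functions read "semanage user -l" output on stdin;
# SAMPLE_USER_MAP is constructed for this example, not captured from a host.

SAMPLE_USER_MAP='
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
'

# Print the roles of SELinux user $1 (columns 5 onward of its record) on one line.
seuser_roles() {
    awk -v u="$1" '$1 == u { for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# Succeed when SELinux user $1 may reach role $2.
role_reachable() {
    seuser_roles "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Print the sudoers record letting Linux user $1 run $4 as role $2 / type $3.
sudoers_record() {
    printf '%s ALL=(ALL) ROLE=%s TYPE=%s %s\n' "$1" "$2" "$3" "$4"
}

# Arguments: SEUSER USERNAME ROLE TYPE COMMAND. Prints the record when ROLE is
# already reachable by SEUSER; otherwise prints the semanage command that
# would add it and fails. Nothing on the host is modified.
plan_sudo_rule() {
    map=$(cat)
    if printf '%s\n' "$map" | role_reachable "$1" "$3"; then
        sudoers_record "$2" "$3" "$4" "$5"
    else
        roles=$(printf '%s\n' "$map" | seuser_roles "$1")
        printf "role %s is not reachable by %s; add it with: semanage user -m -R '%s %s' %s\n" \
            "$3" "$1" "$roles" "$3" "$1"
        return 1
    fi
}

# Stand-alone run: a record that works as-is, then the page's staff_r record
# for a user mapped to sysadm_u, which needs the role added first.
printf '%s\n' "$SAMPLE_USER_MAP" | plan_sudo_rule staff_u joe sysadm_r sysadm_t /usr/sbin/semodule
printf '%s\n' "$SAMPLE_USER_MAP" | plan_sudo_rule sysadm_u joe staff_r staff_t /usr/bin/systemctl || true
```

       On a host, pipe the real "semanage user -l" output into plan_sudo_rule;
       the printed record is what goes into visudo, and the printed semanage
       command is the role change the page describes.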


       The SELinux type sysadm_t is not allowed to execute sudo.

X WINDOWS LOGIN
       The SELinux user sysadm_u is able to log in to X Windows.

NETWORK
       The SELinux user sysadm_u is able to listen on the following tcp ports.

       32768-60999

       all ports without defined types

       389,636,3268,3269,7389

       1716

       all ports >= 1024

       The SELinux user sysadm_u is able to connect to the following tcp
       ports.

       8955

       53,853

       all ports

       389,636,3268,3269,7389

       all ports without defined types

       32768-60999

       all ports < 1024

       9080

       88,750,4444

       The SELinux user sysadm_u is able to listen on the following udp ports.

       32768-60999

       all ports without defined types

       123

       all ports >= 1024

BOOLEANS
       SELinux policy is customizable based on least access required. sysadm
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sysadm with the tightest access possible.

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1

       If you want to deny user domain applications mapping a memory region as
       both executable and writable (this is dangerous and the executable
       should be reported in bugzilla), you must turn on the deny_execmem
       boolean. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to determine whether calling user domains can execute the
       Git daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Disabled by default.

       setsebool -P git_session_users 1

       If you want to determine whether calling user domains can execute the
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1

       If you want to allow unconfined executables to make their stack
       executable (this should never, ever be necessary; it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       selinuxuser_execstack boolean. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_tcp_server boolean. Disabling this forces FTP passive
       mode and may change other protocols. Disabled by default.

       setsebool -P selinuxuser_tcp_server 1

       If you want to allow users to run UDP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_udp_server boolean. Disabling this may break avahi
       discovering services on the network and other UDP related services.
       Disabled by default.

       setsebool -P selinuxuser_udp_server 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
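       The following script is an added example and is not part of this man
       page or of the sepolicy tooling. It compares the current state of the
       booleans listed in this section, as printed by "getsebool -a", against
       the defaults documented above and prints the setsebool commands that
       would restore them, which is the check a reviewer wants after a host
       has been tuned by hand. SAMPLE_GETSEBOOL is constructed for the
       example, not captured from a host; the commands are printed, not run.

```shell
# Added example, not part of the sysadm_selinux man page: compare the current
# state of the booleans listed above against the defaults this page documents
# and print the setsebool commands that would restore them. Input is the
# format of "getsebool -a" on stdin; SAMPLE_GETSEBOOL is constructed, not
# captured from a host.

# Name and documented default, taken from the BOOLEANS section of this page.
SYSADM_BOOLEAN_DEFAULTS='
cron_userdomain_transition on
deny_bluetooth on
deny_execmem on
deny_ptrace on
fips_mode on
git_session_users off
polipo_session_users off
selinuxuser_execstack on
selinuxuser_rw_noexattrfile on
selinuxuser_tcp_server off
selinuxuser_udp_server off
use_nfs_home_dirs off
use_samba_home_dirs off
'

# Constructed "getsebool -a" output: two booleans deviate from the defaults.
SAMPLE_GETSEBOOL='
cron_userdomain_transition --> on
deny_bluetooth --> on
deny_execmem --> on
deny_ptrace --> off
fips_mode --> on
git_session_users --> off
polipo_session_users --> off
selinuxuser_execstack --> on
selinuxuser_rw_noexattrfile --> on
selinuxuser_tcp_server --> on
selinuxuser_udp_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
'

# Read getsebool output on stdin; print "name current documented" for each
# boolean whose state differs from the documented default. Booleans absent
# from the input (not present in the loaded policy) are skipped.
boolean_drift() {
    current=$(cat)
    printf '%s\n' "$SYSADM_BOOLEAN_DEFAULTS" | while read -r name expected; do
        [ -n "$name" ] || continue
        state=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -n "$state" ] && [ "$state" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$state" "$expected"
        fi
    done
}

# Turn the drift report into persistent setsebool commands (printed, not run).
drift_remediation() {
    boolean_drift | while read -r name current expected; do
        case "$expected" in
            on)  printf 'setsebool -P %s 1\n' "$name" ;;
            off) printf 'setsebool -P %s 0\n' "$name" ;;
        esac
    done
}

# Stand-alone run; on a real host pipe "getsebool -a" instead of the sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | drift_remediation
```

       Review the printed commands before running them: a boolean that is off
       on purpose (for example selinuxuser_tcp_server left on for a service
       account) should be recorded as a deliberate exception rather than
       silently reverted.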


HOME_EXEC
       The SELinux user sysadm_u is able to execute home content files.

TRANSITIONS
       Three things can happen when sysadm_t attempts to execute a program.

       1. SELinux policy can deny sysadm_t from executing the program.

       2. SELinux policy can allow sysadm_t to execute the program in the
       current user type.

       Execute the following to see the types that the sysadm_t domain can
       execute without transitioning:

       $ sesearch -A -s sysadm_t -c file -p execute_no_trans

       3. SELinux can allow sysadm_t to execute the program and transition to
       a new type.

       Execute the following to see the types that the sysadm_t domain can
       execute and transition to:

       $ sesearch -A -s sysadm_t -c process -p transition

MANAGED FILES
       The SELinux process type sysadm_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.

       auditd_etc_t

            /etc/audit(/.*)?

       auditd_log_t

            /var/log/audit(/.*)?
            /var/log/audit.log.*

       boolean_type


       chrome_sandbox_tmpfs_t


       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       krb5_keytab_t

            /var/kerberos/krb5(/.*)?
            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       non_security_file_type


       security_t

            /selinux

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       semanage_store_t

            /etc/selinux/([^/]*/)?policy(/.*)?
            /etc/selinux/(minimum|mls|targeted)/active(/.*)?
            /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
            /var/lib/selinux(/.*)?
            /etc/share/selinux/mls(/.*)?
            /etc/share/selinux/targeted(/.*)?

       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?

       xserver_tmpfs_t

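       The following script is an added example and is not part of this man
       page or of the sepolicy tooling. It shows how the default paths listed
       above are applied: each entry is a regular expression that must match
       the whole path, so the script tells you whether a given path falls
       under one of sysadm_t's managed file types. FILE_CONTEXTS holds a
       subset of the patterns from this page and the test paths are
       constructed; on a real host the authoritative answer comes from
       matchpathcon or "semanage fcontext -l" against the loaded policy.

```shell
# Added example, not part of the sysadm_selinux man page: decide which of the
# managed file types listed above a given path falls under, by applying the
# page's file-context regular expressions the way SELinux does (each pattern
# must match the whole path). FILE_CONTEXTS holds a subset of the patterns
# from this page; a real check would use "matchpathcon" or
# "semanage fcontext -l" against the loaded policy.

FILE_CONTEXTS='
auditd_etc_t /etc/audit(/.*)?
auditd_log_t /var/log/audit(/.*)?
auditd_log_t /var/log/audit.log.*
krb5_keytab_t /etc/krb5.keytab
krb5_keytab_t /var/kerberos/krb5(/.*)?
mail_spool_t /var/spool/mail(/.*)?
mqueue_spool_t /var/spool/(client)?mqueue(/.*)?
semanage_store_t /etc/selinux/([^/]*/)?policy(/.*)?
semanage_store_t /var/lib/selinux(/.*)?
user_fonts_cache_t /home/[^/]+/.cache/fontconfig(/.*)?
user_tmp_t /home/[^/]+/tmp
'

# Print the first type whose pattern matches path $1 in full; fail if none does.
# The loaded policy resolves overlapping patterns by its own ordering, so a
# match here only tells you that sysadm_t's managed-files list covers the path.
label_for_path() {
    path=$1
    match=$(printf '%s\n' "$FILE_CONTEXTS" | while read -r type re; do
        [ -n "$type" ] || continue
        if printf '%s\n' "$path" | grep -Eq "^${re}"'$'; then
            printf '%s\n' "$type"
            break
        fi
    done)
    [ -n "$match" ] || return 1
    printf '%s\n' "$match"
}

# Stand-alone run over a few constructed paths.
for p in /var/log/audit/audit.log /etc/krb5.keytab /home/alice/.cache/fontconfig/x /etc/passwd; do
    printf '%s -> %s\n' "$p" "$(label_for_path "$p" || printf 'not a sysadm_t managed type on this page')"
done
```

       Note that an unescaped "." in these patterns matches any character, as
       it does in the page's own entries such as /etc/krb5.keytab, and that a
       path outside every pattern (here /etc/passwd) is simply not one that
       sysadm_t manages through these types.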
COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), sysadm_dbusd_selinux(8),
       sysadm_gkeyringd_selinux(8), sysadm_passwd_selinux(8),
       sysadm_screen_selinux(8), sysadm_seunshare_selinux(8),
       sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8),
       sysadm_sudo_selinux(8)

mgrepl@redhat.com                    sysadm                    sysadm_selinux(8)