sysadm_selinux(8)     sysadm SELinux Policy documentation    sysadm_selinux(8)


NAME

       sysadm_u - General system administration role - Security Enhanced Linux
       Policy


DESCRIPTION

       sysadm_u is an SELinux user defined in the SELinux policy. SELinux
       users have default roles; for sysadm_u that is sysadm_r. The default
       role has a default type, sysadm_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       sysadm_u:sysadm_r:sysadm_t:s0 - s0:c0.c1023

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default all Linux users are assigned to the SELinux user named by
       the __default__ mapping.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the sysadm_u
       user, you would execute:

       semanage login -m -s sysadm_u __default__

       If you want to map one Linux user (joe) to the SELinux user sysadm_u,
       you would execute:

       $ semanage login -a -s sysadm_u joe


USER DESCRIPTION

       The SELinux user sysadm_u is an admin user. This means that a Linux
       user mapped to this SELinux user is intended for administrative
       actions. Usually this is assigned to the root Linux user.


SUDO

       The SELinux user sysadm_u can execute sudo.

       You can set up sudo to allow sysadm_u to transition to an
       administrative domain:

       Add one or more of the following records to sudoers using visudo.

       USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
       sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL

       USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
       sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL

       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
       sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
       sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL

       You might also need to add one or more of these new roles to your
       SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add the roles named in your sudoers records
       to it:

       $ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

       For more details you can see the semanage man page.

       The SELinux type sysadm_t is not allowed to execute sudo.

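       As an added example (not part of the generated man page), the
       following shell functions check the consistency this section relies
       on: every ROLE= named in a sudoers record must be among the roles the
       SELinux user can reach according to `semanage user -l`, and where it
       is not, the `semanage user -m -R` command shown above is printed with
       the union of roles. The sudoers records and the column layout assumed
       for `semanage user -l` (roles from the fifth field on) are constructed
       sample input.

```sh
# Roles reachable by the SELinux user named in $1, read from `semanage user -l`
# text on stdin. Assumed layout: user, prefix, MLS level, MLS range, roles...
reachable_roles() {
    awk -v u="$1" '$1 == u { for (i = 5; i <= NF; i++) print $i }'
}

# ROLE= values requested by sudoers text on stdin, one per line, deduplicated.
sudoers_roles() {
    grep -o 'ROLE=[A-Za-z0-9_]*' | cut -d= -f2 | sort -u
}

# Prints each role that sudoers asks for but the SELinux user cannot reach.
# Arguments: SELinux user, sudoers text, `semanage user -l` text.
missing_sudo_roles() {
    have=" $(printf '%s\n' "$3" | reachable_roles "$1" | tr '\n' ' ')"
    printf '%s\n' "$2" | sudoers_roles | while read -r role; do
        case $have in *" $role "*) ;; *) echo "$role" ;; esac
    done
}

# Prints the semanage command from the SUDO section that would grant the
# union of reachable and requested roles; prints nothing if none is missing.
suggest_role_fix() {
    missing=$(missing_sudo_roles "$1" "$2" "$3" | tr '\n' ' ')
    [ -z "$missing" ] && return 0
    have=$(printf '%s\n' "$3" | reachable_roles "$1" | tr '\n' ' ')
    printf "semanage user -m -R '%s' %s\n" "$(echo $have $missing)" "$1"
}

# Constructed samples: three sudoers records in the form shown above for the
# Linux user joe, and a `semanage user -l` listing where sysadm_u reaches
# only sysadm_r (the header line is simplified).
SAMPLE_SUDOERS="joe ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t /usr/bin/systemctl
joe ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t /sbin/ausearch
joe ALL=(ALL) ROLE=secadm_r TYPE=secadm_t /usr/sbin/semanage"
SAMPLE_SEMANAGE_USER="SELinux_User Prefix MCS_Level MCS_Range SELinux_Roles
sysadm_u        user    s0         s0-s0:c0.c1023   sysadm_r
staff_u         user    s0         s0-s0:c0.c1023   staff_r sysadm_r system_r"

# On a live host the two inputs come from /etc/sudoers and `semanage user -l`.
suggest_role_fix sysadm_u "$SAMPLE_SUDOERS" "$SAMPLE_SEMANAGE_USER"
```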

X WINDOWS LOGIN

       The SELinux user sysadm_u is able to log in through X Windows.


NETWORK

       The SELinux user sysadm_u is able to listen on the following tcp ports.

              32768-60999

              all ports without defined types

              389,636,3268,3269,7389

              1716

              all ports >= 1024

       The SELinux user sysadm_u is able to connect to the following tcp
       ports.

              8955

              53,853

              all ports

              389,636,3268,3269,7389

              all ports without defined types

              32768-60999

              all ports < 1024

              9080

              88,750,4444

       The SELinux user sysadm_u is able to listen on the following udp ports.

              32768-60999

              all ports without defined types

              123

              all ports >= 1024

       The SELinux user sysadm_u is able to connect to the following tcp
       ports.

              8955

              53,853

              all ports

              389,636,3268,3269,7389

              all ports without defined types

              32768-60999

              all ports < 1024

              9080

              88,750,4444

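       As an added example (not part of the generated man page), the shell
       functions below evaluate a port number against the listen rules above
       using the page's own rule spellings ("N-M", "a,b,c", "N",
       "all ports >= N", "all ports < N", "all ports" and "all ports without
       defined types"). The last form can only be settled against the live
       port-type table (`semanage port -l`), so it yields "undetermined"
       rather than a guess; the port numbers fed in at the end are a
       constructed sample.

```sh
# Decide whether port $1 is covered by rule $2 (in the man page's wording).
# Exit status: 0 = covered, 1 = not covered, 2 = depends on whether the port
# has a type defined in the policy (check with: semanage port -l).
port_matches_rule() {
    p=$1 r=$2
    case $r in
        "all ports") return 0 ;;
        "all ports without defined types") return 2 ;;
        "all ports >= "*) [ "$p" -ge "${r##* }" ] && return 0 ;;
        "all ports < "*)  [ "$p" -lt "${r##* }" ] && return 0 ;;
        *-*) [ "$p" -ge "${r%-*}" ] && [ "$p" -le "${r#*-}" ] && return 0 ;;
        *)   case ",$r," in *",$p,"*) return 0 ;; esac ;;
    esac
    return 1
}

# Walk every rule given after the port; print and return the combined verdict:
# "allowed" (0) if any rule covers the port, "undetermined" (2) if only the
# "without defined types" rule could, otherwise "denied" (1).
port_decision() {
    port=$1; shift
    verdict=1
    for rule in "$@"; do
        port_matches_rule "$port" "$rule" && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then echo allowed; return 0; fi
        if [ "$rc" -eq 2 ]; then verdict=2; fi
    done
    if [ "$verdict" -eq 2 ]; then echo undetermined; else echo denied; fi
    return "$verdict"
}

# The TCP and UDP listen rules exactly as the NETWORK section lists them.
sysadm_tcp_listen() {
    port_decision "$1" "32768-60999" "all ports without defined types" \
        "389,636,3268,3269,7389" "1716" "all ports >= 1024"
}
sysadm_udp_listen() {
    port_decision "$1" "32768-60999" "all ports without defined types" \
        "123" "all ports >= 1024"
}

# Stand-alone demonstration over a constructed set of ports.
for port in 22 123 636 1716 8080 40000; do
    printf 'tcp listen %-5s %-12s udp listen %s\n' "$port" \
        "$(sysadm_tcp_listen "$port")" "$(sysadm_udp_listen "$port")"
done
```

       Every port below 1024 comes back undetermined because only the live
       port-type table says whether it is "without defined types".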

BOOLEANS

       SELinux policy is customizable based on the least access required.
       sysadm policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run sysadm with the tightest
       access possible.

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Such mappings are dangerous, and an executable
       that needs them should be reported in bugzilla. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to determine whether calling user domains can execute Git
       daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Disabled by default.

       setsebool -P git_session_users 1

       If you want to determine whether calling user domains can execute
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary; it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_tcp_server boolean. Disabling this forces FTP passive
       mode and may change other protocols. Disabled by default.

       setsebool -P selinuxuser_tcp_server 1

       If you want to allow users to run UDP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_udp_server boolean. Disabling this may break avahi
       discovering services on the network and other UDP related services.
       Disabled by default.

       setsebool -P selinuxuser_udp_server 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

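       As an added example (not part of the generated man page), the shell
       function below compares a `getsebool -a` style listing against the
       defaults documented in this section and reports every boolean that has
       drifted, which is the check an administrator would run before trusting
       that sysadm_u is confined as described. The defaults table is
       transcribed from the text above, and the listing it is run over at the
       end is a constructed sample.

```sh
# Defaults for the booleans in the BOOLEANS section, transcribed from the
# man page text above (not queried from a live policy).
SYSADM_BOOLEAN_DEFAULTS="cron_userdomain_transition=on deny_bluetooth=on \
deny_execmem=on deny_ptrace=on fips_mode=on git_session_users=off \
polipo_session_users=off selinuxuser_execstack=on \
selinuxuser_rw_noexattrfile=on selinuxuser_tcp_server=off \
selinuxuser_udp_server=off use_nfs_home_dirs=off use_samba_home_dirs=off"

# Reads "name --> state" lines (getsebool -a format) on stdin; prints
# "name current expected" for each listed boolean that differs from its
# documented default and "name missing expected" for listed booleans the
# policy does not report. Output is sorted so it is easy to diff over time.
audit_sysadm_booleans() {
    awk -v defaults="$SYSADM_BOOLEAN_DEFAULTS" '
    BEGIN {
        n = split(defaults, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); expected[kv[1]] = kv[2] }
    }
    $2 == "-->" && ($1 in expected) {
        seen[$1] = 1
        if ($3 != expected[$1]) print $1, $3, expected[$1]
    }
    END { for (b in expected) if (!(b in seen)) print b, "missing", expected[b] }
    ' | sort
}

# Constructed getsebool -a sample: ptrace is allowed and user TCP servers are
# enabled, both deviations from the defaults documented above.
SAMPLE_GETSEBOOL="cron_userdomain_transition --> on
deny_bluetooth --> on
deny_execmem --> on
deny_ptrace --> off
fips_mode --> on
git_session_users --> off
polipo_session_users --> off
selinuxuser_execstack --> on
selinuxuser_rw_noexattrfile --> on
selinuxuser_tcp_server --> on
selinuxuser_udp_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off"

# On a live host: getsebool -a | audit_sysadm_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_sysadm_booleans
```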

HOME_EXEC

       The SELinux user sysadm_u is able to execute home content files.


TRANSITIONS

       Three things can happen when sysadm_t attempts to execute a program.

       1. SELinux Policy can deny sysadm_t from executing the program.

       2. SELinux Policy can allow sysadm_t to execute the program in the
       current user type.

              Execute the following to see the types that the sysadm_t domain
              can execute without transitioning:

              sesearch -A -s sysadm_t -c file -p execute_no_trans

       3. SELinux can allow sysadm_t to execute the program and transition to
       a new type.

              Execute the following to see the types that the sysadm_t domain
              can execute and transition to:

              $ sesearch -A -s sysadm_t -c process -p transition


MANAGED FILES

       The SELinux process type sysadm_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       auditd_etc_t

            /etc/audit(/.*)?

       auditd_log_t

            /var/log/audit(/.*)?
            /var/log/audit.log.*

       boolean_type

       chrome_sandbox_tmpfs_t

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       krb5_keytab_t

            /var/kerberos/krb5(/.*)?
            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       non_security_file_type

       security_t

            /selinux

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       semanage_store_t

            /etc/selinux/([^/]*/)?policy(/.*)?
            /etc/selinux/(minimum|mls|targeted)/active(/.*)?
            /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
            /var/lib/selinux(/.*)?
            /etc/share/selinux/mls(/.*)?
            /etc/share/selinux/targeted(/.*)?

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?

       xserver_tmpfs_t


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), sysadm_dbusd_selinux(8),
       sysadm_gkeyringd_selinux(8), sysadm_passwd_selinux(8),
       sysadm_screen_selinux(8), sysadm_seunshare_selinux(8),
       sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8),
       sysadm_sudo_selinux(8)

mgrepl@redhat.com                   sysadm                   sysadm_selinux(8)