1staff_selinux(8)      staff SELinux Policy documentation      staff_selinux(8)
2
3
4

NAME

6       staff_u  -  Administrator's unprivileged user - Security Enhanced Linux
7       Policy
8
9

DESCRIPTION

11       staff_u is an SELinux User defined in the SELinux policy. SELinux users
12       have  default  roles,  staff_r.   The  default role has a default type,
13       staff_t, associated with it.
14
15       The SELinux user will usually login to a system  with  a  context  that
16       looks like:
17
18       staff_u:staff_r:staff_t:s0 - s0:c0.c1023
19
20       Linux  users are automatically assigned an SELinux users at login.  Lo‐
21       gin programs use the SELinux User to  assign  initial  context  to  the
22       user's shell.
23
24       SELinux policy uses the context to control the user's access.
25
26       By  default  all  users  are assigned to the SELinux user via the __de‐
27       fault__ flag
28
29       On Targeted policy systems the __default__ user is assigned to the  un‐
30       confined_u SELinux user.
31
32       You can list all Linux User to SELinux user mapping using:
33
34       semanage login -l
35
36       If  you  wanted  to  change the default user mapping to use the staff_u
37       user, you would execute:
38
39       semanage login -m -s staff_u __default__
40
41
42       If you want to map the one Linux user (joe) to the SELinux user  staff,
43       you would execute:
44
45       $ semanage login -a -s staff_u joe
46
47
48

USER DESCRIPTION

50       The  SELinux  user staff_u is defined in policy as a unprivileged user.
51       SELinux prevents unprivileged users  from  doing  administration  tasks
52       without transitioning to a different role.
53
54

SUDO

56       The SELinux user staff can execute sudo.
57
58       You  can  set up sudo to allow staff to transition to an administrative
59       domain:
60
61       Add one or more of the following record to sudoers using visudo.
62
63
64       USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
65       sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
66
67       You might also need to add one or more  of  these  new  roles  to  your
68       SELinux user record.
69
70       List the SELinux roles your SELinux user can reach by executing:
71
72       $ semanage user -l |grep selinux_name
73
74       Modify the roles list and add staff_r to this list.
75
76       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
77       logadm_r dbadm_r auditadm_r' staff_u
78
79       For more details you can see semanage man page.
80
81
82       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
83       sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
84
85       You might also need to add one or more  of  these  new  roles  to  your
86       SELinux user record.
87
88       List the SELinux roles your SELinux user can reach by executing:
89
90       $ semanage user -l |grep selinux_name
91
92       Modify the roles list and add staff_r to this list.
93
94       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
95       logadm_r dbadm_r auditadm_r' staff_u
96
97       For more details you can see semanage man page.
98
99
100       USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
101       sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
102
103       You might also need to add one or more  of  these  new  roles  to  your
104       SELinux user record.
105
106       List the SELinux roles your SELinux user can reach by executing:
107
108       $ semanage user -l |grep selinux_name
109
110       Modify the roles list and add staff_r to this list.
111
112       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
113       logadm_r dbadm_r auditadm_r' staff_u
114
115       For more details you can see semanage man page.
116
117
118       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
119       sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
120
121       You might also need to add one or more  of  these  new  roles  to  your
122       SELinux user record.
123
124       List the SELinux roles your SELinux user can reach by executing:
125
126       $ semanage user -l |grep selinux_name
127
128       Modify the roles list and add staff_r to this list.
129
130       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
131       logadm_r dbadm_r auditadm_r' staff_u
132
133       For more details you can see semanage man page.
134
135
136       USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
137       sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
138
139       You might also need to add one or more  of  these  new  roles  to  your
140       SELinux user record.
141
142       List the SELinux roles your SELinux user can reach by executing:
143
144       $ semanage user -l |grep selinux_name
145
146       Modify the roles list and add staff_r to this list.
147
148       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
149       logadm_r dbadm_r auditadm_r' staff_u
150
151       For more details you can see semanage man page.
152
153
154       USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
155       sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
156
157       You might also need to add one or more  of  these  new  roles  to  your
158       SELinux user record.
159
160       List the SELinux roles your SELinux user can reach by executing:
161
162       $ semanage user -l |grep selinux_name
163
164       Modify the roles list and add staff_r to this list.
165
166       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
167       logadm_r dbadm_r auditadm_r' staff_u
168
169       For more details you can see semanage man page.
170
171
172       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
173       sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
174
175       You might also need to add one or more  of  these  new  roles  to  your
176       SELinux user record.
177
178       List the SELinux roles your SELinux user can reach by executing:
179
180       $ semanage user -l |grep selinux_name
181
182       Modify the roles list and add staff_r to this list.
183
184       $  semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
185       logadm_r dbadm_r auditadm_r' staff_u
186
187       For more details you can see semanage man page.
188
189
190       The SELinux type staff_t is not allowed to execute sudo.
191
192

X WINDOWS LOGIN

194       The SELinux user staff_u is able to X Windows login.
195
196

NETWORK

198       The SELinux user staff_u is able to listen on the following tcp ports.
199
200              6000-6020
201
202              1716
203
204              3689
205
206              all ports >= 1024
207
208              all ports without defined types
209
210              32768-60999
211
212
213       The SELinux user staff_u is able to connect to the following tcp ports.
214
215              8955
216
217              53,853
218
219              all ports
220
221              389,636,3268,3269,7389
222
223              all ports without defined types
224
225              32768-60999
226
227              all ports < 1024
228
229              9080
230
231              88,750,4444
232
233
234       The SELinux user staff_u is able to listen on the following udp ports.
235
236              32768-60999
237
238              all ports without defined types
239
240              all ports >= 1024
241
242
243       The SELinux user staff_u is able to connect to the following tcp ports.
244
245              8955
246
247              53,853
248
249              all ports
250
251              389,636,3268,3269,7389
252
253              all ports without defined types
254
255              32768-60999
256
257              all ports < 1024
258
259              9080
260
261              88,750,4444
262
263

BOOLEANS

265       SELinux policy is customizable based on least access  required.   staff
266       policy is extremely flexible and has several booleans that allow you to
267       manipulate the policy and run staff with the tightest access possible.
268
269
270
271       If you want to allow staff user to create and transition to  svirt  do‐
272       mains,  you  must  turn on the staff_use_svirt boolean. Disabled by de‐
273       fault.
274
275       setsebool -P staff_use_svirt 1
276
277
278
279       If you want to determine whether crond can execute jobs in the user do‐
280       main as opposed to the the generic cronjob domain, you must turn on the
281       cron_userdomain_transition boolean. Enabled by default.
282
283       setsebool -P cron_userdomain_transition 1
284
285
286
287       If you want to deny all system processes and Linux users to  use  blue‐
288       tooth wireless technology, you must turn on the deny_bluetooth boolean.
289       Enabled by default.
290
291       setsebool -P deny_bluetooth 1
292
293
294
295       If you want to deny user domains applications to map a memory region as
296       both  executable  and  writable,  this  is dangerous and the executable
297       should be reported in bugzilla, you must turn on the deny_execmem bool‐
298       ean. Enabled by default.
299
300       setsebool -P deny_execmem 1
301
302
303
304       If  you  want  to deny any process from ptracing or debugging any other
305       processes, you must turn on the deny_ptrace  boolean.  Enabled  by  de‐
306       fault.
307
308       setsebool -P deny_ptrace 1
309
310
311
312       If you want to allow all domains to execute in fips_mode, you must turn
313       on the fips_mode boolean. Enabled by default.
314
315       setsebool -P fips_mode 1
316
317
318
319       If you want to determine whether calling user domains can  execute  Git
320       daemon  in  the  git_session_t  domain,  you  must turn on the git_ses‐
321       sion_users boolean. Disabled by default.
322
323       setsebool -P git_session_users 1
324
325
326
327       If you want to allow httpd cgi support, you must turn on the  httpd_en‐
328       able_cgi boolean. Enabled by default.
329
330       setsebool -P httpd_enable_cgi 1
331
332
333
334       If  you  want  to  determine  whether  calling user domains can execute
335       Polipo daemon in the polipo_session_t domain,  you  must  turn  on  the
336       polipo_session_users boolean. Disabled by default.
337
338       setsebool -P polipo_session_users 1
339
340
341
342       If  you  want to allow pppd to be run for a regular user, you must turn
343       on the pppd_for_user boolean. Disabled by default.
344
345       setsebool -P pppd_for_user 1
346
347
348
349       If you want to allow all unconfined executables to  use  libraries  re‐
350       quiring  text relocation that are not labeled textrel_shlib_t, you must
351       turn on the selinuxuser_execmod boolean. Enabled by default.
352
353       setsebool -P selinuxuser_execmod 1
354
355
356
357       If you want to allow unconfined executables to make  their  stack  exe‐
358       cutable.   This  should  never, ever be necessary. Probably indicates a
359       badly coded executable, but could indicate an attack.  This  executable
360       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
361       stack boolean. Enabled by default.
362
363       setsebool -P selinuxuser_execstack 1
364
365
366
367       If you want to allow users to connect to the local  mysql  server,  you
368       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
369       default.
370
371       setsebool -P selinuxuser_mysql_connect_enabled 1
372
373
374
375       If you want to allow user to r/w files on filesystems that do not  have
376       extended  attributes  (FAT, CDROM, FLOPPY), you must turn on the selin‐
377       uxuser_rw_noexattrfile boolean. Disabled by default.
378
379       setsebool -P selinuxuser_rw_noexattrfile 1
380
381
382
383       If you want to allow user  to use ssh chroot environment, you must turn
384       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
385
386       setsebool -P selinuxuser_use_ssh_chroot 1
387
388
389
390       If  you  want  to  support  NFS  home directories, you must turn on the
391       use_nfs_home_dirs boolean. Disabled by default.
392
393       setsebool -P use_nfs_home_dirs 1
394
395
396
397       If you want to support SAMBA home directories, you  must  turn  on  the
398       use_samba_home_dirs boolean. Disabled by default.
399
400       setsebool -P use_samba_home_dirs 1
401
402
403

HOME_EXEC

405       The SELinux user staff_u is able execute home content files.
406
407

TRANSITIONS

409       Three things can happen when staff_t attempts to execute a program.
410
411       1. SELinux Policy can deny staff_t from executing the program.
412
413
414
415       2.  SELinux Policy can allow staff_t to execute the program in the cur‐
416       rent user type.
417
418              Execute the following to see the types  that  the  SELinux  user
419              staff_t can execute without transitioning:
420
421              sesearch -A -s staff_t -c file -p execute_no_trans
422
423
424
425       3. SELinux can allow staff_t to execute the program and transition to a
426       new type.
427
428              Execute the following to see the types  that  the  SELinux  user
429              staff_t can execute and transition:
430
431              $ sesearch -A -s staff_t -c process -p transition
432
433
434

MANAGED FILES

436       The SELinux process type staff_t can manage files labeled with the fol‐
437       lowing file types.  The paths listed are the default  paths  for  these
438       file types.  Note the processes UID still need to have DAC permissions.
439
440       alsa_home_t
441
442            /home/[^/]+/.asoundrc
443
444       auth_cache_t
445
446            /var/cache/coolkey(/.*)?
447
448       bluetooth_helper_tmp_t
449
450
451       bluetooth_helper_tmpfs_t
452
453
454       chrome_sandbox_tmpfs_t
455
456
457       dirsrv_config_t
458
459            /etc/dirsrv(/.*)?
460
461       dirsrv_var_lib_t
462
463            /var/lib/dirsrv(/.*)?
464
465       dirsrv_var_log_t
466
467            /var/log/dirsrv(/.*)?
468
469       dirsrv_var_run_t
470
471            /var/run/slapd.*
472            /var/run/dirsrv(/.*)?
473
474       faillog_t
475
476            /var/log/btmp.*
477            /var/log/faillog.*
478            /var/log/tallylog.*
479            /var/run/faillock(/.*)?
480
481       games_data_t
482
483            /var/games(/.*)?
484            /var/lib/games(/.*)?
485
486       gconf_tmp_t
487
488            /tmp/gconfd-[^/]+/.*
489
490       gpg_agent_tmp_t
491
492            /home/[^/]+/.gnupg/log-socket
493
494       httpd_user_content_t
495
496            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
497
498       httpd_user_htaccess_t
499
500            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
501
502       httpd_user_ra_content_t
503
504            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
505
506       httpd_user_rw_content_t
507
508
509       httpd_user_script_exec_t
510
511            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
512
513       krb5_host_rcache_t
514
515            /var/tmp/krb5_0.rcache2
516            /var/cache/krb5rcache(/.*)?
517            /var/tmp/nfs_0
518            /var/tmp/DNS_25
519            /var/tmp/host_0
520            /var/tmp/imap_0
521            /var/tmp/HTTP_23
522            /var/tmp/HTTP_48
523            /var/tmp/ldap_55
524            /var/tmp/ldap_487
525            /var/tmp/ldapmap1_0
526
527       mail_spool_t
528
529            /var/mail(/.*)?
530            /var/spool/imap(/.*)?
531            /var/spool/mail(/.*)?
532            /var/spool/smtpd(/.*)?
533
534       mqueue_spool_t
535
536            /var/spool/(client)?mqueue(/.*)?
537            /var/spool/mqueue.in(/.*)?
538
539       pkcs_slotd_tmpfs_t
540
541            /dev/shm/var.lib.opencryptoki.*
542
543       pulseaudio_tmpfs_t
544
545
546       pulseaudio_tmpfsfile
547
548
549       sandbox_tmpfs_type
550
551            all sandbox content in tmpfs file systems
552
553       security_t
554
555            /selinux
556
557       session_dbusd_tmp_t
558
559            /var/run/user/[0-9]+/dbus(/.*)?
560
561       systemd_passwd_var_run_t
562
563            /var/run/systemd/ask-password(/.*)?
564            /var/run/systemd/ask-password-block(/.*)?
565
566       systemd_unit_file_type
567
568
569       usbfs_t
570
571
572       user_fonts_cache_t
573
574            /root/.fontconfig(/.*)?
575            /root/.fonts/auto(/.*)?
576            /root/.fonts.cache-.*
577            /root/.cache/fontconfig(/.*)?
578            /home/[^/]+/.fontconfig(/.*)?
579            /home/[^/]+/.fonts/auto(/.*)?
580            /home/[^/]+/.fonts.cache-.*
581            /home/[^/]+/.cache/fontconfig(/.*)?
582
583       user_home_type
584
585            all user home files
586
587       user_tmp_t
588
589            /dev/shm/mono.*
590            /var/run/user(/.*)?
591            /tmp/.ICE-unix(/.*)?
592            /tmp/.X11-unix(/.*)?
593            /dev/shm/pulse-shm.*
594            /tmp/.X0-lock
595            /tmp/hsperfdata_root
596            /var/tmp/hsperfdata_root
597            /home/[^/]+/tmp
598            /home/[^/]+/.tmp
599            /tmp/gconfd-[^/]+
600
601       user_tmp_type
602
603            all user tmp files
604
605       virt_image_type
606
607            all virtual image files
608
609       wireshark_tmp_t
610
611
612       wireshark_tmpfs_t
613
614
615       xserver_tmpfs_t
616
617
618

COMMANDS

620       semanage  fcontext  can also be used to manipulate default file context
621       mappings.
622
623       semanage permissive can also be used to manipulate  whether  or  not  a
624       process type is permissive.
625
626       semanage  module can also be used to enable/disable/install/remove pol‐
627       icy modules.
628
629       semanage boolean can also be used to manipulate the booleans
630
631
632       system-config-selinux is a GUI tool available to customize SELinux pol‐
633       icy settings.
634
635

AUTHOR

637       This manual page was auto-generated using sepolicy manpage .
638
639

SEE ALSO

641       selinux(8),  staff(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
642       icy(8),  setsebool(8),  staff_consolehelper_selinux(8),  staff_console‐
643       helper_selinux(8),    staff_dbusd_selinux(8),   staff_dbusd_selinux(8),
644       staff_gkeyringd_selinux(8),                 staff_gkeyringd_selinux(8),
645       staff_screen_selinux(8),      staff_screen_selinux(8),      staff_seun‐
646       share_selinux(8),                           staff_seunshare_selinux(8),
647       staff_ssh_agent_selinux(8),                 staff_ssh_agent_selinux(8),
648       staff_sudo_selinux(8),  staff_sudo_selinux(8),   staff_wine_selinux(8),
649       staff_wine_selinux(8)
650
651
652
653mgrepl@redhat.com                    staff                    staff_selinux(8)
Impressum