user_selinux(8)        user SELinux Policy documentation       user_selinux(8)


NAME

       user_u - Generic unprivileged user - Security Enhanced Linux Policy


DESCRIPTION

       user_u is an SELinux user defined in the SELinux policy. SELinux users
       have default roles; for user_u that is user_r. The default role has a
       default type, user_t, associated with it.

       The SELinux user will usually login to a system with a context that
       looks like:

       user_u:user_r:user_t:s0

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default all Linux users are mapped to the SELinux user named by the
       __default__ entry.

       On Targeted policy systems the __default__ entry is mapped to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the user_u
       user, you would execute:

       semanage login -m -s user_u __default__


       If you want to map one Linux user (joe) to the SELinux user user_u,
       you would execute:

       $ semanage login -a -s user_u joe


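       The following shell script is an added example; it is not part of the
       generated man page or of the sepolicy tool. It audits the table that
       semanage login -l prints: which SELinux user a given Linux login
       resolves to (an exact entry wins, otherwise the __default__ entry
       applies), and which logins end up as unconfined_u and so are not
       confined by the user_u policy. The semanage output embedded in it is a
       constructed sample; group entries (%name) are ignored by this
       simplified lookup.

```shell
# Constructed sample of `semanage login -l` output (not captured from a host).
SAMPLE_LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Turn the table on stdin into "login seuser" pairs, dropping header and blanks.
login_pairs() {
    awk 'NF >= 2 && $1 != "Login" { print $1, $2 }'
}

# seuser_for LOGIN: the SELinux user LOGIN resolves to, from the mapping on
# stdin. An exact entry wins; otherwise the __default__ entry applies.
# (Group entries such as %wheel are not considered by this simplified lookup.)
seuser_for() {
    login_pairs | awk -v l="$1" '
        $1 == l             { found = $2 }
        $1 == "__default__" { def = $2 }
        END { print (found != "" ? found : def) }'
}

# unconfined_logins: space-separated logins (including __default__) that land
# in unconfined_u, i.e. the accounts the user_u policy does not confine.
unconfined_logins() {
    login_pairs | awk '$2 == "unconfined_u" { out = out (out == "" ? "" : " ") $1 }
                       END { print out }'
}

# Stand-alone demo on the constructed sample. On a real host replace the
# printf with the live table:  semanage login -l | seuser_for joe
printf '%s\n' "$SAMPLE_LOGIN_MAP" | seuser_for joe
printf '%s\n' "$SAMPLE_LOGIN_MAP" | unconfined_logins
```

       With the sample above, seuser_for joe prints user_u, seuser_for for
       an unlisted login prints unconfined_u (the __default__ entry), and
       unconfined_logins prints "__default__ root". A host that is meant to
       confine its users should show only the accounts you expect in that
       last list.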

USER DESCRIPTION

       The SELinux user user_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.



SUDO

X WINDOWS LOGIN

       The SELinux user user_u is able to log in via X Windows.



NETWORK

       The SELinux user user_u is able to listen on the following tcp ports.

              6000-6020

              1716

              3689

              all ports >= 1024

              all ports without defined types

              32768-60999


       The SELinux user user_u is able to connect to the following tcp ports.

              8955

              all ports

              53,853

              389,636,3268,3269,7389

              all ports without defined types

              32768-60999

              all ports < 1024

              9080

              88,750,4444


       The SELinux user user_u is able to listen on the following udp ports.

              32768-60999

              all ports without defined types

              all ports >= 1024



BOOLEANS

       SELinux policy is customizable based on least access required. user
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run user with the tightest access possible.



       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1



       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1



       If you want to deny user domain applications from mapping a memory
       region as both executable and writable (this is dangerous and the
       executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1



       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to determine whether calling user domains can execute the
       Git daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Disabled by default.

       setsebool -P git_session_users 1



       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1



       If you want to determine whether calling user domains can execute the
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1



       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1



       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Enabled by default.

       setsebool -P selinuxuser_execmod 1



       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary; it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1



       If you want to allow users to connect to the local mysql server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_mysql_connect_enabled 1



       If you want to allow confined users the ability to execute the ping and
       traceroute commands, you must turn on the selinuxuser_ping boolean.
       Enabled by default.

       setsebool -P selinuxuser_ping 1



       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Disabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1



       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1



       If you want to allow unprivileged users to create and transition to
       svirt domains, you must turn on the unprivuser_use_svirt boolean.
       Disabled by default.

       setsebool -P unprivuser_use_svirt 1



       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1



       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1



HOME_EXEC

       The SELinux user user_u is able to execute home content files.



TRANSITIONS

       Three things can happen when user_t attempts to execute a program.

       1. SELinux Policy can deny user_t from executing the program.



       2. SELinux Policy can allow user_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux process
              type user_t can execute without transitioning:

              sesearch -A -s user_t -c file -p execute_no_trans



       3. SELinux can allow user_t to execute the program and transition to a
       new type.

              Execute the following to see the types that the SELinux process
              type user_t can execute and transition:

              $ sesearch -A -s user_t -c process -p transition



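       The following shell script is an added example, not part of the
       generated man page or of the sepolicy tool. It reads the output of the
       sesearch command from step 3 and lists the domains user_t may
       transition into, marking rules that are only active while a boolean is
       on. The sesearch output embedded in it is a constructed sample in the
       setools 4 line format, where a conditional rule carries its boolean and
       state after the semicolon; it was not captured from a real policy.

```shell
# Constructed sample of `sesearch -A -s user_t -c process -p transition`
# output (setools 4 format). Not captured from a real policy.
SAMPLE_SESEARCH='allow user_t chkpwd_t:process transition;
allow user_t passwd_t:process transition;
allow user_t user_t:process { fork transition sigchld signal };
allow user_t ping_t:process transition; [ selinuxuser_ping ]:True'

# transition_targets: read sesearch output on stdin and print, sorted and
# unique, each domain user_t may transition into. Rules guarded by a boolean
# are annotated with that boolean; user_t itself is skipped.
transition_targets() {
    awk '$1 == "allow" && $2 == "user_t" && $0 ~ /[ {]transition[ ;}]/ {
            split($3, tc, ":")
            if (tc[2] != "process" || tc[1] == "user_t") next
            line = tc[1]
            # "[ name ]:True" follows conditional rules; keep just the name.
            if (match($0, /\[ [^ ]+ \]:True/)) {
                cond = substr($0, RSTART + 2, RLENGTH - 9)
                line = line " (requires " cond "=on)"
            }
            print line
        }' | sort -u
}

# Stand-alone demo on the constructed sample; on a real host use:
#   sesearch -A -s user_t -c process -p transition | transition_targets
printf '%s\n' "$SAMPLE_SESEARCH" | transition_targets
```

       The resulting list is the set of domains a confined user can enter by
       running a program; reviewing it against the booleans above shows which
       entries depend on a setting (here ping_t on selinuxuser_ping).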

MANAGED FILES

       The SELinux process type user_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       auth_cache_t

            /var/cache/coolkey(/.*)?

       bluetooth_helper_tmp_t


       bluetooth_helper_tmpfs_t


       chrome_sandbox_tmpfs_t


       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t


       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       pkcs_slotd_tmpfs_t

            /dev/shm/var.lib.opencryptoki.*

       pulseaudio_tmpfs_t


       pulseaudio_tmpfsfile


       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       security_t

            /selinux

       session_dbusd_tmp_t

            /var/run/user/[0-9]+/dbus(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       virt_image_type

            all virtual image files

       xserver_tmpfs_t



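       The following shell script is an added example, not part of the
       generated man page or of the sepolicy tool. It shows how the path
       patterns above work: file context specs are anchored regular
       expressions, and a file whose on-disk label disagrees with the spec for
       its path (for instance a CGI script left as user_home_t) is a labeling
       drift that restorecon would correct. The script holds a subset of the
       specs above as "regex type" rows, resolves a path to its expected type,
       and reports mismatches in an ls -Z style listing. Assumptions made for
       the example: the rows are ordered most specific first and the first
       match wins (the real lookup is matchpathcon(8)/selabel, which chooses
       the most specific spec), unmatched paths are reported as "unlabeled",
       and the listing embedded in it is a constructed sample.

```shell
# Subset of the file context specs listed above as "regex type" rows, ordered
# most specific first. This ordering is an assumption of the example; the real
# lookup is matchpathcon(8)/selabel, which picks the most specific spec.
FCONTEXT_SPECS='/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)? httpd_user_script_exec_t
/home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess httpd_user_htaccess_t
/home/[^/]+/((www)|(web)|(public_html))(/.+)? httpd_user_content_t
/home/[^/]+/.asoundrc alsa_home_t
/var/run/user(/.*)? user_tmp_t
/var/mail(/.*)? mail_spool_t'

# Constructed listing in `ls -Z` form ("context path"); the CGI script's label
# has drifted away from its spec.
SAMPLE_LISTING='unconfined_u:object_r:httpd_user_content_t:s0 /home/joe/public_html/index.html
unconfined_u:object_r:user_home_t:s0 /home/joe/public_html/cgi-bin/hello.cgi
unconfined_u:object_r:alsa_home_t:s0 /home/joe/.asoundrc
user_u:object_r:user_tmp_t:s0 /var/run/user/1000/bus'

# expected_type PATH: type of the first spec matching PATH. file_contexts
# regexes match the whole path, so "^" and "$" are added here. "unlabeled"
# is this example's placeholder for a path no spec covers.
expected_type() {
    printf '%s\n' "$FCONTEXT_SPECS" | awk -v path="$1" '
        path ~ ("^" $1 "$") { print $2; found = 1; exit }
        END { if (!found) print "unlabeled" }'
}

# label_mismatches: read "context path" lines on stdin and print
# "path actual expected" for every file whose type field (third colon-separated
# field of the context) disagrees with the spec.
label_mismatches() {
    while read -r context path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s\n' "$context" | cut -d: -f3)
        expected=$(expected_type "$path")
        [ "$actual" = "$expected" ] || printf '%s %s %s\n' "$path" "$actual" "$expected"
    done
}

# Stand-alone demo on the constructed listing; on a real host use:
#   find /home/joe -exec ls -Zd {} + | label_mismatches
printf '%s\n' "$SAMPLE_LISTING" | label_mismatches
```

       On the sample listing only hello.cgi is reported (actual user_home_t,
       expected httpd_user_script_exec_t). In practice restorecon -nv on the
       directory gives the authoritative answer; this script only makes the
       regex matching behind it visible.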

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8),
       user_mail_selinux(8), user_screen_selinux(8),
       user_seunshare_selinux(8), user_ssh_agent_selinux(8),
       user_wine_selinux(8)



mgrepl@redhat.com                    user                      user_selinux(8)