1user_selinux(8) user SELinux Policy documentation user_selinux(8)
2
3
4
6 user_u - Generic unprivileged user - Security Enhanced Linux Policy
7
8
10 user_u is an SELinux User defined in the SELinux policy. SELinux users
11 have default roles, user_r. The default role has a default type,
12 user_t, associated with it.
13
14 The SELinux user will usually login to a system with a context that
15 looks like:
16
17 user_u:user_r:user_t:s0
18
19 Linux users are automatically assigned an SELinux users at login. Lo‐
20 gin programs use the SELinux User to assign initial context to the
21 user's shell.
22
23 SELinux policy uses the context to control the user's access.
24
25 By default all users are assigned to the SELinux user via the __de‐
26 fault__ flag
27
28 On Targeted policy systems the __default__ user is assigned to the un‐
29 confined_u SELinux user.
30
31 You can list all Linux User to SELinux user mapping using:
32
33 semanage login -l
34
35 If you wanted to change the default user mapping to use the user_u
36 user, you would execute:
37
38 semanage login -m -s user_u __default__
39
40
41 If you want to map the one Linux user (joe) to the SELinux user user,
42 you would execute:
43
44 $ semanage login -a -s user_u joe
45
46
47
49 The SELinux user user_u is defined in policy as a unprivileged user.
50 SELinux prevents unprivileged users from doing administration tasks
51 without transitioning to a different role.
52
53
56 The SELinux user user_u is able to X Windows login.
57
58
60 The SELinux user user_u is able to listen on the following tcp ports.
61
62 6000-6020
63
64 1716
65
66 3689
67
68 all ports >= 1024
69
70 all ports without defined types
71
72 32768-60999
73
74
75 The SELinux user user_u is able to connect to the following tcp ports.
76
77 8955
78
79 all ports
80
81 53,853
82
83 389,636,3268,3269,7389
84
85 all ports without defined types
86
87 32768-60999
88
89 all ports < 1024
90
91 9080
92
93 88,750,4444
94
95
96 The SELinux user user_u is able to listen on the following udp ports.
97
98 32768-60999
99
100 all ports without defined types
101
102 all ports >= 1024
103
104
105 The SELinux user user_u is able to connect to the following tcp ports.
106
107 8955
108
109 all ports
110
111 53,853
112
113 389,636,3268,3269,7389
114
115 all ports without defined types
116
117 32768-60999
118
119 all ports < 1024
120
121 9080
122
123 88,750,4444
124
125
127 SELinux policy is customizable based on least access required. user
128 policy is extremely flexible and has several booleans that allow you to
129 manipulate the policy and run user with the tightest access possible.
130
131
132
133 If you want to determine whether crond can execute jobs in the user do‐
134 main as opposed to the the generic cronjob domain, you must turn on the
135 cron_userdomain_transition boolean. Enabled by default.
136
137 setsebool -P cron_userdomain_transition 1
138
139
140
141 If you want to deny all system processes and Linux users to use blue‐
142 tooth wireless technology, you must turn on the deny_bluetooth boolean.
143 Enabled by default.
144
145 setsebool -P deny_bluetooth 1
146
147
148
149 If you want to deny user domains applications to map a memory region as
150 both executable and writable, this is dangerous and the executable
151 should be reported in bugzilla, you must turn on the deny_execmem bool‐
152 ean. Enabled by default.
153
154 setsebool -P deny_execmem 1
155
156
157
158 If you want to deny any process from ptracing or debugging any other
159 processes, you must turn on the deny_ptrace boolean. Enabled by de‐
160 fault.
161
162 setsebool -P deny_ptrace 1
163
164
165
166 If you want to allow all domains to execute in fips_mode, you must turn
167 on the fips_mode boolean. Enabled by default.
168
169 setsebool -P fips_mode 1
170
171
172
173 If you want to determine whether calling user domains can execute Git
174 daemon in the git_session_t domain, you must turn on the git_ses‐
175 sion_users boolean. Disabled by default.
176
177 setsebool -P git_session_users 1
178
179
180
181 If you want to allow httpd cgi support, you must turn on the httpd_en‐
182 able_cgi boolean. Enabled by default.
183
184 setsebool -P httpd_enable_cgi 1
185
186
187
188 If you want to determine whether calling user domains can execute
189 Polipo daemon in the polipo_session_t domain, you must turn on the
190 polipo_session_users boolean. Disabled by default.
191
192 setsebool -P polipo_session_users 1
193
194
195
196 If you want to allow pppd to be run for a regular user, you must turn
197 on the pppd_for_user boolean. Disabled by default.
198
199 setsebool -P pppd_for_user 1
200
201
202
203 If you want to allow all unconfined executables to use libraries re‐
204 quiring text relocation that are not labeled textrel_shlib_t, you must
205 turn on the selinuxuser_execmod boolean. Enabled by default.
206
207 setsebool -P selinuxuser_execmod 1
208
209
210
211 If you want to allow unconfined executables to make their stack exe‐
212 cutable. This should never, ever be necessary. Probably indicates a
213 badly coded executable, but could indicate an attack. This executable
214 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
215 stack boolean. Enabled by default.
216
217 setsebool -P selinuxuser_execstack 1
218
219
220
221 If you want to allow users to connect to the local mysql server, you
222 must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
223 default.
224
225 setsebool -P selinuxuser_mysql_connect_enabled 1
226
227
228
229 If you want to allow confined users the ability to execute the ping and
230 traceroute commands, you must turn on the selinuxuser_ping boolean. En‐
231 abled by default.
232
233 setsebool -P selinuxuser_ping 1
234
235
236
237 If you want to allow user to r/w files on filesystems that do not have
238 extended attributes (FAT, CDROM, FLOPPY), you must turn on the selin‐
239 uxuser_rw_noexattrfile boolean. Disabled by default.
240
241 setsebool -P selinuxuser_rw_noexattrfile 1
242
243
244
245 If you want to allow user to use ssh chroot environment, you must turn
246 on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
247
248 setsebool -P selinuxuser_use_ssh_chroot 1
249
250
251
252 If you want to allow unprivileged user to create and transition to
253 svirt domains, you must turn on the unprivuser_use_svirt boolean. Dis‐
254 abled by default.
255
256 setsebool -P unprivuser_use_svirt 1
257
258
259
260 If you want to support NFS home directories, you must turn on the
261 use_nfs_home_dirs boolean. Disabled by default.
262
263 setsebool -P use_nfs_home_dirs 1
264
265
266
267 If you want to support SAMBA home directories, you must turn on the
268 use_samba_home_dirs boolean. Disabled by default.
269
270 setsebool -P use_samba_home_dirs 1
271
272
273
275 The SELinux user user_u is able execute home content files.
276
277
279 Three things can happen when user_t attempts to execute a program.
280
281 1. SELinux Policy can deny user_t from executing the program.
282
283
284
285 2. SELinux Policy can allow user_t to execute the program in the cur‐
286 rent user type.
287
288 Execute the following to see the types that the SELinux user
289 user_t can execute without transitioning:
290
291 sesearch -A -s user_t -c file -p execute_no_trans
292
293
294
295 3. SELinux can allow user_t to execute the program and transition to a
296 new type.
297
298 Execute the following to see the types that the SELinux user
299 user_t can execute and transition:
300
301 $ sesearch -A -s user_t -c process -p transition
302
303
304
306 The SELinux process type user_t can manage files labeled with the fol‐
307 lowing file types. The paths listed are the default paths for these
308 file types. Note the processes UID still need to have DAC permissions.
309
310 alsa_home_t
311
312 /home/[^/]+/.asoundrc
313
314 auth_cache_t
315
316 /var/cache/coolkey(/.*)?
317
318 bluetooth_helper_tmp_t
319
320
321 bluetooth_helper_tmpfs_t
322
323
324 chrome_sandbox_tmpfs_t
325
326
327 faillog_t
328
329 /var/log/btmp.*
330 /var/log/faillog.*
331 /var/log/tallylog.*
332 /var/run/faillock(/.*)?
333
334 games_data_t
335
336 /var/games(/.*)?
337 /var/lib/games(/.*)?
338
339 gconf_tmp_t
340
341 /tmp/gconfd-[^/]+/.*
342
343 gpg_agent_tmp_t
344
345 /home/[^/]+/.gnupg/log-socket
346
347 httpd_user_content_t
348
349 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
350
351 httpd_user_htaccess_t
352
353 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
354
355 httpd_user_ra_content_t
356
357 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
358
359 httpd_user_rw_content_t
360
361
362 httpd_user_script_exec_t
363
364 /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
365
366 krb5_host_rcache_t
367
368 /var/tmp/krb5_0.rcache2
369 /var/cache/krb5rcache(/.*)?
370 /var/tmp/nfs_0
371 /var/tmp/DNS_25
372 /var/tmp/host_0
373 /var/tmp/imap_0
374 /var/tmp/HTTP_23
375 /var/tmp/HTTP_48
376 /var/tmp/ldap_55
377 /var/tmp/ldap_487
378 /var/tmp/ldapmap1_0
379
380 mail_spool_t
381
382 /var/mail(/.*)?
383 /var/spool/imap(/.*)?
384 /var/spool/mail(/.*)?
385 /var/spool/smtpd(/.*)?
386
387 mqueue_spool_t
388
389 /var/spool/(client)?mqueue(/.*)?
390 /var/spool/mqueue.in(/.*)?
391
392 pkcs_slotd_tmpfs_t
393
394 /dev/shm/var.lib.opencryptoki.*
395
396 pulseaudio_tmpfs_t
397
398
399 pulseaudio_tmpfsfile
400
401
402 sandbox_tmpfs_type
403
404 all sandbox content in tmpfs file systems
405
406 security_t
407
408 /selinux
409
410 session_dbusd_tmp_t
411
412 /var/run/user/[0-9]+/dbus(/.*)?
413
414 systemd_passwd_var_run_t
415
416 /var/run/systemd/ask-password(/.*)?
417 /var/run/systemd/ask-password-block(/.*)?
418
419 usbfs_t
420
421
422 user_fonts_cache_t
423
424 /root/.fontconfig(/.*)?
425 /root/.fonts/auto(/.*)?
426 /root/.fonts.cache-.*
427 /root/.cache/fontconfig(/.*)?
428 /home/[^/]+/.fontconfig(/.*)?
429 /home/[^/]+/.fonts/auto(/.*)?
430 /home/[^/]+/.fonts.cache-.*
431 /home/[^/]+/.cache/fontconfig(/.*)?
432
433 user_home_type
434
435 all user home files
436
437 user_tmp_t
438
439 /dev/shm/mono.*
440 /var/run/user(/.*)?
441 /tmp/.ICE-unix(/.*)?
442 /tmp/.X11-unix(/.*)?
443 /dev/shm/pulse-shm.*
444 /tmp/.X0-lock
445 /tmp/hsperfdata_root
446 /var/tmp/hsperfdata_root
447 /home/[^/]+/tmp
448 /home/[^/]+/.tmp
449 /tmp/gconfd-[^/]+
450
451 user_tmp_type
452
453 all user tmp files
454
455 virt_image_type
456
457 all virtual image files
458
459 xserver_tmpfs_t
460
461
462
464 semanage fcontext can also be used to manipulate default file context
465 mappings.
466
467 semanage permissive can also be used to manipulate whether or not a
468 process type is permissive.
469
470 semanage module can also be used to enable/disable/install/remove pol‐
471 icy modules.
472
473 semanage boolean can also be used to manipulate the booleans
474
475
476 system-config-selinux is a GUI tool available to customize SELinux pol‐
477 icy settings.
478
479
481 This manual page was auto-generated using sepolicy manpage .
482
483
485 selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
486 setsebool(8), user_dbusd_selinux(8), user_dbusd_selinux(8),
487 user_gkeyringd_selinux(8), user_gkeyringd_selinux(8),
488 user_mail_selinux(8), user_mail_selinux(8), user_screen_selinux(8),
489 user_screen_selinux(8), user_seunshare_selinux(8), user_seun‐
490 share_selinux(8), user_ssh_agent_selinux(8), user_ssh_agent_selinux(8),
491 user_wine_selinux(8), user_wine_selinux(8)
492
493
494
495mgrepl@redhat.com user user_selinux(8)