1staff_selinux(8) staff SELinux Policy documentation staff_selinux(8)
2
3
4
6 staff_u - Administrator's unprivileged user - Security Enhanced Linux
7 Policy
8
9
11 staff_u is an SELinux User defined in the SELinux policy. SELinux users
12 have default roles, staff_r. The default role has a default type,
13 staff_t, associated with it.
14
15 The SELinux user will usually login to a system with a context that
16 looks like:
17
18 staff_u:staff_r:staff_t:s0 - s0:c0.c1023
19
20 Linux users are automatically assigned an SELinux users at login. Lo‐
21 gin programs use the SELinux User to assign initial context to the
22 user's shell.
23
24 SELinux policy uses the context to control the user's access.
25
26 By default all users are assigned to the SELinux user via the __de‐
27 fault__ flag
28
29 On Targeted policy systems the __default__ user is assigned to the un‐
30 confined_u SELinux user.
31
32 You can list all Linux User to SELinux user mapping using:
33
34 semanage login -l
35
36 If you wanted to change the default user mapping to use the staff_u
37 user, you would execute:
38
39 semanage login -m -s staff_u __default__
40
41
42 If you want to map the one Linux user (joe) to the SELinux user staff,
43 you would execute:
44
45 $ semanage login -a -s staff_u joe
46
47
48
50 The SELinux user staff_u is defined in policy as a unprivileged user.
51 SELinux prevents unprivileged users from doing administration tasks
52 without transitioning to a different role.
53
54
56 The SELinux user staff can execute sudo.
57
58 You can set up sudo to allow staff to transition to an administrative
59 domain:
60
61 Add one or more of the following record to sudoers using visudo.
62
63
64 USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
65 sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
66
67 You might also need to add one or more of these new roles to your
68 SELinux user record.
69
70 List the SELinux roles your SELinux user can reach by executing:
71
72 $ semanage user -l |grep selinux_name
73
74 Modify the roles list and add staff_r to this list.
75
76 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
77 logadm_r dbadm_r auditadm_r' staff_u
78
79 For more details you can see semanage man page.
80
81
82 USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
83 sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
84
85 You might also need to add one or more of these new roles to your
86 SELinux user record.
87
88 List the SELinux roles your SELinux user can reach by executing:
89
90 $ semanage user -l |grep selinux_name
91
92 Modify the roles list and add staff_r to this list.
93
94 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
95 logadm_r dbadm_r auditadm_r' staff_u
96
97 For more details you can see semanage man page.
98
99
100 USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
101 sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
102
103 You might also need to add one or more of these new roles to your
104 SELinux user record.
105
106 List the SELinux roles your SELinux user can reach by executing:
107
108 $ semanage user -l |grep selinux_name
109
110 Modify the roles list and add staff_r to this list.
111
112 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
113 logadm_r dbadm_r auditadm_r' staff_u
114
115 For more details you can see semanage man page.
116
117
118 USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
119 sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
120
121 You might also need to add one or more of these new roles to your
122 SELinux user record.
123
124 List the SELinux roles your SELinux user can reach by executing:
125
126 $ semanage user -l |grep selinux_name
127
128 Modify the roles list and add staff_r to this list.
129
130 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
131 logadm_r dbadm_r auditadm_r' staff_u
132
133 For more details you can see semanage man page.
134
135
136 USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
137 sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
138
139 You might also need to add one or more of these new roles to your
140 SELinux user record.
141
142 List the SELinux roles your SELinux user can reach by executing:
143
144 $ semanage user -l |grep selinux_name
145
146 Modify the roles list and add staff_r to this list.
147
148 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
149 logadm_r dbadm_r auditadm_r' staff_u
150
151 For more details you can see semanage man page.
152
153
154 USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
155 sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
156
157 You might also need to add one or more of these new roles to your
158 SELinux user record.
159
160 List the SELinux roles your SELinux user can reach by executing:
161
162 $ semanage user -l |grep selinux_name
163
164 Modify the roles list and add staff_r to this list.
165
166 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
167 logadm_r dbadm_r auditadm_r' staff_u
168
169 For more details you can see semanage man page.
170
171
172 USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
173 sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
174
175 You might also need to add one or more of these new roles to your
176 SELinux user record.
177
178 List the SELinux roles your SELinux user can reach by executing:
179
180 $ semanage user -l |grep selinux_name
181
182 Modify the roles list and add staff_r to this list.
183
184 $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
185 logadm_r dbadm_r auditadm_r' staff_u
186
187 For more details you can see semanage man page.
188
189
190 The SELinux type staff_t is not allowed to execute sudo.
191
192
194 The SELinux user staff_u is able to X Windows login.
195
196
198 The SELinux user staff_u is able to listen on the following tcp ports.
199
200 6000-6020
201
202 1716
203
204 3689
205
206 all ports >= 1024
207
208 all ports without defined types
209
210 32768-60999
211
212
213 The SELinux user staff_u is able to connect to the following tcp ports.
214
215 8955
216
217 all ports
218
219 53,853
220
221 389,636,3268,3269,7389
222
223 all ports without defined types
224
225 32768-60999
226
227 all ports < 1024
228
229 9080
230
231 88,750,4444
232
233
234 The SELinux user staff_u is able to listen on the following udp ports.
235
236 32768-60999
237
238 all ports without defined types
239
240 all ports >= 1024
241
242
243 The SELinux user staff_u is able to connect to the following tcp ports.
244
245 8955
246
247 all ports
248
249 53,853
250
251 389,636,3268,3269,7389
252
253 all ports without defined types
254
255 32768-60999
256
257 all ports < 1024
258
259 9080
260
261 88,750,4444
262
263
265 SELinux policy is customizable based on least access required. staff
266 policy is extremely flexible and has several booleans that allow you to
267 manipulate the policy and run staff with the tightest access possible.
268
269
270
271 If you want to allow staff user to create and transition to svirt do‐
272 mains, you must turn on the staff_use_svirt boolean. Disabled by de‐
273 fault.
274
275 setsebool -P staff_use_svirt 1
276
277
278
279 If you want to determine whether crond can execute jobs in the user do‐
280 main as opposed to the the generic cronjob domain, you must turn on the
281 cron_userdomain_transition boolean. Enabled by default.
282
283 setsebool -P cron_userdomain_transition 1
284
285
286
287 If you want to deny all system processes and Linux users to use blue‐
288 tooth wireless technology, you must turn on the deny_bluetooth boolean.
289 Enabled by default.
290
291 setsebool -P deny_bluetooth 1
292
293
294
295 If you want to deny user domains applications to map a memory region as
296 both executable and writable, this is dangerous and the executable
297 should be reported in bugzilla, you must turn on the deny_execmem bool‐
298 ean. Enabled by default.
299
300 setsebool -P deny_execmem 1
301
302
303
304 If you want to deny any process from ptracing or debugging any other
305 processes, you must turn on the deny_ptrace boolean. Enabled by de‐
306 fault.
307
308 setsebool -P deny_ptrace 1
309
310
311
312 If you want to allow all domains to execute in fips_mode, you must turn
313 on the fips_mode boolean. Enabled by default.
314
315 setsebool -P fips_mode 1
316
317
318
319 If you want to determine whether calling user domains can execute Git
320 daemon in the git_session_t domain, you must turn on the git_ses‐
321 sion_users boolean. Disabled by default.
322
323 setsebool -P git_session_users 1
324
325
326
327 If you want to allow httpd cgi support, you must turn on the httpd_en‐
328 able_cgi boolean. Enabled by default.
329
330 setsebool -P httpd_enable_cgi 1
331
332
333
334 If you want to determine whether calling user domains can execute
335 Polipo daemon in the polipo_session_t domain, you must turn on the
336 polipo_session_users boolean. Disabled by default.
337
338 setsebool -P polipo_session_users 1
339
340
341
342 If you want to allow pppd to be run for a regular user, you must turn
343 on the pppd_for_user boolean. Disabled by default.
344
345 setsebool -P pppd_for_user 1
346
347
348
349 If you want to allow all unconfined executables to use libraries re‐
350 quiring text relocation that are not labeled textrel_shlib_t, you must
351 turn on the selinuxuser_execmod boolean. Enabled by default.
352
353 setsebool -P selinuxuser_execmod 1
354
355
356
357 If you want to allow unconfined executables to make their stack exe‐
358 cutable. This should never, ever be necessary. Probably indicates a
359 badly coded executable, but could indicate an attack. This executable
360 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
361 stack boolean. Enabled by default.
362
363 setsebool -P selinuxuser_execstack 1
364
365
366
367 If you want to allow users to connect to the local mysql server, you
368 must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
369 default.
370
371 setsebool -P selinuxuser_mysql_connect_enabled 1
372
373
374
375 If you want to allow user to r/w files on filesystems that do not have
376 extended attributes (FAT, CDROM, FLOPPY), you must turn on the selin‐
377 uxuser_rw_noexattrfile boolean. Disabled by default.
378
379 setsebool -P selinuxuser_rw_noexattrfile 1
380
381
382
383 If you want to allow user to use ssh chroot environment, you must turn
384 on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
385
386 setsebool -P selinuxuser_use_ssh_chroot 1
387
388
389
390 If you want to support NFS home directories, you must turn on the
391 use_nfs_home_dirs boolean. Disabled by default.
392
393 setsebool -P use_nfs_home_dirs 1
394
395
396
397 If you want to support SAMBA home directories, you must turn on the
398 use_samba_home_dirs boolean. Disabled by default.
399
400 setsebool -P use_samba_home_dirs 1
401
402
403
405 The SELinux user staff_u is able execute home content files.
406
407
409 Three things can happen when staff_t attempts to execute a program.
410
411 1. SELinux Policy can deny staff_t from executing the program.
412
413
414
415 2. SELinux Policy can allow staff_t to execute the program in the cur‐
416 rent user type.
417
418 Execute the following to see the types that the SELinux user
419 staff_t can execute without transitioning:
420
421 sesearch -A -s staff_t -c file -p execute_no_trans
422
423
424
425 3. SELinux can allow staff_t to execute the program and transition to a
426 new type.
427
428 Execute the following to see the types that the SELinux user
429 staff_t can execute and transition:
430
431 $ sesearch -A -s staff_t -c process -p transition
432
433
434
436 The SELinux process type staff_t can manage files labeled with the fol‐
437 lowing file types. The paths listed are the default paths for these
438 file types. Note the processes UID still need to have DAC permissions.
439
440 alsa_home_t
441
442 /home/[^/]+/.asoundrc
443
444 auth_cache_t
445
446 /var/cache/coolkey(/.*)?
447
448 bluetooth_helper_tmp_t
449
450
451 bluetooth_helper_tmpfs_t
452
453
454 chrome_sandbox_tmpfs_t
455
456
457 dirsrv_config_t
458
459 /etc/dirsrv(/.*)?
460
461 dirsrv_var_lib_t
462
463 /var/lib/dirsrv(/.*)?
464
465 dirsrv_var_log_t
466
467 /var/log/dirsrv(/.*)?
468
469 dirsrv_var_run_t
470
471 /var/run/slapd.*
472 /var/run/dirsrv(/.*)?
473
474 faillog_t
475
476 /var/log/btmp.*
477 /var/log/faillog.*
478 /var/log/tallylog.*
479 /var/run/faillock(/.*)?
480
481 games_data_t
482
483 /var/games(/.*)?
484 /var/lib/games(/.*)?
485
486 gconf_tmp_t
487
488 /tmp/gconfd-[^/]+/.*
489
490 gpg_agent_tmp_t
491
492 /home/[^/]+/.gnupg/log-socket
493
494 httpd_user_content_t
495
496 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
497
498 httpd_user_htaccess_t
499
500 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
501
502 httpd_user_ra_content_t
503
504 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
505
506 httpd_user_rw_content_t
507
508
509 httpd_user_script_exec_t
510
511 /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
512
513 krb5_host_rcache_t
514
515 /var/tmp/krb5_0.rcache2
516 /var/cache/krb5rcache(/.*)?
517 /var/tmp/nfs_0
518 /var/tmp/DNS_25
519 /var/tmp/host_0
520 /var/tmp/imap_0
521 /var/tmp/HTTP_23
522 /var/tmp/HTTP_48
523 /var/tmp/ldap_55
524 /var/tmp/ldap_487
525 /var/tmp/ldapmap1_0
526
527 mail_spool_t
528
529 /var/mail(/.*)?
530 /var/spool/imap(/.*)?
531 /var/spool/mail(/.*)?
532 /var/spool/smtpd(/.*)?
533
534 mqueue_spool_t
535
536 /var/spool/(client)?mqueue(/.*)?
537 /var/spool/mqueue.in(/.*)?
538
539 pkcs_slotd_tmpfs_t
540
541 /dev/shm/var.lib.opencryptoki.*
542
543 pulseaudio_tmpfs_t
544
545
546 pulseaudio_tmpfsfile
547
548
549 sandbox_tmpfs_type
550
551 all sandbox content in tmpfs file systems
552
553 security_t
554
555 /selinux
556
557 session_dbusd_tmp_t
558
559 /var/run/user/[0-9]+/bus
560 /var/run/user/[0-9]+/dbus(/.*)?
561 /var/run/user/[0-9]+/dbus-1(/.*)?
562
563 systemd_passwd_var_run_t
564
565 /var/run/systemd/ask-password(/.*)?
566 /var/run/systemd/ask-password-block(/.*)?
567
568 systemd_unit_file_type
569
570
571 usbfs_t
572
573
574 user_fonts_cache_t
575
576 /root/.fontconfig(/.*)?
577 /root/.fonts/auto(/.*)?
578 /root/.fonts.cache-.*
579 /root/.cache/fontconfig(/.*)?
580 /home/[^/]+/.fontconfig(/.*)?
581 /home/[^/]+/.fonts/auto(/.*)?
582 /home/[^/]+/.fonts.cache-.*
583 /home/[^/]+/.cache/fontconfig(/.*)?
584
585 user_home_type
586
587 all user home files
588
589 user_tmp_t
590
591 /dev/shm/mono.*
592 /var/run/user/[^/]+
593 /tmp/.ICE-unix(/.*)?
594 /tmp/.X11-unix(/.*)?
595 /dev/shm/pulse-shm.*
596 /tmp/.X0-lock
597 /var/run/user
598 /tmp/hsperfdata_root
599 /var/tmp/hsperfdata_root
600 /home/[^/]+/tmp
601 /home/[^/]+/.tmp
602 /var/run/user/[0-9]+
603 /tmp/gconfd-[^/]+
604
605 user_tmp_type
606
607 all user tmp files
608
609 virt_image_type
610
611 all virtual image files
612
613 wireshark_tmp_t
614
615
616 wireshark_tmpfs_t
617
618
619 xserver_tmpfs_t
620
621
622
624 semanage fcontext can also be used to manipulate default file context
625 mappings.
626
627 semanage permissive can also be used to manipulate whether or not a
628 process type is permissive.
629
630 semanage module can also be used to enable/disable/install/remove pol‐
631 icy modules.
632
633 semanage boolean can also be used to manipulate the booleans
634
635
636 system-config-selinux is a GUI tool available to customize SELinux pol‐
637 icy settings.
638
639
641 This manual page was auto-generated using sepolicy manpage .
642
643
645 selinux(8), staff(8), semanage(8), restorecon(8), chcon(1), sepol‐
646 icy(8), setsebool(8), staff_consolehelper_selinux(8), staff_console‐
647 helper_selinux(8), staff_dbusd_selinux(8), staff_dbusd_selinux(8),
648 staff_gkeyringd_selinux(8), staff_gkeyringd_selinux(8),
649 staff_screen_selinux(8), staff_screen_selinux(8), staff_seun‐
650 share_selinux(8), staff_seunshare_selinux(8),
651 staff_ssh_agent_selinux(8), staff_ssh_agent_selinux(8),
652 staff_sudo_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8),
653 staff_wine_selinux(8)
654
655
656
657mgrepl@redhat.com staff staff_selinux(8)