staff_selinux(8)      staff SELinux Policy documentation      staff_selinux(8)


NAME

       staff_u - Administrator's unprivileged user - Security Enhanced Linux
       Policy

DESCRIPTION

       staff_u is an SELinux user defined in the SELinux policy. Every SELinux
       user has a default role; for staff_u it is staff_r. The default role
       has a default type, staff_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       staff_u:staff_r:staff_t:s0 - s0:c0.c1023

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       $ semanage login -l

       If you wanted to change the default user mapping to use the staff_u
       user, you would execute:

       $ semanage login -m -s staff_u __default__

       If you want to map one Linux user (joe) to the SELinux user staff_u,
       you would execute:

       $ semanage login -a -s staff_u joe

USER DESCRIPTION

       The SELinux user staff_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.

SUDO

       The SELinux user staff_u can execute sudo.

       You can set up sudo to allow staff_u to transition to an administrative
       domain:

       Add one or more of the following records to sudoers using visudo.

       USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
       sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
       sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL

       USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
       sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
       sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
       sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
       sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
       sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL

       You might also need to add one or more of these new roles to your
       SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l |grep selinux_name

       Modify the roles list so that it includes staff_r together with the
       roles named in your sudoers records, for example:

       $ semanage user -m -R 'staff_r webadm_r unconfined_r sysadm_r secadm_r
       logadm_r dbadm_r auditadm_r' staff_u

       For more details see the semanage man page.

       The SELinux type staff_t is not allowed to execute sudo.
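
       The following POSIX shell script is an added example, not part of this
       generated man page: it checks the consistency the SUDO section says may
       be needed, namely that every ROLE= named in sudoers is in the SELinux
       user's role list, and prints the semanage user -m -R command that would
       add the missing ones. The semanage user -l and sudoers text it reads are
       constructed samples in the real formats, and the function names are
       this example's own.

```shell
#!/bin/sh
# Added example (not part of the generated man page): cross-check the ROLE=
# entries in sudoers against the roles the SELinux user can actually reach.
# All input below is constructed sample text in the format of
# 'semanage user -l' and of sudoers records; no system state is read.

SAMPLE_SEMANAGE_USER_L='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
user_u          user       s0         s0                             user_r'

SAMPLE_SUDOERS='joe ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /usr/bin/systemctl restart httpd
joe ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t /usr/sbin/semanage
# comments and records without ROLE= are ignored
joe ALL=(ALL) /usr/bin/less'

# Roles reachable by SELINUX_USER: columns 1-4 are user, prefix, level and
# range; everything after that is the role list.
# Usage: reachable_roles SELINUX_USER SEMANAGE_OUTPUT
reachable_roles() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { for (i = 5; i <= NF; i++) printf "%s ", $i }'
}

# Roles requested by ROLE= in sudoers that SELINUX_USER cannot reach.
# Usage: missing_sudo_roles SELINUX_USER SEMANAGE_OUTPUT SUDOERS_TEXT
missing_sudo_roles() {
    reachable=$(reachable_roles "$1" "$2")
    wanted=$(printf '%s\n' "$3" | grep -o 'ROLE=[A-Za-z0-9_]*' | cut -d= -f2 | sort -u)
    missing=""
    for r in $wanted; do
        case " $reachable" in
            *" $r "*) ;;                    # already in the user record
            *) missing="$missing $r" ;;     # not reachable: needs semanage user -m -R
        esac
    done
    printf '%s\n' "${missing# }"
}

# Print the 'semanage user -m -R' command from the SUDO section that adds the
# missing roles while keeping the ones already assigned (the -R list replaces
# the whole role list). Prints nothing when nothing is missing.
# Usage: suggest_role_fix SELINUX_USER SEMANAGE_OUTPUT SUDOERS_TEXT
suggest_role_fix() {
    missing=$(missing_sudo_roles "$1" "$2" "$3")
    [ -n "$missing" ] || return 0
    set -- "$1" $(reachable_roles "$1" "$2") $missing
    user=$1; shift
    printf "semanage user -m -R '%s' %s\n" "$*" "$user"
}

suggest_role_fix staff_u "$SAMPLE_SEMANAGE_USER_L" "$SAMPLE_SUDOERS"
```

       On a live system replace the sample variables with "$(semanage user -l)"
       and the contents of /etc/sudoers (and /etc/sudoers.d) and review the
       printed command before running it.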

X WINDOWS LOGIN

       The SELinux user staff_u is able to log in via X Windows.

NETWORK

       The SELinux user staff_u is able to listen on the following tcp ports.

              1716

              6000-6020

              3689

              all ports >= 1024

              all ports without defined types

              32768-60999

       The SELinux user staff_u is able to connect to the following tcp ports.

              8955

              all ports

              53,853

              389,636,3268,3269,7389

              all ports without defined types

              32768-60999

              all ports < 1024

              9080

              88,750,4444

       The SELinux user staff_u is able to listen on the following udp ports.

              all ports without defined types

              32768-60999

              all ports >= 1024

BOOLEANS

       SELinux policy is customizable based on the least access required.
       staff policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run staff with the tightest access
       possible.

       If you want to allow the staff user to create and transition to svirt
       domains, you must turn on the staff_use_svirt boolean. Disabled by
       default.

       setsebool -P staff_use_svirt 1

       If you want to allow crond to execute jobs in the user domain as
       opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Disabled by default.

       setsebool -P deny_bluetooth 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       an executable that needs it should be reported in bugzilla), you must
       turn on the deny_execmem boolean. Disabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean. Disabled by default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow calling user domains to execute the Git daemon in
       the git_session_t domain, you must turn on the git_session_users
       boolean. Disabled by default.

       setsebool -P git_session_users 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow calling user domains to execute the Polipo daemon
       in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1

       If you want to allow pppd to be run for a regular user, you must turn
       on the pppd_for_user boolean. Disabled by default.

       setsebool -P pppd_for_user 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Enabled by default.

       setsebool -P selinuxuser_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to connect to the local mysql server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_mysql_connect_enabled 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
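
       The following POSIX shell script is an added example, not part of this
       generated man page: it compares the current getsebool -a output against
       a tightest-access baseline built from the booleans above and prints the
       setsebool -P commands needed to reach it. The baseline values are an
       assumption chosen for illustration, the getsebool output is a
       constructed sample in the real format, and the function name is this
       example's own.

```shell
#!/bin/sh
# Added example (not part of the generated man page): report which booleans
# drift from a hardening baseline for staff_u hosts and print the
# 'setsebool -P' commands that correct them.

# Constructed sample of 'getsebool -a' output (only the booleans of interest).
SAMPLE_GETSEBOOL='deny_execmem --> off
deny_ptrace --> off
fips_mode --> on
selinuxuser_execmod --> on
selinuxuser_execstack --> on'

# Assumed tightest-access baseline, name=on|off, built from the BOOLEANS
# section: deny ptrace and writable+executable memory, forbid executable
# stacks and text relocations, keep fips_mode, do not allow svirt domains.
STAFF_BASELINE='deny_ptrace=on deny_execmem=on selinuxuser_execstack=off
selinuxuser_execmod=off fips_mode=on staff_use_svirt=off'

# Usage: boolean_drift GETSEBOOL_OUTPUT BASELINE
# Prints one line per boolean that differs from the baseline: either the
# 'setsebool -P name 1|0' command that corrects it, or a comment when the
# boolean does not exist in the loaded policy (so setsebool would fail).
boolean_drift() {
    current=$1
    for want in $2; do
        name=${want%%=*}
        state=${want#*=}
        # getsebool prints 'name --> on|off'; take the third field.
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            printf '# %s: not present in this policy\n' "$name"
        elif [ "$have" != "$state" ]; then
            if [ "$state" = on ]; then v=1; else v=0; fi
            printf 'setsebool -P %s %s\n' "$name" "$v"
        fi
    done
}

# Live use: boolean_drift "$(getsebool -a)" "$STAFF_BASELINE"
boolean_drift "$SAMPLE_GETSEBOOL" "$STAFF_BASELINE"
```

       Turning selinuxuser_execmod or selinuxuser_execstack off can break
       badly built binaries, so test the printed commands on a staging host
       and check the audit log for new denials before rolling them out.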

HOME_EXEC

       The SELinux user staff_u is able to execute home content files.

TRANSITIONS

       Three things can happen when staff_t attempts to execute a program.

       1. SELinux Policy can deny staff_t from executing the program.

       2. SELinux Policy can allow staff_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux type
              staff_t can execute without transitioning:

              $ sesearch -A -s staff_t -c file -p execute_no_trans

       3. SELinux can allow staff_t to execute the program and transition to a
       new type.

              Execute the following to see the types that the SELinux type
              staff_t can execute and transition to:

              $ sesearch -A -s staff_t -c process -p transition

MANAGED FILES

       The SELinux process type staff_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       auth_cache_t

            /var/cache/coolkey(/.*)?

       bluetooth_helper_tmp_t

       bluetooth_helper_tmpfs_t

       chrome_sandbox_tmpfs_t

       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       pulseaudio_tmpfs_t

       pulseaudio_tmpfsfile

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       security_t

            /selinux

       session_dbusd_tmp_t

            /var/run/user/[0-9]+/bus
            /var/run/user/[0-9]+/dbus(/.*)?
            /var/run/user/[0-9]+/dbus-1(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       systemd_unit_file_type

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user/[^/]+
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /var/run/user
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /var/run/user/[0-9]+
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       virt_image_type

            all virtual image files

       wireshark_tmp_t

       wireshark_tmpfs_t

       xserver_tmpfs_t

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), staff(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8),
       staff_gkeyringd_selinux(8), staff_screen_selinux(8),
       staff_seunshare_selinux(8), staff_ssh_agent_selinux(8),
       staff_sudo_selinux(8), staff_wine_selinux(8)

mgrepl@redhat.com                    staff                    staff_selinux(8)