user_selinux(8)

1user_selinux(8)        user SELinux Policy documentation       user_selinux(8)
2
3
4

NAME

6       user_u - Generic unprivileged user - Security Enhanced Linux Policy
7
8

DESCRIPTION

10       user_u  is an SELinux User defined in the SELinux policy. SELinux users
11       have default roles, user_r.  The  default  role  has  a  default  type,
12       user_t, associated with it.
13
14       The  SELinux  user  will  usually login to a system with a context that
15       looks like:
16
17       user_u:user_r:user_t:s0
18
19       Linux users are automatically assigned an SELinux users at login.   Lo‐
20       gin  programs  use  the  SELinux  User to assign initial context to the
21       user's shell.
22
23       SELinux policy uses the context to control the user's access.
24
25       By default all users are assigned to the SELinux  user  via  the  __de‐
26       fault__ flag
27
28       On  Targeted policy systems the __default__ user is assigned to the un‐
29       confined_u SELinux user.
30
31       You can list all Linux User to SELinux user mapping using:
32
33       semanage login -l
34
35       If you wanted to change the default user  mapping  to  use  the  user_u
36       user, you would execute:
37
38       semanage login -m -s user_u __default__
39
40
41       If  you  want to map the one Linux user (joe) to the SELinux user user,
42       you would execute:
43
44       $ semanage login -a -s user_u joe
45
46
47

USER DESCRIPTION

49       The SELinux user user_u is defined in policy as  a  unprivileged  user.
50       SELinux  prevents  unprivileged  users  from doing administration tasks
51       without transitioning to a different role.
52
53

SUDO

X WINDOWS LOGIN

56       The SELinux user user_u is able to X Windows login.
57
58

NETWORK

60       The SELinux user user_u is able to listen on the following tcp ports.
61
62              1716
63
64              6000-6020
65
66              3689
67
68              all ports >= 1024
69
70              all ports without defined types
71
72              32768-60999
73
74
75       The SELinux user user_u is able to connect to the following tcp ports.
76
77              8955
78
79              all ports
80
81              53,853
82
83              389,636,3268,3269,7389
84
85              all ports without defined types
86
87              32768-60999
88
89              all ports < 1024
90
91              9080
92
93              88,750,4444
94
95
96       The SELinux user user_u is able to listen on the following udp ports.
97
98              all ports without defined types
99
100              32768-60999
101
102              all ports >= 1024
103
104
105       The SELinux user user_u is able to connect to the following tcp ports.
106
107              8955
108
109              all ports
110
111              53,853
112
113              389,636,3268,3269,7389
114
115              all ports without defined types
116
117              32768-60999
118
119              all ports < 1024
120
121              9080
122
123              88,750,4444
124
125

BOOLEANS

127       SELinux policy is customizable based on least  access  required.   user
128       policy is extremely flexible and has several booleans that allow you to
129       manipulate the policy and run user with the tightest access possible.
130
131
132
133       If you want to determine whether crond can execute jobs in the user do‐
134       main as opposed to the the generic cronjob domain, you must turn on the
135       cron_userdomain_transition boolean. Enabled by default.
136
137       setsebool -P cron_userdomain_transition 1
138
139
140
141       If you want to deny all system processes and Linux users to  use  blue‐
142       tooth wireless technology, you must turn on the deny_bluetooth boolean.
143       Disabled by default.
144
145       setsebool -P deny_bluetooth 1
146
147
148
149       If you want to deny user domains applications to map a memory region as
150       both  executable  and  writable,  this  is dangerous and the executable
151       should be reported in bugzilla, you must turn on the deny_execmem bool‐
152       ean. Disabled by default.
153
154       setsebool -P deny_execmem 1
155
156
157
158       If  you  want  to deny any process from ptracing or debugging any other
159       processes, you must turn on the deny_ptrace boolean.  Disabled  by  de‐
160       fault.
161
162       setsebool -P deny_ptrace 1
163
164
165
166       If you want to allow all domains to execute in fips_mode, you must turn
167       on the fips_mode boolean. Enabled by default.
168
169       setsebool -P fips_mode 1
170
171
172
173       If you want to determine whether calling user domains can  execute  Git
174       daemon  in  the  git_session_t  domain,  you  must turn on the git_ses‐
175       sion_users boolean. Disabled by default.
176
177       setsebool -P git_session_users 1
178
179
180
181       If you want to allow httpd cgi support, you must turn on the  httpd_en‐
182       able_cgi boolean. Enabled by default.
183
184       setsebool -P httpd_enable_cgi 1
185
186
187
188       If you want to unify HTTPD handling of all content files, you must turn
189       on the httpd_unified boolean. Disabled by default.
190
191       setsebool -P httpd_unified 1
192
193
194
195       If you want to allow system to run with  NIS,  you  must  turn  on  the
196       nis_enabled boolean. Disabled by default.
197
198       setsebool -P nis_enabled 1
199
200
201
202       If  you  want  to  determine  whether  calling user domains can execute
203       Polipo daemon in the polipo_session_t domain,  you  must  turn  on  the
204       polipo_session_users boolean. Disabled by default.
205
206       setsebool -P polipo_session_users 1
207
208
209
210       If  you  want to allow pppd to be run for a regular user, you must turn
211       on the pppd_for_user boolean. Disabled by default.
212
213       setsebool -P pppd_for_user 1
214
215
216
217       If you want to allow all unconfined executables to  use  libraries  re‐
218       quiring  text relocation that are not labeled textrel_shlib_t, you must
219       turn on the selinuxuser_execmod boolean. Enabled by default.
220
221       setsebool -P selinuxuser_execmod 1
222
223
224
225       If you want to allow unconfined executables to make  their  stack  exe‐
226       cutable.   This  should  never, ever be necessary. Probably indicates a
227       badly coded executable, but could indicate an attack.  This  executable
228       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
229       stack boolean. Enabled by default.
230
231       setsebool -P selinuxuser_execstack 1
232
233
234
235       If you want to allow users to connect to the local  mysql  server,  you
236       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
237       default.
238
239       setsebool -P selinuxuser_mysql_connect_enabled 1
240
241
242
243       If you want to allow confined users the ability to execute the ping and
244       traceroute commands, you must turn on the selinuxuser_ping boolean. En‐
245       abled by default.
246
247       setsebool -P selinuxuser_ping 1
248
249
250
251       If you want to allow user to r/w files on filesystems that do not  have
252       extended  attributes  (FAT, CDROM, FLOPPY), you must turn on the selin‐
253       uxuser_rw_noexattrfile boolean. Enabled by default.
254
255       setsebool -P selinuxuser_rw_noexattrfile 1
256
257
258
259       If you want to allow user  to use ssh chroot environment, you must turn
260       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
261
262       setsebool -P selinuxuser_use_ssh_chroot 1
263
264
265
266       If  you  want  to  allow  unprivileged user to create and transition to
267       svirt domains, you must turn on the unprivuser_use_svirt boolean.  Dis‐
268       abled by default.
269
270       setsebool -P unprivuser_use_svirt 1
271
272
273
274       If  you  want  to  support  NFS  home directories, you must turn on the
275       use_nfs_home_dirs boolean. Disabled by default.
276
277       setsebool -P use_nfs_home_dirs 1
278
279
280
281       If you want to support SAMBA home directories, you  must  turn  on  the
282       use_samba_home_dirs boolean. Disabled by default.
283
284       setsebool -P use_samba_home_dirs 1
285
286
287

HOME_EXEC

289       The SELinux user user_u is able execute home content files.
290
291

TRANSITIONS

293       Three things can happen when user_t attempts to execute a program.
294
295       1. SELinux Policy can deny user_t from executing the program.
296
297
298
299       2.  SELinux  Policy can allow user_t to execute the program in the cur‐
300       rent user type.
301
302              Execute the following to see the types  that  the  SELinux  user
303              user_t can execute without transitioning:
304
305              sesearch -A -s user_t -c file -p execute_no_trans
306
307
308
309       3.  SELinux can allow user_t to execute the program and transition to a
310       new type.
311
312              Execute the following to see the types  that  the  SELinux  user
313              user_t can execute and transition:
314
315              $ sesearch -A -s user_t -c process -p transition
316
317
318

MANAGED FILES

320       The  SELinux process type user_t can manage files labeled with the fol‐
321       lowing file types.  The paths listed are the default  paths  for  these
322       file types.  Note the processes UID still need to have DAC permissions.
323
324       alsa_home_t
325
326            /home/[^/]+/.asoundrc
327
328       auth_cache_t
329
330            /var/cache/coolkey(/.*)?
331
332       bluetooth_helper_tmp_t
333
334
335       bluetooth_helper_tmpfs_t
336
337
338       chrome_sandbox_tmpfs_t
339
340
341       faillog_t
342
343            /var/log/btmp.*
344            /var/log/faillog.*
345            /var/log/tallylog.*
346            /var/run/faillock(/.*)?
347
348       games_data_t
349
350            /var/games(/.*)?
351            /var/lib/games(/.*)?
352
353       gconf_tmp_t
354
355            /tmp/gconfd-[^/]+/.*
356
357       gpg_agent_tmp_t
358
359            /home/[^/]+/.gnupg/log-socket
360
361       httpd_user_content_t
362
363            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
364
365       httpd_user_htaccess_t
366
367            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
368
369       httpd_user_ra_content_t
370
371            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
372
373       httpd_user_rw_content_t
374
375
376       httpd_user_script_exec_t
377
378            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
379
380       krb5_host_rcache_t
381
382            /var/tmp/krb5_0.rcache2
383            /var/cache/krb5rcache(/.*)?
384            /var/tmp/nfs_0
385            /var/tmp/DNS_25
386            /var/tmp/host_0
387            /var/tmp/imap_0
388            /var/tmp/HTTP_23
389            /var/tmp/HTTP_48
390            /var/tmp/ldap_55
391            /var/tmp/ldap_487
392            /var/tmp/ldapmap1_0
393
394       mail_spool_t
395
396            /var/mail(/.*)?
397            /var/spool/imap(/.*)?
398            /var/spool/mail(/.*)?
399            /var/spool/smtpd(/.*)?
400
401       mqueue_spool_t
402
403            /var/spool/(client)?mqueue(/.*)?
404            /var/spool/mqueue.in(/.*)?
405
406       pulseaudio_tmpfs_t
407
408
409       pulseaudio_tmpfsfile
410
411
412       sandbox_tmpfs_type
413
414            all sandbox content in tmpfs file systems
415
416       security_t
417
418            /selinux
419
420       session_dbusd_tmp_t
421
422            /var/run/user/[0-9]+/bus
423            /var/run/user/[0-9]+/dbus(/.*)?
424            /var/run/user/[0-9]+/dbus-1(/.*)?
425
426       systemd_passwd_var_run_t
427
428            /var/run/systemd/ask-password(/.*)?
429            /var/run/systemd/ask-password-block(/.*)?
430
431       usbfs_t
432
433
434       user_fonts_cache_t
435
436            /root/.fontconfig(/.*)?
437            /root/.fonts/auto(/.*)?
438            /root/.fonts.cache-.*
439            /root/.cache/fontconfig(/.*)?
440            /home/[^/]+/.fontconfig(/.*)?
441            /home/[^/]+/.fonts/auto(/.*)?
442            /home/[^/]+/.fonts.cache-.*
443            /home/[^/]+/.cache/fontconfig(/.*)?
444
445       user_home_type
446
447            all user home files
448
449       user_tmp_t
450
451            /dev/shm/mono.*
452            /var/run/user/[^/]+
453            /tmp/.ICE-unix(/.*)?
454            /tmp/.X11-unix(/.*)?
455            /dev/shm/pulse-shm.*
456            /tmp/.X0-lock
457            /var/run/user
458            /tmp/hsperfdata_root
459            /var/tmp/hsperfdata_root
460            /home/[^/]+/tmp
461            /home/[^/]+/.tmp
462            /var/run/user/[0-9]+
463            /tmp/gconfd-[^/]+
464
465       user_tmp_type
466
467            all user tmp files
468
469       virt_image_type
470
471            all virtual image files
472
473       xserver_tmpfs_t
474
475
476

COMMANDS

478       semanage  fcontext  can also be used to manipulate default file context
479       mappings.
480
481       semanage permissive can also be used to manipulate  whether  or  not  a
482       process type is permissive.
483
484       semanage  module can also be used to enable/disable/install/remove pol‐
485       icy modules.
486
487       semanage boolean can also be used to manipulate the booleans
488
489
490       system-config-selinux is a GUI tool available to customize SELinux pol‐
491       icy settings.
492
493

AUTHOR

495       This manual page was auto-generated using sepolicy manpage .
496
497