sysadm_u is an SELinux user defined in the SELinux policy. Each SELinux user has a default role, here sysadm_r. The default role has a default type, sysadm_t, associated with it.
The SELinux user will usually log in to a system with a context that looks like:
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
Linux users are automatically assigned an SELinux user at login. Login programs use the SELinux user to assign the initial context to the user's shell.
SELinux policy uses the context to control the user's access.
By default all users are assigned to an SELinux user via the __default__ flag.
On Targeted policy systems the __default__ user is assigned to the unconfined_u SELinux user.
You can list all Linux user to SELinux user mappings using:
semanage login -l
If you wanted to change the default user mapping to use the sysadm_u user, you would execute:
semanage login -m -s sysadm_u __default__
If you want to map one Linux user (joe) to the SELinux user sysadm_u, you would execute:
$ semanage login -a -s sysadm_u joe
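To confirm which SELinux user a login ends up with after these changes, the following added example (not part of the original man page) resolves a login against `semanage login -l` style output, falling back to __default__ when no explicit entry exists. The function names and the sample table are constructed for illustration, and %group entries are not evaluated.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output (not from a real host).
sample_login_map() {
cat <<'EOF'

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
EOF
}

# seuser_for LOGIN (hypothetical helper): print the SELinux user a login
# resolves to. Reads the mapping table on stdin. An exact login entry wins;
# otherwise the __default__ entry applies. %group entries are not evaluated.
seuser_for() {
    awk -v login="$1" '
        NF < 3 || $1 == "Login" { next }   # skip blanks and the header row
        $1 == login         { exact = $2 }
        $1 == "__default__" { dflt = $2 }
        END {
            if (exact != "")     print exact
            else if (dflt != "") print dflt
            else                 exit 1    # no mapping and no default
        }'
}

# logins_mapped_to SEUSER (hypothetical helper): list every entry, including
# __default__, that is mapped to the given SELinux user.
logins_mapped_to() {
    awk -v su="$1" 'NF >= 3 && $1 != "Login" && $2 == su { print $1 }'
}

sample_login_map | seuser_for joe           # explicit mapping
sample_login_map | seuser_for alice         # no entry, uses __default__
sample_login_map | logins_mapped_to sysadm_u
```

On a live host, pipe `semanage login -l` into the functions instead of the sample. If `logins_mapped_to sysadm_u` ever prints __default__, every login without an explicit entry receives the administrative SELinux user.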
The SELinux user sysadm_u is an admin user: a Linux user mapped to this SELinux user is intended for administrative actions. Usually this is assigned to a root Linux user.
The SELinux user sysadm can execute sudo.
You can set up sudo to allow sysadm to transition to an administrative domain:
Add one or more of the following records to sudoers using visudo.
USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL
USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL
USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL
USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL
You might also need to add one or more of these new roles to your SELinux user record.
List the SELinux roles your SELinux user can reach by executing:
$ semanage user -l | grep selinux_name
Modify the roles list and add sysadm_r to this list.
$ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
For more details, see the semanage man page.
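A sudoers record whose ROLE= is missing from the SELinux user's role list is the mismatch the step above corrects. The following added example (not part of the original man page) reports every ROLE= value used in sudoers that the SELinux user record does not list. The helper names and both sample inputs are constructed, and the check assumes one sudoers record per line.

```shell
#!/bin/sh
# Constructed `semanage user -l` rows (not from a real host).
sample_users() {
cat <<'EOF'
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

sysadm_u        user       s0         s0-s0:c0.c1023     sysadm_r
staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r
EOF
}

# Constructed sudoers records in the form shown on this page.
sample_sudoers() {
cat <<'EOF'
joe ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t /usr/sbin/aureport
joe ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t /usr/sbin/semanage
# joe ALL=(ALL) ROLE=secadm_r TYPE=secadm_t /usr/sbin/setenforce
EOF
}

# roles_of SEUSER (hypothetical helper): print the roles listed for SEUSER
# (5th column onward) on one line; reads `semanage user -l` text on stdin.
roles_of() {
    awk -v u="$1" '$1 == u {
        for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
    }'
}

# missing_roles SEUSER USERS_TEXT SUDOERS_TEXT (hypothetical helper):
# print each ROLE= value in sudoers that the SEUSER record does not list.
missing_roles() {
    have=$(printf '%s\n' "$2" | roles_of "$1")
    printf '%s\n' "$3" | awk -v have="$have" '
        BEGIN { n = split(have, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
        /^[ \t]*#/ { next }                # ignore commented-out records
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ROLE=/) {
                    role = substr($i, 6)   # text after "ROLE="
                    if (!(role in ok) && !seen[role]++) print role
                }
        }'
}

missing_roles sysadm_u "$(sample_users)" "$(sample_sudoers)"
```

An empty result means every role named in sudoers is already in the SELinux user's role list; any role printed still needs to be added with `semanage user -m -R`.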
The SELinux type sysadm_t is not allowed to execute sudo.
The SELinux user sysadm_u is able to log in through X Windows.
all ports without defined types
ephemeral_port_t: 32768-61000
all ports
all ports without defined types
ntp_port_t: 123
ephemeral_port_t: 32768-61000
all ports
If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
setsebool -P xdm_sysadm_login 1
If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
setsebool -P ssh_sysadm_login 1
The SELinux user sysadm_u is able to execute home content files.
Three things can happen when sysadm_t attempts to execute a program.
1. SELinux Policy can deny sysadm_t from executing the program.
Execute the following to see the types that the SELinux user sysadm_t can execute without transitioning:
sesearch -A -s sysadm_t -c file -p execute_no_trans
Execute the following to see the types that the SELinux user sysadm_t can execute and transition:
$ sesearch -A -s sysadm_t -c process -p transition
The SELinux user type sysadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.
auditd_etc_t
    /etc/audit(/.*)?
auditd_log_t
    /var/log/audit(/.*)?
    /var/log/audit.log
boolean_type
etc_runtime_t
    /[^/]+
    /etc/mtab.*
    /etc/blkid(/.*)?
    /etc/nologin.*
    /etc/.fstab.hal..+
    /halt
    /fastboot
    /poweroff
    /etc/cmtab
    /forcefsck
    /.autofsck
    /.suspended
    /fsckoptions
    /.autorelabel
    /etc/securetty
    /etc/nohotplug
    /etc/killpower
    /etc/ioctl.save
    /etc/fstab.REVOKE
    /etc/network/ifstate
    /etc/sysconfig/hwconf
    /etc/ptal/ptal-printd-like
    /etc/sysconfig/iptables.save
    /etc/xorg.conf.d/00-system-setup-keyboard.conf
    /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
iceauth_home_t
    /root/.DCOP.*
    /root/.ICEauthority.*
    /home/[^/]*/.DCOP.*
    /home/[^/]*/.ICEauthority.*
krb5_host_rcache_t
    /var/cache/krb5rcache(/.*)?
    /var/tmp/nfs_0
    /var/tmp/host_0
    /var/tmp/imap_0
    /var/tmp/HTTP_23
    /var/tmp/HTTP_48
    /var/tmp/ldap_55
    /var/tmp/ldap_487
    /var/tmp/ldapmap1_0
krb5_keytab_t
    /etc/krb5.keytab
    /etc/krb5kdc/kadm5.keytab
    /var/kerberos/krb5kdc/kadm5.keytab
non_security_file_type
screen_home_t
    /root/.screen(/.*)?
    /home/[^/]*/.screen(/.*)?
    /home/[^/]*/.screenrc
sysctl_type
systemd_passwd_var_run_t
    /var/run/systemd/ask-password(/.*)?
    /var/run/systemd/ask-password-block(/.*)?
systemd_unit_file_type
usbfs_t
user_fonts_cache_t
    /root/.fontconfig(/.*)?
    /root/.fonts/auto(/.*)?
    /root/.fonts.cache-.*
    /home/[^/]*/.fontconfig(/.*)?
    /home/[^/]*/.fonts/auto(/.*)?
    /home/[^/]*/.fonts.cache-.*
user_fonts_t
    /root/.fonts(/.*)?
    /tmp/.font-unix(/.*)?
    /home/[^/]*/.fonts(/.*)?
user_home_t
    /home/[^/]*/.+
user_home_type
    all user home files
user_tmp_type
    all user tmp files
user_tmpfs_type
    all user content in tmpfs file systems
xauth_home_t
    /root/.xauth.*
    /root/.Xauth.*
    /root/.serverauth.*
    /root/.Xauthority.*
    /var/lib/pqsql/.xauth.*
    /var/lib/pqsql/.Xauthority.*
    /var/lib/nxserve