user_u is an SELinux User defined in the SELinux policy. SELinux users have default roles, user_r. The default role has a default type, user_t, associated with it.
The SELinux user will usually login to a system with a context that looks like:
user_u:user_r:user_t:s0-s0:c0.c1023
Linux users are automatically assigned an SELinux users at login. Login programs use the SELinux User to assign initial context to the user's shell.
SELinux policy uses the context to control the user's access.
By default all users are assigned to the SELinux user via the __default__ flag
On Targeted policy systems the __default__ user is assigned to the unconfined_u SELinux user.
You can list all Linux User to SELinux user mapping using:
semanage login -l
If you wanted to change the default user mapping to use the user_u user, you would execute:
semanage login -m -s user_u __default__
If you want to map the one Linux user (joe) to the SELinux user user, you would execute:
$ semanage login -a -s user_u joe
The SELinux user user_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
The SELinux user user_u is able to X Windows login.
xserver_port_t: 6000-6020
all ports
all ports with out defined types
ephemeral_port_t: 32768-61000
all ports
If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
setsebool -P clamscan_read_user_content 1
If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean.
setsebool -P selinuxuser_execheap 1
If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean.
setsebool -P selinuxuser_execmod 1
If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
setsebool -P exim_read_user_files 1
If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
setsebool -P postgresql_selinux_users_ddl 1
If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
setsebool -P pppd_for_user 1
If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean.
setsebool -P selinuxuser_rw_noexattrfile 1
If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean.
setsebool -P git_session_users 1
If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean.
setsebool -P selinuxuser_direct_dri_enabled 1
If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
setsebool -P dbadm_manage_user_files 1
If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean.
setsebool -P selinuxuser_user_share_music 1
If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
setsebool -P selinuxuser_postgresql_connect_enabled 1
If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
setsebool -P selinuxuser_tcp_server 1
If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
setsebool -P unprivuser_use_svirt 1
If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean.
setsebool -P selinuxuser_execstack 1
If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
setsebool -P webadm_read_user_files 1
If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
setsebool -P httpd_read_user_content 1
If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
setsebool -P selinuxuser_ping 1
If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
setsebool -P exim_manage_user_files 1
If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
setsebool -P dbadm_read_user_files 1
If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
setsebool -P polipo_session_users 1
If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
setsebool -P webadm_manage_user_files 1
If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
setsebool -P selinuxuser_mysql_connect_enabled 1
The SELinux user user_u is able execute home content files.
Three things can happen when user_t attempts to execute a program.
1. SELinux Policy can deny user_t from executing the program.
Execute the following to see the types that the SELinux user user_t can execute without transitioning:
sesearch -A -s user_t -c file -p execute_no_trans
Execute the following to see the types that the SELinux user user_t can execute and transition:
$ sesearch -A -s user_t -c process -p transition
The SELinux user type user_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
anon_inodefs_t
auth_cache_t
/var/cache/coolkey(/.*)?
bluetooth_helper_tmp_t
bluetooth_helper_tmpfs_t
cgroup_t
/cgroup
/sys/fs/cgroup
chrome_sandbox_tmpfs_t
games_data_t
/var/games(/.*)?
/var/lib/games(/.*)?
gpg_agent