certmonger_unconfined_selinux(8)    SELinux Policy certmonger_unconfined    certmonger_unconfined_selinux(8)

NAME

       certmonger_unconfined_selinux - Security Enhanced Linux Policy for the
       certmonger_unconfined processes


DESCRIPTION

       Security-Enhanced Linux secures the certmonger_unconfined processes via
       flexible mandatory access control.

       The certmonger_unconfined processes execute with the
       certmonger_unconfined_t SELinux type. You can check if you have these
       processes running by executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep certmonger_unconfined_t


ENTRYPOINTS

       The certmonger_unconfined_t SELinux type can be entered via the
       file_type, certmonger_unconfined_exec_t, unlabeled_t, proc_type,
       filesystem_type, mtrr_device_t, sysctl_type file types.

       The default entrypoint paths for the certmonger_unconfined_t domain are
       the following:

       all files on the system, /usr/lib(64)?/ipa/certmonger(/.*)?,
       /dev/cpu/mtrr


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       certmonger_unconfined policy is very flexible, allowing users to set up
       their certmonger_unconfined processes in as secure a method as
       possible.

       The following process types are defined for certmonger_unconfined:

       certmonger_unconfined_t

       Note: semanage permissive -a certmonger_unconfined_t can be used to
       make the process type certmonger_unconfined_t permissive. SELinux does
       not deny access to permissive process types, but the AVC (SELinux
       denials) messages are still generated.


BOOLEANS

       SELinux policy is customizable based on least access required.
       certmonger_unconfined policy is extremely flexible and has several
       booleans that allow you to manipulate the policy and run
       certmonger_unconfined with the tightest access possible.

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean.
       Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the allow_execheap boolean. Doing this is
       a really bad idea: it probably indicates a badly coded executable, but
       could indicate an attack, and the executable should be reported in
       bugzilla. Disabled by default.

       setsebool -P allow_execheap 1

       If you want to allow unconfined executables to map a memory region as
       both executable and writable, you must turn on the allow_execmem
       boolean. This is dangerous and the executable should be reported in
       bugzilla. Enabled by default.

       setsebool -P allow_execmem 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the allow_execstack boolean. This should
       never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P allow_execstack 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must
       turn on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow certain domains to map low memory in the kernel,
       you must turn on the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to prevent the system from loading policy, setting
       enforcing mode, and changing boolean values, you must turn on the
       secure_mode_policyload boolean. Once set to true, a reboot is required
       to set it back. Disabled by default.

       setsebool -P secure_mode_policyload 1

       If you want to support the X userspace object manager, you must turn
       on the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1

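       The following script is an added example and is not part of the
       sepolicy-generated page. It audits the booleans listed above against
       the defaults this page states, reading the "name --> on|off" lines
       that getsebool -a prints, so that drift in the dangerous ones
       (allow_execheap, allow_execstack, allow_ptrace) is reported instead
       of silently inherited. The sample input is constructed; on a host
       with the SELinux tools installed it audits the live values instead.

```shell
#!/bin/sh
# Audit SELinux booleans against the defaults documented on this page.
# Added example, not part of the sepolicy-generated man page.

# Documented defaults, copied from the BOOLEANS section (name:default).
DOCUMENTED_DEFAULTS='
allow_domain_fd_use:on
allow_execheap:off
allow_execmem:on
allow_execmod:on
allow_execstack:on
allow_ptrace:off
domain_kernel_load_modules:off
fips_mode:on
global_ssp:off
mmap_low_allowed:off
secure_mode_policyload:off
xserver_object_manager:off
'

# documented_default NAME: prints the stated default for NAME, or nothing
# if the boolean is not covered by this page.
documented_default() {
    printf '%s\n' "$DOCUMENTED_DEFAULTS" | sed -n "s/^$1:\([a-z]*\)\$/\1/p"
}

# audit_booleans: reads getsebool-style lines on stdin and prints one line
# "name expected=X actual=Y" for each boolean that deviates from its default.
audit_booleans() {
    while IFS= read -r line; do
        case "$line" in
            *" --> "*) ;;
            *) continue ;;                 # not a getsebool line
        esac
        name=${line%% --> *}
        actual=${line##* --> }
        expected=$(documented_default "$name")
        [ -n "$expected" ] || continue     # not documented here, skip
        if [ "$expected" != "$actual" ]; then
            printf '%s expected=%s actual=%s\n' "$name" "$expected" "$actual"
        fi
    done
}

# Constructed sample in getsebool -a format; three booleans deviate.
SAMPLE_GETSEBOOL='allow_domain_fd_use --> on
allow_execheap --> on
allow_execmem --> on
allow_execstack --> off
allow_ptrace --> on
fips_mode --> on
some_unrelated_bool --> off'

# With the SELinux tools present, audit the live values; otherwise the sample.
if command -v getsebool >/dev/null 2>&1; then
    getsebool -a | audit_booleans
else
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans
fi
```

       Only booleans named on this page are checked; anything else in the
       getsebool output is ignored, so the script can be pointed at the full
       boolean list of a host without producing noise.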

MANAGED FILES

       The SELinux process type certmonger_unconfined_t can manage files
       labeled with the following file types. The paths listed are the
       default paths for these file types. Note that the process's UID still
       needs to have DAC permissions.

       file_type

            all files on the system


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux certmonger_unconfined policy is very flexible, allowing users
       to set up their certmonger_unconfined processes in as secure a method
       as possible.

       The following file types are defined for certmonger_unconfined:

       certmonger_unconfined_exec_t

       - Set files with the certmonger_unconfined_exec_t type, if you want to
       transition an executable to the certmonger_unconfined_t domain.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

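       The following script is an added example and is not part of the
       sepolicy-generated page. It checks that files under the entrypoint
       path /usr/lib(64)?/ipa/certmonger(/.*)? listed above carry the
       certmonger_unconfined_exec_t type, since a file with any other type
       will not transition into certmonger_unconfined_t when executed. Input
       lines use the context-then-path layout that ls -Z prints; the sample
       is constructed and its helper file names are placeholders, not real
       package contents.

```shell
#!/bin/sh
# Report files under the certmonger_unconfined_t entrypoint path whose type
# is not certmonger_unconfined_exec_t. Added example, not part of the
# sepolicy-generated man page.

# Path specification from the ENTRYPOINTS section, as an extended regex.
ENTRYPOINT_RE='^/usr/lib(64)?/ipa/certmonger(/.*)?$'
EXPECTED_TYPE=certmonger_unconfined_exec_t

# check_labels: reads "user:role:type:level path" lines on stdin and prints
# "path type" for every path under the entrypoint spec whose type is not
# the expected one. restorecon -Rv on the directory relabels such files
# according to the semanage fcontext database.
check_labels() {
    while read -r context path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$path" | grep -Eq "$ENTRYPOINT_RE" || continue
        type=$(printf '%s\n' "$context" | cut -d: -f3)   # third field is the type
        [ "$type" = "$EXPECTED_TYPE" ] || printf '%s %s\n' "$path" "$type"
    done
}

# Constructed sample in ls -Z layout; two entries are mislabeled and one
# path lies outside the entrypoint spec and must be ignored.
SAMPLE_LS_Z='system_u:object_r:certmonger_unconfined_exec_t:s0 /usr/lib64/ipa/certmonger
system_u:object_r:certmonger_unconfined_exec_t:s0 /usr/lib64/ipa/certmonger/helper-a
unconfined_u:object_r:lib_t:s0 /usr/lib64/ipa/certmonger/helper-b
system_u:object_r:bin_t:s0 /usr/lib/ipa/certmonger/helper-c
system_u:object_r:lib_t:s0 /usr/lib64/ipa/unrelated/tool'

printf '%s\n' "$SAMPLE_LS_Z" | check_labels
```

       To run it against a live host, pipe the output of ls -Z on the
       directory into check_labels in place of the sample. A file that was
       relabeled with chcon will look correct here but revert on the next
       restorecon, which is why a permanent change goes through semanage
       fcontext.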

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), certmonger_unconfined(8), semanage(8), restorecon(8),
       chcon(1), setsebool(8)

certmonger_unconfined              15-06-03   certmonger_unconfined_selinux(8)