consolekit_selinux(8)

1consolekit_selinux(8)      SELinux Policy consolekit     consolekit_selinux(8)
2
3
4

NAME

6       consolekit_selinux  - Security Enhanced Linux Policy for the consolekit
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the consolekit processes  via  flexible
11       mandatory access control.
12
13       The  consolekit  processes  execute with the consolekit_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep consolekit_t
20
21
22

ENTRYPOINTS

24       The  consolekit_t SELinux type can be entered via the consolekit_exec_t
25       file type.
26
27       The default entrypoint paths for the consolekit_t domain are  the  fol‐
28       lowing:
29
30       /usr/sbin/console-kit-daemon
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       consolekit  policy  is very flexible allowing users to setup their con‐
40       solekit processes in as secure a method as possible.
41
42       The following process types are defined for consolekit:
43
44       consolekit_t
45
46       Note: semanage permissive -a consolekit_t  can  be  used  to  make  the
47       process  type  consolekit_t permissive. SELinux does not deny access to
48       permissive process types, but the AVC (SELinux  denials)  messages  are
49       still generated.
50
51

BOOLEANS

53       SELinux  policy  is  customizable based on least access required.  con‐
54       solekit policy is extremely flexible  and  has  several  booleans  that
55       allow you to manipulate the policy and run consolekit with the tightest
56       access possible.
57
58
59
60       If you want to allow all daemons to write corefiles to /, you must turn
61       on the allow_daemons_dump_core boolean. Disabled by default.
62
63       setsebool -P allow_daemons_dump_core 1
64
65
66
67       If  you want to allow all daemons to use tcp wrappers, you must turn on
68       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
69
70       setsebool -P allow_daemons_use_tcp_wrapper 1
71
72
73
74       If you want to allow all daemons the ability to  read/write  terminals,
75       you  must  turn  on  the  allow_daemons_use_tty  boolean.  Disabled  by
76       default.
77
78       setsebool -P allow_daemons_use_tty 1
79
80
81
82       If you want to allow all domains to use other domains file descriptors,
83       you must turn on the allow_domain_fd_use boolean. Enabled by default.
84
85       setsebool -P allow_domain_fd_use 1
86
87
88
89       If  you  want  to allow confined applications to run with kerberos, you
90       must turn on the allow_kerberos boolean. Enabled by default.
91
92       setsebool -P allow_kerberos 1
93
94
95
96       If you want to allow sysadm to debug or ptrace all processes, you  must
97       turn on the allow_ptrace boolean. Disabled by default.
98
99       setsebool -P allow_ptrace 1
100
101
102
103       If  you  want  to allows clients to write to the X server shared memory
104       segments, you must turn on the allow_write_xshm  boolean.  Disabled  by
105       default.
106
107       setsebool -P allow_write_xshm 1
108
109
110
111       If  you  want  to  allow  system  to run with NIS, you must turn on the
112       allow_ypbind boolean. Disabled by default.
113
114       setsebool -P allow_ypbind 1
115
116
117
118       If you want to enable cluster mode for daemons, you must  turn  on  the
119       daemons_enable_cluster_mode boolean. Disabled by default.
120
121       setsebool -P daemons_enable_cluster_mode 1
122
123
124
125       If  you  want to allow all domains to have the kernel load modules, you
126       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
127       default.
128
129       setsebool -P domain_kernel_load_modules 1
130
131
132
133       If you want to allow all domains to execute in fips_mode, you must turn
134       on the fips_mode boolean. Enabled by default.
135
136       setsebool -P fips_mode 1
137
138
139
140       If you want to enable reading of urandom for all domains, you must turn
141       on the global_ssp boolean. Disabled by default.
142
143       setsebool -P global_ssp 1
144
145
146
147       If you want to enable support for upstart as the init program, you must
148       turn on the init_upstart boolean. Enabled by default.
149
150       setsebool -P init_upstart 1
151
152
153
154       If you want to allow confined applications to use nscd  shared  memory,
155       you must turn on the nscd_use_shm boolean. Enabled by default.
156
157       setsebool -P nscd_use_shm 1
158
159
160
161       If  you  want  to  support  NFS  home directories, you must turn on the
162       use_nfs_home_dirs boolean. Disabled by default.
163
164       setsebool -P use_nfs_home_dirs 1
165
166
167
168       If you want to support SAMBA home directories, you  must  turn  on  the
169       use_samba_home_dirs boolean. Disabled by default.
170
171       setsebool -P use_samba_home_dirs 1
172
173
174
175       If you want to support X userspace object manager, you must turn on the
176       xserver_object_manager boolean. Disabled by default.
177
178       setsebool -P xserver_object_manager 1
179
180
181

MANAGED FILES

183       The SELinux process type consolekit_t can manage files labeled with the
184       following file types.  The paths listed are the default paths for these
185       file types.  Note the processes UID still need to have DAC permissions.
186
187       cluster_conf_t
188
189            /etc/cluster(/.*)?
190
191       cluster_var_lib_t
192
193            /var/lib(64)?/openais(/.*)?
194            /var/lib(64)?/pengine(/.*)?
195            /var/lib(64)?/corosync(/.*)?
196            /usr/lib(64)?/heartbeat(/.*)?
197            /var/lib(64)?/heartbeat(/.*)?
198            /var/lib(64)?/pacemaker(/.*)?
199            /var/lib/cluster(/.*)?
200
201       cluster_var_run_t
202
203            /var/run/crm(/.*)?
204            /var/run/cman_.*
205            /var/run/rsctmp(/.*)?
206            /var/run/aisexec.*
207            /var/run/heartbeat(/.*)?
208            /var/run/cpglockd.pid
209            /var/run/corosync.pid
210            /var/run/rgmanager.pid
211            /var/run/cluster/rgmanager.sk
212
213       consolekit_log_t
214
215            /var/log/ConsoleKit(/.*)?
216
217       consolekit_var_run_t
218
219            /var/run/ConsoleKit(/.*)?
220            /var/run/consolekit.pid
221            /var/run/console-kit-daemon.pid
222
223       initrc_tmp_t
224
225
226       initrc_var_run_t
227
228            /var/run/utmp
229            /var/run/random-seed
230            /var/run/runlevel.dir
231            /var/run/setmixer_flag
232
233       mnt_t
234
235            /mnt(/[^/]*)
236            /mnt(/[^/]*)?
237            /rhev(/[^/]*)?
238            /media(/[^/]*)
239            /media(/[^/]*)?
240            /etc/rhgb(/.*)?
241            /media/.hal-.*
242            /net
243            /afs
244            /rhev
245            /misc
246
247       pam_var_console_t
248
249            /var/run/console(/.*)?
250
251       root_t
252
253            /
254            /initrd
255
256       tmp_t
257
258            /tmp
259            /usr/tmp
260            /var/tmp
261            /tmp-inst
262            /var/tmp-inst
263            /var/tmp/vi.recover
264
265       user_fonts_cache_t
266
267            /home/[^/]*/.fonts/auto(/.*)?
268            /home/[^/]*/.fontconfig(/.*)?
269            /home/[^/]*/.fonts.cache-.*
270            /home/staff/.fonts/auto(/.*)?
271            /home/staff/.fontconfig(/.*)?
272            /home/staff/.fonts.cache-.*
273
274       wtmp_t
275
276            /var/log/wtmp.*
277
278       xserver_tmpfs_t
279
280
281

FILE CONTEXTS

283       SELinux requires files to have an extended attribute to define the file
284       type.
285
286       You can see the context of a file using the -Z option to ls
287
288       Policy  governs  the  access  confined  processes  have to these files.
289       SELinux consolekit policy is very  flexible  allowing  users  to  setup
290       their consolekit processes in as secure a method as possible.
291
292       STANDARD FILE CONTEXT
293
294       SELinux  defines  the  file  context  types  for the consolekit, if you
295       wanted to store files with these types in a diffent paths, you need  to
296       execute  the  semanage  command to sepecify alternate labeling and then
297       use restorecon to put the labels on disk.
298
299       semanage fcontext -a  -t  consolekit_var_run_t  '/srv/myconsolekit_con‐
300       tent(/.*)?'
301       restorecon -R -v /srv/myconsolekit_content
302
303       Note:  SELinux  often  uses  regular expressions to specify labels that
304       match multiple files.
305
306       The following file types are defined for consolekit:
307
308
309
310       consolekit_exec_t
311
312       - Set files with the consolekit_exec_t type, if you want to  transition
313       an executable to the consolekit_t domain.
314
315
316
317       consolekit_log_t
318
319       -  Set  files  with the consolekit_log_t type, if you want to treat the
320       data as consolekit log data, usually stored under the  /var/log  direc‐
321       tory.
322
323
324
325       consolekit_tmpfs_t
326
327       - Set files with the consolekit_tmpfs_t type, if you want to store con‐
328       solekit files on a tmpfs file system.
329
330
331
332       consolekit_var_run_t
333
334       - Set files with the consolekit_var_run_t type, if you  want  to  store
335       the consolekit files under the /run or /var/run directory.
336
337
338       Paths:
339            /var/run/ConsoleKit(/.*)?,  /var/run/consolekit.pid, /var/run/con‐
340            sole-kit-daemon.pid
341
342
343       Note: File context can be temporarily modified with the chcon  command.
344       If  you want to permanently change the file context you need to use the
345       semanage fcontext command.  This will modify the SELinux labeling data‐
346       base.  You will need to use restorecon to apply the labels.
347
348

COMMANDS

350       semanage  fcontext  can also be used to manipulate default file context
351       mappings.
352
353       semanage permissive can also be used to manipulate  whether  or  not  a
354       process type is permissive.
355
356       semanage  module can also be used to enable/disable/install/remove pol‐
357       icy modules.
358
359       semanage boolean can also be used to manipulate the booleans
360
361
362       system-config-selinux is a GUI tool available to customize SELinux pol‐
363       icy settings.
364
365

AUTHOR

367       This manual page was auto-generated using sepolicy manpage .
368
369