devicekit_power_selinux(8)

1devicekit_power_selinux(8S)ELinux Policy devicekit_powedrevicekit_power_selinux(8)
2
3
4

NAME

6       devicekit_power_selinux  -  Security  Enhanced  Linux  Policy  for  the
7       devicekit_power processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the devicekit_power processes via flex‐
11       ible mandatory access control.
12
13       The   devicekit_power  processes  execute  with  the  devicekit_power_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep devicekit_power_t
20
21
22

ENTRYPOINTS

24       The  devicekit_power_t  SELinux  type can be entered via the file_type,
25       unlabeled_t,   proc_type,   filesystem_type,    devicekit_power_exec_t,
26       mtrr_device_t, sysctl_type file types.
27
28       The  default  entrypoint paths for the devicekit_power_t domain are the
29       following:
30
31       all files on  the  system,  /usr/libexec/upowerd,  /usr/libexec/devkit-
32       power-daemon, /dev/cpu/mtrr
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       devicekit_power  policy  is very flexible allowing users to setup their
42       devicekit_power processes in as secure a method as possible.
43
44       The following process types are defined for devicekit_power:
45
46       devicekit_power_t
47
48       Note: semanage permissive -a devicekit_power_t can be used to make  the
49       process type devicekit_power_t permissive. SELinux does not deny access
50       to permissive process types, but the AVC (SELinux denials) messages are
51       still generated.
52
53

BOOLEANS

55       SELinux   policy  is  customizable  based  on  least  access  required.
56       devicekit_power policy is extremely flexible and has  several  booleans
57       that  allow  you  to manipulate the policy and run devicekit_power with
58       the tightest access possible.
59
60
61
62       If you want to allow all daemons the ability to  read/write  terminals,
63       you  must  turn  on  the  allow_daemons_use_tty  boolean.  Disabled  by
64       default.
65
66       setsebool -P allow_daemons_use_tty 1
67
68
69
70       If you want to allow all domains to use other domains file descriptors,
71       you must turn on the allow_domain_fd_use boolean. Enabled by default.
72
73       setsebool -P allow_domain_fd_use 1
74
75
76
77       If  you  want to allow unconfined executables to make their heap memory
78       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
79       badly  coded  executable, but could indicate an attack. This executable
80       should be reported in bugzilla, you must  turn  on  the  allow_execheap
81       boolean. Disabled by default.
82
83       setsebool -P allow_execheap 1
84
85
86
87       If  you  want to allow unconfined executables to map a memory region as
88       both executable and writable, this  is  dangerous  and  the  executable
89       should  be  reported  in  bugzilla), you must turn on the allow_execmem
90       boolean. Enabled by default.
91
92       setsebool -P allow_execmem 1
93
94
95
96       If you want to  allow  all  unconfined  executables  to  use  libraries
97       requiring  text  relocation  that are not labeled textrel_shlib_t), you
98       must turn on the allow_execmod boolean. Enabled by default.
99
100       setsebool -P allow_execmod 1
101
102
103
104       If you want to allow unconfined executables to make  their  stack  exe‐
105       cutable.   This  should  never, ever be necessary. Probably indicates a
106       badly coded executable, but could indicate an attack.  This  executable
107       should  be  reported in bugzilla), you must turn on the allow_execstack
108       boolean. Enabled by default.
109
110       setsebool -P allow_execstack 1
111
112
113
114       If you want to allow confined applications to run  with  kerberos,  you
115       must turn on the allow_kerberos boolean. Enabled by default.
116
117       setsebool -P allow_kerberos 1
118
119
120
121       If  you want to allow sysadm to debug or ptrace all processes, you must
122       turn on the allow_ptrace boolean. Disabled by default.
123
124       setsebool -P allow_ptrace 1
125
126
127
128       If you want to allow system to run with  NIS,  you  must  turn  on  the
129       allow_ypbind boolean. Disabled by default.
130
131       setsebool -P allow_ypbind 1
132
133
134
135       If  you  want to allow all domains to have the kernel load modules, you
136       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
137       default.
138
139       setsebool -P domain_kernel_load_modules 1
140
141
142
143       If you want to allow all domains to execute in fips_mode, you must turn
144       on the fips_mode boolean. Enabled by default.
145
146       setsebool -P fips_mode 1
147
148
149
150       If you want to enable reading of urandom for all domains, you must turn
151       on the global_ssp boolean. Disabled by default.
152
153       setsebool -P global_ssp 1
154
155
156
157       If  you  want to allow certain domains to map low memory in the kernel,
158       you must turn on the mmap_low_allowed boolean. Disabled by default.
159
160       setsebool -P mmap_low_allowed 1
161
162
163
164       If you want to allow confined applications to use nscd  shared  memory,
165       you must turn on the nscd_use_shm boolean. Enabled by default.
166
167       setsebool -P nscd_use_shm 1
168
169
170
171       If  you want to boolean to determine whether the system permits loading
172       policy, setting enforcing mode, and changing boolean values.  Set  this
173       to  true  and  you  have to reboot to set it back, you must turn on the
174       secure_mode_policyload boolean. Disabled by default.
175
176       setsebool -P secure_mode_policyload 1
177
178
179
180       If you want to support X userspace object manager, you must turn on the
181       xserver_object_manager boolean. Disabled by default.
182
183       setsebool -P xserver_object_manager 1
184
185
186

MANAGED FILES

188       The  SELinux  process  type  devicekit_power_t can manage files labeled
189       with the following file types.  The paths listed are the default  paths
190       for  these  file  types.  Note the processes UID still need to have DAC
191       permissions.
192
193       file_type
194
195            all files on the system
196
197

FILE CONTEXTS

199       SELinux requires files to have an extended attribute to define the file
200       type.
201
202       You can see the context of a file using the -Z option to ls
203
204       Policy  governs  the  access  confined  processes  have to these files.
205       SELinux devicekit_power policy is very flexible allowing users to setup
206       their devicekit_power processes in as secure a method as possible.
207
208       The following file types are defined for devicekit_power:
209
210
211
212       devicekit_power_exec_t
213
214       -  Set files with the devicekit_power_exec_t type, if you want to tran‐
215       sition an executable to the devicekit_power_t domain.
216
217
218       Paths:
219            /usr/libexec/upowerd, /usr/libexec/devkit-power-daemon
220
221
222       Note: File context can be temporarily modified with the chcon  command.
223       If  you want to permanently change the file context you need to use the
224       semanage fcontext command.  This will modify the SELinux labeling data‐
225       base.  You will need to use restorecon to apply the labels.
226
227

COMMANDS

229       semanage  fcontext  can also be used to manipulate default file context
230       mappings.
231
232       semanage permissive can also be used to manipulate  whether  or  not  a
233       process type is permissive.
234
235       semanage  module can also be used to enable/disable/install/remove pol‐
236       icy modules.
237
238       semanage boolean can also be used to manipulate the booleans
239
240
241       system-config-selinux is a GUI tool available to customize SELinux pol‐
242       icy settings.
243
244

AUTHOR

246       This manual page was auto-generated using sepolicy manpage .
247
248