staff_wine_selinux(8)      SELinux Policy staff_wine     staff_wine_selinux(8)


NAME

       staff_wine_selinux - Security Enhanced Linux Policy for the staff_wine
       processes


DESCRIPTION

       Security-Enhanced Linux secures the staff_wine processes via flexible
       mandatory access control.

       The staff_wine processes execute with the staff_wine_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep staff_wine_t


ENTRYPOINTS

       The staff_wine_t SELinux type can be entered via the user_home_t,
       wine_exec_t, xsession_exec_t file types.

       The default entrypoint paths for the staff_wine_t domain are the
       following:

            /home/[^/]*/.+
            /home/staff/.+
            /usr/bin/wine.*
            /opt/google/picasa(/.*)?/bin/wdi
            /opt/google/picasa(/.*)?/bin/wine.*
            /opt/google/picasa(/.*)?/bin/msiexec
            /opt/google/picasa(/.*)?/bin/notepad
            /opt/google/picasa(/.*)?/bin/progman
            /opt/google/picasa(/.*)?/bin/regedit
            /opt/google/picasa(/.*)?/bin/regsvr32
            /opt/google/picasa(/.*)?/Picasa3/.*exe
            /opt/google/picasa(/.*)?/bin/uninstaller
            /opt/cxoffice/bin/wine.*
            /opt/picasa/wine/bin/wine.*
            /usr/bin/msiexec
            /usr/bin/notepad
            /usr/bin/regedit
            /usr/bin/regsvr32
            /usr/bin/uninstaller
            /home/[^/]*/cxoffice/bin/wine.+
            /home/staff/cxoffice/bin/wine.+
            /etc/kde3?/kdm/Xreset
            /etc/kde3?/kdm/Xstartup
            /etc/kde3?/kdm/Xsession
            /etc/X11/[wx]dm/Xreset.*
            /etc/X11/[wxg]dm/Xsession
            /etc/X11/Xsession[^/]*
            /etc/X11/wdm/Xsetup.*
            /etc/X11/wdm/Xstartup.*


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       staff_wine policy is very flexible, allowing users to set up their
       staff_wine processes in as secure a method as possible.

       The following process types are defined for staff_wine:

       staff_wine_t

       Note: semanage permissive -a staff_wine_t can be used to make the
       process type staff_wine_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.


BOOLEANS

       SELinux policy is customizable based on least access required.
       staff_wine policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run staff_wine with the tightest
       access possible.

       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1

       If you want to allow confined applications to run with Kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the allow_user_postgresql_connect boolean. Disabled by default.

       setsebool -P allow_user_postgresql_connect 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow certain domains to map low memory in the kernel,
       you must turn on the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow regular users direct dri device access, you must
       turn on the user_direct_dri boolean. Enabled by default.

       setsebool -P user_direct_dri 1

       If you want to allow regular users direct mouse access, you must turn
       on the user_direct_mouse boolean. Disabled by default.

       setsebool -P user_direct_mouse 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the user_rw_noexattrfile boolean. Enabled by default.

       setsebool -P user_rw_noexattrfile 1

       If you want to allow user processes to change their priority, you must
       turn on the user_setrlimit boolean. Enabled by default.

       setsebool -P user_setrlimit 1

       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and from outside users), you must
       turn on the user_tcp_server boolean. Disabling it forces FTP passive
       mode and may change other protocols. Disabled by default.

       setsebool -P user_tcp_server 1

       If you want to ignore wine mmap_zero errors, you must turn on the
       wine_mmap_zero_ignore boolean. Disabled by default.

       setsebool -P wine_mmap_zero_ignore 1

       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1

       If you want to support the X userspace object manager, you must turn
       on the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1

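       Each boolean above carries a documented default. As an added example
       that is not part of sepolicy or the staff_wine policy, the following
       POSIX sh script transcribes those defaults and reports every boolean
       whose live state, read in the "name --> on|off" format that getsebool
       -a prints, differs from them; the sample input at the end is
       constructed, and on a real host you would pipe getsebool -a into
       drift_from_defaults instead.

```shell
#!/bin/sh
# Documented default for each boolean in the BOOLEANS section (on = enabled).
STAFF_WINE_DEFAULTS='
allow_console_login on
allow_domain_fd_use on
allow_execmod on
allow_kerberos on
allow_ptrace off
allow_user_postgresql_connect off
allow_write_xshm off
allow_ypbind off
domain_kernel_load_modules off
fips_mode on
global_ssp off
mmap_low_allowed off
nscd_use_shm on
secure_mode off
ssh_sysadm_login off
use_nfs_home_dirs off
use_samba_home_dirs off
user_direct_dri on
user_direct_mouse off
user_rw_noexattrfile on
user_setrlimit on
user_tcp_server off
wine_mmap_zero_ignore off
xdm_sysadm_login off
xserver_object_manager off
'
# Print the documented default of boolean $1, or nothing if it is not listed.
default_of() {
    printf '%s\n' "$STAFF_WINE_DEFAULTS" | while read -r n d; do
        if [ "$n" = "$1" ]; then printf '%s\n' "$d"; break; fi
    done
}
# Read `getsebool -a` style lines ("name --> on|off") on stdin and print
# "name current default" for each listed boolean whose state differs from
# its documented default.  Unlisted booleans are ignored.
drift_from_defaults() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        default=$(default_of "$name")
        [ -n "$default" ] || continue
        [ "$state" = "$default" ] && continue
        printf '%s %s %s\n' "$name" "$state" "$default"
    done
}
# Constructed sample standing in for `getsebool -a` on a live host.
printf 'allow_ptrace --> on\nallow_execmod --> on\nuser_tcp_server --> on\n' |
    drift_from_defaults
```

       A non-empty report means the host is running staff_wine with broader
       access than the documented defaults, which is what a reviewer should
       check before trusting the confinement described in this page.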

MANAGED FILES

       The SELinux process type staff_wine_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       cgroup_t

            /cgroup(/.*)?

       chrome_sandbox_tmpfs_t

       cifs_t

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gpg_agent_tmp_t

       iceauth_home_t

            /home/[^/]*/.DCOP.*
            /home/[^/]*/.ICEauthority.*
            /home/staff/.DCOP.*
            /home/staff/.ICEauthority.*

       initrc_tmp_t

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/imap(/.*)?

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?

       nfsd_rw_t

       noxattrfs

            all files on file systems which do not support extended attributes

       sandbox_file_t

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       security_t

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       usbfs_t

       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       user_fonts_t

            /home/[^/]*/.fonts(/.*)?
            /home/staff/.fonts(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       user_tmpfs_t

            /dev/shm/mono.*
            /dev/shm/pulse-shm.*

       xauth_home_t

            /root/.Xauth.*
            /root/.xauth.*
            /root/.serverauth.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]*/.xauth.*
            /home/[^/]*/.Xauthority.*
            /home/[^/]*/.serverauth.*
            /home/staff/.xauth.*
            /home/staff/.Xauthority.*
            /home/staff/.serverauth.*

       xdm_tmp_t

            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X0-lock

       xserver_tmpfs_t


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

staff_wine                         15-06-03              staff_wine_selinux(8)