1user_openoffice_selinux(8S)ELinux Policy user_openofficueser_openoffice_selinux(8)
2
3
4

NAME

6       user_openoffice_selinux  -  Security  Enhanced  Linux  Policy  for  the
7       user_openoffice processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the user_openoffice processes via flex‐
11       ible mandatory access control.
12
13       The   user_openoffice  processes  execute  with  the  user_openoffice_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep user_openoffice_t
20
21
22

ENTRYPOINTS

24       The  user_openoffice_t  SELinux  type  can  be  entered  via  the xses‐
25       sion_exec_t, user_home_t, openoffice_exec_t file types.
26
27       The default entrypoint paths for the user_openoffice_t domain  are  the
28       following:
29
30       /etc/kde3?/kdm/Xreset,   /etc/kde3?/kdm/Xstartup,  /etc/kde3?/kdm/Xses‐
31       sion,       /etc/X11/[wx]dm/Xreset.*,        /etc/X11/[wxg]dm/Xsession,
32       /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*,
33       /home/[^/]*/.+,  /home/staff/.+,  /opt/openoffice.org.*/program/.+.bin,
34       /usr/lib/openoffice.org.*/program/.+.bin,              /usr/lib64/open‐
35       office.org.*/program/.+.bin
36

PROCESS TYPES

38       SELinux defines process types (domains) for each process running on the
39       system
40
41       You can see the context of a process using the -Z option to ps
42
43       Policy  governs  the  access confined processes have to files.  SELinux
44       user_openoffice policy is very flexible allowing users to  setup  their
45       user_openoffice processes in as secure a method as possible.
46
47       The following process types are defined for user_openoffice:
48
49       user_openoffice_t
50
51       Note:  semanage permissive -a user_openoffice_t can be used to make the
52       process type user_openoffice_t permissive. SELinux does not deny access
53       to permissive process types, but the AVC (SELinux denials) messages are
54       still generated.
55
56

BOOLEANS

58       SELinux  policy  is  customizable  based  on  least  access   required.
59       user_openoffice  policy  is extremely flexible and has several booleans
60       that allow you to manipulate the policy and  run  user_openoffice  with
61       the tightest access possible.
62
63
64
65       If  you  want to allow direct login to the console device. Required for
66       System 390, you must turn on the allow_console_login  boolean.  Enabled
67       by default.
68
69       setsebool -P allow_console_login 1
70
71
72
73       If you want to allow all domains to use other domains file descriptors,
74       you must turn on the allow_domain_fd_use boolean. Enabled by default.
75
76       setsebool -P allow_domain_fd_use 1
77
78
79
80       If you want to  allow  all  unconfined  executables  to  use  libraries
81       requiring  text  relocation  that are not labeled textrel_shlib_t), you
82       must turn on the allow_execmod boolean. Enabled by default.
83
84       setsebool -P allow_execmod 1
85
86
87
88       If you want to allow confined applications to run  with  kerberos,  you
89       must turn on the allow_kerberos boolean. Enabled by default.
90
91       setsebool -P allow_kerberos 1
92
93
94
95       If  you want to allow sysadm to debug or ptrace all processes, you must
96       turn on the allow_ptrace boolean. Disabled by default.
97
98       setsebool -P allow_ptrace 1
99
100
101
102       If you want to allow users to connect to PostgreSQL, you must  turn  on
103       the allow_user_postgresql_connect boolean. Disabled by default.
104
105       setsebool -P allow_user_postgresql_connect 1
106
107
108
109       If  you  want  to allows clients to write to the X server shared memory
110       segments, you must turn on the allow_write_xshm  boolean.  Disabled  by
111       default.
112
113       setsebool -P allow_write_xshm 1
114
115
116
117       If  you  want  to  allow  system  to run with NIS, you must turn on the
118       allow_ypbind boolean. Disabled by default.
119
120       setsebool -P allow_ypbind 1
121
122
123
124       If you want to allow all domains to have the kernel load  modules,  you
125       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
126       default.
127
128       setsebool -P domain_kernel_load_modules 1
129
130
131
132       If you want to allow all domains to execute in fips_mode, you must turn
133       on the fips_mode boolean. Enabled by default.
134
135       setsebool -P fips_mode 1
136
137
138
139       If you want to enable reading of urandom for all domains, you must turn
140       on the global_ssp boolean. Disabled by default.
141
142       setsebool -P global_ssp 1
143
144
145
146       If you want to allow confined applications to use nscd  shared  memory,
147       you must turn on the nscd_use_shm boolean. Enabled by default.
148
149       setsebool -P nscd_use_shm 1
150
151
152
153       If  you  want  to enabling secure mode disallows programs, such as new‐
154       role, from transitioning to administrative user domains, you must  turn
155       on the secure_mode boolean. Disabled by default.
156
157       setsebool -P secure_mode 1
158
159
160
161       If  you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
162       the ssh_sysadm_login boolean. Disabled by default.
163
164       setsebool -P ssh_sysadm_login 1
165
166
167
168       If you want to support NFS home  directories,  you  must  turn  on  the
169       use_nfs_home_dirs boolean. Disabled by default.
170
171       setsebool -P use_nfs_home_dirs 1
172
173
174
175       If  you  want  to  support SAMBA home directories, you must turn on the
176       use_samba_home_dirs boolean. Disabled by default.
177
178       setsebool -P use_samba_home_dirs 1
179
180
181
182       If you want to allow regular users direct dri device access,  you  must
183       turn on the user_direct_dri boolean. Enabled by default.
184
185       setsebool -P user_direct_dri 1
186
187
188
189       If  you  want to allow regular users direct mouse access, you must turn
190       on the user_direct_mouse boolean. Disabled by default.
191
192       setsebool -P user_direct_mouse 1
193
194
195
196       If you want to allow user to r/w files on filesystems that do not  have
197       extended  attributes  (FAT,  CDROM,  FLOPPY),  you  must  turn  on  the
198       user_rw_noexattrfile boolean. Enabled by default.
199
200       setsebool -P user_rw_noexattrfile 1
201
202
203
204       If you want to allow user processes to change their priority, you  must
205       turn on the user_setrlimit boolean. Enabled by default.
206
207       setsebool -P user_setrlimit 1
208
209
210
211       If you want to allow users to run TCP servers (bind to ports and accept
212       connection from the same domain  and  outside  users)   disabling  this
213       forces  FTP  passive mode and may change other protocols, you must turn
214       on the user_tcp_server boolean. Disabled by default.
215
216       setsebool -P user_tcp_server 1
217
218
219
220       If you want to allow xdm  logins  as  sysadm,  you  must  turn  on  the
221       xdm_sysadm_login boolean. Disabled by default.
222
223       setsebool -P xdm_sysadm_login 1
224
225
226
227       If you want to support X userspace object manager, you must turn on the
228       xserver_object_manager boolean. Disabled by default.
229
230       setsebool -P xserver_object_manager 1
231
232
233

MANAGED FILES

235       The SELinux process type user_openoffice_t  can  manage  files  labeled
236       with  the following file types.  The paths listed are the default paths
237       for these file types.  Note the processes UID still need  to  have  DAC
238       permissions.
239
240       anon_inodefs_t
241
242
243       cgroup_t
244
245            /cgroup(/.*)?
246
247       chrome_sandbox_tmpfs_t
248
249
250       cifs_t
251
252
253       games_data_t
254
255            /var/games(/.*)?
256            /var/lib/games(/.*)?
257
258       gpg_agent_tmp_t
259
260
261       iceauth_home_t
262
263            /home/[^/]*/.DCOP.*
264            /home/[^/]*/.ICEauthority.*
265            /home/staff/.DCOP.*
266            /home/staff/.ICEauthority.*
267
268       initrc_tmp_t
269
270
271       mail_spool_t
272
273            /var/mail(/.*)?
274            /var/spool/mail(/.*)?
275            /var/spool/imap(/.*)?
276
277       mnt_t
278
279            /mnt(/[^/]*)
280            /mnt(/[^/]*)?
281            /rhev(/[^/]*)?
282            /media(/[^/]*)
283            /media(/[^/]*)?
284            /etc/rhgb(/.*)?
285            /media/.hal-.*
286            /net
287            /afs
288            /rhev
289            /misc
290
291       mqueue_spool_t
292
293            /var/spool/(client)?mqueue(/.*)?
294
295       nfsd_rw_t
296
297
298       noxattrfs
299
300            all files on file systems which do not support extended attributes
301
302       sandbox_file_t
303
304
305       sandbox_tmpfs_type
306
307            all sandbox content in tmpfs file systems
308
309       security_t
310
311
312       tmp_t
313
314            /tmp
315            /usr/tmp
316            /var/tmp
317            /tmp-inst
318            /var/tmp-inst
319            /var/tmp/vi.recover
320
321       usbfs_t
322
323
324       user_fonts_cache_t
325
326            /home/[^/]*/.fonts/auto(/.*)?
327            /home/[^/]*/.fontconfig(/.*)?
328            /home/[^/]*/.fonts.cache-.*
329            /home/staff/.fonts/auto(/.*)?
330            /home/staff/.fontconfig(/.*)?
331            /home/staff/.fonts.cache-.*
332
333       user_fonts_t
334
335            /home/[^/]*/.fonts(/.*)?
336            /home/staff/.fonts(/.*)?
337
338       user_home_type
339
340            all user home files
341
342       user_tmp_t
343
344            /tmp/gconfd-.*
345            /tmp/gconfd-staff
346
347       user_tmpfs_t
348
349            /dev/shm/mono.*
350            /dev/shm/pulse-shm.*
351
352       xauth_home_t
353
354            /root/.Xauth.*
355            /root/.xauth.*
356            /root/.serverauth.*
357            /var/lib/pqsql/.xauth.*
358            /var/lib/pqsql/.Xauthority.*
359            /var/lib/nxserver/home/.xauth.*
360            /var/lib/nxserver/home/.Xauthority.*
361            /home/[^/]*/.xauth.*
362            /home/[^/]*/.Xauthority.*
363            /home/[^/]*/.serverauth.*
364            /home/staff/.xauth.*
365            /home/staff/.Xauthority.*
366            /home/staff/.serverauth.*
367
368       xdm_tmp_t
369
370            /tmp/.X11-unix(/.*)?
371            /tmp/.ICE-unix(/.*)?
372            /tmp/.X0-lock
373
374       xserver_tmpfs_t
375
376
377

COMMANDS

379       semanage  fcontext  can also be used to manipulate default file context
380       mappings.
381
382       semanage permissive can also be used to manipulate  whether  or  not  a
383       process type is permissive.
384
385       semanage  module can also be used to enable/disable/install/remove pol‐
386       icy modules.
387
388       semanage boolean can also be used to manipulate the booleans
389
390
391       system-config-selinux is a GUI tool available to customize SELinux pol‐
392       icy settings.
393
394

AUTHOR

396       This manual page was auto-generated using sepolicy manpage .
397
398

SEE ALSO

400       selinux(8),  user_openoffice(8), semanage(8), restorecon(8), chcon(1) ,
401       setsebool(8)
402
403
404
405user_openoffice                    15-06-03         user_openoffice_selinux(8)
Impressum