xguest_execmem_selinux(8)      SELinux Policy xguest_execmem      xguest_execmem_selinux(8)

NAME

       xguest_execmem_selinux - Security Enhanced Linux Policy for the
       xguest_execmem processes


DESCRIPTION

       Security-Enhanced Linux secures the xguest_execmem processes via
       flexible mandatory access control.

       The xguest_execmem processes execute with the xguest_execmem_t SELinux
       type. You can check if you have these processes running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep xguest_execmem_t


ENTRYPOINTS

       The xguest_execmem_t SELinux type can be entered via the user_home_t,
       execmem_exec_t, xsession_exec_t file types.

       The default entrypoint paths for the xguest_execmem_t domain are the
       following:

            /home/[^/]*/.+
            /home/staff/.+
            /usr/lib(64)?/ghc-[^/]+/ghc.*
            /usr/lib(64)/virtualbox/VirtualBox
            /usr/lib(64)?/gimp/2.0/plug-ins/help-browser
            /usr/lib(64)?/chromium-browser/chromium-browser
            /opt/real/(.*/)?realplay.bin
            /opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater
            /opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application
            /usr/sbin/VBox.*
            /usr/bin/haddock.*
            /usr/libexec/ghc-[^/]+/.*bin
            /usr/libexec/ghc-[^/]+/ghc.*
            /usr/lib/wingide-[^/]+/bin/PyCore/python
            /usr/lib/erlang/erts-[^/]+/bin/beam.smp
            /usr/lib/thunderbird-[^/]+/thunderbird-bin
            /usr/lib64/erlang/erts-[^/]+/bin/beam.smp
            /usr/bin/sbcl
            /usr/bin/darcs
            /usr/bin/skype
            /usr/bin/dosbox
            /usr/bin/runghc
            /usr/bin/hasktags
            /usr/bin/valgrind
            /usr/bin/aticonfig
            /usr/bin/runhaskell
            /usr/lib/R/bin/exec/R
            /usr/lib64/R/bin/exec/R
            /usr/sbin/vboxadd-service
            /opt/google/chrome/chrome
            /usr/lib/ia32el/ia32x_loader
            /opt/likewise/bin/domainjoin-cli
            /opt/google/chrome/google-chrome
            /opt/real/RealPlayer/realplay.bin
            /usr/local/RealPlayer/realplay.bin
            /opt/Komodo-Edit-5/lib/mozilla/komodo-bin
            /etc/kde3?/kdm/Xreset
            /etc/kde3?/kdm/Xstartup
            /etc/kde3?/kdm/Xsession
            /etc/X11/[wx]dm/Xreset.*
            /etc/X11/[wxg]dm/Xsession
            /etc/X11/Xsession[^/]*
            /etc/X11/wdm/Xsetup.*
            /etc/X11/wdm/Xstartup.*


PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       xguest_execmem policy is very flexible, allowing users to set up their
       xguest_execmem processes in as secure a method as possible.

       The following process types are defined for xguest_execmem:

       xguest_execmem_t

       Note: semanage permissive -a xguest_execmem_t can be used to make the
       process type xguest_execmem_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denials) messages
       are still generated.

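       As an added example (not part of the generated man page), the
       following POSIX shell script parses audit.log-style AVC records and
       reports the denials raised by processes running in a given domain,
       here xguest_execmem_t. The audit records are constructed samples and
       the function name avc_denials_for_domain is an assumption of this
       example; the last column shows whether the denial was enforced or
       only logged because the domain is permissive.

```shell
#!/bin/sh
# Added example, not part of the generated man page: triage AVC denials
# for one SELinux domain from audit.log-style records on stdin.
# The records below are constructed samples, not output of a real system.
SAMPLE_AVC='type=AVC msg=audit(1433347200.101:201): avc:  denied  { write } for  pid=4321 comm="chrome" name="hosts" dev="dm-0" ino=1234 scontext=xguest_u:xguest_r:xguest_execmem_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1433347200.102:202): avc:  denied  { execmem } for  pid=4322 comm="java" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1433347200.103:203): avc:  denied  { ptrace } for  pid=4323 comm="gdb" scontext=xguest_u:xguest_r:xguest_execmem_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=process permissive=1'

# avc_denials_for_domain DOMAIN: print one line per denial whose source
# type is DOMAIN, as
#   <permission> <tclass> <target type> <comm> <enforced|permissive>
# A permissive domain (see the Note under PROCESS TYPES) keeps logging
# denials that were not actually blocked, so the last column matters.
avc_denials_for_domain() {
  awk -v dom="$1" '
    /avc: +denied/ {
      perm = ""; tclass = ""; ttype = ""; comm = ""; stype = ""
      mode = "enforced"
      # the permission set is printed as "{ perm1 perm2 }"
      if (match($0, /[{] [^}]* [}]/))
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        # contexts are user:role:type[:range]; only the type is compared
        if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        if (kv[1] == "tclass") tclass = kv[2]
        if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
      }
      if (stype == dom)
        printf "%s %s %s %s %s\n", perm, tclass, ttype, comm, mode
    }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | avc_denials_for_domain xguest_execmem_t
```

       On a live system the same function can be fed from the audit log,
       e.g. avc_denials_for_domain xguest_execmem_t < /var/log/audit/audit.log.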

BOOLEANS

       SELinux policy is customizable based on least access required.
       xguest_execmem policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run xguest_execmem with
       the tightest access possible.

       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must
       turn on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow regular users direct dri device access, you must
       turn on the user_direct_dri boolean. Enabled by default.

       setsebool -P user_direct_dri 1

       If you want to allow users to read/write files on filesystems that do
       not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the user_rw_noexattrfile boolean. Enabled by default.

       setsebool -P user_rw_noexattrfile 1

       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1

       If you want to allow xguest to configure Network Manager and connect
       to apache ports, you must turn on the xguest_connect_network boolean.
       Enabled by default.

       setsebool -P xguest_connect_network 1

       If you want to support the X userspace object manager, you must turn
       on the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1


MANAGED FILES

       The SELinux process type xguest_execmem_t can manage files labeled
       with the following file types. The paths listed are the default paths
       for these file types. Note that the process's UID still needs to have
       DAC permissions.

       anon_inodefs_t

       chrome_sandbox_tmpfs_t

       cifs_t

       iceauth_home_t

            /home/[^/]*/.DCOP.*
            /home/[^/]*/.ICEauthority.*
            /home/staff/.DCOP.*
            /home/staff/.ICEauthority.*

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       noxattrfs

            all files on file systems which do not support extended attributes

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       usbfs_t

       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       user_fonts_t

            /home/[^/]*/.fonts(/.*)?
            /home/staff/.fonts(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       user_tmpfs_t

            /dev/shm/mono.*
            /dev/shm/pulse-shm.*

       xauth_home_t

            /root/.Xauth.*
            /root/.xauth.*
            /root/.serverauth.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]*/.xauth.*
            /home/[^/]*/.Xauthority.*
            /home/[^/]*/.serverauth.*
            /home/staff/.xauth.*
            /home/staff/.Xauthority.*
            /home/staff/.serverauth.*

       xdm_tmp_t

            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X0-lock

       xserver_tmpfs_t


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), xguest_execmem(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)



xguest_execmem                     15-06-03          xguest_execmem_selinux(8)