pegasus_openlmi_logicalfile_selinux(8)  SELinux Policy pegasus_openlmi_logicalfile  pegasus_openlmi_logicalfile_selinux(8)

NAME

       pegasus_openlmi_logicalfile_selinux - Security Enhanced Linux Policy
       for the pegasus_openlmi_logicalfile processes

DESCRIPTION

       Security-Enhanced Linux secures the pegasus_openlmi_logicalfile
       processes via flexible mandatory access control.

       The pegasus_openlmi_logicalfile processes execute with the
       pegasus_openlmi_logicalfile_t SELinux type. You can check if you have
       these processes running by executing the ps command with the -Z
       qualifier.

       For example:

       ps -eZ | grep pegasus_openlmi_logicalfile_t

ENTRYPOINTS

       The pegasus_openlmi_logicalfile_t SELinux type can be entered via the
       user_home_t, pegasus_openlmi_logicalfile_exec_t file types.

       The default entrypoint paths for the pegasus_openlmi_logicalfile_t
       domain are the following:

       /home/[^/]+/.+, /usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt

PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       pegasus_openlmi_logicalfile policy is very flexible, allowing users to
       set up their pegasus_openlmi_logicalfile processes in as secure a
       method as possible.

       The following process types are defined for
       pegasus_openlmi_logicalfile:

       pegasus_openlmi_logicalfile_t

       Note: semanage permissive -a pegasus_openlmi_logicalfile_t can be used
       to make the process type pegasus_openlmi_logicalfile_t permissive.
       SELinux does not deny access to permissive process types, but the AVC
       (SELinux denials) messages are still generated.
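
       Because a permissive domain still logs AVC messages, those records
       show what enforcing mode would block. The following is an added
       example, not part of the generated manual page: it summarizes AVC
       records for pegasus_openlmi_logicalfile_t. The function names and the
       sample records are constructed, and it assumes the audit records
       carry the permissive= field.

```shell
# Added example: summarize AVC records whose source domain is
# pegasus_openlmi_logicalfile_t, read from stdin in audit.log format.
# permissive=1 means the access was allowed and only logged;
# permissive=0 means it was blocked.
avc_summary() {
    awk -v dom="pegasus_openlmi_logicalfile_t" '
        $1 == "type=AVC" && /avc: +denied/ {
            b = index($0, "{"); e = index($0, "}")
            perms = substr($0, b + 2, e - b - 3)   # text between "{ " and " }"
            s = ""; t = ""; c = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)   { split($i, a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/)   { split($i, a, ":"); t = a[3] }
                if ($i ~ /^tclass=/)     c = substr($i, 8)
                if ($i ~ /^permissive=/) p = substr($i, 12)
            }
            if (s != dom) next                      # other domains are ignored
            v = (p == "1") ? "logged-only" : ((p == "0") ? "blocked" : "unknown")
            n[v " " t ":" c " { " perms " }"]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }' | sort
}

# Constructed sample records (not taken from a real system).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1556180000.101:311): avc:  denied  { name_connect } for  pid=2101 comm="cimprovagt" dest=80 scontext=system_u:system_r:pegasus_openlmi_logicalfile_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1556180004.220:312): avc:  denied  { name_connect } for  pid=2101 comm="cimprovagt" dest=80 scontext=system_u:system_r:pegasus_openlmi_logicalfile_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1556170000.007:298): avc:  denied  { module_request } for  pid=2101 comm="cimprovagt" kmod="net-pf-10" scontext=system_u:system_r:pegasus_openlmi_logicalfile_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1556180009.500:313): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# On a real host: ausearch -m AVC --raw | avc_summary
sample_audit_log | avc_summary
```

       Each "logged-only" line is an access that would be denied once the
       domain is no longer permissive.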

BOOLEANS

       SELinux policy is customizable based on least access required.
       pegasus_openlmi_logicalfile policy is extremely flexible and has
       several booleans that allow you to manipulate the policy and run
       pegasus_openlmi_logicalfile with the tightest access possible.

       If you want to allow all daemons to write corefiles to /, you must
       turn on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (such a mapping is
       dangerous, and the executable should be reported in bugzilla), you
       must turn on the deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you
       must turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must
       turn on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1

       The secure_mode_policyload boolean determines whether the system
       permits loading policy, setting enforcing mode, and changing boolean
       values. If you set it to true, you have to reboot to set it back. To
       use it, you must turn on the secure_mode_policyload boolean. Enabled
       by default.

       setsebool -P secure_mode_policyload 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea. It probably indicates a badly coded
       executable, but could indicate an attack. The executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execheap 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Enabled by default.

       setsebool -P selinuxuser_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary. It probably indicates a badly coded
       executable, but could indicate an attack. The executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to support X userspace object manager, you must turn on
       the xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1
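
       To see which of these booleans have been changed on a host, compare
       getsebool output with the defaults listed above. The following is an
       added example, not part of the generated manual page. The function
       names and the sample input are constructed, and the defaults are the
       ones this page states, which another policy release may not share.

```shell
# Added example: report booleans whose live value differs from the default
# this page lists (Enabled = on, Disabled = off).
page_defaults() {
    cat <<'EOF'
daemons_dump_core off
daemons_enable_cluster_mode on
daemons_use_tcp_wrapper off
daemons_use_tty off
deny_execmem on
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off
mmap_low_allowed off
secure_mode_insmod on
secure_mode_policyload on
selinuxuser_execheap off
selinuxuser_execmod on
selinuxuser_execstack on
use_nfs_home_dirs off
use_samba_home_dirs off
xserver_object_manager on
EOF
}

# stdin: `getsebool -a` output, one "name --> on|off" per line.
audit_booleans() {
    { page_defaults; echo '---'; cat; } | awk '
        $0 == "---" { live = 1; next }            # defaults end, live data starts
        !live       { want[$1] = $2; next }       # remember the page default
        $2 == "-->" && ($1 in want) && $3 != want[$1] {
            printf "%s page=%s current=%s\n", $1, want[$1], $3
        }' | sort
}

# Constructed sample; on a real host run: getsebool -a | audit_booleans
sample_getsebool() {
    printf '%s\n' 'daemons_dump_core --> on' 'deny_ptrace --> off' \
        'deny_execmem --> on' 'httpd_can_network_connect --> off'
}

sample_getsebool | audit_booleans
```

       Booleans that are not listed on this page are ignored, and no output
       means every listed boolean matches its stated default.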

MANAGED FILES

       The SELinux process type pegasus_openlmi_logicalfile_t can manage
       files labeled with the following file types. The paths listed are the
       default paths for these file types. Note that the process's UID still
       needs to have DAC permissions.

       file_type

            all files on the system

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pegasus_openlmi_logicalfile policy is very flexible, allowing
       users to set up their pegasus_openlmi_logicalfile processes in as
       secure a method as possible.

       The following file types are defined for pegasus_openlmi_logicalfile:

       pegasus_openlmi_logicalfile_exec_t

       - Set files with the pegasus_openlmi_logicalfile_exec_t type, if you
       want to transition an executable to the pegasus_openlmi_logicalfile_t
       domain.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context, you need to use
       the semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), pegasus_openlmi_logicalfile(8), semanage(8), restorecon(8),
       chcon(1), sepolicy(8), setsebool(8)

pegasus_openlmi_logicalfile        19-04-25        pegasus_openlmi_logicalfile_selinux(8)