1pulseaudio_selinux(8) SELinux Policy pulseaudio pulseaudio_selinux(8)
2
6 pulseaudio_selinux - Security Enhanced Linux Policy for the pulseaudio
7 processes
8
10 Security-Enhanced Linux secures the pulseaudio processes via flexible
11 mandatory access control.
12 The pulseaudio processes execute with the pulseaudio_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16 For example:
18 ps -eZ | grep pulseaudio_t
20
24 The pulseaudio_t SELinux type can be entered via the pulseaudio_exec_t
25 file type.
26 The default entrypoint paths for the pulseaudio_t domain are the fol‐
28 lowing:
29 /usr/bin/pulseaudio
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 pulseaudio policy is very flexible allowing users to setup their
40 pulseaudio processes in as secure a method as possible.
41 The following process types are defined for pulseaudio:
43 pulseaudio_t
45 Note: semanage permissive -a pulseaudio_t can be used to make the
47 process type pulseaudio_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
53 SELinux policy is customizable based on least access required.
54 pulseaudio policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run pulseaudio with the tightest
56 access possible.
57 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63 setsebool -P authlogin_nsswitch_use_ldap 1
65 If you want to allow all daemons the ability to read/write terminals,
69 you must turn on the daemons_use_tty boolean. Disabled by default.
70 setsebool -P daemons_use_tty 1
72 If you want to deny any process from ptracing or debugging any other
76 processes, you must turn on the deny_ptrace boolean. Enabled by
77 default.
78 setsebool -P deny_ptrace 1
80 If you want to allow any process to mmap any file on system with
84 attribute file_type, you must turn on the domain_can_mmap_files bool‐
85 ean. Enabled by default.
86 setsebool -P domain_can_mmap_files 1
88 If you want to allow all domains write to kmsg_device, while kernel is
92 executed with systemd.log_target=kmsg parameter, you must turn on the
93 domain_can_write_kmsg boolean. Disabled by default.
94 setsebool -P domain_can_write_kmsg 1
96 If you want to allow all domains to use other domains file descriptors,
100 you must turn on the domain_fd_use boolean. Enabled by default.
101 setsebool -P domain_fd_use 1
103 If you want to allow all domains to have the kernel load modules, you
107 must turn on the domain_kernel_load_modules boolean. Disabled by
108 default.
109 setsebool -P domain_kernel_load_modules 1
111 If you want to allow all domains to execute in fips_mode, you must turn
115 on the fips_mode boolean. Enabled by default.
116 setsebool -P fips_mode 1
118 If you want to enable reading of urandom for all domains, you must turn
122 on the global_ssp boolean. Disabled by default.
123 setsebool -P global_ssp 1
125 If you want to allow confined applications to run with kerberos, you
129 must turn on the kerberos_enabled boolean. Enabled by default.
130 setsebool -P kerberos_enabled 1
132 If you want to allow system to run with NIS, you must turn on the
136 nis_enabled boolean. Disabled by default.
137 setsebool -P nis_enabled 1
139 If you want to allow confined applications to use nscd shared memory,
143 you must turn on the nscd_use_shm boolean. Disabled by default.
144 setsebool -P nscd_use_shm 1
146 If you want to allow regular users direct dri device access, you must
150 turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
151 setsebool -P selinuxuser_direct_dri_enabled 1
153 If you want to support NFS home directories, you must turn on the
157 use_nfs_home_dirs boolean. Disabled by default.
158 setsebool -P use_nfs_home_dirs 1
160 If you want to support SAMBA home directories, you must turn on the
164 use_samba_home_dirs boolean. Disabled by default.
165 setsebool -P use_samba_home_dirs 1
167 If you want to allows clients to write to the X server shared memory
171 segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
172 abled by default.
173 setsebool -P xserver_clients_write_xshm 1
175 If you want to support X userspace object manager, you must turn on the
179 xserver_object_manager boolean. Enabled by default.
180 setsebool -P xserver_object_manager 1
182
186 SELinux defines port types to represent TCP and UDP ports.
187 You can see the types associated with a port by using the following
189 command:
190 semanage port -l
192 Policy governs the access confined processes have to these ports.
195 SELinux pulseaudio policy is very flexible allowing users to setup
196 their pulseaudio processes in as secure a method as possible.
197 The following port types are defined for pulseaudio:
199 pulseaudio_port_t
202 Default Defined Ports:
206 tcp 4713
207 udp 4713
208
210 The SELinux process type pulseaudio_t can manage files labeled with the
211 following file types. The paths listed are the default paths for these
212 file types. Note the processes UID still need to have DAC permissions.
213 anon_inodefs_t
215 cifs_t
218 gstreamer_home_t
221 /var/run/user/[^/]*/.orc(/.*)?
223 /root/.gstreamer-.*
224 /root/.cache/gstreamer-.*
225 /home/[^/]+/.orc(/.*)?
226 /home/[^/]+/.gstreamer-.*
227 /home/[^/]+/.nv/GLCache(/.*)?
228 /home/[^/]+/.cache/GLCache(/.*)?
229 /home/[^/]+/.cache/gstreamer-.*
230 /home/[^/]+/.grl-bookmarks
231 /home/[^/]+/.grl-metadata-store
232 nfs_t
234 pulseaudio_home_t
237 /root/.pulse(/.*)?
239 /root/.config/pulse(/.*)?
240 /root/.esd_auth
241 /root/.pulse-cookie
242 /home/[^/]+/.pulse(/.*)?
243 /home/[^/]+/.config/pulse(/.*)?
244 /home/[^/]+/.esd_auth
245 /home/[^/]+/.pulse-cookie
246 pulseaudio_var_lib_t
248 /var/lib/pulse(/.*)?
250 pulseaudio_var_run_t
252 /var/run/pulse(/.*)?
254 user_fonts_cache_t
256 /root/.fontconfig(/.*)?
258 /root/.fonts/auto(/.*)?
259 /root/.fonts.cache-.*
260 /home/[^/]+/.fontconfig(/.*)?
261 /home/[^/]+/.fonts/auto(/.*)?
262 /home/[^/]+/.fonts.cache-.*
263 user_tmp_t
265 /dev/shm/mono.*
267 /var/run/user(/.*)?
268 /tmp/.X11-unix(/.*)?
269 /tmp/.ICE-unix(/.*)?
270 /dev/shm/pulse-shm.*
271 /tmp/.X0-lock
272 /tmp/hsperfdata_root
273 /var/tmp/hsperfdata_root
274 /home/[^/]+/tmp
275 /home/[^/]+/.tmp
276 /tmp/gconfd-[^/]+
277 user_tmp_type
279 all user tmp files
281 virt_tmpfs_type
283 xserver_tmpfs_t
286
290 SELinux requires files to have an extended attribute to define the file
291 type.
292 You can see the context of a file using the -Z option to ls
294 Policy governs the access confined processes have to these files.
296 SELinux pulseaudio policy is very flexible allowing users to setup
297 their pulseaudio processes in as secure a method as possible.
298 STANDARD FILE CONTEXT
300 SELinux defines the file context types for the pulseaudio, if you
302 wanted to store files with these types in a diffent paths, you need to
303 execute the semanage command to sepecify alternate labeling and then
304 use restorecon to put the labels on disk.
305 semanage fcontext -a -t pulseaudio_var_run_t '/srv/mypulseaudio_con‐
307 tent(/.*)?'
308 restorecon -R -v /srv/mypulseaudio_content
309 Note: SELinux often uses regular expressions to specify labels that
311 match multiple files.
312 The following file types are defined for pulseaudio:
314 pulseaudio_exec_t
318 - Set files with the pulseaudio_exec_t type, if you want to transition
320 an executable to the pulseaudio_t domain.
321 pulseaudio_home_t
325 - Set files with the pulseaudio_home_t type, if you want to store
327 pulseaudio files in the users home directory.
328 Paths:
331 /root/.pulse(/.*)?, /root/.config/pulse(/.*)?, /root/.esd_auth,
332 /root/.pulse-cookie, /home/[^/]+/.pulse(/.*)?, /home/[^/]+/.con‐
333 fig/pulse(/.*)?, /home/[^/]+/.esd_auth, /home/[^/]+/.pulse-cookie
334 pulseaudio_tmpfs_t
337 - Set files with the pulseaudio_tmpfs_t type, if you want to store
339 pulseaudio files on a tmpfs file system.
340 pulseaudio_var_lib_t
344 - Set files with the pulseaudio_var_lib_t type, if you want to store
346 the pulseaudio files under the /var/lib directory.
347 pulseaudio_var_run_t
351 - Set files with the pulseaudio_var_run_t type, if you want to store
353 the pulseaudio files under the /run or /var/run directory.
354 Note: File context can be temporarily modified with the chcon command.
358 If you want to permanently change the file context you need to use the
359 semanage fcontext command. This will modify the SELinux labeling data‐
360 base. You will need to use restorecon to apply the labels.
361
364 semanage fcontext can also be used to manipulate default file context
365 mappings.
366 semanage permissive can also be used to manipulate whether or not a
368 process type is permissive.
369 semanage module can also be used to enable/disable/install/remove pol‐
371 icy modules.
372 semanage port can also be used to manipulate the port definitions
374 semanage boolean can also be used to manipulate the booleans
376 system-config-selinux is a GUI tool available to customize SELinux pol‐
379 icy settings.
380
383 This manual page was auto-generated using sepolicy manpage .
384
387 selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1), sepol‐
388 icy(8) , setsebool(8)
389pulseaudio 19-04-25 pulseaudio_selinux(8)