user_wine_selinux(8)       SELinux Policy user_wine       user_wine_selinux(8)


NAME

       user_wine_selinux - Security Enhanced Linux Policy for the user_wine
       processes


DESCRIPTION

       Security-Enhanced Linux secures the user_wine processes via flexible
       mandatory access control.

       The user_wine processes execute with the user_wine_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep user_wine_t



ENTRYPOINTS

       The user_wine_t SELinux type can be entered via the wine_exec_t,
       mount_exec_t, user_home_t and mount_ecryptfs_exec_t file types.

       The default entrypoint paths for the user_wine_t domain are the
       following:

            /usr/bin/wine.*
            /opt/teamviewer(/.*)?/bin/wine.*
            /opt/google/picasa(/.*)?/bin/wdi
            /opt/google/picasa(/.*)?/bin/wine.*
            /opt/google/picasa(/.*)?/bin/msiexec
            /opt/google/picasa(/.*)?/bin/notepad
            /opt/google/picasa(/.*)?/bin/progman
            /opt/google/picasa(/.*)?/bin/regedit
            /opt/google/picasa(/.*)?/bin/regsvr32
            /opt/google/picasa(/.*)?/Picasa3/.*exe
            /opt/google/picasa(/.*)?/bin/uninstaller
            /opt/cxoffice/bin/wine.*
            /opt/picasa/wine/bin/wine.*
            /usr/bin/msiexec
            /usr/bin/notepad
            /usr/bin/regedit
            /usr/bin/regsvr32
            /usr/bin/uninstaller
            /home/[^/]+/cxoffice/bin/wine.+
            /bin/mount.*
            /bin/umount.*
            /sbin/mount.*
            /sbin/umount.*
            /usr/bin/mount.*
            /usr/bin/umount.*
            /usr/sbin/mount.*
            /usr/sbin/umount.*
            /home/[^/]+/.+
            /usr/sbin/mount.ecryptfs
            /usr/sbin/umount.ecryptfs
            /usr/sbin/mount.ecryptfs_private
            /usr/sbin/umount.ecryptfs_private

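       The entrypoint paths above are file_contexts-style extended regular
       expressions that must match the whole path. The following script, an
       added example that is not part of the generated man page, checks
       candidate paths against that list with grep -E -x (ERE, whole-line
       match), which reproduces the whole-path rule. The sample paths are
       constructed for illustration; note that the /home/[^/]+/.+ entry (the
       user_home_t entrypoint) makes any file under a user's home directory
       a match.

```shell
#!/bin/sh
# Added example, not part of the generated man page: test candidate paths
# against the user_wine_t entrypoint patterns listed above. The patterns are
# file_contexts-style extended regular expressions that must match the whole
# path, so `grep -E -x` (ERE, whole-line match) reproduces that rule.

# The default entrypoint paths, transcribed from the ENTRYPOINTS section.
ENTRYPOINT_PATTERNS='
/usr/bin/wine.*
/opt/teamviewer(/.*)?/bin/wine.*
/opt/google/picasa(/.*)?/bin/wdi
/opt/google/picasa(/.*)?/bin/wine.*
/opt/google/picasa(/.*)?/bin/msiexec
/opt/google/picasa(/.*)?/bin/notepad
/opt/google/picasa(/.*)?/bin/progman
/opt/google/picasa(/.*)?/bin/regedit
/opt/google/picasa(/.*)?/bin/regsvr32
/opt/google/picasa(/.*)?/Picasa3/.*exe
/opt/google/picasa(/.*)?/bin/uninstaller
/opt/cxoffice/bin/wine.*
/opt/picasa/wine/bin/wine.*
/usr/bin/msiexec
/usr/bin/notepad
/usr/bin/regedit
/usr/bin/regsvr32
/usr/bin/uninstaller
/home/[^/]+/cxoffice/bin/wine.+
/bin/mount.*
/bin/umount.*
/sbin/mount.*
/sbin/umount.*
/usr/bin/mount.*
/usr/bin/umount.*
/usr/sbin/mount.*
/usr/sbin/umount.*
/home/[^/]+/.+
/usr/sbin/mount.ecryptfs
/usr/sbin/umount.ecryptfs
/usr/sbin/mount.ecryptfs_private
/usr/sbin/umount.ecryptfs_private
'

# user_wine_entrypoint_match PATH
# Prints the first listed pattern that matches PATH and returns 0;
# prints nothing and returns 1 when no pattern matches.
user_wine_entrypoint_match() {
    path=$1
    set -f   # disable globbing: the patterns contain *, ? and [ ]
    for pat in $ENTRYPOINT_PATTERNS; do
        if printf '%s\n' "$path" | grep -E -x -q -e "$pat"; then
            printf '%s\n' "$pat"
            set +f
            return 0
        fi
    done
    set +f
    return 1
}

# Constructed sample paths (not from the man page) to illustrate the matching.
for p in /usr/bin/wine64 /home/alice/cxoffice/bin/wine64 \
         /home/alice/Downloads/setup.exe /usr/local/bin/wine; do
    if m=$(user_wine_entrypoint_match "$p"); then
        printf '%-36s enters user_wine_t via %s\n' "$p" "$m"
    else
        printf '%-36s is not a user_wine_t entrypoint\n' "$p"
    fi
done
```

       The function reports the first matching pattern in list order, so a
       path such as /usr/sbin/mount.ecryptfs is reported under
       /usr/sbin/mount.* rather than the more specific entry that follows it;
       either way the verdict (entrypoint or not) is the same.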

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       user_wine policy is very flexible, allowing users to set up their
       user_wine processes in as secure a manner as possible.

       The following process types are defined for user_wine:

       user_wine_t

       Note: semanage permissive -a user_wine_t can be used to make the
       process type user_wine_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.



BOOLEANS

       SELinux policy is customizable based on least access required.
       user_wine policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run user_wine with the tightest
       access possible.



       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1



       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1



       If you want to allow any process to mmap any file on the system with
       the attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1



       If you want to allow all domains to write to kmsg_device while the
       kernel is run with the systemd.log_target=kmsg parameter, you must turn
       on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1



       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1



       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1



       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1



       If you want to allow logging in and using the system from /dev/console,
       you must turn on the login_console_enabled boolean. Enabled by default.

       setsebool -P login_console_enabled 1



       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1



       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1



       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1



       If you want to disallow programs, such as newrole, from transitioning
       to administrative user domains, you must turn on the secure_mode
       boolean. Enabled by default.

       setsebool -P secure_mode 1



       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

       setsebool -P selinuxuser_direct_dri_enabled 1



       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_postgresql_connect_enabled 1



       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1



       If you want to allow user music sharing, you must turn on the
       selinuxuser_share_music boolean. Disabled by default.

       setsebool -P selinuxuser_share_music 1



       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_tcp_server boolean. Disabling this forces FTP passive
       mode and may change other protocols. Disabled by default.

       setsebool -P selinuxuser_tcp_server 1



       If you want to allow users to run UDP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_udp_server boolean. Disabling this may break avahi
       discovering services on the network and other udp related services.
       Disabled by default.

       setsebool -P selinuxuser_udp_server 1



       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1



       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1



       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1



       If you want to allow the graphical login program to login directly as
       sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
       Enabled by default.

       setsebool -P xdm_sysadm_login 1



       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1



       If you want to support X userspace object manager, you must turn on the
       xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1



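       Each boolean above states a default, so a quick hardening check is to
       compare the live values with those defaults and look at anything that
       differs (deny_ptrace switched off, or a user-facing server boolean
       switched on, for example). The following script is an added example,
       not part of the generated man page: it reads lines in the format
       printed by getsebool -a ("name --> on") and reports every boolean
       documented here whose current state differs from its documented
       default. The defaults are transcribed from this page and may differ
       between policy versions and distributions; the input below is a
       constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the generated man page: compare the current
# value of each boolean documented above against its documented default and
# report drift. Input is in the format printed by `getsebool -a`
# ("name --> on"); the sample below is constructed so the script runs offline.

# Documented defaults, transcribed from the BOOLEANS section of this page.
DOCUMENTED_DEFAULTS='
authlogin_nsswitch_use_ldap off
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off
kerberos_enabled on
login_console_enabled on
mmap_low_allowed off
nis_enabled off
nscd_use_shm off
secure_mode on
selinuxuser_direct_dri_enabled on
selinuxuser_postgresql_connect_enabled off
selinuxuser_rw_noexattrfile on
selinuxuser_share_music off
selinuxuser_tcp_server off
selinuxuser_udp_server off
ssh_sysadm_login off
use_nfs_home_dirs off
use_samba_home_dirs off
xdm_sysadm_login on
xserver_clients_write_xshm off
xserver_object_manager on
'

# documented_default NAME: prints the documented default of NAME, or nothing
# if the boolean is not covered by this man page.
documented_default() {
    printf '%s\n' "$DOCUMENTED_DEFAULTS" | awk -v n="$1" '$1 == n { print $2 }'
}

# audit_booleans: reads "name --> state" lines on stdin and prints one line
# per documented boolean whose current state differs from its default.
# Booleans not documented on this page are ignored.
audit_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = '-->' ] || continue          # skip blank or malformed lines
        default=$(documented_default "$name")
        [ -n "$default" ] || continue
        if [ "$state" != "$default" ]; then
            printf '%s: currently %s, documented default %s\n' \
                "$name" "$state" "$default"
        fi
    done
}

# Constructed sample in getsebool -a format. On a live host run:
#   getsebool -a | audit_booleans
SAMPLE_GETSEBOOL='deny_ptrace --> off
domain_fd_use --> on
selinuxuser_tcp_server --> on
some_unrelated_boolean --> on
fips_mode --> on'

printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans
```

       On the sample input the script reports deny_ptrace (off, documented
       on) and selinuxuser_tcp_server (on, documented off) and says nothing
       about the booleans that match or are not listed on this page.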

MANAGED FILES

       The SELinux process type user_wine_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t


       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t


       cifs_t


       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       iceauth_home_t

            /root/.DCOP.*
            /root/.ICEauthority.*
            /home/[^/]+/.DCOP.*
            /home/[^/]+/.ICEauthority.*

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t


       pulseaudio_tmpfsfile


       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*

       user_fonts_t

            /root/.fonts(/.*)?
            /tmp/.font-unix(/.*)?
            /home/[^/]+/.fonts(/.*)?
            /home/[^/]+/.local/share/fonts(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       xauth_home_t

            /root/.xauth.*
            /root/.Xauth.*
            /root/.serverauth.*
            /root/.Xauthority.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]+/.xauth.*
            /home/[^/]+/.Xauth.*
            /home/[^/]+/.serverauth.*
            /home/[^/]+/.Xauthority.*

       xserver_tmpfs_t




COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), user_wine(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



user_wine                          19-04-25               user_wine_selinux(8)