xserver_selinux(8)          SELinux Policy xserver          xserver_selinux(8)

NAME

       xserver_selinux - Security Enhanced Linux Policy for the xserver
       processes


DESCRIPTION

       Security-Enhanced Linux secures the xserver processes via flexible
       mandatory access control.

       The xserver processes execute with the xserver_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep xserver_t


ENTRYPOINTS

       The xserver_t SELinux type can be entered via the xserver_exec_t file
       type.

       The default entrypoint paths for the xserver_t domain are the
       following:

       /usr/bin/nvidia.*, /usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xvnc,
       /usr/bin/Xephyr, /usr/bin/x11vnc, /usr/X11R6/bin/X, /usr/X11R6/bin/Xorg,
       /usr/X11R6/bin/Xipaq, /usr/libexec/Xorg.bin, /usr/libexec/Xorg.wrap,
       /usr/X11R6/bin/XFree86, /usr/X11R6/bin/Xwrapper


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       xserver policy is very flexible, allowing users to set up their xserver
       processes in as secure a manner as possible.

       The following process types are defined for xserver:

       xserver_t

       Note: semanage permissive -a xserver_t can be used to make the process
       type xserver_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. xserver
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run xserver with the tightest access possible.

       If you want to allow XServer to execute writable memory, you must turn
       on the xserver_execmem boolean. Disabled by default.

       setsebool -P xserver_execmem 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny user domain applications from mapping a memory
       region as both executable and writable (this is dangerous and the
       executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1

       If you want to control whether the system permits loading policy,
       setting enforcing mode, and changing boolean values, you must turn on
       the secure_mode_policyload boolean. Once set to true, you have to
       reboot to set it back. Enabled by default.

       setsebool -P secure_mode_policyload 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea. It probably indicates a badly coded
       executable, but could indicate an attack. This executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execheap 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Enabled by default.

       setsebool -P selinuxuser_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary. It probably indicates a badly coded
       executable, but could indicate an attack. This executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to support ecryptfs home directories, you must turn on the
       use_ecryptfs_home_dirs boolean. Disabled by default.

       setsebool -P use_ecryptfs_home_dirs 1

       If you want to support fusefs home directories, you must turn on the
       use_fusefs_home_dirs boolean. Disabled by default.

       setsebool -P use_fusefs_home_dirs 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow confined virtual guests to interact with the
       xserver, you must turn on the virt_use_xserver boolean. Disabled by
       default.

       setsebool -P virt_use_xserver 1

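       The booleans above each toggle one piece of access, and several of them
       (xserver_execmem, selinuxuser_execheap, selinuxuser_execstack,
       deny_execmem, deny_ptrace) decide whether memory can be made both
       writable and executable or whether processes can be traced. The
       following script is an added example, not part of the generated man
       page or of the sepolicy tool: it compares getsebool(8)-style output
       against a hardened baseline and prints the setsebool -P command that
       would restore each deviating boolean. The baseline values are the
       defaults stated above, except that xserver_execmem and
       selinuxuser_execstack are pinned to their restrictive side. The input
       is a constructed sample so the script runs offline; on a real host the
       output of getsebool -a is piped into audit_booleans instead.

```shell
#!/bin/sh
# Added example (not from the man page): audit SELinux booleans against a
# hardened baseline. Constructed getsebool(8)-style sample; on a real host
# use:  getsebool -a | audit_booleans
SAMPLE_GETSEBOOL='xserver_execmem --> on
xserver_object_manager --> on
deny_execmem --> off
deny_ptrace --> on
selinuxuser_execheap --> off
selinuxuser_execstack --> on
secure_mode_insmod --> on
virt_use_xserver --> off'

# Expected (hardened) state, one "name state" pair per line. Values follow
# the defaults stated in the BOOLEANS section, with the two memory-execution
# booleans forced to their restrictive setting.
BASELINE='xserver_execmem off
xserver_object_manager on
deny_execmem on
deny_ptrace on
selinuxuser_execheap off
selinuxuser_execstack off
secure_mode_insmod on
virt_use_xserver off'

# audit_booleans: read "name --> state" lines on stdin and print one
# "DEVIATION name expected=X actual=Y" line per mismatch. Booleans absent
# from the baseline are ignored. Returns 1 if any deviation was found.
audit_booleans() {
    rc=0
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        expected=$(printf '%s\n' "$BASELINE" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$expected" ] || continue
        if [ "$state" != "$expected" ]; then
            printf 'DEVIATION %s expected=%s actual=%s\n' "$name" "$expected" "$state"
            rc=1
        fi
    done
    return "$rc"
}

# count_deviations: number of mismatches found in the constructed sample.
count_deviations() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans | wc -l | tr -d ' '
}

# remediation: the persistent setsebool -P command for each deviation,
# printed for review rather than executed.
remediation() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans |
    while read -r tag name expected actual; do
        case ${expected#expected=} in
            on) value=1 ;;
            *)  value=0 ;;
        esac
        printf 'setsebool -P %s %s\n' "$name" "$value"
    done
}

count_deviations
remediation
```

       With the constructed sample the audit reports three deviations
       (xserver_execmem on, deny_execmem off, selinuxuser_execstack on) and
       prints the three setsebool -P commands that would bring them back to
       the baseline.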

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux xserver policy is very flexible, allowing users to set up their
       xserver processes in as secure a manner as possible.

       The following port types are defined for xserver:

       xserver_port_t

       Default Defined Ports:
                 tcp 6000-6020


MANAGED FILES

       The SELinux process type xserver_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       file_type

            all files on the system


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux xserver policy is very flexible, allowing users to set up their
       xserver processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for the xserver. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t xserver_var_run_t '/srv/myxserver_content(/.*)?'
       restorecon -R -v /srv/myxserver_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for xserver:

       xserver_etc_t

       - Set files with the xserver_etc_t type, if you want to store xserver
       files in the /etc directories.

       xserver_exec_t

       - Set files with the xserver_exec_t type, if you want to transition an
       executable to the xserver_t domain.

       Paths:
            /usr/bin/nvidia.*, /usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xvnc,
            /usr/bin/Xephyr, /usr/bin/x11vnc, /usr/X11R6/bin/X,
            /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/libexec/Xorg.bin,
            /usr/libexec/Xorg.wrap, /usr/X11R6/bin/XFree86,
            /usr/X11R6/bin/Xwrapper

       xserver_log_t

       - Set files with the xserver_log_t type, if you want to treat the data
       as xserver log data, usually stored under the /var/log directory.

       Paths:
            /var/[xgkw]dm(/.*)?, /usr/var/[xgkw]dm(/.*)?,
            /var/log/gdm(3)?(/.*)?, /var/log/Xorg.*, /var/log/XFree86.*,
            /var/log/lightdm(/.*)?, /var/log/nvidia-installer.log.*

       xserver_tmpfs_t

       - Set files with the xserver_tmpfs_t type, if you want to store xserver
       files on a tmpfs file system.

       xserver_var_lib_t

       - Set files with the xserver_var_lib_t type, if you want to store the
       xserver files under the /var/lib directory.

       xserver_var_run_t

       - Set files with the xserver_var_run_t type, if you want to store the
       xserver files under the /run or /var/run directory.

       Paths:
            /var/run/xorg(/.*)?, /var/run/video.rom

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

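       The file context entries above are anchored regular expressions, so a
       path either matches an entry in full or receives no xserver type at
       all. The script below is an added example, not part of the generated
       man page or of the sepolicy tool: it resolves the type a path would get
       from a constructed subset of the entries listed above (plus the
       /srv/myxserver_content rule from the semanage fcontext example) using
       the same anchored-match, last-entry-wins rule that setfiles(8) applies.
       The entry table, the "unlabeled" placeholder and the lookup_type
       function are all assumptions of this example; on a real host the
       authoritative answer comes from matchpathcon(8) or semanage fcontext
       -l, and restorecon -n -v shows what would be relabeled without
       changing anything.

```shell
#!/bin/sh
# Added example (not from the man page): resolve the SELinux file type a
# path would receive from regular-expression file-context entries.
# Constructed subset of the entries in the FILE CONTEXTS section, written
# as "regex type" pairs; later entries take precedence, as local
# customisations added with semanage fcontext -a do.
FCONTEXTS='/usr/bin/Xorg xserver_exec_t
/usr/libexec/Xorg\.bin xserver_exec_t
/var/log/Xorg.* xserver_log_t
/var/log/gdm(3)?(/.*)? xserver_log_t
/var/run/xorg(/.*)? xserver_var_run_t
/srv/myxserver_content(/.*)? xserver_var_run_t'

# lookup_type PATH: print the type of the last matching entry, or the
# placeholder "unlabeled" when no entry matches the whole path.
lookup_type() {
    path=$1
    result=unlabeled
    while read -r regex type; do
        # SELinux anchors every file-context regex at both ends, so the
        # pattern must cover the full path, not just a prefix.
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            result=$type
        fi
    done <<EOF
$FCONTEXTS
EOF
    printf '%s\n' "$result"
}

# Demonstration: a log under /var/log, a directory path covered by the
# semanage fcontext example above, and a near-miss that the anchoring rejects.
lookup_type /var/log/Xorg.0.log
lookup_type /srv/myxserver_content/session/0
lookup_type /var/log/gdmx
```

       The near-miss /var/log/gdmx shows why the anchoring matters: the entry
       /var/log/gdm(3)?(/.*)? covers /var/log/gdm, /var/log/gdm3 and anything
       beneath them, but not other names that merely start with gdm, so such a
       file keeps whatever type its parent directory rules give it.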

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), xserver(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

xserver                            19-04-25                 xserver_selinux(8)