1rpm_script_selinux(8)      SELinux Policy rpm_script     rpm_script_selinux(8)
2
3
4

NAME

6       rpm_script_selinux  - Security Enhanced Linux Policy for the rpm_script
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the rpm_script processes  via  flexible
11       mandatory access control.
12
13       The  rpm_script  processes  execute with the rpm_script_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep rpm_script_t
20
21
22

ENTRYPOINTS

24       The  rpm_script_t  SELinux  type  can  be entered via the shell_exec_t,
25       bin_t, usr_t, ldconfig_exec_t file types.
26
27       The default entrypoint paths for the rpm_script_t domain are  the  fol‐
28       lowing:
29
30       All  executeables  with the default executable label, usually stored in
31       /usr/bin   and   /usr/sbin.    /bin/d?ash,   /bin/ksh.*,    /bin/zsh.*,
32       /usr/bin/d?ash,  /usr/bin/ksh.*,  /usr/bin/zsh.*,  /bin/esh, /bin/bash,
33       /bin/fish,  /bin/mksh,  /bin/sash,  /bin/tcsh,  /bin/yash,  /bin/bash2,
34       /usr/bin/esh,      /sbin/nologin,     /usr/bin/bash,     /usr/bin/fish,
35       /usr/bin/mksh,     /usr/bin/sash,     /usr/bin/tcsh,     /usr/bin/yash,
36       /usr/bin/bash2,   /usr/sbin/sesh,   /usr/sbin/smrsh,  /usr/bin/scponly,
37       /usr/libexec/sesh,        /usr/sbin/nologin,        /usr/bin/git-shell,
38       /usr/sbin/scponlyc,   /usr/libexec/sudo/sesh,  /usr/bin/cockpit-bridge,
39       /usr/libexec/cockpit-agent,  /usr/libexec/git-core/git-shell,  /opt/.*,
40       /usr/.*,         /emul/.*,         /export(/.*)?,        /ostree(/.*)?,
41       /usr/doc(/.*)?/lib(/.*)?,   /usr/inclu.e(/.*)?,   /usr/share/rpm(/.*)?,
42       /usr/share/doc(/.*)?/README.*,           /usr/lib/modules(/.*)/vmlinuz,
43       /usr/lib/modules(/.*)/initramfs.img,           /usr/lib/sysimage(/.*)?,
44       /usr/lib/ostree-boot(/.*)?,     /opt,     /usr,    /emul,    /sbin/sln,
45       /usr/sbin/sln, /sbin/ldconfig, /usr/sbin/ldconfig
46

PROCESS TYPES

48       SELinux defines process types (domains) for each process running on the
49       system
50
51       You can see the context of a process using the -Z option to ps
52
53       Policy  governs  the  access confined processes have to files.  SELinux
54       rpm_script policy is  very  flexible  allowing  users  to  setup  their
55       rpm_script processes in as secure a method as possible.
56
57       The following process types are defined for rpm_script:
58
59       rpm_script_t
60
61       Note:  semanage  permissive  -a  rpm_script_t  can  be used to make the
62       process type rpm_script_t permissive. SELinux does not deny  access  to
63       permissive  process  types,  but the AVC (SELinux denials) messages are
64       still generated.
65
66

BOOLEANS

68       SELinux  policy  is  customizable  based  on  least  access   required.
69       rpm_script  policy  is extremely flexible and has several booleans that
70       allow you to manipulate the policy and run rpm_script with the tightest
71       access possible.
72
73
74
75       If you want to allow users to resolve user passwd entries directly from
76       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
77       gin_nsswitch_use_ldap boolean. Disabled by default.
78
79       setsebool -P authlogin_nsswitch_use_ldap 1
80
81
82
83       If you want to deny user domains applications to map a memory region as
84       both executable and writable, this  is  dangerous  and  the  executable
85       should be reported in bugzilla, you must turn on the deny_execmem bool‐
86       ean. Enabled by default.
87
88       setsebool -P deny_execmem 1
89
90
91
92       If you want to allow all domains to execute in fips_mode, you must turn
93       on the fips_mode boolean. Enabled by default.
94
95       setsebool -P fips_mode 1
96
97
98
99       If  you  want  to allow confined applications to run with kerberos, you
100       must turn on the kerberos_enabled boolean. Enabled by default.
101
102       setsebool -P kerberos_enabled 1
103
104
105
106       If you want to control the ability to mmap a low area  of  the  address
107       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
108       the mmap_low_allowed boolean. Disabled by default.
109
110       setsebool -P mmap_low_allowed 1
111
112
113
114       If you want to allow system to run with  NIS,  you  must  turn  on  the
115       nis_enabled boolean. Disabled by default.
116
117       setsebool -P nis_enabled 1
118
119
120
121       If  you  want to allow confined applications to use nscd shared memory,
122       you must turn on the nscd_use_shm boolean. Enabled by default.
123
124       setsebool -P nscd_use_shm 1
125
126
127
128       If you want to disable kernel module loading,  you  must  turn  on  the
129       secure_mode_insmod boolean. Enabled by default.
130
131       setsebool -P secure_mode_insmod 1
132
133
134
135       If  you  want to allow unconfined executables to make their heap memory
136       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
137       badly  coded  executable, but could indicate an attack. This executable
138       should  be  reported  in  bugzilla,  you  must  turn  on   the   selin‐
139       uxuser_execheap boolean. Disabled by default.
140
141       setsebool -P selinuxuser_execheap 1
142
143
144
145       If  you  want  to allow unconfined executables to make their stack exe‐
146       cutable.  This should never, ever be necessary.  Probably  indicates  a
147       badly  coded  executable, but could indicate an attack. This executable
148       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
149       stack boolean. Enabled by default.
150
151       setsebool -P selinuxuser_execstack 1
152
153
154

MANAGED FILES

156       The SELinux process type rpm_script_t can manage files labeled with the
157       following file types.  The paths listed are the default paths for these
158       file types.  Note the processes UID still need to have DAC permissions.
159
160       file_type
161
162            all files on the system
163
164

COMMANDS

166       semanage  fcontext  can also be used to manipulate default file context
167       mappings.
168
169       semanage permissive can also be used to manipulate  whether  or  not  a
170       process type is permissive.
171
172       semanage  module can also be used to enable/disable/install/remove pol‐
173       icy modules.
174
175       semanage boolean can also be used to manipulate the booleans
176
177
178       system-config-selinux is a GUI tool available to customize SELinux pol‐
179       icy settings.
180
181

AUTHOR

183       This manual page was auto-generated using sepolicy manpage .
184
185

SEE ALSO

187       selinux(8), rpm_script(8), semanage(8), restorecon(8), chcon(1), sepol‐
188       icy(8), setsebool(8)
189
190
191
192rpm_script                         19-10-08              rpm_script_selinux(8)
Impressum