prelink_selinux(8) SELinux Policy prelink prelink_selinux(8)

NAME

prelink_selinux - Security Enhanced Linux Policy for the prelink processes

DESCRIPTION

Security-Enhanced Linux secures the prelink processes via flexible
mandatory access control.

The prelink processes execute with the prelink_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.

For example:

ps -eZ | grep prelink_t

ENTRYPOINTS

The prelink_t SELinux type can be entered via the prelink_exec_t file
type.

The default entrypoint paths for the prelink_t domain are the following:

/usr/sbin/prelink(.bin)?

PROCESS TYPES

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
prelink policy is very flexible, allowing users to set up their prelink
processes in as secure a manner as possible.

The following process types are defined for prelink:

prelink_t, prelink_cron_system_t

Note: semanage permissive -a prelink_t can be used to make the process
type prelink_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still generated.

BOOLEANS

SELinux policy is customizable based on least access required. prelink
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run prelink with the tightest access possible.

If you want to deny user domain applications the ability to map a memory
region as both executable and writable (this is dangerous, and such an
executable should be reported in bugzilla), you must turn on the
deny_execmem boolean. Enabled by default.

setsebool -P deny_execmem 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to control the ability to mmap a low area of the address
space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1

If you want to disable kernel module loading, you must turn on the
secure_mode_insmod boolean. Enabled by default.

setsebool -P secure_mode_insmod 1

If you want to allow unconfined executables to make their heap memory
executable, you must turn on the selinuxuser_execheap boolean. Doing
this is a really bad idea: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Disabled by default.

setsebool -P selinuxuser_execheap 1

If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1

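The six booleans above and their documented defaults, turned into a drift check that reports any boolean whose current state differs from what this page documents. This is an added example, not code from the page or from the sepolicy tool; it assumes the `name --> state` line format that getsebool prints.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: compare the booleans
# documented above against their documented defaults and report any drift.
# Input is getsebool-style text ("name --> on|off", one per line) read from
# stdin, so the check works on a saved `getsebool -a` capture as well as live.

# Documented default for one boolean (states taken from the page text), or
# nothing if the boolean is not one this page documents.
prelink_boolean_default() {
    case $1 in
        deny_execmem|fips_mode|secure_mode_insmod|selinuxuser_execstack) echo on ;;
        mmap_low_allowed|selinuxuser_execheap) echo off ;;
        *) echo "" ;;
    esac
}

# Read "name --> state" lines, report each mismatch on stderr as
# "DRIFT name: documented X, actual Y", and print the number of drifted
# booleans on stdout so callers can capture it.
prelink_boolean_drift() {
    drift=0
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue        # not a getsebool line, skip it
        expected=$(prelink_boolean_default "$name")
        [ -n "$expected" ] || continue          # boolean not documented here
        if [ "$expected" != "$state" ]; then
            echo "DRIFT $name: documented $expected, actual $state" >&2
            drift=$((drift + 1))
        fi
    done
    echo "$drift"
}

# Live usage on an SELinux host (policycoreutils provides getsebool):
#   getsebool -a | prelink_boolean_drift
```

A non-zero count is not necessarily wrong (mmap_low_allowed may have been enabled on purpose), but each DRIFT line is a setting that deserves a documented reason.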

MANAGED FILES

The SELinux process type prelink_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note the process's UID still needs to have DAC permissions.

file_type

all files on the system


FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux prelink policy is very flexible, allowing users to set up their
prelink processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES

prelink policy stores data with multiple different file context types
under the /var/log/prelink directory. If you would like to store the
data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following command:

semanage fcontext -a -e /var/log/prelink /srv/prelink
restorecon -R -v /srv/prelink

STANDARD FILE CONTEXT

SELinux defines the file context types for prelink. If you wanted to
store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t prelink_var_lib_t '/srv/myprelink_content(/.*)?'
restorecon -R -v /srv/myprelink_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for prelink:

prelink_cache_t

- Set files with the prelink_cache_t type, if you want to store the
files under the /var/cache directory.

prelink_cron_system_exec_t

- Set files with the prelink_cron_system_exec_t type, if you want to
transition an executable to the prelink_cron_system_t domain.

prelink_exec_t

- Set files with the prelink_exec_t type, if you want to transition an
executable to the prelink_t domain.

prelink_log_t

- Set files with the prelink_log_t type, if you want to treat the data
as prelink log data, usually stored under the /var/log directory.

Paths:
/var/log/prelink(/.*)?, /var/log/prelink.log.*

prelink_tmp_t

- Set files with the prelink_tmp_t type, if you want to store prelink
temporary files in the /tmp directories.

prelink_tmpfs_t

- Set files with the prelink_tmpfs_t type, if you want to store prelink
files on a tmpfs file system.

prelink_var_lib_t

- Set files with the prelink_var_lib_t type, if you want to store the
prelink files under the /var/lib directory.

Paths:
/var/lib/prelink(/.*)?, /var/lib/misc/prelink.*

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

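A label audit for the documented prelink paths: it maps a path to the type the patterns above assign to it, then flags on-disk labels that differ, which is the condition restorecon repairs. This is an added example, not code from the page or from the sepolicy tool; it assumes the modern coreutils `ls -Z` output of one `context path` pair per line and that grep -E is available.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: map a path to the
# prelink file type this page documents for it, then audit `ls -Z` style
# listings ("context path" per line) for files whose on-disk type differs.
# The path regexes are the ones listed above; SELinux file_contexts patterns
# match the whole path, so they are anchored with ^ and $ here.

# Print the documented type for the path in $1, or nothing if no documented
# prelink path pattern matches it.
expected_prelink_type() {
    if   printf '%s\n' "$1" | grep -Eq '^/usr/sbin/prelink(.bin)?$';    then echo prelink_exec_t
    elif printf '%s\n' "$1" | grep -Eq '^/var/log/prelink(/.*)?$';      then echo prelink_log_t
    elif printf '%s\n' "$1" | grep -Eq '^/var/log/prelink.log.*$';      then echo prelink_log_t
    elif printf '%s\n' "$1" | grep -Eq '^/var/lib/prelink(/.*)?$';      then echo prelink_var_lib_t
    elif printf '%s\n' "$1" | grep -Eq '^/var/lib/misc/prelink.*$';     then echo prelink_var_lib_t
    fi
}

# Read "user:role:type:level path" lines, report each mislabeled documented
# path on stderr with the restorecon command that would fix it, and print the
# mismatch count on stdout.
audit_prelink_labels() {
    bad=0
    while read -r context path; do
        [ -n "$path" ] || continue
        want=$(expected_prelink_type "$path")
        [ -n "$want" ] || continue              # not a documented prelink path
        have=${context#*:}; have=${have#*:}     # drop the user and role fields
        have=${have%%:*}                        # keep the type, drop the level
        if [ "$have" != "$want" ]; then
            echo "MISLABEL $path: is $have, documented $want (fix: restorecon -v $path)" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Live usage on an SELinux host:
#   ls -dZ /usr/sbin/prelink /var/log/prelink /var/lib/prelink | audit_prelink_labels
```

Paths relabeled through an equivalence mapping or a custom fcontext rule (as in the sections above) will also be reported, since the audit only knows the default paths; matchpathcon reflects the local database if you need that.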

COMMANDS

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), prelink(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), prelink_cron_system_selinux(8)


prelink 19-10-08 prelink_selinux(8)