1xdm_selinux(8) SELinux Policy xdm xdm_selinux(8)
2
6 xdm_selinux - Security Enhanced Linux Policy for the xdm processes
7
9 Security-Enhanced Linux secures the xdm processes via flexible manda‐
10 tory access control.
11 The xdm processes execute with the xdm_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15 For example:
17 ps -eZ | grep xdm_t
19
23 The xdm_t SELinux type can be entered via the xdm_exec_t file type.
24 The default entrypoint paths for the xdm_t domain are the following:
26 /usr/s?bin/nodm, /usr/s?bin/gdm(3)?, /usr/s?bin/lightdm*,
28 /usr/s?bin/[mxgkw]dm, /usr/s?bin/gdm-binary, /usr/s?bin/lxdm(-binary)?,
29 /usr/X11R6/bin/[xgkw]dm, /usr/bin/razor-lightdm-.*, /usr/bin/sddm,
30 /usr/bin/slim, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-
31 binary, /usr/bin/sddm-greeter, /etc/rc.d/init.d/x11-common,
32 /usr/libexec/gdm-disable-wayland
33
35 SELinux defines process types (domains) for each process running on the
36 system
37 You can see the context of a process using the -Z option to ps
39 Policy governs the access confined processes have to files. SELinux
41 xdm policy is very flexible allowing users to setup their xdm processes
42 in as secure a method as possible.
43 The following process types are defined for xdm:
45 xdm_t, xdm_unconfined_t
47 Note: semanage permissive -a xdm_t can be used to make the process type
49 xdm_t permissive. SELinux does not deny access to permissive process
50 types, but the AVC (SELinux denials) messages are still generated.
51
54 SELinux policy is customizable based on least access required. xdm
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run xdm with the tightest access possible.
57 If you want to allows xdm_t to bind on vnc_port_t(5910), you must turn
61 on the xdm_bind_vnc_tcp_port boolean. Disabled by default.
62 setsebool -P xdm_bind_vnc_tcp_port 1
64 If you want to allow the graphical login program to execute bootloader,
68 you must turn on the xdm_exec_bootloader boolean. Disabled by default.
69 setsebool -P xdm_exec_bootloader 1
71 If you want to allow the graphical login program to create, read,
75 write, and delete files in the /boot director and DOS filesystem, you
76 must turn on the xdm_manage_bootloader boolean. Enabled by default.
77 setsebool -P xdm_manage_bootloader 1
79 If you want to allow the graphical login program to login directly as
83 sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Dis‐
84 abled by default.
85 setsebool -P xdm_sysadm_login 1
87 If you want to allow the graphical login program to create files in
91 HOME dirs as xdm_home_t, you must turn on the xdm_write_home boolean.
92 Disabled by default.
93 setsebool -P xdm_write_home 1
95 If you want to allow users to resolve user passwd entries directly from
99 ldap rather then using a sssd server, you must turn on the authlo‐
100 gin_nsswitch_use_ldap boolean. Disabled by default.
101 setsebool -P authlogin_nsswitch_use_ldap 1
103 If you want to deny user domains applications to map a memory region as
107 both executable and writable, this is dangerous and the executable
108 should be reported in bugzilla, you must turn on the deny_execmem bool‐
109 ean. Enabled by default.
110 setsebool -P deny_execmem 1
112 If you want to deny any process from ptracing or debugging any other
116 processes, you must turn on the deny_ptrace boolean. Enabled by
117 default.
118 setsebool -P deny_ptrace 1
120 If you want to allow all domains to execute in fips_mode, you must turn
124 on the fips_mode boolean. Enabled by default.
125 setsebool -P fips_mode 1
127 If you want to allow confined applications to run with kerberos, you
131 must turn on the kerberos_enabled boolean. Disabled by default.
132 setsebool -P kerberos_enabled 1
134 If you want to allow system to run with NIS, you must turn on the
138 nis_enabled boolean. Disabled by default.
139 setsebool -P nis_enabled 1
141 If you want to allow confined applications to use nscd shared memory,
145 you must turn on the nscd_use_shm boolean. Disabled by default.
146 setsebool -P nscd_use_shm 1
148 If you want to enable polyinstantiated directory support, you must turn
152 on the polyinstantiation_enabled boolean. Disabled by default.
153 setsebool -P polyinstantiation_enabled 1
155 If you want to allow unconfined executables to make their stack exe‐
159 cutable. This should never, ever be necessary. Probably indicates a
160 badly coded executable, but could indicate an attack. This executable
161 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
162 stack boolean. Disabled by default.
163 setsebool -P selinuxuser_execstack 1
165 If you want to support ecryptfs home directories, you must turn on the
169 use_ecryptfs_home_dirs boolean. Disabled by default.
170 setsebool -P use_ecryptfs_home_dirs 1
172 If you want to support fusefs home directories, you must turn on the
176 use_fusefs_home_dirs boolean. Disabled by default.
177 setsebool -P use_fusefs_home_dirs 1
179 If you want to support NFS home directories, you must turn on the
183 use_nfs_home_dirs boolean. Enabled by default.
184 setsebool -P use_nfs_home_dirs 1
186 If you want to support SAMBA home directories, you must turn on the
190 use_samba_home_dirs boolean. Disabled by default.
191 setsebool -P use_samba_home_dirs 1
193
197 SELinux defines port types to represent TCP and UDP ports.
198 You can see the types associated with a port by using the following
200 command:
201 semanage port -l
203 Policy governs the access confined processes have to these ports.
206 SELinux xdm policy is very flexible allowing users to setup their xdm
207 processes in as secure a method as possible.
208 The following port types are defined for xdm:
210 xdmcp_port_t
213 Default Defined Ports:
217 tcp 177
218 udp 177
219
221 The SELinux process type xdm_t can manage files labeled with the fol‐
222 lowing file types. The paths listed are the default paths for these
223 file types. Note the processes UID still need to have DAC permissions.
224 anon_inodefs_t
226 auth_cache_t
229 /var/cache/coolkey(/.*)?
231 auth_home_t
233 /root/.yubico(/.*)?
235 /root/.google_authenticator
236 /root/.google_authenticator~
237 /home/[^/]+/.yubico(/.*)?
238 /home/[^/]+/.google_authenticator
239 /home/[^/]+/.google_authenticator~
240 boot_t
242 /efi(/.*)?
244 /boot/.*
245 /vmlinuz.*
246 /initrd.img.*
247 /boot
248 cgroup_t
250 /sys/fs/cgroup
252 cifs_t
254 dosfs_t
257 ecryptfs_t
260 /home/[^/]+/.Private(/.*)?
262 /home/[^/]+/.ecryptfs(/.*)?
263 etc_runtime_t
265 /[^/]+
267 /etc/mtab.*
268 /etc/blkid(/.*)?
269 /etc/nologin.*
270 /etc/.fstab.hal..+
271 /halt
272 /fastboot
273 /poweroff
274 /.autofsck
275 /etc/cmtab
276 /forcefsck
277 /.suspended
278 /fsckoptions
279 /.autorelabel
280 /etc/.updated
281 /var/.updated
282 /etc/killpower
283 /etc/nohotplug
284 /etc/securetty
285 /etc/ioctl.save
286 /etc/fstab.REVOKE
287 /etc/network/ifstate
288 /etc/sysconfig/hwconf
289 /etc/ptal/ptal-printd-like
290 /etc/xorg.conf.d/00-system-setup-keyboard.conf
291 /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
292 faillog_t
294 /var/log/btmp.*
296 /var/log/faillog.*
297 /var/log/tallylog.*
298 /var/run/faillock(/.*)?
299 fonts_cache_t
301 /var/cache/fontconfig(/.*)?
303 /usr/lib/fontconfig/cache(/.*)?
304 fusefs_t
306 /var/run/user/[^/]*/gvfs
308 gconf_home_t
310 /root/.local.*
312 /root/.gconf(d)?(/.*)?
313 /home/[^/]+/.local.*
314 /home/[^/]+/.gconf(d)?(/.*)?
315 gnome_home_type
317 initrc_var_run_t
320 /var/run/utmp
322 /var/run/random-seed
323 /var/run/runlevel.dir
324 /var/run/setmixer_flag
325 kdbusfs_t
327 krb5_host_rcache_t
330 /var/cache/krb5rcache(/.*)?
332 /var/tmp/nfs_0
333 /var/tmp/DNS_25
334 /var/tmp/host_0
335 /var/tmp/imap_0
336 /var/tmp/HTTP_23
337 /var/tmp/HTTP_48
338 /var/tmp/ldap_55
339 /var/tmp/ldap_487
340 /var/tmp/ldapmap1_0
341 lastlog_t
343 /var/log/lastlog.*
345 locale_t
347 /etc/locale.conf
349 /etc/vconsole.conf
350 /usr/lib/locale(/.*)?
351 /usr/share/locale(/.*)?
352 /usr/share/zoneinfo(/.*)?
353 /usr/share/X11/locale(/.*)?
354 /etc/timezone
355 /etc/localtime
356 /etc/sysconfig/clock
357 /etc/avahi/etc/localtime
358 /var/empty/sshd/etc/localtime
359 /var/named/chroot/etc/localtime
360 /var/spool/postfix/etc/localtime
361 nfs_t
363 pam_var_console_t
366 /var/run/console(/.*)?
368 pam_var_run_t
370 /var/(db|adm)/sudo(/.*)?
372 /var/lib/sudo(/.*)?
373 /var/run/sudo(/.*)?
374 /var/run/motd.d(/.*)?
375 /var/run/sepermit(/.*)?
376 /var/run/pam_mount(/.*)?
377 /var/run/motd
378 security_t
380 /selinux
382 sysfs_t
384 /sys(/.*)?
386 systemd_passwd_var_run_t
388 /var/run/systemd/ask-password(/.*)?
390 /var/run/systemd/ask-password-block(/.*)?
391 user_fonts_t
393 /root/.fonts(/.*)?
395 /tmp/.font-unix(/.*)?
396 /home/[^/]+/.fonts(/.*)?
397 /home/[^/]+/.local/share/fonts(/.*)?
398 user_tmp_t
400 /dev/shm/mono.*
402 /var/run/user(/.*)?
403 /tmp/.ICE-unix(/.*)?
404 /tmp/.X11-unix(/.*)?
405 /dev/shm/pulse-shm.*
406 /tmp/.X0-lock
407 /tmp/hsperfdata_root
408 /var/tmp/hsperfdata_root
409 /home/[^/]+/tmp
410 /home/[^/]+/.tmp
411 /tmp/gconfd-[^/]+
412 user_tmp_type
414 all user tmp files
416 var_auth_t
418 /var/ace(/.*)?
420 /var/rsa(/.*)?
421 /var/lib/abl(/.*)?
422 /var/lib/rsa(/.*)?
423 /var/lib/pam_ssh(/.*)?
424 /var/run/pam_ssh(/.*)?
425 /var/lib/pam_shield(/.*)?
426 /var/opt/quest/vas/vasd(/.*)?
427 /var/lib/google-authenticator(/.*)?
428 wtmp_t
430 /var/log/wtmp.*
432 xauth_home_t
434 /root/.Xauth.*
436 /root/.xauth.*
437 /root/.Xauthority.*
438 /root/.serverauth.*
439 /var/lib/pqsql/.xauth.*
440 /var/lib/pqsql/.Xauthority.*
441 /var/lib/nxserver/home/.xauth.*
442 /var/lib/nxserver/home/.Xauthority.*
443 /home/[^/]+/.Xauth.*
444 /home/[^/]+/.xauth.*
445 /home/[^/]+/.Xauthority.*
446 /home/[^/]+/.serverauth.*
447 xdm_home_t
449 /root/.dmrc.*
451 /root/.wayland-errors.*
452 /root/.xsession-errors.*
453 /home/[^/]+/.dmrc.*
454 /home/[^/]+/.cache/gdm(/.*)?
455 /home/[^/]+/.wayland-errors.*
456 /home/[^/]+/.xsession-errors.*
457 /home/[^/]+/.local/share/xorg(/.*)?
458 xdm_lock_t
460 xdm_log_t
463 /var/log/[mkwx]dm.log.*
465 /var/log/mdm(/.*)?
466 /var/log/lxdm.log.*
467 /var/log/slim.log.*
468 xdm_rw_etc_t
470 /etc/X11/wdm(/.*)?
472 /etc/opt/VirtualGL(/.*)?
473 xdm_spool_t
475 /var/spool/[mg]dm(/.*)?
477 xdm_tmpfs_t
479 xdm_var_lib_t
482 /var/lib/[mxkwg]dm(/.*)?
484 /var/cache/[mg]dm(/.*)?
485 /var/lib/gdm(3)?(/.*)?
486 /var/lib/lxdm(/.*)?
487 /var/lib/sddm(/.*)?
488 /var/lib/lightdm(/.*)?
489 /var/cache/lightdm(/.*)?
490 /var/lib/lightdm-data(/.*)?
491 xdm_var_run_t
493 /etc/kde[34]?/kdm/backgroundrc
495 /var/run/[kgm]dm(/.*)?
496 /var/run/gdm(3)?.pid
497 /var/run/gdm(3)?(/.*)?
498 /usr/lib/qt-.*/etc/settings(/.*)?
499 /var/run/slim.*
500 /var/run/lxdm(/.*)?
501 /var/run/sddm(/.*)?
502 /var/run/xauth(/.*)?
503 /var/run/xdmctl(/.*)?
504 /var/run/lightdm(/.*)?
505 /var/run/systemd/multi-session-x(/.*)?
506 /var/run/xdm.pid
507 /var/run/lxdm.pid
508 /var/run/lxdm.auth
509 /var/run/gdm_socket
510 xkb_var_lib_t
512 /var/lib/xkb(/.*)?
514 /usr/X11R6/lib/X11/xkb/.*
515 /usr/X11R6/lib/X11/xkb
516 xserver_log_t
518 /var/[xgkw]dm(/.*)?
520 /usr/var/[xgkw]dm(/.*)?
521 /var/log/gdm(3)?(/.*)?
522 /var/log/Xorg.*
523 /var/log/XFree86.*
524 /var/log/lightdm(/.*)?
525 /var/log/nvidia-installer.log.*
526 xserver_tmpfs_t
528
532 SELinux requires files to have an extended attribute to define the file
533 type.
534 You can see the context of a file using the -Z option to ls
536 Policy governs the access confined processes have to these files.
538 SELinux xdm policy is very flexible allowing users to setup their xdm
539 processes in as secure a method as possible.
540 EQUIVALENCE DIRECTORIES
542 xdm policy stores data with multiple different file context types under
545 the /var/lib/lightdm directory. If you would like to store the data in
546 a different directory you can use the semanage command to create an
547 equivalence mapping. If you wanted to store this data under the /srv
548 dirctory you would execute the following command:
549 semanage fcontext -a -e /var/lib/lightdm /srv/lightdm
551 restorecon -R -v /srv/lightdm
552 xdm policy stores data with multiple different file context types under
554 the /var/run/gdm(3)? directory. If you would like to store the data in
555 a different directory you can use the semanage command to create an
556 equivalence mapping. If you wanted to store this data under the /srv
557 dirctory you would execute the following command:
558 semanage fcontext -a -e /var/run/gdm(3)? /srv/gdm(3)?
560 restorecon -R -v /srv/gdm(3)?
561 xdm policy stores data with multiple different file context types under
563 the /var/run/lxdm directory. If you would like to store the data in a
564 different directory you can use the semanage command to create an
565 equivalence mapping. If you wanted to store this data under the /srv
566 dirctory you would execute the following command:
567 semanage fcontext -a -e /var/run/lxdm /srv/lxdm
569 restorecon -R -v /srv/lxdm
570 STANDARD FILE CONTEXT
572 SELinux defines the file context types for the xdm, if you wanted to
574 store files with these types in a diffent paths, you need to execute
575 the semanage command to sepecify alternate labeling and then use
576 restorecon to put the labels on disk.
577 semanage fcontext -a -t xdm_log_t '/srv/myxdm_content(/.*)?'
579 restorecon -R -v /srv/myxdm_content
580 Note: SELinux often uses regular expressions to specify labels that
582 match multiple files.
583 The following file types are defined for xdm:
585 xdm_etc_t
589 - Set files with the xdm_etc_t type, if you want to store xdm files in
591 the /etc directories.
592 xdm_exec_t
596 - Set files with the xdm_exec_t type, if you want to transition an exe‐
598 cutable to the xdm_t domain.
599 Paths:
602 /usr/s?bin/nodm, /usr/s?bin/gdm(3)?, /usr/s?bin/lightdm*,
603 /usr/s?bin/[mxgkw]dm, /usr/s?bin/gdm-binary,
604 /usr/s?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm,
605 /usr/bin/razor-lightdm-.*, /usr/bin/sddm, /usr/bin/slim,
606 /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-binary,
607 /usr/bin/sddm-greeter, /etc/rc.d/init.d/x11-common,
608 /usr/libexec/gdm-disable-wayland
609 xdm_home_t
612 - Set files with the xdm_home_t type, if you want to store xdm files in
614 the users home directory.
615 Paths:
618 /root/.dmrc.*, /root/.wayland-errors.*, /root/.xsession-errors.*,
619 /home/[^/]+/.dmrc.*, /home/[^/]+/.cache/gdm(/.*)?,
620 /home/[^/]+/.wayland-errors.*, /home/[^/]+/.xsession-errors.*,
621 /home/[^/]+/.local/share/xorg(/.*)?
622 xdm_lock_t
625 - Set files with the xdm_lock_t type, if you want to treat the files as
627 xdm lock data, stored under the /var/lock directory
628 xdm_log_t
632 - Set files with the xdm_log_t type, if you want to treat the data as
634 xdm log data, usually stored under the /var/log directory.
635 Paths:
638 /var/log/[mkwx]dm.log.*, /var/log/mdm(/.*)?, /var/log/lxdm.log.*,
639 /var/log/slim.log.*
640 xdm_rw_etc_t
643 - Set files with the xdm_rw_etc_t type, if you want to store xdm rw
645 files in the /etc directories.
646 Paths:
649 /etc/X11/wdm(/.*)?, /etc/opt/VirtualGL(/.*)?
650 xdm_spool_t
653 - Set files with the xdm_spool_t type, if you want to store the xdm
655 files under the /var/spool directory.
656 xdm_tmpfs_t
660 - Set files with the xdm_tmpfs_t type, if you want to store xdm files
662 on a tmpfs file system.
663 xdm_unconfined_exec_t
667 - Set files with the xdm_unconfined_exec_t type, if you want to transi‐
669 tion an executable to the xdm_unconfined_t domain.
670 Paths:
673 /etc/[mg]dm/Init(/.*)?, /etc/[mg]dm/PostLogin(/.*)?,
674 /etc/[mg]dm/PreSession(/.*)?, /etc/[mg]dm/PostSession(/.*)?
675 xdm_unit_file_t
678 - Set files with the xdm_unit_file_t type, if you want to treat the
680 files as xdm unit content.
681 xdm_var_lib_t
685 - Set files with the xdm_var_lib_t type, if you want to store the xdm
687 files under the /var/lib directory.
688 Paths:
691 /var/lib/[mxkwg]dm(/.*)?, /var/cache/[mg]dm(/.*)?,
692 /var/lib/gdm(3)?(/.*)?, /var/lib/lxdm(/.*)?, /var/lib/sddm(/.*)?,
693 /var/lib/lightdm(/.*)?, /var/cache/lightdm(/.*)?,
694 /var/lib/lightdm-data(/.*)?
695 xdm_var_run_t
698 - Set files with the xdm_var_run_t type, if you want to store the xdm
700 files under the /run or /var/run directory.
701 Paths:
704 /etc/kde[34]?/kdm/backgroundrc, /var/run/[kgm]dm(/.*)?,
705 /var/run/gdm(3)?.pid, /var/run/gdm(3)?(/.*)?,
706 /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/slim.*,
707 /var/run/lxdm(/.*)?, /var/run/sddm(/.*)?, /var/run/xauth(/.*)?,
708 /var/run/xdmctl(/.*)?, /var/run/lightdm(/.*)?, /var/run/sys‐
709 temd/multi-session-x(/.*)?, /var/run/xdm.pid, /var/run/lxdm.pid,
710 /var/run/lxdm.auth, /var/run/gdm_socket
711 Note: File context can be temporarily modified with the chcon command.
714 If you want to permanently change the file context you need to use the
715 semanage fcontext command. This will modify the SELinux labeling data‐
716 base. You will need to use restorecon to apply the labels.
717
720 semanage fcontext can also be used to manipulate default file context
721 mappings.
722 semanage permissive can also be used to manipulate whether or not a
724 process type is permissive.
725 semanage module can also be used to enable/disable/install/remove pol‐
727 icy modules.
728 semanage port can also be used to manipulate the port definitions
730 semanage boolean can also be used to manipulate the booleans
732 system-config-selinux is a GUI tool available to customize SELinux pol‐
735 icy settings.
736
739 This manual page was auto-generated using sepolicy manpage .
740
743 selinux(8), xdm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
744 setsebool(8), xdm_unconfined_selinux(8), xdm_unconfined_selinux(8)
745xdm 19-12-02 xdm_selinux(8)