1unconfined_selinux(8)unconfined SELinux Policy documentatiounnconfined_selinux(8)
2
3
4

NAME

6       unconfined_r - Unconfined user role - Security Enhanced Linux Policy
7
8

DESCRIPTION

10       SELinux  supports  Roles  Based Access Control (RBAC), some Linux roles
11       are login roles, while other roles need to be transition into.
12
13       Note: Examples in this man page will use the staff_u SELinux user.
14
15       Non login roles are usually used for administrative tasks. For example,
16       tasks  that  require root privileges.  Roles control which types a user
17       can run processes with. Roles often  have  default  types  assigned  to
18       them.
19
20       The default type for the unconfined_r role is unconfined_t.
21
22       The newrole program to transition directly to this role.
23
24       newrole -r unconfined_r -t unconfined_t
25
26       sudo is the preferred method to do transition from one role to another.
27       You setup sudo to transition to unconfined_r by adding a  similar  line
28       to the /etc/sudoers file.
29
30       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
31
32       sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
33
34       When  using  a  non  login role, you need to setup SELinux so that your
35       SELinux user can reach unconfined_r role.
36
37       Execute the following to see all of the assigned SELinux roles:
38
39       semanage user -l
40
41       You need to add unconfined_r to the staff_u user.  You could setup  the
42       staff_u  user  to  be  able to use the unconfined_r role with a command
43       like:
44
45       $ semanage user -m -R 'staff_r system_r unconfined_r' staff_u
46
47
48

BOOLEANS

50       SELinux policy is customizable based on least access required.   uncon‐
51       fined  policy is extremely flexible and has several booleans that allow
52       you to manipulate the policy  and  run  unconfined  with  the  tightest
53       access possible.
54
55
56
57       If  you  want to allow a unconfined user to dynamically transition to a
58       new context using setcon, you must turn on the  unconfined_dyntrans_all
59       boolean. Disabled by default.
60
61       setsebool -P unconfined_dyntrans_all 1
62
63
64
65       If  you  want  to  determine whether crond can execute jobs in the user
66       domain as opposed to the the generic cronjob domain, you must  turn  on
67       the cron_userdomain_transition boolean. Enabled by default.
68
69       setsebool -P cron_userdomain_transition 1
70
71
72
73       If you want to deny user domains applications to map a memory region as
74       both executable and writable, this  is  dangerous  and  the  executable
75       should be reported in bugzilla, you must turn on the deny_execmem bool‐
76       ean. Enabled by default.
77
78       setsebool -P deny_execmem 1
79
80
81
82       If you want to control the ability to mmap a low area  of  the  address
83       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
84       the mmap_low_allowed boolean. Disabled by default.
85
86       setsebool -P mmap_low_allowed 1
87
88
89
90       If you want to disable kernel module loading,  you  must  turn  on  the
91       secure_mode_insmod boolean. Enabled by default.
92
93       setsebool -P secure_mode_insmod 1
94
95
96
97       If  you  want to allow unconfined executables to make their heap memory
98       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
99       badly  coded  executable, but could indicate an attack. This executable
100       should  be  reported  in  bugzilla,  you  must  turn  on   the   selin‐
101       uxuser_execheap boolean. Disabled by default.
102
103       setsebool -P selinuxuser_execheap 1
104
105
106
107       If  you  want  to allow unconfined executables to make their stack exe‐
108       cutable.  This should never, ever be necessary.  Probably  indicates  a
109       badly  coded  executable, but could indicate an attack. This executable
110       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
111       stack boolean. Disabled by default.
112
113       setsebool -P selinuxuser_execstack 1
114
115
116

MANAGED FILES

118       The SELinux process type unconfined_t can manage files labeled with the
119       following file types.  The paths listed are the default paths for these
120       file types.  Note the processes UID still need to have DAC permissions.
121
122       file_type
123
124            all files on the system
125
126

COMMANDS

128       semanage  fcontext  can also be used to manipulate default file context
129       mappings.
130
131       semanage permissive can also be used to manipulate  whether  or  not  a
132       process type is permissive.
133
134       semanage  module can also be used to enable/disable/install/remove pol‐
135       icy modules.
136
137       semanage boolean can also be used to manipulate the booleans
138
139
140       system-config-selinux is a GUI tool available to customize SELinux pol‐
141       icy settings.
142
143

AUTHOR

145       This manual page was auto-generated using sepolicy manpage .
146
147

SEE ALSO

149       selinux(8), unconfined(8), semanage(8), restorecon(8), chcon(1), sepol‐
150       icy(8),     setsebool(8),     unconfined_cronjob_selinux(8),     uncon‐
151       fined_dbusd_selinux(8),       unconfined_mount_selinux(8),       uncon‐
152       fined_munin_plugin_selinux(8),  unconfined_sendmail_selinux(8),  uncon‐
153       fined_service_selinux(8)
154
155
156
157mgrepl@redhat.com                 unconfined             unconfined_selinux(8)
Impressum