1devicekit_disk_selinux(8)SELinux Policy devicekit_diskdevicekit_disk_selinux(8)
2
3
4

NAME

6       devicekit_disk_selinux  -  Security  Enhanced  Linux Policy for the de‐
7       vicekit_disk processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the devicekit_disk processes via flexi‐
11       ble mandatory access control.
12
13       The  devicekit_disk processes execute with the devicekit_disk_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep devicekit_disk_t
20
21
22

ENTRYPOINTS

24       The   devicekit_disk_t   SELinux  type  can  be  entered  via  the  de‐
25       vicekit_disk_exec_t file type.
26
27       The default entrypoint paths for the devicekit_disk_t  domain  are  the
28       following:
29
30       /lib/udisks2/udisksd,   /lib/udev/udisks-part-id,  /usr/lib/udisks2/ud‐
31       isksd,    /usr/libexec/udisks-daemon,     /usr/lib/udev/udisks-part-id,
32       /usr/libexec/udisks2/udisksd,            /usr/lib/udisks/udisks-daemon,
33       /usr/libexec/devkit-disks-daemon
34

PROCESS TYPES

36       SELinux defines process types (domains) for each process running on the
37       system
38
39       You can see the context of a process using the -Z option to ps
40
41       Policy  governs  the  access confined processes have to files.  SELinux
42       devicekit_disk policy is very flexible allowing users  to  setup  their
43       devicekit_disk processes in as secure a method as possible.
44
45       The following process types are defined for devicekit_disk:
46
47       devicekit_disk_t
48
49       Note:  semanage  permissive -a devicekit_disk_t can be used to make the
50       process type devicekit_disk_t permissive. SELinux does not deny  access
51       to permissive process types, but the AVC (SELinux denials) messages are
52       still generated.
53
54

BOOLEANS

56       SELinux policy is customizable based on  least  access  required.   de‐
57       vicekit_disk policy is extremely flexible and has several booleans that
58       allow you to manipulate the policy  and  run  devicekit_disk  with  the
59       tightest access possible.
60
61
62
63       If you want to deny user domains applications to map a memory region as
64       both executable and writable, this  is  dangerous  and  the  executable
65       should be reported in bugzilla, you must turn on the deny_execmem bool‐
66       ean. Enabled by default.
67
68       setsebool -P deny_execmem 1
69
70
71
72       If you want to control the ability to mmap a low area  of  the  address
73       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
74       the mmap_low_allowed boolean. Disabled by default.
75
76       setsebool -P mmap_low_allowed 1
77
78
79
80       If you want to disable kernel module loading, you must turn on the  se‐
81       cure_mode_insmod boolean. Enabled by default.
82
83       setsebool -P secure_mode_insmod 1
84
85
86
87       If  you  want to allow unconfined executables to make their heap memory
88       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
89       badly  coded  executable, but could indicate an attack. This executable
90       should be reported in bugzilla, you must turn  on  the  selinuxuser_ex‐
91       echeap boolean. Disabled by default.
92
93       setsebool -P selinuxuser_execheap 1
94
95
96
97       If  you  want  to allow unconfined executables to make their stack exe‐
98       cutable.  This should never, ever be necessary.  Probably  indicates  a
99       badly  coded  executable, but could indicate an attack. This executable
100       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
101       stack boolean. Enabled by default.
102
103       setsebool -P selinuxuser_execstack 1
104
105
106

MANAGED FILES

108       The SELinux process type devicekit_disk_t can manage files labeled with
109       the following file types.  The paths listed are the default  paths  for
110       these  file  types.  Note the processes UID still need to have DAC per‐
111       missions.
112
113       file_type
114
115            all files on the system
116
117

FILE CONTEXTS

119       SELinux requires files to have an extended attribute to define the file
120       type.
121
122       You can see the context of a file using the -Z option to ls
123
124       Policy  governs  the  access  confined  processes  have to these files.
125       SELinux devicekit_disk policy is very flexible allowing users to  setup
126       their devicekit_disk processes in as secure a method as possible.
127
128       The following file types are defined for devicekit_disk:
129
130
131
132       devicekit_disk_exec_t
133
134       - Set files with the devicekit_disk_exec_t type, if you want to transi‐
135       tion an executable to the devicekit_disk_t domain.
136
137
138       Paths:
139            /lib/udisks2/udisksd,    /lib/udev/udisks-part-id,    /usr/lib/ud‐
140            isks2/udisksd,  /usr/libexec/udisks-daemon,  /usr/lib/udev/udisks-
141            part-id, /usr/libexec/udisks2/udisksd, /usr/lib/udisks/udisks-dae‐
142            mon, /usr/libexec/devkit-disks-daemon
143
144
145       Note:  File context can be temporarily modified with the chcon command.
146       If you want to permanently change the file context you need to use  the
147       semanage fcontext command.  This will modify the SELinux labeling data‐
148       base.  You will need to use restorecon to apply the labels.
149
150

COMMANDS

152       semanage fcontext can also be used to manipulate default  file  context
153       mappings.
154
155       semanage  permissive  can  also  be used to manipulate whether or not a
156       process type is permissive.
157
158       semanage module can also be used to enable/disable/install/remove  pol‐
159       icy modules.
160
161       semanage boolean can also be used to manipulate the booleans
162
163
164       system-config-selinux is a GUI tool available to customize SELinux pol‐
165       icy settings.
166
167

AUTHOR

169       This manual page was auto-generated using sepolicy manpage .
170
171

SEE ALSO

173       selinux(8), devicekit_disk(8),  semanage(8),  restorecon(8),  chcon(1),
174       sepolicy(8), setsebool(8)
175
176
177
178devicekit_disk                     21-06-09          devicekit_disk_selinux(8)
Impressum