1kpatch_selinux(8)            SELinux Policy kpatch           kpatch_selinux(8)
2
3
4

NAME

6       kpatch_selinux  -  Security  Enhanced  Linux Policy for the kpatch pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  kpatch  processes  via  flexible
11       mandatory access control.
12
13       The  kpatch  processes  execute with the kpatch_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep kpatch_t
20
21
22

ENTRYPOINTS

24       The  kpatch_t  SELinux  type  can be entered via the kpatch_exec_t file
25       type.
26
27       The default entrypoint paths for the kpatch_t domain are the following:
28
29       /usr/sbin/kpatch
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       kpatch policy is very flexible allowing users  to  setup  their  kpatch
39       processes in as secure a method as possible.
40
41       The following process types are defined for kpatch:
42
43       kpatch_t
44
45       Note:  semanage  permissive -a kpatch_t can be used to make the process
46       type kpatch_t permissive. SELinux does not deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least access required.   kpatch
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run kpatch with the tightest access possible.
55
56
57
58       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
59       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
60       Enabled by default.
61
62       setsebool -P daemons_dontaudit_scheduling 1
63
64
65
66       If you want to deny user domains applications to map a memory region as
67       both  executable  and  writable,  this  is dangerous and the executable
68       should be reported in bugzilla, you must turn on the deny_execmem bool‐
69       ean. Disabled by default.
70
71       setsebool -P deny_execmem 1
72
73
74
75       If  you  want  to control the ability to mmap a low area of the address
76       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
77       the mmap_low_allowed boolean. Disabled by default.
78
79       setsebool -P mmap_low_allowed 1
80
81
82
83       If  you  want  to  allow  system  to run with NIS, you must turn on the
84       nis_enabled boolean. Disabled by default.
85
86       setsebool -P nis_enabled 1
87
88
89
90       If you want to disable kernel module loading, you must turn on the  se‐
91       cure_mode_insmod boolean. Disabled by default.
92
93       setsebool -P secure_mode_insmod 1
94
95
96
97       If  you  want to allow unconfined executables to make their heap memory
98       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
99       badly  coded  executable, but could indicate an attack. This executable
100       should be reported in bugzilla, you must turn  on  the  selinuxuser_ex‐
101       echeap boolean. Disabled by default.
102
103       setsebool -P selinuxuser_execheap 1
104
105
106
107       If  you  want  to allow unconfined executables to make their stack exe‐
108       cutable.  This should never, ever be necessary.  Probably  indicates  a
109       badly  coded  executable, but could indicate an attack. This executable
110       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
111       stack boolean. Enabled by default.
112
113       setsebool -P selinuxuser_execstack 1
114
115
116

MANAGED FILES

118       The  SELinux  process  type  kpatch_t can manage files labeled with the
119       following file types.  The paths listed are the default paths for these
120       file types.  Note the processes UID still need to have DAC permissions.
121
122       file_type
123
124            all files on the system
125
126

FILE CONTEXTS

128       SELinux requires files to have an extended attribute to define the file
129       type.
130
131       You can see the context of a file using the -Z option to ls
132
133       Policy governs the access  confined  processes  have  to  these  files.
134       SELinux  kpatch  policy  is very flexible allowing users to setup their
135       kpatch processes in as secure a method as possible.
136
137       STANDARD FILE CONTEXT
138
139       SELinux defines the file context types for the kpatch, if you wanted to
140       store  files with these types in a different paths, you need to execute
141       the semanage command to specify alternate labeling  and  then  use  re‐
142       storecon to put the labels on disk.
143
144       semanage fcontext -a -t kpatch_exec_t '/srv/kpatch/content(/.*)?'
145       restorecon -R -v /srv/mykpatch_content
146
147       Note:  SELinux  often  uses  regular expressions to specify labels that
148       match multiple files.
149
150       The following file types are defined for kpatch:
151
152
153
154       kpatch_exec_t
155
156       - Set files with the kpatch_exec_t type, if you want to  transition  an
157       executable to the kpatch_t domain.
158
159
160
161       kpatch_var_lib_t
162
163       -  Set  files  with the kpatch_var_lib_t type, if you want to store the
164       kpatch files under the /var/lib directory.
165
166
167
168       Note: File context can be temporarily modified with the chcon  command.
169       If  you want to permanently change the file context you need to use the
170       semanage fcontext command.  This will modify the SELinux labeling data‐
171       base.  You will need to use restorecon to apply the labels.
172
173

COMMANDS

175       semanage  fcontext  can also be used to manipulate default file context
176       mappings.
177
178       semanage permissive can also be used to manipulate  whether  or  not  a
179       process type is permissive.
180
181       semanage  module can also be used to enable/disable/install/remove pol‐
182       icy modules.
183
184       semanage boolean can also be used to manipulate the booleans
185
186
187       system-config-selinux is a GUI tool available to customize SELinux pol‐
188       icy settings.
189
190

AUTHOR

192       This manual page was auto-generated using sepolicy manpage .
193
194

SEE ALSO

196       selinux(8),  kpatch(8),  semanage(8),  restorecon(8),  chcon(1), sepol‐
197       icy(8), setsebool(8)
198
199
200
201kpatch                             23-10-20                  kpatch_selinux(8)
Impressum