1colord_selinux(8) SELinux Policy colord colord_selinux(8)
2
6 colord_selinux - Security Enhanced Linux Policy for the colord pro‐
7 cesses
8
10 Security-Enhanced Linux secures the colord processes via flexible
11 mandatory access control.
12 The colord processes execute with the colord_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep colord_t
20
24 The colord_t SELinux type can be entered via the colord_exec_t file
25 type.
26 The default entrypoint paths for the colord_t domain are the following:
28 /usr/lib/[^/]*/colord/colord, /usr/lib/[^/]*/colord/colord-sane,
30 /usr/libexec/colord, /usr/lib/colord/colord, /usr/libexec/colord-sane,
31 /usr/lib/colord/colord-sane
32
34 SELinux defines process types (domains) for each process running on the
35 system
36 You can see the context of a process using the -Z option to ps
38 Policy governs the access confined processes have to files. SELinux
40 colord policy is very flexible allowing users to setup their colord
41 processes in as secure a method as possible.
42 The following process types are defined for colord:
44 colord_t
46 Note: semanage permissive -a colord_t can be used to make the process
48 type colord_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
54 SELinux policy is customizable based on least access required. colord
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run colord with the tightest access possible.
57 If you want to determine whether Colord can access nfs file systems,
61 you must turn on the colord_use_nfs boolean. Disabled by default.
62 setsebool -P colord_use_nfs 1
64 If you want to dontaudit all daemons scheduling requests (setsched,
68 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
69 Enabled by default.
70 setsebool -P daemons_dontaudit_scheduling 1
72 If you want to allow all domains to execute in fips_mode, you must turn
76 on the fips_mode boolean. Enabled by default.
77 setsebool -P fips_mode 1
79 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84 setsebool -P nis_enabled 1
86 If you want to support ecryptfs home directories, you must turn on the
90 use_ecryptfs_home_dirs boolean. Disabled by default.
91 setsebool -P use_ecryptfs_home_dirs 1
93
97 The SELinux process type colord_t can manage files labeled with the
98 following file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100 cluster_conf_t
102 /etc/cluster(/.*)?
104 cluster_var_lib_t
106 /var/lib/pcsd(/.*)?
108 /var/lib/cluster(/.*)?
109 /var/lib/openais(/.*)?
110 /var/lib/pengine(/.*)?
111 /var/lib/corosync(/.*)?
112 /usr/lib/heartbeat(/.*)?
113 /var/lib/heartbeat(/.*)?
114 /var/lib/pacemaker(/.*)?
115 cluster_var_run_t
117 /var/run/crm(/.*)?
119 /var/run/cman_.*
120 /var/run/rsctmp(/.*)?
121 /var/run/aisexec.*
122 /var/run/heartbeat(/.*)?
123 /var/run/pcsd-ruby.socket
124 /var/run/corosync-qnetd(/.*)?
125 /var/run/corosync-qdevice(/.*)?
126 /var/run/corosync.pid
127 /var/run/cpglockd.pid
128 /var/run/rgmanager.pid
129 /var/run/cluster/rgmanager.sk
130 colord_tmp_t
132 colord_tmpfs_t
135 colord_var_lib_t
138 /var/lib/color(/.*)?
140 /var/lib/colord(/.*)?
141 krb5_host_rcache_t
143 /var/tmp/krb5_0.rcache2
145 /var/cache/krb5rcache(/.*)?
146 /var/tmp/nfs_0
147 /var/tmp/DNS_25
148 /var/tmp/host_0
149 /var/tmp/imap_0
150 /var/tmp/HTTP_23
151 /var/tmp/HTTP_48
152 /var/tmp/ldap_55
153 /var/tmp/ldap_487
154 /var/tmp/ldapmap1_0
155 root_t
157 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
159 /
160 /initrd
161 systemd_hwdb_etc_t
163 /etc/udev/.*hwdb.*
165 zoneminder_tmpfs_t
167
171 SELinux requires files to have an extended attribute to define the file
172 type.
173 You can see the context of a file using the -Z option to ls
175 Policy governs the access confined processes have to these files.
177 SELinux colord policy is very flexible allowing users to setup their
178 colord processes in as secure a method as possible.
179 EQUIVALENCE DIRECTORIES
181 colord policy stores data with multiple different file context types
184 under the /var/lib/color directory. If you would like to store the
185 data in a different directory you can use the semanage command to cre‐
186 ate an equivalence mapping. If you wanted to store this data under the
187 /srv directory you would execute the following command:
188 semanage fcontext -a -e /var/lib/color /srv/color
190 restorecon -R -v /srv/color
191 STANDARD FILE CONTEXT
193 SELinux defines the file context types for the colord, if you wanted to
195 store files with these types in a different paths, you need to execute
196 the semanage command to specify alternate labeling and then use re‐
197 storecon to put the labels on disk.
198 semanage fcontext -a -t colord_exec_t '/srv/colord/content(/.*)?'
200 restorecon -R -v /srv/mycolord_content
201 Note: SELinux often uses regular expressions to specify labels that
203 match multiple files.
204 The following file types are defined for colord:
206 colord_exec_t
210 - Set files with the colord_exec_t type, if you want to transition an
212 executable to the colord_t domain.
213 Paths:
216 /usr/lib/[^/]*/colord/colord, /usr/lib/[^/]*/colord/colord-sane,
217 /usr/libexec/colord, /usr/lib/colord/colord, /usr/libexec/colord-
218 sane, /usr/lib/colord/colord-sane
219 colord_tmp_t
222 - Set files with the colord_tmp_t type, if you want to store colord
224 temporary files in the /tmp directories.
225 colord_tmpfs_t
229 - Set files with the colord_tmpfs_t type, if you want to store colord
231 files on a tmpfs file system.
232 colord_unit_file_t
236 - Set files with the colord_unit_file_t type, if you want to treat the
238 files as colord unit content.
239 colord_var_lib_t
243 - Set files with the colord_var_lib_t type, if you want to store the
245 colord files under the /var/lib directory.
246 Paths:
249 /var/lib/color(/.*)?, /var/lib/colord(/.*)?
250 Note: File context can be temporarily modified with the chcon command.
253 If you want to permanently change the file context you need to use the
254 semanage fcontext command. This will modify the SELinux labeling data‐
255 base. You will need to use restorecon to apply the labels.
256
259 semanage fcontext can also be used to manipulate default file context
260 mappings.
261 semanage permissive can also be used to manipulate whether or not a
263 process type is permissive.
264 semanage module can also be used to enable/disable/install/remove pol‐
266 icy modules.
267 semanage boolean can also be used to manipulate the booleans
269 system-config-selinux is a GUI tool available to customize SELinux pol‐
272 icy settings.
273
276 This manual page was auto-generated using sepolicy manpage .
277
280 selinux(8), colord(8), semanage(8), restorecon(8), chcon(1), sepol‐
281 icy(8), setsebool(8)
282colord 23-12-15 colord_selinux(8)