1anaconda_selinux(8) SELinux Policy anaconda anaconda_selinux(8)
2
6 anaconda_selinux - Security Enhanced Linux Policy for the anaconda pro‐
7 cesses
8
10 Security-Enhanced Linux secures the anaconda processes via flexible
11 mandatory access control.
12 The anaconda processes execute with the anaconda_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16 For example:
18 ps -eZ | grep anaconda_t
20
24 The anaconda_t SELinux type can be entered via the file_type, unla‐
25 beled_t, proc_type, filesystem_type, mtrr_device_t, sysctl_type file
26 types.
27 The default entrypoint paths for the anaconda_t domain are the follow‐
29 ing:
30 all files on the system, /dev/cpu/mtrr
32
34 SELinux defines process types (domains) for each process running on the
35 system
36 You can see the context of a process using the -Z option to ps
38 Policy governs the access confined processes have to files. SELinux
40 anaconda policy is very flexible allowing users to setup their anaconda
41 processes in as secure a method as possible.
42 The following process types are defined for anaconda:
44 anaconda_t
46 Note: semanage permissive -a anaconda_t can be used to make the process
48 type anaconda_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
54 SELinux policy is customizable based on least access required. ana‐
55 conda policy is extremely flexible and has several booleans that allow
56 you to manipulate the policy and run anaconda with the tightest access
57 possible.
58 If you want to allow all domains to use other domains file descriptors,
62 you must turn on the allow_domain_fd_use boolean. Enabled by default.
63 setsebool -P allow_domain_fd_use 1
65 If you want to allow unconfined executables to make their heap memory
69 executable. Doing this is a really bad idea. Probably indicates a
70 badly coded executable, but could indicate an attack. This executable
71 should be reported in bugzilla, you must turn on the allow_execheap
72 boolean. Disabled by default.
73 setsebool -P allow_execheap 1
75 If you want to allow unconfined executables to map a memory region as
79 both executable and writable, this is dangerous and the executable
80 should be reported in bugzilla), you must turn on the allow_execmem
81 boolean. Enabled by default.
82 setsebool -P allow_execmem 1
84 If you want to allow all unconfined executables to use libraries
88 requiring text relocation that are not labeled textrel_shlib_t), you
89 must turn on the allow_execmod boolean. Enabled by default.
90 setsebool -P allow_execmod 1
92 If you want to allow unconfined executables to make their stack exe‐
96 cutable. This should never, ever be necessary. Probably indicates a
97 badly coded executable, but could indicate an attack. This executable
98 should be reported in bugzilla), you must turn on the allow_execstack
99 boolean. Enabled by default.
100 setsebool -P allow_execstack 1
102 If you want to allow sysadm to debug or ptrace all processes, you must
106 turn on the allow_ptrace boolean. Disabled by default.
107 setsebool -P allow_ptrace 1
109 If you want to allow all domains to have the kernel load modules, you
113 must turn on the domain_kernel_load_modules boolean. Disabled by
114 default.
115 setsebool -P domain_kernel_load_modules 1
117 If you want to allow all domains to execute in fips_mode, you must turn
121 on the fips_mode boolean. Enabled by default.
122 setsebool -P fips_mode 1
124 If you want to enable reading of urandom for all domains, you must turn
128 on the global_ssp boolean. Disabled by default.
129 setsebool -P global_ssp 1
131 If you want to allow certain domains to map low memory in the kernel,
135 you must turn on the mmap_low_allowed boolean. Disabled by default.
136 setsebool -P mmap_low_allowed 1
138 If you want to disable transitions to insmod, you must turn on the
142 secure_mode_insmod boolean. Disabled by default.
143 setsebool -P secure_mode_insmod 1
145 If you want to boolean to determine whether the system permits loading
149 policy, setting enforcing mode, and changing boolean values. Set this
150 to true and you have to reboot to set it back, you must turn on the
151 secure_mode_policyload boolean. Disabled by default.
152 setsebool -P secure_mode_policyload 1
154 If you want to support X userspace object manager, you must turn on the
158 xserver_object_manager boolean. Disabled by default.
159 setsebool -P xserver_object_manager 1
161
165 The SELinux process type anaconda_t can manage files labeled with the
166 following file types. The paths listed are the default paths for these
167 file types. Note the processes UID still need to have DAC permissions.
168 file_type
170 all files on the system
172
175 semanage fcontext can also be used to manipulate default file context
176 mappings.
177 semanage permissive can also be used to manipulate whether or not a
179 process type is permissive.
180 semanage module can also be used to enable/disable/install/remove pol‐
182 icy modules.
183 semanage boolean can also be used to manipulate the booleans
185 system-config-selinux is a GUI tool available to customize SELinux pol‐
188 icy settings.
189
192 This manual page was auto-generated using sepolicy manpage .
193
196 selinux(8), anaconda(8), semanage(8), restorecon(8), chcon(1) , setse‐
197 bool(8)
198anaconda 15-06-03 anaconda_selinux(8)