1bcfg2_selinux(8) SELinux Policy bcfg2 bcfg2_selinux(8)
2
3
4
6 bcfg2_selinux - Security Enhanced Linux Policy for the bcfg2 processes
7
9 Security-Enhanced Linux secures the bcfg2 processes via flexible manda‐
10 tory access control.
11
12 The bcfg2 processes execute with the bcfg2_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep bcfg2_t
19
20
21
23 The bcfg2_t SELinux type can be entered via the file_type,
24 bcfg2_exec_t, unlabeled_t, proc_type, filesystem_type, mtrr_device_t,
25 sysctl_type file types.
26
27 The default entrypoint paths for the bcfg2_t domain are the following:
28
29 all files on the system, /usr/sbin/bcfg2-server, /dev/cpu/mtrr
30
32 SELinux defines process types (domains) for each process running on the
33 system
34
35 You can see the context of a process using the -Z option to ps
36
37 Policy governs the access confined processes have to files. SELinux
38 bcfg2 policy is very flexible allowing users to setup their bcfg2 pro‐
39 cesses in as secure a method as possible.
40
41 The following process types are defined for bcfg2:
42
43 bcfg2_t
44
45 Note: semanage permissive -a bcfg2_t can be used to make the process
46 type bcfg2_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
50
52 SELinux policy is customizable based on least access required. bcfg2
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run bcfg2 with the tightest access possible.
55
56
57
58 If you want to allow all daemons to write corefiles to /, you must turn
59 on the allow_daemons_dump_core boolean. Disabled by default.
60
61 setsebool -P allow_daemons_dump_core 1
62
63
64
65 If you want to allow all daemons to use tcp wrappers, you must turn on
66 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
67
68 setsebool -P allow_daemons_use_tcp_wrapper 1
69
70
71
72 If you want to allow all daemons the ability to read/write terminals,
73 you must turn on the allow_daemons_use_tty boolean. Disabled by
74 default.
75
76 setsebool -P allow_daemons_use_tty 1
77
78
79
80 If you want to allow all domains to use other domains file descriptors,
81 you must turn on the allow_domain_fd_use boolean. Enabled by default.
82
83 setsebool -P allow_domain_fd_use 1
84
85
86
87 If you want to allow unconfined executables to make their heap memory
88 executable. Doing this is a really bad idea. Probably indicates a
89 badly coded executable, but could indicate an attack. This executable
90 should be reported in bugzilla, you must turn on the allow_execheap
91 boolean. Disabled by default.
92
93 setsebool -P allow_execheap 1
94
95
96
97 If you want to allow unconfined executables to map a memory region as
98 both executable and writable, this is dangerous and the executable
99 should be reported in bugzilla), you must turn on the allow_execmem
100 boolean. Enabled by default.
101
102 setsebool -P allow_execmem 1
103
104
105
106 If you want to allow all unconfined executables to use libraries
107 requiring text relocation that are not labeled textrel_shlib_t), you
108 must turn on the allow_execmod boolean. Enabled by default.
109
110 setsebool -P allow_execmod 1
111
112
113
114 If you want to allow unconfined executables to make their stack exe‐
115 cutable. This should never, ever be necessary. Probably indicates a
116 badly coded executable, but could indicate an attack. This executable
117 should be reported in bugzilla), you must turn on the allow_execstack
118 boolean. Enabled by default.
119
120 setsebool -P allow_execstack 1
121
122
123
124 If you want to allow confined applications to run with kerberos, you
125 must turn on the allow_kerberos boolean. Enabled by default.
126
127 setsebool -P allow_kerberos 1
128
129
130
131 If you want to allow sysadm to debug or ptrace all processes, you must
132 turn on the allow_ptrace boolean. Disabled by default.
133
134 setsebool -P allow_ptrace 1
135
136
137
138 If you want to allow system to run with NIS, you must turn on the
139 allow_ypbind boolean. Disabled by default.
140
141 setsebool -P allow_ypbind 1
142
143
144
145 If you want to enable cluster mode for daemons, you must turn on the
146 daemons_enable_cluster_mode boolean. Disabled by default.
147
148 setsebool -P daemons_enable_cluster_mode 1
149
150
151
152 If you want to allow all domains to have the kernel load modules, you
153 must turn on the domain_kernel_load_modules boolean. Disabled by
154 default.
155
156 setsebool -P domain_kernel_load_modules 1
157
158
159
160 If you want to allow all domains to execute in fips_mode, you must turn
161 on the fips_mode boolean. Enabled by default.
162
163 setsebool -P fips_mode 1
164
165
166
167 If you want to enable reading of urandom for all domains, you must turn
168 on the global_ssp boolean. Disabled by default.
169
170 setsebool -P global_ssp 1
171
172
173
174 If you want to enable support for upstart as the init program, you must
175 turn on the init_upstart boolean. Enabled by default.
176
177 setsebool -P init_upstart 1
178
179
180
181 If you want to allow certain domains to map low memory in the kernel,
182 you must turn on the mmap_low_allowed boolean. Disabled by default.
183
184 setsebool -P mmap_low_allowed 1
185
186
187
188 If you want to allow confined applications to use nscd shared memory,
189 you must turn on the nscd_use_shm boolean. Enabled by default.
190
191 setsebool -P nscd_use_shm 1
192
193
194
195 If you want to boolean to determine whether the system permits loading
196 policy, setting enforcing mode, and changing boolean values. Set this
197 to true and you have to reboot to set it back, you must turn on the
198 secure_mode_policyload boolean. Disabled by default.
199
200 setsebool -P secure_mode_policyload 1
201
202
203
204 If you want to support X userspace object manager, you must turn on the
205 xserver_object_manager boolean. Disabled by default.
206
207 setsebool -P xserver_object_manager 1
208
209
210
212 The SELinux process type bcfg2_t can manage files labeled with the fol‐
213 lowing file types. The paths listed are the default paths for these
214 file types. Note the processes UID still need to have DAC permissions.
215
216 file_type
217
218 all files on the system
219
220
222 SELinux requires files to have an extended attribute to define the file
223 type.
224
225 You can see the context of a file using the -Z option to ls
226
227 Policy governs the access confined processes have to these files.
228 SELinux bcfg2 policy is very flexible allowing users to setup their
229 bcfg2 processes in as secure a method as possible.
230
231 STANDARD FILE CONTEXT
232
233 SELinux defines the file context types for the bcfg2, if you wanted to
234 store files with these types in a diffent paths, you need to execute
235 the semanage command to sepecify alternate labeling and then use
236 restorecon to put the labels on disk.
237
238 semanage fcontext -a -t bcfg2_var_run_t '/srv/mybcfg2_content(/.*)?'
239 restorecon -R -v /srv/mybcfg2_content
240
241 Note: SELinux often uses regular expressions to specify labels that
242 match multiple files.
243
244 The following file types are defined for bcfg2:
245
246
247
248 bcfg2_exec_t
249
250 - Set files with the bcfg2_exec_t type, if you want to transition an
251 executable to the bcfg2_t domain.
252
253
254
255 bcfg2_initrc_exec_t
256
257 - Set files with the bcfg2_initrc_exec_t type, if you want to transi‐
258 tion an executable to the bcfg2_initrc_t domain.
259
260
261
262 bcfg2_var_lib_t
263
264 - Set files with the bcfg2_var_lib_t type, if you want to store the
265 bcfg2 files under the /var/lib directory.
266
267
268
269 bcfg2_var_run_t
270
271 - Set files with the bcfg2_var_run_t type, if you want to store the
272 bcfg2 files under the /run or /var/run directory.
273
274
275
276 Note: File context can be temporarily modified with the chcon command.
277 If you want to permanently change the file context you need to use the
278 semanage fcontext command. This will modify the SELinux labeling data‐
279 base. You will need to use restorecon to apply the labels.
280
281
283 semanage fcontext can also be used to manipulate default file context
284 mappings.
285
286 semanage permissive can also be used to manipulate whether or not a
287 process type is permissive.
288
289 semanage module can also be used to enable/disable/install/remove pol‐
290 icy modules.
291
292 semanage boolean can also be used to manipulate the booleans
293
294
295 system-config-selinux is a GUI tool available to customize SELinux pol‐
296 icy settings.
297
298
300 This manual page was auto-generated using sepolicy manpage .
301
302
304 selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1) , setse‐
305 bool(8)
306
307
308
309bcfg2 15-06-03 bcfg2_selinux(8)