1hald_selinux(8) SELinux Policy hald hald_selinux(8)
2
6 hald_selinux - Security Enhanced Linux Policy for the hald processes
7
9 Security-Enhanced Linux secures the hald processes via flexible manda‐
10 tory access control.
11 The hald processes execute with the hald_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep hald_t
19
23 The hald_t SELinux type can be entered via the hald_exec_t file type.
24 The default entrypoint paths for the hald_t domain are the following:
26 /usr/sbin/hald, /usr/libexec/hal-hotplug-map,
28 /etc/hal/device.d/printer_remove.hal, /etc/hal/capabil‐
29 ity.d/printer_update.hal
30
32 SELinux defines process types (domains) for each process running on the
33 system
34 You can see the context of a process using the -Z option to ps
36 Policy governs the access confined processes have to files. SELinux
38 hald policy is very flexible allowing users to setup their hald pro‐
39 cesses in as secure a method as possible.
40 The following process types are defined for hald:
42 hald_mac_t, hald_dccm_t, hald_sonypic_t, hald_acl_t, hald_t, hald_keymap_t
44 Note: semanage permissive -a hald_t can be used to make the process
46 type hald_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
52 SELinux policy is customizable based on least access required. hald
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run hald with the tightest access possible.
55 If you want to allow all daemons to write corefiles to /, you must turn
59 on the allow_daemons_dump_core boolean. Disabled by default.
60 setsebool -P allow_daemons_dump_core 1
62 If you want to allow all daemons to use tcp wrappers, you must turn on
66 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
67 setsebool -P allow_daemons_use_tcp_wrapper 1
69 If you want to allow all daemons the ability to read/write terminals,
73 you must turn on the allow_daemons_use_tty boolean. Disabled by
74 default.
75 setsebool -P allow_daemons_use_tty 1
77 If you want to allow all domains to use other domains file descriptors,
81 you must turn on the allow_domain_fd_use boolean. Enabled by default.
82 setsebool -P allow_domain_fd_use 1
84 If you want to allow confined applications to run with kerberos, you
88 must turn on the allow_kerberos boolean. Enabled by default.
89 setsebool -P allow_kerberos 1
91 If you want to allow sysadm to debug or ptrace all processes, you must
95 turn on the allow_ptrace boolean. Disabled by default.
96 setsebool -P allow_ptrace 1
98 If you want to allow system to run with NIS, you must turn on the
102 allow_ypbind boolean. Disabled by default.
103 setsebool -P allow_ypbind 1
105 If you want to enable cluster mode for daemons, you must turn on the
109 daemons_enable_cluster_mode boolean. Disabled by default.
110 setsebool -P daemons_enable_cluster_mode 1
112 If you want to allow all domains to have the kernel load modules, you
116 must turn on the domain_kernel_load_modules boolean. Disabled by
117 default.
118 setsebool -P domain_kernel_load_modules 1
120 If you want to allow all domains to execute in fips_mode, you must turn
124 on the fips_mode boolean. Enabled by default.
125 setsebool -P fips_mode 1
127 If you want to enable reading of urandom for all domains, you must turn
131 on the global_ssp boolean. Disabled by default.
132 setsebool -P global_ssp 1
134 If you want to enable support for upstart as the init program, you must
138 turn on the init_upstart boolean. Enabled by default.
139 setsebool -P init_upstart 1
141 If you want to allow confined applications to use nscd shared memory,
145 you must turn on the nscd_use_shm boolean. Enabled by default.
146 setsebool -P nscd_use_shm 1
148 If you want to disable transitions to insmod, you must turn on the
152 secure_mode_insmod boolean. Disabled by default.
153 setsebool -P secure_mode_insmod 1
155 If you want to allow virt to manage nfs files, you must turn on the
159 virt_use_nfs boolean. Disabled by default.
160 setsebool -P virt_use_nfs 1
162 If you want to allow virt to manage cifs files, you must turn on the
166 virt_use_samba boolean. Disabled by default.
167 setsebool -P virt_use_samba 1
169
173 The SELinux process type hald_t can manage files labeled with the fol‐
174 lowing file types. The paths listed are the default paths for these
175 file types. Note the processes UID still need to have DAC permissions.
176 cardmgr_var_run_t
178 /var/lib/pcmcia(/.*)?
180 /var/run/stab
181 /var/run/cardmgr.pid
182 cifs_t
184 cluster_conf_t
187 /etc/cluster(/.*)?
189 cluster_var_lib_t
191 /var/lib(64)?/openais(/.*)?
193 /var/lib(64)?/pengine(/.*)?
194 /var/lib(64)?/corosync(/.*)?
195 /usr/lib(64)?/heartbeat(/.*)?
196 /var/lib(64)?/heartbeat(/.*)?
197 /var/lib(64)?/pacemaker(/.*)?
198 /var/lib/cluster(/.*)?
199 cluster_var_run_t
201 /var/run/crm(/.*)?
203 /var/run/cman_.*
204 /var/run/rsctmp(/.*)?
205 /var/run/aisexec.*
206 /var/run/heartbeat(/.*)?
207 /var/run/cpglockd.pid
208 /var/run/corosync.pid
209 /var/run/rgmanager.pid
210 /var/run/cluster/rgmanager.sk
211 dosfs_t
213 etc_runtime_t
216 /[^/]+
218 /etc/mtab.*
219 /etc/blkid(/.*)?
220 /etc/nologin.*
221 /etc/zipl.conf.*
222 /etc/smartd.conf.*
223 /etc/.fstab.hal..+
224 /etc/sysconfig/ip6?tables.save
225 /halt
226 /etc/motd
227 /fastboot
228 /poweroff
229 /etc/issue
230 /etc/cmtab
231 /forcefsck
232 /.autofsck
233 /.suspended
234 /fsckoptions
235 /etc/HOSTNAME
236 /.autorelabel
237 /etc/securetty
238 /etc/nohotplug
239 /etc/issue.net
240 /etc/killpower
241 /etc/ioctl.save
242 /etc/reader.conf
243 /etc/fstab.REVOKE
244 /etc/mtab.fuselock
245 /etc/network/ifstate
246 /etc/sysconfig/hwconf
247 /etc/ptal/ptal-printd-like
248 /etc/xorg.conf.d/00-system-setup-keyboard.conf
249 hald_cache_t
251 /var/cache/hald(/.*)?
253 hald_log_t
255 /var/log/pm(/.*)?
257 /var/log/pm-.*.log.*
258 hald_tmp_t
260 hald_var_lib_t
263 /var/lib/hal(/.*)?
265 hald_var_run_t
267 /var/run/pm(/.*)?
269 /var/run/vbe.*
270 /var/run/hald(/.*)?
271 /var/run/synce.*
272 /var/run/pm-utils(/.*)?
273 /var/run/haldaemon.pid
274 initrc_tmp_t
276 initrc_var_run_t
279 /var/run/utmp
281 /var/run/random-seed
282 /var/run/runlevel.dir
283 /var/run/setmixer_flag
284 mnt_t
286 /mnt(/[^/]*)
288 /mnt(/[^/]*)?
289 /rhev(/[^/]*)?
290 /media(/[^/]*)
291 /media(/[^/]*)?
292 /etc/rhgb(/.*)?
293 /media/.hal-.*
294 /net
295 /afs
296 /rhev
297 /misc
298 nfs_t
300 root_t
303 /
305 /initrd
306 security_t
308 sysfs_t
311 /sys(/.*)?
313 tmp_t
315 /tmp
317 /usr/tmp
318 /var/tmp
319 /tmp-inst
320 /var/tmp-inst
321 /var/tmp/vi.recover
322 usbfs_t
324 virt_image_type
327 all virtual image files
329
332 SELinux requires files to have an extended attribute to define the file
333 type.
334 You can see the context of a file using the -Z option to ls
336 Policy governs the access confined processes have to these files.
338 SELinux hald policy is very flexible allowing users to setup their hald
339 processes in as secure a method as possible.
340 EQUIVALENCE DIRECTORIES
342 hald policy stores data with multiple different file context types
345 under the /var/log/pm directory. If you would like to store the data
346 in a different directory you can use the semanage command to create an
347 equivalence mapping. If you wanted to store this data under the /srv
348 dirctory you would execute the following command:
349 semanage fcontext -a -e /var/log/pm /srv/pm
351 restorecon -R -v /srv/pm
352 hald policy stores data with multiple different file context types
354 under the /var/run/pm directory. If you would like to store the data
355 in a different directory you can use the semanage command to create an
356 equivalence mapping. If you wanted to store this data under the /srv
357 dirctory you would execute the following command:
358 semanage fcontext -a -e /var/run/pm /srv/pm
360 restorecon -R -v /srv/pm
361 hald policy stores data with multiple different file context types
363 under the /var/run/hald directory. If you would like to store the data
364 in a different directory you can use the semanage command to create an
365 equivalence mapping. If you wanted to store this data under the /srv
366 dirctory you would execute the following command:
367 semanage fcontext -a -e /var/run/hald /srv/hald
369 restorecon -R -v /srv/hald
370 STANDARD FILE CONTEXT
372 SELinux defines the file context types for the hald, if you wanted to
374 store files with these types in a diffent paths, you need to execute
375 the semanage command to sepecify alternate labeling and then use
376 restorecon to put the labels on disk.
377 semanage fcontext -a -t hald_var_run_t '/srv/myhald_content(/.*)?'
379 restorecon -R -v /srv/myhald_content
380 Note: SELinux often uses regular expressions to specify labels that
382 match multiple files.
383 The following file types are defined for hald:
385 hald_acl_exec_t
389 - Set files with the hald_acl_exec_t type, if you want to transition an
391 executable to the hald_acl_t domain.
392 hald_cache_t
396 - Set files with the hald_cache_t type, if you want to store the files
398 under the /var/cache directory.
399 hald_dccm_exec_t
403 - Set files with the hald_dccm_exec_t type, if you want to transition
405 an executable to the hald_dccm_t domain.
406 hald_exec_t
410 - Set files with the hald_exec_t type, if you want to transition an
412 executable to the hald_t domain.
413 Paths:
416 /usr/sbin/hald, /usr/libexec/hal-hotplug-map,
417 /etc/hal/device.d/printer_remove.hal, /etc/hal/capabil‐
418 ity.d/printer_update.hal
419 hald_keymap_exec_t
422 - Set files with the hald_keymap_exec_t type, if you want to transition
424 an executable to the hald_keymap_t domain.
425 hald_log_t
429 - Set files with the hald_log_t type, if you want to treat the data as
431 hald log data, usually stored under the /var/log directory.
432 Paths:
435 /var/log/pm(/.*)?, /var/log/pm-.*.log.*
436 hald_mac_exec_t
439 - Set files with the hald_mac_exec_t type, if you want to transition an
441 executable to the hald_mac_t domain.
442 Paths:
445 /usr/sbin/radeontool, /usr/libexec/hald-addon-macbook-backlight,
446 /usr/libexec/hald-addon-macbookpro-backlight
447 hald_sonypic_exec_t
450 - Set files with the hald_sonypic_exec_t type, if you want to transi‐
452 tion an executable to the hald_sonypic_t domain.
453 hald_tmp_t
457 - Set files with the hald_tmp_t type, if you want to store hald tempo‐
459 rary files in the /tmp directories.
460 hald_var_lib_t
464 - Set files with the hald_var_lib_t type, if you want to store the hald
466 files under the /var/lib directory.
467 hald_var_run_t
471 - Set files with the hald_var_run_t type, if you want to store the hald
473 files under the /run or /var/run directory.
474 Paths:
477 /var/run/pm(/.*)?, /var/run/vbe.*, /var/run/hald(/.*)?,
478 /var/run/synce.*, /var/run/pm-utils(/.*)?, /var/run/haldaemon.pid
479 Note: File context can be temporarily modified with the chcon command.
482 If you want to permanently change the file context you need to use the
483 semanage fcontext command. This will modify the SELinux labeling data‐
484 base. You will need to use restorecon to apply the labels.
485
488 semanage fcontext can also be used to manipulate default file context
489 mappings.
490 semanage permissive can also be used to manipulate whether or not a
492 process type is permissive.
493 semanage module can also be used to enable/disable/install/remove pol‐
495 icy modules.
496 semanage boolean can also be used to manipulate the booleans
498 system-config-selinux is a GUI tool available to customize SELinux pol‐
501 icy settings.
502
505 This manual page was auto-generated using sepolicy manpage .
506
509 selinux(8), hald(8), semanage(8), restorecon(8), chcon(1) , setse‐
510 bool(8), hald_acl_selinux(8), hald_dccm_selinux(8),
511 hald_keymap_selinux(8), hald_mac_selinux(8), hald_sonypic_selinux(8)
512hald 15-06-03 hald_selinux(8)