1kdumpgui_selinux(8)         SELinux Policy kdumpgui        kdumpgui_selinux(8)
2
3
4

NAME

6       kdumpgui_selinux - Security Enhanced Linux Policy for the kdumpgui pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures the  kdumpgui  processes  via  flexible
11       mandatory access control.
12
13       The  kdumpgui  processes  execute with the kdumpgui_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep kdumpgui_t
20
21
22

ENTRYPOINTS

24       The kdumpgui_t SELinux type can be entered via the kdumpgui_exec_t file
25       type.
26
27       The default entrypoint paths for the kdumpgui_t domain are the  follow‐
28       ing:
29
30       /usr/share/system-config-kdump/system-config-kdump-backend.py
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       kdumpgui policy is very flexible allowing users to setup their kdumpgui
40       processes in as secure a method as possible.
41
42       The following process types are defined for kdumpgui:
43
44       kdumpgui_t
45
46       Note: semanage permissive -a kdumpgui_t can be used to make the process
47       type  kdumpgui_t permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux   policy  is  customizable  based  on  least  access  required.
54       kdumpgui policy is extremely flexible and  has  several  booleans  that
55       allow  you  to manipulate the policy and run kdumpgui with the tightest
56       access possible.
57
58
59
60       If you want to allow s-c-kdump to run bootloader in  bootloader_t,  you
61       must turn on the kdumpgui_run_bootloader boolean. Disabled by default.
62
63       setsebool -P kdumpgui_run_bootloader 1
64
65
66
67       If  you  want to allow all daemons the ability to read/write terminals,
68       you  must  turn  on  the  allow_daemons_use_tty  boolean.  Disabled  by
69       default.
70
71       setsebool -P allow_daemons_use_tty 1
72
73
74
75       If you want to allow all domains to use other domains file descriptors,
76       you must turn on the allow_domain_fd_use boolean. Enabled by default.
77
78       setsebool -P allow_domain_fd_use 1
79
80
81
82       If you want to allow confined applications to run  with  kerberos,  you
83       must turn on the allow_kerberos boolean. Enabled by default.
84
85       setsebool -P allow_kerberos 1
86
87
88
89       If  you want to allow sysadm to debug or ptrace all processes, you must
90       turn on the allow_ptrace boolean. Disabled by default.
91
92       setsebool -P allow_ptrace 1
93
94
95
96       If you want to allow system to run with  NIS,  you  must  turn  on  the
97       allow_ypbind boolean. Disabled by default.
98
99       setsebool -P allow_ypbind 1
100
101
102
103       If  you  want to allow all domains to have the kernel load modules, you
104       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
105       default.
106
107       setsebool -P domain_kernel_load_modules 1
108
109
110
111       If you want to allow all domains to execute in fips_mode, you must turn
112       on the fips_mode boolean. Enabled by default.
113
114       setsebool -P fips_mode 1
115
116
117
118       If you want to enable reading of urandom for all domains, you must turn
119       on the global_ssp boolean. Disabled by default.
120
121       setsebool -P global_ssp 1
122
123
124
125       If  you  want to allow confined applications to use nscd shared memory,
126       you must turn on the nscd_use_shm boolean. Enabled by default.
127
128       setsebool -P nscd_use_shm 1
129
130
131

MANAGED FILES

133       The SELinux process type kdumpgui_t can manage files labeled  with  the
134       following file types.  The paths listed are the default paths for these
135       file types.  Note the processes UID still need to have DAC permissions.
136
137       boot_t
138
139            /boot/.*
140            /vmlinuz.*
141            /initrd.img.*
142            /boot
143
144       bootloader_etc_t
145
146            /etc/lilo.conf.*
147            /etc/yaboot.conf.*
148            /boot/etc/yaboot.conf.*
149
150       dosfs_t
151
152
153       etc_runtime_t
154
155            /[^/]+
156            /etc/mtab.*
157            /etc/blkid(/.*)?
158            /etc/nologin.*
159            /etc/zipl.conf.*
160            /etc/smartd.conf.*
161            /etc/.fstab.hal..+
162            /etc/sysconfig/ip6?tables.save
163            /halt
164            /etc/motd
165            /fastboot
166            /poweroff
167            /etc/issue
168            /etc/cmtab
169            /forcefsck
170            /.autofsck
171            /.suspended
172            /fsckoptions
173            /etc/HOSTNAME
174            /.autorelabel
175            /etc/securetty
176            /etc/nohotplug
177            /etc/issue.net
178            /etc/killpower
179            /etc/ioctl.save
180            /etc/reader.conf
181            /etc/fstab.REVOKE
182            /etc/mtab.fuselock
183            /etc/network/ifstate
184            /etc/sysconfig/hwconf
185            /etc/ptal/ptal-printd-like
186            /etc/xorg.conf.d/00-system-setup-keyboard.conf
187
188       initrc_tmp_t
189
190
191       kdump_etc_t
192
193            /etc/kdump.conf
194
195       kdumpgui_tmp_t
196
197
198       mnt_t
199
200            /mnt(/[^/]*)
201            /mnt(/[^/]*)?
202            /rhev(/[^/]*)?
203            /media(/[^/]*)
204            /media(/[^/]*)?
205            /etc/rhgb(/.*)?
206            /media/.hal-.*
207            /net
208            /afs
209            /rhev
210            /misc
211
212       tmp_t
213
214            /tmp
215            /usr/tmp
216            /var/tmp
217            /tmp-inst
218            /var/tmp-inst
219            /var/tmp/vi.recover
220
221

FILE CONTEXTS

223       SELinux requires files to have an extended attribute to define the file
224       type.
225
226       You can see the context of a file using the -Z option to ls
227
228       Policy  governs  the  access  confined  processes  have to these files.
229       SELinux kdumpgui policy is very flexible allowing users to setup  their
230       kdumpgui processes in as secure a method as possible.
231
232       STANDARD FILE CONTEXT
233
234       SELinux  defines the file context types for the kdumpgui, if you wanted
235       to store files with these types in a diffent paths, you need to execute
236       the  semanage  command  to  sepecify  alternate  labeling  and then use
237       restorecon to put the labels on disk.
238
239       semanage fcontext -a -t kdumpgui_tmp_t '/srv/mykdumpgui_content(/.*)?'
240       restorecon -R -v /srv/mykdumpgui_content
241
242       Note: SELinux often uses regular expressions  to  specify  labels  that
243       match multiple files.
244
245       The following file types are defined for kdumpgui:
246
247
248
249       kdumpgui_exec_t
250
251       - Set files with the kdumpgui_exec_t type, if you want to transition an
252       executable to the kdumpgui_t domain.
253
254
255
256       kdumpgui_tmp_t
257
258       - Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui
259       temporary files in the /tmp directories.
260
261
262
263       Note:  File context can be temporarily modified with the chcon command.
264       If you want to permanently change the file context you need to use  the
265       semanage fcontext command.  This will modify the SELinux labeling data‐
266       base.  You will need to use restorecon to apply the labels.
267
268

COMMANDS

270       semanage fcontext can also be used to manipulate default  file  context
271       mappings.
272
273       semanage  permissive  can  also  be used to manipulate whether or not a
274       process type is permissive.
275
276       semanage module can also be used to enable/disable/install/remove  pol‐
277       icy modules.
278
279       semanage boolean can also be used to manipulate the booleans
280
281
282       system-config-selinux is a GUI tool available to customize SELinux pol‐
283       icy settings.
284
285

AUTHOR

287       This manual page was auto-generated using sepolicy manpage .
288
289

SEE ALSO

291       selinux(8), kdumpgui(8), semanage(8), restorecon(8), chcon(1) ,  setse‐
292       bool(8)
293
294
295
296kdumpgui                           15-06-03                kdumpgui_selinux(8)
Impressum