1openoffice_selinux(8)      SELinux Policy openoffice     openoffice_selinux(8)
2
3
4

NAME

6       openoffice_selinux  - Security Enhanced Linux Policy for the openoffice
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the openoffice processes  via  flexible
11       mandatory access control.
12
13       The  openoffice  processes  execute with the openoffice_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep openoffice_t
20
21
22

ENTRYPOINTS

24       The  openoffice_t SELinux type can be entered via the openoffice_exec_t
25       file type.
26
27       The default entrypoint paths for the openoffice_t domain are  the  fol‐
28       lowing:
29
30       /opt/openoffice.org.*/program/.+.bin,    /usr/lib/openoffice.org.*/pro‐
31       gram/.+.bin, /usr/lib64/openoffice.org.*/program/.+.bin
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       openoffice policy is very flexible allowing users to setup their  open‐
41       office processes in as secure a method as possible.
42
43       The following process types are defined for openoffice:
44
45       openoffice_t
46
47       Note:  semanage  permissive  -a  openoffice_t  can  be used to make the
48       process type openoffice_t permissive. SELinux does not deny  access  to
49       permissive  process  types,  but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux policy is customizable based on least access  required.   open‐
55       office policy is extremely flexible and has several booleans that allow
56       you to manipulate the policy  and  run  openoffice  with  the  tightest
57       access possible.
58
59
60
61       If you want to allow all domains to use other domains file descriptors,
62       you must turn on the allow_domain_fd_use boolean. Enabled by default.
63
64       setsebool -P allow_domain_fd_use 1
65
66
67
68       If you want to allow sysadm to debug or ptrace all processes, you  must
69       turn on the allow_ptrace boolean. Disabled by default.
70
71       setsebool -P allow_ptrace 1
72
73
74
75       If  you  want to allow all domains to have the kernel load modules, you
76       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
77       default.
78
79       setsebool -P domain_kernel_load_modules 1
80
81
82
83       If you want to allow all domains to execute in fips_mode, you must turn
84       on the fips_mode boolean. Enabled by default.
85
86       setsebool -P fips_mode 1
87
88
89
90       If you want to enable reading of urandom for all domains, you must turn
91       on the global_ssp boolean. Disabled by default.
92
93       setsebool -P global_ssp 1
94
95
96

MANAGED FILES

98       The SELinux process type openoffice_t can manage files labeled with the
99       following file types.  The paths listed are the default paths for these
100       file types.  Note the processes UID still need to have DAC permissions.
101
102       initrc_tmp_t
103
104
105       mnt_t
106
107            /mnt(/[^/]*)
108            /mnt(/[^/]*)?
109            /rhev(/[^/]*)?
110            /media(/[^/]*)
111            /media(/[^/]*)?
112            /etc/rhgb(/.*)?
113            /media/.hal-.*
114            /net
115            /afs
116            /rhev
117            /misc
118
119       tmp_t
120
121            /tmp
122            /usr/tmp
123            /var/tmp
124            /tmp-inst
125            /var/tmp-inst
126            /var/tmp/vi.recover
127
128

FILE CONTEXTS

130       SELinux requires files to have an extended attribute to define the file
131       type.
132
133       You can see the context of a file using the -Z option to ls
134
135       Policy governs the access  confined  processes  have  to  these  files.
136       SELinux  openoffice  policy  is  very  flexible allowing users to setup
137       their openoffice processes in as secure a method as possible.
138
139       The following file types are defined for openoffice:
140
141
142
143       openoffice_exec_t
144
145       - Set files with the openoffice_exec_t type, if you want to  transition
146       an executable to the openoffice_t domain.
147
148
149       Paths:
150            /opt/openoffice.org.*/program/.+.bin,               /usr/lib/open‐
151            office.org.*/program/.+.bin,      /usr/lib64/openoffice.org.*/pro‐
152            gram/.+.bin
153
154
155       Note:  File context can be temporarily modified with the chcon command.
156       If you want to permanently change the file context you need to use  the
157       semanage fcontext command.  This will modify the SELinux labeling data‐
158       base.  You will need to use restorecon to apply the labels.
159
160

COMMANDS

162       semanage fcontext can also be used to manipulate default  file  context
163       mappings.
164
165       semanage  permissive  can  also  be used to manipulate whether or not a
166       process type is permissive.
167
168       semanage module can also be used to enable/disable/install/remove  pol‐
169       icy modules.
170
171       semanage boolean can also be used to manipulate the booleans
172
173
174       system-config-selinux is a GUI tool available to customize SELinux pol‐
175       icy settings.
176
177

AUTHOR

179       This manual page was auto-generated using sepolicy manpage .
180
181

SEE ALSO

183       selinux(8), openoffice(8), semanage(8), restorecon(8), chcon(1) ,  set‐
184       sebool(8)
185
186
187
188openoffice                         15-06-03              openoffice_selinux(8)
Impressum