sandbox_xserver_selinux(8)  SELinux Policy sandbox_xserver  sandbox_xserver_selinux(8)

NAME

       sandbox_xserver_selinux - Security Enhanced Linux Policy for the
       sandbox_xserver processes

DESCRIPTION

       Security-Enhanced Linux secures the sandbox_xserver processes via
       flexible mandatory access control.

       The sandbox_xserver processes execute with the sandbox_xserver_t
       SELinux type. You can check if you have these processes running by
       executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep sandbox_xserver_t

ENTRYPOINTS

       The sandbox_xserver_t SELinux type can be entered via the
       xserver_exec_t file type.

       The default entrypoint paths for the sandbox_xserver_t domain are the
       following:

       /usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xephyr, /usr/X11R6/bin/X,
       /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/local/bin/x11vnc,
       /usr/X11R6/bin/XFree86, /usr/X11R6/bin/Xwrapper,
       /etc/init.d/xfree86-common

PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       sandbox_xserver policy is very flexible, allowing users to set up
       their sandbox_xserver processes in as secure a method as possible.

       The following process types are defined for sandbox_xserver:

       sandbox_xserver_t

       Note: semanage permissive -a sandbox_xserver_t can be used to make the
       process type sandbox_xserver_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       sandbox_xserver policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run sandbox_xserver with
       the tightest access possible.

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow confined applications to run with Kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to support fusefs home directories, you must turn on the
       use_fusefs_home_dirs boolean. Disabled by default.

       setsebool -P use_fusefs_home_dirs 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to support X userspace object manager, you must turn on the
       xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1
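
       Added example (not part of the generated policy documentation): a
       shell function that reads getsebool -a style output and reports every
       boolean from this section whose state differs from the default
       documented above. The names audit_booleans and sample_state and the
       sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit boolean state against the defaults this page documents.

# name=default pairs taken from the BOOLEANS section of this page.
DOCUMENTED_DEFAULTS="allow_domain_fd_use=on allow_kerberos=on allow_ptrace=off
allow_write_xshm=off allow_ypbind=off domain_kernel_load_modules=off
fips_mode=on global_ssp=off nscd_use_shm=on use_fusefs_home_dirs=off
use_nfs_home_dirs=off use_samba_home_dirs=off xserver_object_manager=off"

# audit_booleans (hypothetical helper): reads "name --> state" lines on stdin
# and prints one line per boolean that deviates from its documented default.
#   WIDENED = documented off, currently on (grants access the default withholds)
#   CHANGED = documented on, currently something else
audit_booleans() {
    while read -r name arrow state rest; do
        if [ "$arrow" != "-->" ]; then continue; fi
        default=""
        for entry in $DOCUMENTED_DEFAULTS; do
            if [ "${entry%%=*}" = "$name" ]; then default=${entry#*=}; fi
        done
        # Skip booleans this page does not cover, and ones still at default.
        if [ -z "$default" ] || [ "$state" = "$default" ]; then continue; fi
        if [ "$default" = "off" ]; then
            printf 'WIDENED %s (documented default off, now %s)\n' "$name" "$state"
        else
            printf 'CHANGED %s (documented default on, now %s)\n' "$name" "$state"
        fi
    done
}

# Constructed sample in getsebool -a format; not captured from a real host.
sample_state() {
    cat <<'EOF'
allow_domain_fd_use --> on
allow_ptrace --> on
allow_write_xshm --> off
domain_kernel_load_modules --> on
fips_mode --> off
httpd_enable_cgi --> on
EOF
}

# On a live system: getsebool -a | audit_booleans
sample_state | audit_booleans
```

       WIDENED lines deserve review first, since those booleans apply to all
       domains or all confined applications rather than to sandbox_xserver_t
       alone.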

MANAGED FILES

       The SELinux process type sandbox_xserver_t can manage files labeled
       with the following file types. The paths listed are the default paths
       for these file types. Note that the process's UID still needs to have
       DAC permissions.

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       sandbox_file_t

       sandbox_xserver_tmpfs_t

       security_t

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       xserver_tmpfs_t

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), sandbox_xserver(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

sandbox_xserver                    15-06-03         sandbox_xserver_selinux(8)