staff_consolehelper_selinux(8)

1staff_consolehelper_selSiEnLuixn(u8x)Policy staff_consolsethaeflfp_ecronsolehelper_selinux(8)
2
3
4

NAME

6       staff_consolehelper_selinux  -  Security  Enhanced Linux Policy for the
7       staff_consolehelper processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the staff_consolehelper  processes  via
11       flexible mandatory access control.
12
13       The  staff_consolehelper  processes  execute  with  the  staff_console‐
14       helper_t SELinux type. You can check if you have these  processes  run‐
15       ning by executing the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep staff_consolehelper_t
20
21
22

ENTRYPOINTS

24       The  staff_consolehelper_t SELinux type can be entered via the console‐
25       helper_exec_t file type.
26
27       The default entrypoint paths for the staff_consolehelper_t  domain  are
28       the following:
29
30       /usr/bin/consolehelper
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       staff_consolehelper  policy  is  very  flexible allowing users to setup
40       their staff_consolehelper processes in as secure a method as possible.
41
42       The following process types are defined for staff_consolehelper:
43
44       staff_consolehelper_t
45
46       Note: semanage permissive -a staff_consolehelper_t can be used to  make
47       the  process  type  staff_consolehelper_t  permissive. SELinux does not
48       deny access to permissive process types, but the AVC (SELinux  denials)
49       messages are still generated.
50
51

BOOLEANS

53       SELinux   policy  is  customizable  based  on  least  access  required.
54       staff_consolehelper policy is extremely flexible and has several  bool‐
55       eans  that  allow  you  to manipulate the policy and run staff_console‐
56       helper with the tightest access possible.
57
58
59
60       If you want to allow all domains to use other domains file descriptors,
61       you must turn on the allow_domain_fd_use boolean. Enabled by default.
62
63       setsebool -P allow_domain_fd_use 1
64
65
66
67       If  you  want  to allow confined applications to run with kerberos, you
68       must turn on the allow_kerberos boolean. Enabled by default.
69
70       setsebool -P allow_kerberos 1
71
72
73
74       If you want to allow sysadm to debug or ptrace all processes, you  must
75       turn on the allow_ptrace boolean. Disabled by default.
76
77       setsebool -P allow_ptrace 1
78
79
80
81       If  you  want  to  allow  system  to run with NIS, you must turn on the
82       allow_ypbind boolean. Disabled by default.
83
84       setsebool -P allow_ypbind 1
85
86
87
88       If you want to allow all domains to have the kernel load  modules,  you
89       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
90       default.
91
92       setsebool -P domain_kernel_load_modules 1
93
94
95
96       If you want to allow all domains to execute in fips_mode, you must turn
97       on the fips_mode boolean. Enabled by default.
98
99       setsebool -P fips_mode 1
100
101
102
103       If you want to enable reading of urandom for all domains, you must turn
104       on the global_ssp boolean. Disabled by default.
105
106       setsebool -P global_ssp 1
107
108
109
110       If you want to allow confined applications to use nscd  shared  memory,
111       you must turn on the nscd_use_shm boolean. Enabled by default.
112
113       setsebool -P nscd_use_shm 1
114
115
116

MANAGED FILES

118       The SELinux process type staff_consolehelper_t can manage files labeled
119       with the following file types.  The paths listed are the default  paths
120       for  these  file  types.  Note the processes UID still need to have DAC
121       permissions.
122
123       faillog_t
124
125            /var/log/btmp.*
126            /var/log/faillog.*
127            /var/log/tallylog.*
128            /var/run/faillock(/.*)?
129
130       initrc_tmp_t
131
132
133       krb5_host_rcache_t
134
135            /var/cache/krb5rcache(/.*)?
136            /var/tmp/host_0
137            /var/tmp/HTTP_23
138
139       lastlog_t
140
141            /var/log/lastlog.*
142
143       mnt_t
144
145            /mnt(/[^/]*)
146            /mnt(/[^/]*)?
147            /rhev(/[^/]*)?
148            /media(/[^/]*)
149            /media(/[^/]*)?
150            /etc/rhgb(/.*)?
151            /media/.hal-.*
152            /net
153            /afs
154            /rhev
155            /misc
156
157       pcscd_var_run_t
158
159            /var/run/pcscd.events(/.*)?
160            /var/run/pcscd.pid
161            /var/run/pcscd.pub
162            /var/run/pcscd.comm
163
164       security_t
165
166
167       tmp_t
168
169            /tmp
170            /usr/tmp
171            /var/tmp
172            /tmp-inst
173            /var/tmp-inst
174            /var/tmp/vi.recover
175
176

COMMANDS

178       semanage fcontext can also be used to manipulate default  file  context
179       mappings.
180
181       semanage  permissive  can  also  be used to manipulate whether or not a
182       process type is permissive.
183
184       semanage module can also be used to enable/disable/install/remove  pol‐
185       icy modules.
186
187       semanage boolean can also be used to manipulate the booleans
188
189
190       system-config-selinux is a GUI tool available to customize SELinux pol‐
191       icy settings.
192
193

AUTHOR

195       This manual page was auto-generated using sepolicy manpage .
196
197