staff_execmem_selinux(8) SELinux Policy staff_execmem staff_execmem_selinux(8)

NAME

       staff_execmem_selinux - Security Enhanced Linux Policy for the
       staff_execmem processes

DESCRIPTION

       Security-Enhanced Linux secures the staff_execmem processes via flexible
       mandatory access control.

       The staff_execmem processes execute with the staff_execmem_t SELinux
       type. You can check if you have these processes running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep staff_execmem_t

ENTRYPOINTS

       The staff_execmem_t SELinux type can be entered via the execmem_exec_t,
       user_home_t, xsession_exec_t file types.

       The default entrypoint paths for the staff_execmem_t domain are the
       following:

       /usr/lib(64)?/ghc-[^/]+/ghc.*, /usr/lib(64)/virtualbox/VirtualBox,
       /usr/lib(64)?/gimp/2.0/plug-ins/help-browser,
       /usr/lib(64)?/chromium-browser/chromium-browser,
       /opt/real/(.*/)?realplay.bin,
       /opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater,
       /opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application, /usr/sbin/VBox.*,
       /usr/bin/haddock.*, /usr/libexec/ghc-[^/]+/.*bin,
       /usr/libexec/ghc-[^/]+/ghc.*, /usr/lib/wingide-[^/]+/bin/PyCore/python,
       /usr/lib/erlang/erts-[^/]+/bin/beam.smp,
       /usr/lib/thunderbird-[^/]+/thunderbird-bin,
       /usr/lib64/erlang/erts-[^/]+/bin/beam.smp,
       /usr/bin/sbcl, /usr/bin/darcs, /usr/bin/skype, /usr/bin/dosbox,
       /usr/bin/runghc, /usr/bin/hasktags, /usr/bin/valgrind,
       /usr/bin/aticonfig, /usr/bin/runhaskell, /usr/lib/R/bin/exec/R,
       /usr/lib64/R/bin/exec/R, /usr/sbin/vboxadd-service,
       /opt/google/chrome/chrome, /usr/lib/ia32el/ia32x_loader,
       /opt/likewise/bin/domainjoin-cli, /opt/google/chrome/google-chrome,
       /opt/real/RealPlayer/realplay.bin, /usr/local/RealPlayer/realplay.bin,
       /opt/Komodo-Edit-5/lib/mozilla/komodo-bin, /home/[^/]*/.+,
       /home/staff/.+, /etc/kde3?/kdm/Xreset, /etc/kde3?/kdm/Xstartup,
       /etc/kde3?/kdm/Xsession, /etc/X11/[wx]dm/Xreset.*,
       /etc/X11/[wxg]dm/Xsession, /etc/X11/Xsession[^/]*,
       /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       staff_execmem policy is very flexible, allowing users to set up their
       staff_execmem processes in as secure a method as possible.

       The following process types are defined for staff_execmem:

       staff_execmem_t

       Note: semanage permissive -a staff_execmem_t can be used to make the
       process type staff_execmem_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       staff_execmem policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run staff_execmem with the
       tightest access possible.

       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation (that are not labeled textrel_shlib_t), you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1

       If you want to allow confined applications to run with Kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the allow_user_postgresql_connect boolean. Disabled by default.

       setsebool -P allow_user_postgresql_connect 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to enable secure mode, which disallows programs, such as
       newrole, from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow regular users direct dri device access, you must
       turn on the user_direct_dri boolean. Enabled by default.

       setsebool -P user_direct_dri 1

       If you want to allow regular users direct mouse access, you must turn
       on the user_direct_mouse boolean. Disabled by default.

       setsebool -P user_direct_mouse 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the user_rw_noexattrfile boolean. Enabled by default.

       setsebool -P user_rw_noexattrfile 1

       If you want to allow user processes to change their priority, you must
       turn on the user_setrlimit boolean. Enabled by default.

       setsebool -P user_setrlimit 1

       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the user_tcp_server boolean. Disabling this forces FTP passive mode and
       may change other protocols. Disabled by default.

       setsebool -P user_tcp_server 1

       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1

       If you want to support X userspace object manager, you must turn on the
       xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1

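       The following script is an added example, not part of the generated
       manual page: it compares getsebool -a style output against the defaults
       documented above and reports every boolean on this page whose current
       value has drifted from its default. The sample getsebool output is
       constructed, not captured from a real host.

```shell
#!/bin/sh
# Documented defaults for every boolean listed on this page (name=default).
DEFAULTS='allow_console_login=on allow_domain_fd_use=on allow_execmod=on
allow_kerberos=on allow_ptrace=off allow_user_postgresql_connect=off
allow_write_xshm=off allow_ypbind=off domain_kernel_load_modules=off
fips_mode=on global_ssp=off nscd_use_shm=on secure_mode=off
ssh_sysadm_login=off use_nfs_home_dirs=off use_samba_home_dirs=off
user_direct_dri=on user_direct_mouse=off user_rw_noexattrfile=on
user_setrlimit=on user_tcp_server=off xdm_sysadm_login=off
xserver_object_manager=off'

# Constructed sample of `getsebool -a` output (not captured from a real host);
# three values deviate from the documented defaults.
SAMPLE_GETSEBOOL='allow_console_login --> on
allow_execmod --> off
allow_kerberos --> on
allow_ptrace --> on
allow_write_xshm --> on
allow_ypbind --> off
httpd_enable_homedirs --> off
secure_mode --> off
user_direct_dri --> on'

# boolean_drift GETSEBOOL_OUTPUT
# Prints "name current default" for each documented boolean whose current
# value differs from the documented default. Booleans not on this page
# (here httpd_enable_homedirs) are ignored; documented booleans missing from
# the input are not reported.
boolean_drift() {
    printf '%s\n' "$1" | awk -v defaults="$DEFAULTS" '
        BEGIN {
            n = split(defaults, pairs, "[ \n]+")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # getsebool lines look like: name --> on|off
        ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# drift_count GETSEBOOL_OUTPUT: number of drifted booleans, for scripting.
drift_count() {
    boolean_drift "$1" | wc -l | tr -d ' '
}

# Audit a live host with:  boolean_drift "$(getsebool -a)"
boolean_drift "$SAMPLE_GETSEBOOL"
```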

MANAGED FILES

       The SELinux process type staff_execmem_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       cgroup_t

            /cgroup(/.*)?

       chrome_sandbox_tmpfs_t

       cifs_t

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gpg_agent_tmp_t

       iceauth_home_t

            /home/[^/]*/.DCOP.*
            /home/[^/]*/.ICEauthority.*
            /home/staff/.DCOP.*
            /home/staff/.ICEauthority.*

       initrc_tmp_t

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/imap(/.*)?

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?

       nfsd_rw_t

       noxattrfs

            all files on file systems which do not support extended attributes

       sandbox_file_t

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       security_t

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       usbfs_t

       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       user_fonts_t

            /home/[^/]*/.fonts(/.*)?
            /home/staff/.fonts(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       user_tmpfs_t

            /dev/shm/mono.*
            /dev/shm/pulse-shm.*

       xauth_home_t

            /root/.Xauth.*
            /root/.xauth.*
            /root/.serverauth.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]*/.xauth.*
            /home/[^/]*/.Xauthority.*
            /home/[^/]*/.serverauth.*
            /home/staff/.xauth.*
            /home/staff/.Xauthority.*
            /home/staff/.serverauth.*

       xdm_tmp_t

            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X0-lock

       xserver_tmpfs_t


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), staff_execmem(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

staff_execmem                      15-06-03           staff_execmem_selinux(8)