1staff_java_selinux(8) SELinux Policy staff_java staff_java_selinux(8)
2
6 staff_java_selinux - Security Enhanced Linux Policy for the staff_java
7 processes
8
10 Security-Enhanced Linux secures the staff_java processes via flexible
11 mandatory access control.
12 The staff_java processes execute with the staff_java_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16 For example:
18 ps -eZ | grep staff_java_t
20
24 The staff_java_t SELinux type can be entered via the java_exec_t,
25 user_home_t, xsession_exec_t file types.
26 The default entrypoint paths for the staff_java_t domain are the fol‐
28 lowing:
29 /usr/(.*/)?bin/java.*, /opt/(.*/)?bin/java[^/]*,
31 /usr/lib(.*/)?bin/java[^/]*, /usr/lib(64)?/eclipse/eclipse, /opt/mat‐
32 lab.*/bin.*/MATLAB.*, /usr/matlab.*/bin.*/MATLAB.*,
33 /usr/Aptana[^/]*/AptanaStudio, /opt/ibm/java.*/(bin|javaws)(/.*)?,
34 /usr/lib/opera(/.*)?/opera, /usr/lib/opera(/.*)?/works,
35 /usr/bin/octave-[^/]*, /usr/java/eclipse[^/]*/eclipse,
36 /usr/lib/jvm/java(.*/)bin(/.*)?, /opt/local/matlab.*/bin.*/MATLAB.*,
37 /usr/local/matlab.*/bin.*/MATLAB.*, /usr/lib64/jvm/java(.*/)bin(/.*)?,
38 /opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?,
39 /usr/bin/gij, /usr/bin/frysk, /usr/bin/grmic, /usr/bin/fastjar,
40 /usr/bin/gkeytool, /usr/bin/gcj-dbtool, /usr/bin/gjarsigner,
41 /usr/bin/jv-convert, /usr/bin/grmiregistry, /usr/bin/gappletviewer,
42 /home/[^/]*/.+, /home/staff/.+, /etc/kde3?/kdm/Xreset,
43 /etc/kde3?/kdm/Xstartup, /etc/kde3?/kdm/Xsession, /etc/X11/[wx]dm/Xre‐
44 set.*, /etc/X11/[wxg]dm/Xsession, /etc/X11/Xsession[^/]*,
45 /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*
46
48 SELinux defines process types (domains) for each process running on the
49 system
50 You can see the context of a process using the -Z option to ps
52 Policy governs the access confined processes have to files. SELinux
54 staff_java policy is very flexible allowing users to setup their
55 staff_java processes in as secure a method as possible.
56 The following process types are defined for staff_java:
58 staff_java_t
60 Note: semanage permissive -a staff_java_t can be used to make the
62 process type staff_java_t permissive. SELinux does not deny access to
63 permissive process types, but the AVC (SELinux denials) messages are
64 still generated.
65
68 SELinux policy is customizable based on least access required.
69 staff_java policy is extremely flexible and has several booleans that
70 allow you to manipulate the policy and run staff_java with the tightest
71 access possible.
72 If you want to allow direct login to the console device. Required for
76 System 390, you must turn on the allow_console_login boolean. Enabled
77 by default.
78 setsebool -P allow_console_login 1
80 If you want to allow all domains to use other domains file descriptors,
84 you must turn on the allow_domain_fd_use boolean. Enabled by default.
85 setsebool -P allow_domain_fd_use 1
87 If you want to allow all unconfined executables to use libraries
91 requiring text relocation that are not labeled textrel_shlib_t), you
92 must turn on the allow_execmod boolean. Enabled by default.
93 setsebool -P allow_execmod 1
95 If you want to allow confined applications to run with kerberos, you
99 must turn on the allow_kerberos boolean. Enabled by default.
100 setsebool -P allow_kerberos 1
102 If you want to allow sysadm to debug or ptrace all processes, you must
106 turn on the allow_ptrace boolean. Disabled by default.
107 setsebool -P allow_ptrace 1
109 If you want to allow users to connect to PostgreSQL, you must turn on
113 the allow_user_postgresql_connect boolean. Disabled by default.
114 setsebool -P allow_user_postgresql_connect 1
116 If you want to allows clients to write to the X server shared memory
120 segments, you must turn on the allow_write_xshm boolean. Disabled by
121 default.
122 setsebool -P allow_write_xshm 1
124 If you want to allow system to run with NIS, you must turn on the
128 allow_ypbind boolean. Disabled by default.
129 setsebool -P allow_ypbind 1
131 If you want to allow all domains to have the kernel load modules, you
135 must turn on the domain_kernel_load_modules boolean. Disabled by
136 default.
137 setsebool -P domain_kernel_load_modules 1
139 If you want to allow all domains to execute in fips_mode, you must turn
143 on the fips_mode boolean. Enabled by default.
144 setsebool -P fips_mode 1
146 If you want to enable reading of urandom for all domains, you must turn
150 on the global_ssp boolean. Disabled by default.
151 setsebool -P global_ssp 1
153 If you want to allow confined applications to use nscd shared memory,
157 you must turn on the nscd_use_shm boolean. Enabled by default.
158 setsebool -P nscd_use_shm 1
160 If you want to enabling secure mode disallows programs, such as new‐
164 role, from transitioning to administrative user domains, you must turn
165 on the secure_mode boolean. Disabled by default.
166 setsebool -P secure_mode 1
168 If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
172 the ssh_sysadm_login boolean. Disabled by default.
173 setsebool -P ssh_sysadm_login 1
175 If you want to support NFS home directories, you must turn on the
179 use_nfs_home_dirs boolean. Disabled by default.
180 setsebool -P use_nfs_home_dirs 1
182 If you want to support SAMBA home directories, you must turn on the
186 use_samba_home_dirs boolean. Disabled by default.
187 setsebool -P use_samba_home_dirs 1
189 If you want to allow regular users direct dri device access, you must
193 turn on the user_direct_dri boolean. Enabled by default.
194 setsebool -P user_direct_dri 1
196 If you want to allow regular users direct mouse access, you must turn
200 on the user_direct_mouse boolean. Disabled by default.
201 setsebool -P user_direct_mouse 1
203 If you want to allow user to r/w files on filesystems that do not have
207 extended attributes (FAT, CDROM, FLOPPY), you must turn on the
208 user_rw_noexattrfile boolean. Enabled by default.
209 setsebool -P user_rw_noexattrfile 1
211 If you want to allow user processes to change their priority, you must
215 turn on the user_setrlimit boolean. Enabled by default.
216 setsebool -P user_setrlimit 1
218 If you want to allow users to run TCP servers (bind to ports and accept
222 connection from the same domain and outside users) disabling this
223 forces FTP passive mode and may change other protocols, you must turn
224 on the user_tcp_server boolean. Disabled by default.
225 setsebool -P user_tcp_server 1
227 If you want to allow xdm logins as sysadm, you must turn on the
231 xdm_sysadm_login boolean. Disabled by default.
232 setsebool -P xdm_sysadm_login 1
234 If you want to support X userspace object manager, you must turn on the
238 xserver_object_manager boolean. Disabled by default.
239 setsebool -P xserver_object_manager 1
241
245 The SELinux process type staff_java_t can manage files labeled with the
246 following file types. The paths listed are the default paths for these
247 file types. Note the processes UID still need to have DAC permissions.
248 anon_inodefs_t
250 cgroup_t
253 /cgroup(/.*)?
255 chrome_sandbox_tmpfs_t
257 cifs_t
260 games_data_t
263 /var/games(/.*)?
265 /var/lib/games(/.*)?
266 gpg_agent_tmp_t
268 iceauth_home_t
271 /home/[^/]*/.DCOP.*
273 /home/[^/]*/.ICEauthority.*
274 /home/staff/.DCOP.*
275 /home/staff/.ICEauthority.*
276 initrc_tmp_t
278 mail_spool_t
281 /var/mail(/.*)?
283 /var/spool/mail(/.*)?
284 /var/spool/imap(/.*)?
285 mnt_t
287 /mnt(/[^/]*)
289 /mnt(/[^/]*)?
290 /rhev(/[^/]*)?
291 /media(/[^/]*)
292 /media(/[^/]*)?
293 /etc/rhgb(/.*)?
294 /media/.hal-.*
295 /net
296 /afs
297 /rhev
298 /misc
299 mqueue_spool_t
301 /var/spool/(client)?mqueue(/.*)?
303 nfsd_rw_t
305 noxattrfs
308 all files on file systems which do not support extended attributes
310 sandbox_file_t
312 sandbox_tmpfs_type
315 all sandbox content in tmpfs file systems
317 security_t
319 tmp_t
322 /tmp
324 /usr/tmp
325 /var/tmp
326 /tmp-inst
327 /var/tmp-inst
328 /var/tmp/vi.recover
329 usbfs_t
331 user_fonts_cache_t
334 /home/[^/]*/.fonts/auto(/.*)?
336 /home/[^/]*/.fontconfig(/.*)?
337 /home/[^/]*/.fonts.cache-.*
338 /home/staff/.fonts/auto(/.*)?
339 /home/staff/.fontconfig(/.*)?
340 /home/staff/.fonts.cache-.*
341 user_fonts_t
343 /home/[^/]*/.fonts(/.*)?
345 /home/staff/.fonts(/.*)?
346 user_home_type
348 all user home files
350 user_tmp_t
352 /tmp/gconfd-.*
354 /tmp/gconfd-staff
355 user_tmpfs_t
357 /dev/shm/mono.*
359 /dev/shm/pulse-shm.*
360 xauth_home_t
362 /root/.Xauth.*
364 /root/.xauth.*
365 /root/.serverauth.*
366 /var/lib/pqsql/.xauth.*
367 /var/lib/pqsql/.Xauthority.*
368 /var/lib/nxserver/home/.xauth.*
369 /var/lib/nxserver/home/.Xauthority.*
370 /home/[^/]*/.xauth.*
371 /home/[^/]*/.Xauthority.*
372 /home/[^/]*/.serverauth.*
373 /home/staff/.xauth.*
374 /home/staff/.Xauthority.*
375 /home/staff/.serverauth.*
376 xdm_tmp_t
378 /tmp/.X11-unix(/.*)?
380 /tmp/.ICE-unix(/.*)?
381 /tmp/.X0-lock
382 xserver_tmpfs_t
384
388 semanage fcontext can also be used to manipulate default file context
389 mappings.
390 semanage permissive can also be used to manipulate whether or not a
392 process type is permissive.
393 semanage module can also be used to enable/disable/install/remove pol‐
395 icy modules.
396 semanage boolean can also be used to manipulate the booleans
398 system-config-selinux is a GUI tool available to customize SELinux pol‐
401 icy settings.
402
405 This manual page was auto-generated using sepolicy manpage .
406
409 selinux(8), staff_java(8), semanage(8), restorecon(8), chcon(1) , set‐
410 sebool(8)
411staff_java 15-06-03 staff_java_selinux(8)