1staff_java_selinux(8) SELinux Policy staff_java staff_java_selinux(8)
2
3
4
6 staff_java_selinux - Security Enhanced Linux Policy for the staff_java
7 processes
8
10 Security-Enhanced Linux secures the staff_java processes via flexible
11 mandatory access control.
12
13 The staff_java processes execute with the staff_java_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep staff_java_t
20
21
22
24 The staff_java_t SELinux type can be entered via the java_exec_t,
25 user_home_t, xsession_exec_t file types.
26
27 The default entrypoint paths for the staff_java_t domain are the fol‐
28 lowing:
29
30 /usr/(.*/)?bin/java.*, /opt/(.*/)?bin/java[^/]*,
31 /usr/lib(.*/)?bin/java[^/]*, /usr/lib(64)?/eclipse/eclipse, /opt/mat‐
32 lab.*/bin.*/MATLAB.*, /usr/matlab.*/bin.*/MATLAB.*,
33 /usr/Aptana[^/]*/AptanaStudio, /opt/ibm/java.*/(bin|javaws)(/.*)?,
34 /usr/lib/opera(/.*)?/opera, /usr/lib/opera(/.*)?/works,
35 /usr/bin/octave-[^/]*, /usr/java/eclipse[^/]*/eclipse,
36 /usr/lib/jvm/java(.*/)bin(/.*)?, /opt/local/matlab.*/bin.*/MATLAB.*,
37 /usr/local/matlab.*/bin.*/MATLAB.*, /usr/lib64/jvm/java(.*/)bin(/.*)?,
38 /opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?,
39 /usr/bin/gij, /usr/bin/frysk, /usr/bin/grmic, /usr/bin/fastjar,
40 /usr/bin/gkeytool, /usr/bin/gcj-dbtool, /usr/bin/gjarsigner,
41 /usr/bin/jv-convert, /usr/bin/grmiregistry, /usr/bin/gappletviewer,
42 /home/[^/]*/.+, /home/staff/.+, /etc/kde3?/kdm/Xreset,
43 /etc/kde3?/kdm/Xstartup, /etc/kde3?/kdm/Xsession, /etc/X11/[wx]dm/Xre‐
44 set.*, /etc/X11/[wxg]dm/Xsession, /etc/X11/Xsession[^/]*,
45 /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*
46
48 SELinux defines process types (domains) for each process running on the
49 system
50
51 You can see the context of a process using the -Z option to ps
52
53 Policy governs the access confined processes have to files. SELinux
54 staff_java policy is very flexible allowing users to setup their
55 staff_java processes in as secure a method as possible.
56
57 The following process types are defined for staff_java:
58
59 staff_java_t
60
61 Note: semanage permissive -a staff_java_t can be used to make the
62 process type staff_java_t permissive. SELinux does not deny access to
63 permissive process types, but the AVC (SELinux denials) messages are
64 still generated.
65
66
68 SELinux policy is customizable based on least access required.
69 staff_java policy is extremely flexible and has several booleans that
70 allow you to manipulate the policy and run staff_java with the tightest
71 access possible.
72
73
74
75 If you want to allow direct login to the console device. Required for
76 System 390, you must turn on the allow_console_login boolean. Enabled
77 by default.
78
79 setsebool -P allow_console_login 1
80
81
82
83 If you want to allow all domains to use other domains file descriptors,
84 you must turn on the allow_domain_fd_use boolean. Enabled by default.
85
86 setsebool -P allow_domain_fd_use 1
87
88
89
90 If you want to allow all unconfined executables to use libraries
91 requiring text relocation that are not labeled textrel_shlib_t), you
92 must turn on the allow_execmod boolean. Enabled by default.
93
94 setsebool -P allow_execmod 1
95
96
97
98 If you want to allow confined applications to run with kerberos, you
99 must turn on the allow_kerberos boolean. Enabled by default.
100
101 setsebool -P allow_kerberos 1
102
103
104
105 If you want to allow sysadm to debug or ptrace all processes, you must
106 turn on the allow_ptrace boolean. Disabled by default.
107
108 setsebool -P allow_ptrace 1
109
110
111
112 If you want to allow users to connect to PostgreSQL, you must turn on
113 the allow_user_postgresql_connect boolean. Disabled by default.
114
115 setsebool -P allow_user_postgresql_connect 1
116
117
118
119 If you want to allows clients to write to the X server shared memory
120 segments, you must turn on the allow_write_xshm boolean. Disabled by
121 default.
122
123 setsebool -P allow_write_xshm 1
124
125
126
127 If you want to allow system to run with NIS, you must turn on the
128 allow_ypbind boolean. Disabled by default.
129
130 setsebool -P allow_ypbind 1
131
132
133
134 If you want to allow all domains to have the kernel load modules, you
135 must turn on the domain_kernel_load_modules boolean. Disabled by
136 default.
137
138 setsebool -P domain_kernel_load_modules 1
139
140
141
142 If you want to allow all domains to execute in fips_mode, you must turn
143 on the fips_mode boolean. Enabled by default.
144
145 setsebool -P fips_mode 1
146
147
148
149 If you want to enable reading of urandom for all domains, you must turn
150 on the global_ssp boolean. Disabled by default.
151
152 setsebool -P global_ssp 1
153
154
155
156 If you want to allow confined applications to use nscd shared memory,
157 you must turn on the nscd_use_shm boolean. Enabled by default.
158
159 setsebool -P nscd_use_shm 1
160
161
162
163 If you want to enabling secure mode disallows programs, such as new‐
164 role, from transitioning to administrative user domains, you must turn
165 on the secure_mode boolean. Disabled by default.
166
167 setsebool -P secure_mode 1
168
169
170
171 If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
172 the ssh_sysadm_login boolean. Disabled by default.
173
174 setsebool -P ssh_sysadm_login 1
175
176
177
178 If you want to support NFS home directories, you must turn on the
179 use_nfs_home_dirs boolean. Disabled by default.
180
181 setsebool -P use_nfs_home_dirs 1
182
183
184
185 If you want to support SAMBA home directories, you must turn on the
186 use_samba_home_dirs boolean. Disabled by default.
187
188 setsebool -P use_samba_home_dirs 1
189
190
191
192 If you want to allow regular users direct dri device access, you must
193 turn on the user_direct_dri boolean. Enabled by default.
194
195 setsebool -P user_direct_dri 1
196
197
198
199 If you want to allow regular users direct mouse access, you must turn
200 on the user_direct_mouse boolean. Disabled by default.
201
202 setsebool -P user_direct_mouse 1
203
204
205
206 If you want to allow user to r/w files on filesystems that do not have
207 extended attributes (FAT, CDROM, FLOPPY), you must turn on the
208 user_rw_noexattrfile boolean. Enabled by default.
209
210 setsebool -P user_rw_noexattrfile 1
211
212
213
214 If you want to allow user processes to change their priority, you must
215 turn on the user_setrlimit boolean. Enabled by default.
216
217 setsebool -P user_setrlimit 1
218
219
220
221 If you want to allow users to run TCP servers (bind to ports and accept
222 connection from the same domain and outside users) disabling this
223 forces FTP passive mode and may change other protocols, you must turn
224 on the user_tcp_server boolean. Disabled by default.
225
226 setsebool -P user_tcp_server 1
227
228
229
230 If you want to allow xdm logins as sysadm, you must turn on the
231 xdm_sysadm_login boolean. Disabled by default.
232
233 setsebool -P xdm_sysadm_login 1
234
235
236
237 If you want to support X userspace object manager, you must turn on the
238 xserver_object_manager boolean. Disabled by default.
239
240 setsebool -P xserver_object_manager 1
241
242
243
245 The SELinux process type staff_java_t can manage files labeled with the
246 following file types. The paths listed are the default paths for these
247 file types. Note the processes UID still need to have DAC permissions.
248
249 anon_inodefs_t
250
251
252 cgroup_t
253
254 /cgroup(/.*)?
255
256 chrome_sandbox_tmpfs_t
257
258
259 cifs_t
260
261
262 games_data_t
263
264 /var/games(/.*)?
265 /var/lib/games(/.*)?
266
267 gpg_agent_tmp_t
268
269
270 iceauth_home_t
271
272 /home/[^/]*/.DCOP.*
273 /home/[^/]*/.ICEauthority.*
274 /home/staff/.DCOP.*
275 /home/staff/.ICEauthority.*
276
277 initrc_tmp_t
278
279
280 mail_spool_t
281
282 /var/mail(/.*)?
283 /var/spool/mail(/.*)?
284 /var/spool/imap(/.*)?
285
286 mnt_t
287
288 /mnt(/[^/]*)
289 /mnt(/[^/]*)?
290 /rhev(/[^/]*)?
291 /media(/[^/]*)
292 /media(/[^/]*)?
293 /etc/rhgb(/.*)?
294 /media/.hal-.*
295 /net
296 /afs
297 /rhev
298 /misc
299
300 mqueue_spool_t
301
302 /var/spool/(client)?mqueue(/.*)?
303
304 nfsd_rw_t
305
306
307 noxattrfs
308
309 all files on file systems which do not support extended attributes
310
311 sandbox_file_t
312
313
314 sandbox_tmpfs_type
315
316 all sandbox content in tmpfs file systems
317
318 security_t
319
320
321 tmp_t
322
323 /tmp
324 /usr/tmp
325 /var/tmp
326 /tmp-inst
327 /var/tmp-inst
328 /var/tmp/vi.recover
329
330 usbfs_t
331
332
333 user_fonts_cache_t
334
335 /home/[^/]*/.fonts/auto(/.*)?
336 /home/[^/]*/.fontconfig(/.*)?
337 /home/[^/]*/.fonts.cache-.*
338 /home/staff/.fonts/auto(/.*)?
339 /home/staff/.fontconfig(/.*)?
340 /home/staff/.fonts.cache-.*
341
342 user_fonts_t
343
344 /home/[^/]*/.fonts(/.*)?
345 /home/staff/.fonts(/.*)?
346
347 user_home_type
348
349 all user home files
350
351 user_tmp_t
352
353 /tmp/gconfd-.*
354 /tmp/gconfd-staff
355
356 user_tmpfs_t
357
358 /dev/shm/mono.*
359 /dev/shm/pulse-shm.*
360
361 xauth_home_t
362
363 /root/.Xauth.*
364 /root/.xauth.*
365 /root/.serverauth.*
366 /var/lib/pqsql/.xauth.*
367 /var/lib/pqsql/.Xauthority.*
368 /var/lib/nxserver/home/.xauth.*
369 /var/lib/nxserver/home/.Xauthority.*
370 /home/[^/]*/.xauth.*
371 /home/[^/]*/.Xauthority.*
372 /home/[^/]*/.serverauth.*
373 /home/staff/.xauth.*
374 /home/staff/.Xauthority.*
375 /home/staff/.serverauth.*
376
377 xdm_tmp_t
378
379 /tmp/.X11-unix(/.*)?
380 /tmp/.ICE-unix(/.*)?
381 /tmp/.X0-lock
382
383 xserver_tmpfs_t
384
385
386
388 semanage fcontext can also be used to manipulate default file context
389 mappings.
390
391 semanage permissive can also be used to manipulate whether or not a
392 process type is permissive.
393
394 semanage module can also be used to enable/disable/install/remove pol‐
395 icy modules.
396
397 semanage boolean can also be used to manipulate the booleans
398
399
400 system-config-selinux is a GUI tool available to customize SELinux pol‐
401 icy settings.
402
403
405 This manual page was auto-generated using sepolicy manpage .
406
407
409 selinux(8), staff_java(8), semanage(8), restorecon(8), chcon(1) , set‐
410 sebool(8)
411
412
413
414staff_java 15-06-03 staff_java_selinux(8)