1staff_java_selinux(8)      SELinux Policy staff_java     staff_java_selinux(8)
2
3
4

NAME

6       staff_java_selinux  - Security Enhanced Linux Policy for the staff_java
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the staff_java processes  via  flexible
11       mandatory access control.
12
13       The  staff_java  processes  execute with the staff_java_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep staff_java_t
20
21
22

ENTRYPOINTS

24       The  staff_java_t  SELinux  type  can  be  entered via the java_exec_t,
25       user_home_t, xsession_exec_t file types.
26
27       The default entrypoint paths for the staff_java_t domain are  the  fol‐
28       lowing:
29
30       /usr/(.*/)?bin/java.*,                        /opt/(.*/)?bin/java[^/]*,
31       /usr/lib(.*/)?bin/java[^/]*,  /usr/lib(64)?/eclipse/eclipse,  /opt/mat‐
32       lab.*/bin.*/MATLAB.*,                     /usr/matlab.*/bin.*/MATLAB.*,
33       /usr/Aptana[^/]*/AptanaStudio,      /opt/ibm/java.*/(bin|javaws)(/.*)?,
34       /usr/lib/opera(/.*)?/opera,                 /usr/lib/opera(/.*)?/works,
35       /usr/bin/octave-[^/]*,                  /usr/java/eclipse[^/]*/eclipse,
36       /usr/lib/jvm/java(.*/)bin(/.*)?,    /opt/local/matlab.*/bin.*/MATLAB.*,
37       /usr/local/matlab.*/bin.*/MATLAB.*,  /usr/lib64/jvm/java(.*/)bin(/.*)?,
38       /opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?,
39       /usr/bin/gij,   /usr/bin/frysk,    /usr/bin/grmic,    /usr/bin/fastjar,
40       /usr/bin/gkeytool,       /usr/bin/gcj-dbtool,      /usr/bin/gjarsigner,
41       /usr/bin/jv-convert,   /usr/bin/grmiregistry,   /usr/bin/gappletviewer,
42       /home/[^/]*/.+,          /home/staff/.+,         /etc/kde3?/kdm/Xreset,
43       /etc/kde3?/kdm/Xstartup, /etc/kde3?/kdm/Xsession,  /etc/X11/[wx]dm/Xre‐
44       set.*,        /etc/X11/[wxg]dm/Xsession,        /etc/X11/Xsession[^/]*,
45       /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*
46

PROCESS TYPES

48       SELinux defines process types (domains) for each process running on the
49       system
50
51       You can see the context of a process using the -Z option to ps
52
53       Policy  governs  the  access confined processes have to files.  SELinux
54       staff_java policy is  very  flexible  allowing  users  to  setup  their
55       staff_java processes in as secure a method as possible.
56
57       The following process types are defined for staff_java:
58
59       staff_java_t
60
61       Note:  semanage  permissive  -a  staff_java_t  can  be used to make the
62       process type staff_java_t permissive. SELinux does not deny  access  to
63       permissive  process  types,  but the AVC (SELinux denials) messages are
64       still generated.
65
66

BOOLEANS

68       SELinux  policy  is  customizable  based  on  least  access   required.
69       staff_java  policy  is extremely flexible and has several booleans that
70       allow you to manipulate the policy and run staff_java with the tightest
71       access possible.
72
73
74
75       If  you  want to allow direct login to the console device. Required for
76       System 390, you must turn on the allow_console_login  boolean.  Enabled
77       by default.
78
79       setsebool -P allow_console_login 1
80
81
82
83       If you want to allow all domains to use other domains file descriptors,
84       you must turn on the allow_domain_fd_use boolean. Enabled by default.
85
86       setsebool -P allow_domain_fd_use 1
87
88
89
90       If you want to  allow  all  unconfined  executables  to  use  libraries
91       requiring  text  relocation  that are not labeled textrel_shlib_t), you
92       must turn on the allow_execmod boolean. Enabled by default.
93
94       setsebool -P allow_execmod 1
95
96
97
98       If you want to allow confined applications to run  with  kerberos,  you
99       must turn on the allow_kerberos boolean. Enabled by default.
100
101       setsebool -P allow_kerberos 1
102
103
104
105       If  you want to allow sysadm to debug or ptrace all processes, you must
106       turn on the allow_ptrace boolean. Disabled by default.
107
108       setsebool -P allow_ptrace 1
109
110
111
112       If you want to allow users to connect to PostgreSQL, you must  turn  on
113       the allow_user_postgresql_connect boolean. Disabled by default.
114
115       setsebool -P allow_user_postgresql_connect 1
116
117
118
119       If  you  want  to allows clients to write to the X server shared memory
120       segments, you must turn on the allow_write_xshm  boolean.  Disabled  by
121       default.
122
123       setsebool -P allow_write_xshm 1
124
125
126
127       If  you  want  to  allow  system  to run with NIS, you must turn on the
128       allow_ypbind boolean. Disabled by default.
129
130       setsebool -P allow_ypbind 1
131
132
133
134       If you want to allow all domains to have the kernel load  modules,  you
135       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
136       default.
137
138       setsebool -P domain_kernel_load_modules 1
139
140
141
142       If you want to allow all domains to execute in fips_mode, you must turn
143       on the fips_mode boolean. Enabled by default.
144
145       setsebool -P fips_mode 1
146
147
148
149       If you want to enable reading of urandom for all domains, you must turn
150       on the global_ssp boolean. Disabled by default.
151
152       setsebool -P global_ssp 1
153
154
155
156       If you want to allow confined applications to use nscd  shared  memory,
157       you must turn on the nscd_use_shm boolean. Enabled by default.
158
159       setsebool -P nscd_use_shm 1
160
161
162
163       If  you  want  to enabling secure mode disallows programs, such as new‐
164       role, from transitioning to administrative user domains, you must  turn
165       on the secure_mode boolean. Disabled by default.
166
167       setsebool -P secure_mode 1
168
169
170
171       If  you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
172       the ssh_sysadm_login boolean. Disabled by default.
173
174       setsebool -P ssh_sysadm_login 1
175
176
177
178       If you want to support NFS home  directories,  you  must  turn  on  the
179       use_nfs_home_dirs boolean. Disabled by default.
180
181       setsebool -P use_nfs_home_dirs 1
182
183
184
185       If  you  want  to  support SAMBA home directories, you must turn on the
186       use_samba_home_dirs boolean. Disabled by default.
187
188       setsebool -P use_samba_home_dirs 1
189
190
191
192       If you want to allow regular users direct dri device access,  you  must
193       turn on the user_direct_dri boolean. Enabled by default.
194
195       setsebool -P user_direct_dri 1
196
197
198
199       If  you  want to allow regular users direct mouse access, you must turn
200       on the user_direct_mouse boolean. Disabled by default.
201
202       setsebool -P user_direct_mouse 1
203
204
205
206       If you want to allow user to r/w files on filesystems that do not  have
207       extended  attributes  (FAT,  CDROM,  FLOPPY),  you  must  turn  on  the
208       user_rw_noexattrfile boolean. Enabled by default.
209
210       setsebool -P user_rw_noexattrfile 1
211
212
213
214       If you want to allow user processes to change their priority, you  must
215       turn on the user_setrlimit boolean. Enabled by default.
216
217       setsebool -P user_setrlimit 1
218
219
220
221       If you want to allow users to run TCP servers (bind to ports and accept
222       connection from the same domain  and  outside  users)   disabling  this
223       forces  FTP  passive mode and may change other protocols, you must turn
224       on the user_tcp_server boolean. Disabled by default.
225
226       setsebool -P user_tcp_server 1
227
228
229
230       If you want to allow xdm  logins  as  sysadm,  you  must  turn  on  the
231       xdm_sysadm_login boolean. Disabled by default.
232
233       setsebool -P xdm_sysadm_login 1
234
235
236
237       If you want to support X userspace object manager, you must turn on the
238       xserver_object_manager boolean. Disabled by default.
239
240       setsebool -P xserver_object_manager 1
241
242
243

MANAGED FILES

245       The SELinux process type staff_java_t can manage files labeled with the
246       following file types.  The paths listed are the default paths for these
247       file types.  Note the processes UID still need to have DAC permissions.
248
249       anon_inodefs_t
250
251
252       cgroup_t
253
254            /cgroup(/.*)?
255
256       chrome_sandbox_tmpfs_t
257
258
259       cifs_t
260
261
262       games_data_t
263
264            /var/games(/.*)?
265            /var/lib/games(/.*)?
266
267       gpg_agent_tmp_t
268
269
270       iceauth_home_t
271
272            /home/[^/]*/.DCOP.*
273            /home/[^/]*/.ICEauthority.*
274            /home/staff/.DCOP.*
275            /home/staff/.ICEauthority.*
276
277       initrc_tmp_t
278
279
280       mail_spool_t
281
282            /var/mail(/.*)?
283            /var/spool/mail(/.*)?
284            /var/spool/imap(/.*)?
285
286       mnt_t
287
288            /mnt(/[^/]*)
289            /mnt(/[^/]*)?
290            /rhev(/[^/]*)?
291            /media(/[^/]*)
292            /media(/[^/]*)?
293            /etc/rhgb(/.*)?
294            /media/.hal-.*
295            /net
296            /afs
297            /rhev
298            /misc
299
300       mqueue_spool_t
301
302            /var/spool/(client)?mqueue(/.*)?
303
304       nfsd_rw_t
305
306
307       noxattrfs
308
309            all files on file systems which do not support extended attributes
310
311       sandbox_file_t
312
313
314       sandbox_tmpfs_type
315
316            all sandbox content in tmpfs file systems
317
318       security_t
319
320
321       tmp_t
322
323            /tmp
324            /usr/tmp
325            /var/tmp
326            /tmp-inst
327            /var/tmp-inst
328            /var/tmp/vi.recover
329
330       usbfs_t
331
332
333       user_fonts_cache_t
334
335            /home/[^/]*/.fonts/auto(/.*)?
336            /home/[^/]*/.fontconfig(/.*)?
337            /home/[^/]*/.fonts.cache-.*
338            /home/staff/.fonts/auto(/.*)?
339            /home/staff/.fontconfig(/.*)?
340            /home/staff/.fonts.cache-.*
341
342       user_fonts_t
343
344            /home/[^/]*/.fonts(/.*)?
345            /home/staff/.fonts(/.*)?
346
347       user_home_type
348
349            all user home files
350
351       user_tmp_t
352
353            /tmp/gconfd-.*
354            /tmp/gconfd-staff
355
356       user_tmpfs_t
357
358            /dev/shm/mono.*
359            /dev/shm/pulse-shm.*
360
361       xauth_home_t
362
363            /root/.Xauth.*
364            /root/.xauth.*
365            /root/.serverauth.*
366            /var/lib/pqsql/.xauth.*
367            /var/lib/pqsql/.Xauthority.*
368            /var/lib/nxserver/home/.xauth.*
369            /var/lib/nxserver/home/.Xauthority.*
370            /home/[^/]*/.xauth.*
371            /home/[^/]*/.Xauthority.*
372            /home/[^/]*/.serverauth.*
373            /home/staff/.xauth.*
374            /home/staff/.Xauthority.*
375            /home/staff/.serverauth.*
376
377       xdm_tmp_t
378
379            /tmp/.X11-unix(/.*)?
380            /tmp/.ICE-unix(/.*)?
381            /tmp/.X0-lock
382
383       xserver_tmpfs_t
384
385
386

COMMANDS

388       semanage fcontext can also be used to manipulate default  file  context
389       mappings.
390
391       semanage  permissive  can  also  be used to manipulate whether or not a
392       process type is permissive.
393
394       semanage module can also be used to enable/disable/install/remove  pol‐
395       icy modules.
396
397       semanage boolean can also be used to manipulate the booleans
398
399
400       system-config-selinux is a GUI tool available to customize SELinux pol‐
401       icy settings.
402
403

AUTHOR

405       This manual page was auto-generated using sepolicy manpage .
406
407

SEE ALSO

409       selinux(8), staff_java(8), semanage(8), restorecon(8), chcon(1) ,  set‐
410       sebool(8)
411
412
413
414staff_java                         15-06-03              staff_java_selinux(8)
Impressum