staff_wine_selinux(8) SELinux Policy staff_wine staff_wine_selinux(8)


NAME
staff_wine_selinux - Security Enhanced Linux Policy for the staff_wine processes

DESCRIPTION
Security-Enhanced Linux secures the staff_wine processes via flexible
mandatory access control.

The staff_wine processes execute with the staff_wine_t SELinux type.
You can check if you have these processes running by executing the ps
command with the -Z qualifier.

For example:

ps -eZ | grep staff_wine_t


ENTRYPOINTS
The staff_wine_t SELinux type can be entered via the user_home_t,
wine_exec_t, xsession_exec_t file types.

The default entrypoint paths for the staff_wine_t domain are the
following:

/home/[^/]*/.+, /home/staff/.+, /usr/bin/wine.*,
/opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*,
/opt/google/picasa(/.*)?/bin/msiexec,
/opt/google/picasa(/.*)?/bin/notepad,
/opt/google/picasa(/.*)?/bin/progman,
/opt/google/picasa(/.*)?/bin/regedit,
/opt/google/picasa(/.*)?/bin/regsvr32,
/opt/google/picasa(/.*)?/Picasa3/.*exe,
/opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*,
/opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad,
/usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller,
/home/[^/]*/cxoffice/bin/wine.+, /home/staff/cxoffice/bin/wine.+,
/etc/kde3?/kdm/Xreset, /etc/kde3?/kdm/Xstartup, /etc/kde3?/kdm/Xsession,
/etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession,
/etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*
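The two checks implied by the DESCRIPTION and ENTRYPOINTS text, as an added shell example that is not part of the sepolicy-generated page: list the processes running in staff_wine_t from ps -eZ output, and test whether a binary path matches one of the domain's default entrypoint patterns. The ps -eZ lines are a constructed sample (on a real host, replace PS_SAMPLE with the live command), and ENTRYPOINT_PATTERNS is a subset of the list above; each file_contexts regular expression is anchored at both ends, which is how file context patterns are applied.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Two checks: which running processes are in staff_wine_t, and whether a
# given binary path matches a default entrypoint pattern of the domain.

# Subset of the default entrypoint patterns listed in ENTRYPOINTS
# (file_contexts regular expressions, implicitly anchored at both ends).
ENTRYPOINT_PATTERNS='/home/[^/]*/.+
/usr/bin/wine.*
/usr/bin/msiexec
/usr/bin/notepad
/usr/bin/regedit
/usr/bin/regsvr32
/usr/bin/uninstaller
/opt/cxoffice/bin/wine.*
/opt/google/picasa(/.*)?/bin/wine.*
/home/[^/]*/cxoffice/bin/wine.+
/etc/X11/Xsession[^/]*'

# Constructed sample in the layout of `ps -eZ` (context, PID, TTY, TIME, CMD).
# On a live host use:  ps -eZ
PS_SAMPLE='LABEL PID TTY TIME CMD
staff_u:staff_r:staff_t:s0-s0:c0.c1023 2101 pts/0 00:00:00 bash
staff_u:staff_r:staff_wine_t:s0-s0:c0.c1023 2210 pts/0 00:00:03 wine
staff_u:staff_r:staff_wine_t:s0-s0:c0.c1023 2215 pts/0 00:00:00 wineserver
staff_u:staff_r:staff_t:s0-s0:c0.c1023 2230 pts/1 00:00:00 staff_wine_tool
system_u:system_r:xserver_t:s0-s0:c0.c1023 1330 tty7 00:01:12 Xorg'

# entrypoint_regex: join the patterns into one anchored ERE alternation,
# ^(p1|p2|...)$, so that a path must match a whole pattern, not a substring.
entrypoint_regex() {
    printf '^(%s)$\n' "$(printf '%s' "$ENTRYPOINT_PATTERNS" | tr '\n' '|')"
}

# is_entrypoint PATH: exit status 0 if PATH matches a pattern, 1 otherwise.
is_entrypoint() {
    printf '%s\n' "$1" | grep -Eq "$(entrypoint_regex)"
}

# entrypoint_verdict PATH: prints "entrypoint" or "not-entrypoint"; always exits 0.
entrypoint_verdict() {
    if is_entrypoint "$1"; then echo entrypoint; else echo not-entrypoint; fi
}

# domain_pids DOMAIN: print the PIDs whose context *type* field equals DOMAIN.
# Splitting the context on ':' is stricter than `grep staff_wine_t`, which is a
# substring match: it would also select PID 2230 above, whose command name
# contains the string although its type is staff_t.
domain_pids() {
    printf '%s\n' "$PS_SAMPLE" | awk -v dom="$1" '
        NR > 1 { split($1, ctx, ":"); if (ctx[3] == dom) print $2 }'
}

# Demonstration on the constructed sample.
echo "processes in staff_wine_t: $(domain_pids staff_wine_t | tr '\n' ' ')"
for p in /usr/bin/winecfg /usr/local/bin/wine /home/alice/tools/run.exe \
         /etc/X11/Xsession /etc/X11/Xsession.d/50x; do
    echo "$p: $(entrypoint_verdict "$p")"
done
```

Note the first pattern, /home/[^/]*/.+: it is the default path of user_home_t, which is one of the listed entry types, so any file under a home directory that carries that label qualifies as an entrypoint, whereas /usr/local/bin/wine, which matches no listed pattern, does not. The page's `grep staff_wine_t` is a quick check, but because it is a substring match it also hits command names or types that merely contain the string, which is why the example compares the type field exactly.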

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
staff_wine policy is very flexible, allowing users to set up their
staff_wine processes in as secure a method as possible.

The following process types are defined for staff_wine:

staff_wine_t

Note: semanage permissive -a staff_wine_t can be used to make the
process type staff_wine_t permissive. SELinux does not deny access to
permissive process types, but the AVC (SELinux denials) messages are
still generated.

BOOLEANS
SELinux policy is customizable based on least access required.
staff_wine policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run staff_wine with the tightest
access possible.

If you want to allow direct login to the console device (required for
System 390), you must turn on the allow_console_login boolean. Enabled
by default.

setsebool -P allow_console_login 1

If you want to allow all domains to use other domains' file descriptors,
you must turn on the allow_domain_fd_use boolean. Enabled by default.

setsebool -P allow_domain_fd_use 1

If you want to allow all unconfined executables to use libraries
requiring text relocation that are not labeled textrel_shlib_t, you
must turn on the allow_execmod boolean. Enabled by default.

setsebool -P allow_execmod 1

If you want to allow confined applications to run with Kerberos, you
must turn on the allow_kerberos boolean. Enabled by default.

setsebool -P allow_kerberos 1

If you want to allow sysadm to debug or ptrace all processes, you must
turn on the allow_ptrace boolean. Disabled by default.

setsebool -P allow_ptrace 1

If you want to allow users to connect to PostgreSQL, you must turn on
the allow_user_postgresql_connect boolean. Disabled by default.

setsebool -P allow_user_postgresql_connect 1

If you want to allow clients to write to the X server shared memory
segments, you must turn on the allow_write_xshm boolean. Disabled by
default.

setsebool -P allow_write_xshm 1

If you want to allow the system to run with NIS, you must turn on the
allow_ypbind boolean. Disabled by default.

setsebool -P allow_ypbind 1

If you want to allow all domains to have the kernel load modules, you
must turn on the domain_kernel_load_modules boolean. Disabled by
default.

setsebool -P domain_kernel_load_modules 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to enable reading of urandom for all domains, you must turn
on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1

If you want to allow certain domains to map low memory in the kernel,
you must turn on the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Enabled by default.

setsebool -P nscd_use_shm 1

If you want to enable secure mode, which disallows programs such as
newrole from transitioning to administrative user domains, you must turn
on the secure_mode boolean. Disabled by default.

setsebool -P secure_mode 1

If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
the ssh_sysadm_login boolean. Disabled by default.

setsebool -P ssh_sysadm_login 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

If you want to allow regular users direct dri device access, you must
turn on the user_direct_dri boolean. Enabled by default.

setsebool -P user_direct_dri 1

If you want to allow regular users direct mouse access, you must turn
on the user_direct_mouse boolean. Disabled by default.

setsebool -P user_direct_mouse 1

If you want to allow users to read and write files on filesystems that
do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
the user_rw_noexattrfile boolean. Enabled by default.

setsebool -P user_rw_noexattrfile 1

If you want to allow user processes to change their priority, you must
turn on the user_setrlimit boolean. Enabled by default.

setsebool -P user_setrlimit 1

If you want to allow users to run TCP servers (bind to ports and accept
connections from the same domain and outside users), you must turn on
the user_tcp_server boolean. Disabling this forces FTP passive mode and
may change other protocols. Disabled by default.

setsebool -P user_tcp_server 1

If you want to ignore wine mmap_zero errors, you must turn on the
wine_mmap_zero_ignore boolean. Disabled by default.

setsebool -P wine_mmap_zero_ignore 1

If you want to allow xdm logins as sysadm, you must turn on the
xdm_sysadm_login boolean. Disabled by default.

setsebool -P xdm_sysadm_login 1

If you want to support the X userspace object manager, you must turn on
the xserver_object_manager boolean. Disabled by default.

setsebool -P xserver_object_manager 1
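Each boolean above widens or narrows what staff_wine_t (and, for the global ones, every other domain) may do, so a practitioner usually wants to know which of them differ from their documented defaults. The following shell script is an added example, not part of the generated page: it compares getsebool -a output against the "Enabled/Disabled by default" values stated above and prints the setsebool -P commands that would restore them. The getsebool output here is a constructed sample, and unlisted_example_bool is a made-up name included only to show that booleans this page does not cover are ignored.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Compare the current state of the booleans listed under BOOLEANS with the
# defaults the page documents, and emit the setsebool -P commands that would
# restore them. SAMPLE_GETSEBOOL is constructed text in the format of
# `getsebool -a` ("name --> on|off"); on a real host pipe the live command
# into boolean_drift instead.

# Boolean name and its "Enabled/Disabled by default" value from the page.
DOCUMENTED_DEFAULTS='allow_console_login on
allow_domain_fd_use on
allow_execmod on
allow_kerberos on
allow_ptrace off
allow_user_postgresql_connect off
allow_write_xshm off
allow_ypbind off
domain_kernel_load_modules off
fips_mode on
global_ssp off
mmap_low_allowed off
nscd_use_shm on
secure_mode off
ssh_sysadm_login off
use_nfs_home_dirs off
use_samba_home_dirs off
user_direct_dri on
user_direct_mouse off
user_rw_noexattrfile on
user_setrlimit on
user_tcp_server off
wine_mmap_zero_ignore off
xdm_sysadm_login off
xserver_object_manager off'

# Constructed sample: allow_ptrace, fips_mode and user_tcp_server deliberately
# deviate from the defaults; unlisted_example_bool is a made-up name that is
# not on the page and must be ignored.
SAMPLE_GETSEBOOL='allow_console_login --> on
allow_domain_fd_use --> on
allow_execmod --> on
allow_kerberos --> on
allow_ptrace --> on
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_ypbind --> off
domain_kernel_load_modules --> off
fips_mode --> off
global_ssp --> off
mmap_low_allowed --> off
nscd_use_shm --> on
secure_mode --> off
ssh_sysadm_login --> off
unlisted_example_bool --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_dri --> on
user_direct_mouse --> off
user_rw_noexattrfile --> on
user_setrlimit --> on
user_tcp_server --> on
wine_mmap_zero_ignore --> off
xdm_sysadm_login --> off
xserver_object_manager --> off'

# boolean_drift: reads getsebool output on stdin and prints one line per
# documented boolean whose state differs from its default:
#   <name> current=<state> default=<state>
# Defaults are tagged "D" and live lines "C" so a single awk pass can join them.
boolean_drift() {
    {
        printf '%s\n' "$DOCUMENTED_DEFAULTS" | sed 's/^/D /'
        sed 's/^/C /'
    } | awk '
        $1 == "D" { def[$2] = $3; next }
        $1 == "C" && ($2 in def) && $4 != def[$2] {
            printf "%s current=%s default=%s\n", $2, $4, def[$2]
        }'
}

# restore_commands: same stdin; prints, for each drifted boolean, the
# persistent setsebool -P invocation (the form used throughout this page)
# that puts it back to the documented default.
restore_commands() {
    boolean_drift | awk '{ sub(/^default=/, "", $3); printf "setsebool -P %s %s\n", $1, $3 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | restore_commands
```

On a live host, `getsebool -a | boolean_drift` reports the drift and `getsebool -a | restore_commands` prints (but does not run) the commands; setsebool -P needs root and rewrites the persistent boolean state, so reviewing the printed list before applying it is the intended workflow. Drift in the booleans that are "Disabled by default" for a reason, such as allow_ptrace or user_tcp_server, is the kind of finding that deserves a second look, since those booleans loosen policy for every domain on the system, not only staff_wine_t.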


MANAGED FILES
The SELinux process type staff_wine_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC permissions.

anon_inodefs_t

cgroup_t

/cgroup(/.*)?

chrome_sandbox_tmpfs_t

cifs_t

games_data_t

/var/games(/.*)?
/var/lib/games(/.*)?

gpg_agent_tmp_t

iceauth_home_t

/home/[^/]*/.DCOP.*
/home/[^/]*/.ICEauthority.*
/home/staff/.DCOP.*
/home/staff/.ICEauthority.*

initrc_tmp_t

mail_spool_t

/var/mail(/.*)?
/var/spool/mail(/.*)?
/var/spool/imap(/.*)?

mnt_t

/mnt(/[^/]*)
/mnt(/[^/]*)?
/rhev(/[^/]*)?
/media(/[^/]*)
/media(/[^/]*)?
/etc/rhgb(/.*)?
/media/.hal-.*
/net
/afs
/rhev
/misc

mqueue_spool_t

/var/spool/(client)?mqueue(/.*)?

nfsd_rw_t

noxattrfs

all files on file systems which do not support extended attributes

sandbox_file_t

sandbox_tmpfs_type

all sandbox content in tmpfs file systems

security_t

tmp_t

/tmp
/usr/tmp
/var/tmp
/tmp-inst
/var/tmp-inst
/var/tmp/vi.recover

usbfs_t

user_fonts_cache_t

/home/[^/]*/.fonts/auto(/.*)?
/home/[^/]*/.fontconfig(/.*)?
/home/[^/]*/.fonts.cache-.*
/home/staff/.fonts/auto(/.*)?
/home/staff/.fontconfig(/.*)?
/home/staff/.fonts.cache-.*

user_fonts_t

/home/[^/]*/.fonts(/.*)?
/home/staff/.fonts(/.*)?

user_home_type

all user home files

user_tmp_t

/tmp/gconfd-.*
/tmp/gconfd-staff

user_tmpfs_t

/dev/shm/mono.*
/dev/shm/pulse-shm.*

xauth_home_t

/root/.Xauth.*
/root/.xauth.*
/root/.serverauth.*
/var/lib/pqsql/.xauth.*
/var/lib/pqsql/.Xauthority.*
/var/lib/nxserver/home/.xauth.*
/var/lib/nxserver/home/.Xauthority.*
/home/[^/]*/.xauth.*
/home/[^/]*/.Xauthority.*
/home/[^/]*/.serverauth.*
/home/staff/.xauth.*
/home/staff/.Xauthority.*
/home/staff/.serverauth.*

xdm_tmp_t

/tmp/.X11-unix(/.*)?
/tmp/.ICE-unix(/.*)?
/tmp/.X0-lock

xserver_tmpfs_t

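A label check over the MANAGED FILES table, as an added shell example that is not from the page: given ls -Zd style lines (security context followed by the path, as current GNU coreutils prints them; the lines below are a constructed sample), it looks up which of the listed file types' default patterns match each path and flags files whose current type is not among them. Only a subset of the patterns above is included, so a path outside that subset is reported as unlisted rather than wrong; where two patterns overlap, as user_fonts_t and user_fonts_cache_t do under ~/.fonts/auto, either type is accepted because the page does not say which pattern takes precedence.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Check file labels against the default paths of the managed file types:
# for each "context path" line (the layout of `ls -Zd`), find the listed
# types whose anchored pattern matches the path and compare with the type
# actually carried by the file.

# "type pattern" pairs, a subset of the MANAGED FILES table above.
MANAGED_PATTERNS='user_tmp_t /tmp/gconfd-.*
xauth_home_t /home/[^/]*/.Xauthority.*
xauth_home_t /home/[^/]*/.xauth.*
iceauth_home_t /home/[^/]*/.ICEauthority.*
user_fonts_t /home/[^/]*/.fonts(/.*)?
user_fonts_cache_t /home/[^/]*/.fonts/auto(/.*)?
xdm_tmp_t /tmp/.X11-unix(/.*)?
mail_spool_t /var/spool/mail(/.*)?
user_tmpfs_t /dev/shm/pulse-shm.*'

# Constructed sample in the layout of `ls -Zd` (context, then path).
# On a live host something like:  find /home /tmp -exec ls -Zd {} +
SAMPLE_LS_Z='staff_u:object_r:user_tmp_t:s0 /tmp/gconfd-staff
staff_u:object_r:user_home_t:s0 /home/staff/.Xauthority
staff_u:object_r:user_fonts_cache_t:s0 /home/staff/.fonts/auto/cache.dat
system_u:object_r:mail_spool_t:s0 /var/spool/mail/staff
staff_u:object_r:user_home_t:s0 /home/staff/Documents/notes.txt
system_u:object_r:tmp_t:s0 /tmp/.X11-unix/X0'

# expected_types PATH: print every type whose pattern matches PATH, one per
# line (empty if no listed pattern matches). awk uses POSIX EREs, the same
# syntax as file_contexts patterns, and "^...$" anchors each one.
expected_types() {
    printf '%s\n' "$MANAGED_PATTERNS" |
        awk -v p="$1" '$2 != "" && p ~ ("^" $2 "$") { print $1 }'
}

# label_check: reads "context path" lines on stdin and prints one line each:
#   ok <path> <type>            type is one of the expected types
#   mismatch <path> <type> ...  type differs from every expected type
#   unlisted <path> <type>      no listed pattern covers the path
label_check() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        type=$(printf '%s' "$ctx" | cut -d: -f3)   # user:role:TYPE:level
        exp=$(expected_types "$path")
        if [ -z "$exp" ]; then
            echo "unlisted $path $type"
        elif printf '%s\n' "$exp" | grep -qx "$type"; then
            echo "ok $path $type"
        else
            echo "mismatch $path $type (expected: $(printf '%s' "$exp" | tr '\n' ' '))"
        fi
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LS_Z" | label_check
```

In the sample, ~/.Xauthority carrying user_home_t instead of xauth_home_t and /tmp/.X11-unix/X0 carrying tmp_t instead of xdm_tmp_t are the two mismatches; a file labeled that way is a file staff_wine_t may be able to reach through the broader user_home_type or tmp_t permissions rather than through the narrower type the policy intends. The script only reports; restorecon(8), listed under SEE ALSO, is the tool that resets a label to its default context.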

COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove policy
modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy
settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1), setsebool(8)


staff_wine 15-06-03 staff_wine_selinux(8)