unconfined_java_selinux(8)     SELinux Policy unconfined_java     unconfined_java_selinux(8)

NAME

       unconfined_java_selinux - Security Enhanced Linux Policy for the
       unconfined_java processes


DESCRIPTION

       Security-Enhanced Linux secures the unconfined_java processes via
       flexible mandatory access control.

       The unconfined_java processes execute with the unconfined_java_t SELinux
       type. You can check if you have these processes running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep unconfined_java_t


ENTRYPOINTS

       The unconfined_java_t SELinux type can be entered via the file_type,
       java_exec_t, unlabeled_t, proc_type, filesystem_type, mtrr_device_t,
       sysctl_type file types.

       The default entrypoint paths for the unconfined_java_t domain are the
       following:

       all files on the system,
       /usr/(.*/)?bin/java.*,
       /opt/(.*/)?bin/java[^/]*,
       /usr/lib(.*/)?bin/java[^/]*,
       /usr/lib(64)?/eclipse/eclipse,
       /opt/matlab.*/bin.*/MATLAB.*,
       /usr/matlab.*/bin.*/MATLAB.*,
       /usr/Aptana[^/]*/AptanaStudio,
       /opt/ibm/java.*/(bin|javaws)(/.*)?,
       /usr/lib/opera(/.*)?/opera,
       /usr/lib/opera(/.*)?/works,
       /usr/bin/octave-[^/]*,
       /usr/java/eclipse[^/]*/eclipse,
       /usr/lib/jvm/java(.*/)bin(/.*)?,
       /opt/local/matlab.*/bin.*/MATLAB.*,
       /usr/local/matlab.*/bin.*/MATLAB.*,
       /usr/lib64/jvm/java(.*/)bin(/.*)?,
       /opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?,
       /usr/bin/gij,
       /usr/bin/frysk,
       /usr/bin/grmic,
       /usr/bin/fastjar,
       /usr/bin/gkeytool,
       /usr/bin/gcj-dbtool,
       /usr/bin/gjarsigner,
       /usr/bin/jv-convert,
       /usr/bin/grmiregistry,
       /usr/bin/gappletviewer,
       /dev/cpu/mtrr


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       unconfined_java policy is very flexible, allowing users to set up their
       unconfined_java processes as securely as possible.

       The following process types are defined for unconfined_java:

       unconfined_java_t

       Note: semanage permissive -a unconfined_java_t can be used to make the
       process type unconfined_java_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denials) messages are
       still generated.


BOOLEANS

       SELinux policy is customizable based on least access required.
       unconfined_java policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run unconfined_java with
       the tightest access possible.

       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the allow_execheap boolean. Doing this is
       a really bad idea: it probably indicates a badly coded executable, but
       could indicate an attack, and the executable should be reported in
       bugzilla. Disabled by default.

       setsebool -P allow_execheap 1

       If you want to allow unconfined executables to map a memory region as
       both executable and writable, you must turn on the allow_execmem
       boolean. This is dangerous, and the executable should be reported in
       bugzilla. Enabled by default.

       setsebool -P allow_execmem 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the allow_execstack boolean. This should
       never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P allow_execstack 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to transition to confined nsplugin domains from the
       unconfined user, you must turn on the
       allow_unconfined_nsplugin_transition boolean. Disabled by default.

       setsebool -P allow_unconfined_nsplugin_transition 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow certain domains to map low memory in the kernel,
       you must turn on the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1

       If you want to prevent the system from loading policy, setting
       enforcing mode, and changing boolean values, you must turn on the
       secure_mode_policyload boolean. Once set to true, you have to reboot to
       set it back. Disabled by default.

       setsebool -P secure_mode_policyload 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to allow unconfined users to transition to the Mozilla
       plugin domain when running xulrunner plugin-container, you must turn on
       the unconfined_mozilla_plugin_transition boolean. Enabled by default.

       setsebool -P unconfined_mozilla_plugin_transition 1

       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1

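       The following script is an added example, not part of the generated man
       page: it parses constructed `getsebool -a` and `ps -eZ` output (the
       check the DESCRIPTION section describes), reports which of the booleans
       this page calls dangerous (allow_execheap, allow_execmem, allow_execmod,
       allow_execstack) are on, and prints the setsebool commands that would
       tighten them. The sample values and function names are constructed.

```shell
#!/bin/sh
# Added example (not part of the generated man page): audit the memory-execution
# booleans this page calls dangerous and list processes running as unconfined_java_t.
# Inputs are constructed `getsebool -a` / `ps -eZ` samples; on a real host pass live output.

# Booleans the page says point to a badly coded executable or an attack when needed.
RISKY_BOOLEANS="allow_execheap allow_execmem allow_execmod allow_execstack"

sample_getsebool() {  # constructed `getsebool -a` output: "<name> --> on|off"
    cat <<'EOF'
allow_console_login --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_ptrace --> off
EOF
}

sample_ps() {  # constructed `ps -eZ` output; the label is user:role:type:level
    cat <<'EOF'
LABEL                                          PID TTY      TIME     CMD
system_u:system_r:init_t:s0                      1 ?        00:00:01 systemd
unconfined_u:unconfined_r:unconfined_java_t:s0 2345 ?        00:00:09 java
unconfined_u:unconfined_r:unconfined_t:s0      2400 pts/0    00:00:00 bash
EOF
}

# Print each risky boolean that is currently "on", one per line.
enabled_risky_booleans() {  # $1: text in `getsebool -a` format
    printf '%s\n' "$1" | awk -v list="$RISKY_BOOLEANS" '
        BEGIN { n = split(list, r, " "); for (i = 1; i <= n; i++) risky[r[i]] = 1 }
        ($1 in risky) && $3 == "on" { print $1 }'
}

# Print the setsebool command that would turn off each enabled risky boolean.
tightening_commands() {  # $1: text in `getsebool -a` format
    enabled_risky_booleans "$1" | while read -r b; do
        printf 'setsebool -P %s 0\n' "$b"
    done
}

# Print the PID of every process whose SELinux type is unconfined_java_t.
unconfined_java_pids() {  # $1: text in `ps -eZ` format
    printf '%s\n' "$1" | awk 'NR > 1 { split($1, c, ":"); if (c[3] == "unconfined_java_t") print $2 }'
}

tightening_commands "$(sample_getsebool)"
unconfined_java_pids "$(sample_ps)"
```

       Turning allow_execmem or allow_execstack off can break a JVM or other
       JIT-based workload, so confirm the affected processes before applying
       the printed commands.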

MANAGED FILES

       The SELinux process type unconfined_java_t can manage files labeled
       with the following file types. The paths listed are the default paths
       for these file types. Note that the process's UID still needs to have
       DAC permissions.

       file_type

            all files on the system


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), unconfined_java(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

unconfined_java                    15-06-03         unconfined_java_selinux(8)