1unconfined_mono_selinux(8S)ELinux Policy unconfined_monuonconfined_mono_selinux(8)
2
3
4
6 unconfined_mono_selinux - Security Enhanced Linux Policy for the uncon‐
7 fined_mono processes
8
10 Security-Enhanced Linux secures the unconfined_mono processes via flex‐
11 ible mandatory access control.
12
13 The unconfined_mono processes execute with the unconfined_mono_t
14 SELinux type. You can check if you have these processes running by exe‐
15 cuting the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep unconfined_mono_t
20
21
22
24 The unconfined_mono_t SELinux type can be entered via the file_type,
25 unlabeled_t, proc_type, filesystem_type, mtrr_device_t, mono_exec_t,
26 sysctl_type, xsession_exec_t file types.
27
28 The default entrypoint paths for the unconfined_mono_t domain are the
29 following:
30
31 all files on the system, /dev/cpu/mtrr, /usr/bin/mono.*,
32 /etc/kde3?/kdm/Xreset, /etc/kde3?/kdm/Xstartup, /etc/kde3?/kdm/Xses‐
33 sion, /etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession,
34 /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*
35
37 SELinux defines process types (domains) for each process running on the
38 system
39
40 You can see the context of a process using the -Z option to ps
41
42 Policy governs the access confined processes have to files. SELinux
43 unconfined_mono policy is very flexible allowing users to setup their
44 unconfined_mono processes in as secure a method as possible.
45
46 The following process types are defined for unconfined_mono:
47
48 unconfined_mono_t
49
50 Note: semanage permissive -a unconfined_mono_t can be used to make the
51 process type unconfined_mono_t permissive. SELinux does not deny access
52 to permissive process types, but the AVC (SELinux denials) messages are
53 still generated.
54
55
57 SELinux policy is customizable based on least access required. uncon‐
58 fined_mono policy is extremely flexible and has several booleans that
59 allow you to manipulate the policy and run unconfined_mono with the
60 tightest access possible.
61
62
63
64 If you want to allow direct login to the console device. Required for
65 System 390, you must turn on the allow_console_login boolean. Enabled
66 by default.
67
68 setsebool -P allow_console_login 1
69
70
71
72 If you want to allow all domains to use other domains file descriptors,
73 you must turn on the allow_domain_fd_use boolean. Enabled by default.
74
75 setsebool -P allow_domain_fd_use 1
76
77
78
79 If you want to allow unconfined executables to make their heap memory
80 executable. Doing this is a really bad idea. Probably indicates a
81 badly coded executable, but could indicate an attack. This executable
82 should be reported in bugzilla, you must turn on the allow_execheap
83 boolean. Disabled by default.
84
85 setsebool -P allow_execheap 1
86
87
88
89 If you want to allow unconfined executables to map a memory region as
90 both executable and writable, this is dangerous and the executable
91 should be reported in bugzilla), you must turn on the allow_execmem
92 boolean. Enabled by default.
93
94 setsebool -P allow_execmem 1
95
96
97
98 If you want to allow all unconfined executables to use libraries
99 requiring text relocation that are not labeled textrel_shlib_t), you
100 must turn on the allow_execmod boolean. Enabled by default.
101
102 setsebool -P allow_execmod 1
103
104
105
106 If you want to allow unconfined executables to make their stack exe‐
107 cutable. This should never, ever be necessary. Probably indicates a
108 badly coded executable, but could indicate an attack. This executable
109 should be reported in bugzilla), you must turn on the allow_execstack
110 boolean. Enabled by default.
111
112 setsebool -P allow_execstack 1
113
114
115
116 If you want to allow confined applications to run with kerberos, you
117 must turn on the allow_kerberos boolean. Enabled by default.
118
119 setsebool -P allow_kerberos 1
120
121
122
123 If you want to allow sysadm to debug or ptrace all processes, you must
124 turn on the allow_ptrace boolean. Disabled by default.
125
126 setsebool -P allow_ptrace 1
127
128
129
130 If you want to transition to confined nsplugin domains from unconfined
131 user, you must turn on the allow_unconfined_nsplugin_transition bool‐
132 ean. Disabled by default.
133
134 setsebool -P allow_unconfined_nsplugin_transition 1
135
136
137
138 If you want to allows clients to write to the X server shared memory
139 segments, you must turn on the allow_write_xshm boolean. Disabled by
140 default.
141
142 setsebool -P allow_write_xshm 1
143
144
145
146 If you want to allow system to run with NIS, you must turn on the
147 allow_ypbind boolean. Disabled by default.
148
149 setsebool -P allow_ypbind 1
150
151
152
153 If you want to allow all domains to have the kernel load modules, you
154 must turn on the domain_kernel_load_modules boolean. Disabled by
155 default.
156
157 setsebool -P domain_kernel_load_modules 1
158
159
160
161 If you want to allow all domains to execute in fips_mode, you must turn
162 on the fips_mode boolean. Enabled by default.
163
164 setsebool -P fips_mode 1
165
166
167
168 If you want to enable reading of urandom for all domains, you must turn
169 on the global_ssp boolean. Disabled by default.
170
171 setsebool -P global_ssp 1
172
173
174
175 If you want to allow certain domains to map low memory in the kernel,
176 you must turn on the mmap_low_allowed boolean. Disabled by default.
177
178 setsebool -P mmap_low_allowed 1
179
180
181
182 If you want to allow confined applications to use nscd shared memory,
183 you must turn on the nscd_use_shm boolean. Enabled by default.
184
185 setsebool -P nscd_use_shm 1
186
187
188
189 If you want to enabling secure mode disallows programs, such as new‐
190 role, from transitioning to administrative user domains, you must turn
191 on the secure_mode boolean. Disabled by default.
192
193 setsebool -P secure_mode 1
194
195
196
197 If you want to boolean to determine whether the system permits loading
198 policy, setting enforcing mode, and changing boolean values. Set this
199 to true and you have to reboot to set it back, you must turn on the
200 secure_mode_policyload boolean. Disabled by default.
201
202 setsebool -P secure_mode_policyload 1
203
204
205
206 If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
207 the ssh_sysadm_login boolean. Disabled by default.
208
209 setsebool -P ssh_sysadm_login 1
210
211
212
213 If you want to allow unconfined users to transition to the Mozilla
214 plugin domain when running xulrunner plugin-container, you must turn on
215 the unconfined_mozilla_plugin_transition boolean. Enabled by default.
216
217 setsebool -P unconfined_mozilla_plugin_transition 1
218
219
220
221 If you want to allow regular users direct dri device access, you must
222 turn on the user_direct_dri boolean. Enabled by default.
223
224 setsebool -P user_direct_dri 1
225
226
227
228 If you want to allow xdm logins as sysadm, you must turn on the
229 xdm_sysadm_login boolean. Disabled by default.
230
231 setsebool -P xdm_sysadm_login 1
232
233
234
235 If you want to support X userspace object manager, you must turn on the
236 xserver_object_manager boolean. Disabled by default.
237
238 setsebool -P xserver_object_manager 1
239
240
241
243 The SELinux process type unconfined_mono_t can manage files labeled
244 with the following file types. The paths listed are the default paths
245 for these file types. Note the processes UID still need to have DAC
246 permissions.
247
248 file_type
249
250 all files on the system
251
252
254 semanage fcontext can also be used to manipulate default file context
255 mappings.
256
257 semanage permissive can also be used to manipulate whether or not a
258 process type is permissive.
259
260 semanage module can also be used to enable/disable/install/remove pol‐
261 icy modules.
262
263 semanage boolean can also be used to manipulate the booleans
264
265
266 system-config-selinux is a GUI tool available to customize SELinux pol‐
267 icy settings.
268
269
271 This manual page was auto-generated using sepolicy manpage .
272
273
275 selinux(8), unconfined_mono(8), semanage(8), restorecon(8), chcon(1) ,
276 setsebool(8)
277
278
279
280unconfined_mono 15-06-03 unconfined_mono_selinux(8)