unconfined_mono_selinux(8)     SELinux Policy unconfined_mono     unconfined_mono_selinux(8)


NAME

       unconfined_mono_selinux - Security Enhanced Linux Policy for the
       unconfined_mono processes


DESCRIPTION

       Security-Enhanced Linux secures the unconfined_mono processes via
       flexible mandatory access control.

       The unconfined_mono processes execute with the unconfined_mono_t
       SELinux type. You can check if you have these processes running by
       executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep unconfined_mono_t



ENTRYPOINTS

       The unconfined_mono_t SELinux type can be entered via the file_type,
       unlabeled_t, proc_type, filesystem_type, mtrr_device_t, mono_exec_t,
       sysctl_type, xsession_exec_t file types.

       The default entrypoint paths for the unconfined_mono_t domain are the
       following:

       all files on the system, /dev/cpu/mtrr, /usr/bin/mono.*,
       /etc/kde3?/kdm/Xreset, /etc/kde3?/kdm/Xstartup, /etc/kde3?/kdm/Xsession,
       /etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession,
       /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*


PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       unconfined_mono policy is very flexible, allowing users to set up
       their unconfined_mono processes in as secure a method as possible.

       The following process types are defined for unconfined_mono:

       unconfined_mono_t

       Note: semanage permissive -a unconfined_mono_t can be used to make the
       process type unconfined_mono_t permissive. SELinux does not deny
       access to permissive process types, but the AVC (SELinux denials)
       messages are still generated.



BOOLEANS

       SELinux policy is customizable based on least access required.
       unconfined_mono policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run unconfined_mono with
       the tightest access possible.


       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1


       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the allow_execheap boolean. Doing this is
       a really bad idea: it probably indicates a badly coded executable, but
       could indicate an attack, and the executable should be reported in
       bugzilla. Disabled by default.

       setsebool -P allow_execheap 1


       If you want to allow unconfined executables to map a memory region as
       both executable and writable (this is dangerous and the executable
       should be reported in bugzilla), you must turn on the allow_execmem
       boolean. Enabled by default.

       setsebool -P allow_execmem 1


       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1


       If you want to allow unconfined executables to make their stack
       executable, you must turn on the allow_execstack boolean. This should
       never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P allow_execstack 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1


       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1


       If you want to transition to confined nsplugin domains from the
       unconfined user, you must turn on the
       allow_unconfined_nsplugin_transition boolean. Disabled by default.

       setsebool -P allow_unconfined_nsplugin_transition 1


       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1


       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to enable reading of urandom for all domains, you must
       turn on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to allow certain domains to map low memory in the kernel,
       you must turn on the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1


       If you want to lock the system so that it no longer permits loading
       policy, setting enforcing mode, or changing boolean values, you must
       turn on the secure_mode_policyload boolean. Once set to true, you have
       to reboot to set it back. Disabled by default.

       setsebool -P secure_mode_policyload 1


       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1


       If you want to allow unconfined users to transition to the Mozilla
       plugin domain when running xulrunner plugin-container, you must turn
       on the unconfined_mozilla_plugin_transition boolean. Enabled by
       default.

       setsebool -P unconfined_mozilla_plugin_transition 1


       If you want to allow regular users direct DRI device access, you must
       turn on the user_direct_dri boolean. Enabled by default.

       setsebool -P user_direct_dri 1


       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1


       If you want to support the X userspace object manager, you must turn
       on the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1


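       As an added example (not part of the generated man page), a POSIX
       shell check that compares getsebool output against the defaults
       documented above and reports every boolean that differs from them,
       so that a drift such as allow_execheap being enabled stands out. The
       getsebool sample and the helper name check_boolean_drift are
       constructed for this example.

```shell
# Documented defaults for the booleans listed on this page, as name:default.
PAGE_DEFAULTS='allow_console_login:on
allow_domain_fd_use:on
allow_execheap:off
allow_execmem:on
allow_execmod:on
allow_execstack:on
allow_kerberos:on
allow_ptrace:off
allow_unconfined_nsplugin_transition:off
allow_write_xshm:off
allow_ypbind:off
domain_kernel_load_modules:off
fips_mode:on
global_ssp:off
mmap_low_allowed:off
nscd_use_shm:on
secure_mode:off
secure_mode_policyload:off
ssh_sysadm_login:off
unconfined_mozilla_plugin_transition:on
user_direct_dri:on
xdm_sysadm_login:off
xserver_object_manager:off'

# Constructed sample in the "name --> value" format that `getsebool -a`
# prints; it is not captured from a real host.
SAMPLE_GETSEBOOL='allow_console_login --> on
allow_execheap --> on
allow_execmem --> on
allow_execstack --> on
allow_ptrace --> on
secure_mode_policyload --> off
some_other_boolean --> on'
# check_boolean_drift: read getsebool-style lines on stdin and print
# "name current default" for each documented boolean whose value differs
# from the documented default. Booleans not on the page are ignored.
check_boolean_drift() {
    while IFS= read -r line; do
        name=${line%% --> *}
        value=${line##* --> }
        default=$(printf '%s\n' "$PAGE_DEFAULTS" | awk -F: -v n="$name" '$1 == n { print $2 }')
        if [ -n "$default" ] && [ "$value" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$value" "$default"
        fi
    done
    return 0
}
# On a host with the SELinux tools: getsebool -a | check_boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | check_boolean_drift
```

       Each reported line names a boolean whose current value is not the
       documented default; setsebool -P, as shown above, restores it.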

MANAGED FILES

       The SELinux process type unconfined_mono_t can manage files labeled
       with the following file types. The paths listed are the default paths
       for these file types. Note that the process's UID still needs to have
       DAC permissions.

       file_type

            all files on the system



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), unconfined_mono(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)



unconfined_mono                    15-06-03         unconfined_mono_selinux(8)