unconfined_selinux(8)      unconfined SELinux Policy documentation      unconfined_selinux(8)



NAME

       unconfined_r - Unconfined user role - Security Enhanced Linux Policy



DESCRIPTION

       SELinux supports Role Based Access Control (RBAC). Some SELinux roles
       are login roles, while other roles must be transitioned into.

       Note: Examples in this man page will use the staff_u SELinux user.

       Non login roles are usually used for administrative tasks, for example
       tasks that require root privileges. Roles control which types a user
       can run processes with. Roles often have default types assigned to
       them.

       The default type for the unconfined_r role is unconfined_t.

       The newrole program can be used to transition directly to this role:

       newrole -r unconfined_r -t unconfined_t

       sudo is the preferred method to transition from one role to another.
       You set up sudo to transition to unconfined_r by adding a line similar
       to the following to the /etc/sudoers file:

       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND

       sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL

       When using a non login role, you need to set up SELinux so that your
       SELinux user can reach the unconfined_r role.

       Execute the following to see all of the assigned SELinux roles:

       semanage user -l

       You need to add unconfined_r to the staff_u user. You could set up the
       staff_u user to be able to use the unconfined_r role with a command
       like:

       $ semanage user -m -R 'staff_r system_r unconfined_r' staff_u
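       As an added example (not part of this man page or of the sepolicy
       tool that generated it), the following POSIX shell script parses the
       output of semanage user -l to check whether a SELinux user already has
       a role, builds the semanage user -m command that adds the role while
       keeping the roles already assigned (the -R list replaces the whole
       role set, so omitting an existing role would silently drop it), and
       emits the sudoers line described above. The semanage listing embedded
       in it is constructed sample data; the Linux user name alice and the
       command /usr/bin/systemctl are placeholders.

```shell
#!/bin/sh
# Constructed sample of `semanage user -l` output (not taken from a live system).
SAMPLE_SEMANAGE_USERS='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# Print the roles assigned to SELinux user $1, reading the listing from stdin.
# Roles start at the fifth whitespace-separated column of each data row.
user_roles() {
    awk -v u="$1" '$1 == u { for (i = 5; i <= NF; i++) printf "%s%s", (i > 5 ? " " : ""), $i; print "" }'
}

# Return 0 if SELinux user $1 already has role $2 in the listing on stdin, else 1.
user_has_role() {
    roles=$(user_roles "$1")
    for r in $roles; do
        [ "$r" = "$2" ] && return 0
    done
    return 1
}

# Print the semanage command that adds role $2 to SELinux user $1.
# The existing roles are repeated because -R sets the complete role list.
grant_role_cmd() {
    roles=$(user_roles "$1")
    printf "semanage user -m -R '%s %s' %s\n" "$roles" "$2" "$1"
}

# Print the /etc/sudoers line that runs command $4 for Linux user $1
# in SELinux role $2 with type $3 (the form shown in this man page).
sudoers_role_line() {
    printf '%s ALL=(ALL) ROLE=%s TYPE=%s %s\n' "$1" "$2" "$3" "$4"
}

# Usage: report the commands an administrator would need for staff_u.
if ! printf '%s\n' "$SAMPLE_SEMANAGE_USERS" | user_has_role staff_u unconfined_r; then
    printf '%s\n' "$SAMPLE_SEMANAGE_USERS" | grant_role_cmd staff_u unconfined_r
fi
sudoers_role_line alice unconfined_r unconfined_t /usr/bin/systemctl
```

       On a live system, replace the embedded sample with the real listing
       by piping `semanage user -l` into the functions instead of
       SAMPLE_SEMANAGE_USERS.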

BOOLEANS

       SELinux policy is customizable based on least access required. The
       unconfined policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run unconfined with the tightest
       access possible.


       If you want to allow a user to login as an unconfined domain, you must
       turn on the unconfined_login boolean. Enabled by default.

       setsebool -P unconfined_login 1


       If you want to allow unconfined users to transition to the Mozilla
       plugin domain when running xulrunner plugin-container, you must turn on
       the unconfined_mozilla_plugin_transition boolean. Enabled by default.

       setsebool -P unconfined_mozilla_plugin_transition 1


       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1


       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1


       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1


       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the allow_execheap boolean. Doing this is
       a really bad idea: it probably indicates a badly coded executable, but
       could indicate an attack. Such an executable should be reported in
       bugzilla. Disabled by default.

       setsebool -P allow_execheap 1


       If you want to allow unconfined executables to map a memory region as
       both executable and writable, you must turn on the allow_execmem
       boolean. This is dangerous and the executable should be reported in
       bugzilla. Enabled by default.

       setsebool -P allow_execmem 1


       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1


       If you want to allow unconfined executables to make their stack
       executable, you must turn on the allow_execstack boolean. This should
       never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack. Such an executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P allow_execstack 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1


       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1


       If you want to transition to confined nsplugin domains from an
       unconfined user, you must turn on the
       allow_unconfined_nsplugin_transition boolean. Enabled by default.

       setsebool -P allow_unconfined_nsplugin_transition 1


       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1


       If you want to allow certain domains to map low memory in the kernel,
       you must turn on the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


       If you want to enable secure mode, which disallows programs, such as
       newrole, from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1


       The secure_mode_policyload boolean determines whether the system
       permits loading policy, setting enforcing mode, and changing boolean
       values. If you want to lock these operations down, you must turn on
       the secure_mode_policyload boolean. Once set to true, you have to
       reboot to set it back. Disabled by default.

       setsebool -P secure_mode_policyload 1


       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1


       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1
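       As an added example (not part of this man page or of the sepolicy
       tool), the following POSIX shell script audits getsebool -a output for
       the booleans this page itself flags as dangerous when enabled
       (allow_execheap, allow_execmem, allow_execstack, allow_execmod) plus
       allow_ptrace, and prints the setsebool -P commands that turn each
       enabled one back off, i.e. toward the "tightest access possible" the
       section opens with. The getsebool listing embedded in it is
       constructed sample data, and the list of risky booleans is an
       editorial selection from this page, not a set defined by the policy.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output (not taken from a live system).
SAMPLE_GETSEBOOL='allow_console_login --> on
allow_daemons_use_tty --> off
allow_execheap --> on
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
allow_ptrace --> off
secure_mode_policyload --> off
unconfined_login --> on'

# Booleans this man page describes as a "really bad idea", "dangerous" or
# "never, ever necessary" when on, plus allow_ptrace (lets sysadm ptrace
# every process). Editorial selection; space-separated so sh can loop over it.
RISKY_BOOLS="allow_execheap allow_execmem allow_execstack allow_execmod allow_ptrace"

# Print the current value ("on" or "off") of boolean $1 from the listing on stdin.
bool_value() {
    awk -v b="$1" '$1 == b && $2 == "-->" { print $3 }'
}

# Print each risky boolean that is currently enabled, one per line,
# in RISKY_BOOLS order. Reads the getsebool listing from stdin.
risky_enabled() {
    listing=$(cat)
    for b in $RISKY_BOOLS; do
        if [ "$(printf '%s\n' "$listing" | bool_value "$b")" = "on" ]; then
            printf '%s\n' "$b"
        fi
    done
}

# Print the setsebool -P commands that disable every enabled risky boolean.
# -P persists the change across reboots, as in this man page's examples.
tighten_cmds() {
    risky_enabled | while read -r b; do
        printf 'setsebool -P %s 0\n' "$b"
    done
}

# Usage: show what would be tightened on the sample system.
printf '%s\n' "$SAMPLE_GETSEBOOL" | tighten_cmds
```

       Before running the printed commands on a real host, confirm that no
       application depends on the boolean being on; for allow_execmem and
       allow_execstack in particular, this page notes they are enabled by
       default, so turning them off may break programs that rely on them.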

MANAGED FILES

       The SELinux process type unconfined_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       file_type

            all files on the system



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), unconfined(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), unconfined_cronjob_selinux(8),
       unconfined_dbusd_selinux(8), unconfined_execmem_selinux(8),
       unconfined_java_selinux(8), unconfined_mono_selinux(8),
       unconfined_mount_selinux(8), unconfined_notrans_selinux(8),
       unconfined_sendmail_selinux(8)


mgrepl@redhat.com                 unconfined             unconfined_selinux(8)