1update_modules_selinux(8)SELinux Policy update_modulesupdate_modules_selinux(8)
2
3
4

NAME

6       update_modules_selinux   -  Security  Enhanced  Linux  Policy  for  the
7       update_modules processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the update_modules processes via flexi‐
11       ble mandatory access control.
12
13       The  update_modules processes execute with the update_modules_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep update_modules_t
20
21
22

ENTRYPOINTS

24       The  update_modules_t  SELinux  type can be entered via the update_mod‐
25       ules_exec_t file type.
26
27       The default entrypoint paths for the update_modules_t  domain  are  the
28       following:
29
30       /sbin/modules-update,     /sbin/update-modules,     /sbin/generate-mod‐
31       probe.conf
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       update_modules policy is very flexible allowing users  to  setup  their
41       update_modules processes in as secure a method as possible.
42
43       The following process types are defined for update_modules:
44
45       update_modules_t
46
47       Note:  semanage  permissive -a update_modules_t can be used to make the
48       process type update_modules_t permissive. SELinux does not deny  access
49       to permissive process types, but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       update_modules  policy  is  extremely flexible and has several booleans
56       that allow you to manipulate the policy and run update_modules with the
57       tightest access possible.
58
59
60
61       If  you  want to allow all daemons the ability to read/write terminals,
62       you  must  turn  on  the  allow_daemons_use_tty  boolean.  Disabled  by
63       default.
64
65       setsebool -P allow_daemons_use_tty 1
66
67
68
69       If you want to allow all domains to use other domains file descriptors,
70       you must turn on the allow_domain_fd_use boolean. Enabled by default.
71
72       setsebool -P allow_domain_fd_use 1
73
74
75
76       If you want to allow sysadm to debug or ptrace all processes, you  must
77       turn on the allow_ptrace boolean. Disabled by default.
78
79       setsebool -P allow_ptrace 1
80
81
82
83       If  you  want to allow all domains to have the kernel load modules, you
84       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
85       default.
86
87       setsebool -P domain_kernel_load_modules 1
88
89
90
91       If you want to allow all domains to execute in fips_mode, you must turn
92       on the fips_mode boolean. Enabled by default.
93
94       setsebool -P fips_mode 1
95
96
97
98       If you want to enable reading of urandom for all domains, you must turn
99       on the global_ssp boolean. Disabled by default.
100
101       setsebool -P global_ssp 1
102
103
104
105       If  you  want  to  disable  transitions to insmod, you must turn on the
106       secure_mode_insmod boolean. Disabled by default.
107
108       setsebool -P secure_mode_insmod 1
109
110
111

MANAGED FILES

113       The SELinux process type update_modules_t can manage files labeled with
114       the  following  file types.  The paths listed are the default paths for
115       these file types.  Note the processes UID still need to have  DAC  per‐
116       missions.
117
118       initrc_tmp_t
119
120
121       mnt_t
122
123            /mnt(/[^/]*)
124            /mnt(/[^/]*)?
125            /rhev(/[^/]*)?
126            /media(/[^/]*)
127            /media(/[^/]*)?
128            /etc/rhgb(/.*)?
129            /media/.hal-.*
130            /net
131            /afs
132            /rhev
133            /misc
134
135       modules_conf_t
136
137            /etc/modprobe.d(/.*)?
138            /etc/modules.conf.*
139            /etc/modprobe.conf.*
140            /lib/modules/modprobe.conf
141            /lib64/modules/modprobe.conf
142
143       modules_dep_t
144
145            /lib/modules/[^/]+/modules..+
146            /lib64/modules/[^/]+/modules..+
147
148       tmp_t
149
150            /tmp
151            /usr/tmp
152            /var/tmp
153            /tmp-inst
154            /var/tmp-inst
155            /var/tmp/vi.recover
156
157       update_modules_tmp_t
158
159
160

FILE CONTEXTS

162       SELinux requires files to have an extended attribute to define the file
163       type.
164
165       You can see the context of a file using the -Z option to ls
166
167       Policy governs the access  confined  processes  have  to  these  files.
168       SELinux  update_modules policy is very flexible allowing users to setup
169       their update_modules processes in as secure a method as possible.
170
171       STANDARD FILE CONTEXT
172
173       SELinux defines the file context types for the update_modules,  if  you
174       wanted  to store files with these types in a diffent paths, you need to
175       execute the semanage command to sepecify alternate  labeling  and  then
176       use restorecon to put the labels on disk.
177
178       semanage   fcontext   -a  -t  update_modules_tmp_t  '/srv/myupdate_mod‐
179       ules_content(/.*)?'
180       restorecon -R -v /srv/myupdate_modules_content
181
182       Note: SELinux often uses regular expressions  to  specify  labels  that
183       match multiple files.
184
185       The following file types are defined for update_modules:
186
187
188
189       update_modules_exec_t
190
191       - Set files with the update_modules_exec_t type, if you want to transi‐
192       tion an executable to the update_modules_t domain.
193
194
195       Paths:
196            /sbin/modules-update,  /sbin/update-modules,   /sbin/generate-mod‐
197            probe.conf
198
199
200       update_modules_tmp_t
201
202       -  Set  files  with the update_modules_tmp_t type, if you want to store
203       update modules temporary files in the /tmp directories.
204
205
206
207       Note: File context can be temporarily modified with the chcon  command.
208       If  you want to permanently change the file context you need to use the
209       semanage fcontext command.  This will modify the SELinux labeling data‐
210       base.  You will need to use restorecon to apply the labels.
211
212

COMMANDS

214       semanage  fcontext  can also be used to manipulate default file context
215       mappings.
216
217       semanage permissive can also be used to manipulate  whether  or  not  a
218       process type is permissive.
219
220       semanage  module can also be used to enable/disable/install/remove pol‐
221       icy modules.
222
223       semanage boolean can also be used to manipulate the booleans
224
225
226       system-config-selinux is a GUI tool available to customize SELinux pol‐
227       icy settings.
228
229

AUTHOR

231       This manual page was auto-generated using sepolicy manpage .
232
233

SEE ALSO

235       selinux(8),  update_modules(8),  semanage(8), restorecon(8), chcon(1) ,
236       setsebool(8)
237
238
239
240update_modules                     15-06-03          update_modules_selinux(8)
Impressum