1user_openoffice_selinux(8S)ELinux Policy user_openofficueser_openoffice_selinux(8)
2
3
4
6 user_openoffice_selinux - Security Enhanced Linux Policy for the
7 user_openoffice processes
8
10 Security-Enhanced Linux secures the user_openoffice processes via flex‐
11 ible mandatory access control.
12
13 The user_openoffice processes execute with the user_openoffice_t
14 SELinux type. You can check if you have these processes running by exe‐
15 cuting the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep user_openoffice_t
20
21
22
24 The user_openoffice_t SELinux type can be entered via the xses‐
25 sion_exec_t, user_home_t, openoffice_exec_t file types.
26
27 The default entrypoint paths for the user_openoffice_t domain are the
28 following:
29
30 /etc/kde3?/kdm/Xreset, /etc/kde3?/kdm/Xstartup, /etc/kde3?/kdm/Xses‐
31 sion, /etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession,
32 /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*,
33 /home/[^/]*/.+, /home/staff/.+, /opt/openoffice.org.*/program/.+.bin,
34 /usr/lib/openoffice.org.*/program/.+.bin, /usr/lib64/open‐
35 office.org.*/program/.+.bin
36
38 SELinux defines process types (domains) for each process running on the
39 system
40
41 You can see the context of a process using the -Z option to ps
42
43 Policy governs the access confined processes have to files. SELinux
44 user_openoffice policy is very flexible allowing users to setup their
45 user_openoffice processes in as secure a method as possible.
46
47 The following process types are defined for user_openoffice:
48
49 user_openoffice_t
50
51 Note: semanage permissive -a user_openoffice_t can be used to make the
52 process type user_openoffice_t permissive. SELinux does not deny access
53 to permissive process types, but the AVC (SELinux denials) messages are
54 still generated.
55
56
58 SELinux policy is customizable based on least access required.
59 user_openoffice policy is extremely flexible and has several booleans
60 that allow you to manipulate the policy and run user_openoffice with
61 the tightest access possible.
62
63
64
65 If you want to allow direct login to the console device. Required for
66 System 390, you must turn on the allow_console_login boolean. Enabled
67 by default.
68
69 setsebool -P allow_console_login 1
70
71
72
73 If you want to allow all domains to use other domains file descriptors,
74 you must turn on the allow_domain_fd_use boolean. Enabled by default.
75
76 setsebool -P allow_domain_fd_use 1
77
78
79
80 If you want to allow all unconfined executables to use libraries
81 requiring text relocation that are not labeled textrel_shlib_t), you
82 must turn on the allow_execmod boolean. Enabled by default.
83
84 setsebool -P allow_execmod 1
85
86
87
88 If you want to allow confined applications to run with kerberos, you
89 must turn on the allow_kerberos boolean. Enabled by default.
90
91 setsebool -P allow_kerberos 1
92
93
94
95 If you want to allow sysadm to debug or ptrace all processes, you must
96 turn on the allow_ptrace boolean. Disabled by default.
97
98 setsebool -P allow_ptrace 1
99
100
101
102 If you want to allow users to connect to PostgreSQL, you must turn on
103 the allow_user_postgresql_connect boolean. Disabled by default.
104
105 setsebool -P allow_user_postgresql_connect 1
106
107
108
109 If you want to allows clients to write to the X server shared memory
110 segments, you must turn on the allow_write_xshm boolean. Disabled by
111 default.
112
113 setsebool -P allow_write_xshm 1
114
115
116
117 If you want to allow system to run with NIS, you must turn on the
118 allow_ypbind boolean. Disabled by default.
119
120 setsebool -P allow_ypbind 1
121
122
123
124 If you want to allow all domains to have the kernel load modules, you
125 must turn on the domain_kernel_load_modules boolean. Disabled by
126 default.
127
128 setsebool -P domain_kernel_load_modules 1
129
130
131
132 If you want to allow all domains to execute in fips_mode, you must turn
133 on the fips_mode boolean. Enabled by default.
134
135 setsebool -P fips_mode 1
136
137
138
139 If you want to enable reading of urandom for all domains, you must turn
140 on the global_ssp boolean. Disabled by default.
141
142 setsebool -P global_ssp 1
143
144
145
146 If you want to allow confined applications to use nscd shared memory,
147 you must turn on the nscd_use_shm boolean. Enabled by default.
148
149 setsebool -P nscd_use_shm 1
150
151
152
153 If you want to enabling secure mode disallows programs, such as new‐
154 role, from transitioning to administrative user domains, you must turn
155 on the secure_mode boolean. Disabled by default.
156
157 setsebool -P secure_mode 1
158
159
160
161 If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
162 the ssh_sysadm_login boolean. Disabled by default.
163
164 setsebool -P ssh_sysadm_login 1
165
166
167
168 If you want to support NFS home directories, you must turn on the
169 use_nfs_home_dirs boolean. Disabled by default.
170
171 setsebool -P use_nfs_home_dirs 1
172
173
174
175 If you want to support SAMBA home directories, you must turn on the
176 use_samba_home_dirs boolean. Disabled by default.
177
178 setsebool -P use_samba_home_dirs 1
179
180
181
182 If you want to allow regular users direct dri device access, you must
183 turn on the user_direct_dri boolean. Enabled by default.
184
185 setsebool -P user_direct_dri 1
186
187
188
189 If you want to allow regular users direct mouse access, you must turn
190 on the user_direct_mouse boolean. Disabled by default.
191
192 setsebool -P user_direct_mouse 1
193
194
195
196 If you want to allow user to r/w files on filesystems that do not have
197 extended attributes (FAT, CDROM, FLOPPY), you must turn on the
198 user_rw_noexattrfile boolean. Enabled by default.
199
200 setsebool -P user_rw_noexattrfile 1
201
202
203
204 If you want to allow user processes to change their priority, you must
205 turn on the user_setrlimit boolean. Enabled by default.
206
207 setsebool -P user_setrlimit 1
208
209
210
211 If you want to allow users to run TCP servers (bind to ports and accept
212 connection from the same domain and outside users) disabling this
213 forces FTP passive mode and may change other protocols, you must turn
214 on the user_tcp_server boolean. Disabled by default.
215
216 setsebool -P user_tcp_server 1
217
218
219
220 If you want to allow xdm logins as sysadm, you must turn on the
221 xdm_sysadm_login boolean. Disabled by default.
222
223 setsebool -P xdm_sysadm_login 1
224
225
226
227 If you want to support X userspace object manager, you must turn on the
228 xserver_object_manager boolean. Disabled by default.
229
230 setsebool -P xserver_object_manager 1
231
232
233
235 The SELinux process type user_openoffice_t can manage files labeled
236 with the following file types. The paths listed are the default paths
237 for these file types. Note the processes UID still need to have DAC
238 permissions.
239
240 anon_inodefs_t
241
242
243 cgroup_t
244
245 /cgroup(/.*)?
246
247 chrome_sandbox_tmpfs_t
248
249
250 cifs_t
251
252
253 games_data_t
254
255 /var/games(/.*)?
256 /var/lib/games(/.*)?
257
258 gpg_agent_tmp_t
259
260
261 iceauth_home_t
262
263 /home/[^/]*/.DCOP.*
264 /home/[^/]*/.ICEauthority.*
265 /home/staff/.DCOP.*
266 /home/staff/.ICEauthority.*
267
268 initrc_tmp_t
269
270
271 mail_spool_t
272
273 /var/mail(/.*)?
274 /var/spool/mail(/.*)?
275 /var/spool/imap(/.*)?
276
277 mnt_t
278
279 /mnt(/[^/]*)
280 /mnt(/[^/]*)?
281 /rhev(/[^/]*)?
282 /media(/[^/]*)
283 /media(/[^/]*)?
284 /etc/rhgb(/.*)?
285 /media/.hal-.*
286 /net
287 /afs
288 /rhev
289 /misc
290
291 mqueue_spool_t
292
293 /var/spool/(client)?mqueue(/.*)?
294
295 nfsd_rw_t
296
297
298 noxattrfs
299
300 all files on file systems which do not support extended attributes
301
302 sandbox_file_t
303
304
305 sandbox_tmpfs_type
306
307 all sandbox content in tmpfs file systems
308
309 security_t
310
311
312 tmp_t
313
314 /tmp
315 /usr/tmp
316 /var/tmp
317 /tmp-inst
318 /var/tmp-inst
319 /var/tmp/vi.recover
320
321 usbfs_t
322
323
324 user_fonts_cache_t
325
326 /home/[^/]*/.fonts/auto(/.*)?
327 /home/[^/]*/.fontconfig(/.*)?
328 /home/[^/]*/.fonts.cache-.*
329 /home/staff/.fonts/auto(/.*)?
330 /home/staff/.fontconfig(/.*)?
331 /home/staff/.fonts.cache-.*
332
333 user_fonts_t
334
335 /home/[^/]*/.fonts(/.*)?
336 /home/staff/.fonts(/.*)?
337
338 user_home_type
339
340 all user home files
341
342 user_tmp_t
343
344 /tmp/gconfd-.*
345 /tmp/gconfd-staff
346
347 user_tmpfs_t
348
349 /dev/shm/mono.*
350 /dev/shm/pulse-shm.*
351
352 xauth_home_t
353
354 /root/.Xauth.*
355 /root/.xauth.*
356 /root/.serverauth.*
357 /var/lib/pqsql/.xauth.*
358 /var/lib/pqsql/.Xauthority.*
359 /var/lib/nxserver/home/.xauth.*
360 /var/lib/nxserver/home/.Xauthority.*
361 /home/[^/]*/.xauth.*
362 /home/[^/]*/.Xauthority.*
363 /home/[^/]*/.serverauth.*
364 /home/staff/.xauth.*
365 /home/staff/.Xauthority.*
366 /home/staff/.serverauth.*
367
368 xdm_tmp_t
369
370 /tmp/.X11-unix(/.*)?
371 /tmp/.ICE-unix(/.*)?
372 /tmp/.X0-lock
373
374 xserver_tmpfs_t
375
376
377
379 semanage fcontext can also be used to manipulate default file context
380 mappings.
381
382 semanage permissive can also be used to manipulate whether or not a
383 process type is permissive.
384
385 semanage module can also be used to enable/disable/install/remove pol‐
386 icy modules.
387
388 semanage boolean can also be used to manipulate the booleans
389
390
391 system-config-selinux is a GUI tool available to customize SELinux pol‐
392 icy settings.
393
394
396 This manual page was auto-generated using sepolicy manpage .
397
398
400 selinux(8), user_openoffice(8), semanage(8), restorecon(8), chcon(1) ,
401 setsebool(8)
402
403
404
405user_openoffice 15-06-03 user_openoffice_selinux(8)