1xguest_openoffice_selinuSxE(L8i)nux Policy xguest_openofxfgiuceest_openoffice_selinux(8)
2
3
4
6 xguest_openoffice_selinux - Security Enhanced Linux Policy for the
7 xguest_openoffice processes
8
10 Security-Enhanced Linux secures the xguest_openoffice processes via
11 flexible mandatory access control.
12
13 The xguest_openoffice processes execute with the xguest_openoffice_t
14 SELinux type. You can check if you have these processes running by exe‐
15 cuting the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep xguest_openoffice_t
20
21
22
24 The xguest_openoffice_t SELinux type can be entered via the xses‐
25 sion_exec_t, user_home_t, openoffice_exec_t file types.
26
27 The default entrypoint paths for the xguest_openoffice_t domain are the
28 following:
29
30 /etc/kde3?/kdm/Xreset, /etc/kde3?/kdm/Xstartup, /etc/kde3?/kdm/Xses‐
31 sion, /etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession,
32 /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*,
33 /home/[^/]*/.+, /home/staff/.+, /opt/openoffice.org.*/program/.+.bin,
34 /usr/lib/openoffice.org.*/program/.+.bin, /usr/lib64/open‐
35 office.org.*/program/.+.bin
36
38 SELinux defines process types (domains) for each process running on the
39 system
40
41 You can see the context of a process using the -Z option to ps
42
43 Policy governs the access confined processes have to files. SELinux
44 xguest_openoffice policy is very flexible allowing users to setup their
45 xguest_openoffice processes in as secure a method as possible.
46
47 The following process types are defined for xguest_openoffice:
48
49 xguest_openoffice_t
50
51 Note: semanage permissive -a xguest_openoffice_t can be used to make
52 the process type xguest_openoffice_t permissive. SELinux does not deny
53 access to permissive process types, but the AVC (SELinux denials) mes‐
54 sages are still generated.
55
56
58 SELinux policy is customizable based on least access required.
59 xguest_openoffice policy is extremely flexible and has several booleans
60 that allow you to manipulate the policy and run xguest_openoffice with
61 the tightest access possible.
62
63
64
65 If you want to allow direct login to the console device. Required for
66 System 390, you must turn on the allow_console_login boolean. Enabled
67 by default.
68
69 setsebool -P allow_console_login 1
70
71
72
73 If you want to allow all domains to use other domains file descriptors,
74 you must turn on the allow_domain_fd_use boolean. Enabled by default.
75
76 setsebool -P allow_domain_fd_use 1
77
78
79
80 If you want to allow confined applications to run with kerberos, you
81 must turn on the allow_kerberos boolean. Enabled by default.
82
83 setsebool -P allow_kerberos 1
84
85
86
87 If you want to allow sysadm to debug or ptrace all processes, you must
88 turn on the allow_ptrace boolean. Disabled by default.
89
90 setsebool -P allow_ptrace 1
91
92
93
94 If you want to allows clients to write to the X server shared memory
95 segments, you must turn on the allow_write_xshm boolean. Disabled by
96 default.
97
98 setsebool -P allow_write_xshm 1
99
100
101
102 If you want to allow system to run with NIS, you must turn on the
103 allow_ypbind boolean. Disabled by default.
104
105 setsebool -P allow_ypbind 1
106
107
108
109 If you want to allow all domains to have the kernel load modules, you
110 must turn on the domain_kernel_load_modules boolean. Disabled by
111 default.
112
113 setsebool -P domain_kernel_load_modules 1
114
115
116
117 If you want to allow all domains to execute in fips_mode, you must turn
118 on the fips_mode boolean. Enabled by default.
119
120 setsebool -P fips_mode 1
121
122
123
124 If you want to enable reading of urandom for all domains, you must turn
125 on the global_ssp boolean. Disabled by default.
126
127 setsebool -P global_ssp 1
128
129
130
131 If you want to allow confined applications to use nscd shared memory,
132 you must turn on the nscd_use_shm boolean. Enabled by default.
133
134 setsebool -P nscd_use_shm 1
135
136
137
138 If you want to enabling secure mode disallows programs, such as new‐
139 role, from transitioning to administrative user domains, you must turn
140 on the secure_mode boolean. Disabled by default.
141
142 setsebool -P secure_mode 1
143
144
145
146 If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
147 the ssh_sysadm_login boolean. Disabled by default.
148
149 setsebool -P ssh_sysadm_login 1
150
151
152
153 If you want to support NFS home directories, you must turn on the
154 use_nfs_home_dirs boolean. Disabled by default.
155
156 setsebool -P use_nfs_home_dirs 1
157
158
159
160 If you want to support SAMBA home directories, you must turn on the
161 use_samba_home_dirs boolean. Disabled by default.
162
163 setsebool -P use_samba_home_dirs 1
164
165
166
167 If you want to allow regular users direct dri device access, you must
168 turn on the user_direct_dri boolean. Enabled by default.
169
170 setsebool -P user_direct_dri 1
171
172
173
174 If you want to allow user to r/w files on filesystems that do not have
175 extended attributes (FAT, CDROM, FLOPPY), you must turn on the
176 user_rw_noexattrfile boolean. Enabled by default.
177
178 setsebool -P user_rw_noexattrfile 1
179
180
181
182 If you want to allow xdm logins as sysadm, you must turn on the
183 xdm_sysadm_login boolean. Disabled by default.
184
185 setsebool -P xdm_sysadm_login 1
186
187
188
189 If you want to allow xguest to configure Network Manager and connect to
190 apache ports, you must turn on the xguest_connect_network boolean.
191 Enabled by default.
192
193 setsebool -P xguest_connect_network 1
194
195
196
197 If you want to support X userspace object manager, you must turn on the
198 xserver_object_manager boolean. Disabled by default.
199
200 setsebool -P xserver_object_manager 1
201
202
203
205 The SELinux process type xguest_openoffice_t can manage files labeled
206 with the following file types. The paths listed are the default paths
207 for these file types. Note the processes UID still need to have DAC
208 permissions.
209
210 anon_inodefs_t
211
212
213 chrome_sandbox_tmpfs_t
214
215
216 cifs_t
217
218
219 iceauth_home_t
220
221 /home/[^/]*/.DCOP.*
222 /home/[^/]*/.ICEauthority.*
223 /home/staff/.DCOP.*
224 /home/staff/.ICEauthority.*
225
226 initrc_tmp_t
227
228
229 mnt_t
230
231 /mnt(/[^/]*)
232 /mnt(/[^/]*)?
233 /rhev(/[^/]*)?
234 /media(/[^/]*)
235 /media(/[^/]*)?
236 /etc/rhgb(/.*)?
237 /media/.hal-.*
238 /net
239 /afs
240 /rhev
241 /misc
242
243 noxattrfs
244
245 all files on file systems which do not support extended attributes
246
247 tmp_t
248
249 /tmp
250 /usr/tmp
251 /var/tmp
252 /tmp-inst
253 /var/tmp-inst
254 /var/tmp/vi.recover
255
256 usbfs_t
257
258
259 user_fonts_cache_t
260
261 /home/[^/]*/.fonts/auto(/.*)?
262 /home/[^/]*/.fontconfig(/.*)?
263 /home/[^/]*/.fonts.cache-.*
264 /home/staff/.fonts/auto(/.*)?
265 /home/staff/.fontconfig(/.*)?
266 /home/staff/.fonts.cache-.*
267
268 user_fonts_t
269
270 /home/[^/]*/.fonts(/.*)?
271 /home/staff/.fonts(/.*)?
272
273 user_home_type
274
275 all user home files
276
277 user_tmp_t
278
279 /tmp/gconfd-.*
280 /tmp/gconfd-staff
281
282 user_tmpfs_t
283
284 /dev/shm/mono.*
285 /dev/shm/pulse-shm.*
286
287 xauth_home_t
288
289 /root/.Xauth.*
290 /root/.xauth.*
291 /root/.serverauth.*
292 /var/lib/pqsql/.xauth.*
293 /var/lib/pqsql/.Xauthority.*
294 /var/lib/nxserver/home/.xauth.*
295 /var/lib/nxserver/home/.Xauthority.*
296 /home/[^/]*/.xauth.*
297 /home/[^/]*/.Xauthority.*
298 /home/[^/]*/.serverauth.*
299 /home/staff/.xauth.*
300 /home/staff/.Xauthority.*
301 /home/staff/.serverauth.*
302
303 xdm_tmp_t
304
305 /tmp/.X11-unix(/.*)?
306 /tmp/.ICE-unix(/.*)?
307 /tmp/.X0-lock
308
309 xserver_tmpfs_t
310
311
312
314 semanage fcontext can also be used to manipulate default file context
315 mappings.
316
317 semanage permissive can also be used to manipulate whether or not a
318 process type is permissive.
319
320 semanage module can also be used to enable/disable/install/remove pol‐
321 icy modules.
322
323 semanage boolean can also be used to manipulate the booleans
324
325
326 system-config-selinux is a GUI tool available to customize SELinux pol‐
327 icy settings.
328
329
331 This manual page was auto-generated using sepolicy manpage .
332
333
335 selinux(8), xguest_openoffice(8), semanage(8), restorecon(8), chcon(1)
336 , setsebool(8)
337
338
339
340xguest_openoffice 15-06-03 xguest_openoffice_selinux(8)