1xguest_openoffice_selinuSxE(L8i)nux Policy xguest_openofxfgiuceest_openoffice_selinux(8)
2
3
4

NAME

6       xguest_openoffice_selinux  -  Security  Enhanced  Linux  Policy for the
7       xguest_openoffice processes
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  xguest_openoffice  processes  via
11       flexible mandatory access control.
12
13       The  xguest_openoffice  processes  execute with the xguest_openoffice_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep xguest_openoffice_t
20
21
22

ENTRYPOINTS

24       The  xguest_openoffice_t  SELinux  type  can  be  entered via the xses‐
25       sion_exec_t, user_home_t, openoffice_exec_t file types.
26
27       The default entrypoint paths for the xguest_openoffice_t domain are the
28       following:
29
30       /etc/kde3?/kdm/Xreset,   /etc/kde3?/kdm/Xstartup,  /etc/kde3?/kdm/Xses‐
31       sion,       /etc/X11/[wx]dm/Xreset.*,        /etc/X11/[wxg]dm/Xsession,
32       /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.*,
33       /home/[^/]*/.+,  /home/staff/.+,  /opt/openoffice.org.*/program/.+.bin,
34       /usr/lib/openoffice.org.*/program/.+.bin,              /usr/lib64/open‐
35       office.org.*/program/.+.bin
36

PROCESS TYPES

38       SELinux defines process types (domains) for each process running on the
39       system
40
41       You can see the context of a process using the -Z option to ps
42
43       Policy  governs  the  access confined processes have to files.  SELinux
44       xguest_openoffice policy is very flexible allowing users to setup their
45       xguest_openoffice processes in as secure a method as possible.
46
47       The following process types are defined for xguest_openoffice:
48
49       xguest_openoffice_t
50
51       Note:  semanage  permissive  -a xguest_openoffice_t can be used to make
52       the process type xguest_openoffice_t permissive. SELinux does not  deny
53       access  to permissive process types, but the AVC (SELinux denials) mes‐
54       sages are still generated.
55
56

BOOLEANS

58       SELinux  policy  is  customizable  based  on  least  access   required.
59       xguest_openoffice policy is extremely flexible and has several booleans
60       that allow you to manipulate the policy and run xguest_openoffice  with
61       the tightest access possible.
62
63
64
65       If  you  want to allow direct login to the console device. Required for
66       System 390, you must turn on the allow_console_login  boolean.  Enabled
67       by default.
68
69       setsebool -P allow_console_login 1
70
71
72
73       If you want to allow all domains to use other domains file descriptors,
74       you must turn on the allow_domain_fd_use boolean. Enabled by default.
75
76       setsebool -P allow_domain_fd_use 1
77
78
79
80       If you want to allow confined applications to run  with  kerberos,  you
81       must turn on the allow_kerberos boolean. Enabled by default.
82
83       setsebool -P allow_kerberos 1
84
85
86
87       If  you want to allow sysadm to debug or ptrace all processes, you must
88       turn on the allow_ptrace boolean. Disabled by default.
89
90       setsebool -P allow_ptrace 1
91
92
93
94       If you want to allows clients to write to the X  server  shared  memory
95       segments,  you  must  turn on the allow_write_xshm boolean. Disabled by
96       default.
97
98       setsebool -P allow_write_xshm 1
99
100
101
102       If you want to allow system to run with  NIS,  you  must  turn  on  the
103       allow_ypbind boolean. Disabled by default.
104
105       setsebool -P allow_ypbind 1
106
107
108
109       If  you  want to allow all domains to have the kernel load modules, you
110       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
111       default.
112
113       setsebool -P domain_kernel_load_modules 1
114
115
116
117       If you want to allow all domains to execute in fips_mode, you must turn
118       on the fips_mode boolean. Enabled by default.
119
120       setsebool -P fips_mode 1
121
122
123
124       If you want to enable reading of urandom for all domains, you must turn
125       on the global_ssp boolean. Disabled by default.
126
127       setsebool -P global_ssp 1
128
129
130
131       If  you  want to allow confined applications to use nscd shared memory,
132       you must turn on the nscd_use_shm boolean. Enabled by default.
133
134       setsebool -P nscd_use_shm 1
135
136
137
138       If you want to enabling secure mode disallows programs,  such  as  new‐
139       role,  from transitioning to administrative user domains, you must turn
140       on the secure_mode boolean. Disabled by default.
141
142       setsebool -P secure_mode 1
143
144
145
146       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn  on
147       the ssh_sysadm_login boolean. Disabled by default.
148
149       setsebool -P ssh_sysadm_login 1
150
151
152
153       If  you  want  to  support  NFS  home directories, you must turn on the
154       use_nfs_home_dirs boolean. Disabled by default.
155
156       setsebool -P use_nfs_home_dirs 1
157
158
159
160       If you want to support SAMBA home directories, you  must  turn  on  the
161       use_samba_home_dirs boolean. Disabled by default.
162
163       setsebool -P use_samba_home_dirs 1
164
165
166
167       If  you  want to allow regular users direct dri device access, you must
168       turn on the user_direct_dri boolean. Enabled by default.
169
170       setsebool -P user_direct_dri 1
171
172
173
174       If you want to allow user to r/w files on filesystems that do not  have
175       extended  attributes  (FAT,  CDROM,  FLOPPY),  you  must  turn  on  the
176       user_rw_noexattrfile boolean. Enabled by default.
177
178       setsebool -P user_rw_noexattrfile 1
179
180
181
182       If you want to allow xdm  logins  as  sysadm,  you  must  turn  on  the
183       xdm_sysadm_login boolean. Disabled by default.
184
185       setsebool -P xdm_sysadm_login 1
186
187
188
189       If you want to allow xguest to configure Network Manager and connect to
190       apache ports, you must  turn  on  the  xguest_connect_network  boolean.
191       Enabled by default.
192
193       setsebool -P xguest_connect_network 1
194
195
196
197       If you want to support X userspace object manager, you must turn on the
198       xserver_object_manager boolean. Disabled by default.
199
200       setsebool -P xserver_object_manager 1
201
202
203

MANAGED FILES

205       The SELinux process type xguest_openoffice_t can manage  files  labeled
206       with  the following file types.  The paths listed are the default paths
207       for these file types.  Note the processes UID still need  to  have  DAC
208       permissions.
209
210       anon_inodefs_t
211
212
213       chrome_sandbox_tmpfs_t
214
215
216       cifs_t
217
218
219       iceauth_home_t
220
221            /home/[^/]*/.DCOP.*
222            /home/[^/]*/.ICEauthority.*
223            /home/staff/.DCOP.*
224            /home/staff/.ICEauthority.*
225
226       initrc_tmp_t
227
228
229       mnt_t
230
231            /mnt(/[^/]*)
232            /mnt(/[^/]*)?
233            /rhev(/[^/]*)?
234            /media(/[^/]*)
235            /media(/[^/]*)?
236            /etc/rhgb(/.*)?
237            /media/.hal-.*
238            /net
239            /afs
240            /rhev
241            /misc
242
243       noxattrfs
244
245            all files on file systems which do not support extended attributes
246
247       tmp_t
248
249            /tmp
250            /usr/tmp
251            /var/tmp
252            /tmp-inst
253            /var/tmp-inst
254            /var/tmp/vi.recover
255
256       usbfs_t
257
258
259       user_fonts_cache_t
260
261            /home/[^/]*/.fonts/auto(/.*)?
262            /home/[^/]*/.fontconfig(/.*)?
263            /home/[^/]*/.fonts.cache-.*
264            /home/staff/.fonts/auto(/.*)?
265            /home/staff/.fontconfig(/.*)?
266            /home/staff/.fonts.cache-.*
267
268       user_fonts_t
269
270            /home/[^/]*/.fonts(/.*)?
271            /home/staff/.fonts(/.*)?
272
273       user_home_type
274
275            all user home files
276
277       user_tmp_t
278
279            /tmp/gconfd-.*
280            /tmp/gconfd-staff
281
282       user_tmpfs_t
283
284            /dev/shm/mono.*
285            /dev/shm/pulse-shm.*
286
287       xauth_home_t
288
289            /root/.Xauth.*
290            /root/.xauth.*
291            /root/.serverauth.*
292            /var/lib/pqsql/.xauth.*
293            /var/lib/pqsql/.Xauthority.*
294            /var/lib/nxserver/home/.xauth.*
295            /var/lib/nxserver/home/.Xauthority.*
296            /home/[^/]*/.xauth.*
297            /home/[^/]*/.Xauthority.*
298            /home/[^/]*/.serverauth.*
299            /home/staff/.xauth.*
300            /home/staff/.Xauthority.*
301            /home/staff/.serverauth.*
302
303       xdm_tmp_t
304
305            /tmp/.X11-unix(/.*)?
306            /tmp/.ICE-unix(/.*)?
307            /tmp/.X0-lock
308
309       xserver_tmpfs_t
310
311
312

COMMANDS

314       semanage  fcontext  can also be used to manipulate default file context
315       mappings.
316
317       semanage permissive can also be used to manipulate  whether  or  not  a
318       process type is permissive.
319
320       semanage  module can also be used to enable/disable/install/remove pol‐
321       icy modules.
322
323       semanage boolean can also be used to manipulate the booleans
324
325
326       system-config-selinux is a GUI tool available to customize SELinux pol‐
327       icy settings.
328
329

AUTHOR

331       This manual page was auto-generated using sepolicy manpage .
332
333

SEE ALSO

335       selinux(8),  xguest_openoffice(8), semanage(8), restorecon(8), chcon(1)
336       , setsebool(8)
337
338
339
340xguest_openoffice                  15-06-03       xguest_openoffice_selinux(8)
Impressum