games_selinux(8)             SELinux Policy games             games_selinux(8)

NAME

       games_selinux - Security Enhanced Linux Policy for the games processes

DESCRIPTION

       Security-Enhanced Linux secures the games processes via flexible
       mandatory access control.

       The games processes execute with the games_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep games_t

ENTRYPOINTS

       The games_t SELinux type can be entered via the games_exec_t file type.

       The default entrypoint paths for the games_t domain are the following:

       /usr/lib(64)?/games(/.*)?, /usr/games/.*, /usr/bin/civclient.*,
       /usr/bin/civserver.*, /usr/bin/sol, /usr/bin/micq, /usr/bin/kolf,
       /usr/bin/kpat, /usr/bin/gnect, /usr/bin/gtali, /usr/bin/iagno,
       /usr/bin/ksame, /usr/bin/ktron, /usr/bin/kwin4, /usr/bin/lskat,
       /usr/bin/gataxx, /usr/bin/glines, /usr/bin/klines, /usr/bin/kmines,
       /usr/bin/kpoker, /usr/bin/ksnake, /usr/bin/gnomine, /usr/bin/gnotski,
       /usr/bin/katomic, /usr/bin/kbounce, /usr/bin/kshisen, /usr/bin/ksirtet,
       /usr/bin/gnibbles, /usr/bin/gnobots2, /usr/bin/mahjongg,
       /usr/bin/atlantik, /usr/bin/kenolaba, /usr/bin/klickety,
       /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/ksokoban,
       /usr/bin/blackjack, /usr/bin/gnotravex, /usr/bin/kblackbox,
       /usr/bin/kfouleggs, /usr/bin/kmahjongg, /usr/bin/kwin4proc,
       /usr/bin/lskatproc, /usr/bin/Maelstrom, /usr/bin/same-gnome,
       /usr/bin/kasteroids, /usr/bin/ksmiletris, /usr/bin/kspaceduel,
       /usr/bin/ktuberling, /usr/bin/kbackgammon, /usr/bin/kbattleship,
       /usr/bin/kgoldrunner, /usr/bin/gnome-stones, /usr/bin/kjumpingcube

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       games policy is very flexible, allowing users to set up their games
       processes in as secure a method as possible.

       The following process types are defined for games:

       games_t, games_srv_t

       Note: semanage permissive -a games_t can be used to make the process
       type games_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. games
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run games with the tightest access possible.

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow unconfined executables to map a memory region as
       both executable and writable (this is dangerous and the executable
       should be reported in bugzilla), you must turn on the allow_execmem
       boolean. Enabled by default.

       setsebool -P allow_execmem 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to support X userspace object manager, you must turn on the
       xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1
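
       To check a host against the defaults documented above, the following
       added example (not part of the generated man page) compares the
       "name --> state" lines printed by getsebool -a with this page's
       defaults. The function name boolean_drift and the sample input are
       assumptions constructed for illustration.

```shell
#!/bin/sh
# Defaults exactly as documented in the BOOLEANS section of this page.
DOCUMENTED_DEFAULTS='allow_domain_fd_use on
allow_execmem on
allow_ptrace off
allow_write_xshm off
domain_kernel_load_modules off
fips_mode on
global_ssp off
use_nfs_home_dirs off
use_samba_home_dirs off
xserver_object_manager off'

# Constructed sample in the format printed by "getsebool -a".
# global_ssp is deliberately absent; httpd_enable_cgi is unrelated noise.
SAMPLE_GETSEBOOL='allow_domain_fd_use --> on
allow_execmem --> on
allow_ptrace --> on
allow_write_xshm --> off
domain_kernel_load_modules --> on
fips_mode --> on
httpd_enable_cgi --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
xserver_object_manager --> off'

# boolean_drift (hypothetical helper): reads getsebool output on stdin and
# prints "name documented current" for each boolean from this page whose
# state differs from the documented default, or "missing" if not reported.
boolean_drift() {
    { printf '%s\n' "$DOCUMENTED_DEFAULTS"; cat; } | awk '
        NF == 2                { want[$1] = $2; order[++n] = $1; next }
        NF == 3 && $2 == "-->" { have[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                b = order[i]
                if (!(b in have))           print b, want[b], "missing"
                else if (have[b] != want[b]) print b, want[b], have[b]
            }
        }'
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

       On a live system, run: getsebool -a | boolean_drift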

MANAGED FILES

       The SELinux process type games_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       games_tmp_t

       games_tmpfs_t

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       xserver_tmpfs_t

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux games policy is very flexible, allowing users to set up their
       games processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for games. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t games_tmpfs_t '/srv/mygames_content(/.*)?'
       restorecon -R -v /srv/mygames_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
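
       File-context specifications are matched against the whole path, so
       /usr/bin/sol labels only that one file and /usr/games/.* does not cover
       /usr/games itself. The following is an added example, not part of the
       generated man page: it tests paths against a subset of the specs listed
       on this page; the function name games_type_for and the sample paths are
       assumptions constructed for illustration.

```shell
#!/bin/sh
# Subset of the specs on this page, one "regex type" pair per line.
# These specs do not overlap, so the order in which they are tried is
# irrelevant here.
GAMES_SPECS='/usr/lib(64)?/games(/.*)? games_exec_t
/usr/games/.* games_exec_t
/usr/bin/civclient.* games_exec_t
/usr/bin/sol games_exec_t
/var/games(/.*)? games_data_t
/var/lib/games(/.*)? games_data_t
/srv/mygames_content(/.*)? games_tmpfs_t'

# games_type_for PATH (hypothetical helper): print the type of the spec
# whose regex matches the WHOLE path, or "<no games spec>" if none does.
games_type_for() {
    path=$1
    result=$(printf '%s\n' "$GAMES_SPECS" | while read -r regex type; do
        # File-context regexes are anchored at both ends: add ^ and $.
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            printf '%s\n' "$type"
            break
        fi
    done)
    printf '%s\n' "${result:-<no games spec>}"
}

# Constructed sample paths showing what each spec does and does not cover.
for p in /usr/games /usr/games/nethack /usr/bin/sol /usr/bin/solitaire \
         /usr/bin/civclient-gtk /usr/lib64/games/foo \
         /srv/mygames_content /srv/mygames_content2; do
    printf '%-26s %s\n' "$p" "$(games_type_for "$p")"
done
```

       To ask the installed policy which label a path would receive, use
       matchpathcon(8).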
       The following file types are defined for games:

       games_data_t

       - Set files with the games_data_t type, if you want to treat the files
       as games content.

       Paths:
            /var/games(/.*)?, /var/lib/games(/.*)?

       games_exec_t

       - Set files with the games_exec_t type, if you want to transition an
       executable to the games_t domain.

       Paths:
            /usr/lib(64)?/games(/.*)?, /usr/games/.*, /usr/bin/civclient.*,
            /usr/bin/civserver.*, /usr/bin/sol, /usr/bin/micq, /usr/bin/kolf,
            /usr/bin/kpat, /usr/bin/gnect, /usr/bin/gtali, /usr/bin/iagno,
            /usr/bin/ksame, /usr/bin/ktron, /usr/bin/kwin4, /usr/bin/lskat,
            /usr/bin/gataxx, /usr/bin/glines, /usr/bin/klines,
            /usr/bin/kmines, /usr/bin/kpoker, /usr/bin/ksnake,
            /usr/bin/gnomine, /usr/bin/gnotski, /usr/bin/katomic,
            /usr/bin/kbounce, /usr/bin/kshisen, /usr/bin/ksirtet,
            /usr/bin/gnibbles, /usr/bin/gnobots2, /usr/bin/mahjongg,
            /usr/bin/atlantik, /usr/bin/kenolaba, /usr/bin/klickety,
            /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/ksokoban,
            /usr/bin/blackjack, /usr/bin/gnotravex, /usr/bin/kblackbox,
            /usr/bin/kfouleggs, /usr/bin/kmahjongg, /usr/bin/kwin4proc,
            /usr/bin/lskatproc, /usr/bin/Maelstrom, /usr/bin/same-gnome,
            /usr/bin/kasteroids, /usr/bin/ksmiletris, /usr/bin/kspaceduel,
            /usr/bin/ktuberling, /usr/bin/kbackgammon, /usr/bin/kbattleship,
            /usr/bin/kgoldrunner, /usr/bin/gnome-stones, /usr/bin/kjumpingcube

       games_srv_var_run_t

       - Set files with the games_srv_var_run_t type, if you want to store the
       games srv files under the /run or /var/run directory.

       games_tmp_t

       - Set files with the games_tmp_t type, if you want to store games
       temporary files in the /tmp directories.

       games_tmpfs_t

       - Set files with the games_tmpfs_t type, if you want to store games
       files on a tmpfs file system.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), games(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), games_srv_selinux(8)

games                              15-06-03                   games_selinux(8)