1xdm_selinux(8) SELinux Policy xdm xdm_selinux(8)
2
6 xdm_selinux - Security Enhanced Linux Policy for the xdm processes
7
9 Security-Enhanced Linux secures the xdm processes via flexible manda‐
10 tory access control.
11 The xdm processes execute with the xdm_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15 For example:
17 ps -eZ | grep xdm_t
19
23 The xdm_t SELinux type can be entered via the bin_t, xdm_exec_t file
24 types.
25 The default entrypoint paths for the xdm_t domain are the following:
27 All executeables with the default executable label, usually stored in
29 /usr/bin and /usr/sbin. /usr/(s)?bin/lxdm, /usr/(s)?bin/[xgkw]dm,
30 /usr/(s)?bin/gdm-binary, /usr/(s)?bin/lxdm-binary,
31 /usr/X11R6/bin/[xgkw]dm, /usr/bin/slim, /usr/bin/gpe-dm,
32 /opt/kde3/bin/kdm
33
35 SELinux defines process types (domains) for each process running on the
36 system
37 You can see the context of a process using the -Z option to ps
39 Policy governs the access confined processes have to files. SELinux
41 xdm policy is very flexible allowing users to setup their xdm processes
42 in as secure a method as possible.
43 The following process types are defined for xdm:
45 xdm_t, xdm_dbusd_t
47 Note: semanage permissive -a xdm_t can be used to make the process type
49 xdm_t permissive. SELinux does not deny access to permissive process
50 types, but the AVC (SELinux denials) messages are still generated.
51
54 SELinux policy is customizable based on least access required. xdm
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run xdm with the tightest access possible.
57 If you want to allows xdm to execute bootloader, you must turn on the
61 xdm_exec_bootloader boolean. Disabled by default.
62 setsebool -P xdm_exec_bootloader 1
64 If you want to allow xdm logins as sysadm, you must turn on the
68 xdm_sysadm_login boolean. Disabled by default.
69 setsebool -P xdm_sysadm_login 1
71 If you want to allow all daemons the ability to read/write terminals,
75 you must turn on the allow_daemons_use_tty boolean. Disabled by
76 default.
77 setsebool -P allow_daemons_use_tty 1
79 If you want to allow all domains to use other domains file descriptors,
83 you must turn on the allow_domain_fd_use boolean. Enabled by default.
84 setsebool -P allow_domain_fd_use 1
86 If you want to allow unconfined executables to map a memory region as
90 both executable and writable, this is dangerous and the executable
91 should be reported in bugzilla), you must turn on the allow_execmem
92 boolean. Enabled by default.
93 setsebool -P allow_execmem 1
95 If you want to allow unconfined executables to make their stack exe‐
99 cutable. This should never, ever be necessary. Probably indicates a
100 badly coded executable, but could indicate an attack. This executable
101 should be reported in bugzilla), you must turn on the allow_execstack
102 boolean. Enabled by default.
103 setsebool -P allow_execstack 1
105 If you want to allow confined applications to run with kerberos, you
109 must turn on the allow_kerberos boolean. Enabled by default.
110 setsebool -P allow_kerberos 1
112 If you want to enable polyinstantiated directory support, you must turn
116 on the allow_polyinstantiation boolean. Enabled by default.
117 setsebool -P allow_polyinstantiation 1
119 If you want to allow sysadm to debug or ptrace all processes, you must
123 turn on the allow_ptrace boolean. Disabled by default.
124 setsebool -P allow_ptrace 1
126 If you want to allow system to run with NIS, you must turn on the
130 allow_ypbind boolean. Disabled by default.
131 setsebool -P allow_ypbind 1
133 If you want to allow users to login using a radius server, you must
137 turn on the authlogin_radius boolean. Disabled by default.
138 setsebool -P authlogin_radius 1
140 If you want to allow users login programs to access /etc/shadow, you
144 must turn on the authlogin_shadow boolean. Disabled by default.
145 setsebool -P authlogin_shadow 1
147 If you want to allow all domains to have the kernel load modules, you
151 must turn on the domain_kernel_load_modules boolean. Disabled by
152 default.
153 setsebool -P domain_kernel_load_modules 1
155 If you want to allow all domains to execute in fips_mode, you must turn
159 on the fips_mode boolean. Enabled by default.
160 setsebool -P fips_mode 1
162 If you want to enable reading of urandom for all domains, you must turn
166 on the global_ssp boolean. Disabled by default.
167 setsebool -P global_ssp 1
169 If you want to enable support for upstart as the init program, you must
173 turn on the init_upstart boolean. Enabled by default.
174 setsebool -P init_upstart 1
176 If you want to allow confined applications to use nscd shared memory,
180 you must turn on the nscd_use_shm boolean. Enabled by default.
181 setsebool -P nscd_use_shm 1
183 If you want to allow a user to login as an unconfined domain, you must
187 turn on the unconfined_login boolean. Enabled by default.
188 setsebool -P unconfined_login 1
190 If you want to support NFS home directories, you must turn on the
194 use_nfs_home_dirs boolean. Disabled by default.
195 setsebool -P use_nfs_home_dirs 1
197 If you want to support SAMBA home directories, you must turn on the
201 use_samba_home_dirs boolean. Disabled by default.
202 setsebool -P use_samba_home_dirs 1
204 If you want to support X userspace object manager, you must turn on the
208 xserver_object_manager boolean. Disabled by default.
209 setsebool -P xserver_object_manager 1
211
215 SELinux defines port types to represent TCP and UDP ports.
216 You can see the types associated with a port by using the following
218 command:
219 semanage port -l
221 Policy governs the access confined processes have to these ports.
224 SELinux xdm policy is very flexible allowing users to setup their xdm
225 processes in as secure a method as possible.
226 The following port types are defined for xdm:
228 xdmcp_port_t
231 Default Defined Ports:
235 tcp 177
236 udp 177
237
239 The SELinux process type xdm_t can manage files labeled with the fol‐
240 lowing file types. The paths listed are the default paths for these
241 file types. Note the processes UID still need to have DAC permissions.
242 anon_inodefs_t
244 auth_cache_t
247 /var/cache/coolkey(/.*)?
249 cgroup_t
251 /cgroup(/.*)?
253 cifs_t
255 etc_runtime_t
258 /[^/]+
260 /etc/mtab.*
261 /etc/blkid(/.*)?
262 /etc/nologin.*
263 /etc/zipl.conf.*
264 /etc/smartd.conf.*
265 /etc/.fstab.hal..+
266 /etc/sysconfig/ip6?tables.save
267 /halt
268 /etc/motd
269 /fastboot
270 /poweroff
271 /etc/issue
272 /etc/cmtab
273 /forcefsck
274 /.autofsck
275 /.suspended
276 /fsckoptions
277 /etc/HOSTNAME
278 /.autorelabel
279 /etc/securetty
280 /etc/nohotplug
281 /etc/issue.net
282 /etc/killpower
283 /etc/ioctl.save
284 /etc/reader.conf
285 /etc/fstab.REVOKE
286 /etc/mtab.fuselock
287 /etc/network/ifstate
288 /etc/sysconfig/hwconf
289 /etc/ptal/ptal-printd-like
290 /etc/xorg.conf.d/00-system-setup-keyboard.conf
291 etc_t
293 /etc/.*
295 /var/db/.*.db
296 /usr/etc(/.*)?
297 /var/ftp/etc(/.*)?
298 /usr/local/etc(/.*)?
299 /var/lib/openshift/.limits.d(/.*)?
300 /var/lib/openshift/.openshift-proxy.d(/.*)?
301 /var/lib/openshift/.stickshift-proxy.d(/.*)?
302 /var/lib/stickshift/.limits.d(/.*)?
303 /var/lib/stickshift/.stickshift-proxy.d(/.*)?
304 /var/named/chroot/etc(/.*)?
305 /etc/ipsec.d/examples(/.*)?
306 /var/spool/postfix/etc(/.*)?
307 /etc
308 /etc/cups/client.conf
309 faillog_t
311 /var/log/btmp.*
313 /var/log/faillog.*
314 /var/log/tallylog.*
315 /var/run/faillock(/.*)?
316 fonts_cache_t
318 /var/cache/fontconfig(/.*)?
320 gconf_home_t
322 /root/.local.*
324 /root/.gconf(d)?(/.*)?
325 /home/[^/]*/.local.*
326 /home/[^/]*/.gconf(d)?(/.*)?
327 /home/staff/.local.*
328 /home/staff/.gconf(d)?(/.*)?
329 gnome_home_type
331 initrc_tmp_t
334 initrc_var_run_t
337 /var/run/utmp
339 /var/run/random-seed
340 /var/run/runlevel.dir
341 /var/run/setmixer_flag
342 krb5_host_rcache_t
344 /var/cache/krb5rcache(/.*)?
346 /var/tmp/host_0
347 /var/tmp/HTTP_23
348 lastlog_t
350 /var/log/lastlog.*
352 locale_t
354 /usr/lib/locale(/.*)?
356 /usr/share/locale(/.*)?
357 /usr/share/zoneinfo(/.*)?
358 /usr/share/X11/locale(/.*)?
359 /etc/timezone
360 /etc/localtime
361 /etc/sysconfig/clock
362 /etc/avahi/etc/localtime
363 /var/empty/sshd/etc/localtime
364 /var/named/chroot/etc/localtime
365 /var/spool/postfix/etc/localtime
366 mnt_t
368 /mnt(/[^/]*)
370 /mnt(/[^/]*)?
371 /rhev(/[^/]*)?
372 /media(/[^/]*)
373 /media(/[^/]*)?
374 /etc/rhgb(/.*)?
375 /media/.hal-.*
376 /net
377 /afs
378 /rhev
379 /misc
380 nfs_t
382 pam_var_console_t
385 /var/run/console(/.*)?
387 pam_var_run_t
389 /var/(db|adm)/sudo(/.*)?
391 /var/run/sudo(/.*)?
392 /var/lib/sudo(/.*)?
393 /var/run/sepermit(/.*)?
394 /var/run/pam_mount(/.*)?
395 pcscd_var_run_t
397 /var/run/pcscd.events(/.*)?
399 /var/run/pcscd.pid
400 /var/run/pcscd.pub
401 /var/run/pcscd.comm
402 security_t
404 shadow_t
407 /etc/shadow.*
409 /etc/gshadow.*
410 /var/db/shadow.*
411 /etc/passwd.adjunct.*
412 /etc/.pwd.lock
413 /etc/group.lock
414 /etc/passwd.lock
415 tmp_t
417 /tmp
419 /usr/tmp
420 /var/tmp
421 /tmp-inst
422 /var/tmp-inst
423 /var/tmp/vi.recover
424 user_fonts_t
426 /home/[^/]*/.fonts(/.*)?
428 /home/staff/.fonts(/.*)?
429 user_home_t
431 /home/[^/]*/.+
433 /home/staff/.+
434 user_tmp_t
436 /tmp/gconfd-.*
438 /tmp/gconfd-staff
439 user_tmpfs_t
441 /dev/shm/mono.*
443 /dev/shm/pulse-shm.*
444 var_auth_t
446 /var/ace(/.*)?
448 /var/rsa(/.*)?
449 /var/lib/rsa(/.*)?
450 /var/lib/abl(/.*)?
451 /var/run/pam_ssh(/.*)?
452 /var/lib/pam_ssh(/.*)?
453 /var/lib/pam_shield(/.*)?
454 /var/opt/quest/vas/vasd(/.*)?
455 /var/lib/google-authenticator(/.*)?
456 wtmp_t
458 /var/log/wtmp.*
460 xauth_home_t
462 /root/.Xauth.*
464 /root/.xauth.*
465 /root/.serverauth.*
466 /var/lib/pqsql/.xauth.*
467 /var/lib/pqsql/.Xauthority.*
468 /var/lib/nxserver/home/.xauth.*
469 /var/lib/nxserver/home/.Xauthority.*
470 /home/[^/]*/.xauth.*
471 /home/[^/]*/.Xauthority.*
472 /home/[^/]*/.serverauth.*
473 /home/staff/.xauth.*
474 /home/staff/.Xauthority.*
475 /home/staff/.serverauth.*
476 xdm_home_t
478 /home/[^/]*/.dmrc.*
480 /home/[^/]*/.xsession-errors.*
481 /home/staff/.dmrc.*
482 /home/staff/.xsession-errors.*
483 xdm_lock_t
485 xdm_log_t
488 /var/log/gdm(/.*)?
490 /var/log/lxdm.log.*
491 /var/log/slim.log.*
492 xdm_rw_etc_t
494 /etc/X11/wdm(/.*)?
496 xdm_spool_t
498 /var/spool/gdm(/.*)?
500 xdm_tmp_t
502 /tmp/.X11-unix(/.*)?
504 /tmp/.ICE-unix(/.*)?
505 /tmp/.X0-lock
506 xdm_tmpfs_t
508 xdm_var_lib_t
511 /var/lib/[gxkw]dm(/.*)?
513 /var/lib/lxdm(/.*)?
514 /var/cache/gdm(/.*)?
515 xdm_var_run_t
517 /usr/lib(64)?/qt-.*/etc/settings(/.*)?
519 /var/run/[gx]dm.pid
520 /etc/kde3?/kdm/backgroundrc
521 /var/run/kdm(/.*)?
522 /var/run/gdm(/.*)?
523 /var/run/slim.*
524 /var/run/lxdm(/*.)?
525 /var/run/slim(/.*)?
526 /var/run/xauth(/.*)?
527 /var/run/xdmctl(/.*)?
528 /var/run/lxdm.pid
529 /var/run/lxdm.auth
530 /var/run/gdm_socket
531 xkb_var_lib_t
533 /var/lib/xkb(/.*)?
535 /usr/X11R6/lib/X11/xkb/.*
536 /usr/X11R6/lib/X11/xkb
537 xserver_log_t
539 /var/[xgk]dm(/.*)?
541 /var/log/[kw]dm.log.*
542 /usr/var/[xgkw]dm(/.*)?
543 /var/log/Xorg.*
544 /var/log/XFree86.*
545 /var/log/nvidia-installer.log.*
546 xserver_tmpfs_t
548
552 SELinux requires files to have an extended attribute to define the file
553 type.
554 You can see the context of a file using the -Z option to ls
556 Policy governs the access confined processes have to these files.
558 SELinux xdm policy is very flexible allowing users to setup their xdm
559 processes in as secure a method as possible.
560 EQUIVALENCE DIRECTORIES
562 xdm policy stores data with multiple different file context types under
565 the /var/run/gdm directory. If you would like to store the data in a
566 different directory you can use the semanage command to create an
567 equivalence mapping. If you wanted to store this data under the /srv
568 dirctory you would execute the following command:
569 semanage fcontext -a -e /var/run/gdm /srv/gdm
571 restorecon -R -v /srv/gdm
572 xdm policy stores data with multiple different file context types under
574 the /var/run/slim directory. If you would like to store the data in a
575 different directory you can use the semanage command to create an
576 equivalence mapping. If you wanted to store this data under the /srv
577 dirctory you would execute the following command:
578 semanage fcontext -a -e /var/run/slim /srv/slim
580 restorecon -R -v /srv/slim
581 STANDARD FILE CONTEXT
583 SELinux defines the file context types for the xdm, if you wanted to
585 store files with these types in a diffent paths, you need to execute
586 the semanage command to sepecify alternate labeling and then use
587 restorecon to put the labels on disk.
588 semanage fcontext -a -t xdm_var_run_t '/srv/myxdm_content(/.*)?'
590 restorecon -R -v /srv/myxdm_content
591 Note: SELinux often uses regular expressions to specify labels that
593 match multiple files.
594 The following file types are defined for xdm:
596 xdm_etc_t
600 - Set files with the xdm_etc_t type, if you want to store xdm files in
602 the /etc directories.
603 xdm_exec_t
607 - Set files with the xdm_exec_t type, if you want to transition an exe‐
609 cutable to the xdm_t domain.
610 Paths:
613 /usr/(s)?bin/lxdm, /usr/(s)?bin/[xgkw]dm, /usr/(s)?bin/gdm-binary,
614 /usr/(s)?bin/lxdm-binary, /usr/X11R6/bin/[xgkw]dm, /usr/bin/slim,
615 /usr/bin/gpe-dm, /opt/kde3/bin/kdm
616 xdm_home_t
619 - Set files with the xdm_home_t type, if you want to store xdm files in
621 the users home directory.
622 Paths:
625 /home/[^/]*/.dmrc.*, /home/[^/]*/.xsession-errors.*,
626 /home/staff/.dmrc.*, /home/staff/.xsession-errors.*
627 xdm_lock_t
630 - Set files with the xdm_lock_t type, if you want to treat the files as
632 xdm lock data, stored under the /var/lock directory
633 xdm_log_t
637 - Set files with the xdm_log_t type, if you want to treat the data as
639 xdm log data, usually stored under the /var/log directory.
640 Paths:
643 /var/log/gdm(/.*)?, /var/log/lxdm.log.*, /var/log/slim.log.*
644 xdm_rw_etc_t
647 - Set files with the xdm_rw_etc_t type, if you want to store xdm rw
649 files in the /etc directories.
650 xdm_spool_t
654 - Set files with the xdm_spool_t type, if you want to store the xdm
656 files under the /var/spool directory.
657 xdm_tmp_t
661 - Set files with the xdm_tmp_t type, if you want to store xdm temporary
663 files in the /tmp directories.
664 Paths:
667 /tmp/.X11-unix(/.*)?, /tmp/.ICE-unix(/.*)?, /tmp/.X0-lock
668 xdm_tmpfs_t
671 - Set files with the xdm_tmpfs_t type, if you want to store xdm files
673 on a tmpfs file system.
674 xdm_var_lib_t
678 - Set files with the xdm_var_lib_t type, if you want to store the xdm
680 files under the /var/lib directory.
681 Paths:
684 /var/lib/[gxkw]dm(/.*)?, /var/lib/lxdm(/.*)?, /var/cache/gdm(/.*)?
685 xdm_var_run_t
688 - Set files with the xdm_var_run_t type, if you want to store the xdm
690 files under the /run or /var/run directory.
691 Paths:
694 /usr/lib(64)?/qt-.*/etc/settings(/.*)?, /var/run/[gx]dm.pid,
695 /etc/kde3?/kdm/backgroundrc, /var/run/kdm(/.*)?,
696 /var/run/gdm(/.*)?, /var/run/slim.*, /var/run/lxdm(/*.)?,
697 /var/run/slim(/.*)?, /var/run/xauth(/.*)?, /var/run/xdmctl(/.*)?,
698 /var/run/lxdm.pid, /var/run/lxdm.auth, /var/run/gdm_socket
699 Note: File context can be temporarily modified with the chcon command.
702 If you want to permanently change the file context you need to use the
703 semanage fcontext command. This will modify the SELinux labeling data‐
704 base. You will need to use restorecon to apply the labels.
705
708 semanage fcontext can also be used to manipulate default file context
709 mappings.
710 semanage permissive can also be used to manipulate whether or not a
712 process type is permissive.
713 semanage module can also be used to enable/disable/install/remove pol‐
715 icy modules.
716 semanage port can also be used to manipulate the port definitions
718 semanage boolean can also be used to manipulate the booleans
720 system-config-selinux is a GUI tool available to customize SELinux pol‐
723 icy settings.
724
727 This manual page was auto-generated using sepolicy manpage .
728
731 selinux(8), xdm(8), semanage(8), restorecon(8), chcon(1) , setse‐
732 bool(8), xdm_dbusd_selinux(8), xdm_dbusd_selinux(8)
733xdm 15-06-03 xdm_selinux(8)