xguest_java_selinux(8)    SELinux Policy xguest_java    xguest_java_selinux(8)


NAME

       xguest_java_selinux - Security Enhanced Linux Policy for the
       xguest_java processes


DESCRIPTION

       Security-Enhanced Linux secures the xguest_java processes via flexible
       mandatory access control.

       The xguest_java processes execute with the xguest_java_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep xguest_java_t


ENTRYPOINTS

       The xguest_java_t SELinux type can be entered via the xsession_exec_t,
       user_home_t and java_exec_t file types.

       The default entrypoint paths for the xguest_java_t domain are the
       following:

            /etc/kde3?/kdm/Xreset
            /etc/kde3?/kdm/Xstartup
            /etc/kde3?/kdm/Xsession
            /etc/X11/[wx]dm/Xreset.*
            /etc/X11/[wxg]dm/Xsession
            /etc/X11/Xsession[^/]*
            /etc/X11/wdm/Xsetup.*
            /etc/X11/wdm/Xstartup.*
            /home/[^/]*/.+
            /home/staff/.+
            /usr/(.*/)?bin/java.*
            /opt/(.*/)?bin/java[^/]*
            /usr/lib(.*/)?bin/java[^/]*
            /usr/lib(64)?/eclipse/eclipse
            /opt/matlab.*/bin.*/MATLAB.*
            /usr/matlab.*/bin.*/MATLAB.*
            /usr/Aptana[^/]*/AptanaStudio
            /opt/ibm/java.*/(bin|javaws)(/.*)?
            /usr/lib/opera(/.*)?/opera
            /usr/lib/opera(/.*)?/works
            /usr/bin/octave-[^/]*
            /usr/java/eclipse[^/]*/eclipse
            /usr/lib/jvm/java(.*/)bin(/.*)?
            /opt/local/matlab.*/bin.*/MATLAB.*
            /usr/local/matlab.*/bin.*/MATLAB.*
            /usr/lib64/jvm/java(.*/)bin(/.*)?
            /opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?
            /usr/bin/gij
            /usr/bin/frysk
            /usr/bin/grmic
            /usr/bin/fastjar
            /usr/bin/gkeytool
            /usr/bin/gcj-dbtool
            /usr/bin/gjarsigner
            /usr/bin/jv-convert
            /usr/bin/grmiregistry
            /usr/bin/gappletviewer


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       xguest_java policy is very flexible, allowing users to set up their
       xguest_java processes as securely as possible.

       The following process types are defined for xguest_java:

       xguest_java_t

       Note: semanage permissive -a xguest_java_t can be used to make the
       process type xguest_java_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.

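       The following shell script is an added example and is not part of the
       generated man page: it reads audit.log-style AVC lines (constructed
       samples are embedded) and separates denials that xguest_java_t hit
       while enforcing from those only logged while the domain was permissive,
       which is what you review after "semanage permissive -a xguest_java_t"
       before returning the domain to enforcing. The function names and the
       sample lines are the example's own.

```shell
#!/bin/sh
# Added example (not from the generated man page): summarise AVC denials for
# one SELinux domain. A permissive domain still produces AVC records, marked
# permissive=1; an enforcing domain's blocked accesses carry permissive=0.

# Constructed sample audit.log lines; pids, inodes and file names are made up.
SAMPLE_AVC='type=AVC msg=audit(1433318400.101:201): avc:  denied  { write } for  pid=2311 comm="java" name="hosts" dev="dm-0" ino=131 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1433318400.102:202): avc:  denied  { read } for  pid=2311 comm="java" name="shadow" dev="dm-0" ino=140 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1433318400.103:203): avc:  denied  { name_connect } for  pid=2311 comm="java" dest=80 scontext=xguest_u:xguest_r:xguest_java_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1433318400.104:204): avc:  denied  { write } for  pid=2400 comm="bash" name="motd" dev="dm-0" ino=9 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read audit lines on stdin; print "permissive tclass perms" for every
# denial whose source context carries the given domain type ($1).
avc_for_domain() {
    grep 'avc:  denied' | grep -E "scontext=[^ ]*:$1:" |
        sed -E 's/.*\{ ([^}]*) \}.*tclass=([^ ]+).*permissive=([01]).*/\3 \2 \1/'
}

# Denials the kernel actually blocked (domain was enforcing).
count_enforced() {
    avc_for_domain "$1" | awk '$1 == 0' | wc -l | tr -d ' '
}

# Denials that were logged but allowed (domain was permissive).
count_permissive() {
    avc_for_domain "$1" | awk '$1 == 1' | wc -l | tr -d ' '
}

# Distinct "tclass:permission" pairs: the input for deciding whether a
# boolean, a relabel or a local policy module is the right remedy.
denied_perms() {
    avc_for_domain "$1" | awk '{ for (i = 3; i <= NF; i++) print $2 ":" $i }' | sort -u
}

printf '%s\n' "$SAMPLE_AVC" | denied_perms xguest_java_t
```

       On a live system the same functions take the real log, for example
       "grep xguest_java_t /var/log/audit/audit.log | denied_perms
       xguest_java_t".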

BOOLEANS

       SELinux policy is customizable based on least access required.
       xguest_java policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run xguest_java with the
       tightest access possible.

       If you want to allow direct login to the console device (required for
       System 390), you must turn on the allow_console_login boolean. Enabled
       by default.

       setsebool -P allow_console_login 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow confined applications to run with Kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean. Disabled by
       default.

       setsebool -P allow_write_xshm 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, you must
       turn on the secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow regular users direct DRI device access, you must
       turn on the user_direct_dri boolean. Enabled by default.

       setsebool -P user_direct_dri 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the user_rw_noexattrfile boolean. Enabled by default.

       setsebool -P user_rw_noexattrfile 1

       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1

       If you want to allow xguest to configure Network Manager and connect to
       apache ports, you must turn on the xguest_connect_network boolean.
       Enabled by default.

       setsebool -P xguest_connect_network 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1


MANAGED FILES

       The SELinux process type xguest_java_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       chrome_sandbox_tmpfs_t

       cifs_t

       iceauth_home_t

            /home/[^/]*/.DCOP.*
            /home/[^/]*/.ICEauthority.*
            /home/staff/.DCOP.*
            /home/staff/.ICEauthority.*

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       noxattrfs

            all files on file systems which do not support extended attributes

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       usbfs_t

       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       user_fonts_t

            /home/[^/]*/.fonts(/.*)?
            /home/staff/.fonts(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       user_tmpfs_t

            /dev/shm/mono.*
            /dev/shm/pulse-shm.*

       xauth_home_t

            /root/.Xauth.*
            /root/.xauth.*
            /root/.serverauth.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]*/.xauth.*
            /home/[^/]*/.Xauthority.*
            /home/[^/]*/.serverauth.*
            /home/staff/.xauth.*
            /home/staff/.Xauthority.*
            /home/staff/.serverauth.*

       xdm_tmp_t

            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X0-lock

       xserver_tmpfs_t


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), xguest_java(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

xguest_java                        15-06-03             xguest_java_selinux(8)