1openvpn_unconfined_sScErLiipntu_xsePloilniucxy(8o)penvpn_uonpceonnvfpinn_eudn_csocnrfiipnted_script_selinux(8)
2
3
4

NAME

6       openvpn_unconfined_script_selinux  - Security Enhanced Linux Policy for
7       the openvpn_unconfined_script processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the openvpn_unconfined_script processes
11       via flexible mandatory access control.
12
13       The openvpn_unconfined_script processes execute with the openvpn_uncon‐
14       fined_script_t SELinux type. You can check if you have these  processes
15       running by executing the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep openvpn_unconfined_script_t
20
21
22

ENTRYPOINTS

24       The  openvpn_unconfined_script_t  SELinux  type  can be entered via the
25       openvpn_unconfined_script_exec_t, shell_exec_t file types.
26
27       The default entrypoint paths for the openvpn_unconfined_script_t domain
28       are the following:
29
30       /etc/openvpn/scripts(/.*)?,    /bin/d?ash,    /bin/zsh.*,   /bin/ksh.*,
31       /usr/bin/d?ash, /usr/bin/ksh.*,  /usr/bin/zsh.*,  /bin/esh,  /bin/mksh,
32       /bin/sash,  /bin/tcsh,  /bin/yash,  /bin/bash,  /bin/fish,  /bin/bash2,
33       /usr/bin/esh,     /usr/bin/sash,     /usr/bin/tcsh,      /usr/bin/yash,
34       /usr/bin/mksh,     /usr/bin/fish,     /usr/bin/bash,     /sbin/nologin,
35       /usr/sbin/sesh,  /usr/bin/bash2,   /usr/sbin/smrsh,   /usr/bin/scponly,
36       /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-
37       shell,         /usr/libexec/sudo/sesh,         /usr/bin/cockpit-bridge,
38       /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell
39

PROCESS TYPES

41       SELinux defines process types (domains) for each process running on the
42       system
43
44       You can see the context of a process using the -Z option to ps
45
46       Policy governs the access confined processes have  to  files.   SELinux
47       openvpn_unconfined_script  policy  is  very  flexible allowing users to
48       setup their openvpn_unconfined_script processes in as secure  a  method
49       as possible.
50
51       The following process types are defined for openvpn_unconfined_script:
52
53       openvpn_unconfined_script_t
54
55       Note: semanage permissive -a openvpn_unconfined_script_t can be used to
56       make the process type openvpn_unconfined_script_t  permissive.  SELinux
57       does  not deny access to permissive process types, but the AVC (SELinux
58       denials) messages are still generated.
59
60

BOOLEANS

62       SELinux policy is customizable based on least access  required.   open‐
63       vpn_unconfined_script  policy  is  extremely  flexible  and has several
64       booleans that allow you to manipulate the policy and run openvpn_uncon‐
65       fined_script with the tightest access possible.
66
67
68
69       If you want to deny user domains applications to map a memory region as
70       both executable and writable, this  is  dangerous  and  the  executable
71       should be reported in bugzilla, you must turn on the deny_execmem bool‐
72       ean. Enabled by default.
73
74       setsebool -P deny_execmem 1
75
76
77
78       If you want to deny any process from ptracing or  debugging  any  other
79       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
80       default.
81
82       setsebool -P deny_ptrace 1
83
84
85
86       If you want to allow any process  to  mmap  any  file  on  system  with
87       attribute  file_type,  you must turn on the domain_can_mmap_files bool‐
88       ean. Enabled by default.
89
90       setsebool -P domain_can_mmap_files 1
91
92
93
94       If you want to allow all domains write to kmsg_device, while kernel  is
95       executed  with  systemd.log_target=kmsg parameter, you must turn on the
96       domain_can_write_kmsg boolean. Disabled by default.
97
98       setsebool -P domain_can_write_kmsg 1
99
100
101
102       If you want to allow all domains to use other domains file descriptors,
103       you must turn on the domain_fd_use boolean. Enabled by default.
104
105       setsebool -P domain_fd_use 1
106
107
108
109       If  you  want to allow all domains to have the kernel load modules, you
110       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
111       default.
112
113       setsebool -P domain_kernel_load_modules 1
114
115
116
117       If you want to allow all domains to execute in fips_mode, you must turn
118       on the fips_mode boolean. Enabled by default.
119
120       setsebool -P fips_mode 1
121
122
123
124       If you want to enable reading of urandom for all domains, you must turn
125       on the global_ssp boolean. Disabled by default.
126
127       setsebool -P global_ssp 1
128
129
130
131       If  you  want  to control the ability to mmap a low area of the address
132       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
133       the mmap_low_allowed boolean. Disabled by default.
134
135       setsebool -P mmap_low_allowed 1
136
137
138
139       If  you  want to allow openvpn to run unconfined scripts, you must turn
140       on the openvpn_run_unconfined boolean. Disabled by default.
141
142       setsebool -P openvpn_run_unconfined 1
143
144
145
146       If you want to disable kernel module loading,  you  must  turn  on  the
147       secure_mode_insmod boolean. Enabled by default.
148
149       setsebool -P secure_mode_insmod 1
150
151
152
153       If  you want to boolean to determine whether the system permits loading
154       policy, setting enforcing mode, and changing boolean values.  Set  this
155       to  true  and  you  have to reboot to set it back, you must turn on the
156       secure_mode_policyload boolean. Enabled by default.
157
158       setsebool -P secure_mode_policyload 1
159
160
161
162       If you want to allow unconfined executables to make their  heap  memory
163       executable.   Doing  this  is  a  really bad idea. Probably indicates a
164       badly coded executable, but could indicate an attack.  This  executable
165       should   be   reported  in  bugzilla,  you  must  turn  on  the  selin‐
166       uxuser_execheap boolean. Disabled by default.
167
168       setsebool -P selinuxuser_execheap 1
169
170
171
172       If you want to  allow  all  unconfined  executables  to  use  libraries
173       requiring  text  relocation  that  are not labeled textrel_shlib_t, you
174       must turn on the selinuxuser_execmod boolean. Enabled by default.
175
176       setsebool -P selinuxuser_execmod 1
177
178
179
180       If you want to allow unconfined executables to make  their  stack  exe‐
181       cutable.   This  should  never, ever be necessary. Probably indicates a
182       badly coded executable, but could indicate an attack.  This  executable
183       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
184       stack boolean. Enabled by default.
185
186       setsebool -P selinuxuser_execstack 1
187
188
189
190       If you want to support X userspace object manager, you must turn on the
191       xserver_object_manager boolean. Enabled by default.
192
193       setsebool -P xserver_object_manager 1
194
195
196

MANAGED FILES

198       The  SELinux  process type openvpn_unconfined_script_t can manage files
199       labeled with the following  file  types.   The  paths  listed  are  the
200       default  paths for these file types.  Note the processes UID still need
201       to have DAC permissions.
202
203       file_type
204
205            all files on the system
206
207

FILE CONTEXTS

209       SELinux requires files to have an extended attribute to define the file
210       type.
211
212       You can see the context of a file using the -Z option to ls
213
214       Policy  governs  the  access  confined  processes  have to these files.
215       SELinux openvpn_unconfined_script  policy  is  very  flexible  allowing
216       users to setup their openvpn_unconfined_script processes in as secure a
217       method as possible.
218
219       The following file types are defined for openvpn_unconfined_script:
220
221
222
223       openvpn_unconfined_script_exec_t
224
225       - Set files with the openvpn_unconfined_script_exec_t type, if you want
226       to transition an executable to the openvpn_unconfined_script_t domain.
227
228
229
230       Note:  File context can be temporarily modified with the chcon command.
231       If you want to permanently change the file context you need to use  the
232       semanage fcontext command.  This will modify the SELinux labeling data‐
233       base.  You will need to use restorecon to apply the labels.
234
235

COMMANDS

237       semanage fcontext can also be used to manipulate default  file  context
238       mappings.
239
240       semanage  permissive  can  also  be used to manipulate whether or not a
241       process type is permissive.
242
243       semanage module can also be used to enable/disable/install/remove  pol‐
244       icy modules.
245
246       semanage boolean can also be used to manipulate the booleans
247
248
249       system-config-selinux is a GUI tool available to customize SELinux pol‐
250       icy settings.
251
252

AUTHOR

254       This manual page was auto-generated using sepolicy manpage .
255
256

SEE ALSO

258       selinux(8), openvpn_unconfined_script(8),  semanage(8),  restorecon(8),
259       chcon(1), sepolicy(8) , setsebool(8)
260
261
262
263openvpn_unconfined_script          19-04-25openvpn_unconfined_script_selinux(8)
Impressum