semanage_selinux(8)

1semanage_selinux(8)         SELinux Policy semanage        semanage_selinux(8)
2
3
4

NAME

6       semanage_selinux - Security Enhanced Linux Policy for the semanage pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures the  semanage  processes  via  flexible
11       mandatory access control.
12
13       The  semanage  processes  execute with the semanage_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep semanage_t
20
21
22

ENTRYPOINTS

24       The semanage_t SELinux type can be entered via the semanage_exec_t file
25       type.
26
27       The default entrypoint paths for the semanage_t domain are the  follow‐
28       ing:
29
30       /usr/sbin/semanage,   /usr/sbin/semodule,   /usr/libexec/selinux/seman‐
31       age_migrate_store,  /usr/share/system-config-selinux/selinux_server.py,
32       /usr/share/system-config-selinux/system-config-selinux-dbus.py
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       semanage policy is very flexible allowing users to setup their semanage
42       processes in as secure a method as possible.
43
44       The following process types are defined for semanage:
45
46       semanage_t
47
48       Note: semanage permissive -a semanage_t can be used to make the process
49       type  semanage_t permissive. SELinux does not deny access to permissive
50       process types, but the AVC (SELinux denials) messages are still  gener‐
51       ated.
52
53

BOOLEANS

55       SELinux  policy is customizable based on least access required.  seman‐
56       age policy is extremely flexible and has several  booleans  that  allow
57       you  to manipulate the policy and run semanage with the tightest access
58       possible.
59
60
61
62       If you want to allow users to resolve user passwd entries directly from
63       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
64       gin_nsswitch_use_ldap boolean. Disabled by default.
65
66       setsebool -P authlogin_nsswitch_use_ldap 1
67
68
69
70       If you want to allow all daemons to write corefiles to /, you must turn
71       on the daemons_dump_core boolean. Disabled by default.
72
73       setsebool -P daemons_dump_core 1
74
75
76
77       If  you  want  to enable cluster mode for daemons, you must turn on the
78       daemons_enable_cluster_mode boolean. Enabled by default.
79
80       setsebool -P daemons_enable_cluster_mode 1
81
82
83
84       If you want to allow all daemons to use tcp wrappers, you must turn  on
85       the daemons_use_tcp_wrapper boolean. Disabled by default.
86
87       setsebool -P daemons_use_tcp_wrapper 1
88
89
90
91       If  you  want to allow all daemons the ability to read/write terminals,
92       you must turn on the daemons_use_tty boolean. Disabled by default.
93
94       setsebool -P daemons_use_tty 1
95
96
97
98       If you want to deny user domains applications to map a memory region as
99       both  executable  and  writable,  this  is dangerous and the executable
100       should be reported in bugzilla, you must turn on the deny_execmem bool‐
101       ean. Enabled by default.
102
103       setsebool -P deny_execmem 1
104
105
106
107       If  you  want  to deny any process from ptracing or debugging any other
108       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
109       default.
110
111       setsebool -P deny_ptrace 1
112
113
114
115       If  you  want  to  allow  any  process  to mmap any file on system with
116       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
117       ean. Enabled by default.
118
119       setsebool -P domain_can_mmap_files 1
120
121
122
123       If  you want to allow all domains write to kmsg_device, while kernel is
124       executed with systemd.log_target=kmsg parameter, you must turn  on  the
125       domain_can_write_kmsg boolean. Disabled by default.
126
127       setsebool -P domain_can_write_kmsg 1
128
129
130
131       If you want to allow all domains to use other domains file descriptors,
132       you must turn on the domain_fd_use boolean. Enabled by default.
133
134       setsebool -P domain_fd_use 1
135
136
137
138       If you want to allow all domains to have the kernel load  modules,  you
139       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
140       default.
141
142       setsebool -P domain_kernel_load_modules 1
143
144
145
146       If you want to allow all domains to execute in fips_mode, you must turn
147       on the fips_mode boolean. Enabled by default.
148
149       setsebool -P fips_mode 1
150
151
152
153       If you want to enable reading of urandom for all domains, you must turn
154       on the global_ssp boolean. Disabled by default.
155
156       setsebool -P global_ssp 1
157
158
159
160       If you want to allow confined applications to run  with  kerberos,  you
161       must turn on the kerberos_enabled boolean. Enabled by default.
162
163       setsebool -P kerberos_enabled 1
164
165
166
167       If  you  want  to control the ability to mmap a low area of the address
168       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
169       the mmap_low_allowed boolean. Disabled by default.
170
171       setsebool -P mmap_low_allowed 1
172
173
174
175       If  you  want  to  allow  system  to run with NIS, you must turn on the
176       nis_enabled boolean. Disabled by default.
177
178       setsebool -P nis_enabled 1
179
180
181
182       If you want to allow confined applications to use nscd  shared  memory,
183       you must turn on the nscd_use_shm boolean. Disabled by default.
184
185       setsebool -P nscd_use_shm 1
186
187
188
189       If  you  want  to  disable  kernel module loading, you must turn on the
190       secure_mode_insmod boolean. Enabled by default.
191
192       setsebool -P secure_mode_insmod 1
193
194
195
196       If you want to boolean to determine whether the system permits  loading
197       policy,  setting enforcing mode, and changing boolean values.  Set this
198       to true and you have to reboot to set it back, you  must  turn  on  the
199       secure_mode_policyload boolean. Enabled by default.
200
201       setsebool -P secure_mode_policyload 1
202
203
204
205       If  you  want to allow unconfined executables to make their heap memory
206       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
207       badly  coded  executable, but could indicate an attack. This executable
208       should  be  reported  in  bugzilla,  you  must  turn  on   the   selin‐
209       uxuser_execheap boolean. Disabled by default.
210
211       setsebool -P selinuxuser_execheap 1
212
213
214
215       If  you  want  to  allow  all  unconfined  executables to use libraries
216       requiring text relocation that are  not  labeled  textrel_shlib_t,  you
217       must turn on the selinuxuser_execmod boolean. Enabled by default.
218
219       setsebool -P selinuxuser_execmod 1
220
221
222
223       If  you  want  to allow unconfined executables to make their stack exe‐
224       cutable.  This should never, ever be necessary.  Probably  indicates  a
225       badly  coded  executable, but could indicate an attack. This executable
226       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
227       stack boolean. Enabled by default.
228
229       setsebool -P selinuxuser_execstack 1
230
231
232
233       If  you want to support ecryptfs home directories, you must turn on the
234       use_ecryptfs_home_dirs boolean. Disabled by default.
235
236       setsebool -P use_ecryptfs_home_dirs 1
237
238
239
240       If you want to support fusefs home directories, you must  turn  on  the
241       use_fusefs_home_dirs boolean. Disabled by default.
242
243       setsebool -P use_fusefs_home_dirs 1
244
245
246
247       If  you  want  to  support  NFS  home directories, you must turn on the
248       use_nfs_home_dirs boolean. Disabled by default.
249
250       setsebool -P use_nfs_home_dirs 1
251
252
253
254       If you want to support SAMBA home directories, you  must  turn  on  the
255       use_samba_home_dirs boolean. Disabled by default.
256
257       setsebool -P use_samba_home_dirs 1
258
259
260
261       If you want to support X userspace object manager, you must turn on the
262       xserver_object_manager boolean. Enabled by default.
263
264       setsebool -P xserver_object_manager 1
265
266
267

MANAGED FILES

269       The SELinux process type semanage_t can manage files labeled  with  the
270       following file types.  The paths listed are the default paths for these
271       file types.  Note the processes UID still need to have DAC permissions.
272
273       file_type
274
275            all files on the system
276
277

FILE CONTEXTS

279       SELinux requires files to have an extended attribute to define the file
280       type.
281
282       You can see the context of a file using the -Z option to ls
283
284       Policy  governs  the  access  confined  processes  have to these files.
285       SELinux semanage policy is very flexible allowing users to setup  their
286       semanage processes in as secure a method as possible.
287
288       EQUIVALENCE DIRECTORIES
289
290
291       semanage  policy stores data with multiple different file context types
292       under the /var/lib/selinux directory.  If you would like to  store  the
293       data  in a different directory you can use the semanage command to cre‐
294       ate an equivalence mapping.  If you wanted to store this data under the
295       /srv dirctory you would execute the following command:
296
297       semanage fcontext -a -e /var/lib/selinux /srv/selinux
298       restorecon -R -v /srv/selinux
299
300       STANDARD FILE CONTEXT
301
302       SELinux  defines the file context types for the semanage, if you wanted
303       to store files with these types in a diffent paths, you need to execute
304       the  semanage  command  to  sepecify  alternate  labeling  and then use
305       restorecon to put the labels on disk.
306
307       semanage fcontext  -a  -t  semanage_trans_lock_t  '/srv/mysemanage_con‐
308       tent(/.*)?'
309       restorecon -R -v /srv/mysemanage_content
310
311       Note:  SELinux  often  uses  regular expressions to specify labels that
312       match multiple files.
313
314       The following file types are defined for semanage:
315
316
317
318       semanage_exec_t
319
320       - Set files with the semanage_exec_t type, if you want to transition an
321       executable to the semanage_t domain.
322
323
324       Paths:
325            /usr/sbin/semanage,  /usr/sbin/semodule, /usr/libexec/selinux/sem‐
326            anage_migrate_store,                     /usr/share/system-config-
327            selinux/selinux_server.py,   /usr/share/system-config-selinux/sys‐
328            tem-config-selinux-dbus.py
329
330
331       semanage_read_lock_t
332
333       - Set files with the semanage_read_lock_t type, if you  want  to  treat
334       the files as semanage read lock data, stored under the /var/lock direc‐
335       tory
336
337
338       Paths:
339            /etc/selinux/([^/]*/)?modules/semanage.read.LOCK,
340            /var/lib/selinux/[^/]+/semanage.read.LOCK
341
342
343       semanage_store_t
344
345       -  Set  files  with the semanage_store_t type, if you want to treat the
346       files as semanage store data.
347
348
349       Paths:
350            /etc/selinux/([^/]*/)?policy(/.*)?, /etc/selinux/(minimum|mls|tar‐
351            geted)/active(/.*)?,                    /etc/selinux/([^/]*/)?mod‐
352            ules/(active|tmp|previous)(/.*)?,          /var/lib/selinux(/.*)?,
353            /etc/share/selinux/mls(/.*)?, /etc/share/selinux/targeted(/.*)?
354
355
356       semanage_tmp_t
357
358       - Set files with the semanage_tmp_t type, if you want to store semanage
359       temporary files in the /tmp directories.
360
361
362
363       semanage_trans_lock_t
364
365       - Set files with the semanage_trans_lock_t type, if you want  to  treat
366       the  files  as  semanage  trans  lock  data, stored under the /var/lock
367       directory
368
369
370       Paths:
371            /etc/selinux/([^/]*/)?modules/semanage.trans.LOCK,
372            /var/lib/selinux/[^/]+/semanage.trans.LOCK
373
374
375       Note:  File context can be temporarily modified with the chcon command.
376       If you want to permanently change the file context you need to use  the
377       semanage fcontext command.  This will modify the SELinux labeling data‐
378       base.  You will need to use restorecon to apply the labels.
379
380

COMMANDS

382       semanage fcontext can also be used to manipulate default  file  context
383       mappings.
384
385       semanage  permissive  can  also  be used to manipulate whether or not a
386       process type is permissive.
387
388       semanage module can also be used to enable/disable/install/remove  pol‐
389       icy modules.
390
391       semanage boolean can also be used to manipulate the booleans
392
393
394       system-config-selinux is a GUI tool available to customize SELinux pol‐
395       icy settings.
396
397

AUTHOR

399       This manual page was auto-generated using sepolicy manpage .
400
401