sge_job_selinux(8)          SELinux Policy sge_job          sge_job_selinux(8)

NAME

       sge_job_selinux - Security Enhanced Linux Policy for the sge_job processes


DESCRIPTION

       Security-Enhanced Linux secures the sge_job processes via flexible
       mandatory access control.

       The sge_job processes execute with the sge_job_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep sge_job_t



ENTRYPOINTS

       The sge_job_t SELinux type can be entered via the shell_exec_t,
       sge_job_exec_t file types.

       The default entrypoint paths for the sge_job_t domain are the
       following:

       /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*,
       /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
       /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/sash,
       /usr/bin/tcsh, /usr/bin/yash, /usr/bin/mksh, /usr/bin/fish,
       /usr/bin/bash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2,
       /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin,
       /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell,
       /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
       /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       sge_job policy is very flexible, allowing users to set up their sge_job
       processes in as secure a manner as possible.

       The following process types are defined for sge_job:

       sge_job_t, sge_job_ssh_t

       Note: semanage permissive -a sge_job_t can be used to make the process
       type sge_job_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


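       The note above describes the usual tuning workflow: make sge_job_t
       permissive, let the jobs run, then review the AVC messages before
       switching back to enforcing. The following POSIX shell script is an
       added example, not part of the sepolicy-generated page, that summarizes
       such messages per object class and permission for the sge_job_t source
       domain. The audit.log excerpt in sample_audit_log is constructed sample
       data (pids, comm values and target types are made up) so the script
       runs offline; the function names are the example's own. On a live host
       you would feed `ausearch -m avc` output or /var/log/audit/audit.log
       into summarize_sge_job_denials instead.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Summarize AVC messages for the sge_job_t domain, e.g. after running
# `semanage permissive -a sge_job_t` to see what the policy would deny.

# Constructed audit.log excerpt: pids, comm values and target types are
# made-up sample data, not records from a real system.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000001.000:101): avc:  denied  { name_connect } for  pid=4242 comm="job_script" dest=5432 scontext=system_u:system_r:sge_job_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000002.000:102): avc:  denied  { name_connect } for  pid=4243 comm="job_script" dest=5432 scontext=system_u:system_r:sge_job_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000003.000:103): avc:  denied  { read } for  pid=4244 comm="job_script" name="data.bin" dev="0:45" ino=12 scontext=system_u:system_r:sge_job_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000004.000:104): avc:  denied  { write } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
EOF
}

# Read AVC lines on stdin and print "tclass permission count", one line per
# distinct (class, permission) pair, for records whose source type is
# sge_job_t. Records from other domains (httpd_t above) are ignored.
summarize_sge_job_denials() {
    awk '
    /avc:  denied/ {
        # The permission set sits between "{ " and " }" (e.g. "{ read write }").
        s = index($0, "{ "); e = index($0, " }")
        if (s == 0 || e <= s) next
        perm = substr($0, s + 2, e - s - 2)
        src = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> the type is the third field
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "sge_job_t") count[cls " " perm]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Count sge_job_t AVCs logged with permissive=1: access that was let through
# only because the domain was permissive and would be denied in enforcing mode.
count_permissive_sge_job_avcs() {
    awk '/avc:  denied/ && /scontext=[^ ]*:sge_job_t:/ && /permissive=1/ { n++ }
         END { print n + 0 }'
}

# Usage: summarize the sample, then show how many hits were only let through
# by permissive mode. On a live host replace sample_audit_log with
# `ausearch -m avc` or `cat /var/log/audit/audit.log`.
sample_audit_log | summarize_sge_job_denials
sample_audit_log | count_permissive_sge_job_avcs
```

       On the constructed input the summary shows two name_connect attempts on
       a TCP socket and one read of an nfs_t file, which map directly onto the
       sge_domain_can_network_connect and sge_use_nfs booleans documented
       below; the permissive count of three is the number of accesses that
       enforcing mode would have blocked.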

BOOLEANS

       SELinux policy is customizable based on least access required. sge_job
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sge_job with the tightest access possible.



       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1



       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1



       If you want to allow any process to mmap any file on the system with
       the attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1



       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1



       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the domain_fd_use boolean. Enabled by default.

       setsebool -P domain_fd_use 1



       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1



       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1



       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1



       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1



       If you want to determine whether the system permits loading policy,
       setting enforcing mode, and changing boolean values (set this to true
       and you have to reboot to set it back), you must turn on the
       secure_mode_policyload boolean. Enabled by default.

       setsebool -P secure_mode_policyload 1



       If you want to allow unconfined executables to make their heap memory
       executable (doing this is a really bad idea; it probably indicates a
       badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       selinuxuser_execheap boolean. Disabled by default.

       setsebool -P selinuxuser_execheap 1



       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Enabled by default.

       setsebool -P selinuxuser_execmod 1



       If you want to allow unconfined executables to make their stack
       executable (this should never, ever be necessary; it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       selinuxuser_execstack boolean. Enabled by default.

       setsebool -P selinuxuser_execstack 1



       If you want to allow sge to connect to the network using any TCP port,
       you must turn on the sge_domain_can_network_connect boolean. Disabled
       by default.

       setsebool -P sge_domain_can_network_connect 1



       If you want to allow sge to access nfs file systems, you must turn on
       the sge_use_nfs boolean. Disabled by default.

       setsebool -P sge_use_nfs 1



       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1


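       Each boolean above has a documented default, and several of them
       (deny_ptrace, deny_execmem, selinuxuser_execheap, selinuxuser_execstack)
       are the ones an operator most wants to know have not been silently
       flipped. The following POSIX shell script is an added example, not part
       of the sepolicy-generated page, that compares getsebool-style output
       against the defaults listed in this section and reports every boolean
       that differs. The output embedded in sample_getsebool is constructed
       sample data so the script runs offline, and the function and variable
       names are the example's own; on a live host, pipe `getsebool -a` into
       report_boolean_drift instead.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Report sge_job-related SELinux booleans whose live value differs from the
# default documented in the BOOLEANS section of sge_job_selinux(8).

# Documented defaults (name:value), transcribed from the man page text.
SGE_JOB_BOOLEAN_DEFAULTS="deny_execmem:on
deny_ptrace:on
domain_can_mmap_files:on
domain_can_write_kmsg:off
domain_fd_use:on
domain_kernel_load_modules:off
fips_mode:on
global_ssp:off
mmap_low_allowed:off
nscd_use_shm:off
secure_mode_insmod:on
secure_mode_policyload:on
selinuxuser_execheap:off
selinuxuser_execmod:on
selinuxuser_execstack:on
sge_domain_can_network_connect:off
sge_use_nfs:off
xserver_object_manager:on"

# Constructed stand-in for `getsebool -a` output ("name --> value" per line).
# Three values are deliberately off their documented defaults.
sample_getsebool() {
    cat <<'EOF'
deny_execmem --> on
deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> off
fips_mode --> on
global_ssp --> off
mmap_low_allowed --> off
nscd_use_shm --> off
secure_mode_insmod --> on
secure_mode_policyload --> on
selinuxuser_execheap --> on
selinuxuser_execmod --> on
selinuxuser_execstack --> on
sge_domain_can_network_connect --> on
sge_use_nfs --> off
xserver_object_manager --> on
EOF
}

# Read getsebool-style lines on stdin; print "name current default" for each
# documented boolean whose current value differs from the default. Booleans
# not in the documented list are ignored.
report_boolean_drift() {
    awk -v defaults="$SGE_JOB_BOOLEAN_DEFAULTS" '
    BEGIN {
        n = split(defaults, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, ":")
            def[kv[1]] = kv[2]
        }
    }
    $2 == "-->" && ($1 in def) && $3 != def[$1] {
        printf "%s %s %s\n", $1, $3, def[$1]
    }'
}

# Number of drifted booleans in the sample (handy for a monitoring check).
count_boolean_drift() {
    sample_getsebool | report_boolean_drift | awk 'END { print NR }'
}

# Usage: list every boolean whose value differs from the documented default.
# On a live host: getsebool -a | report_boolean_drift
sample_getsebool | report_boolean_drift
```

       The report lists the boolean, its current value and the documented
       default, so a line such as "deny_ptrace off on" tells you that process
       debugging has been re-enabled relative to the default described above.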

MANAGED FILES

       The SELinux process type sge_job_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       file_type

            all files on the system



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove policy
       modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), sge_job(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), sge_job_ssh_selinux(8)



sge_job                            19-04-25                 sge_job_selinux(8)