staff_wine_selinux(8)      SELinux Policy staff_wine     staff_wine_selinux(8)



NAME

       staff_wine_selinux - Security Enhanced Linux Policy for the staff_wine
       processes


DESCRIPTION

       Security-Enhanced Linux confines the staff_wine processes via flexible
       mandatory access control.

       The staff_wine processes execute with the staff_wine_t SELinux type.
       You can check whether any such processes are running by executing the
       ps command with the -Z option, which adds each process's security
       context to the listing.

       For example:

       ps -eZ | grep staff_wine_t



ENTRYPOINTS

       The staff_wine_t SELinux type can be entered via the user_home_t,
       mount_exec_t, mount_ecryptfs_exec_t and wine_exec_t file types.

       The default entrypoint paths for the staff_wine_t domain are the
       following:

            /home/[^/]+/.+
            /bin/mount.*
            /bin/umount.*
            /sbin/mount.*
            /sbin/umount.*
            /usr/bin/mount.*
            /usr/bin/umount.*
            /usr/sbin/mount.*
            /usr/sbin/umount.*
            /usr/sbin/mount.ecryptfs
            /usr/sbin/umount.ecryptfs
            /usr/sbin/mount.ecryptfs_private
            /usr/sbin/umount.ecryptfs_private
            /usr/bin/wine.*
            /opt/teamviewer(/.*)?/bin/wine.*
            /opt/google/picasa(/.*)?/bin/wdi
            /opt/google/picasa(/.*)?/bin/wine.*
            /opt/google/picasa(/.*)?/bin/msiexec
            /opt/google/picasa(/.*)?/bin/notepad
            /opt/google/picasa(/.*)?/bin/progman
            /opt/google/picasa(/.*)?/bin/regedit
            /opt/google/picasa(/.*)?/bin/regsvr32
            /opt/google/picasa(/.*)?/Picasa3/.*exe
            /opt/google/picasa(/.*)?/bin/uninstaller
            /opt/cxoffice/bin/wine.*
            /opt/picasa/wine/bin/wine.*
            /usr/bin/msiexec
            /usr/bin/notepad
            /usr/bin/regedit
            /usr/bin/regsvr32
            /usr/bin/uninstaller
            /home/[^/]+/cxoffice/bin/wine.+

       These are the default file-context patterns.  What actually decides
       the transition is the label stored on the executable, which ls -Z
       shows (matchpathcon prints only what the default for that path would
       be).  Note that user_home_t is itself an entrypoint type, so any
       executable placed under a user's home directory can enter the domain
       with no administrator involvement; the protection staff_wine_t offers
       therefore rests on the access rules of the domain, not on where the
       binary lives.

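       As an added illustration (not part of the generated page or of the
       policy sources), the following Python matches candidate paths against
       the entrypoint patterns listed above and flags those that qualify
       only because they live under a home directory.  Which pattern carries
       which file type is an assumption made in the code from the policy's
       usual naming; on a real system `semanage fcontext -l` and `ls -Z` are
       authoritative.

```python
import re

# Entrypoint patterns copied from the ENTRYPOINTS list above, ordered most
# specific first so that e.g. /usr/sbin/mount.ecryptfs is reported as
# mount_ecryptfs_exec_t rather than as the broader mount_exec_t. Which
# pattern carries which file type is this example's assumption from the
# policy's conventional naming; `semanage fcontext -l` shows the real
# mapping on a live system.
ENTRYPOINTS = [
    ("mount_ecryptfs_exec_t", r"/usr/sbin/mount.ecryptfs"),
    ("mount_ecryptfs_exec_t", r"/usr/sbin/umount.ecryptfs"),
    ("mount_ecryptfs_exec_t", r"/usr/sbin/mount.ecryptfs_private"),
    ("mount_ecryptfs_exec_t", r"/usr/sbin/umount.ecryptfs_private"),
    ("mount_exec_t", r"/bin/mount.*"),
    ("mount_exec_t", r"/bin/umount.*"),
    ("mount_exec_t", r"/sbin/mount.*"),
    ("mount_exec_t", r"/sbin/umount.*"),
    ("mount_exec_t", r"/usr/bin/mount.*"),
    ("mount_exec_t", r"/usr/bin/umount.*"),
    ("mount_exec_t", r"/usr/sbin/mount.*"),
    ("mount_exec_t", r"/usr/sbin/umount.*"),
    ("wine_exec_t", r"/usr/bin/wine.*"),
    ("wine_exec_t", r"/usr/bin/msiexec"),
    ("wine_exec_t", r"/usr/bin/notepad"),
    ("wine_exec_t", r"/usr/bin/regedit"),
    ("wine_exec_t", r"/usr/bin/regsvr32"),
    ("wine_exec_t", r"/usr/bin/uninstaller"),
    ("wine_exec_t", r"/opt/teamviewer(/.*)?/bin/wine.*"),
    ("wine_exec_t", r"/opt/cxoffice/bin/wine.*"),
    ("wine_exec_t", r"/opt/picasa/wine/bin/wine.*"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/bin/wdi"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/bin/wine.*"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/bin/msiexec"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/bin/notepad"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/bin/progman"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/bin/regedit"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/bin/regsvr32"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/bin/uninstaller"),
    ("wine_exec_t", r"/opt/google/picasa(/.*)?/Picasa3/.*exe"),
    ("wine_exec_t", r"/home/[^/]+/cxoffice/bin/wine.+"),
    # The catch-all: anything at all under a home directory.
    ("user_home_t", r"/home/[^/]+/.+"),
]

# file_contexts patterns are anchored, hence fullmatch() below.
_COMPILED = [(ftype, re.compile(pat)) for ftype, pat in ENTRYPOINTS]


def matching_entrypoints(path):
    """Every (file_type, pattern) whose anchored regex matches the path."""
    return [(ftype, rx.pattern) for ftype, rx in _COMPILED if rx.fullmatch(path)]


def entrypoint_type(path):
    """Most specific entrypoint file type for a path, or None.

    This reasons about the default patterns only. The kernel uses the label
    actually stored on the file, so confirm with `ls -Z` before drawing
    conclusions about a real system.
    """
    matches = matching_entrypoints(path)
    return matches[0][0] if matches else None


def only_via_home(path):
    """True when a path enters staff_wine_t solely because it lives in $HOME.

    Such entrypoints are user-writable by construction, so they give a user
    (or malware running as that user) a way into the domain that no
    administrator ever approved.
    """
    types = {ftype for ftype, _ in matching_entrypoints(path)}
    return types == {"user_home_t"}
```

       Note the difference between /home/[^/]+/cxoffice/bin/wine.+ and
       /usr/bin/wine.*: the former requires at least one character after
       "wine", so a bare /home/alice/cxoffice/bin/wine falls through to the
       user_home_t catch-all.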

PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files.  The
       SELinux staff_wine policy is flexible, allowing users to set up their
       staff_wine processes in as secure a manner as possible.

       The following process types are defined for staff_wine:

       staff_wine_t

       Note: semanage permissive -a staff_wine_t can be used to make the
       process type staff_wine_t permissive.  SELinux does not deny access
       to permissive process types, but AVC (SELinux denial) messages are
       still generated, which makes this a convenient way to collect the
       denials a new Wine application triggers.  Revert with semanage
       permissive -d staff_wine_t once you have what you need; a permissive
       domain is unconfined in everything except logging.


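       The usual workflow after making the domain permissive is to read the
       AVC records out of the audit log and turn them into candidate policy.
       The Python below is an added example, not code from the page or from
       the sepolicy tooling: it parses AVC records, keeps only denials whose
       source type is staff_wine_t, aggregates them per target type, and
       renders them in the allow-rule form that audit2allow would print.
       The audit lines are constructed for the example, not captured from a
       real host.

```python
import re

# Constructed sample in the shape of /var/log/audit/audit.log records (not
# from a real system). permissive=1 marks records produced while the
# domain was permissive, i.e. the access went ahead despite the denial.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1714040000.101:401): avc:  denied  { write } for  pid=2210 '
    'comm="wine64" name="notepad.exe" dev="dm-0" ino=1234 '
    'scontext=staff_u:staff_r:staff_wine_t:s0 tcontext=system_u:object_r:bin_t:s0 '
    'tclass=file permissive=1',
    'type=SYSCALL msg=audit(1714040000.101:401): arch=c000003e syscall=257 success=yes '
    'exit=3 comm="wine64" exe="/usr/bin/wine64" subj=staff_u:staff_r:staff_wine_t:s0',
    'type=AVC msg=audit(1714040000.102:402): avc:  denied  { getattr } for  pid=2210 '
    'comm="wine64" path="/usr/bin/notepad.exe" dev="dm-0" ino=1234 '
    'scontext=staff_u:staff_r:staff_wine_t:s0 tcontext=system_u:object_r:bin_t:s0 '
    'tclass=file permissive=1',
    'type=AVC msg=audit(1714040000.103:403): avc:  denied  { read open } for  pid=2211 '
    'comm="wine64" path="/etc/shadow" dev="dm-0" ino=99 '
    'scontext=staff_u:staff_r:staff_wine_t:s0 tcontext=system_u:object_r:shadow_t:s0 '
    'tclass=file permissive=1',
    'type=AVC msg=audit(1714040000.104:404): avc:  denied  { write } for  pid=1900 '
    'comm="bash" name="passwd" dev="dm-0" ino=77 '
    'scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file permissive=0',
]

_AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for other record types."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    # Everything after the permission set is key=value pairs; values may be quoted.
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line[m.end():])}
    rec = {
        "denied": m.group("verdict") == "denied",
        "perms": set(m.group("perms").split()),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        "permissive": fields.get("permissive") == "1",
    }
    # A context is user:role:type[:range]; policy rules name the type.
    for ctx in ("scontext", "tcontext"):
        parts = fields.get(ctx, "").split(":")
        rec[ctx[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec


def summarize_denials(lines, domain):
    """Denied permissions for one source domain, keyed by (tclass, target type)."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["denied"] and rec["stype"] == domain:
            summary.setdefault((rec["tclass"], rec["ttype"]), set()).update(rec["perms"])
    return summary


def to_te_rules(summary, domain):
    """Render the summary as allow rules in the form audit2allow would emit.

    Review every line before building a module from it: allowing
    staff_wine_t to read shadow_t, as the sample would, is almost certainly
    the wrong response to that denial.
    """
    return sorted(
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (tclass, ttype), perms in summary.items()
    )
```

       The point of aggregating before generating rules is to see the
       denials as a set: a Wine application that wants getattr and write on
       bin_t is a packaging problem, while one that wants to open shadow_t
       is a finding, and neither should be pasted straight into audit2allow.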

BOOLEANS

       SELinux policy is customizable based on the least access required.
       The staff_wine policy has several booleans that let you adjust the
       policy and run staff_wine with the tightest access possible.  Each
       setsebool -P command below makes the change persistent across
       reboots; omit -P to change only the running policy.


       If you want to allow users to resolve passwd entries directly from
       LDAP rather than through an sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1


       If you want to deny every process the ability to ptrace or debug any
       other process, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1


       If you want to allow any process to mmap any file on the system with
       the attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1


       If you want to allow all domains to write to kmsg_device while the
       kernel is booted with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to enable reading of urandom for all domains (needed when
       programs are built with SSP stack-smashing protection), you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to allow confined applications to run with Kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow logging in and using the system from
       /dev/console, you must turn on the login_console_enabled boolean.
       Enabled by default.

       setsebool -P login_console_enabled 1


       If you want to allow processes to mmap the low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1


       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1


       If you want to disallow programs, such as newrole, from transitioning
       to administrative user domains, you must turn on the secure_mode
       boolean. Enabled by default.

       setsebool -P secure_mode 1


       If you want to allow regular users direct DRI device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by
       default.

       setsebool -P selinuxuser_direct_dri_enabled 1


       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_postgresql_connect_enabled 1


       If you want to allow users to read and write files on filesystems
       that do not have extended attributes (FAT, CD-ROM, floppy), you must
       turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1


       If you want to allow user music sharing, you must turn on the
       selinuxuser_share_music boolean. Disabled by default.

       setsebool -P selinuxuser_share_music 1


       If you want to allow users to run TCP servers (bind to ports and
       accept connections from the same domain and from outside users), you
       must turn on the selinuxuser_tcp_server boolean.  Leaving it disabled
       forces FTP into passive mode and may affect other protocols.
       Disabled by default.

       setsebool -P selinuxuser_tcp_server 1


       If you want to allow users to run UDP servers (bind to ports and
       accept connections from the same domain and from outside users), you
       must turn on the selinuxuser_udp_server boolean.  Leaving it disabled
       may break Avahi service discovery on the network and other UDP based
       services. Disabled by default.

       setsebool -P selinuxuser_udp_server 1


       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn
       on the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support Samba home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


       If you want to allow the graphical login program to log in directly
       as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
       Enabled by default.

       setsebool -P xdm_sysadm_login 1


       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1


       If you want to support the X userspace object manager, you must turn
       on the xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1


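       Booleans drift: a setsebool typed during troubleshooting and never
       reverted silently widens the policy for every domain it touches.  The
       Python below is an added example, not part of the generated page or
       of the SELinux tooling.  It compares getsebool -a output against the
       defaults documented above, reports which deviations loosen the policy,
       and prints the setsebool -P commands that would restore the documented
       values.  The classification of which booleans restrict access when on
       is the editor's reading of the descriptions, not something the policy
       exports, and the getsebool output is constructed for the example.

```python
import re

# Defaults exactly as documented in the BOOLEANS section above.
DOCUMENTED_DEFAULTS = {
    "authlogin_nsswitch_use_ldap": False,
    "deny_ptrace": True,
    "domain_can_mmap_files": True,
    "domain_can_write_kmsg": False,
    "domain_fd_use": True,
    "domain_kernel_load_modules": False,
    "fips_mode": True,
    "global_ssp": False,
    "kerberos_enabled": True,
    "login_console_enabled": True,
    "mmap_low_allowed": False,
    "nis_enabled": False,
    "nscd_use_shm": False,
    "secure_mode": True,
    "selinuxuser_direct_dri_enabled": True,
    "selinuxuser_postgresql_connect_enabled": False,
    "selinuxuser_rw_noexattrfile": True,
    "selinuxuser_share_music": False,
    "selinuxuser_tcp_server": False,
    "selinuxuser_udp_server": False,
    "ssh_sysadm_login": False,
    "use_nfs_home_dirs": False,
    "use_samba_home_dirs": False,
    "xdm_sysadm_login": True,
    "xserver_clients_write_xshm": False,
    "xserver_object_manager": True,
}

# Direction heuristic (editor's reading of the descriptions above, not
# exported by the policy): these two restrict access when on; the feature
# toggles have no meaningful "looser" side; every other boolean in the
# table widens access when turned on.
RESTRICTIVE_WHEN_ON = {"deny_ptrace", "secure_mode"}
FEATURE_TOGGLES = {"fips_mode", "xserver_object_manager"}

# Constructed sample in the format of `getsebool -a`; not from a real host.
SAMPLE_GETSEBOOL = """\
authlogin_nsswitch_use_ldap --> off
deny_ptrace --> off
domain_kernel_load_modules --> on
fips_mode --> on
secure_mode --> on
selinuxuser_tcp_server --> on
unrelated_boolean --> on
xserver_object_manager --> off
"""

_LINE_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(text):
    """Map boolean name -> bool from `getsebool -a` output; other lines are ignored."""
    state = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            state[m.group(1)] = m.group(2) == "on"
    return state


def deviations(state):
    """Booleans whose live value differs from the documented default: name -> (documented, actual)."""
    return {
        name: (default, state[name])
        for name, default in DOCUMENTED_DEFAULTS.items()
        if name in state and state[name] != default
    }


def widened_access(state):
    """Names of deviating booleans whose current value loosens the policy."""
    loosened = set()
    for name, (_, actual) in deviations(state).items():
        if name in FEATURE_TOGGLES:
            continue
        restrictive = name in RESTRICTIVE_WHEN_ON
        if (restrictive and not actual) or (not restrictive and actual):
            loosened.add(name)
    return loosened


def restore_commands(state):
    """setsebool -P commands returning each deviating boolean to its documented default."""
    return [
        f"setsebool -P {name} {1 if default else 0}"
        for name, (default, _) in sorted(deviations(state).items())
    ]
```

       Run it against real output with parse_getsebool(open(path).read())
       after saving getsebool -a to a file; booleans absent from the table
       above are ignored rather than guessed at.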

MANAGED FILES

       The SELinux process type staff_wine_t can manage files labeled with
       the following file types.  The paths listed are the default paths for
       these file types.  Note that the process's UID still needs DAC
       permission as well: SELinux only ever removes access that DAC would
       grant.  Because the list includes user_home_type, a compromised
       staff_wine_t process can modify anything in the user's home
       directory, including files that serve as entrypoints to the domain.

       anon_inodefs_t


       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t


       cifs_t


       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       iceauth_home_t

            /root/.DCOP.*
            /root/.ICEauthority.*
            /home/[^/]+/.DCOP.*
            /home/[^/]+/.ICEauthority.*

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t


       pulseaudio_tmpfsfile


       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*

       user_fonts_t

            /root/.fonts(/.*)?
            /tmp/.font-unix(/.*)?
            /home/[^/]+/.fonts(/.*)?
            /home/[^/]+/.local/share/fonts(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       xauth_home_t

            /root/.xauth.*
            /root/.Xauth.*
            /root/.serverauth.*
            /root/.Xauthority.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]+/.xauth.*
            /home/[^/]+/.Xauth.*
            /home/[^/]+/.serverauth.*
            /home/[^/]+/.Xauthority.*

       xserver_tmpfs_t


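       When assessing what a compromised Wine process could alter, the
       practical question is which of the files actually on the box carry
       one of the types above.  The Python below is an added example, not
       from the page or from the SELinux tools: it reads ls -Z or ls -lZ
       output, extracts the type from each security context, and sorts paths
       into those directly managed, those managed through one of the
       attributes in the list, and those not listed at all.  The attribute
       membership table is a partial assumption for the sample; on a live
       system expand each attribute with seinfo -a<attribute> -x from
       setools.  The ls output is constructed, not captured.

```python
import re

# Concrete file types listed under MANAGED FILES above.
MANAGED_TYPES = {
    "anon_inodefs_t", "cgroup_t", "chrome_sandbox_tmpfs_t", "cifs_t",
    "games_data_t", "gpg_agent_tmp_t", "iceauth_home_t", "mail_spool_t",
    "mqueue_spool_t", "pulseaudio_tmpfs_t", "usbfs_t", "user_fonts_cache_t",
    "user_fonts_t", "user_tmp_t", "xauth_home_t", "xserver_tmpfs_t",
}

# The list also names attributes, which stand for whole groups of types.
# The members below are this example's assumption for the sample, not a
# full expansion; `seinfo -a<attribute> -x` gives the real one.
ATTRIBUTE_MEMBERS = {
    "user_home_type": {"user_home_t"},
    "user_tmp_type": {"user_tmp_t"},
    "pulseaudio_tmpfsfile": {"pulseaudio_tmpfs_t"},
    "noxattrfs": set(),  # depends on what is mounted; not derivable from policy alone
}

# Constructed sample in the shape of `ls -lZ` output; not from a real host.
SAMPLE_LS_Z = """\
-rw-r--r--. 1 alice alice staff_u:object_r:user_home_t:s0 /home/alice/notes.txt
-rw-------. 1 root  root  system_u:object_r:shadow_t:s0 /etc/shadow
-rw-rw-rw-. 1 alice alice staff_u:object_r:user_tmp_t:s0 /tmp/.X0-lock
drwxr-xr-x. 2 root  root  system_u:object_r:cgroup_t:s0 /sys/fs/cgroup
-rwxr-xr-x. 1 root  root  system_u:object_r:bin_t:s0 /usr/bin/wine64
"""

# A security context is user:role:type[:range]. Matching on the token's
# shape rather than on a column number handles both `ls -Z` (context and
# name only) and `ls -lZ` (full long listing).
_CTX_RE = re.compile(r"(\S+:\S+:\S+_t(?::\S+)?)\s+(.+)$")


def parse_ls_z(text):
    """Return [(type, path), ...] from ls -Z / ls -lZ output."""
    out = []
    for line in text.splitlines():
        m = _CTX_RE.search(line)
        if m:
            ftype = m.group(1).split(":")[2]
            out.append((ftype, m.group(2).strip()))
    return out


def managed_by(domain_types, attribute_members, listing):
    """Classify each listed path: directly managed, managed via an attribute, or not listed."""
    result = {"direct": [], "via_attribute": {}, "not_listed": []}
    for ftype, path in parse_ls_z(listing):
        if ftype in domain_types:
            result["direct"].append(path)
            continue
        attrs = [a for a, members in attribute_members.items() if ftype in members]
        if attrs:
            result["via_attribute"][path] = attrs[0]
        else:
            result["not_listed"].append(path)
    return result
```

       "Not listed" means the type does not appear in the table above; it
       does not prove the domain lacks access, since the table covers file
       management, not every read or execute permission.  Check a specific
       access with sesearch from setools when it matters.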

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



staff_wine                         19-04-25              staff_wine_selinux(8)