1unconfined_cronjob_selinSuExL(i8n)ux Policy unconfined_curnocnojnofbined_cronjob_selinux(8)
2
3
4
6 unconfined_cronjob_selinux - Security Enhanced Linux Policy for the
7 unconfined_cronjob processes
8
10 Security-Enhanced Linux secures the unconfined_cronjob processes via
11 flexible mandatory access control.
12
13 The unconfined_cronjob processes execute with the unconfined_cronjob_t
14 SELinux type. You can check if you have these processes running by exe‐
15 cuting the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep unconfined_cronjob_t
20
21
22
24 SELinux defines process types (domains) for each process running on the
25 system
26
27 You can see the context of a process using the -Z option to ps
28
29 Policy governs the access confined processes have to files. SELinux
30 unconfined_cronjob policy is very flexible allowing users to setup
31 their unconfined_cronjob processes in as secure a method as possible.
32
33 The following process types are defined for unconfined_cronjob:
34
35 unconfined_cronjob_t
36
37 Note: semanage permissive -a unconfined_cronjob_t can be used to make
38 the process type unconfined_cronjob_t permissive. SELinux does not deny
39 access to permissive process types, but the AVC (SELinux denials) mes‐
40 sages are still generated.
41
42
44 SELinux policy is customizable based on least access required. uncon‐
45 fined_cronjob policy is extremely flexible and has several booleans
46 that allow you to manipulate the policy and run unconfined_cronjob with
47 the tightest access possible.
48
49
50
51 If you want to deny user domains applications to map a memory region as
52 both executable and writable, this is dangerous and the executable
53 should be reported in bugzilla, you must turn on the deny_execmem bool‐
54 ean. Enabled by default.
55
56 setsebool -P deny_execmem 1
57
58
59
60 If you want to deny any process from ptracing or debugging any other
61 processes, you must turn on the deny_ptrace boolean. Enabled by
62 default.
63
64 setsebool -P deny_ptrace 1
65
66
67
68 If you want to allow any process to mmap any file on system with
69 attribute file_type, you must turn on the domain_can_mmap_files bool‐
70 ean. Enabled by default.
71
72 setsebool -P domain_can_mmap_files 1
73
74
75
76 If you want to allow all domains write to kmsg_device, while kernel is
77 executed with systemd.log_target=kmsg parameter, you must turn on the
78 domain_can_write_kmsg boolean. Disabled by default.
79
80 setsebool -P domain_can_write_kmsg 1
81
82
83
84 If you want to allow all domains to use other domains file descriptors,
85 you must turn on the domain_fd_use boolean. Enabled by default.
86
87 setsebool -P domain_fd_use 1
88
89
90
91 If you want to allow all domains to have the kernel load modules, you
92 must turn on the domain_kernel_load_modules boolean. Disabled by
93 default.
94
95 setsebool -P domain_kernel_load_modules 1
96
97
98
99 If you want to allow all domains to execute in fips_mode, you must turn
100 on the fips_mode boolean. Enabled by default.
101
102 setsebool -P fips_mode 1
103
104
105
106 If you want to enable reading of urandom for all domains, you must turn
107 on the global_ssp boolean. Disabled by default.
108
109 setsebool -P global_ssp 1
110
111
112
113 If you want to control the ability to mmap a low area of the address
114 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
115 the mmap_low_allowed boolean. Disabled by default.
116
117 setsebool -P mmap_low_allowed 1
118
119
120
121 If you want to disable kernel module loading, you must turn on the
122 secure_mode_insmod boolean. Enabled by default.
123
124 setsebool -P secure_mode_insmod 1
125
126
127
128 If you want to boolean to determine whether the system permits loading
129 policy, setting enforcing mode, and changing boolean values. Set this
130 to true and you have to reboot to set it back, you must turn on the
131 secure_mode_policyload boolean. Enabled by default.
132
133 setsebool -P secure_mode_policyload 1
134
135
136
137 If you want to allow unconfined executables to make their heap memory
138 executable. Doing this is a really bad idea. Probably indicates a
139 badly coded executable, but could indicate an attack. This executable
140 should be reported in bugzilla, you must turn on the selin‐
141 uxuser_execheap boolean. Disabled by default.
142
143 setsebool -P selinuxuser_execheap 1
144
145
146
147 If you want to allow all unconfined executables to use libraries
148 requiring text relocation that are not labeled textrel_shlib_t, you
149 must turn on the selinuxuser_execmod boolean. Enabled by default.
150
151 setsebool -P selinuxuser_execmod 1
152
153
154
155 If you want to allow unconfined executables to make their stack exe‐
156 cutable. This should never, ever be necessary. Probably indicates a
157 badly coded executable, but could indicate an attack. This executable
158 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
159 stack boolean. Enabled by default.
160
161 setsebool -P selinuxuser_execstack 1
162
163
164
165 If you want to support X userspace object manager, you must turn on the
166 xserver_object_manager boolean. Enabled by default.
167
168 setsebool -P xserver_object_manager 1
169
170
171
173 The SELinux process type unconfined_cronjob_t can manage files labeled
174 with the following file types. The paths listed are the default paths
175 for these file types. Note the processes UID still need to have DAC
176 permissions.
177
178 file_type
179
180 all files on the system
181
182
184 semanage fcontext can also be used to manipulate default file context
185 mappings.
186
187 semanage permissive can also be used to manipulate whether or not a
188 process type is permissive.
189
190 semanage module can also be used to enable/disable/install/remove pol‐
191 icy modules.
192
193 semanage boolean can also be used to manipulate the booleans
194
195
196 system-config-selinux is a GUI tool available to customize SELinux pol‐
197 icy settings.
198
199
201 This manual page was auto-generated using sepolicy manpage .
202
203
205 selinux(8), unconfined_cronjob(8), semanage(8), restorecon(8),
206 chcon(1), sepolicy(8) , setsebool(8)
207
208
209
210unconfined_cronjob 19-04-25 unconfined_cronjob_selinux(8)