1unconfined_dbusd_selinux(S8E)Linux Policy unconfined_dbuunscdonfined_dbusd_selinux(8)
2
3
4

NAME

6       unconfined_dbusd_selinux  -  Security  Enhanced  Linux  Policy  for the
7       unconfined_dbusd processes
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  unconfined_dbusd  processes  via
11       flexible mandatory access control.
12
13       The  unconfined_dbusd  processes  execute  with  the unconfined_dbusd_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep unconfined_dbusd_t
20
21
22

ENTRYPOINTS

24       The unconfined_dbusd_t SELinux type can be entered via the dbusd_exec_t
25       file type.
26
27       The default entrypoint paths for the unconfined_dbusd_t domain are  the
28       following:
29
30       /usr/bin/dbus-daemon(-1)?,  /bin/dbus-daemon,  /lib/dbus-1/dbus-daemon-
31       launch-helper,               /usr/lib/dbus-1/dbus-daemon-launch-helper,
32       /usr/libexec/dbus-1/dbus-daemon-launch-helper
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       unconfined_dbusd  policy is very flexible allowing users to setup their
42       unconfined_dbusd processes in as secure a method as possible.
43
44       The following process types are defined for unconfined_dbusd:
45
46       unconfined_dbusd_t
47
48       Note: semanage permissive -a unconfined_dbusd_t can be used to make the
49       process  type  unconfined_dbusd_t  permissive.  SELinux  does  not deny
50       access to permissive process types, but the AVC (SELinux denials)  mes‐
51       sages are still generated.
52
53

BOOLEANS

55       SELinux  policy is customizable based on least access required.  uncon‐
56       fined_dbusd policy is extremely flexible and has several booleans  that
57       allow  you  to  manipulate the policy and run unconfined_dbusd with the
58       tightest access possible.
59
60
61
62       If you want to allow users to resolve user passwd entries directly from
63       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
64       gin_nsswitch_use_ldap boolean. Disabled by default.
65
66       setsebool -P authlogin_nsswitch_use_ldap 1
67
68
69
70       If you want to deny user domains applications to map a memory region as
71       both  executable  and  writable,  this  is dangerous and the executable
72       should be reported in bugzilla, you must turn on the deny_execmem bool‐
73       ean. Enabled by default.
74
75       setsebool -P deny_execmem 1
76
77
78
79       If  you  want  to deny any process from ptracing or debugging any other
80       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
81       default.
82
83       setsebool -P deny_ptrace 1
84
85
86
87       If  you  want  to  allow  any  process  to mmap any file on system with
88       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
89       ean. Enabled by default.
90
91       setsebool -P domain_can_mmap_files 1
92
93
94
95       If  you want to allow all domains write to kmsg_device, while kernel is
96       executed with systemd.log_target=kmsg parameter, you must turn  on  the
97       domain_can_write_kmsg boolean. Disabled by default.
98
99       setsebool -P domain_can_write_kmsg 1
100
101
102
103       If you want to allow all domains to use other domains file descriptors,
104       you must turn on the domain_fd_use boolean. Enabled by default.
105
106       setsebool -P domain_fd_use 1
107
108
109
110       If you want to allow all domains to have the kernel load  modules,  you
111       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
112       default.
113
114       setsebool -P domain_kernel_load_modules 1
115
116
117
118       If you want to allow all domains to execute in fips_mode, you must turn
119       on the fips_mode boolean. Enabled by default.
120
121       setsebool -P fips_mode 1
122
123
124
125       If you want to enable reading of urandom for all domains, you must turn
126       on the global_ssp boolean. Disabled by default.
127
128       setsebool -P global_ssp 1
129
130
131
132       If you want to allow confined applications to run  with  kerberos,  you
133       must turn on the kerberos_enabled boolean. Enabled by default.
134
135       setsebool -P kerberos_enabled 1
136
137
138
139       If  you  want  to control the ability to mmap a low area of the address
140       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
141       the mmap_low_allowed boolean. Disabled by default.
142
143       setsebool -P mmap_low_allowed 1
144
145
146
147       If  you  want  to  allow  system  to run with NIS, you must turn on the
148       nis_enabled boolean. Disabled by default.
149
150       setsebool -P nis_enabled 1
151
152
153
154       If you want to allow confined applications to use nscd  shared  memory,
155       you must turn on the nscd_use_shm boolean. Disabled by default.
156
157       setsebool -P nscd_use_shm 1
158
159
160
161       If  you  want  to  disable  kernel module loading, you must turn on the
162       secure_mode_insmod boolean. Enabled by default.
163
164       setsebool -P secure_mode_insmod 1
165
166
167
168       If you want to boolean to determine whether the system permits  loading
169       policy,  setting enforcing mode, and changing boolean values.  Set this
170       to true and you have to reboot to set it back, you  must  turn  on  the
171       secure_mode_policyload boolean. Enabled by default.
172
173       setsebool -P secure_mode_policyload 1
174
175
176
177       If  you  want to allow unconfined executables to make their heap memory
178       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
179       badly  coded  executable, but could indicate an attack. This executable
180       should  be  reported  in  bugzilla,  you  must  turn  on   the   selin‐
181       uxuser_execheap boolean. Disabled by default.
182
183       setsebool -P selinuxuser_execheap 1
184
185
186
187       If  you  want  to  allow  all  unconfined  executables to use libraries
188       requiring text relocation that are  not  labeled  textrel_shlib_t,  you
189       must turn on the selinuxuser_execmod boolean. Enabled by default.
190
191       setsebool -P selinuxuser_execmod 1
192
193
194
195       If  you  want  to allow unconfined executables to make their stack exe‐
196       cutable.  This should never, ever be necessary.  Probably  indicates  a
197       badly  coded  executable, but could indicate an attack. This executable
198       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
199       stack boolean. Enabled by default.
200
201       setsebool -P selinuxuser_execstack 1
202
203
204
205       If  you want to support ecryptfs home directories, you must turn on the
206       use_ecryptfs_home_dirs boolean. Disabled by default.
207
208       setsebool -P use_ecryptfs_home_dirs 1
209
210
211
212       If you want to support fusefs home directories, you must  turn  on  the
213       use_fusefs_home_dirs boolean. Disabled by default.
214
215       setsebool -P use_fusefs_home_dirs 1
216
217
218
219       If  you  want  to  support  NFS  home directories, you must turn on the
220       use_nfs_home_dirs boolean. Disabled by default.
221
222       setsebool -P use_nfs_home_dirs 1
223
224
225
226       If you want to support SAMBA home directories, you  must  turn  on  the
227       use_samba_home_dirs boolean. Disabled by default.
228
229       setsebool -P use_samba_home_dirs 1
230
231
232
233       If you want to support X userspace object manager, you must turn on the
234       xserver_object_manager boolean. Enabled by default.
235
236       setsebool -P xserver_object_manager 1
237
238
239

MANAGED FILES

241       The SELinux process type unconfined_dbusd_t can  manage  files  labeled
242       with  the following file types.  The paths listed are the default paths
243       for these file types.  Note the processes UID still need  to  have  DAC
244       permissions.
245
246       file_type
247
248            all files on the system
249
250

COMMANDS

252       semanage  fcontext  can also be used to manipulate default file context
253       mappings.
254
255       semanage permissive can also be used to manipulate  whether  or  not  a
256       process type is permissive.
257
258       semanage  module can also be used to enable/disable/install/remove pol‐
259       icy modules.
260
261       semanage boolean can also be used to manipulate the booleans
262
263
264       system-config-selinux is a GUI tool available to customize SELinux pol‐
265       icy settings.
266
267

AUTHOR

269       This manual page was auto-generated using sepolicy manpage .
270
271

SEE ALSO

273       selinux(8),  unconfined_dbusd(8), semanage(8), restorecon(8), chcon(1),
274       sepolicy(8) , setsebool(8)
275
276
277
278unconfined_dbusd                   19-04-25        unconfined_dbusd_selinux(8)