plymouth_selinux(8)         SELinux Policy plymouth        plymouth_selinux(8)


NAME

       plymouth_selinux - Security Enhanced Linux Policy for the plymouth
       processes


DESCRIPTION

       Security-Enhanced Linux secures the plymouth processes via flexible
       mandatory access control.

       The plymouth processes execute with the plymouth_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep plymouth_t


ENTRYPOINTS

       The plymouth_t SELinux type can be entered via the plymouth_exec_t file
       type.

       The default entrypoint paths for the plymouth_t domain are the
       following:

       /bin/plymouth, /usr/bin/plymouth


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       plymouth policy is very flexible, allowing users to set up their
       plymouth processes in as secure a method as possible.

       The following process types are defined for plymouth:

       plymouth_t, plymouthd_t

       Note: semanage permissive -a plymouth_t can be used to make the process
       type plymouth_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

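       The ps -eZ check above tells you whether plymouth processes exist, but
       the point of the entrypoint and process-type sections is that they must
       be running in plymouth_t or plymouthd_t; a plymouth binary that shows up
       in some other domain (for example after its executable lost its
       plymouth_exec_t label) is not confined by this policy at all. The
       following script is an added example and not part of the sepolicy-
       generated page: it reads ps -eZ style lines (LABEL PID TTY TIME CMD) and
       reports every plymouth process with its domain and a verdict. The sample
       input is constructed; on a real host pipe ps -eZ into the function.

```shell
#!/bin/sh
# Added example (not from the generated man page): audit "ps -eZ" output for
# plymouth processes and report whether each one runs in a plymouth domain.
# Expected input: one process per line as printed by "ps -eZ":
#   <context> <pid> <tty> <time> <cmd>

# Constructed sample standing in for "ps -eZ" on a live system. PID 513 is
# deliberately wrong: a plymouthd that did not transition into plymouthd_t.
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
system_u:system_r:plymouthd_t:s0 412 ? 00:00:00 plymouthd
system_u:system_r:plymouth_t:s0 433 ? 00:00:00 plymouth
system_u:system_r:unconfined_t:s0 513 ? 00:00:00 plymouthd
unconfined_u:unconfined_r:unconfined_t:s0 900 pts/0 00:00:00 bash'

# Extract the SELinux type (third colon-separated field) from a context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read ps -eZ lines on stdin; print "<pid> <cmd> <type> <verdict>" for each
# plymouth or plymouthd process. The header line is skipped because its CMD
# column does not name a plymouth binary.
audit_plymouth_processes() {
    while read -r ctx pid tty cputime cmd; do
        case "$cmd" in
            plymouth|plymouthd) ;;
            *) continue ;;
        esac
        type=$(selinux_type "$ctx")
        case "$type" in
            plymouth_t|plymouthd_t) verdict=confined ;;
            *) verdict=UNCONFINED ;;
        esac
        printf '%s %s %s %s\n' "$pid" "$cmd" "$type" "$verdict"
    done
}

# Number of plymouth processes running outside the policy's domains.
count_unconfined_plymouth() {
    audit_plymouth_processes | grep -c ' UNCONFINED$' || true
}

# Run against the constructed sample; on a real host use:
#   ps -eZ | audit_plymouth_processes
printf '%s\n' "$SAMPLE_PS" | audit_plymouth_processes
```

       A non-zero count from count_unconfined_plymouth is the thing to chase
       down: check the executable's label with ls -Z against the plymouth_exec_t
       and plymouthd_exec_t paths listed under FILE CONTEXTS, and fix it with
       restorecon.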

BOOLEANS

       SELinux policy is customizable based on least access required.
       plymouth policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run plymouth with the tightest
       access possible.

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

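       Each boolean above has a documented default, and the ones that are
       "Disabled by default" (domain_can_write_kmsg, domain_kernel_load_modules,
       global_ssp) widen access for every domain when turned on, so a host whose
       values drifted from the defaults is worth noticing. The script below is
       an added example, not part of the generated page: it compares getsebool
       -a output (lines of the form "name --> on|off") against the defaults
       listed in this section and prints the setsebool -P commands that would
       restore them. The getsebool sample is constructed; pipe the real command
       in on a live system.

```shell
#!/bin/sh
# Added example (not from the generated man page): compare "getsebool -a"
# output against the defaults this page documents and report drift, plus the
# "setsebool -P" commands that would restore the documented values.

# Expected defaults, taken from the BOOLEANS section of this page.
EXPECTED_BOOLEANS='deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off'

# Constructed sample of "getsebool -a" output: deny_ptrace has been turned
# off and domain_can_write_kmsg turned on. The last boolean is not one this
# page documents and must be ignored.
SAMPLE_GETSEBOOL='deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> on
domain_fd_use --> on
domain_kernel_load_modules --> off
fips_mode --> on
global_ssp --> off
httpd_can_network_connect --> off'

# Print the documented default ("on"/"off") for one boolean; nothing if unknown.
expected_boolean() {
    printf '%s\n' "$EXPECTED_BOOLEANS" | awk -v name="$1" '$1 == name { print $2 }'
}

# Read getsebool output on stdin; print "<name> expected=<x> actual=<y>" for
# every documented boolean whose current value differs from its default.
boolean_drift() {
    while read -r name arrow actual; do
        [ "$arrow" = "-->" ] || continue   # not a getsebool line
        want=$(expected_boolean "$name")
        [ -n "$want" ] || continue         # not a boolean this page documents
        if [ "$want" != "$actual" ]; then
            printf '%s expected=%s actual=%s\n' "$name" "$want" "$actual"
        fi
    done
}

# Turn the drift report into the persistent setsebool commands that undo it.
remediation_commands() {
    boolean_drift | while read -r name rest; do
        case "$(expected_boolean "$name")" in
            on)  value=1 ;;
            off) value=0 ;;
            *)   continue ;;
        esac
        printf 'setsebool -P %s %s\n' "$name" "$value"
    done
}

# Run against the constructed sample; on a real host use:
#   getsebool -a | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

       The remediation output is meant to be read, not blindly executed: a
       boolean that differs from the default may have been changed on purpose
       for this host, and setsebool -P rewrites the persistent value.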

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux plymouth policy is very flexible, allowing users to set up their
       plymouth processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for plymouth. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t plymouthd_var_run_t '/srv/myplymouth_content(/.*)?'
       restorecon -R -v /srv/myplymouth_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for plymouth:

       plymouth_exec_t

       - Set files with the plymouth_exec_t type, if you want to transition an
       executable to the plymouth_t domain.

       Paths:
            /bin/plymouth, /usr/bin/plymouth

       plymouthd_exec_t

       - Set files with the plymouthd_exec_t type, if you want to transition
       an executable to the plymouthd_t domain.

       Paths:
            /sbin/plymouthd, /usr/sbin/plymouthd

       plymouthd_spool_t

       - Set files with the plymouthd_spool_t type, if you want to store the
       plymouthd files under the /var/spool directory.

       plymouthd_var_lib_t

       - Set files with the plymouthd_var_lib_t type, if you want to store the
       plymouthd files under the /var/lib directory.

       plymouthd_var_log_t

       - Set files with the plymouthd_var_log_t type, if you want to treat the
       data as plymouthd var log data, usually stored under the /var/log
       directory.

       plymouthd_var_run_t

       - Set files with the plymouthd_var_run_t type, if you want to store the
       plymouthd files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

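       The regular expression in the STANDARD FILE CONTEXT example decides
       exactly which paths get plymouthd_var_run_t, and the trailing (/.*)?
       is what makes the rule cover the directory itself and everything below
       it while leaving a sibling such as /srv/myplymouth_content2 alone. The
       script below is an added example rather than code from the generated
       page: it checks paths against that rule the way libselinux does (the
       whole path must match, which grep -x reproduces here; that anchoring
       behaviour is an assumption about libselinux, not something the page
       states) and, given a constructed list of path/type pairs, lists the
       files that restorecon -R would relabel.

```shell
#!/bin/sh
# Added example (not from the generated man page): show which paths the
# fcontext rule from the STANDARD FILE CONTEXT section covers, and which
# sampled files "restorecon -R" would relabel under it.

# The rule this page installs with "semanage fcontext -a -t ...".
FCONTEXT_TYPE='plymouthd_var_run_t'
FCONTEXT_REGEX='/srv/myplymouth_content(/.*)?'

# True when the whole path matches the rule. File-context regexes are matched
# against the complete path (assumed libselinux behaviour), so "grep -x"
# (whole-line match) is used to mirror that.
fcontext_matches() {
    printf '%s\n' "$1" | grep -Eqx -e "$FCONTEXT_REGEX"
}

# Constructed sample of on-disk labels (path and current type) after the
# directory was created but before restorecon ran; on a real host the pairs
# would be trimmed out of "ls -RZ" output.
SAMPLE_LABELS='/srv/myplymouth_content var_t
/srv/myplymouth_content/pid plymouthd_var_run_t
/srv/myplymouth_content/sub/lock var_t
/srv/myplymouth_content2 var_t
/srv/other var_t'

# Read "<path> <type>" lines on stdin; print "<path> <current> -> <expected>"
# for every path the rule covers whose current type is not the rule's type.
# Paths outside the rule are left alone, just as restorecon leaves them.
label_drift() {
    while read -r path current; do
        if fcontext_matches "$path" && [ "$current" != "$FCONTEXT_TYPE" ]; then
            printf '%s %s -> %s\n' "$path" "$current" "$FCONTEXT_TYPE"
        fi
    done
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_LABELS" | label_drift
```

       On a live system the authoritative check is restorecon -R -n -v, which
       prints what it would change without changing it; the script above is
       useful for reasoning about a pattern before adding it with semanage.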

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



plymouth                           19-04-25                plymouth_selinux(8)