system_cronjob_selinux(8)     SELinux Policy system_cronjob     system_cronjob_selinux(8)


NAME

       system_cronjob_selinux - Security Enhanced Linux Policy for the
       system_cronjob processes

DESCRIPTION

       Security-Enhanced Linux secures the system_cronjob processes via flexible
       mandatory access control.

       The system_cronjob processes execute with the system_cronjob_t SELinux
       type. You can check if you have these processes running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep system_cronjob_t

ENTRYPOINTS

       The system_cronjob_t SELinux type can be entered via the
       system_cron_spool_t, anacron_exec_t, usr_t, bin_t, shell_exec_t, cifs_t,
       nfs_t, fusefs_t file types.

       The default entrypoint paths for the system_cronjob_t domain are the
       following:

       All executables with the default executable label, usually stored in
       /usr/bin and /usr/sbin. /etc/cron.d(/.*)?, /var/spool/anacron(/.*)?,
       /etc/crontab, /var/spool/fcron/systab, /var/spool/fcron/new.systab,
       /var/spool/fcron/systab.orig, /usr/sbin/anacron, /usr/.*, /opt/.*,
       /emul/.*, /ostree(/.*)?, /export(/.*)?, /usr/doc(/.*)?/lib(/.*)?,
       /usr/inclu.e(/.*)?, /usr/share/doc(/.*)?/README.*, /usr, /opt, /emul,
       /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*,
       /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
       /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/sash,
       /usr/bin/tcsh, /usr/bin/yash, /usr/bin/mksh, /usr/bin/fish,
       /usr/bin/bash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2,
       /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin,
       /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell,
       /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
       /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell,
       /var/run/user/[^/]*/gvfs

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       system_cronjob policy is very flexible, allowing users to set up their
       system_cronjob processes in as secure a method as possible.

       The following process types are defined for system_cronjob:

       system_cronjob_t

       Note: semanage permissive -a system_cronjob_t can be used to make the
       process type system_cronjob_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       system_cronjob policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run system_cronjob with the
       tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow system cron jobs to relabel the filesystem for
       restoring file contexts, you must turn on the cron_can_relabel boolean.
       Disabled by default.

       setsebool -P cron_can_relabel 1

       If you want to allow system cronjobs to be executed on NFS, CIFS or
       FUSE filesystems, you must turn on the cron_system_cronjob_use_shares
       boolean. Disabled by default.

       setsebool -P cron_system_cronjob_use_shares 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny user domain applications the ability to map a memory
       region as both executable and writable (this is dangerous, and the
       executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device, while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the domain_fd_use boolean. Enabled by default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1

       If you want to control whether the system permits loading policy,
       setting enforcing mode, and changing boolean values (set this to true
       and you have to reboot to set it back), you must turn on the
       secure_mode_policyload boolean. Enabled by default.

       setsebool -P secure_mode_policyload 1

       If you want to allow unconfined executables to make their heap memory
       executable (doing this is a really bad idea; it probably indicates a
       badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       selinuxuser_execheap boolean. Disabled by default.

       setsebool -P selinuxuser_execheap 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the selinuxuser_execmod boolean. Enabled by default.

       setsebool -P selinuxuser_execmod 1

       If you want to allow unconfined executables to make their stack
       executable (this should never, ever be necessary; it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       selinuxuser_execstack boolean. Enabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Enabled by default.

       setsebool -P xserver_object_manager 1

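       The following audit helper is an added example and is not part of the
       sepolicy-generated manual page. It compares a getsebool -a listing
       against the defaults documented above for the booleans that widen what
       system_cronjob_t may do and reports any drift; the function name
       audit_cron_booleans and the sample listing are constructed for the
       example.

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated page: report booleans that
# differ from the defaults this manual page documents.  Input is the
# "name --> value" listing that `getsebool -a` prints.
# Documented default for each audited boolean, as name:default.
CRON_BOOL_DEFAULTS="cron_can_relabel:off
cron_system_cronjob_use_shares:off
daemons_use_tty:off
deny_execmem:on
deny_ptrace:on
domain_kernel_load_modules:off
secure_mode_insmod:on
selinuxuser_execheap:off"

# audit_cron_booleans LISTING
#   Prints "name current=X documented=Y" for every audited boolean whose value
#   in LISTING differs from the documented default (current=missing when the
#   boolean is absent).  Returns 0 when nothing drifted, 1 otherwise.
audit_cron_booleans() {
    listing=$1
    drift=0
    for entry in $CRON_BOOL_DEFAULTS; do
        name=${entry%%:*}
        want=${entry#*:}
        # getsebool -a prints: name --> value ; take field 3 for this name.
        cur=$(printf '%s\n' "$listing" | awk -v n="$name" '$1 == n { print $3 }')
        [ -n "$cur" ] || cur=missing
        if [ "$cur" != "$want" ]; then
            echo "$name current=$cur documented=$want"
            drift=1
        fi
    done
    return $drift
}

# Constructed sample listing: cron_can_relabel was switched on and deny_ptrace
# off, both widening what system_cronjob_t may do; the rest match the page.
SAMPLE_LISTING="cron_can_relabel --> on
cron_system_cronjob_use_shares --> off
daemons_use_tty --> off
deny_execmem --> on
deny_ptrace --> off
domain_kernel_load_modules --> off
secure_mode_insmod --> on
selinuxuser_execheap --> off"

# On a live host run: audit_cron_booleans "$(getsebool -a)"
audit_cron_booleans "$SAMPLE_LISTING" || echo "boolean drift detected"
```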

MANAGED FILES

       The SELinux process type system_cronjob_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note the process's UID still needs to have DAC
       permissions.

       file_type

            all files on the system


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), system_cronjob(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

system_cronjob                     19-04-25          system_cronjob_selinux(8)