udev_selinux(8) SELinux Policy udev udev_selinux(8)

NAME

udev_selinux - Security Enhanced Linux Policy for the udev processes

DESCRIPTION

Security-Enhanced Linux secures the udev processes via flexible
mandatory access control.

The udev processes execute with the udev_t SELinux type. You can check
if you have these processes running by executing the ps command with
the -Z qualifier.

For example:

ps -eZ | grep udev_t

ENTRYPOINTS

The udev_t SELinux type can be entered via the udev_helper_exec_t and
udev_exec_t file types.

The default entrypoint paths for the udev_t domain are the following:

/etc/dev.d/.+, /etc/udev/scripts/.+, /etc/hotplug.d/default/udev.*,
/sbin/udev, /sbin/udevd, /bin/udevadm, /sbin/udevadm, /sbin/udevsend,
/usr/sbin/udev, /lib/udev/udevd, /sbin/udevstart, /usr/sbin/udevd,
/sbin/start_udev, /usr/bin/udevadm, /usr/bin/udevinfo,
/usr/sbin/udevadm, /lib/udev/udev-acl, /usr/sbin/udevsend,
/usr/sbin/udevstart, /usr/lib/udev/udevd, /sbin/wait_for_sysfs,
/usr/sbin/start_udev, /usr/lib/udev/udev-acl, /usr/sbin/wait_for_sysfs,
/usr/lib/systemd/systemd-udevd

PROCESS TYPES

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
udev policy is very flexible, allowing users to set up their udev
processes as securely as possible.

The following process types are defined for udev:

udev_t

Note: semanage permissive -a udev_t can be used to make the process
type udev_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.

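Because a permissive udev_t still produces AVC records, anyone reviewing the audit log needs to tell enforced denials from advisory ones. The following script is an added example (not part of this manual page or of the sepolicy tooling): it parses audit.log style lines, keeps only denials whose source type is udev_t, and counts them by target type, object class and the permissive flag. The sample records are constructed, not real system output.

```python
import re
from collections import Counter

# One AVC record: "avc:  denied  { perms } for  key=value ..." (kernel/auditd format).
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(ctx):
    """Third field of user:role:type[:level] is the SELinux type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Return a dict for one AVC line, or None for non-AVC records (SYSCALL, CWD, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["stype"] = ctx_type(rec.get("scontext", ""))
    rec["ttype"] = ctx_type(rec.get("tcontext", ""))
    # permissive=1: the access went ahead anyway, so the denial is advisory only.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def summarize(lines, domain="udev_t"):
    """Count denials from `domain`, keyed by (target type, object class, permissive flag)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["stype"] == domain:
            counts[(rec["ttype"], rec.get("tclass"), rec["permissive"])] += 1
    return counts

# Constructed sample audit records (not captured from a real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=812 comm="systemd-udevd" name="lock" dev="tmpfs" ino=41 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { execute } for  pid=815 comm="systemd-udevd" name="helper.sh" dev="dm-0" ino=77 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=812 comm="systemd-udevd" name="lock" dev="tmpfs" ino=41 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=900 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
""".splitlines()

if __name__ == "__main__":
    for (ttype, tclass, perm), n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"udev_t -> {ttype} ({tclass}): {n} denial(s), {'permissive' if perm else 'enforced'}")
```
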
BOOLEANS

SELinux policy is customizable based on least access required. udev
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run udev with the tightest access possible.

If you want to allow users to resolve user passwd entries directly from
LDAP rather than using an sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow all daemons to write core files to /, you must
turn on the daemons_dump_core boolean. Disabled by default.

setsebool -P daemons_dump_core 1

If you want to enable cluster mode for daemons, you must turn on the
daemons_enable_cluster_mode boolean. Enabled by default.

setsebool -P daemons_enable_cluster_mode 1

If you want to allow all daemons to use TCP wrappers, you must turn on
the daemons_use_tcp_wrapper boolean. Disabled by default.

setsebool -P daemons_use_tcp_wrapper 1

If you want to allow all daemons the ability to read/write terminals,
you must turn on the daemons_use_tty boolean. Disabled by default.

setsebool -P daemons_use_tty 1

If you want to deny user domain applications the ability to map a
memory region as both executable and writable, you must turn on the
deny_execmem boolean. Such mappings are dangerous, and an executable
that needs them should be reported in Bugzilla. Enabled by default.

setsebool -P deny_execmem 1

If you want to deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean. Enabled by
default.

setsebool -P deny_ptrace 1

If you want to allow any process to mmap any file on the system with
the attribute file_type, you must turn on the domain_can_mmap_files
boolean. Enabled by default.

setsebool -P domain_can_mmap_files 1

If you want to allow all domains to write to the kmsg device while the
kernel is booted with the systemd.log_target=kmsg parameter, you must
turn on the domain_can_write_kmsg boolean. Disabled by default.

setsebool -P domain_can_write_kmsg 1

If you want to allow all domains to use other domains' file
descriptors, you must turn on the domain_fd_use boolean. Enabled by
default.

setsebool -P domain_fd_use 1

If you want to allow all domains to have the kernel load modules, you
must turn on the domain_kernel_load_modules boolean. Disabled by
default.

setsebool -P domain_kernel_load_modules 1

If you want to allow all domains to execute in FIPS mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to enable reading of urandom for all domains, you must turn
on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1

If you want to allow confined applications to run with Kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to control the ability to mmap a low area of the address
space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1

If you want to disable kernel module loading, you must turn on the
secure_mode_insmod boolean. Enabled by default.

setsebool -P secure_mode_insmod 1

The secure_mode_policyload boolean determines whether the system
permits loading policy, setting enforcing mode, and changing boolean
values. Once set to true, it cannot be set back without a reboot. If
you want to lock these operations down, you must turn on the
secure_mode_policyload boolean. Enabled by default.

setsebool -P secure_mode_policyload 1

If you want to allow unconfined executables to make their heap memory
executable, you must turn on the selinuxuser_execheap boolean. Doing
this is a really bad idea: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in Bugzilla. Disabled by default.

setsebool -P selinuxuser_execheap 1

If you want to allow all unconfined executables to use libraries
requiring text relocation that are not labeled textrel_shlib_t, you
must turn on the selinuxuser_execmod boolean. Enabled by default.

setsebool -P selinuxuser_execmod 1

If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in Bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1

If you want to support the X userspace object manager, you must turn on
the xserver_object_manager boolean. Enabled by default.

setsebool -P xserver_object_manager 1

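To check a live host against the defaults documented above, the following added example (not part of this manual page or of the sepolicy tooling) parses `getsebool -a` style output and reports every documented boolean whose value has drifted from its default, classifying each change as weaker or stricter. The sample output is constructed, and the rule that deny_* and secure_mode_* booleans restrict access when on while the others grant access when on is this example's own simplification of the descriptions above.

```python
import re

# Defaults exactly as documented on this page (name -> default value).
DOCUMENTED_DEFAULTS = {
    "authlogin_nsswitch_use_ldap": "off", "daemons_dump_core": "off",
    "daemons_enable_cluster_mode": "on", "daemons_use_tcp_wrapper": "off",
    "daemons_use_tty": "off", "deny_execmem": "on", "deny_ptrace": "on",
    "domain_can_mmap_files": "on", "domain_can_write_kmsg": "off",
    "domain_fd_use": "on", "domain_kernel_load_modules": "off",
    "fips_mode": "on", "global_ssp": "off", "kerberos_enabled": "on",
    "mmap_low_allowed": "off", "nis_enabled": "off", "nscd_use_shm": "off",
    "secure_mode_insmod": "on", "secure_mode_policyload": "on",
    "selinuxuser_execheap": "off", "selinuxuser_execmod": "on",
    "selinuxuser_execstack": "on", "xserver_object_manager": "on",
}
# Assumption of this example: the deny_* and secure_mode_* booleans restrict
# access when on; every other boolean above grants extra access when on.
RESTRICT_WHEN_ON = {"deny_execmem", "deny_ptrace", "secure_mode_insmod", "secure_mode_policyload"}
GETSEBOOL_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)$")

def parse_getsebool(lines):
    """Parse `getsebool -a` style lines ("name --> on") into {name: value}."""
    state = {}
    for line in lines:
        m = GETSEBOOL_RE.match(line.strip())
        if m:
            state[m.group(1)] = m.group(2)
    return state

def audit_booleans(current, defaults=DOCUMENTED_DEFAULTS):
    """{name: (default, current, "weaker"|"stricter")} for each drifted documented boolean."""
    drift = {}
    for name, default in defaults.items():
        value = current.get(name)
        if value is None or value == default:
            continue  # unknown to getsebool, or still at the documented default
        grants_when_on = name not in RESTRICT_WHEN_ON
        # A grant-type boolean turned on, or a restrict-type boolean turned off, weakens policy.
        weaker = (value == "on") == grants_when_on
        drift[name] = (default, value, "weaker" if weaker else "stricter")
    return drift

# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_GETSEBOOL = """\
deny_ptrace --> off
selinuxuser_execheap --> on
selinuxuser_execstack --> off
domain_kernel_load_modules --> on
unrelated_bool --> on
""".splitlines()
```
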
MANAGED FILES

The SELinux process type udev_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

file_type

all files on the system

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux udev policy is very flexible, allowing users to set up their
udev processes as securely as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for udev. If you want to store
files with these types in different paths, you need to run the semanage
command to specify the alternate labeling and then use restorecon to
put the labels on disk.

semanage fcontext -a -t udev_var_run_t '/srv/myudev_content(/.*)?'
restorecon -R -v /srv/myudev_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for udev:

udev_etc_t

- Set files with the udev_etc_t type, if you want to store udev files
in the /etc directories.

udev_exec_t

- Set files with the udev_exec_t type, if you want to transition an
executable to the udev_t domain.

Paths:
/sbin/udev, /sbin/udevd, /bin/udevadm, /sbin/udevadm, /sbin/udevsend,
/usr/sbin/udev, /lib/udev/udevd, /sbin/udevstart, /usr/sbin/udevd,
/sbin/start_udev, /usr/bin/udevadm, /usr/bin/udevinfo,
/usr/sbin/udevadm, /lib/udev/udev-acl, /usr/sbin/udevsend,
/usr/sbin/udevstart, /usr/lib/udev/udevd, /sbin/wait_for_sysfs,
/usr/sbin/start_udev, /usr/lib/udev/udev-acl, /usr/sbin/wait_for_sysfs,
/usr/lib/systemd/systemd-udevd

udev_helper_exec_t

- Set files with the udev_helper_exec_t type, if you want to transition
an executable to the udev_helper_t domain.

Paths:
/etc/dev.d/.+, /etc/udev/scripts/.+, /etc/hotplug.d/default/udev.*

udev_rules_t

- Set files with the udev_rules_t type, if you want to treat the files
as udev rules data.

udev_tmp_t

- Set files with the udev_tmp_t type, if you want to store udev
temporary files in the /tmp directories.

udev_var_run_t

- Set files with the udev_var_run_t type, if you want to store the udev
files under the /run or /var/run directory.

Paths:
/dev/.udev(/.*)?, /var/run/udev(/.*)?, /var/run/libgpod(/.*)?,
/var/run/PackageKit/udev(/.*)?, /dev/.udevdb, /dev/udev.tbl

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

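To reason offline about which label a path will receive, the following added example (not part of this manual page or of libselinux) applies the patterns listed above the way file_contexts entries are applied: each regex is anchored to the whole path and the last matching entry wins, with local customizations recorded by `semanage fcontext -a` appended after the distribution entries. The spec list, the sample paths and that last-match-wins rule are this example's assumptions; on a real host, confirm with matchpathcon(8) or `semanage fcontext -l`.

```python
import re

# Specs built from the path lists on this page: (regex, file type), in file order.
# As in file_contexts, a later entry takes precedence over an earlier one.
DISTRO_SPECS = [
    ("/sbin/udevd", "udev_exec_t"),
    ("/usr/bin/udevadm", "udev_exec_t"),
    ("/usr/lib/systemd/systemd-udevd", "udev_exec_t"),
    ("/usr/lib/udev/udev-acl", "udev_exec_t"),
    ("/etc/udev/scripts/.+", "udev_helper_exec_t"),
    ("/etc/hotplug.d/default/udev.*", "udev_helper_exec_t"),
    ("/var/run/udev(/.*)?", "udev_var_run_t"),
    ("/dev/.udev(/.*)?", "udev_var_run_t"),
]

def compile_specs(specs):
    """Anchor every pattern to the whole path, as file_contexts matching does."""
    return [(re.compile("^" + pattern + "$"), ftype) for pattern, ftype in specs]

def lookup(path, specs):
    """Type assigned to path, or None; walks backwards so the last match wins."""
    for regex, ftype in reversed(compile_specs(specs)):
        if regex.match(path):
            return ftype
    return None

def with_local(specs, local):
    """Append local rules (what semanage fcontext -a records); they override distro ones."""
    return list(specs) + list(local)

def audit_paths(paths, specs):
    """Map each path to its expected type; None marks paths no spec covers."""
    return {p: lookup(p, specs) for p in paths}

# Constructed sample paths: the '.+' and unescaped '.' cases show why the page
# notes that labels are regular expressions; the last path needs the local rule.
SAMPLE_PATHS = [
    "/usr/lib/systemd/systemd-udevd",
    "/etc/udev/scripts/net-rename.sh",
    "/etc/udev/scripts/",   # the directory itself: '.+' needs at least one more char
    "/var/run/udev/data/n1",
    "/dev/Xudev/queue",     # '.' in /dev/.udev matches any single character
    "/srv/myudev_content/links",
]
LOCAL = [("/srv/myudev_content(/.*)?", "udev_var_run_t")]  # from STANDARD FILE CONTEXT

if __name__ == "__main__":
    for path, ftype in audit_paths(SAMPLE_PATHS, with_local(DISTRO_SPECS, LOCAL)).items():
        print(f"{path}: {ftype or '<<none>>'}")
```
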
COMMANDS

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), udev(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8)

udev 19-04-25 udev_selinux(8)