1mount_selinux(8) SELinux Policy mount mount_selinux(8)
2
3
4
6 mount_selinux - Security Enhanced Linux Policy for the mount processes
7
9 Security-Enhanced Linux secures the mount processes via flexible manda‐
10 tory access control.
11
12 The mount processes execute with the mount_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep mount_t
19
20
21
23 The mount_t SELinux type can be entered via the mount_exec_t, fuser‐
24 mount_exec_t file types.
25
26 The default entrypoint paths for the mount_t domain are the following:
27
28 /bin/mount.*, /bin/umount.*, /sbin/mount.*, /sbin/umount.*,
29 /usr/bin/mount.*, /usr/bin/umount.*, /usr/sbin/mount.*,
30 /usr/sbin/umount.*, /bin/fusermount, /usr/bin/fusermount
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 mount policy is very flexible allowing users to setup their mount pro‐
40 cesses in as secure a method as possible.
41
42 The following process types are defined for mount:
43
44 mount_t, mount_ecryptfs_t
45
46 Note: semanage permissive -a mount_t can be used to make the process
47 type mount_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. mount
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run mount with the tightest access possible.
56
57
58
59 If you want to allow the mount commands to mount any directory or file,
60 you must turn on the mount_anyfile boolean. Enabled by default.
61
62 setsebool -P mount_anyfile 1
63
64
65
66 If you want to allow users to resolve user passwd entries directly from
67 ldap rather then using a sssd server, you must turn on the authlo‐
68 gin_nsswitch_use_ldap boolean. Disabled by default.
69
70 setsebool -P authlogin_nsswitch_use_ldap 1
71
72
73
74 If you want to deny user domains applications to map a memory region as
75 both executable and writable, this is dangerous and the executable
76 should be reported in bugzilla, you must turn on the deny_execmem bool‐
77 ean. Enabled by default.
78
79 setsebool -P deny_execmem 1
80
81
82
83 If you want to allow all domains to execute in fips_mode, you must turn
84 on the fips_mode boolean. Enabled by default.
85
86 setsebool -P fips_mode 1
87
88
89
90 If you want to allow confined applications to run with kerberos, you
91 must turn on the kerberos_enabled boolean. Enabled by default.
92
93 setsebool -P kerberos_enabled 1
94
95
96
97 If you want to control the ability to mmap a low area of the address
98 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
99 the mmap_low_allowed boolean. Disabled by default.
100
101 setsebool -P mmap_low_allowed 1
102
103
104
105 If you want to allow system to run with NIS, you must turn on the
106 nis_enabled boolean. Disabled by default.
107
108 setsebool -P nis_enabled 1
109
110
111
112 If you want to allow confined applications to use nscd shared memory,
113 you must turn on the nscd_use_shm boolean. Enabled by default.
114
115 setsebool -P nscd_use_shm 1
116
117
118
119 If you want to disable kernel module loading, you must turn on the
120 secure_mode_insmod boolean. Enabled by default.
121
122 setsebool -P secure_mode_insmod 1
123
124
125
126 If you want to allow unconfined executables to make their heap memory
127 executable. Doing this is a really bad idea. Probably indicates a
128 badly coded executable, but could indicate an attack. This executable
129 should be reported in bugzilla, you must turn on the selin‐
130 uxuser_execheap boolean. Disabled by default.
131
132 setsebool -P selinuxuser_execheap 1
133
134
135
136 If you want to allow unconfined executables to make their stack exe‐
137 cutable. This should never, ever be necessary. Probably indicates a
138 badly coded executable, but could indicate an attack. This executable
139 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
140 stack boolean. Enabled by default.
141
142 setsebool -P selinuxuser_execstack 1
143
144
145
147 SELinux defines port types to represent TCP and UDP ports.
148
149 You can see the types associated with a port by using the following
150 command:
151
152 semanage port -l
153
154
155 Policy governs the access confined processes have to these ports.
156 SELinux mount policy is very flexible allowing users to setup their
157 mount processes in as secure a method as possible.
158
159 The following port types are defined for mount:
160
161
162 mountd_port_t
163
164
165
166 Default Defined Ports:
167 tcp 20048
168 udp 20048
169
171 The SELinux process type mount_t can manage files labeled with the fol‐
172 lowing file types. The paths listed are the default paths for these
173 file types. Note the processes UID still need to have DAC permissions.
174
175 file_type
176
177 all files on the system
178
179
181 SELinux requires files to have an extended attribute to define the file
182 type.
183
184 You can see the context of a file using the -Z option to ls
185
186 Policy governs the access confined processes have to these files.
187 SELinux mount policy is very flexible allowing users to setup their
188 mount processes in as secure a method as possible.
189
190 STANDARD FILE CONTEXT
191
192 SELinux defines the file context types for the mount, if you wanted to
193 store files with these types in a diffent paths, you need to execute
194 the semanage command to sepecify alternate labeling and then use
195 restorecon to put the labels on disk.
196
197 semanage fcontext -a -t mount_ecryptfs_tmpfs_t '/srv/mymount_con‐
198 tent(/.*)?'
199 restorecon -R -v /srv/mymount_content
200
201 Note: SELinux often uses regular expressions to specify labels that
202 match multiple files.
203
204 The following file types are defined for mount:
205
206
207
208 mount_ecryptfs_exec_t
209
210 - Set files with the mount_ecryptfs_exec_t type, if you want to transi‐
211 tion an executable to the mount_ecryptfs_t domain.
212
213
214 Paths:
215 /usr/sbin/mount.ecryptfs, /usr/sbin/umount.ecryptfs,
216 /usr/sbin/mount.ecryptfs_private, /usr/sbin/umount.ecryptfs_pri‐
217 vate
218
219
220 mount_ecryptfs_tmpfs_t
221
222 - Set files with the mount_ecryptfs_tmpfs_t type, if you want to store
223 mount ecryptfs files on a tmpfs file system.
224
225
226
227 mount_exec_t
228
229 - Set files with the mount_exec_t type, if you want to transition an
230 executable to the mount_t domain.
231
232
233 Paths:
234 /bin/mount.*, /bin/umount.*, /sbin/mount.*, /sbin/umount.*,
235 /usr/bin/mount.*, /usr/bin/umount.*, /usr/sbin/mount.*,
236 /usr/sbin/umount.*
237
238
239 mount_loopback_t
240
241 - Set files with the mount_loopback_t type, if you want to treat the
242 files as mount loopback data.
243
244
245
246 mount_tmp_t
247
248 - Set files with the mount_tmp_t type, if you want to store mount tem‐
249 porary files in the /tmp directories.
250
251
252
253 mount_var_run_t
254
255 - Set files with the mount_var_run_t type, if you want to store the
256 mount files under the /run or /var/run directory.
257
258
259 Paths:
260 /run/mount(/.*)?, /dev/.mount(/.*)?, /var/run/mount(/.*)?,
261 /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)?
262
263
264 Note: File context can be temporarily modified with the chcon command.
265 If you want to permanently change the file context you need to use the
266 semanage fcontext command. This will modify the SELinux labeling data‐
267 base. You will need to use restorecon to apply the labels.
268
269
271 semanage fcontext can also be used to manipulate default file context
272 mappings.
273
274 semanage permissive can also be used to manipulate whether or not a
275 process type is permissive.
276
277 semanage module can also be used to enable/disable/install/remove pol‐
278 icy modules.
279
280 semanage port can also be used to manipulate the port definitions
281
282 semanage boolean can also be used to manipulate the booleans
283
284
285 system-config-selinux is a GUI tool available to customize SELinux pol‐
286 icy settings.
287
288
290 This manual page was auto-generated using sepolicy manpage .
291
292
294 selinux(8), mount(8), semanage(8), restorecon(8), chcon(1), sepol‐
295 icy(8), setsebool(8), mount_ecryptfs_selinux(8),
296 mount_ecryptfs_selinux(8)
297
298
299
300mount 19-10-08 mount_selinux(8)