update_modules_selinux(8)

1update_modules_selinux(8)SELinux Policy update_modulesupdate_modules_selinux(8)
2
3
4

NAME

6       update_modules_selinux   -  Security  Enhanced  Linux  Policy  for  the
7       update_modules processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the update_modules processes via flexi‐
11       ble mandatory access control.
12
13       The  update_modules processes execute with the update_modules_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep update_modules_t
20
21
22

ENTRYPOINTS

24       The  update_modules_t  SELinux  type can be entered via the update_mod‐
25       ules_exec_t file type.
26
27       The default entrypoint paths for the update_modules_t  domain  are  the
28       following:
29
30       /sbin/modules-update,  /sbin/update-modules,  /usr/sbin/modules-update,
31       /usr/sbin/update-modules, /sbin/generate-modprobe.conf,  /usr/sbin/gen‐
32       erate-modprobe.conf
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       update_modules  policy  is  very flexible allowing users to setup their
42       update_modules processes in as secure a method as possible.
43
44       The following process types are defined for update_modules:
45
46       update_modules_t
47
48       Note: semanage permissive -a update_modules_t can be used to  make  the
49       process  type update_modules_t permissive. SELinux does not deny access
50       to permissive process types, but the AVC (SELinux denials) messages are
51       still generated.
52
53

BOOLEANS

55       SELinux   policy  is  customizable  based  on  least  access  required.
56       update_modules policy is extremely flexible and  has  several  booleans
57       that allow you to manipulate the policy and run update_modules with the
58       tightest access possible.
59
60
61
62       If you want to allow all domains to execute in fips_mode, you must turn
63       on the fips_mode boolean. Enabled by default.
64
65       setsebool -P fips_mode 1
66
67
68

MANAGED FILES

70       The SELinux process type update_modules_t can manage files labeled with
71       the following file types.  The paths listed are the default  paths  for
72       these  file  types.  Note the processes UID still need to have DAC per‐
73       missions.
74
75       modules_conf_t
76
77            /etc/modprobe.d(/.*)?
78            /etc/modules.conf.*
79            /etc/modprobe.conf.*
80            /lib/modules/modprobe.conf
81            /usr/lib/modules/modprobe.conf
82
83       modules_dep_t
84
85
86       update_modules_tmp_t
87
88
89

FILE CONTEXTS

91       SELinux requires files to have an extended attribute to define the file
92       type.
93
94       You can see the context of a file using the -Z option to ls
95
96       Policy  governs  the  access  confined  processes  have to these files.
97       SELinux update_modules policy is very flexible allowing users to  setup
98       their update_modules processes in as secure a method as possible.
99
100       STANDARD FILE CONTEXT
101
102       SELinux  defines  the file context types for the update_modules, if you
103       wanted to store files with these types in a diffent paths, you need  to
104       execute  the  semanage  command to sepecify alternate labeling and then
105       use restorecon to put the labels on disk.
106
107       semanage  fcontext  -a  -t   update_modules_tmp_t   '/srv/myupdate_mod‐
108       ules_content(/.*)?'
109       restorecon -R -v /srv/myupdate_modules_content
110
111       Note:  SELinux  often  uses  regular expressions to specify labels that
112       match multiple files.
113
114       The following file types are defined for update_modules:
115
116
117
118       update_modules_exec_t
119
120       - Set files with the update_modules_exec_t type, if you want to transi‐
121       tion an executable to the update_modules_t domain.
122
123
124       Paths:
125            /sbin/modules-update,   /sbin/update-modules,   /usr/sbin/modules-
126            update,  /usr/sbin/update-modules,   /sbin/generate-modprobe.conf,
127            /usr/sbin/generate-modprobe.conf
128
129
130       update_modules_tmp_t
131
132       -  Set  files  with the update_modules_tmp_t type, if you want to store
133       update modules temporary files in the /tmp directories.
134
135
136
137       Note: File context can be temporarily modified with the chcon  command.
138       If  you want to permanently change the file context you need to use the
139       semanage fcontext command.  This will modify the SELinux labeling data‐
140       base.  You will need to use restorecon to apply the labels.
141
142

COMMANDS

144       semanage  fcontext  can also be used to manipulate default file context
145       mappings.
146
147       semanage permissive can also be used to manipulate  whether  or  not  a
148       process type is permissive.
149
150       semanage  module can also be used to enable/disable/install/remove pol‐
151       icy modules.
152
153       semanage boolean can also be used to manipulate the booleans
154
155
156       system-config-selinux is a GUI tool available to customize SELinux pol‐
157       icy settings.
158
159

AUTHOR

161       This manual page was auto-generated using sepolicy manpage .
162
163