1xdm_selinux(8) SELinux Policy xdm xdm_selinux(8)
2
6 xdm_selinux - Security Enhanced Linux Policy for the xdm processes
7
9 Security-Enhanced Linux secures the xdm processes via flexible manda‐
10 tory access control.
11 The xdm processes execute with the xdm_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15 For example:
17 ps -eZ | grep xdm_t
19
23 The xdm_t SELinux type can be entered via the xdm_exec_t file type.
24 The default entrypoint paths for the xdm_t domain are the following:
26 /usr/s?bin/gdm(3)?, /usr/s?bin/lightdm*, /usr/s?bin/[mxgkw]dm,
28 /usr/s?bin/gdm-binary, /usr/s?bin/lxdm(-binary)?,
29 /usr/X11R6/bin/[xgkw]dm, /usr/bin/razor-lightdm-.*, /usr/bin/sddm,
30 /usr/bin/slim, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-
31 binary, /usr/bin/sddm-greeter, /etc/rc.d/init.d/x11-common,
32 /usr/libexec/gdm-disable-wayland
33
35 SELinux defines process types (domains) for each process running on the
36 system
37 You can see the context of a process using the -Z option to ps
39 Policy governs the access confined processes have to files. SELinux
41 xdm policy is very flexible allowing users to setup their xdm processes
42 in as secure a method as possible.
43 The following process types are defined for xdm:
45 xdm_t, xdm_unconfined_t
47 Note: semanage permissive -a xdm_t can be used to make the process type
49 xdm_t permissive. SELinux does not deny access to permissive process
50 types, but the AVC (SELinux denials) messages are still generated.
51
54 SELinux policy is customizable based on least access required. xdm
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run xdm with the tightest access possible.
57 If you want to allows xdm_t to bind on vnc_port_t(5910), you must turn
61 on the xdm_bind_vnc_tcp_port boolean. Disabled by default.
62 setsebool -P xdm_bind_vnc_tcp_port 1
64 If you want to allow the graphical login program to execute bootloader,
68 you must turn on the xdm_exec_bootloader boolean. Disabled by default.
69 setsebool -P xdm_exec_bootloader 1
71 If you want to allow the graphical login program to login directly as
75 sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Dis‐
76 abled by default.
77 setsebool -P xdm_sysadm_login 1
79 If you want to allow the graphical login program to create files in
83 HOME dirs as xdm_home_t, you must turn on the xdm_write_home boolean.
84 Disabled by default.
85 setsebool -P xdm_write_home 1
87 If you want to allow users to resolve user passwd entries directly from
91 ldap rather then using a sssd server, you must turn on the authlo‐
92 gin_nsswitch_use_ldap boolean. Disabled by default.
93 setsebool -P authlogin_nsswitch_use_ldap 1
95 If you want to deny user domains applications to map a memory region as
99 both executable and writable, this is dangerous and the executable
100 should be reported in bugzilla, you must turn on the deny_execmem bool‐
101 ean. Enabled by default.
102 setsebool -P deny_execmem 1
104 If you want to deny any process from ptracing or debugging any other
108 processes, you must turn on the deny_ptrace boolean. Enabled by
109 default.
110 setsebool -P deny_ptrace 1
112 If you want to allow all domains to execute in fips_mode, you must turn
116 on the fips_mode boolean. Enabled by default.
117 setsebool -P fips_mode 1
119 If you want to allow confined applications to run with kerberos, you
123 must turn on the kerberos_enabled boolean. Enabled by default.
124 setsebool -P kerberos_enabled 1
126 If you want to allow system to run with NIS, you must turn on the
130 nis_enabled boolean. Disabled by default.
131 setsebool -P nis_enabled 1
133 If you want to allow confined applications to use nscd shared memory,
137 you must turn on the nscd_use_shm boolean. Enabled by default.
138 setsebool -P nscd_use_shm 1
140 If you want to enable polyinstantiated directory support, you must turn
144 on the polyinstantiation_enabled boolean. Disabled by default.
145 setsebool -P polyinstantiation_enabled 1
147 If you want to allow unconfined executables to make their stack exe‐
151 cutable. This should never, ever be necessary. Probably indicates a
152 badly coded executable, but could indicate an attack. This executable
153 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
154 stack boolean. Enabled by default.
155 setsebool -P selinuxuser_execstack 1
157 If you want to support ecryptfs home directories, you must turn on the
161 use_ecryptfs_home_dirs boolean. Disabled by default.
162 setsebool -P use_ecryptfs_home_dirs 1
164 If you want to support fusefs home directories, you must turn on the
168 use_fusefs_home_dirs boolean. Disabled by default.
169 setsebool -P use_fusefs_home_dirs 1
171 If you want to support NFS home directories, you must turn on the
175 use_nfs_home_dirs boolean. Disabled by default.
176 setsebool -P use_nfs_home_dirs 1
178 If you want to support SAMBA home directories, you must turn on the
182 use_samba_home_dirs boolean. Disabled by default.
183 setsebool -P use_samba_home_dirs 1
185
189 SELinux defines port types to represent TCP and UDP ports.
190 You can see the types associated with a port by using the following
192 command:
193 semanage port -l
195 Policy governs the access confined processes have to these ports.
198 SELinux xdm policy is very flexible allowing users to setup their xdm
199 processes in as secure a method as possible.
200 The following port types are defined for xdm:
202 xdmcp_port_t
205 Default Defined Ports:
209 tcp 177
210 udp 177
211
213 The SELinux process type xdm_t can manage files labeled with the fol‐
214 lowing file types. The paths listed are the default paths for these
215 file types. Note the processes UID still need to have DAC permissions.
216 anon_inodefs_t
218 auth_cache_t
221 /var/cache/coolkey(/.*)?
223 auth_home_t
225 /root/.yubico(/.*)?
227 /root/.google_authenticator
228 /root/.google_authenticator~
229 /home/[^/]+/.yubico(/.*)?
230 /home/[^/]+/.google_authenticator
231 /home/[^/]+/.google_authenticator~
232 cgroup_t
234 /sys/fs/cgroup
236 cifs_t
238 ecryptfs_t
241 /home/[^/]+/.Private(/.*)?
243 /home/[^/]+/.ecryptfs(/.*)?
244 etc_runtime_t
246 /[^/]+
248 /etc/mtab.*
249 /etc/blkid(/.*)?
250 /etc/nologin.*
251 /etc/.fstab.hal..+
252 /halt
253 /fastboot
254 /poweroff
255 /.autofsck
256 /etc/cmtab
257 /forcefsck
258 /.suspended
259 /fsckoptions
260 /.autorelabel
261 /etc/.updated
262 /var/.updated
263 /etc/killpower
264 /etc/nohotplug
265 /etc/securetty
266 /etc/ioctl.save
267 /etc/fstab.REVOKE
268 /etc/network/ifstate
269 /etc/sysconfig/hwconf
270 /etc/ptal/ptal-printd-like
271 /etc/sysconfig/iptables.save
272 /etc/xorg.conf.d/00-system-setup-keyboard.conf
273 /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
274 faillog_t
276 /var/log/btmp.*
278 /var/log/faillog.*
279 /var/log/tallylog.*
280 /var/run/faillock(/.*)?
281 fonts_cache_t
283 /var/cache/fontconfig(/.*)?
285 fusefs_t
287 /var/run/user/[^/]*/gvfs
289 gconf_home_t
291 /root/.local.*
293 /root/.gconf(d)?(/.*)?
294 /home/[^/]+/.local.*
295 /home/[^/]+/.gconf(d)?(/.*)?
296 gnome_home_type
298 initrc_var_run_t
301 /var/run/utmp
303 /var/run/random-seed
304 /var/run/runlevel.dir
305 /var/run/setmixer_flag
306 kdbusfs_t
308 krb5_host_rcache_t
311 /var/cache/krb5rcache(/.*)?
313 /var/tmp/nfs_0
314 /var/tmp/DNS_25
315 /var/tmp/host_0
316 /var/tmp/imap_0
317 /var/tmp/HTTP_23
318 /var/tmp/HTTP_48
319 /var/tmp/ldap_55
320 /var/tmp/ldap_487
321 /var/tmp/ldapmap1_0
322 lastlog_t
324 /var/log/lastlog.*
326 locale_t
328 /etc/locale.conf
330 /etc/vconsole.conf
331 /usr/lib/locale(/.*)?
332 /usr/share/locale(/.*)?
333 /usr/share/zoneinfo(/.*)?
334 /usr/share/X11/locale(/.*)?
335 /etc/timezone
336 /etc/localtime
337 /etc/sysconfig/clock
338 /etc/avahi/etc/localtime
339 /var/empty/sshd/etc/localtime
340 /var/named/chroot/etc/localtime
341 /var/spool/postfix/etc/localtime
342 nfs_t
344 pam_var_console_t
347 /var/run/console(/.*)?
349 pam_var_run_t
351 /var/(db|adm)/sudo(/.*)?
353 /var/lib/sudo(/.*)?
354 /var/run/sudo(/.*)?
355 /var/run/sepermit(/.*)?
356 /var/run/pam_mount(/.*)?
357 security_t
359 /selinux
361 sysfs_t
363 /sys(/.*)?
365 systemd_passwd_var_run_t
367 /var/run/systemd/ask-password(/.*)?
369 /var/run/systemd/ask-password-block(/.*)?
370 user_fonts_t
372 /root/.fonts(/.*)?
374 /tmp/.font-unix(/.*)?
375 /home/[^/]+/.fonts(/.*)?
376 /home/[^/]+/.local/share/fonts(/.*)?
377 user_tmp_t
379 /dev/shm/mono.*
381 /var/run/user(/.*)?
382 /tmp/.ICE-unix(/.*)?
383 /tmp/.X11-unix(/.*)?
384 /dev/shm/pulse-shm.*
385 /tmp/.X0-lock
386 /tmp/hsperfdata_root
387 /var/tmp/hsperfdata_root
388 /home/[^/]+/tmp
389 /home/[^/]+/.tmp
390 /tmp/gconfd-[^/]+
391 user_tmp_type
393 all user tmp files
395 var_auth_t
397 /var/ace(/.*)?
399 /var/rsa(/.*)?
400 /var/lib/abl(/.*)?
401 /var/lib/rsa(/.*)?
402 /var/lib/pam_ssh(/.*)?
403 /var/run/pam_ssh(/.*)?
404 /var/lib/pam_shield(/.*)?
405 /var/opt/quest/vas/vasd(/.*)?
406 /var/lib/google-authenticator(/.*)?
407 wtmp_t
409 /var/log/wtmp.*
411 xauth_home_t
413 /root/.Xauth.*
415 /root/.xauth.*
416 /root/.Xauthority.*
417 /root/.serverauth.*
418 /var/lib/pqsql/.xauth.*
419 /var/lib/pqsql/.Xauthority.*
420 /var/lib/nxserver/home/.xauth.*
421 /var/lib/nxserver/home/.Xauthority.*
422 /home/[^/]+/.Xauth.*
423 /home/[^/]+/.xauth.*
424 /home/[^/]+/.Xauthority.*
425 /home/[^/]+/.serverauth.*
426 xdm_home_t
428 /root/.dmrc.*
430 /root/.wayland-errors.*
431 /root/.xsession-errors.*
432 /home/[^/]+/.dmrc.*
433 /home/[^/]+/.cache/gdm(/.*)?
434 /home/[^/]+/.wayland-errors.*
435 /home/[^/]+/.xsession-errors.*
436 /home/[^/]+/.local/share/xorg(/.*)?
437 xdm_lock_t
439 xdm_log_t
442 /var/log/[mkwx]dm.log.*
444 /var/log/mdm(/.*)?
445 /var/log/lxdm.log.*
446 /var/log/slim.log.*
447 xdm_rw_etc_t
449 /etc/X11/wdm(/.*)?
451 /etc/opt/VirtualGL(/.*)?
452 xdm_spool_t
454 /var/spool/[mg]dm(/.*)?
456 xdm_tmpfs_t
458 xdm_var_lib_t
461 /var/lib/[mxkwg]dm(/.*)?
463 /var/cache/[mg]dm(/.*)?
464 /var/lib/gdm(3)?(/.*)?
465 /var/lib/lxdm(/.*)?
466 /var/lib/sddm(/.*)?
467 /var/lib/lightdm(/.*)?
468 /var/cache/lightdm(/.*)?
469 /var/lib/lightdm-data(/.*)?
470 xdm_var_run_t
472 /etc/kde[34]?/kdm/backgroundrc
474 /var/run/[kgm]dm(/.*)?
475 /var/run/gdm(3)?.pid
476 /var/run/gdm(3)?(/.*)?
477 /usr/lib/qt-.*/etc/settings(/.*)?
478 /var/run/slim.*
479 /var/run/lxdm(/.*)?
480 /var/run/sddm(/.*)?
481 /var/run/xauth(/.*)?
482 /var/run/xdmctl(/.*)?
483 /var/run/lightdm(/.*)?
484 /var/run/systemd/multi-session-x(/.*)?
485 /var/run/xdm.pid
486 /var/run/lxdm.pid
487 /var/run/lxdm.auth
488 /var/run/gdm_socket
489 xkb_var_lib_t
491 /var/lib/xkb(/.*)?
493 /usr/X11R6/lib/X11/xkb/.*
494 /usr/X11R6/lib/X11/xkb
495 xserver_log_t
497 /var/[xgkw]dm(/.*)?
499 /usr/var/[xgkw]dm(/.*)?
500 /var/log/gdm(3)?(/.*)?
501 /var/log/Xorg.*
502 /var/log/XFree86.*
503 /var/log/lightdm(/.*)?
504 /var/log/nvidia-installer.log.*
505 xserver_tmpfs_t
507
511 SELinux requires files to have an extended attribute to define the file
512 type.
513 You can see the context of a file using the -Z option to ls
515 Policy governs the access confined processes have to these files.
517 SELinux xdm policy is very flexible allowing users to setup their xdm
518 processes in as secure a method as possible.
519 EQUIVALENCE DIRECTORIES
521 xdm policy stores data with multiple different file context types under
524 the /var/lib/lightdm directory. If you would like to store the data in
525 a different directory you can use the semanage command to create an
526 equivalence mapping. If you wanted to store this data under the /srv
527 dirctory you would execute the following command:
528 semanage fcontext -a -e /var/lib/lightdm /srv/lightdm
530 restorecon -R -v /srv/lightdm
531 xdm policy stores data with multiple different file context types under
533 the /var/run/gdm(3)? directory. If you would like to store the data in
534 a different directory you can use the semanage command to create an
535 equivalence mapping. If you wanted to store this data under the /srv
536 dirctory you would execute the following command:
537 semanage fcontext -a -e /var/run/gdm(3)? /srv/gdm(3)?
539 restorecon -R -v /srv/gdm(3)?
540 xdm policy stores data with multiple different file context types under
542 the /var/run/lxdm directory. If you would like to store the data in a
543 different directory you can use the semanage command to create an
544 equivalence mapping. If you wanted to store this data under the /srv
545 dirctory you would execute the following command:
546 semanage fcontext -a -e /var/run/lxdm /srv/lxdm
548 restorecon -R -v /srv/lxdm
549 STANDARD FILE CONTEXT
551 SELinux defines the file context types for the xdm, if you wanted to
553 store files with these types in a diffent paths, you need to execute
554 the semanage command to sepecify alternate labeling and then use
555 restorecon to put the labels on disk.
556 semanage fcontext -a -t xdm_log_t '/srv/myxdm_content(/.*)?'
558 restorecon -R -v /srv/myxdm_content
559 Note: SELinux often uses regular expressions to specify labels that
561 match multiple files.
562 The following file types are defined for xdm:
564 xdm_etc_t
568 - Set files with the xdm_etc_t type, if you want to store xdm files in
570 the /etc directories.
571 xdm_exec_t
575 - Set files with the xdm_exec_t type, if you want to transition an exe‐
577 cutable to the xdm_t domain.
578 Paths:
581 /usr/s?bin/gdm(3)?, /usr/s?bin/lightdm*, /usr/s?bin/[mxgkw]dm,
582 /usr/s?bin/gdm-binary, /usr/s?bin/lxdm(-binary)?,
583 /usr/X11R6/bin/[xgkw]dm, /usr/bin/razor-lightdm-.*, /usr/bin/sddm,
584 /usr/bin/slim, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-
585 binary, /usr/bin/sddm-greeter, /etc/rc.d/init.d/x11-common,
586 /usr/libexec/gdm-disable-wayland
587 xdm_home_t
590 - Set files with the xdm_home_t type, if you want to store xdm files in
592 the users home directory.
593 Paths:
596 /root/.dmrc.*, /root/.wayland-errors.*, /root/.xsession-errors.*,
597 /home/[^/]+/.dmrc.*, /home/[^/]+/.cache/gdm(/.*)?,
598 /home/[^/]+/.wayland-errors.*, /home/[^/]+/.xsession-errors.*,
599 /home/[^/]+/.local/share/xorg(/.*)?
600 xdm_lock_t
603 - Set files with the xdm_lock_t type, if you want to treat the files as
605 xdm lock data, stored under the /var/lock directory
606 xdm_log_t
610 - Set files with the xdm_log_t type, if you want to treat the data as
612 xdm log data, usually stored under the /var/log directory.
613 Paths:
616 /var/log/[mkwx]dm.log.*, /var/log/mdm(/.*)?, /var/log/lxdm.log.*,
617 /var/log/slim.log.*
618 xdm_rw_etc_t
621 - Set files with the xdm_rw_etc_t type, if you want to store xdm rw
623 files in the /etc directories.
624 Paths:
627 /etc/X11/wdm(/.*)?, /etc/opt/VirtualGL(/.*)?
628 xdm_spool_t
631 - Set files with the xdm_spool_t type, if you want to store the xdm
633 files under the /var/spool directory.
634 xdm_tmpfs_t
638 - Set files with the xdm_tmpfs_t type, if you want to store xdm files
640 on a tmpfs file system.
641 xdm_unconfined_exec_t
645 - Set files with the xdm_unconfined_exec_t type, if you want to transi‐
647 tion an executable to the xdm_unconfined_t domain.
648 Paths:
651 /etc/[mg]dm/Init(/.*)?, /etc/[mg]dm/PostLogin(/.*)?,
652 /etc/[mg]dm/PreSession(/.*)?, /etc/[mg]dm/PostSession(/.*)?
653 xdm_var_lib_t
656 - Set files with the xdm_var_lib_t type, if you want to store the xdm
658 files under the /var/lib directory.
659 Paths:
662 /var/lib/[mxkwg]dm(/.*)?, /var/cache/[mg]dm(/.*)?,
663 /var/lib/gdm(3)?(/.*)?, /var/lib/lxdm(/.*)?, /var/lib/sddm(/.*)?,
664 /var/lib/lightdm(/.*)?, /var/cache/lightdm(/.*)?,
665 /var/lib/lightdm-data(/.*)?
666 xdm_var_run_t
669 - Set files with the xdm_var_run_t type, if you want to store the xdm
671 files under the /run or /var/run directory.
672 Paths:
675 /etc/kde[34]?/kdm/backgroundrc, /var/run/[kgm]dm(/.*)?,
676 /var/run/gdm(3)?.pid, /var/run/gdm(3)?(/.*)?,
677 /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/slim.*,
678 /var/run/lxdm(/.*)?, /var/run/sddm(/.*)?, /var/run/xauth(/.*)?,
679 /var/run/xdmctl(/.*)?, /var/run/lightdm(/.*)?, /var/run/sys‐
680 temd/multi-session-x(/.*)?, /var/run/xdm.pid, /var/run/lxdm.pid,
681 /var/run/lxdm.auth, /var/run/gdm_socket
682 Note: File context can be temporarily modified with the chcon command.
685 If you want to permanently change the file context you need to use the
686 semanage fcontext command. This will modify the SELinux labeling data‐
687 base. You will need to use restorecon to apply the labels.
688
691 semanage fcontext can also be used to manipulate default file context
692 mappings.
693 semanage permissive can also be used to manipulate whether or not a
695 process type is permissive.
696 semanage module can also be used to enable/disable/install/remove pol‐
698 icy modules.
699 semanage port can also be used to manipulate the port definitions
701 semanage boolean can also be used to manipulate the booleans
703 system-config-selinux is a GUI tool available to customize SELinux pol‐
706 icy settings.
707
710 This manual page was auto-generated using sepolicy manpage .
711
714 selinux(8), xdm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
715 setsebool(8), xdm_unconfined_selinux(8), xdm_unconfined_selinux(8)
716xdm 19-10-08 xdm_selinux(8)