1livecd_selinux(8)            SELinux Policy livecd           livecd_selinux(8)
2
3
4

NAME

6       livecd_selinux  -  Security  Enhanced  Linux Policy for the livecd pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  livecd  processes  via  flexible
11       mandatory access control.
12
13       The  livecd  processes  execute with the livecd_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep livecd_t
20
21
22

ENTRYPOINTS

24       The  livecd_t  SELinux  type  can be entered via the livecd_exec_t file
25       type.
26
27       The default entrypoint paths for the livecd_t domain are the following:
28
29       /usr/bin/livecd-creator
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       livecd policy is very flexible allowing users  to  setup  their  livecd
39       processes in as secure a method as possible.
40
41       The following process types are defined for livecd:
42
43       livecd_t
44
45       Note:  semanage  permissive -a livecd_t can be used to make the process
46       type livecd_t permissive. SELinux does not deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least access required.   livecd
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run livecd with the tightest access possible.
55
56
57
58       If you want to deny user domains applications to map a memory region as
59       both  executable  and  writable,  this  is dangerous and the executable
60       should be reported in bugzilla, you must turn on the deny_execmem bool‐
61       ean. Enabled by default.
62
63       setsebool -P deny_execmem 1
64
65
66
67       If  you  want  to deny any process from ptracing or debugging any other
68       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
69       default.
70
71       setsebool -P deny_ptrace 1
72
73
74
75       If you want to allow all domains to execute in fips_mode, you must turn
76       on the fips_mode boolean. Enabled by default.
77
78       setsebool -P fips_mode 1
79
80
81
82       If you want to control the ability to mmap a low area  of  the  address
83       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
84       the mmap_low_allowed boolean. Disabled by default.
85
86       setsebool -P mmap_low_allowed 1
87
88
89
90       If you want to disable kernel module loading,  you  must  turn  on  the
91       secure_mode_insmod boolean. Enabled by default.
92
93       setsebool -P secure_mode_insmod 1
94
95
96
97       If  you  want to allow unconfined executables to make their heap memory
98       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
99       badly  coded  executable, but could indicate an attack. This executable
100       should  be  reported  in  bugzilla,  you  must  turn  on   the   selin‐
101       uxuser_execheap boolean. Disabled by default.
102
103       setsebool -P selinuxuser_execheap 1
104
105
106
107       If  you  want  to allow unconfined executables to make their stack exe‐
108       cutable.  This should never, ever be necessary.  Probably  indicates  a
109       badly  coded  executable, but could indicate an attack. This executable
110       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
111       stack boolean. Enabled by default.
112
113       setsebool -P selinuxuser_execstack 1
114
115
116

MANAGED FILES

118       The  SELinux  process  type  livecd_t can manage files labeled with the
119       following file types.  The paths listed are the default paths for these
120       file types.  Note the processes UID still need to have DAC permissions.
121
122       file_type
123
124            all files on the system
125
126

FILE CONTEXTS

128       SELinux requires files to have an extended attribute to define the file
129       type.
130
131       You can see the context of a file using the -Z option to ls
132
133       Policy governs the access  confined  processes  have  to  these  files.
134       SELinux  livecd  policy  is very flexible allowing users to setup their
135       livecd processes in as secure a method as possible.
136
137       STANDARD FILE CONTEXT
138
139       SELinux defines the file context types for the livecd, if you wanted to
140       store  files  with  these types in a diffent paths, you need to execute
141       the semanage command  to  sepecify  alternate  labeling  and  then  use
142       restorecon to put the labels on disk.
143
144       semanage fcontext -a -t livecd_tmp_t '/srv/mylivecd_content(/.*)?'
145       restorecon -R -v /srv/mylivecd_content
146
147       Note:  SELinux  often  uses  regular expressions to specify labels that
148       match multiple files.
149
150       The following file types are defined for livecd:
151
152
153
154       livecd_exec_t
155
156       - Set files with the livecd_exec_t type, if you want to  transition  an
157       executable to the livecd_t domain.
158
159
160
161       livecd_tmp_t
162
163       -  Set  files  with  the livecd_tmp_t type, if you want to store livecd
164       temporary files in the /tmp directories.
165
166
167
168       Note: File context can be temporarily modified with the chcon  command.
169       If  you want to permanently change the file context you need to use the
170       semanage fcontext command.  This will modify the SELinux labeling data‐
171       base.  You will need to use restorecon to apply the labels.
172
173

COMMANDS

175       semanage  fcontext  can also be used to manipulate default file context
176       mappings.
177
178       semanage permissive can also be used to manipulate  whether  or  not  a
179       process type is permissive.
180
181       semanage  module can also be used to enable/disable/install/remove pol‐
182       icy modules.
183
184       semanage boolean can also be used to manipulate the booleans
185
186
187       system-config-selinux is a GUI tool available to customize SELinux pol‐
188       icy settings.
189
190

AUTHOR

192       This manual page was auto-generated using sepolicy manpage .
193
194

SEE ALSO

196       selinux(8),  livecd(8),  semanage(8),  restorecon(8),  chcon(1), sepol‐
197       icy(8), setsebool(8)
198
199
200
201livecd                             19-05-30                  livecd_selinux(8)
Impressum