unconfined_service_selinux(8)

1unconfined_service_selinSuExL(i8n)ux Policy unconfined_suenrcvoincfeined_service_selinux(8)
2
3
4

NAME

6       unconfined_service_selinux  -  Security  Enhanced  Linux Policy for the
7       unconfined_service processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the  unconfined_service  processes  via
11       flexible mandatory access control.
12
13       The  unconfined_service processes execute with the unconfined_service_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep unconfined_service_t
20
21
22

ENTRYPOINTS

24       The  unconfined_service_t  SELinux  type  can be entered via the bin_t,
25       usr_t, shell_exec_t file types.
26
27       The default entrypoint paths for the  unconfined_service_t  domain  are
28       the following:
29
30       All  executeables  with the default executable label, usually stored in
31       /usr/bin and /usr/sbin.   /opt/.*,  /usr/.*,  /emul/.*,  /export(/.*)?,
32       /ostree(/.*)?,       /usr/doc(/.*)?/lib(/.*)?,      /usr/inclu.e(/.*)?,
33       /usr/share/rpm(/.*)?,   /usr/share/doc(/.*)?/README.*,    /usr/lib/mod‐
34       ules(/.*)/vmlinuz, /usr/lib/modules(/.*)/initramfs.img, /usr/lib/sysim‐
35       age(/.*)?, /usr/lib/ostree-boot(/.*)?, /opt, /usr,  /emul,  /bin/d?ash,
36       /bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*,
37       /bin/esh,  /bin/bash,  /bin/fish,  /bin/mksh,   /bin/sash,   /bin/tcsh,
38       /bin/yash,   /bin/bash2,  /usr/bin/esh,  /sbin/nologin,  /usr/bin/bash,
39       /usr/bin/fish,     /usr/bin/mksh,     /usr/bin/sash,     /usr/bin/tcsh,
40       /usr/bin/yash,    /usr/bin/bash2,    /usr/sbin/sesh,   /usr/sbin/smrsh,
41       /usr/bin/scponly, /usr/libexec/sesh,  /usr/sbin/nologin,  /usr/bin/git-
42       shell,  /usr/sbin/scponlyc,  /usr/libexec/sudo/sesh,  /usr/bin/cockpit-
43       bridge, /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell
44

PROCESS TYPES

46       SELinux defines process types (domains) for each process running on the
47       system
48
49       You can see the context of a process using the -Z option to ps
50
51       Policy  governs  the  access confined processes have to files.  SELinux
52       unconfined_service policy is very  flexible  allowing  users  to  setup
53       their unconfined_service processes in as secure a method as possible.
54
55       The following process types are defined for unconfined_service:
56
57       unconfined_service_t
58
59       Note:  semanage  permissive -a unconfined_service_t can be used to make
60       the process type unconfined_service_t permissive. SELinux does not deny
61       access  to permissive process types, but the AVC (SELinux denials) mes‐
62       sages are still generated.
63
64

BOOLEANS

66       SELinux policy is customizable based on least access required.   uncon‐
67       fined_service  policy  is  extremely  flexible and has several booleans
68       that allow you to manipulate the policy and run unconfined_service with
69       the tightest access possible.
70
71
72
73       If you want to deny user domains applications to map a memory region as
74       both executable and writable, this  is  dangerous  and  the  executable
75       should be reported in bugzilla, you must turn on the deny_execmem bool‐
76       ean. Enabled by default.
77
78       setsebool -P deny_execmem 1
79
80
81
82       If you want to allow all domains to execute in fips_mode, you must turn
83       on the fips_mode boolean. Enabled by default.
84
85       setsebool -P fips_mode 1
86
87
88
89       If  you  want  to control the ability to mmap a low area of the address
90       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
91       the mmap_low_allowed boolean. Disabled by default.
92
93       setsebool -P mmap_low_allowed 1
94
95
96
97       If  you  want  to  disable  kernel module loading, you must turn on the
98       secure_mode_insmod boolean. Enabled by default.
99
100       setsebool -P secure_mode_insmod 1
101
102
103
104       If you want to allow unconfined executables to make their  heap  memory
105       executable.   Doing  this  is  a  really bad idea. Probably indicates a
106       badly coded executable, but could indicate an attack.  This  executable
107       should   be   reported  in  bugzilla,  you  must  turn  on  the  selin‐
108       uxuser_execheap boolean. Disabled by default.
109
110       setsebool -P selinuxuser_execheap 1
111
112
113
114       If you want to allow unconfined executables to make  their  stack  exe‐
115       cutable.   This  should  never, ever be necessary. Probably indicates a
116       badly coded executable, but could indicate an attack.  This  executable
117       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
118       stack boolean. Enabled by default.
119
120       setsebool -P selinuxuser_execstack 1
121
122
123

MANAGED FILES

125       The SELinux process type unconfined_service_t can manage files  labeled
126       with  the following file types.  The paths listed are the default paths
127       for these file types.  Note the processes UID still need  to  have  DAC
128       permissions.
129
130       file_type
131
132            all files on the system
133
134

COMMANDS

136       semanage  fcontext  can also be used to manipulate default file context
137       mappings.
138
139       semanage permissive can also be used to manipulate  whether  or  not  a
140       process type is permissive.
141
142       semanage  module can also be used to enable/disable/install/remove pol‐
143       icy modules.
144
145       semanage boolean can also be used to manipulate the booleans
146
147
148       system-config-selinux is a GUI tool available to customize SELinux pol‐
149       icy settings.
150
151

AUTHOR

153       This manual page was auto-generated using sepolicy manpage .
154
155