1system_cronjob_selinux(8)SELinux Policy system_cronjobsystem_cronjob_selinux(8)
2
3
4
6 system_cronjob_selinux - Security Enhanced Linux Policy for the sys‐
7 tem_cronjob processes
8
10 Security-Enhanced Linux secures the system_cronjob processes via flexi‐
11 ble mandatory access control.
12
13 The system_cronjob processes execute with the system_cronjob_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep system_cronjob_t
20
21
22
24 The system_cronjob_t SELinux type can be entered via the sys‐
25 tem_cron_spool_t, anacron_exec_t, usr_t, shell_exec_t, bin_t, nfs_t,
26 cifs_t, fusefs_t file types.
27
28 The default entrypoint paths for the system_cronjob_t domain are the
29 following:
30
31 All executeables with the default executable label, usually stored in
32 /usr/bin and /usr/sbin. /etc/cron.d(/.*)?, /var/spool/anacron(/.*)?,
33 /etc/crontab, /var/spool/fcron/systab, /var/spool/fcron/new.systab,
34 /var/spool/fcron/systab.orig, /usr/sbin/anacron, /opt/.*, /usr/.*,
35 /emul/.*, /export(/.*)?, /ostree(/.*)?, /usr/doc(/.*)?/lib(/.*)?,
36 /usr/inclu.e(/.*)?, /usr/share/rpm(/.*)?,
37 /usr/share/doc(/.*)?/README.*, /usr/lib/modules(/.*)/vmlinuz,
38 /usr/lib/modules(/.*)/initramfs.img, /usr/lib/sysimage(/.*)?,
39 /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul, /bin/d?ash, /bin/ksh.*,
40 /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh,
41 /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
42 /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
43 /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
44 /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
45 /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
46 /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
47 /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell,
48 /var/run/user/[^/]*/gvfs
49
51 SELinux defines process types (domains) for each process running on the
52 system
53
54 You can see the context of a process using the -Z option to ps
55
56 Policy governs the access confined processes have to files. SELinux
57 system_cronjob policy is very flexible allowing users to setup their
58 system_cronjob processes in as secure a method as possible.
59
60 The following process types are defined for system_cronjob:
61
62 system_cronjob_t
63
64 Note: semanage permissive -a system_cronjob_t can be used to make the
65 process type system_cronjob_t permissive. SELinux does not deny access
66 to permissive process types, but the AVC (SELinux denials) messages are
67 still generated.
68
69
71 SELinux policy is customizable based on least access required. sys‐
72 tem_cronjob policy is extremely flexible and has several booleans that
73 allow you to manipulate the policy and run system_cronjob with the
74 tightest access possible.
75
76
77
78 If you want to allow users to resolve user passwd entries directly from
79 ldap rather then using a sssd server, you must turn on the authlo‐
80 gin_nsswitch_use_ldap boolean. Disabled by default.
81
82 setsebool -P authlogin_nsswitch_use_ldap 1
83
84
85
86 If you want to allow system cron jobs to relabel filesystem for restor‐
87 ing file contexts, you must turn on the cron_can_relabel boolean.
88 Enabled by default.
89
90 setsebool -P cron_can_relabel 1
91
92
93
94 If you want to allow system cronjob to be executed on on NFS, CIFS or
95 FUSE filesystem, you must turn on the cron_system_cronjob_use_shares
96 boolean. Disabled by default.
97
98 setsebool -P cron_system_cronjob_use_shares 1
99
100
101
102 If you want to deny user domains applications to map a memory region as
103 both executable and writable, this is dangerous and the executable
104 should be reported in bugzilla, you must turn on the deny_execmem bool‐
105 ean. Enabled by default.
106
107 setsebool -P deny_execmem 1
108
109
110
111 If you want to allow all domains to execute in fips_mode, you must turn
112 on the fips_mode boolean. Enabled by default.
113
114 setsebool -P fips_mode 1
115
116
117
118 If you want to allow confined applications to run with kerberos, you
119 must turn on the kerberos_enabled boolean. Enabled by default.
120
121 setsebool -P kerberos_enabled 1
122
123
124
125 If you want to control the ability to mmap a low area of the address
126 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
127 the mmap_low_allowed boolean. Disabled by default.
128
129 setsebool -P mmap_low_allowed 1
130
131
132
133 If you want to allow system to run with NIS, you must turn on the
134 nis_enabled boolean. Disabled by default.
135
136 setsebool -P nis_enabled 1
137
138
139
140 If you want to allow confined applications to use nscd shared memory,
141 you must turn on the nscd_use_shm boolean. Disabled by default.
142
143 setsebool -P nscd_use_shm 1
144
145
146
147 If you want to disable kernel module loading, you must turn on the
148 secure_mode_insmod boolean. Enabled by default.
149
150 setsebool -P secure_mode_insmod 1
151
152
153
154 If you want to allow unconfined executables to make their heap memory
155 executable. Doing this is a really bad idea. Probably indicates a
156 badly coded executable, but could indicate an attack. This executable
157 should be reported in bugzilla, you must turn on the selin‐
158 uxuser_execheap boolean. Disabled by default.
159
160 setsebool -P selinuxuser_execheap 1
161
162
163
164 If you want to allow unconfined executables to make their stack exe‐
165 cutable. This should never, ever be necessary. Probably indicates a
166 badly coded executable, but could indicate an attack. This executable
167 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
168 stack boolean. Enabled by default.
169
170 setsebool -P selinuxuser_execstack 1
171
172
173
175 The SELinux process type system_cronjob_t can manage files labeled with
176 the following file types. The paths listed are the default paths for
177 these file types. Note the processes UID still need to have DAC per‐
178 missions.
179
180 file_type
181
182 all files on the system
183
184
186 semanage fcontext can also be used to manipulate default file context
187 mappings.
188
189 semanage permissive can also be used to manipulate whether or not a
190 process type is permissive.
191
192 semanage module can also be used to enable/disable/install/remove pol‐
193 icy modules.
194
195 semanage boolean can also be used to manipulate the booleans
196
197
198 system-config-selinux is a GUI tool available to customize SELinux pol‐
199 icy settings.
200
201
203 This manual page was auto-generated using sepolicy manpage .
204
205
207 selinux(8), system_cronjob(8), semanage(8), restorecon(8), chcon(1),
208 sepolicy(8), setsebool(8)
209
210
211
212system_cronjob 19-05-30 system_cronjob_selinux(8)