1dirsrvadmin_unconfSiEnLeidn_usxcrPioplti_csyeldiinrusxr(v8ad)dimrisnr_vuandcmoinnf_iunnecdo_nsfcirniepdt_script_selinux(8)
2
3
4
6 dirsrvadmin_unconfined_script_selinux - Security Enhanced Linux Policy
7 for the dirsrvadmin_unconfined_script processes
8
10 Security-Enhanced Linux secures the dirsrvadmin_unconfined_script pro‐
11 cesses via flexible mandatory access control.
12
13 The dirsrvadmin_unconfined_script processes execute with the dirsrvad‐
14 min_unconfined_script_t SELinux type. You can check if you have these
15 processes running by executing the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep dirsrvadmin_unconfined_script_t
20
21
22
24 The dirsrvadmin_unconfined_script_t SELinux type can be entered via the
25 dirsrvadmin_unconfined_script_exec_t, shell_exec_t file types.
26
27 The default entrypoint paths for the dirsrvadmin_unconfined_script_t
28 domain are the following:
29
30 /usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove,
31 /bin/d?ash, /bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*,
32 /usr/bin/zsh.*, /bin/esh, /bin/bash, /bin/fish, /bin/mksh, /bin/sash,
33 /bin/tcsh, /bin/yash, /bin/bash2, /usr/bin/esh, /sbin/nologin,
34 /usr/bin/bash, /usr/bin/fish, /usr/bin/mksh, /usr/bin/sash,
35 /usr/bin/tcsh, /usr/bin/yash, /usr/bin/bash2, /usr/sbin/sesh,
36 /usr/sbin/smrsh, /usr/bin/scponly, /usr/libexec/sesh, /usr/sbin/nolo‐
37 gin, /usr/bin/git-shell, /usr/sbin/scponlyc, /usr/libexec/sudo/sesh,
38 /usr/bin/cockpit-bridge, /usr/libexec/cockpit-agent, /usr/libexec/git-
39 core/git-shell
40
42 SELinux defines process types (domains) for each process running on the
43 system
44
45 You can see the context of a process using the -Z option to ps
46
47 Policy governs the access confined processes have to files. SELinux
48 dirsrvadmin_unconfined_script policy is very flexible allowing users to
49 setup their dirsrvadmin_unconfined_script processes in as secure a
50 method as possible.
51
52 The following process types are defined for dirsrvadmin_uncon‐
53 fined_script:
54
55 dirsrvadmin_unconfined_script_t
56
57 Note: semanage permissive -a dirsrvadmin_unconfined_script_t can be
58 used to make the process type dirsrvadmin_unconfined_script_t permis‐
59 sive. SELinux does not deny access to permissive process types, but the
60 AVC (SELinux denials) messages are still generated.
61
62
64 SELinux policy is customizable based on least access required. dirsr‐
65 vadmin_unconfined_script policy is extremely flexible and has several
66 booleans that allow you to manipulate the policy and run dirsrvad‐
67 min_unconfined_script with the tightest access possible.
68
69
70
71 If you want to deny user domains applications to map a memory region as
72 both executable and writable, this is dangerous and the executable
73 should be reported in bugzilla, you must turn on the deny_execmem bool‐
74 ean. Enabled by default.
75
76 setsebool -P deny_execmem 1
77
78
79
80 If you want to allow all domains to execute in fips_mode, you must turn
81 on the fips_mode boolean. Enabled by default.
82
83 setsebool -P fips_mode 1
84
85
86
87 If you want to control the ability to mmap a low area of the address
88 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
89 the mmap_low_allowed boolean. Disabled by default.
90
91 setsebool -P mmap_low_allowed 1
92
93
94
95 If you want to disable kernel module loading, you must turn on the
96 secure_mode_insmod boolean. Enabled by default.
97
98 setsebool -P secure_mode_insmod 1
99
100
101
102 If you want to allow unconfined executables to make their heap memory
103 executable. Doing this is a really bad idea. Probably indicates a
104 badly coded executable, but could indicate an attack. This executable
105 should be reported in bugzilla, you must turn on the selin‐
106 uxuser_execheap boolean. Disabled by default.
107
108 setsebool -P selinuxuser_execheap 1
109
110
111
112 If you want to allow unconfined executables to make their stack exe‐
113 cutable. This should never, ever be necessary. Probably indicates a
114 badly coded executable, but could indicate an attack. This executable
115 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
116 stack boolean. Disabled by default.
117
118 setsebool -P selinuxuser_execstack 1
119
120
121
123 The SELinux process type dirsrvadmin_unconfined_script_t can manage
124 files labeled with the following file types. The paths listed are the
125 default paths for these file types. Note the processes UID still need
126 to have DAC permissions.
127
128 file_type
129
130 all files on the system
131
132
134 SELinux requires files to have an extended attribute to define the file
135 type.
136
137 You can see the context of a file using the -Z option to ls
138
139 Policy governs the access confined processes have to these files.
140 SELinux dirsrvadmin_unconfined_script policy is very flexible allowing
141 users to setup their dirsrvadmin_unconfined_script processes in as
142 secure a method as possible.
143
144 The following file types are defined for dirsrvadmin_unconfined_script:
145
146
147
148 dirsrvadmin_unconfined_script_exec_t
149
150 - Set files with the dirsrvadmin_unconfined_script_exec_t type, if you
151 want to transition an executable to the dirsrvadmin_unconfined_script_t
152 domain.
153
154
155 Paths:
156 /usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-
157 bin/ds_remove
158
159
160 Note: File context can be temporarily modified with the chcon command.
161 If you want to permanently change the file context you need to use the
162 semanage fcontext command. This will modify the SELinux labeling data‐
163 base. You will need to use restorecon to apply the labels.
164
165
167 semanage fcontext can also be used to manipulate default file context
168 mappings.
169
170 semanage permissive can also be used to manipulate whether or not a
171 process type is permissive.
172
173 semanage module can also be used to enable/disable/install/remove pol‐
174 icy modules.
175
176 semanage boolean can also be used to manipulate the booleans
177
178
179 system-config-selinux is a GUI tool available to customize SELinux pol‐
180 icy settings.
181
182
184 This manual page was auto-generated using sepolicy manpage .
185
186
188 selinux(8), dirsrvadmin_unconfined_script(8), semanage(8), restore‐
189 con(8), chcon(1), sepolicy(8), setsebool(8)
190
191
192
193dirsrvadmin_unconfined_script 19-1d2i-r0s2rvadmin_unconfined_script_selinux(8)