sysadm_selinux(8)     sysadm SELinux Policy documentation    sysadm_selinux(8)

NAME

       sysadm_u - General system administration role - Security Enhanced Linux
       Policy

DESCRIPTION

       sysadm_u is an SELinux user defined in the SELinux policy. SELinux
       users have default roles; here the default role is sysadm_r. The
       default role has a default type, sysadm_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       sysadm_u:sysadm_r:sysadm_t:s0 - s0:c0.c1023

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux user to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default, all users are assigned to an SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the sysadm_u
       user, you would execute:

       semanage login -m -s sysadm_u __default__

       If you want to map one Linux user (joe) to the SELinux user sysadm,
       you would execute:

       $ semanage login -a -s sysadm_u joe
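
       An added example (not part of the generated man page): a shell check
       that reads semanage login -l output and reports every login that
       receives sysadm_u outside an expected list. The sample table and the
       function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag Linux logins that semanage maps to sysadm_u.
# On a live system: semanage login -l | audit_sysadm_logins root

# Constructed sample of `semanage login -l` output (not from a real host).
sample_login_map() {
    cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  sysadm_u             s0-s0:c0.c1023       *
root                 sysadm_u             s0-s0:c0.c1023       *
%wheel               sysadm_u             s0-s0:c0.c1023       *
EOF
}

# Reads the mapping table on stdin. Arguments are the logins that are
# expected to hold sysadm_u. Prints one finding per unexpected mapping and
# returns 1 if there is at least one finding, 0 otherwise.
audit_sysadm_logins() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Skip the header and blank lines; data rows carry at least three columns.
        NF < 3 || $1 == "Login" { next }
        $2 != "sysadm_u" { next }
        ($1 in ok) { next }
        $1 == "__default__" {
            print "CRITICAL " $1 ": every unlisted Linux user logs in as sysadm_u"
            bad = 1; next
        }
        # A leading % marks a group mapping, which covers all members.
        $1 ~ /^%/ { print "WARN " $1 ": whole group mapped to sysadm_u"; bad = 1; next }
        { print "WARN " $1 ": unexpected sysadm_u mapping"; bad = 1 }
        END { exit bad + 0 }
    '
}

# Demo on the constructed sample: only root is expected to be an admin login.
sample_login_map | audit_sysadm_logins root || true
```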

USER DESCRIPTION

       The SELinux user sysadm_u is an admin user. A Linux user mapped to
       this SELinux user is intended for administrative actions. Usually this
       is assigned to the root Linux user.

SUDO

       The SELinux user sysadm can execute sudo.

       You can set up sudo to allow sysadm to transition to an administrative
       domain:

       Add one or more of the following records to sudoers using visudo.

       USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
       sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL

       USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
       sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL

       USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
       sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL

       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
       sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL

       For each record, you might also need to add one or more of these new
       roles to your SELinux user record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep selinux_name

       Modify the roles list and add sysadm_r to this list.

       $ semanage user -m -R 'sysadm_r user_r staff_r secadm_r auditadm_r' sysadm_u

       For more details, see the semanage man page.

       The SELinux type sysadm_t is not allowed to execute sudo.
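
       An added example (not part of the generated man page): a shell check
       that every ROLE= value used in sudoers records is in the role list
       that semanage user -l reports for the SELinux user. The sample
       inputs, user names, commands and function names are constructed; the
       parser assumes the MLS-enabled column layout, where roles start at
       the fifth column.

```sh
#!/bin/sh
# Added example: cross-check sudoers ROLE= values against an SELinux user's roles.
# On a live system:
#   check_sudo_roles "$(semanage user -l | roles_of sysadm_u)" < /etc/sudoers

# Constructed sample of `semanage user -l` output (MLS-enabled layout assumed).
sample_user_table() {
    cat <<'EOF'
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023        staff_r sysadm_r
sysadm_u        user       s0         s0-s0:c0.c1023        sysadm_r staff_r
EOF
}

# Constructed sudoers records in the form the SUDO section shows.
sample_sudoers() {
    cat <<'EOF'
# comment lines are ignored
joe ALL=(ALL) ROLE=staff_r TYPE=staff_t /usr/bin/systemctl
joe ALL=(ALL) ROLE=secadm_r TYPE=secadm_t /usr/sbin/semanage
amy ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t /usr/sbin/aureport
EOF
}

# roles_of SEUSER: read `semanage user -l` on stdin and print that user's
# roles on one line, separated by spaces.
roles_of() {
    awk -v u="$1" '
        $1 == u && NF >= 5 {
            out = $5
            for (i = 6; i <= NF; i++) out = out " " $i
            print out
        }
    '
}

# check_sudo_roles "ROLE LIST": read sudoers records on stdin and print each
# ROLE= value that is absent from the list, once. Returns 1 if any is missing.
check_sudo_roles() {
    awk -v roles="$1" '
        BEGIN { n = split(roles, r, " "); for (i = 1; i <= n; i++) have[r[i]] = 1 }
        /^[ \t]*#/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ROLE=/) {
                    role = substr($i, 6)
                    if (!(role in have) && !(role in seen)) {
                        seen[role] = 1; print role; bad = 1
                    }
                }
        }
        END { exit bad + 0 }
    '
}

# Demo on the constructed samples: prints the roles sudo would fail to reach.
sample_sudoers | check_sudo_roles "$(sample_user_table | roles_of sysadm_u)" || true
```

       Any role it prints has to be added with semanage user -m -R before
       the matching sudoers record can work.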

X WINDOWS LOGIN

       The SELinux user sysadm_u is able to log in through X Windows.

NETWORK

       The SELinux user sysadm_u is able to listen on the following tcp ports.

              389,636,3268,3269,7389

              all ports without defined types

              32768-60999

              all ports > 1024

       The SELinux user sysadm_u is able to connect to the following tcp
       ports.

              8955

              53,853

              all ports

              5432,9898

              389,636,3268,3269,7389

              111

              all ports < 1024

              32768-60999

              all ports without defined types

              88,750,4444

              9080

       The SELinux user sysadm_u is able to listen on the following udp ports.

              all ports without defined types

              123

              32768-60999

              all ports > 1024

BOOLEANS

       SELinux policy is customizable based on least access required. sysadm
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sysadm with the tightest access possible.


       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using an sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1


       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1


       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1


       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1


       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to determine whether calling user domains can execute the
       Git daemon in the git_session_t domain, you must turn on the
       git_session_users boolean. Disabled by default.

       setsebool -P git_session_users 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1


       If you want to determine whether calling user domains can execute the
       Polipo daemon in the polipo_session_t domain, you must turn on the
       polipo_session_users boolean. Disabled by default.

       setsebool -P polipo_session_users 1


       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary. It probably indicates a badly coded
       executable, but could indicate an attack. This executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execstack 1


       If you want to allow users to connect to the local mysql server, you
       must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_mysql_connect_enabled 1


       If you want to allow users to connect to PostgreSQL, you must turn on
       the selinuxuser_postgresql_connect_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_postgresql_connect_enabled 1


       If you want to allow users to r/w files on filesystems that do not have
       extended attributes (FAT, CDROM, FLOPPY), you must turn on the
       selinuxuser_rw_noexattrfile boolean. Disabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1


       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_tcp_server boolean. Disabling this forces FTP passive
       mode and may change other protocols. Disabled by default.

       setsebool -P selinuxuser_tcp_server 1


       If you want to allow users to run UDP servers (bind to ports and accept
       connections from the same domain and outside users), you must turn on
       the selinuxuser_udp_server boolean. Disabling this may break avahi
       discovering services on the network and other udp related services.
       Disabled by default.

       setsebool -P selinuxuser_udp_server 1


       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
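
       An added example (not part of the generated man page): a drift check
       that compares getsebool -a output against a baseline. The baseline
       below uses the defaults this page states for five of the booleans;
       the sample output, the variable and the function name are
       constructed.

```sh
#!/bin/sh
# Added example: report booleans whose live value differs from a baseline.
# On a live system: getsebool -a | boolean_drift "$PAGE_BASELINE"

# Baseline built from the defaults stated in the BOOLEANS section of this
# page (name=on|off). Adjust it to the site policy before relying on it.
PAGE_BASELINE="deny_execmem=on deny_ptrace=on selinuxuser_execstack=off selinuxuser_tcp_server=off selinuxuser_udp_server=off"

# Constructed excerpt of `getsebool -a` output (not from a real host).
sample_getsebool() {
    cat <<'EOF'
deny_execmem --> off
deny_ptrace --> on
nis_enabled --> off
selinuxuser_execstack --> on
selinuxuser_tcp_server --> off
EOF
}

# boolean_drift "name=state ...": read `getsebool -a` output on stdin.
# Prints one line per boolean that differs from the baseline, then one line
# per baseline boolean that the input never mentioned. Returns 1 on any
# finding, 0 when the input matches the baseline.
boolean_drift() {
    awk -v spec="$*" '
        BEGIN {
            n = split(spec, s, " ")
            for (i = 1; i <= n; i++) { split(s[i], kv, "="); want[kv[1]] = kv[2] }
        }
        # getsebool prints "name --> on|off"; booleans outside the baseline are ignored.
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            if ($3 != want[$1]) {
                print $1 " expected=" want[$1] " actual=" $3
                bad = 1
            }
        }
        END {
            # A boolean missing from the output cannot be assumed compliant.
            for (i = 1; i <= n; i++) {
                split(s[i], kv, "=")
                if (!(kv[1] in seen)) {
                    print kv[1] " expected=" kv[2] " actual=missing"
                    bad = 1
                }
            }
            exit bad + 0
        }
    '
}

# Demo on the constructed sample.
sample_getsebool | boolean_drift "$PAGE_BASELINE" || true
```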

HOME_EXEC

       The SELinux user sysadm_u is able to execute home content files.

TRANSITIONS

       Three things can happen when sysadm_t attempts to execute a program.

       1. SELinux Policy can deny sysadm_t from executing the program.

       2. SELinux Policy can allow sysadm_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              sysadm_t can execute without transitioning:

              sesearch -A -s sysadm_t -c file -p execute_no_trans

       3. SELinux can allow sysadm_t to execute the program and transition to
       a new type.

              Execute the following to see the types that the SELinux user
              sysadm_t can execute and transition:

              $ sesearch -A -s sysadm_t -c process -p transition

MANAGED FILES

       The SELinux process type sysadm_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       adjtime_t

            /etc/adjtime

       admin_home_t

            /root(/.*)?

       anon_inodefs_t

       auditd_etc_t

            /etc/audit(/.*)?

       auditd_log_t

            /var/log/audit(/.*)?
            /var/log/audit.log.*

       auth_cache_t

            /var/cache/coolkey(/.*)?

       boolean_type

       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t

       cifs_t

       default_context_t

            /etc/selinux/([^/]*/)?contexts(/.*)?
            /root/.default_contexts

       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       dosfs_t

       etc_aliases_t

            /etc/mail/.*.db
            /etc/mail/aliases.*
            /etc/postfix/aliases.*
            /etc/aliases
            /etc/aliases.db

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/.fstab.hal..+
            /halt
            /fastboot
            /poweroff
            /.autofsck
            /etc/cmtab
            /forcefsck
            /.suspended
            /fsckoptions
            /.autorelabel
            /etc/.updated
            /var/.updated
            /etc/killpower
            /etc/nohotplug
            /etc/securetty
            /etc/ioctl.save
            /etc/fstab.REVOKE
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/xorg.conf.d/00-system-setup-keyboard.conf
            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       file_context_t

            /etc/selinux/([^/]*/)?contexts/files(/.*)?

       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       git_user_content_t

            /home/[^/]+/public_git(/.*)?

       gkeyringd_tmp_t

            /var/run/user/[^/]*/keyring.*

       gnome_home_type

       hwloc_var_run_t

            /var/run/hwloc(/.*)?

       iceauth_home_t

            /root/.DCOP.*
            /root/.ICEauthority.*
            /home/[^/]+/.DCOP.*
            /home/[^/]+/.ICEauthority.*

       irc_home_t

            /home/[^/]+/.irssi(/.*)?
            /home/[^/]+/irclog(/.*)?
            /home/[^/]+/.ircmotd

       irc_tmp_t

       irssi_home_t

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       krb5_keytab_t

            /var/kerberos/krb5(/.*)?
            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mpd_user_data_t

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       nfs_t

       non_security_file_type

       noxattrfs

            all files on file systems which do not support extended attributes

       ntp_drift_t

            /var/lib/ntp(/.*)?
            /etc/ntp/data(/.*)?
            /var/lib/sntp(/.*)?
            /var/lib/sntp-kod(/.*)?

       ntpd_key_t

            /etc/ntp/crypto(/.*)?
            /etc/ntp/keys

       ntpd_log_t

            /var/log/ntp.*
            /var/log/xntpd.*
            /var/log/ntpstats(/.*)?

       ntpd_tmp_t

       ntpd_unit_file_t

            /usr/lib/systemd/system/ntpd.*

       ntpd_var_run_t

            /var/run/ntpd.pid

       policy_src_t

            /usr/lib/selinux(/.*)?

       postfix_data_t

            /var/lib/postfix.*

       postfix_etc_t

            /etc/postfix.*

       postfix_map_tmp_t

       postfix_prng_t

            /etc/postfix/prng_exch

       postfix_public_t

            /var/spool/postfix/public(/.*)?

       postfix_spool_type

       postfix_var_run_t

            /var/spool/postfix/pid/.*

       postgresql_db_t

            /var/lib/pgsql(/.*)?
            /var/lib/sepgsql(/.*)?
            /var/lib/postgres(ql)?(/.*)?
            /usr/share/jonas/pgsql(/.*)?
            /usr/lib/pgsql/test/regress(/.*)?

       postgresql_etc_t

            /etc/postgresql(/.*)?
            /etc/sysconfig/pgsql(/.*)?

       postgresql_log_t

            /var/lib/pgsql/.*.log
            /var/log/rhdb/rhdb(/.*)?
            /var/log/postgresql(/.*)?
            /var/log/postgres.log.*
            /var/lib/pgsql/logfile(/.*)?
            /var/lib/pgsql/data/log(/.*)?
            /var/log/sepostgresql.log.*
            /var/lib/pgsql/data/pg_log(/.*)?
            /var/lib/sepgsql/pgstartup.log

       postgresql_tmp_t

       postgresql_var_run_t

            /var/run/postgresql(/.*)?

       rpm_log_t

            /var/log/hawkey.*
            /var/log/up2date.*
            /var/log/yum.log.*

       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]+/.screen(/.*)?
            /home/[^/]+/.screenrc
            /home/[^/]+/.tmux.conf

       security_t

            /selinux

       selinux_config_t

            /etc/selinux(/.*)?
            /etc/selinux/([^/]*/)?seusers
            /etc/selinux/([^/]*/)?users(/.*)?
            /etc/selinux/([^/]*/)?setrans.conf
            /var/lib/sepolgen(/.*)?

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       semanage_store_t

            /etc/selinux/([^/]*/)?policy(/.*)?
            /etc/selinux/(minimum|mls|targeted)/active(/.*)?
            /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
            /var/lib/selinux(/.*)?
            /etc/share/selinux/mls(/.*)?
            /etc/share/selinux/targeted(/.*)?

       session_dbusd_tmp_t

            /var/run/user(/.*)?/dbus-[0-9]*(/.*)?
            /var/run/user/[^/]*/systemd(/.*)?

       slapd_cert_t

            /etc/openldap/certs(/.*)?

       slapd_db_t

            /var/lib/ldap(/.*)?
            /etc/openldap/slapd.d(/.*)?
            /var/lib/openldap-data(/.*)?
            /var/lib/openldap-ldbm(/.*)?
            /var/lib/openldap-slurpd(/.*)?

       slapd_etc_t

            /etc/ldap/slapd.conf

       slapd_keytab_t

       slapd_lock_t

            /var/lock/subsys/ldap
            /var/lock/subsys/slapd

       slapd_replog_t

            /var/lib/ldap/replog(/.*)?

       slapd_tmp_t

       slapd_unit_file_t

            /usr/lib/systemd/system/slapd.*

       slapd_var_run_t

            /var/run/openldap(/.*)?
            /var/run/ldapi
            /var/run/slapd.pid
            /var/run/slapd.args

       ssh_home_t

            /var/lib/[^/]+/.ssh(/.*)?
            /root/.ssh(/.*)?
            /var/lib/one/.ssh(/.*)?
            /var/lib/pgsql/.ssh(/.*)?
            /var/lib/openshift/[^/]+/.ssh(/.*)?
            /var/lib/amanda/.ssh(/.*)?
            /var/lib/stickshift/[^/]+/.ssh(/.*)?
            /var/lib/gitolite/.ssh(/.*)?
            /var/lib/nocpulse/.ssh(/.*)?
            /var/lib/gitolite3/.ssh(/.*)?
            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
            /root/.shosts
            /home/[^/]+/.ssh(/.*)?
            /home/[^/]+/.ansible/cp/.*
            /home/[^/]+/.shosts

       sysctl_type

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       systemd_unit_file_type

       tracefs_t

       usbfs_t

       user_cron_spool_t

            /var/spool/at(/.*)?
            /var/spool/cron
            /var/spool/cron/[^/]+

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_fonts_config_t

            /root/.fonts.d(/.*)?
            /root/.config/fontconfig(/.*)?
            /root/.fonts.conf
            /home/[^/]+/.fonts.d(/.*)?
            /home/[^/]+/.config/fontconfig(/.*)?
            /home/[^/]+/.fonts.conf

       user_fonts_t

            /root/.fonts(/.*)?
            /tmp/.font-unix(/.*)?
            /home/[^/]+/.fonts(/.*)?
            /home/[^/]+/.local/share/fonts(/.*)?

       user_home_t

            /home/[^/]+/.+

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/run/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?

       vmware_conf_t

            /home/[^/]+/.vmware[^/]*/.*.cfg

       vmware_file_t

            /home/[^/]+/vmware(/.*)?
            /home/[^/]+/.vmware(/.*)?

       vmware_tmp_t

       vmware_tmpfs_t

       wireshark_home_t

            /home/[^/]+/.wireshark(/.*)?

       wireshark_tmp_t

       wireshark_tmpfs_t

       xauth_home_t

            /root/.Xauth.*
            /root/.xauth.*
            /root/.Xauthority.*
            /root/.serverauth.*
            /var/lib/pqsql/.xauth.*
            /var/lib/pqsql/.Xauthority.*
            /var/lib/nxserver/home/.xauth.*
            /var/lib/nxserver/home/.Xauthority.*
            /home/[^/]+/.Xauth.*
            /home/[^/]+/.xauth.*
            /home/[^/]+/.Xauthority.*
            /home/[^/]+/.serverauth.*

       xserver_tmpfs_t

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), sysadm_dbusd_selinux(8),
       sysadm_gkeyringd_selinux(8), sysadm_passwd_selinux(8),
       sysadm_screen_selinux(8), sysadm_seunshare_selinux(8),
       sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8),
       sysadm_sudo_selinux(8)

mgrepl@redhat.com                   sysadm                   sysadm_selinux(8)