mount_selinux(8)             SELinux Policy mount             mount_selinux(8)


NAME

       mount_selinux - Security Enhanced Linux Policy for the mount processes


DESCRIPTION

       Security-Enhanced Linux secures the mount processes via flexible
       mandatory access control.

       The mount processes execute with the mount_t SELinux type.  You can
       check whether you have such processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep mount_t

       Note that mount(8) normally exits as soon as the mount completes, so an
       empty result does not mean the policy is unused.  To confirm that the
       transition into mount_t will happen at all, check that the entrypoint
       binaries listed under ENTRYPOINTS still carry their mount_exec_t or
       fusermount_exec_t label (ls -Z).



ENTRYPOINTS

       The mount_t SELinux type can be entered via the fusermount_exec_t and
       mount_exec_t file types.

       The default entrypoint paths for the mount_t domain are the following:

       /bin/fusermount[0-9]?,     /usr/bin/fusermount[0-9]?,     /bin/mount.*,
       /bin/umount.*,   /sbin/mount.*,    /sbin/umount.*,    /usr/bin/mount.*,
       /usr/bin/umount.*, /usr/sbin/mount.*, /usr/sbin/umount.*


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files.  SELinux
       mount policy is very flexible, allowing users to set up their mount
       processes in as secure a manner as possible.

       The following process types are defined for mount:

       mount_t, mount_ecryptfs_t

       Note: semanage permissive -a mount_t can be used to make the process
       type mount_t permissive.  SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated, which makes this useful for collecting the denials a new
       configuration triggers.  Revert with semanage permissive -d mount_t
       once the policy has been fixed; a permissive mount domain is
       effectively unconfined.



BOOLEANS

       SELinux policy is customizable based on least access required.  mount
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run mount with the tightest access possible.
       The commands below use setsebool -P so that the change is written to
       the policy store; without -P the new value is lost at reboot.



       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean.  Enabled by default.

       setsebool -P deny_execmem 1



       If you want to allow domains to mmap a low area of the address space,
       as configured by /proc/sys/vm/mmap_min_addr, you must turn on the
       mmap_low_allowed boolean.  Disabled by default.

       setsebool -P mmap_low_allowed 1



       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean.  Enabled by default.

       setsebool -P secure_mode_insmod 1



       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean.  Doing
       this is a really bad idea: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla.  Disabled by default.

       setsebool -P selinuxuser_execheap 1



       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean.  This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla.  Disabled by default.

       setsebool -P selinuxuser_execstack 1


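       The following script is an added example; it is not part of this
       auto-generated page or of the selinux-policy project.  It reads the
       output format of getsebool -a ("name --> on|off") and reports every
       boolean documented above whose live value differs from the default
       stated on this page.  On this page each documented default is the
       restrictive setting, so every line it prints is a loosening that should
       be explained.  The sample input is constructed, not captured from a
       host, and the function names are invented for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the sepolicy-generated page or the selinux-policy
# project.  Compares the booleans documented in the BOOLEANS section against
# their documented defaults using the "name --> on|off" lines that
# `getsebool -a` prints.  Helper names are made up for this example.

# "name default", one per line, copied from the BOOLEANS section above.
mount_boolean_defaults() {
  cat <<'EOF'
deny_execmem on
mmap_low_allowed off
secure_mode_insmod on
selinuxuser_execheap off
selinuxuser_execstack off
EOF
}

# boolean_drift: read getsebool-style lines on stdin and print one line for
# every documented boolean that is missing or differs from its documented
# default.  Returns 1 if anything was reported, 0 if all match.
boolean_drift() {
  drift=0
  current=$(cat)
  while read -r name default; do
    # getsebool -a prints exactly "name --> value"; pick the value for $name
    value=$(printf '%s\n' "$current" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
    if [ -z "$value" ]; then
      printf '%s: not present in the loaded policy\n' "$name"
      drift=1
    elif [ "$value" != "$default" ]; then
      printf '%s: documented default %s, currently %s\n' \
             "$name" "$default" "$value"
      drift=1
    fi
  done <<EOF
$(mount_boolean_defaults)
EOF
  return $drift
}

# Constructed sample of `getsebool -a` output (not captured from a real host).
# On a live system run:  getsebool -a | boolean_drift
sample='deny_execmem --> off
mmap_low_allowed --> off
secure_mode_insmod --> on
selinuxuser_execheap --> on
selinuxuser_execstack --> off
unrelated_bool --> on'

printf '%s\n' "$sample" | boolean_drift ||
  echo 'one or more mount-related booleans differ from the documented defaults'
```

       With the constructed sample the script reports deny_execmem (off where
       the page documents on) and selinuxuser_execheap (on where the page
       documents off).  Booleans are global, not mount-specific, so a drift
       found here affects every domain the boolean is referenced by; fix it
       with the setsebool -P lines above rather than editing policy sources.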

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l


       Policy governs the access confined processes have to these ports.
       SELinux mount policy is very flexible, allowing users to set up their
       mount processes in as secure a manner as possible.

       The following port types are defined for mount:


       mountd_port_t



       Default Defined Ports:
                 tcp 20048
                 udp 20048


MANAGED FILES

       The SELinux process type mount_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs to have DAC
       permissions.

       file_type

            all files on the system

       Because file_type covers every file type on the system, SELinux places
       no restriction on which files the mount_t domain may manage; only DAC
       and the mount helpers' own checks bound it.  Take care before labeling
       additional binaries mount_exec_t: anything executed through that
       entrypoint inherits this access.


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mount policy is very flexible, allowing users to set up their
       mount processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mount.  If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t mount_ecryptfs_tmpfs_t '/srv/mymount_content(/.*)?'
       restorecon -R -v /srv/mymount_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for mount:



       mount_ecryptfs_exec_t

       - Set files with the mount_ecryptfs_exec_t type, if you want to
       transition an executable to the mount_ecryptfs_t domain.


       Paths:
            /usr/sbin/mount.ecryptfs,               /usr/sbin/umount.ecryptfs,
            /usr/sbin/mount.ecryptfs_private,   /usr/sbin/umount.ecryptfs_private


       mount_ecryptfs_tmpfs_t

       - Set files with the mount_ecryptfs_tmpfs_t type, if you want to store
       mount ecryptfs files on a tmpfs file system.



       mount_exec_t

       - Set files with the mount_exec_t type, if you want to transition an
       executable to the mount_t domain.


       Paths:
            /bin/mount.*,    /bin/umount.*,   /sbin/mount.*,   /sbin/umount.*,
            /usr/bin/mount.*,      /usr/bin/umount.*,       /usr/sbin/mount.*,
            /usr/sbin/umount.*


       mount_loopback_t

       - Set files with the mount_loopback_t type, if you want to treat the
       files as mount loopback data.



       mount_tmp_t

       - Set files with the mount_tmp_t type, if you want to store mount
       temporary files in the /tmp directories.



       mount_var_run_t

       - Set files with the mount_var_run_t type, if you want to store the
       mount files under the /run or /var/run directory.


       Paths:
            /run/mount(/.*)?,     /dev/.mount(/.*)?,     /var/run/mount(/.*)?,
            /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)?


       Note: File context can be temporarily modified with the chcon command;
       a chcon change is overwritten by the next restorecon or full relabel.
       If you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling
       database.  You will need to use restorecon to apply the labels.


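       The following script is an added example and not part of this
       auto-generated page or of the selinux-policy project.  It serves both
       the ENTRYPOINTS and the FILE CONTEXTS sections: it turns the regexes
       listed there into a small lookup table, resolves which type a given
       path would receive, and then compares that with the label actually on
       disk, which is the practical test that a mount binary will still
       transition into mount_t.  The table is a hand-copied subset of the
       policy's file_contexts (the eight */bin/*mount.* entries are collapsed
       into one regex), "first matching entry wins" with the specific
       entries listed first is a simplification of how matchpathcon(8) picks
       the most specific entry, and the function names are invented for the
       example.

```bash
#!/usr/bin/env bash
# Added example; not from the sepolicy-generated page or the selinux-policy
# project.  Resolves the type the mount file contexts on this page assign to a
# path and checks it against the on-disk label.  Assumptions: the table is a
# hand-copied subset of file_contexts, first-match precedence with specific
# entries first approximates matchpathcon, and the helper names are made up.

# "regex type", one entry per line, anchored to match the whole path.  The
# ecryptfs and fusermount entries come first so they win over the generic
# mount.* entry, which collapses the page's eight */bin/*mount.* patterns.
mount_fc_table() {
  cat <<'EOF'
^/usr/sbin/mount.ecryptfs$ mount_ecryptfs_exec_t
^/usr/sbin/umount.ecryptfs$ mount_ecryptfs_exec_t
^/usr/sbin/mount.ecryptfs_private$ mount_ecryptfs_exec_t
^/usr/sbin/umount.ecryptfs_private$ mount_ecryptfs_exec_t
^/bin/fusermount[0-9]?$ fusermount_exec_t
^/usr/bin/fusermount[0-9]?$ fusermount_exec_t
^(/usr)?/s?bin/u?mount.*$ mount_exec_t
^/run/mount(/.*)?$ mount_var_run_t
^/dev/.mount(/.*)?$ mount_var_run_t
^/var/run/mount(/.*)?$ mount_var_run_t
^/var/run/davfs2(/.*)?$ mount_var_run_t
^/var/cache/davfs2(/.*)?$ mount_var_run_t
EOF
}

# mount_fc_type PATH: print the type the table assigns to PATH; exit status 1
# when no entry on this page matches (the real policy has many more entries,
# so "no match here" does not mean the path is unlabeled).
mount_fc_type() {
  while read -r regex type; do
    if printf '%s\n' "$1" | grep -Eq "$regex"; then
      printf '%s\n' "$type"
      return 0
    fi
  done <<EOF
$(mount_fc_table)
EOF
  return 1
}

# check_mount_labels: for each path from the page's lists that exists on this
# host, compare the on-disk label (GNU stat %C, machine-readable unlike ls -Z)
# with the table.  A mismatch on an entrypoint means execution would not
# transition into mount_t; "?" means the host exposes no SELinux label.
check_mount_labels() {
  rc=0
  for p in /bin/mount /usr/bin/mount /usr/bin/umount /usr/sbin/mount.nfs \
           /usr/bin/fusermount /usr/bin/fusermount3 /usr/sbin/mount.ecryptfs \
           /run/mount; do
    [ -e "$p" ] || continue
    expected=$(mount_fc_type "$p") || continue
    ctx=$(stat -c '%C' "$p" 2>/dev/null) || ctx='?'
    actual=${ctx#*:*:}          # drop user:role: from user:role:type:level
    actual=${actual%%:*}        # drop :level, leaving the type
    if [ "$actual" != "$expected" ]; then
      printf '%s: expected %s, on disk %s\n' "$p" "$expected" "$ctx"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run: show one lookup, then audit the host only when SELinux is
# actually present; a clean host prints only the confirmation line.
mount_fc_type /usr/sbin/mount.nfs
if [ -d /sys/fs/selinux ]; then
  check_mount_labels &&
    echo 'mount entrypoints and runtime dirs carry the documented labels'
fi
```

       On a live host the authoritative answer for any path is
       matchpathcon(8), which consults the full file_contexts database; the
       table here covers only the entries this page lists.  If
       check_mount_labels reports a drifted entrypoint, restorecon -v on that
       path restores the documented label, and the chcon note above explains
       why a temporary fix will not survive the next relabel.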

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), mount(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mount_ecryptfs_selinux(8)



mount                              20-05-05                   mount_selinux(8)