staff_wine_selinux(8)      SELinux Policy staff_wine     staff_wine_selinux(8)

NAME

       staff_wine_selinux - Security Enhanced Linux Policy for the staff_wine
       processes

DESCRIPTION

       Security-Enhanced Linux secures the staff_wine processes via flexible
       mandatory access control.

       The staff_wine processes execute with the staff_wine_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep staff_wine_t

ENTRYPOINTS

       The staff_wine_t SELinux type can be entered via the wine_exec_t,
       user_home_t file types.

       The default entrypoint paths for the staff_wine_t domain are the
       following:

       /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*,
       /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*,
       /opt/google/picasa(/.*)?/bin/msiexec,
       /opt/google/picasa(/.*)?/bin/notepad,
       /opt/google/picasa(/.*)?/bin/progman,
       /opt/google/picasa(/.*)?/bin/regedit,
       /opt/google/picasa(/.*)?/bin/regsvr32,
       /opt/google/picasa(/.*)?/Picasa3/.*exe,
       /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*,
       /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad,
       /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller,
       /home/[^/]+/cxoffice/bin/wine.+, /home/[^/]+/.+

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       staff_wine policy is very flexible, allowing users to set up their
       staff_wine processes in as secure a method as possible.

       The following process types are defined for staff_wine:

       staff_wine_t

       Note: semanage permissive -a staff_wine_t can be used to make the
       process type staff_wine_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       staff_wine policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run staff_wine with the tightest
       access possible.

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
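
       Added example (not part of the generated page or of the SELinux
       tooling): a check that compares the three booleans above against the
       defaults this page states, reading getsebool-style "name --> on|off"
       lines. The function name audit_booleans and the sample input are
       constructed for illustration.

```shell
#!/bin/sh
# Defaults as stated in the BOOLEANS section of this page.
EXPECTED_DEFAULTS='mmap_low_allowed off
use_nfs_home_dirs on
use_samba_home_dirs off'

# audit_booleans (hypothetical helper): reads "name --> on|off" lines on
# stdin and prints one line per page-listed boolean:
#   OK       current value equals the page default
#   CHANGED  current value differs from the page default
#   MISSING  boolean not present in the input (policy module absent)
audit_booleans() {
    input=$(cat)
    printf '%s\n' "$EXPECTED_DEFAULTS" | while read -r name want; do
        # Exact match on the boolean name so that a name which merely
        # contains another name is never picked up by mistake.
        have=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $name"
        elif [ "$have" = "$want" ]; then
            echo "OK $name=$have"
        else
            echo "CHANGED $name=$have (page default: $want)"
        fi
    done
}

# Constructed sample input in getsebool output format (not from a real host).
SAMPLE='httpd_enable_cgi --> on
mmap_low_allowed --> on
use_nfs_home_dirs --> on'

# On an SELinux host, feed live state instead: getsebool -a | audit_booleans
printf '%s\n' "$SAMPLE" | audit_booleans
```

       A CHANGED line for mmap_low_allowed is the one to review first, since
       enabling it permits low-address mappings for the domain.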

MANAGED FILES

       The SELinux process type staff_wine_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       anon_inodefs_t

       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_tmpfs_t

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       pulseaudio_tmpfsfile

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       wine_home_t

            /home/[^/]+/.wine(/.*)?

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

staff_wine                         20-05-05              staff_wine_selinux(8)