1udev_selinux(8)               SELinux Policy udev              udev_selinux(8)
2
3
4

NAME

6       udev_selinux - Security Enhanced Linux Policy for the udev processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the udev processes via flexible manda‐
10       tory access control.
11
12       The udev processes execute with the udev_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep udev_t
19
20
21

ENTRYPOINTS

23       The  udev_t  SELinux  type  can  be  entered   via   the   udev_exec_t,
24       udev_helper_exec_t file types.
25
26       The default entrypoint paths for the udev_t domain are the following:
27
28       /sbin/udev,  /sbin/udevd,  /bin/udevadm, /sbin/udevadm, /sbin/udevsend,
29       /usr/sbin/udev,  /lib/udev/udevd,   /sbin/udevstart,   /usr/sbin/udevd,
30       /sbin/start_udev,  /usr/bin/udevadm,  /usr/bin/udevinfo, /usr/sbin/ude‐
31       vadm,  /lib/udev/udev-acl,   /usr/sbin/udevsend,   /usr/lib/udev/udevd,
32       /usr/sbin/udevstart,     /sbin/wait_for_sysfs,    /usr/sbin/start_udev,
33       /usr/lib/udev/udev-acl, /usr/sbin/wait_for_sysfs, /usr/lib/systemd/sys‐
34       temd-udevd,      /etc/dev.d/.+,     /etc/udev/scripts/.+,     /etc/hot‐
35       plug.d/default/udev.*
36

PROCESS TYPES

38       SELinux defines process types (domains) for each process running on the
39       system
40
41       You can see the context of a process using the -Z option to ps
42
43       Policy  governs  the  access confined processes have to files.  SELinux
44       udev policy is very flexible allowing users to setup  their  udev  pro‐
45       cesses in as secure a method as possible.
46
47       The following process types are defined for udev:
48
49       udev_t
50
51       Note:  semanage  permissive  -a  udev_t can be used to make the process
52       type udev_t permissive. SELinux does  not  deny  access  to  permissive
53       process  types, but the AVC (SELinux denials) messages are still gener‐
54       ated.
55
56

BOOLEANS

58       SELinux policy is customizable based on least  access  required.   udev
59       policy is extremely flexible and has several booleans that allow you to
60       manipulate the policy and run udev with the tightest access possible.
61
62
63
64       If you want to control the ability to mmap a low area  of  the  address
65       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
66       the mmap_low_allowed boolean. Disabled by default.
67
68       setsebool -P mmap_low_allowed 1
69
70
71
72       If you want to disable kernel module loading,  you  must  turn  on  the
73       secure_mode_insmod boolean. Enabled by default.
74
75       setsebool -P secure_mode_insmod 1
76
77
78
79       If  you  want to allow unconfined executables to make their heap memory
80       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
81       badly  coded  executable, but could indicate an attack. This executable
82       should  be  reported  in  bugzilla,  you  must  turn  on   the   selin‐
83       uxuser_execheap boolean. Disabled by default.
84
85       setsebool -P selinuxuser_execheap 1
86
87
88
89       If  you  want  to allow unconfined executables to make their stack exe‐
90       cutable.  This should never, ever be necessary.  Probably  indicates  a
91       badly  coded  executable, but could indicate an attack. This executable
92       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
93       stack boolean. Disabled by default.
94
95       setsebool -P selinuxuser_execstack 1
96
97
98

MANAGED FILES

100       The  SELinux process type udev_t can manage files labeled with the fol‐
101       lowing file types.  The paths listed are the default  paths  for  these
102       file types.  Note the processes UID still need to have DAC permissions.
103
104       file_type
105
106            all files on the system
107
108

FILE CONTEXTS

110       SELinux requires files to have an extended attribute to define the file
111       type.
112
113       You can see the context of a file using the -Z option to ls
114
115       Policy governs the access  confined  processes  have  to  these  files.
116       SELinux udev policy is very flexible allowing users to setup their udev
117       processes in as secure a method as possible.
118
119       STANDARD FILE CONTEXT
120
121       SELinux defines the file context types for the udev, if you  wanted  to
122       store  files  with  these types in a diffent paths, you need to execute
123       the semanage command  to  sepecify  alternate  labeling  and  then  use
124       restorecon to put the labels on disk.
125
126       semanage fcontext -a -t udev_tmp_t '/srv/myudev_content(/.*)?'
127       restorecon -R -v /srv/myudev_content
128
129       Note:  SELinux  often  uses  regular expressions to specify labels that
130       match multiple files.
131
132       The following file types are defined for udev:
133
134
135
136       udev_etc_t
137
138       - Set files with the udev_etc_t type, if you want to store  udev  files
139       in the /etc directories.
140
141
142
143       udev_exec_t
144
145       -  Set  files  with  the udev_exec_t type, if you want to transition an
146       executable to the udev_t domain.
147
148
149       Paths:
150            /sbin/udev, /sbin/udevd, /bin/udevadm,  /sbin/udevadm,  /sbin/ude‐
151            vsend,     /usr/sbin/udev,    /lib/udev/udevd,    /sbin/udevstart,
152            /usr/sbin/udevd,        /sbin/start_udev,        /usr/bin/udevadm,
153            /usr/bin/udevinfo,      /usr/sbin/udevadm,     /lib/udev/udev-acl,
154            /usr/sbin/udevsend,   /usr/lib/udev/udevd,    /usr/sbin/udevstart,
155            /sbin/wait_for_sysfs,   /usr/sbin/start_udev,  /usr/lib/udev/udev-
156            acl, /usr/sbin/wait_for_sysfs, /usr/lib/systemd/systemd-udevd
157
158
159       udev_helper_exec_t
160
161       - Set files with the udev_helper_exec_t type, if you want to transition
162       an executable to the udev_helper_t domain.
163
164
165       Paths:
166            /etc/dev.d/.+, /etc/udev/scripts/.+, /etc/hotplug.d/default/udev.*
167
168
169       udev_rules_t
170
171       -  Set files with the udev_rules_t type, if you want to treat the files
172       as udev rules data.
173
174
175
176       udev_tmp_t
177
178       - Set files with the udev_tmp_t type, if you want to store udev  tempo‐
179       rary files in the /tmp directories.
180
181
182
183       udev_var_run_t
184
185       - Set files with the udev_var_run_t type, if you want to store the udev
186       files under the /run or /var/run directory.
187
188
189       Paths:
190            /dev/.udev(/.*)?,   /var/run/udev(/.*)?,   /var/run/libgpod(/.*)?,
191            /var/run/PackageKit/udev(/.*)?, /dev/.udevdb, /dev/udev.tbl
192
193
194       Note:  File context can be temporarily modified with the chcon command.
195       If you want to permanently change the file context you need to use  the
196       semanage fcontext command.  This will modify the SELinux labeling data‐
197       base.  You will need to use restorecon to apply the labels.
198
199

COMMANDS

201       semanage fcontext can also be used to manipulate default  file  context
202       mappings.
203
204       semanage  permissive  can  also  be used to manipulate whether or not a
205       process type is permissive.
206
207       semanage module can also be used to enable/disable/install/remove  pol‐
208       icy modules.
209
210       semanage boolean can also be used to manipulate the booleans
211
212
213       system-config-selinux is a GUI tool available to customize SELinux pol‐
214       icy settings.
215
216

AUTHOR

218       This manual page was auto-generated using sepolicy manpage .
219
220

SEE ALSO

222       selinux(8), udev(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
223       setsebool(8)
224
225
226
227udev                               20-05-05                    udev_selinux(8)
Impressum