1anaconda_selinux(8) SELinux Policy anaconda anaconda_selinux(8)
2
3
4
6 anaconda_selinux - Security Enhanced Linux Policy for the anaconda pro‐
7 cesses
8
10 Security-Enhanced Linux secures the anaconda processes via flexible
11 mandatory access control.
12
13 The anaconda processes execute with the anaconda_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep anaconda_t
20
21
22
24 The anaconda_t SELinux type can be entered via the anaconda_exec_t file
25 type.
26
27 The default entrypoint paths for the anaconda_t domain are the follow‐
28 ing:
29
30
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 anaconda policy is very flexible allowing users to setup their anaconda
40 processes in as secure a method as possible.
41
42 The following process types are defined for anaconda:
43
44 anaconda_t
45
46 Note: semanage permissive -a anaconda_t can be used to make the process
47 type anaconda_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. ana‐
54 conda policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run anaconda with the tightest access
56 possible.
57
58
59
60 If you want to control the ability to mmap a low area of the address
61 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
62 the mmap_low_allowed boolean. Disabled by default.
63
64 setsebool -P mmap_low_allowed 1
65
66
67
68 If you want to disable kernel module loading, you must turn on the se‐
69 cure_mode_insmod boolean. Enabled by default.
70
71 setsebool -P secure_mode_insmod 1
72
73
74
75 If you want to allow unconfined executables to make their heap memory
76 executable. Doing this is a really bad idea. Probably indicates a
77 badly coded executable, but could indicate an attack. This executable
78 should be reported in bugzilla, you must turn on the selinuxuser_ex‐
79 echeap boolean. Disabled by default.
80
81 setsebool -P selinuxuser_execheap 1
82
83
84
85 If you want to allow unconfined executables to make their stack exe‐
86 cutable. This should never, ever be necessary. Probably indicates a
87 badly coded executable, but could indicate an attack. This executable
88 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
89 stack boolean. Enabled by default.
90
91 setsebool -P selinuxuser_execstack 1
92
93
94
96 The SELinux process type anaconda_t can manage files labeled with the
97 following file types. The paths listed are the default paths for these
98 file types. Note the processes UID still need to have DAC permissions.
99
100 file_type
101
102 all files on the system
103
104
106 semanage fcontext can also be used to manipulate default file context
107 mappings.
108
109 semanage permissive can also be used to manipulate whether or not a
110 process type is permissive.
111
112 semanage module can also be used to enable/disable/install/remove pol‐
113 icy modules.
114
115 semanage boolean can also be used to manipulate the booleans
116
117
118 system-config-selinux is a GUI tool available to customize SELinux pol‐
119 icy settings.
120
121
123 This manual page was auto-generated using sepolicy manpage .
124
125
127 selinux(8), anaconda(8), semanage(8), restorecon(8), chcon(1), sepol‐
128 icy(8), setsebool(8)
129
130
131
132anaconda 21-06-09 anaconda_selinux(8)