1user_wine_selinux(8)       SELinux Policy user_wine       user_wine_selinux(8)
2
3
4

NAME

6       user_wine_selinux  -  Security  Enhanced Linux Policy for the user_wine
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the user_wine  processes  via  flexible
11       mandatory access control.
12
13       The  user_wine processes execute with the user_wine_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep user_wine_t
20
21
22

ENTRYPOINTS

24       The  user_wine_t  SELinux  type  can  be  entered  via the wine_exec_t,
25       user_home_t file types.
26
27       The default entrypoint paths for the user_wine_t domain are the follow‐
28       ing:
29
30       /usr/bin/wine.*,    /opt/teamviewer(/.*)?/bin/wine.*,   /opt/google/pi‐
31       casa(/.*)?/bin/wdi,                /opt/google/picasa(/.*)?/bin/wine.*,
32       /opt/google/picasa(/.*)?/bin/msiexec,                   /opt/google/pi‐
33       casa(/.*)?/bin/notepad,           /opt/google/picasa(/.*)?/bin/progman,
34       /opt/google/picasa(/.*)?/bin/regedit,                   /opt/google/pi‐
35       casa(/.*)?/bin/regsvr32,        /opt/google/picasa(/.*)?/Picasa3/.*exe,
36       /opt/google/picasa(/.*)?/bin/uninstaller,     /opt/cxoffice/bin/wine.*,
37       /opt/picasa/wine/bin/wine.*,    /usr/bin/msiexec,     /usr/bin/notepad,
38       /usr/bin/regedit,        /usr/bin/regsvr32,       /usr/bin/uninstaller,
39       /home/[^/]+/cxoffice/bin/wine.+, /home/[^/]+/.+
40

PROCESS TYPES

42       SELinux defines process types (domains) for each process running on the
43       system
44
45       You can see the context of a process using the -Z option to ps
46
47       Policy  governs  the  access confined processes have to files.  SELinux
48       user_wine policy  is  very  flexible  allowing  users  to  setup  their
49       user_wine processes in as secure a method as possible.
50
51       The following process types are defined for user_wine:
52
53       user_wine_t
54
55       Note:  semanage  permissive  -a  user_wine_t  can  be  used to make the
56       process type user_wine_t permissive. SELinux does not  deny  access  to
57       permissive  process  types,  but the AVC (SELinux denials) messages are
58       still generated.
59
60

BOOLEANS

62       SELinux  policy  is  customizable  based  on  least  access   required.
63       user_wine  policy  is  extremely flexible and has several booleans that
64       allow you to manipulate the policy and run user_wine with the  tightest
65       access possible.
66
67
68
69       If  you  want  to control the ability to mmap a low area of the address
70       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
71       the mmap_low_allowed boolean. Disabled by default.
72
73       setsebool -P mmap_low_allowed 1
74
75
76
77       If  you  want  to  support  NFS  home directories, you must turn on the
78       use_nfs_home_dirs boolean. Disabled by default.
79
80       setsebool -P use_nfs_home_dirs 1
81
82
83
84       If you want to support SAMBA home directories, you  must  turn  on  the
85       use_samba_home_dirs boolean. Disabled by default.
86
87       setsebool -P use_samba_home_dirs 1
88
89
90

MANAGED FILES

92       The  SELinux process type user_wine_t can manage files labeled with the
93       following file types.  The paths listed are the default paths for these
94       file types.  Note the processes UID still need to have DAC permissions.
95
96       alsa_home_t
97
98            /home/[^/]+/.asoundrc
99
100       chrome_sandbox_tmpfs_t
101
102
103       games_data_t
104
105            /var/games(/.*)?
106            /var/lib/games(/.*)?
107
108       gpg_agent_tmp_t
109
110            /home/[^/]+/.gnupg/log-socket
111
112       krb5_host_rcache_t
113
114            /var/tmp/krb5_0.rcache2
115            /var/cache/krb5rcache(/.*)?
116            /var/tmp/nfs_0
117            /var/tmp/DNS_25
118            /var/tmp/host_0
119            /var/tmp/imap_0
120            /var/tmp/HTTP_23
121            /var/tmp/HTTP_48
122            /var/tmp/ldap_55
123            /var/tmp/ldap_487
124            /var/tmp/ldapmap1_0
125
126       mail_spool_t
127
128            /var/mail(/.*)?
129            /var/spool/imap(/.*)?
130            /var/spool/mail(/.*)?
131            /var/spool/smtpd(/.*)?
132
133       mqueue_spool_t
134
135            /var/spool/(client)?mqueue(/.*)?
136            /var/spool/mqueue.in(/.*)?
137
138       pulseaudio_tmpfs_t
139
140
141       pulseaudio_tmpfsfile
142
143
144       session_dbusd_tmp_t
145
146            /var/run/user/[0-9]+/dbus(/.*)?
147
148       usbfs_t
149
150
151       user_fonts_cache_t
152
153            /root/.fontconfig(/.*)?
154            /root/.fonts/auto(/.*)?
155            /root/.fonts.cache-.*
156            /root/.cache/fontconfig(/.*)?
157            /home/[^/]+/.fontconfig(/.*)?
158            /home/[^/]+/.fonts/auto(/.*)?
159            /home/[^/]+/.fonts.cache-.*
160            /home/[^/]+/.cache/fontconfig(/.*)?
161
162       user_home_type
163
164            all user home files
165
166       user_tmp_t
167
168            /dev/shm/mono.*
169            /var/run/user(/.*)?
170            /tmp/.ICE-unix(/.*)?
171            /tmp/.X11-unix(/.*)?
172            /dev/shm/pulse-shm.*
173            /tmp/.X0-lock
174            /tmp/hsperfdata_root
175            /var/tmp/hsperfdata_root
176            /home/[^/]+/tmp
177            /home/[^/]+/.tmp
178            /tmp/gconfd-[^/]+
179
180       user_tmp_type
181
182            all user tmp files
183
184       wine_home_t
185
186            /home/[^/]+/.wine(/.*)?
187
188       xserver_tmpfs_t
189
190
191

COMMANDS

193       semanage  fcontext  can also be used to manipulate default file context
194       mappings.
195
196       semanage permissive can also be used to manipulate  whether  or  not  a
197       process type is permissive.
198
199       semanage  module can also be used to enable/disable/install/remove pol‐
200       icy modules.
201
202       semanage boolean can also be used to manipulate the booleans
203
204
205       system-config-selinux is a GUI tool available to customize SELinux pol‐
206       icy settings.
207
208

AUTHOR

210       This manual page was auto-generated using sepolicy manpage .
211
212

SEE ALSO

214       selinux(8),  user_wine(8), semanage(8), restorecon(8), chcon(1), sepol‐
215       icy(8), setsebool(8)
216
217
218
219user_wine                          21-06-09               user_wine_selinux(8)
Impressum