1user_wine_selinux(8) SELinux Policy user_wine user_wine_selinux(8)
2
3
4
6 user_wine_selinux - Security Enhanced Linux Policy for the user_wine
7 processes
8
10 Security-Enhanced Linux secures the user_wine processes via flexible
11 mandatory access control.
12
13 The user_wine processes execute with the user_wine_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep user_wine_t
20
21
22
24 The user_wine_t SELinux type can be entered via the wine_exec_t,
25 user_home_t file types.
26
27 The default entrypoint paths for the user_wine_t domain are the follow‐
28 ing:
29
30 /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/pi‐
31 casa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*,
32 /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/pi‐
33 casa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman,
34 /opt/google/picasa(/.*)?/bin/regedit, /opt/google/pi‐
35 casa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe,
36 /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*,
37 /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad,
38 /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller,
39 /home/[^/]+/cxoffice/bin/wine.+, /home/[^/]+/.+
40
42 SELinux defines process types (domains) for each process running on the
43 system
44
45 You can see the context of a process using the -Z option to ps
46
47 Policy governs the access confined processes have to files. SELinux
48 user_wine policy is very flexible allowing users to setup their
49 user_wine processes in as secure a method as possible.
50
51 The following process types are defined for user_wine:
52
53 user_wine_t
54
55 Note: semanage permissive -a user_wine_t can be used to make the
56 process type user_wine_t permissive. SELinux does not deny access to
57 permissive process types, but the AVC (SELinux denials) messages are
58 still generated.
59
60
62 SELinux policy is customizable based on least access required.
63 user_wine policy is extremely flexible and has several booleans that
64 allow you to manipulate the policy and run user_wine with the tightest
65 access possible.
66
67
68
69 If you want to control the ability to mmap a low area of the address
70 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
71 the mmap_low_allowed boolean. Disabled by default.
72
73 setsebool -P mmap_low_allowed 1
74
75
76
77 If you want to support NFS home directories, you must turn on the
78 use_nfs_home_dirs boolean. Disabled by default.
79
80 setsebool -P use_nfs_home_dirs 1
81
82
83
84 If you want to support SAMBA home directories, you must turn on the
85 use_samba_home_dirs boolean. Disabled by default.
86
87 setsebool -P use_samba_home_dirs 1
88
89
90
92 The SELinux process type user_wine_t can manage files labeled with the
93 following file types. The paths listed are the default paths for these
94 file types. Note the processes UID still need to have DAC permissions.
95
96 alsa_home_t
97
98 /home/[^/]+/.asoundrc
99
100 chrome_sandbox_tmpfs_t
101
102
103 games_data_t
104
105 /var/games(/.*)?
106 /var/lib/games(/.*)?
107
108 gpg_agent_tmp_t
109
110 /home/[^/]+/.gnupg/log-socket
111
112 krb5_host_rcache_t
113
114 /var/tmp/krb5_0.rcache2
115 /var/cache/krb5rcache(/.*)?
116 /var/tmp/nfs_0
117 /var/tmp/DNS_25
118 /var/tmp/host_0
119 /var/tmp/imap_0
120 /var/tmp/HTTP_23
121 /var/tmp/HTTP_48
122 /var/tmp/ldap_55
123 /var/tmp/ldap_487
124 /var/tmp/ldapmap1_0
125
126 mail_spool_t
127
128 /var/mail(/.*)?
129 /var/spool/imap(/.*)?
130 /var/spool/mail(/.*)?
131 /var/spool/smtpd(/.*)?
132
133 mqueue_spool_t
134
135 /var/spool/(client)?mqueue(/.*)?
136 /var/spool/mqueue.in(/.*)?
137
138 pulseaudio_tmpfs_t
139
140
141 pulseaudio_tmpfsfile
142
143
144 session_dbusd_tmp_t
145
146 /var/run/user/[0-9]+/dbus(/.*)?
147
148 usbfs_t
149
150
151 user_fonts_cache_t
152
153 /root/.fontconfig(/.*)?
154 /root/.fonts/auto(/.*)?
155 /root/.fonts.cache-.*
156 /root/.cache/fontconfig(/.*)?
157 /home/[^/]+/.fontconfig(/.*)?
158 /home/[^/]+/.fonts/auto(/.*)?
159 /home/[^/]+/.fonts.cache-.*
160 /home/[^/]+/.cache/fontconfig(/.*)?
161
162 user_home_type
163
164 all user home files
165
166 user_tmp_t
167
168 /dev/shm/mono.*
169 /var/run/user(/.*)?
170 /tmp/.ICE-unix(/.*)?
171 /tmp/.X11-unix(/.*)?
172 /dev/shm/pulse-shm.*
173 /tmp/.X0-lock
174 /tmp/hsperfdata_root
175 /var/tmp/hsperfdata_root
176 /home/[^/]+/tmp
177 /home/[^/]+/.tmp
178 /tmp/gconfd-[^/]+
179
180 user_tmp_type
181
182 all user tmp files
183
184 wine_home_t
185
186 /home/[^/]+/.wine(/.*)?
187
188 xserver_tmpfs_t
189
190
191
193 semanage fcontext can also be used to manipulate default file context
194 mappings.
195
196 semanage permissive can also be used to manipulate whether or not a
197 process type is permissive.
198
199 semanage module can also be used to enable/disable/install/remove pol‐
200 icy modules.
201
202 semanage boolean can also be used to manipulate the booleans
203
204
205 system-config-selinux is a GUI tool available to customize SELinux pol‐
206 icy settings.
207
208
210 This manual page was auto-generated using sepolicy manpage .
211
212
214 selinux(8), user_wine(8), semanage(8), restorecon(8), chcon(1), sepol‐
215 icy(8), setsebool(8)
216
217
218
219user_wine 21-06-09 user_wine_selinux(8)