staff_wine_selinux(8)        SELinux Policy staff_wine        staff_wine_selinux(8)

NAME
staff_wine_selinux - Security Enhanced Linux Policy for the staff_wine processes

DESCRIPTION
Security-Enhanced Linux secures the staff_wine processes via flexible mandatory access control.

The staff_wine processes execute with the staff_wine_t SELinux type. You can check whether any of these processes are running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep staff_wine_t

ENTRYPOINTS
The staff_wine_t SELinux type can be entered via the user_home_t and wine_exec_t file types.

The default entrypoint paths for the staff_wine_t domain are the following:

/home/[^/]+/.+, /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]+/cxoffice/bin/wine.+

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux staff_wine policy is very flexible, allowing users to set up their staff_wine processes in as secure a manner as possible.

The following process types are defined for staff_wine:

staff_wine_t

Note: semanage permissive -a staff_wine_t can be used to make the process type staff_wine_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.

BOOLEANS
SELinux policy is customizable based on least access required. staff_wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_wine with the tightest access possible.

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1

If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

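The three booleans above are all documented as disabled by default, so a useful operational check is whether a host has drifted from that baseline. The script below is an added example, not part of the generated man page: it parses getsebool-style output (the sample lines are constructed, not taken from a real host), reports any of the three booleans whose current value differs from the documented default, and prints the persistent setsebool -P command that would revert it. The function names (default_for, restore_command, audit_wine_booleans, report) are this example's own.

```sh
#!/bin/sh
# Added example (not from the man page): audit the staff_wine booleans this
# page documents against their documented default (all three off).
# The getsebool output below is constructed; on a real host feed the audit with:
#   getsebool mmap_low_allowed use_nfs_home_dirs use_samba_home_dirs | audit_wine_booleans

SAMPLE_GETSEBOOL='mmap_low_allowed --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off'

# default_for NAME: documented default of one of the page's booleans;
# non-zero exit (and no output) for any other boolean name.
default_for() {
    case "$1" in
        mmap_low_allowed|use_nfs_home_dirs|use_samba_home_dirs) echo off ;;
        *) return 1 ;;
    esac
}

# restore_command NAME VALUE: the persistent setsebool invocation, in the
# same form the page uses, that sets NAME to on or off.
restore_command() {
    case "$2" in
        on)  printf 'setsebool -P %s 1\n' "$1" ;;
        off) printf 'setsebool -P %s 0\n' "$1" ;;
        *)   return 1 ;;
    esac
}

# audit_wine_booleans: read getsebool-style lines ("name --> value") on stdin
# and print "name current default" for each documented boolean whose value
# differs from its default. Lines for other booleans are ignored.
audit_wine_booleans() {
    while read -r name arrow value; do
        [ "$arrow" = "-->" ] || continue
        default=$(default_for "$name") || continue
        if [ "$value" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$value" "$default"
        fi
    done
}

# report: human-readable summary built on the functions above.
report() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_wine_booleans |
    while read -r name current default; do
        printf 'boolean %s is %s, documented default is %s; revert with: ' \
            "$name" "$current" "$default"
        restore_command "$name" "$default"
    done
}

report
```

With the constructed sample the report names only mmap_low_allowed, since the other two already sit at their default. A boolean that is intentionally enabled (for example use_nfs_home_dirs on a site with NFS home directories) will also be reported; the script flags drift from the documented default, it does not decide whether that drift is wanted.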
MANAGED FILES
The SELinux process type staff_wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

alsa_home_t

/home/[^/]+/.asoundrc

chrome_sandbox_tmpfs_t

games_data_t

/var/games(/.*)?
/var/lib/games(/.*)?

gpg_agent_tmp_t

/home/[^/]+/.gnupg/log-socket

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

mail_spool_t

/var/mail(/.*)?
/var/spool/imap(/.*)?
/var/spool/mail(/.*)?
/var/spool/smtpd(/.*)?

mqueue_spool_t

/var/spool/(client)?mqueue(/.*)?
/var/spool/mqueue.in(/.*)?

pulseaudio_tmpfs_t

pulseaudio_tmpfsfile

session_dbusd_tmp_t

/var/run/user/[0-9]+/bus
/var/run/user/[0-9]+/dbus(/.*)?
/var/run/user/[0-9]+/dbus-1(/.*)?

usbfs_t

user_fonts_cache_t

/root/.fontconfig(/.*)?
/root/.fonts/auto(/.*)?
/root/.fonts.cache-.*
/root/.cache/fontconfig(/.*)?
/home/[^/]+/.fontconfig(/.*)?
/home/[^/]+/.fonts/auto(/.*)?
/home/[^/]+/.fonts.cache-.*
/home/[^/]+/.cache/fontconfig(/.*)?

user_home_type

all user home files

user_tmp_t

/dev/shm/mono.*
/var/run/user/[^/]+
/tmp/.ICE-unix(/.*)?
/tmp/.X11-unix(/.*)?
/dev/shm/pulse-shm.*
/tmp/.X0-lock
/var/run/user
/tmp/hsperfdata_root
/var/tmp/hsperfdata_root
/home/[^/]+/tmp
/home/[^/]+/.tmp
/var/run/user/[0-9]+
/tmp/gconfd-[^/]+

user_tmp_type

all user tmp files

wine_home_t

/home/[^/]+/.wine(/.*)?

xserver_tmpfs_t

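The list above pairs each file type with the file-context regexes that give files that type by default, and libselinux matches those regexes anchored at both ends, with the most specific entry winning when several match. The script below is an added example, not part of the generated man page or of the SELinux project: it loads a subset of the patterns from the list above, resolves which type a given path would get, and from that answers whether the path falls inside what staff_wine_t may manage (DAC permission for the process UID is still required on top, as the page notes). The specificity ordering is a simplified approximation of what setfiles/fc_sort do (longer literal stem, then longer regex, then an entry without metacharacters); matchpathcon(8) remains the authoritative tool on a live system. The two shadow_t entries are contrast entries taken from the general reference policy, not from this page, and the function names (label_for, staff_wine_can_manage) are this example's own.

```python
import re

# Added example, not from the man page or the SELinux project. Patterns are
# copied from the MANAGED FILES section above (a subset). The shadow_t rows are
# illustrative contrast entries from the general reference policy, not this
# page: staff_wine_t has no manage rule for shadow_t.
FILE_CONTEXTS = [
    ("alsa_home_t",         r"/home/[^/]+/.asoundrc"),
    ("games_data_t",        r"/var/games(/.*)?"),
    ("games_data_t",        r"/var/lib/games(/.*)?"),
    ("gpg_agent_tmp_t",     r"/home/[^/]+/.gnupg/log-socket"),
    ("krb5_host_rcache_t",  r"/var/cache/krb5rcache(/.*)?"),
    ("mail_spool_t",        r"/var/spool/mail(/.*)?"),
    ("mqueue_spool_t",      r"/var/spool/(client)?mqueue(/.*)?"),
    ("session_dbusd_tmp_t", r"/var/run/user/[0-9]+/bus"),
    ("user_fonts_cache_t",  r"/home/[^/]+/.cache/fontconfig(/.*)?"),
    ("user_tmp_t",          r"/var/run/user/[^/]+"),
    ("user_tmp_t",          r"/var/run/user/[0-9]+"),
    ("user_tmp_t",          r"/home/[^/]+/tmp"),
    ("user_tmp_t",          r"/tmp/gconfd-[^/]+"),
    ("wine_home_t",         r"/home/[^/]+/.wine(/.*)?"),
    ("shadow_t",            r"/etc/shadow.*"),   # contrast entry, not on this page
    ("shadow_t",            r"/etc/gshadow.*"),  # contrast entry, not on this page
]

# Types the page lists under MANAGED FILES (attributes such as user_home_type,
# which cover whole families of types, are not modelled here).
MANAGED_TYPES = {t for t, _ in FILE_CONTEXTS if t != "shadow_t"}

_META = set(".^$?*+|[](){}\\")


def _stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in _META:
            return i
    return len(pattern)


def _specificity(pattern):
    # Simplified approximation of the fc_sort ordering used when several
    # file_contexts entries match: longer literal stem wins, then the longer
    # regex, then an entry with no metacharacters at all.
    has_meta = any(ch in _META for ch in pattern)
    return (_stem_len(pattern), len(pattern), not has_meta)


def label_for(path):
    """Return (type, pattern) of the most specific matching entry, or None.

    libselinux anchors every file_contexts regex at both ends, which is what
    re.fullmatch does here.
    """
    matches = [(t, p) for t, p in FILE_CONTEXTS if re.fullmatch(p, path)]
    if not matches:
        return None
    return max(matches, key=lambda tp: _specificity(tp[1]))


def staff_wine_can_manage(path):
    """True when the path's default type is one staff_wine_t may manage.

    DAC permission for the process UID is still required on top of this.
    """
    match = label_for(path)
    return match is not None and match[0] in MANAGED_TYPES


if __name__ == "__main__":
    for p in ["/home/alice/.wine/drive_c/windows", "/var/run/user/1000/bus",
              "/var/run/user/1000", "/var/spool/clientmqueue/qf0",
              "/etc/shadow", "/usr/lib64/libc.so.6"]:
        m = label_for(p)
        label = m[0] if m else "<no entry in this subset>"
        print(f"{p:36} {label:26} manageable={staff_wine_can_manage(p)}")
```

Two details the output makes visible: /var/run/user/1000 and /var/run/user/1000/bus both start with the same literal stem, yet the bus socket resolves to session_dbusd_tmp_t rather than user_tmp_t because the longer, more specific regex wins; and a path with no matching entry in this subset reports as not manageable, which is the conservative answer for a reduced pattern set but not proof of a denial on a real system, where the full file_contexts database applies.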
COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)


staff_wine                           22-05-27                     staff_wine_selinux(8)