staff_wine_selinux(8)      SELinux Policy staff_wine     staff_wine_selinux(8)

NAME

       staff_wine_selinux - Security Enhanced Linux Policy for the staff_wine
       processes

DESCRIPTION

       Security-Enhanced Linux secures the staff_wine processes via flexible
       mandatory access control.

       The staff_wine processes execute with the staff_wine_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep staff_wine_t

ENTRYPOINTS

       The staff_wine_t SELinux type can be entered via the user_home_t,
       wine_exec_t file types.

       The default entrypoint paths for the staff_wine_t domain are the
       following:

       /home/[^/]+/.+, /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*,
       /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*,
       /opt/google/picasa(/.*)?/bin/msiexec,
       /opt/google/picasa(/.*)?/bin/notepad,
       /opt/google/picasa(/.*)?/bin/progman,
       /opt/google/picasa(/.*)?/bin/regedit,
       /opt/google/picasa(/.*)?/bin/regsvr32,
       /opt/google/picasa(/.*)?/Picasa3/.*exe,
       /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*,
       /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad,
       /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller,
       /home/[^/]+/cxoffice/bin/wine.+
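       The entrypoint patterns listed above, applied as whole-path matches,
       as an added example (not part of the original man page or of the
       SELinux policy sources). The helper name matching_entrypoints and the
       sample paths are constructed; on a live system matchpathcon reports
       the label a path would actually receive.

```shell
# Default entrypoint patterns as printed in the ENTRYPOINTS list on this page.
ENTRYPOINT_PATTERNS='/home/[^/]+/.+
/usr/bin/wine.*
/opt/teamviewer(/.*)?/bin/wine.*
/opt/google/picasa(/.*)?/bin/wdi
/opt/google/picasa(/.*)?/bin/wine.*
/opt/google/picasa(/.*)?/bin/msiexec
/opt/google/picasa(/.*)?/bin/notepad
/opt/google/picasa(/.*)?/bin/progman
/opt/google/picasa(/.*)?/bin/regedit
/opt/google/picasa(/.*)?/bin/regsvr32
/opt/google/picasa(/.*)?/Picasa3/.*exe
/opt/google/picasa(/.*)?/bin/uninstaller
/opt/cxoffice/bin/wine.*
/opt/picasa/wine/bin/wine.*
/usr/bin/msiexec
/usr/bin/notepad
/usr/bin/regedit
/usr/bin/regsvr32
/usr/bin/uninstaller
/home/[^/]+/cxoffice/bin/wine.+'

# matching_entrypoints PATH (hypothetical helper): print every pattern that
# matches PATH in full. File-context regexes are anchored at both ends, so
# each pattern is wrapped in ^( )$. Returns 1 when nothing matches.
matching_entrypoints() {
    path=$1
    found=1
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        if printf '%s\n' "$path" | grep -Eq "^(${pat})\$"; then
            printf '%s\n' "$pat"
            found=0
        fi
    done <<EOF
$ENTRYPOINT_PATTERNS
EOF
    return "$found"
}

# Constructed sample paths: a helper script that merely starts with "wine",
# a download in a home directory, and a file outside every listed location.
for p in /usr/bin/winetricks /home/alice/Downloads/setup.exe /tmp/setup.exe; do
    printf '%s:\n' "$p"
    matching_entrypoints "$p" || printf '  (no default entrypoint pattern)\n'
done
```

       A pattern match only predicts the default label; whether a file can
       act as an entrypoint depends on the label it actually carries.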

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       staff_wine policy is very flexible, allowing users to set up their
       staff_wine processes in as secure a manner as possible.

       The following process types are defined for staff_wine:

       staff_wine_t

       Note: semanage permissive -a staff_wine_t can be used to make the
       process type staff_wine_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       staff_wine policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run staff_wine with the tightest
       access possible.

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
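       A drift check for the three booleans above against their documented
       default (off), as an added example that is not part of the original
       man page. It parses getsebool output in its "name --> on|off" form;
       the helper name boolean_drift and the sample input are constructed.

```shell
# Booleans documented on this page, each "Disabled by default".
WINE_BOOLEANS='mmap_low_allowed use_nfs_home_dirs use_samba_home_dirs'

# boolean_drift (hypothetical helper): read getsebool output on stdin and
# print every documented boolean that is on, or that the input does not
# report at all. Returns 0 only when all three are reported as off.
boolean_drift() {
    input=$(cat)
    drift=0
    for name in $WINE_BOOLEANS; do
        # Take the state from the first "name --> state" line for this boolean.
        state=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3; exit }')
        case $state in
            off) ;;
            on)  printf '%s: on (documented default: off)\n' "$name"; drift=1 ;;
            *)   printf '%s: not reported\n' "$name"; drift=1 ;;
        esac
    done
    return "$drift"
}

# Constructed sample of getsebool output: one boolean switched on, one
# unrelated boolean, and use_samba_home_dirs absent from the listing.
SAMPLE_GETSEBOOL='mmap_low_allowed --> on
unconfined_login --> on
use_nfs_home_dirs --> off'

printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift ||
    printf 'drift from documented defaults found\n'
```

       On a live system the same function can be fed with
       getsebool -a | boolean_drift.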

MANAGED FILES

       The SELinux process type staff_wine_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.
       alsa_home_t

            /home/[^/]+/.asoundrc

       chrome_sandbox_tmpfs_t


       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       pulseaudio_tmpfs_t


       pulseaudio_tmpfsfile


       session_dbusd_tmp_t

            /var/run/user/[0-9]+/bus
            /var/run/user/[0-9]+/dbus(/.*)?
            /var/run/user/[0-9]+/dbus-1(/.*)?

       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user/[^/]+
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /var/run/user
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /var/run/user/[0-9]+
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       wine_home_t

            /home/[^/]+/.wine(/.*)?

       xserver_tmpfs_t


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

staff_wine                         22-05-27              staff_wine_selinux(8)