1unconfined_selinux(8)unconfined SELinux Policy documentatiounnconfined_selinux(8)
2
3
4

NAME

6       unconfined_r - Unconfined user role - Security Enhanced Linux Policy
7
8

DESCRIPTION

10       SELinux  supports  Roles  Based Access Control (RBAC), some Linux roles
11       are login roles, while other roles need to be transition into.
12
13       Note: Examples in this man page will use the staff_u SELinux user.
14
15       Non login roles are usually used for administrative tasks. For example,
16       tasks  that  require root privileges.  Roles control which types a user
17       can run processes with. Roles often  have  default  types  assigned  to
18       them.
19
20       The default type for the unconfined_r role is unconfined_t.
21
22       The newrole program to transition directly to this role.
23
24       newrole -r unconfined_r -t unconfined_t
25
26       sudo is the preferred method to do transition from one role to another.
27       You setup sudo to transition to unconfined_r by adding a  similar  line
28       to the /etc/sudoers file.
29
30       USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
31
32       sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
33
34       When  using  a  non  login role, you need to setup SELinux so that your
35       SELinux user can reach unconfined_r role.
36
37       Execute the following to see all of the assigned SELinux roles:
38
39       semanage user -l
40
41       You need to add unconfined_r to the staff_u user.  You could setup  the
42       staff_u  user  to  be  able to use the unconfined_r role with a command
43       like:
44
45       $ semanage user -m -R 'staff_r system_r unconfined_r' staff_u
46
47
48

BOOLEANS

50       SELinux policy is customizable based on least access required.   uncon‐
51       fined  policy is extremely flexible and has several booleans that allow
52       you to manipulate the policy and run unconfined with the  tightest  ac‐
53       cess possible.
54
55
56
57       If  you  want to allow a unconfined user to dynamically transition to a
58       new context using setcon, you must turn on the  unconfined_dyntrans_all
59       boolean. Disabled by default.
60
61       setsebool -P unconfined_dyntrans_all 1
62
63
64
65       If  you  want  to  allow  unconfined users to transition to the Mozilla
66       plugin domain when running xulrunner plugin-container, you must turn on
67       the unconfined_mozilla_plugin_transition boolean. Enabled by default.
68
69       setsebool -P unconfined_mozilla_plugin_transition 1
70
71
72
73       If you want to determine whether crond can execute jobs in the user do‐
74       main as opposed to the the generic cronjob domain, you must turn on the
75       cron_userdomain_transition boolean. Enabled by default.
76
77       setsebool -P cron_userdomain_transition 1
78
79
80
81       If you want to deny user domains applications to map a memory region as
82       both executable and writable, this  is  dangerous  and  the  executable
83       should be reported in bugzilla, you must turn on the deny_execmem bool‐
84       ean. Enabled by default.
85
86       setsebool -P deny_execmem 1
87
88
89
90       If you want to control the ability to mmap a low area  of  the  address
91       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
92       the mmap_low_allowed boolean. Disabled by default.
93
94       setsebool -P mmap_low_allowed 1
95
96
97
98       If you want to disable kernel module loading, you must turn on the  se‐
99       cure_mode_insmod boolean. Enabled by default.
100
101       setsebool -P secure_mode_insmod 1
102
103
104
105       If  you  want to allow unconfined executables to make their heap memory
106       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
107       badly  coded  executable, but could indicate an attack. This executable
108       should be reported in bugzilla, you must turn  on  the  selinuxuser_ex‐
109       echeap boolean. Disabled by default.
110
111       setsebool -P selinuxuser_execheap 1
112
113
114
115       If  you  want  to allow unconfined executables to make their stack exe‐
116       cutable.  This should never, ever be necessary.  Probably  indicates  a
117       badly  coded  executable, but could indicate an attack. This executable
118       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
119       stack boolean. Enabled by default.
120
121       setsebool -P selinuxuser_execstack 1
122
123
124

MANAGED FILES

126       The SELinux process type unconfined_t can manage files labeled with the
127       following file types.  The paths listed are the default paths for these
128       file types.  Note the processes UID still need to have DAC permissions.
129
130       file_type
131
132            all files on the system
133
134

COMMANDS

136       semanage  fcontext  can also be used to manipulate default file context
137       mappings.
138
139       semanage permissive can also be used to manipulate  whether  or  not  a
140       process type is permissive.
141
142       semanage  module can also be used to enable/disable/install/remove pol‐
143       icy modules.
144
145       semanage boolean can also be used to manipulate the booleans
146
147
148       system-config-selinux is a GUI tool available to customize SELinux pol‐
149       icy settings.
150
151

AUTHOR

153       This manual page was auto-generated using sepolicy manpage .
154
155

SEE ALSO

157       selinux(8), unconfined(8), semanage(8), restorecon(8), chcon(1), sepol‐
158       icy(8),     setsebool(8),     unconfined_cronjob_selinux(8),     uncon‐
159       fined_dbusd_selinux(8),       unconfined_mount_selinux(8),       uncon‐
160       fined_munin_plugin_selinux(8),  unconfined_sendmail_selinux(8),  uncon‐
161       fined_service_selinux(8)
162
163
164
165mgrepl@redhat.com                 unconfined             unconfined_selinux(8)
Impressum