NetworkManager_dispatcher_custom_selinux(8)

1NetworkManager_diSsEpLaitncuhxerP_ocluisctyomN_estewloNirenktuMwxao(nr8ak)gMearn_adgiesrp_adticshpeart_cchuesrt_ocmustom_selinux(8)
2
3
4

NAME

6       NetworkManager_dispatcher_custom_selinux - Security Enhanced Linux Pol‐
7       icy for the NetworkManager_dispatcher_custom processes
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  NetworkManager_dispatcher_custom
11       processes via flexible mandatory access control.
12
13       The  NetworkManager_dispatcher_custom  processes  execute with the Net‐
14       workManager_dispatcher_custom_t SELinux type. You can check if you have
15       these  processes running by executing the ps command with the -Z quali‐
16       fier.
17
18       For example:
19
20       ps -eZ | grep NetworkManager_dispatcher_custom_t
21
22
23

ENTRYPOINTS

25       The NetworkManager_dispatcher_custom_t SELinux type can be entered  via
26       the NetworkManager_dispatcher_script_t file type.
27
28       The default entrypoint paths for the NetworkManager_dispatcher_custom_t
29       domain are the following:
30
31       /etc/NetworkManager/dispatcher.d(/.*)?,    /usr/lib/NetworkManager/dis‐
32       patcher.d(/.*)?
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       NetworkManager_dispatcher_custom policy is very flexible allowing users
42       to setup their NetworkManager_dispatcher_custom processes in as  secure
43       a method as possible.
44
45       The   following  process  types  are  defined  for  NetworkManager_dis‐
46       patcher_custom:
47
48       NetworkManager_dispatcher_custom_t
49
50       Note: semanage permissive -a NetworkManager_dispatcher_custom_t can  be
51       used  to  make the process type NetworkManager_dispatcher_custom_t per‐
52       missive. SELinux does not deny access to permissive process types,  but
53       the AVC (SELinux denials) messages are still generated.
54
55

BOOLEANS

57       SELinux  policy  is  customizable based on least access required.  Net‐
58       workManager_dispatcher_custom policy is extremely flexible and has sev‐
59       eral  booleans that allow you to manipulate the policy and run Network‐
60       Manager_dispatcher_custom with the tightest access possible.
61
62
63
64       If you want to deny user domains applications to map a memory region as
65       both  executable  and  writable,  this  is dangerous and the executable
66       should be reported in bugzilla, you must turn on the deny_execmem bool‐
67       ean. Enabled by default.
68
69       setsebool -P deny_execmem 1
70
71
72
73       If  you  want  to control the ability to mmap a low area of the address
74       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
75       the mmap_low_allowed boolean. Disabled by default.
76
77       setsebool -P mmap_low_allowed 1
78
79
80
81       If  you want to disable kernel module loading, you must turn on the se‐
82       cure_mode_insmod boolean. Enabled by default.
83
84       setsebool -P secure_mode_insmod 1
85
86
87
88       If you want to allow unconfined executables to make their  heap  memory
89       executable.   Doing  this  is  a  really bad idea. Probably indicates a
90       badly coded executable, but could indicate an attack.  This  executable
91       should  be  reported  in bugzilla, you must turn on the selinuxuser_ex‐
92       echeap boolean. Disabled by default.
93
94       setsebool -P selinuxuser_execheap 1
95
96
97
98       If you want to allow unconfined executables to make  their  stack  exe‐
99       cutable.   This  should  never, ever be necessary. Probably indicates a
100       badly coded executable, but could indicate an attack.  This  executable
101       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
102       stack boolean. Enabled by default.
103
104       setsebool -P selinuxuser_execstack 1
105
106
107

MANAGED FILES

109       The SELinux process type NetworkManager_dispatcher_custom_t can  manage
110       files  labeled with the following file types.  The paths listed are the
111       default paths for these file types.  Note the processes UID still  need
112       to have DAC permissions.
113
114       file_type
115
116            all files on the system
117
118

COMMANDS

120       semanage  fcontext  can also be used to manipulate default file context
121       mappings.
122
123       semanage permissive can also be used to manipulate  whether  or  not  a
124       process type is permissive.
125
126       semanage  module can also be used to enable/disable/install/remove pol‐
127       icy modules.
128
129       semanage boolean can also be used to manipulate the booleans
130
131
132       system-config-selinux is a GUI tool available to customize SELinux pol‐
133       icy settings.
134
135

AUTHOR

137       This manual page was auto-generated using sepolicy manpage .
138
139