mount_selinux(8)             SELinux Policy mount             mount_selinux(8)


NAME

       mount_selinux - Security Enhanced Linux Policy for the mount processes


DESCRIPTION

       Security-Enhanced Linux secures the mount processes via flexible
       mandatory access control.

       The mount processes execute with the mount_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep mount_t


ENTRYPOINTS

       The mount_t SELinux type can be entered via the fusermount_exec_t,
       mount_exec_t file types.

       The default entrypoint paths for the mount_t domain are the following:

       /bin/fusermount[0-9]?, /usr/bin/fusermount[0-9]?, /bin/mount.*,
       /bin/umount.*, /sbin/mount.*, /sbin/umount.*, /usr/bin/mount.*,
       /usr/bin/umount.*, /usr/sbin/mount.*, /usr/sbin/umount.*


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mount policy is very flexible, allowing users to set up their mount
       processes in as secure a method as possible.

       The following process types are defined for mount:

       mount_t, mount_ecryptfs_t

       Note: semanage permissive -a mount_t can be used to make the process
       type mount_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
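       The following shell script is an added example and is not part of this
       sepolicy-generated page. It extracts the type field from an SELinux
       security context and lists the PIDs running in a given domain from
       ps -eZ output. The ps output in SAMPLE_PS is constructed for the
       example; on a live system pipe ps -eZ into domain_pids instead. The
       type is compared exactly, so a process in mount_ecryptfs_t (whose name
       contains the string mount_t) is not reported as mount_t, which the
       grep in the example above would do.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Parse SELinux contexts and find the processes running in one domain.

# ctx_type CONTEXT: print the type field of a context such as
# system_u:system_r:mount_t:s0-s0:c0.c1023. The type is always the third
# colon-separated field; the MLS level after it may itself contain colons.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# domain_pids DOMAIN: read "ps -eZ" lines (LABEL PID TTY TIME CMD) on stdin
# and print the PID of every process whose type equals DOMAIN exactly.
# A plain "grep mount_t" would also report mount_ecryptfs_t processes.
domain_pids() {
    domain=$1
    while read -r ctx pid _tty _time _cmd; do
        case $ctx in ''|LABEL) continue ;; esac   # skip blank and header lines
        if [ "$(ctx_type "$ctx")" = "$domain" ]; then
            printf '%s\n' "$pid"
        fi
    done
    return 0
}

# Constructed "ps -eZ" output for offline use; on a live system run:
#   ps -eZ | domain_pids mount_t
SAMPLE_PS='LABEL                                   PID TTY          TIME CMD
system_u:system_r:init_t:s0               1 ?        00:00:02 systemd
system_u:system_r:mount_t:s0-s0:c0.c1023 4120 ?       00:00:00 mount
system_u:system_r:mount_ecryptfs_t:s0  4121 ?        00:00:00 mount.ecryptfs
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4200 pts/0 00:00:00 bash'

# mount_t processes in the sample: prints 4120
printf '%s\n' "$SAMPLE_PS" | domain_pids mount_t
```

       Splitting on the third colon is deliberate: an MLS/MCS level such as
       s0-s0:c0.c1023 contains a colon of its own, so taking the last field
       would return the category range rather than the type.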

BOOLEANS

       SELinux policy is customizable based on least access required. mount
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run mount with the tightest access possible.

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Disabled by default.

       setsebool -P deny_execmem 1

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Disabled by default.

       setsebool -P secure_mode_insmod 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea; it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execheap 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary; it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1
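       As an added example (not the page's or the sepolicy project's own
       code), the following shell script audits the booleans listed above
       against the defaults this page documents. It reads getsebool -a
       output, reports each listed boolean whose current value differs from
       the documented default, and prints the setsebool -P command that would
       restore it. The getsebool output in SAMPLE_GETSEBOOL is constructed;
       on a live system pipe getsebool -a into boolean_drift. A difference is
       not necessarily wrong (deny_execmem turned on is a deliberate
       hardening), but it is a setting an administrator should be able to
       account for.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: compare the
# mount-related booleans against the defaults documented on this page.

# Boolean name and documented default, one pair per line.
MOUNT_BOOL_DEFAULTS='deny_execmem off
mmap_low_allowed off
nis_enabled off
secure_mode_insmod off
selinuxuser_execheap off
selinuxuser_execstack on'

# documented_default NAME: print the documented default for NAME, or nothing
# if the boolean is not in the table above.
documented_default() {
    printf '%s\n' "$MOUNT_BOOL_DEFAULTS" | awk -v n="$1" '$1 == n { print $2 }'
}

# restore_cmd NAME DEFAULT: the persistent setsebool command that would put
# NAME back to DEFAULT (on -> 1, off -> 0).
restore_cmd() {
    case $2 in
        on)  printf 'setsebool -P %s 1\n' "$1" ;;
        off) printf 'setsebool -P %s 0\n' "$1" ;;
        *)   return 1 ;;
    esac
}

# boolean_drift: read "getsebool -a" lines ("name --> state") on stdin and
# print "name current default" for every documented boolean whose current
# state differs from the documented default. Undocumented booleans are skipped.
boolean_drift() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        default=$(documented_default "$name")
        [ -n "$default" ] || continue
        if [ "$state" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$state" "$default"
        fi
    done
    return 0
}

# Constructed "getsebool -a" excerpt; on a live system run:
#   getsebool -a | boolean_drift
SAMPLE_GETSEBOOL='deny_execmem --> on
httpd_can_network_connect --> off
mmap_low_allowed --> off
nis_enabled --> off
secure_mode_insmod --> off
selinuxuser_execheap --> off
selinuxuser_execstack --> off'

# Report drift and the command that would restore each documented default.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift | while read -r name state default; do
    printf '%s is %s (documented default %s): %s\n' \
        "$name" "$state" "$default" "$(restore_cmd "$name" "$default")"
done
```

       For the sample input the script reports deny_execmem (on, documented
       off) and selinuxuser_execstack (off, documented on); the first is a
       hardening an administrator may well have chosen, the second removes a
       permission the default policy grants and is worth confirming before
       anything that relies on it breaks.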

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux mount policy is very flexible, allowing users to set up their
       mount processes in as secure a method as possible.

       The following port types are defined for mount:

       mountd_port_t

       Default Defined Ports:
                 tcp 20048
                 udp 20048


MANAGED FILES

       The SELinux process type mount_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       file_type

            all files on the system


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mount policy is very flexible, allowing users to set up their
       mount processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mount. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t mount_exec_t '/srv/mount/content(/.*)?'
       restorecon -R -v /srv/mount/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for mount:

       mount_ecryptfs_exec_t

       - Set files with the mount_ecryptfs_exec_t type, if you want to
       transition an executable to the mount_ecryptfs_t domain.

       Paths:
            /usr/sbin/mount.ecryptfs, /usr/sbin/umount.ecryptfs,
            /usr/sbin/mount.ecryptfs_private, /usr/sbin/umount.ecryptfs_private

       mount_ecryptfs_tmpfs_t

       - Set files with the mount_ecryptfs_tmpfs_t type, if you want to store
       mount ecryptfs files on a tmpfs file system.

       mount_exec_t

       - Set files with the mount_exec_t type, if you want to transition an
       executable to the mount_t domain.

       Paths:
            /bin/mount.*, /bin/umount.*, /sbin/mount.*, /sbin/umount.*,
            /usr/bin/mount.*, /usr/bin/umount.*, /usr/sbin/mount.*,
            /usr/sbin/umount.*

       mount_loopback_t

       - Set files with the mount_loopback_t type, if you want to treat the
       files as mount loopback data.

       mount_tmp_t

       - Set files with the mount_tmp_t type, if you want to store mount
       temporary files in the /tmp directories.

       mount_var_run_t

       - Set files with the mount_var_run_t type, if you want to store the
       mount files under the /run or /var/run directory.

       Paths:
            /run/mount(/.*)?, /dev/.mount(/.*)?, /var/run/mount(/.*)?,
            /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

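       The script below is an added example, not the page's own code. It
       turns the path patterns listed above into a lookup that returns the
       file type this page documents for a path, then reads ls -Z style lines
       (context followed by path) and reports files whose on-disk type does
       not match, which is the labeling drift that restorecon corrects. The
       matching is a simplification assumed for the example: the page's
       patterns are tried as anchored extended regular expressions in the
       order listed, with the ecryptfs entries first so that they win over
       the generic /usr/sbin/mount.* entry. On a real system matchpathcon
       gives the authoritative type and restorecon -n previews the fix. The
       ls -Z output in SAMPLE_LS is constructed.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: look up the
# documented file type for a path and report files whose label differs.

# Type and path pattern, taken from this page. Patterns are matched as
# anchored extended regular expressions in this order; ecryptfs entries come
# first so they win over /usr/sbin/mount.* (an assumed, simplified ordering;
# matchpathcon reports what the installed policy actually resolves).
MOUNT_FCONTEXTS='fusermount_exec_t /bin/fusermount[0-9]?
fusermount_exec_t /usr/bin/fusermount[0-9]?
mount_ecryptfs_exec_t /usr/sbin/mount.ecryptfs
mount_ecryptfs_exec_t /usr/sbin/umount.ecryptfs
mount_ecryptfs_exec_t /usr/sbin/mount.ecryptfs_private
mount_ecryptfs_exec_t /usr/sbin/umount.ecryptfs_private
mount_exec_t /bin/mount.*
mount_exec_t /bin/umount.*
mount_exec_t /sbin/mount.*
mount_exec_t /sbin/umount.*
mount_exec_t /usr/bin/mount.*
mount_exec_t /usr/bin/umount.*
mount_exec_t /usr/sbin/mount.*
mount_exec_t /usr/sbin/umount.*
mount_var_run_t /run/mount(/.*)?
mount_var_run_t /dev/.mount(/.*)?
mount_var_run_t /var/run/mount(/.*)?
mount_var_run_t /var/run/davfs2(/.*)?
mount_var_run_t /var/cache/davfs2(/.*)?'

# expected_type PATH: print the documented type for PATH (first matching
# pattern), or nothing if no pattern on this page matches.
expected_type() {
    printf '%s\n' "$MOUNT_FCONTEXTS" | while read -r ftype pattern; do
        if printf '%s\n' "$1" | grep -Eqx -- "$pattern"; then
            printf '%s\n' "$ftype"
            break
        fi
    done
}

# label_drift: read "ls -Z"-style lines (context, then path) on stdin and
# print "path current_type documented_type" for every path whose on-disk
# type differs from the documented one. Paths this page does not cover are
# skipped. On a live system: ls -Z /usr/bin/mount /run/mount/* | label_drift
label_drift() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)   # type is the third field
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$have" "$want"
        fi
    done
    return 0
}

# Constructed "ls -Z" output: two of the four files carry the wrong type.
SAMPLE_LS='system_u:object_r:mount_exec_t:s0 /usr/bin/mount
system_u:object_r:bin_t:s0 /usr/bin/umount
system_u:object_r:mount_ecryptfs_exec_t:s0 /usr/sbin/mount.ecryptfs
unconfined_u:object_r:var_run_t:s0 /run/mount/utab'

# Mislabeled files in the sample; restorecon -R -v on the parent directory
# would reset them to the documented type.
printf '%s\n' "$SAMPLE_LS" | label_drift
```

       A umount binary labeled bin_t instead of mount_exec_t is more than
       cosmetic: without the mount_exec_t entrypoint the process does not
       transition into mount_t, so it runs under the caller's domain and the
       mount policy described on this page never applies to it.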

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), mount(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mount_ecryptfs_selinux(8)

mount                              23-10-20                   mount_selinux(8)