pulseaudio_selinux(8)      SELinux Policy pulseaudio     pulseaudio_selinux(8)

NAME

       pulseaudio_selinux - Security Enhanced Linux Policy for the pulseaudio
       processes

DESCRIPTION

       Security-Enhanced Linux secures the pulseaudio processes via flexible
       mandatory access control.

       The pulseaudio processes execute with the pulseaudio_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep pulseaudio_t

ENTRYPOINTS

       The pulseaudio_t SELinux type can be entered via the pulseaudio_exec_t
       file type.

       The default entrypoint paths for the pulseaudio_t domain are the
       following:

       /usr/bin/pulseaudio

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       pulseaudio policy is very flexible, allowing users to set up their
       pulseaudio processes as securely as possible.

       The following process types are defined for pulseaudio:

       pulseaudio_t

       Note: semanage permissive -a pulseaudio_t can be used to make the
       process type pulseaudio_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       pulseaudio policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run pulseaudio with the tightest
       access possible.

       If you want to deny all system processes and Linux users the use of
       Bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Disabled by default.

       setsebool -P deny_bluetooth 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1
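
       Added example (not part of the generated manual page or of the SELinux
       policy project): a shell check that compares boolean states against the
       defaults documented above and reports any that differ. The function
       names and the sample input are constructed for illustration; the input
       format is the "name --> state" output of getsebool -a.

```shell
#!/bin/sh
# Added example. Baseline = the default states documented in the BOOLEANS
# section of this page, written as name=state pairs.
PULSEAUDIO_BOOLEAN_DEFAULTS="deny_bluetooth=off fips_mode=on nis_enabled=off \
selinuxuser_direct_dri_enabled=on use_nfs_home_dirs=off \
use_samba_home_dirs=off xserver_clients_write_xshm=off"

# Constructed sample in the "name --> state" format printed by getsebool -a.
# use_samba_home_dirs is left out on purpose to show the "missing" case.
sample_getsebool_output() {
    cat <<'EOF'
deny_bluetooth --> off
fips_mode --> on
httpd_enable_cgi --> on
nis_enabled --> on
selinuxuser_direct_dri_enabled --> on
use_nfs_home_dirs --> off
xserver_clients_write_xshm --> on
EOF
}

# boolean_drift: read getsebool-style lines on stdin and print one line for
# each documented boolean whose current state differs from the documented
# default, or which is absent from the input. Unrelated booleans are ignored.
boolean_drift() {
    awk -v defaults="$PULSEAUDIO_BOOLEAN_DEFAULTS" '
        BEGIN {
            n = split(defaults, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                name[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in want) { have[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                cur = (name[i] in have) ? have[name[i]] : "missing"
                if (cur != want[name[i]])
                    printf "%s documented=%s current=%s\n", name[i], want[name[i]], cur
            }
        }'
}

# Demonstration on the constructed sample; on a live system use:
#   getsebool -a | boolean_drift
sample_getsebool_output | boolean_drift
```

       A reported line is a prompt to review why the boolean was changed, since
       several of these booleans widen what confined domains may do.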

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux pulseaudio policy is very flexible, allowing users to set up
       their pulseaudio processes as securely as possible.

       The following port types are defined for pulseaudio:

       pulseaudio_port_t

       Default Defined Ports:
                 tcp 4713
                 udp 4713

MANAGED FILES

       The SELinux process type pulseaudio_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cifs_t

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       pulseaudio_var_lib_t

            /var/lib/pulse(/.*)?

       pulseaudio_var_run_t

            /var/run/pulse(/.*)?

       user_tmp_type

            all user tmp files

       virt_tmpfs_type

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pulseaudio policy is very flexible, allowing users to set up
       their pulseaudio processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pulseaudio. If you want to
       store files with these types in a different path, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t pulseaudio_exec_t '/srv/pulseaudio/content(/.*)?'
       restorecon -R -v /srv/pulseaudio/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for pulseaudio:

       pulseaudio_exec_t

       - Set files with the pulseaudio_exec_t type, if you want to transition
       an executable to the pulseaudio_t domain.

       pulseaudio_home_t

       - Set files with the pulseaudio_home_t type, if you want to store
       pulseaudio files in the user's home directory.

       Paths:
            /root/.pulse(/.*)?, /root/.config/pulse(/.*)?, /root/.esd_auth,
            /root/.pulse-cookie, /home/[^/]+/.pulse(/.*)?,
            /home/[^/]+/.config/pulse(/.*)?, /home/[^/]+/.esd_auth,
            /home/[^/]+/.pulse-cookie

       pulseaudio_tmpfs_t

       - Set files with the pulseaudio_tmpfs_t type, if you want to store
       pulseaudio files on a tmpfs file system.

       pulseaudio_var_lib_t

       - Set files with the pulseaudio_var_lib_t type, if you want to store
       the pulseaudio files under the /var/lib directory.

       pulseaudio_var_run_t

       - Set files with the pulseaudio_var_run_t type, if you want to store
       the pulseaudio files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
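
       Added example (not part of the generated manual page or of the SELinux
       policy project): an offline check of which pulseaudio_home_t path
       pattern listed above covers a given path. It assumes grep -E -x is an
       adequate stand-in for the policy's regular-expression matching for
       these particular patterns, and it reports the first listed pattern
       rather than modelling SELinux's own choice among several matches. The
       function names and test paths are constructed.

```shell
#!/bin/sh
# Added example. Patterns copied from the pulseaudio_home_t "Paths:" list.
PULSE_HOME_PATTERNS='/root/.pulse(/.*)?
/root/.config/pulse(/.*)?
/root/.esd_auth
/root/.pulse-cookie
/home/[^/]+/.pulse(/.*)?
/home/[^/]+/.config/pulse(/.*)?
/home/[^/]+/.esd_auth
/home/[^/]+/.pulse-cookie'

# fcontext_matches PATTERN PATH: succeed only when PATTERN matches the whole
# of PATH. File-context patterns apply to the full path, hence grep -x.
fcontext_matches() {
    printf '%s\n' "$2" | grep -E -x -q -e "$1"
}

# pulse_home_pattern PATH: print the first listed pattern that covers PATH
# and return 0; return 1 when no listed pattern covers it.
pulse_home_pattern() {
    while IFS= read -r pat; do
        if fcontext_matches "$pat" "$1"; then
            printf '%s\n' "$pat"
            return 0
        fi
    done <<EOF
$PULSE_HOME_PATTERNS
EOF
    return 1
}

# Demonstration on constructed paths. [^/]+ spans exactly one directory
# level, so a cookie moved into a subdirectory is no longer covered.
for p in /home/alice/.pulse-cookie /home/alice/.config/pulse/cookie \
         /home/alice/backup/.pulse-cookie /srv/home/alice/.pulse; do
    if pat=$(pulse_home_pattern "$p"); then
        printf '%s -> pulseaudio_home_t via %s\n' "$p" "$pat"
    else
        printf '%s -> not covered by the listed patterns\n' "$p"
    fi
done
```

       A path reported as not covered needs its own semanage fcontext rule
       before restorecon will give it the pulseaudio_home_t label.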

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

pulseaudio                         23-10-20              pulseaudio_selinux(8)