staff_wine_selinux(8)        SELinux Policy staff_wine        staff_wine_selinux(8)

NAME
    staff_wine_selinux - Security Enhanced Linux Policy for the staff_wine
    processes

DESCRIPTION
    Security-Enhanced Linux secures the staff_wine processes via flexible
    mandatory access control.

    The staff_wine processes execute with the staff_wine_t SELinux type.
    You can check whether these processes are running by executing the ps
    command with the -Z qualifier, which prints the SELinux context of each
    process.

    For example:

    ps -eZ | grep staff_wine_t

ENTRYPOINTS
    The staff_wine_t SELinux type can be entered via the wine_exec_t and
    user_home_t file types.

    The default entrypoint paths for the staff_wine_t domain are the
    following:

    /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*,
    /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*,
    /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad,
    /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit,
    /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe,
    /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*,
    /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad,
    /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller,
    /home/[^/]+/cxoffice/bin/wine.+, /home/[^/]+/.+

    The final pattern, /home/[^/]+/.+, is the default path of user_home_t, so
    any executable under a user's home directory can enter the staff_wine_t
    domain.
40
PROCESS TYPES
    SELinux defines process types (domains) for each process running on the
    system.

    You can see the context of a process using the -Z option to ps.

    Policy governs the access confined processes have to files. SELinux
    staff_wine policy is very flexible, allowing users to set up their
    staff_wine processes in as secure a manner as possible.

    The following process types are defined for staff_wine:

    staff_wine_t

    Note: semanage permissive -a staff_wine_t can be used to make the
    process type staff_wine_t permissive. SELinux does not deny access to
    permissive process types, but the AVC (SELinux denial) messages are
    still generated, so the domain can be audited before it is enforced.

BOOLEANS
    SELinux policy is customizable based on the least access required.
    staff_wine policy is extremely flexible and has several booleans that
    allow you to manipulate the policy and run staff_wine with the tightest
    access possible.
66
67
68
    If you want to control the ability to mmap a low area of the address
    space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
    the mmap_low_allowed boolean. Disabled by default.

    setsebool -P mmap_low_allowed 1

    If you want to allow the system to run with NIS, you must turn on the
    nis_enabled boolean. Disabled by default.

    setsebool -P nis_enabled 1

    If you want to support NFS home directories, you must turn on the
    use_nfs_home_dirs boolean. Disabled by default.

    setsebool -P use_nfs_home_dirs 1

    If you want to support SAMBA home directories, you must turn on the
    use_samba_home_dirs boolean. Disabled by default.

    setsebool -P use_samba_home_dirs 1

    If you want attempts by wine to mmap low regions to be silently blocked
    (denied without generating AVC messages), you must turn on the
    wine_mmap_zero_ignore boolean. Disabled by default.

    setsebool -P wine_mmap_zero_ignore 1
103
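The two checks the page describes, the ps -eZ process listing and the state of the staff_wine booleans, combined into a small audit script. This is an added example, not part of the sepolicy-generated page; it parses text in the format of `getsebool -a` and `ps -eZ`, and the sample lines it contains are constructed stand-ins for real output.

```shell
#!/bin/sh
# Audit helpers for the staff_wine_t domain (added example, not generated by
# sepolicy). Inputs are plain text in the format of `getsebool -a` and `ps -eZ`;
# the sample lines below are constructed, not captured from a live system.

# The five booleans the man page lists for staff_wine, all disabled by default.
WINE_BOOLS="mmap_low_allowed nis_enabled use_nfs_home_dirs use_samba_home_dirs wine_mmap_zero_ignore"

# Print the staff_wine booleans that are "on", i.e. loosened from their default.
# $1: text in `getsebool -a` format ("name --> on|off", one per line)
report_enabled_bools() {
    printf '%s\n' "$1" | awk -v list="$WINE_BOOLS" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        ($1 in w) && $3 == "on" { print $1 }'
}

# Count processes whose context carries the staff_wine_t type. The type field
# of the context (user:role:type:range) is compared as a whole, so unlike a bare
# `grep staff_wine_t` a longer type name that merely starts with it is not
# counted. Wine started from an unconfined session runs as unconfined_t and is
# NOT counted, which is exactly what an audit of the confinement wants to know.
# $1: text in `ps -eZ` format ("LABEL PID TTY TIME CMD")
count_wine_procs() {
    printf '%s\n' "$1" | awk '
        split($1, c, ":") >= 3 && c[3] == "staff_wine_t" { n++ }
        END { print n + 0 }'
}

# Constructed sample output standing in for `getsebool -a` and `ps -eZ`.
SAMPLE_BOOLS='mmap_low_allowed --> on
nis_enabled --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> on
wine_mmap_zero_ignore --> off
httpd_can_network_connect --> on'

SAMPLE_PS='LABEL                                         PID TTY      TIME CMD
staff_u:staff_r:staff_wine_t:s0-s0:c0.c1023  2412 ?    00:00:03 wine
staff_u:staff_r:staff_t:s0-s0:c0.c1023       2300 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0    2500 ?    00:00:01 wine64-preloader'

echo "staff_wine booleans loosened from their default:"
report_enabled_bools "$SAMPLE_BOOLS"
echo "processes confined by staff_wine_t: $(count_wine_procs "$SAMPLE_PS")"
```

On a live system pass `"$(getsebool -a)"` and `"$(ps -eZ)"` instead of the samples; a wine process that appears in the listing but is not counted is running outside the staff_wine_t domain.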
104
105
MANAGED FILES
    The SELinux process type staff_wine_t can manage files labeled with the
    following file types. The paths listed are the default paths for these
    file types. Note that the process's UID still needs DAC permission as
    well; SELinux does not override the ordinary permission checks.

    alsa_home_t

        /home/[^/]+/.asoundrc

    chrome_sandbox_tmpfs_t

    games_data_t

        /var/games(/.*)?
        /var/lib/games(/.*)?

    gpg_agent_tmp_t

        /home/[^/]+/.gnupg/log-socket

    krb5_host_rcache_t

        /var/tmp/krb5_0.rcache2
        /var/cache/krb5rcache(/.*)?
        /var/tmp/nfs_0
        /var/tmp/DNS_25
        /var/tmp/host_0
        /var/tmp/imap_0
        /var/tmp/HTTP_23
        /var/tmp/HTTP_48
        /var/tmp/ldap_55
        /var/tmp/ldap_487
        /var/tmp/ldapmap1_0

    mail_spool_t

        /var/mail(/.*)?
        /var/spool/imap(/.*)?
        /var/spool/mail(/.*)?
        /var/spool/smtpd(/.*)?

    mqueue_spool_t

        /var/spool/(client)?mqueue(/.*)?
        /var/spool/mqueue.in(/.*)?

    pulseaudio_tmpfs_t

    pulseaudio_tmpfsfile

    session_dbusd_tmp_t

        /var/run/user/[0-9]+/bus
        /var/run/user/[0-9]+/dbus(/.*)?
        /var/run/user/[0-9]+/dbus-1(/.*)?

    usbfs_t

    user_fonts_cache_t

        /root/.fontconfig(/.*)?
        /root/.fonts/auto(/.*)?
        /root/.fonts.cache-.*
        /root/.cache/fontconfig(/.*)?
        /home/[^/]+/.fontconfig(/.*)?
        /home/[^/]+/.fonts/auto(/.*)?
        /home/[^/]+/.fonts.cache-.*
        /home/[^/]+/.cache/fontconfig(/.*)?

    user_home_type

        all user home files

    user_tmp_t

        /dev/shm/mono.*
        /var/run/user/[^/]+
        /tmp/.ICE-unix(/.*)?
        /tmp/.X11-unix(/.*)?
        /dev/shm/pulse-shm.*
        /tmp/.X0-lock
        /var/run/user
        /tmp/hsperfdata_root
        /var/tmp/hsperfdata_root
        /home/[^/]+/tmp
        /home/[^/]+/.tmp
        /var/run/user/[0-9]+
        /tmp/gconfd-[^/]+

    user_tmp_type

        all user tmp files

    wine_home_t

        /home/[^/]+/.wine(/.*)?

    xserver_tmpfs_t

COMMANDS
    semanage fcontext can also be used to manipulate default file context
    mappings.

    semanage permissive can also be used to manipulate whether or not a
    process type is permissive.

    semanage module can also be used to enable/disable/install/remove
    policy modules.

    semanage boolean can also be used to manipulate the booleans.

    system-config-selinux is a GUI tool available to customize SELinux
    policy settings.

AUTHOR
    This manual page was auto-generated using sepolicy manpage.

SEE ALSO
    selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1),
    sepolicy(8), setsebool(8)

staff_wine                       23-10-20                  staff_wine_selinux(8)