staff_wine_selinux(8)      SELinux Policy staff_wine     staff_wine_selinux(8)

NAME

       staff_wine_selinux - Security Enhanced Linux Policy for the staff_wine
       processes

DESCRIPTION

       Security-Enhanced Linux secures the staff_wine processes via flexible
       mandatory access control.

       The staff_wine processes execute with the staff_wine_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep staff_wine_t

ENTRYPOINTS

       The staff_wine_t SELinux type can be entered via the wine_exec_t,
       user_home_t file types.

       The default entrypoint paths for the staff_wine_t domain are the
       following:

       /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*,
       /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*,
       /opt/google/picasa(/.*)?/bin/msiexec,
       /opt/google/picasa(/.*)?/bin/notepad,
       /opt/google/picasa(/.*)?/bin/progman,
       /opt/google/picasa(/.*)?/bin/regedit,
       /opt/google/picasa(/.*)?/bin/regsvr32,
       /opt/google/picasa(/.*)?/Picasa3/.*exe,
       /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*,
       /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad,
       /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller,
       /home/[^/]+/cxoffice/bin/wine.+, /home/[^/]+/.+

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       staff_wine policy is very flexible, allowing users to set up their
       staff_wine processes in as secure a method as possible.

       The following process types are defined for staff_wine:

       staff_wine_t

       Note: semanage permissive -a staff_wine_t can be used to make the
       process type staff_wine_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       staff_wine policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run staff_wine with the tightest
       access possible.

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to determine whether attempts by wine to mmap low regions
       should be silently blocked, you must turn on the wine_mmap_zero_ignore
       boolean. Disabled by default.

       setsebool -P wine_mmap_zero_ignore 1
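
       The following is an added example, not part of the generated manual
       page: it audits the five booleans above against their documented
       default (off) and finds staff_wine_t processes by exact type match
       rather than by substring grep. The function names and SAMPLE_* data
       are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs use the text formats of `getsebool -a` and `ps -eZ`;
# the SAMPLE_* values below are constructed, not captured from a real host.

# Booleans from the BOOLEANS section, all documented as disabled by default.
STAFF_WINE_BOOLEANS="mmap_low_allowed nis_enabled use_nfs_home_dirs use_samba_home_dirs wine_mmap_zero_ignore"

# Read "name --> on|off" lines on stdin; print each documented boolean that is
# "on" (deviates from the default), or "<name> missing" if it is not present.
enabled_staff_wine_booleans() {
    awk -v want="$STAFF_WINE_BOOLEANS" '
        BEGIN { n = split(want, names, " ") }
        $2 == "-->" { state[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                b = names[i]
                if (!(b in state)) print b " missing"
                else if (state[b] == "on") print b
            }
        }'
}

# Read `ps -eZ` output on stdin; print PIDs whose SELinux type (third
# colon-separated field of the label) is exactly staff_wine_t.
staff_wine_pids() {
    awk '{ split($1, ctx, ":"); if (ctx[3] == "staff_wine_t") print $2 }'
}

# Constructed sample: two documented booleans have been switched on.
SAMPLE_BOOLS='httpd_can_network_connect --> on
mmap_low_allowed --> on
nis_enabled --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
wine_mmap_zero_ignore --> off'

# Constructed sample: one process runs in the staff_wine_t domain.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
staff_u:staff_r:staff_t:s0       4100 pts/0    00:00:00 bash
staff_u:staff_r:staff_wine_t:s0  4242 ?        00:00:03 wine-preloader'

printf '%s\n' "$SAMPLE_BOOLS" | enabled_staff_wine_booleans
printf '%s\n' "$SAMPLE_PS" | staff_wine_pids
```

       On a live system, pipe getsebool -a and ps -eZ into the two functions
       instead of the samples.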

MANAGED FILES

       The SELinux process type staff_wine_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       chrome_sandbox_tmpfs_t

       games_data_t

            /var/games(/.*)?
            /var/lib/games(/.*)?

       gpg_agent_tmp_t

            /home/[^/]+/.gnupg/log-socket

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       mqueue_spool_t

            /var/spool/(client)?mqueue(/.*)?
            /var/spool/mqueue.in(/.*)?

       pulseaudio_tmpfs_t

       pulseaudio_tmpfsfile

       session_dbusd_tmp_t

            /var/run/user/[0-9]+/bus
            /var/run/user/[0-9]+/dbus(/.*)?
            /var/run/user/[0-9]+/dbus-1(/.*)?

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user/[^/]+
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /var/run/user
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /var/run/user/[0-9]+
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       wine_home_t

            /home/[^/]+/.wine(/.*)?

       xserver_tmpfs_t

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

staff_wine                         23-10-20              staff_wine_selinux(8)