system_cronjob_selinux(8)

1system_cronjob_selinux(8)SELinux Policy system_cronjobsystem_cronjob_selinux(8)
2
3
4

NAME

6       system_cronjob_selinux  -  Security  Enhanced Linux Policy for the sys‐
7       tem_cronjob processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the system_cronjob processes via flexi‐
11       ble mandatory access control.
12
13       The  system_cronjob processes execute with the system_cronjob_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep system_cronjob_t
20
21
22

ENTRYPOINTS

24       The  system_cronjob_t SELinux type can be entered via the shell_exec_t,
25       usr_t, bin_t,  system_cron_spool_t,  anacron_exec_t,  fusefs_t,  nfs_t,
26       cifs_t file types.
27
28       The  default  entrypoint  paths for the system_cronjob_t domain are the
29       following:
30
31       All executables with the default executable label,  usually  stored  in
32       /usr/bin    and   /usr/sbin.    /bin/d?ash,   /bin/ksh.*,   /bin/zsh.*,
33       /usr/bin/d?ash, /usr/bin/ksh.*,  /usr/bin/zsh.*,  /bin/esh,  /bin/bash,
34       /bin/fish,  /bin/mksh,  /bin/sash,  /bin/tcsh,  /bin/yash,  /bin/bash2,
35       /usr/bin/esh,     /sbin/nologin,     /usr/bin/bash,      /usr/bin/fish,
36       /usr/bin/mksh,     /usr/bin/sash,     /usr/bin/tcsh,     /usr/bin/yash,
37       /usr/bin/bash2,  /usr/sbin/sesh,   /usr/sbin/smrsh,   /usr/bin/scponly,
38       /usr/libexec/sesh,        /usr/sbin/nologin,        /usr/bin/git-shell,
39       /usr/sbin/scponlyc,  /usr/libexec/sudo/sesh,   /usr/bin/cockpit-bridge,
40       /usr/libexec/cockpit-agent,  /usr/libexec/git-core/git-shell,  /opt/.*,
41       /usr/.*,        /emul/.*,         /export(/.*)?,         /ostree(/.*)?,
42       /usr/doc(/.*)?/lib(/.*)?,   /usr/inclu.e(/.*)?,   /usr/share/rpm(/.*)?,
43       /usr/share/doc(/.*)?/README.*,           /usr/lib/modules(/.*)/vmlinuz,
44       /usr/lib/modules(/.*)/initramfs.img,           /usr/lib/sysimage(/.*)?,
45       /usr/lib/ostree-boot(/.*)?,  /opt,  /usr,   /emul,   /etc/cron.d(/.*)?,
46       /var/spool/anacron(/.*)?,     /etc/crontab,    /var/spool/fcron/systab,
47       /var/spool/fcron/new.systab,              /var/spool/fcron/systab.orig,
48       /usr/sbin/anacron, /var/run/user/[0-9]+/gvfs
49

PROCESS TYPES

51       SELinux defines process types (domains) for each process running on the
52       system
53
54       You can see the context of a process using the -Z option to ps
55
56       Policy governs the access confined processes have  to  files.   SELinux
57       system_cronjob  policy  is  very flexible allowing users to setup their
58       system_cronjob processes in as secure a method as possible.
59
60       The following process types are defined for system_cronjob:
61
62       system_cronjob_t
63
64       Note: semanage permissive -a system_cronjob_t can be used to  make  the
65       process  type system_cronjob_t permissive. SELinux does not deny access
66       to permissive process types, but the AVC (SELinux denials) messages are
67       still generated.
68
69

BOOLEANS

71       SELinux  policy  is  customizable based on least access required.  sys‐
72       tem_cronjob policy is extremely flexible and has several booleans  that
73       allow  you  to  manipulate  the  policy and run system_cronjob with the
74       tightest access possible.
75
76
77
78       If you want to allow system cron jobs to relabel filesystem for restor‐
79       ing  file contexts, you must turn on the cron_can_relabel boolean. Dis‐
80       abled by default.
81
82       setsebool -P cron_can_relabel 1
83
84
85
86       If you want to allow system cronjob to be executed on on NFS,  CIFS  or
87       FUSE  filesystem,  you  must turn on the cron_system_cronjob_use_shares
88       boolean. Disabled by default.
89
90       setsebool -P cron_system_cronjob_use_shares 1
91
92
93
94       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
95       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
96       Enabled by default.
97
98       setsebool -P daemons_dontaudit_scheduling 1
99
100
101
102       If you want to deny user domains applications to map a memory region as
103       both  executable  and  writable,  this  is dangerous and the executable
104       should be reported in bugzilla, you must turn on the deny_execmem bool‐
105       ean. Disabled by default.
106
107       setsebool -P deny_execmem 1
108
109
110
111       If  you  want  to control the ability to mmap a low area of the address
112       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
113       the mmap_low_allowed boolean. Disabled by default.
114
115       setsebool -P mmap_low_allowed 1
116
117
118
119       If  you  want  to  allow  system  to run with NIS, you must turn on the
120       nis_enabled boolean. Disabled by default.
121
122       setsebool -P nis_enabled 1
123
124
125
126       If you want to disable kernel module loading, you must turn on the  se‐
127       cure_mode_insmod boolean. Disabled by default.
128
129       setsebool -P secure_mode_insmod 1
130
131
132
133       If  you  want to allow unconfined executables to make their heap memory
134       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
135       badly  coded  executable, but could indicate an attack. This executable
136       should be reported in bugzilla, you must turn  on  the  selinuxuser_ex‐
137       echeap boolean. Disabled by default.
138
139       setsebool -P selinuxuser_execheap 1
140
141
142
143       If  you  want  to allow unconfined executables to make their stack exe‐
144       cutable.  This should never, ever be necessary.  Probably  indicates  a
145       badly  coded  executable, but could indicate an attack. This executable
146       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
147       stack boolean. Enabled by default.
148
149       setsebool -P selinuxuser_execstack 1
150
151
152

MANAGED FILES

154       The SELinux process type system_cronjob_t can manage files labeled with
155       the following file types.  The paths listed are the default  paths  for
156       these  file  types.  Note the processes UID still need to have DAC per‐
157       missions.
158
159       file_type
160
161            all files on the system
162
163

COMMANDS

165       semanage fcontext can also be used to manipulate default  file  context
166       mappings.
167
168       semanage  permissive  can  also  be used to manipulate whether or not a
169       process type is permissive.
170
171       semanage module can also be used to enable/disable/install/remove  pol‐
172       icy modules.
173
174       semanage boolean can also be used to manipulate the booleans
175
176
177       system-config-selinux is a GUI tool available to customize SELinux pol‐
178       icy settings.
179
180

AUTHOR

182       This manual page was auto-generated using sepolicy manpage .
183
184