rpm_selinux(8)                SELinux Policy rpm                rpm_selinux(8)

NAME

       rpm_selinux - Security Enhanced Linux Policy for the rpm processes

DESCRIPTION

       Security-Enhanced Linux secures the rpm processes via flexible
       mandatory access control.

       The rpm processes execute with the rpm_t SELinux type. You can check if
       you have these processes running by executing the ps command with the
       -Z qualifier.

       For example:

       ps -eZ | grep rpm_t


ENTRYPOINTS

       The rpm_t SELinux type can be entered via the rpm_script_exec_t,
       rpm_exec_t, debuginfo_exec_t file types.

       The default entrypoint paths for the rpm_t domain are the following:

       /usr/bin/dnf-[0-9]+, /usr/sbin/rhn_check-[0-9]+.[0-9]+,
       /usr/libexec/yumDBUSBackend.py, /bin/rpm, /usr/bin/dnf, /usr/bin/rpm,
       /usr/bin/yum, /usr/bin/zif, /usr/sbin/pup, /usr/bin/smart,
       /usr/sbin/bcfg2, /usr/sbin/pirut, /usr/bin/apt-get, /bin/yum-builddep,
       /usr/sbin/up2date, /usr/bin/apt-shell, /usr/bin/repoquery,
       /usr/sbin/synaptic, /usr/sbin/yum-cron, /usr/sbin/rhn_check,
       /usr/sbin/rhnreg_ks, /usr/bin/anaconda-yum, /usr/bin/yum-builddep,
       /usr/sbin/packagekitd, /usr/bin/dnf-automatic, /usr/sbin/yum-updatesd,
       /usr/bin/yum-deprecated, /usr/bin/package-cleanup,
       /usr/libexec/packagekitd, /usr/bin/fedora-rmdevelrpms,
       /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/system-install-packages,
       /usr/share/yumex/yum_childtask.py, /usr/sbin/yum-complete-transaction,
       /usr/share/yumex/yumex-yum-backend,
       /usr/libexec/rhc/rhc-package-manager-worker,
       /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt,
       /usr/libexec/dnf-utils, /usr/bin/debuginfo-install


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       rpm policy is very flexible, allowing users to set up their rpm
       processes in as secure a manner as possible.

       The following process types are defined for rpm:

       rpm_t, rpmdb_t, rpm_script_t

       Note: semanage permissive -a rpm_t can be used to make the process type
       rpm_t permissive. SELinux does not deny access to permissive process
       types, but the AVC (SELinux denials) messages are still generated.


BOOLEANS

       SELinux policy is customizable based on least access required. rpm
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run rpm with the tightest access possible.

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Disabled by default.

       setsebool -P secure_mode_insmod 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execheap 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1


MANAGED FILES

       The SELinux process type rpm_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       file_type

            all files on the system


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux rpm policy is very flexible, allowing users to set up their rpm
       processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       rpm policy stores data with multiple different file context types under
       the /var/lib/rpm directory. If you would like to store the data in a
       different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following commands:

       semanage fcontext -a -e /var/lib/rpm /srv/rpm
       restorecon -R -v /srv/rpm

       STANDARD FILE CONTEXT

       SELinux defines the file context types for rpm. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to label content
       under /srv/rpm/content as rpm_exec_t:

       semanage fcontext -a -t rpm_exec_t '/srv/rpm/content(/.*)?'
       restorecon -R -v /srv/rpm/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for rpm:

160
       rpm_exec_t

       - Set files with the rpm_exec_t type, if you want to transition an
       executable to the rpm_t domain.

       Paths:
            /usr/bin/dnf-[0-9]+, /usr/sbin/rhn_check-[0-9]+.[0-9]+,
            /usr/libexec/yumDBUSBackend.py, /bin/rpm, /usr/bin/dnf,
            /usr/bin/rpm, /usr/bin/yum, /usr/bin/zif, /usr/sbin/pup,
            /usr/bin/smart, /usr/sbin/bcfg2, /usr/sbin/pirut, /usr/bin/apt-get,
            /bin/yum-builddep, /usr/sbin/up2date, /usr/bin/apt-shell,
            /usr/bin/repoquery, /usr/sbin/synaptic, /usr/sbin/yum-cron,
            /usr/sbin/rhn_check, /usr/sbin/rhnreg_ks, /usr/bin/anaconda-yum,
            /usr/bin/yum-builddep, /usr/sbin/packagekitd,
            /usr/bin/dnf-automatic, /usr/sbin/yum-updatesd,
            /usr/bin/yum-deprecated, /usr/bin/package-cleanup,
            /usr/libexec/packagekitd, /usr/bin/fedora-rmdevelrpms,
            /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/system-install-packages,
            /usr/share/yumex/yum_childtask.py,
            /usr/sbin/yum-complete-transaction,
            /usr/share/yumex/yumex-yum-backend,
            /usr/libexec/rhc/rhc-package-manager-worker,
            /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt

       rpm_file_t

       - Set files with the rpm_file_t type, if you want to treat the files as
       rpm content.

       rpm_log_t

       - Set files with the rpm_log_t type, if you want to treat the data as
       rpm log data, usually stored under the /var/log directory.

       Paths:
            /var/log/dnf.log.*, /var/log/dnf.rpm.log.*,
            /var/log/dnf.librepo.log.*, /var/log/hawkey.*,
            /var/log/up2date.*, /var/log/yum.log.*

       rpm_script_exec_t

       - Set files with the rpm_script_exec_t type, if you want to transition
       an executable to the rpm_script_t domain.

       rpm_script_tmp_t

       - Set files with the rpm_script_tmp_t type, if you want to store rpm
       script temporary files in the /tmp directories.

       rpm_script_tmpfs_t

       - Set files with the rpm_script_tmpfs_t type, if you want to store rpm
       script files on a tmpfs file system.

       rpm_tmp_t

       - Set files with the rpm_tmp_t type, if you want to store rpm temporary
       files in the /tmp directories.

       rpm_tmpfs_t

       - Set files with the rpm_tmpfs_t type, if you want to store rpm files
       on a tmpfs file system.

       rpm_var_cache_t

       - Set files with the rpm_var_cache_t type, if you want to store the
       files under the /var/cache directory.

       Paths:
            /var/cache/dnf(/.*)?, /var/cache/yum(/.*)?,
            /var/spool/up2date(/.*)?, /var/cache/PackageKit(/.*)?

       rpm_var_lib_t

       - Set files with the rpm_var_lib_t type, if you want to store the rpm
       files under the /var/lib directory.

       Paths:
            /var/lib/dnf(/.*)?, /var/lib/rpm(/.*)?, /var/lib/yum(/.*)?,
            /var/lib/PackageKit(/.*)?, /usr/lib/sysimage/rpm(/.*)?,
            /var/lib/alternatives(/.*)?, /var/lib/rpmrebuilddb.*(/.*)?

       rpm_var_run_t

       - Set files with the rpm_var_run_t type, if you want to store the rpm
       files under the /run or /var/run directory.

       Paths:
            /var/run/yum.*, /var/run/PackageKit(/.*)?

       rpmdb_exec_t

       - Set files with the rpmdb_exec_t type, if you want to transition an
       executable to the rpmdb_t domain.

       Paths:
            /usr/bin/rpmdb, /usr/lib/rpm/rpmdb_migrate

       rpmdb_tmp_t

       - Set files with the rpmdb_tmp_t type, if you want to store rpmdb
       temporary files in the /tmp directories.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

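       As an added, offline illustration (example code written for this page,
       not part of sepolicy or the rpm policy), the following Python emulates
       how restorecon compares on-disk labels against the rpm file context
       rules above: it encodes a subset of the listed paths as anchored
       regexes, applies the last-match-wins rule libselinux uses for
       file_contexts (assumption: no local customizations or other modules),
       and reports files in constructed ls -Z output whose type differs.

```python
import re

# Subset of the rpm file-context rules from the man page (regex, type);
# as in file_contexts(5) the regex must match the whole path.
RPM_FILE_CONTEXTS = [
    (r"/usr/bin/rpm", "rpm_exec_t"),
    (r"/usr/bin/dnf", "rpm_exec_t"),
    (r"/usr/bin/dnf-[0-9]+", "rpm_exec_t"),
    (r"/var/log/dnf.log.*", "rpm_log_t"),
    (r"/var/cache/dnf(/.*)?", "rpm_var_cache_t"),
    (r"/var/lib/rpm(/.*)?", "rpm_var_lib_t"),
    (r"/var/lib/dnf(/.*)?", "rpm_var_lib_t"),
    (r"/var/run/yum.*", "rpm_var_run_t"),
    (r"/usr/bin/rpmdb", "rpmdb_exec_t"),
]
COMPILED = [(re.compile(p), t) for p, t in RPM_FILE_CONTEXTS]

def expected_type(path):
    """Type the documented rules assign to path, or None. The last matching
    rule wins, as libselinux does (assumption: local customizations ignored)."""
    found = None
    for rx, ftype in COMPILED:
        if rx.fullmatch(path):
            found = ftype
    return found

def parse_ls_z(line):
    """Split an 'ls -Z' line '<user>:<role>:<type>:<range> <path>' into (type, path)."""
    context, path = line.split(None, 1)
    return context.split(":")[2], path.strip()

def find_mislabeled(ls_z_output):
    """Return [(path, actual, expected)] for files whose label differs from
    the documented rpm labeling; paths no rule covers are skipped."""
    mismatches = []
    for line in ls_z_output.strip().splitlines():
        actual, path = parse_ls_z(line)
        want = expected_type(path)
        if want is not None and actual != want:
            mismatches.append((path, actual, want))
    return mismatches

# Constructed sample 'ls -Z' output, not captured from a real system.
SAMPLE = """\
system_u:object_r:rpm_exec_t:s0 /usr/bin/rpm
system_u:object_r:bin_t:s0 /usr/bin/dnf-4
unconfined_u:object_r:user_home_t:s0 /var/lib/rpm/Packages
system_u:object_r:var_log_t:s0 /var/log/dnf.log.1
system_u:object_r:etc_t:s0 /etc/dnf/dnf.conf
"""
```

       Each reported path is one that restorecon -R -v would relabel; the
       /etc/dnf/dnf.conf line is skipped because no rpm rule covers it.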

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), rpm_script_selinux(8)

rpm                                23-10-20                     rpm_selinux(8)