1system_cronjob_selinux(8)SELinux Policy system_cronjobsystem_cronjob_selinux(8)
2
3
4
6 system_cronjob_selinux - Security Enhanced Linux Policy for the sys‐
7 tem_cronjob processes
8
10 Security-Enhanced Linux secures the system_cronjob processes via flexi‐
11 ble mandatory access control.
12
13 The system_cronjob processes execute with the system_cronjob_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep system_cronjob_t
20
21
22
24 The system_cronjob_t SELinux type can be entered via the shell_exec_t,
25 usr_t, bin_t, system_cron_spool_t, anacron_exec_t, fusefs_t, nfs_t,
26 cifs_t file types.
27
28 The default entrypoint paths for the system_cronjob_t domain are the
29 following:
30
31 All executables with the default executable label, usually stored in
32 /usr/bin and /usr/sbin. /bin/d?ash, /bin/ksh.*, /bin/zsh.*,
33 /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/bash,
34 /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash2,
35 /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
36 /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
37 /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
38 /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
39 /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
40 /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell, /opt/.*,
41 /usr/.*, /emul/.*, /export(/.*)?, /ostree(/.*)?,
42 /usr/doc(/.*)?/lib(/.*)?, /usr/inclu.e(/.*)?, /usr/share/rpm(/.*)?,
43 /usr/share/doc(/.*)?/README.*, /usr/lib/modules(/.*)/vmlinuz,
44 /usr/lib/modules(/.*)/initramfs.img, /usr/lib/sysimage(/.*)?,
45 /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul, /etc/cron.d(/.*)?,
46 /var/spool/anacron(/.*)?, /etc/crontab, /var/spool/fcron/systab,
47 /var/spool/fcron/new.systab, /var/spool/fcron/systab.orig,
48 /usr/sbin/anacron, /var/run/user/[0-9]+/gvfs
49
51 SELinux defines process types (domains) for each process running on the
52 system
53
54 You can see the context of a process using the -Z option to ps
55
56 Policy governs the access confined processes have to files. SELinux
57 system_cronjob policy is very flexible allowing users to setup their
58 system_cronjob processes in as secure a method as possible.
59
60 The following process types are defined for system_cronjob:
61
62 system_cronjob_t
63
64 Note: semanage permissive -a system_cronjob_t can be used to make the
65 process type system_cronjob_t permissive. SELinux does not deny access
66 to permissive process types, but the AVC (SELinux denials) messages are
67 still generated.
68
69
71 SELinux policy is customizable based on least access required. sys‐
72 tem_cronjob policy is extremely flexible and has several booleans that
73 allow you to manipulate the policy and run system_cronjob with the
74 tightest access possible.
75
76
77
78 If you want to allow system cron jobs to relabel filesystem for restor‐
79 ing file contexts, you must turn on the cron_can_relabel boolean. Dis‐
80 abled by default.
81
82 setsebool -P cron_can_relabel 1
83
84
85
86 If you want to allow system cronjob to be executed on on NFS, CIFS or
87 FUSE filesystem, you must turn on the cron_system_cronjob_use_shares
88 boolean. Disabled by default.
89
90 setsebool -P cron_system_cronjob_use_shares 1
91
92
93
94 If you want to dontaudit all daemons scheduling requests (setsched,
95 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
96 Enabled by default.
97
98 setsebool -P daemons_dontaudit_scheduling 1
99
100
101
102 If you want to deny user domains applications to map a memory region as
103 both executable and writable, this is dangerous and the executable
104 should be reported in bugzilla, you must turn on the deny_execmem bool‐
105 ean. Disabled by default.
106
107 setsebool -P deny_execmem 1
108
109
110
111 If you want to control the ability to mmap a low area of the address
112 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
113 the mmap_low_allowed boolean. Disabled by default.
114
115 setsebool -P mmap_low_allowed 1
116
117
118
119 If you want to allow system to run with NIS, you must turn on the
120 nis_enabled boolean. Disabled by default.
121
122 setsebool -P nis_enabled 1
123
124
125
126 If you want to disable kernel module loading, you must turn on the se‐
127 cure_mode_insmod boolean. Disabled by default.
128
129 setsebool -P secure_mode_insmod 1
130
131
132
133 If you want to allow unconfined executables to make their heap memory
134 executable. Doing this is a really bad idea. Probably indicates a
135 badly coded executable, but could indicate an attack. This executable
136 should be reported in bugzilla, you must turn on the selinuxuser_ex‐
137 echeap boolean. Disabled by default.
138
139 setsebool -P selinuxuser_execheap 1
140
141
142
143 If you want to allow unconfined executables to make their stack exe‐
144 cutable. This should never, ever be necessary. Probably indicates a
145 badly coded executable, but could indicate an attack. This executable
146 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
147 stack boolean. Enabled by default.
148
149 setsebool -P selinuxuser_execstack 1
150
151
152
154 The SELinux process type system_cronjob_t can manage files labeled with
155 the following file types. The paths listed are the default paths for
156 these file types. Note the processes UID still need to have DAC per‐
157 missions.
158
159 file_type
160
161 all files on the system
162
163
165 semanage fcontext can also be used to manipulate default file context
166 mappings.
167
168 semanage permissive can also be used to manipulate whether or not a
169 process type is permissive.
170
171 semanage module can also be used to enable/disable/install/remove pol‐
172 icy modules.
173
174 semanage boolean can also be used to manipulate the booleans
175
176
177 system-config-selinux is a GUI tool available to customize SELinux pol‐
178 icy settings.
179
180
182 This manual page was auto-generated using sepolicy manpage .
183
184
186 selinux(8), system_cronjob(8), semanage(8), restorecon(8), chcon(1),
187 sepolicy(8), setsebool(8)
188
189
190
191system_cronjob 23-12-15 system_cronjob_selinux(8)