Selinux in Linux

Selinux in Linux

 

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in RHEL4 and significantly enhanced in RHEL5.

SELinux has 3 basic modes of operation out of which Enforcing is set as the default mode

• Enforcing: The default mode which will enable and enforce the SELinux security policy on the system, denying access and logging actions
• Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues
• Disabled: SELinux is turned off

The SELinux mode can be viewed and changed by using the SELinux Management GUI tool available on the Administration menu or from the command line by running ‘system-config-selinux’ (the SELinux Management GUI tool is part of the policycoreutils-gui package and is not installed by default).

Users who prefer the command line may use the ‘sestatus’ command to view the current SELinux status:

# sestatus

SELinux status: enabled

SELinuxfs mount: /selinux

Current mode: enforcing

Mode from config file: enforcing

Policy version: 21

Policy from config file: targeted

The ‘setenforce’ command may be used to switch between Enforcing andPermissive modes on the fly but note that these changes do not persist through a system reboot.

To make changes persistent through a system reboot, edit the SELINUX= line in /etc/selinux/config for either ‘enforcing’, ‘permissive’, or ‘disabled’. For example, SELINUX=permissive.

SELinux has 3 forms of access control:

• Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy
• Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user), but not used in the default targeted policy
• Multi-Level Security (MLS): Not used and often hidden in the default targeted policy.

All processes and files have an SELinux security context. Lets see these in action by looking at the SELinux security context of our Apache homepage, index.html: $ ls -Z /var/www/html/index.html  -rw-r–r–   phil phil system_u:object_r:httpd_sys_content_t /var/www/html/index.html

Now lets look at the SELinux security context of the Apache web server process, httpd:

$ ps axZ | grep httpd

system_u:system_r:httpd_t         3234 ?                Ss             0:00             /usr/sbin/httpd

Finally, lets look at the SELinux security context of a file in our home directory:

$ ls -Z /home/phil/myfile.txt

-rw-r–r–                 phil phil                 user_u:object_r:user_home_t             /home/phil/myfile.txt

where we see the type is user_home_t, the default type for files in a users home directory.

The SELinux Troubleshooting tool is provided by the setroubleshoot package and is installed by default. The tool may be launched from the System menu or from the command line:

$ sealert -b

Those not running an X server may generate human-readable reports from the command line:

sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt

Lets look at some examples.

Using Apache as an example, suppose you want to change the DocumentRoot to serve web pages from a location other than the default /var/www/html directory. Suppose we create a directory (or maybe a mount point) at /html and create our index.html file there:

# mkdir /html

# touch /html/index.html

# ls -Z /html/index.html

-rw-r–r– root root user_u:object_r:default_t /html/index.html

# ls -Z | grep html

drwxr-xr-x root root user_u:object_r:default_t html

we see that both the directory /html and file /html/index.html have the security context type default_t. If we start our web browser and try to view the page SELinux will deny access and log the error because the directory and file(s) have the wrong security context. We need to set the correct security context type for Apache of httpd_sys_content_t:

# chcon -v –type=httpd_sys_content_t /html

context of /html changed to user_u:object_r:httpd_sys_content_t

# chcon -v –type=httpd_sys_content_t /html/index.html

context of /html/index.html changed to user_u:object_r:httpd_sys_content_t

# ls -Z /html/index.html

-rw-r–r– root root user_u:object_r:httpd_sys_content_t /html/index.html

# ls -Z | grep html

drwxr-xr-x root root user_u:object_r:httpd_sys_content_t html

Equally we could have set both in one go using the -R recursive switch:

# chcon -Rv –type=httpd_sys_content_t /html

Modifying security contexts in this manner will persist between reboots unless the complete filesystem is relabeled (see later). To make the security context changes permanent, even through a complete filesystem relabel, we can use the SELinux Management Tool or the ‘semanage’ command from the command line:

semanage fcontext -a -t httpd_sys_content_t “/html(/.*)?”

The ‘restorecon’ command may be used to restore file(s) default SELinux security contexts.

To restore just the index.html file, we would use:

# restorecon -v /var/www/html/index.html

or to recursively restore the default security contexts for the whole directory:

# restorecon -Rv /var/www/html

we can use restorecon with the -n switch to prevent any relabelling occurring:

# restorecon -Rv -n /var/www/html

RELABEL COMPLETE FILESYSTEM

Sometimes it is necessary to relabel the complete filesystem although this should only be necessary when enabling SELinux after it has been disabled or when changing the SELinux policy from the default targeted policy to strict. To automatically relabel the complete filesystem upon reboot, do:

# touch /.autorelabel

# reboot

We may want a service such as Apache to be allowed to bind and listen for incoming connections on a non-standard port. By default, the SELinux policy will only allow services access to recognized ports associated with those services. If we wanted to allow Apache to listen on tcp port 81, we can add a rule to allow that using the ‘semanage’ command:

# semanage port -a -t http_port_t -p tcp 81

A full list of ports that services are permitted access by SELinux can be obtained with:

There is a separate Wiki page dealing with booleans.

WHICH BOOLEAN DO I NEED?

getsebool -a 

will show you all available booleans on your system which can be changed by you. So take a look at the list that gives you and check the booleans which might be interesting for you against the list below to see if it really does what you think it does.

admin@forge:~$/usr/sbin/getsebool -a | grep httpd allow_httpd_anon_write --> off allow_httpd_bugzilla_script_anon_write --> off allow_httpd_mod_auth_pam --> off allow_httpd_nagios_script_anon_write --> off allow_httpd_squid_script_anon_write --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_network_connect --> off httpd_can_network_connect_db --> off httpd_can_network_relay --> off httpd_disable_trans --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> on httpd_rotatelogs_disable_trans --> off httpd_ssi_exec --> off httpd_suexec_disable_trans --> off httpd_tty_comm --> on

 httpd_unified --> on

httpd_can_network_connect looks interesting – let us check with the list below:

httpd_can_network_connect (HTTPD Service):: Allow HTTPD scripts and modules to connect to the network.

Looks like it could be the one you need …

setsebool -P httpd_can_network_connect on

will turn that on for you. Et voilà – it works.

system-config-selinux from the policycoreutils-gui package has the same list as the one below. So if you have a GUI available you probably are better off installing that package and making the changes there.

For all others: Here is the 

acct_disable_trans (SELinux Service Protection)

Disable SELinux protection for acct daemon

allow_cvs_read_shadow (CVS)

Allow cvs daemon to read shadow

allow_daemons_dump_core (Admin)

Allow all daemons to write corefiles to /.

allow_daemons_use_tty (Admin)

Allow all daemons the ability to use unallocated ttys.

allow_execheap (Memory Protection)

Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

allow_execmem (Memory Protection)

Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla

allow_execmod (Memory Protection)

Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t

allow_execstack (Memory Protection)

Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

allow_ftpd_full_access (FTP)

Allow ftpd to full access to the system

allow_ftpd_anon_write (FTP)

Allow ftpd to upload files to directories labeled public_content_rw_t

allow_ftpd_use_cifs (FTP)

Allow ftp servers to use cifs used for public file transfer services.

allow_ftpd_use_nfs (FTP)

Allow ftp servers to use nfs used for public file transfer services.

allow_gpg_execstack (Memory Protection)

Allow gpg executable stack

allow_gssd_read_tmp (NFS)

Allow gssd to read temp directory.

allow_httpd_anon_write (HTTPD Service)

Allow httpd daemon to write files in directories labeled public_content_rw_t

allow_httpd_mod_auth_pam (HTTPD Service)

Allow Apache to use mod_auth_pam.

allow_httpd_sys_script_anon_write (HTTPD Service)

Allow httpd scripts to write files in directories labeled public_content_rw_t

allow_java_execstack (Memory Protection)

Allow java executable stack

allow_kerberos (Kerberos)

Allow daemons to use kerberos files

allow_mount_anyfile (Mount)

Allow mount to mount any file

allow_mounton_anydir (Mount)

Allow mount to mount any dir

allow_mplayer_execstack (Memory Protection)

Allow mplayer executable stack

allow_nfsd_anon_write (NFS)

Allow nfs servers to modify public files used for public file transfer services.

allow_polyinstantiation (Polyinstatiation)

Enable polyinstantiated directory support.

allow_ptrace (Compatibility)

Allow sysadm_t to debug or ptrace applications

allow_rsync_anon_write (rsync)

Allow rsync to write files in directories labeled public_content_rw_t

allow_smbd_anon_write (Samba)

Allow Samba to write files in directories labeled public_content_rw_t

allow_ssh_keysign (SSH)

Allow ssh to run ssh-keysign

allow_unconfined_execmem_dyntrans (Memory Protection)

Allow unconfined to dyntrans to unconfined_execmem

allow_user_mysql_connect (Databases)

Allow user to connect to mysql socket

allow_user_postgresql_connect (Databases)

Allow user to connect to postgres socket

allow_write_xshm (XServer)

Allow clients to write to X shared memory

allow_ypbind (NIS)

Allow daemons to run with NIS

allow_zebra_write_config (Zebra)

Allow zebra daemon to write it configuration files

amanda_disable_trans (SELinux Service Protection)

Disable SELinux protection for amanda

amavis_disable_trans (SELinux Service Protection)

Disable SELinux protection for amavis

apmd_disable_trans (SELinux Service Protection)

Disable SELinux protection for apmd daemon

arpwatch_disable_trans (SELinux Service Protection)

Disable SELinux protection for arpwatch daemon

auditd_disable_trans (SELinux Service Protection)

Disable SELinux protection for auditd daemon

automount_disable_trans (Mount)

Disable SELinux protection for automount daemon

avahi_disable_trans (SELinux Service Protection)

Disable SELinux protection for avahi

bluetooth_disable_trans (SELinux Service Protection)

Disable SELinux protection for bluetooth daemon

canna_disable_trans (SELinux Service Protection)

Disable SELinux protection for canna daemon

cardmgr_disable_trans (SELinux Service Protection)

Disable SELinux protection for cardmgr daemon

ccs_disable_trans (SELinux Service Protection)

Disable SELinux protection for Cluster Server

cdrecord_read_content (User Privs)

Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files

ciped_disable_trans (SELinux Service Protection)

Disable SELinux protection for ciped daemon

clamd_disable_trans (SELinux Service Protection)

Disable SELinux protection for clamd daemon

clamscan_disable_trans (SELinux Service Protection)

Disable SELinux protection for clamscan

clvmd_disable_trans (SELinux Service Protection)

Disable SELinux protection for clvmd

comsat_disable_trans (SELinux Service Protection)

Disable SELinux protection for comsat daemon

courier_authdaemon_disable_trans (SELinux Service Protection)

Disable SELinux protection for courier daemon

courier_pcp_disable_trans (SELinux Service Protection)

Disable SELinux protection for courier daemon

courier_pop_disable_trans (SELinux Service Protection)

Disable SELinux protection for courier daemon

courier_sqwebmail_disable_trans (SELinux Service Protection)

Disable SELinux protection for courier daemon

courier_tcpd_disable_trans (SELinux Service Protection)

Disable SELinux protection for courier daemon

cpucontrol_disable_trans (SELinux Service Protection)

Disable SELinux protection for cpucontrol daemon

cpuspeed_disable_trans (SELinux Service Protection)

Disable SELinux protection for cpuspeed daemon

cron_can_relabel (Cron)

Allow system cron jobs to relabel filesystem for restoring file contexts.

crond_disable_trans (Cron)

Disable SELinux protection for crond daemon

cupsd_config_disable_trans (Printing)

Disable SELinux protection for cupsd backend server

cupsd_disable_trans (Printing)

Disable SELinux protection for cupsd daemon

cupsd_lpd_disable_trans (Printing)

Disable SELinux protection for cupsd_lpd

cvs_disable_trans (CVS)

Disable SELinux protection for cvs daemon

cyrus_disable_trans (SELinux Service Protection)

Disable SELinux protection for cyrus daemon

dbskkd_disable_trans (SELinux Service Protection)

Disable SELinux protection for dbskkd daemon

dbusd_disable_trans (SELinux Service Protection)

Disable SELinux protection for dbusd daemon

dccd_disable_trans (SELinux Service Protection)

Disable SELinux protection for dccd

dccifd_disable_trans (SELinux Service Protection)

Disable SELinux protection for dccifd

dccm_disable_trans (SELinux Service Protection)

Disable SELinux protection for dccm

ddt_client_disable_trans (SELinux Service Protection)

Disable SELinux protection for ddt daemon

devfsd_disable_trans (SELinux Service Protection)

Disable SELinux protection for devfsd daemon

dhcpc_disable_trans (SELinux Service Protection)

Disable SELinux protection for dhcpc daemon

dhcpd_disable_trans (SELinux Service Protection)

Disable SELinux protection for dhcpd daemon

dictd_disable_trans (SELinux Service Protection)

Disable SELinux protection for dictd daemon

direct_sysadm_daemon (Admin)

Allow sysadm_t to directly start daemons

disable_evolution_trans (Web Applications)

Disable SELinux protection for Evolution

disable_games_trans (Games)

Disable SELinux protection for games

disable_mozilla_trans (Web Applications)

Disable SELinux protection for the web browsers

disable_thunderbird_trans (Web Applications)

Disable SELinux protection for Thunderbird

distccd_disable_trans (SELinux Service Protection)

Disable SELinux protection for distccd daemon

dmesg_disable_trans (SELinux Service Protection)

Disable SELinux protection for dmesg daemon

dnsmasq_disable_trans (SELinux Service Protection)

Disable SELinux protection for dnsmasq daemon

dovecot_disable_trans (SELinux Service Protection)

Disable SELinux protection for dovecot daemon

entropyd_disable_trans (SELinux Service Protection)

Disable SELinux protection for entropyd daemon

fcron_crond (Cron)

Enable extra rules in the cron domain to support fcron.

fetchmail_disable_trans (SELinux Service Protection)

Disable SELinux protection for fetchmail

fingerd_disable_trans (SELinux Service Protection)

Disable SELinux protection for fingerd daemon

freshclam_disable_trans (SELinux Service Protection)

Disable SELinux protection for freshclam daemon

fsdaemon_disable_trans (SELinux Service Protection)

Disable SELinux protection for fsdaemon daemon

ftpd_disable_trans (FTP)

Disable SELinux protection for ftpd daemon

ftpd_is_daemon (FTP)

Allow ftpd to run directly without inetd

ftp_home_dir (FTP)

Allow ftp to read/write files in the user home directories

global_ssp (Admin)

This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.

gpm_disable_trans (SELinux Service Protection)

Disable SELinux protection for gpm daemon

gssd_disable_trans (NFS)

Disable SELinux protection for gss daemon

hald_disable_trans (SELinux Service Protection)

Disable SELinux protection for hal daemon

hide_broken_symptoms (Compatibility)

Do not audit things that we know to be broken but which are not security risks

hostname_disable_trans (SELinux Service Protection)

Disable SELinux protection for hostname daemon

hotplug_disable_trans (SELinux Service Protection)

Disable SELinux protection for hotplug daemon

howl_disable_trans (SELinux Service Protection)

Disable SELinux protection for howl daemon

hplip_disable_trans (Printing)

Disable SELinux protection for cups hplip daemon

httpd_builtin_scripting (HTTPD Service)

Allow HTTPD to support built-in scripting

httpd_can_network_connect_db (HTTPD Service)

Allow HTTPD scripts and modules to network connect to databases.

httpd_can_network_connect (HTTPD Service)

Allow HTTPD scripts and modules to connect to the network.

httpd_can_network_relay (HTTPD Service)

Allow httpd to act as a relay.

httpd_disable_trans (HTTPD Service)

Disable SELinux protection for httpd daemon

httpd_enable_cgi (HTTPD Service)

Allow HTTPD cgi support

httpd_enable_ftp_server (HTTPD Service)

Allow HTTPD to run as a ftp server

httpd_enable_homedirs (HTTPD Service)

Allow HTTPD to read home directories

httpd_rotatelogs_disable_trans (SELinux Service Protection)

Disable SELinux protection for httpd rotatelogs

httpd_ssi_exec (HTTPD Service)

Allow HTTPD to run SSI executables in the same domain as system CGI scripts.

httpd_suexec_disable_trans (HTTPD Service)

Disable SELinux protection for http suexec

httpd_tty_comm (HTTPD Service)

Unify HTTPD to communicate with the terminal. Needed for handling certificates.

httpd_unified (HTTPD Service)

Unify HTTPD handling of all content files.

hwclock_disable_trans (SELinux Service Protection)

Disable SELinux protection for hwclock daemon

i18n_input_disable_trans (SELinux Service Protection)

Disable SELinux protection for i18n daemon

imazesrv_disable_trans (SELinux Service Protection)

Disable SELinux protection for imazesrv daemon

inetd_child_disable_trans (SELinux Service Protection)

Disable SELinux protection for inetd child daemons

inetd_disable_trans (SELinux Service Protection)

Disable SELinux protection for inetd daemon

innd_disable_trans (SELinux Service Protection)

Disable SELinux protection for innd daemon

iptables_disable_trans (SELinux Service Protection)

Disable SELinux protection for iptables daemon

ircd_disable_trans (SELinux Service Protection)

Disable SELinux protection for ircd daemon

irqbalance_disable_trans (SELinux Service Protection)

Disable SELinux protection for irqbalance daemon

iscsid_disable_trans (SELinux Service Protection)

Disable SELinux protection for iscsi daemon

jabberd_disable_trans (SELinux Service Protection)

Disable SELinux protection for jabberd daemon

kadmind_disable_trans (Kerberos)

Disable SELinux protection for kadmind daemon

klogd_disable_trans (SELinux Service Protection)

Disable SELinux protection for klogd daemon

krb5kdc_disable_trans (Kerberos)

Disable SELinux protection for krb5kdc daemon

ktalkd_disable_trans (SELinux Service Protection)

Disable SELinux protection for ktalk daemons

kudzu_disable_trans (SELinux Service Protection)

Disable SELinux protection for kudzu daemon

locate_disable_trans (SELinux Service Protection)

Disable SELinux protection for locate daemon

lpd_disable_trans (SELinux Service Protection)

Disable SELinux protection for lpd daemon

lrrd_disable_trans (SELinux Service Protection)

Disable SELinux protection for lrrd daemon

lvm_disable_trans (SELinux Service Protection)

Disable SELinux protection for lvm daemon

mailman_mail_disable_trans (SELinux Service Protection)

Disable SELinux protection for mailman

mail_read_content (Web Applications)

Allow evolution and thunderbird to read user files

mdadm_disable_trans (SELinux Service Protection)

Disable SELinux protection for mdadm daemon

monopd_disable_trans (SELinux Service Protection)

Disable SELinux protection for monopd daemon

mozilla_read_content (Web Applications)

Allow the mozilla browser to read user files

mrtg_disable_trans (SELinux Service Protection)

Disable SELinux protection for mrtg daemon

mysqld_disable_trans (Databases)

Disable SELinux protection for mysqld daemon

nagios_disable_trans (SELinux Service Protection)

Disable SELinux protection for nagios daemon

named_disable_trans (Name Service)

Disable SELinux protection for named daemon

named_write_master_zones (Name Service)

Allow named to overwrite master zone files

nessusd_disable_trans (SELinux Service Protection)

Disable SELinux protection for nessusd daemon

NetworkManager_disable_trans (SELinux Service Protection)

Disable SELinux protection for NetworkManager

nfsd_disable_trans (NFS)

Disable SELinux protection for nfsd daemon

nfs_export_all_ro (NFS)

Allow NFS to share any file/directory read only

nfs_export_all_rw (NFS)

Allow NFS to share any file/directory read/write

nmbd_disable_trans (Samba)

Disable SELinux protection for nmbd daemon

nrpe_disable_trans (SELinux Service Protection)

Disable SELinux protection for nrpe daemon

nscd_disable_trans (Name Service)

Disable SELinux protection for nscd daemon

nsd_disable_trans (SELinux Service Protection)

Disable SELinux protection for nsd daemon

ntpd_disable_trans (SELinux Service Protection)

Disable SELinux protection for ntpd daemon

oddjob_disable_trans (SELinux Service Protection)

Disable SELinux protection for oddjob

oddjob_mkhomedir_disable_trans (SELinux Service Protection)

Disable SELinux protection for oddjob_mkhomedir

openvpn_disable_trans (SELinux Service Protection)

Disable SELinux protection for openvpn daemon

pam_console_disable_trans (SELinux Service Protection)

Disable SELinux protection for pam daemon

pegasus_disable_trans (SELinux Service Protection)

Disable SELinux protection for pegasus

perdition_disable_trans (SELinux Service Protection)

Disable SELinux protection for perdition daemon

portmap_disable_trans (SELinux Service Protection)

Disable SELinux protection for portmap daemon

portslave_disable_trans (SELinux Service Protection)

Disable SELinux protection for portslave daemon

postfix_disable_trans (SELinux Service Protection)

Disable SELinux protection for postfix

postgresql_disable_trans (Databases)

Disable SELinux protection for postgresql daemon

pppd_can_insmod (pppd)

Allow pppd daemon to insert modules into the kernel

pppd_disable_trans (pppd)

Disable SELinux protection for pppd daemon

pppd_disable_trans (pppd)

Disable SELinux protection for the mozilla ppp daemon

pppd_for_user (pppd)

Allow pppd to be run for a regular user.

pptp_disable_trans (SELinux Service Protection)

Disable SELinux protection for pptp

prelink_disable_trans (SELinux Service Protection)

Disable SELinux protection for prelink daemon

privoxy_disable_trans (SELinux Service Protection)

Disable SELinux protection for privoxy daemon

ptal_disable_trans (SELinux Service Protection)

Disable SELinux protection for ptal daemon

pxe_disable_trans (SELinux Service Protection)

Disable SELinux protection for pxe daemon

pyzord_disable_trans (SELinux Service Protection)

Disable SELinux protection for pyzord

quota_disable_trans (SELinux Service Protection)

Disable SELinux protection for quota daemon

radiusd_disable_trans (SELinux Service Protection)

Disable SELinux protection for radiusd daemon

radvd_disable_trans (SELinux Service Protection)

Disable SELinux protection for radvd daemon

rdisc_disable_trans (SELinux Service Protection)

Disable SELinux protection for rdisc

readahead_disable_trans (SELinux Service Protection)

Disable SELinux protection for readahead

read_default_t (Admin)

Allow programs to read files in non-standard locations default_t

read_untrusted_content (Web Applications)

Allow programs to read untrusted content without relabel

restorecond_disable_trans (SELinux Service Protection)

Disable SELinux protection for restorecond

rhgb_disable_trans (SELinux Service Protection)

Disable SELinux protection for rhgb daemon

ricci_disable_trans (SELinux Service Protection)

Disable SELinux protection for ricci

ricci_modclusterd_disable_trans (SELinux Service Protection)

Disable SELinux protection for ricci_modclusterd

rlogind_disable_trans (SELinux Service Protection)

Disable SELinux protection for rlogind daemon

rpcd_disable_trans (SELinux Service Protection)

Disable SELinux protection for rpcd daemon

rshd_disable_trans (SELinux Service Protection)

Disable SELinux protection for rshd

rsync_disable_trans (rsync)

Disable SELinux protection for rsync daemon

run_ssh_inetd (SSH)

Allow ssh to run from inetd instead of as a daemon

samba_enable_home_dirs (Samba)

Allow Samba to share users home directories

samba_share_nfs (Samba)

Allow Samba to share nfs directories

allow_saslauthd_read_shadow (SASL authentication server)

Allow sasl authentication server to read /etc/shadow

saslauthd_disable_trans (SASL authentication server)

Disable SELinux protection for saslauthd daemon

scannerdaemon_disable_trans (SELinux Service Protection)

Disable SELinux protection for scannerdaemon daemon

secure_mode (Admin)

Do not allow transition to sysadm_t, sudo and su effected

secure_mode_insmod (Admin)

Do not allow any processes to load kernel modules

secure_mode_policyload (Admin)

Do not allow any processes to modify kernel SELinux policy

sendmail_disable_trans (SELinux Service Protection)

Disable SELinux protection for sendmail daemon

setrans_disable_trans (SELinux Service Protection)

Disable SELinux protection for setrans

setroubleshootd_disable_trans (SELinux Service Protection)

Disable SELinux protection for setroublesoot daemon

slapd_disable_trans (SELinux Service Protection)

Disable SELinux protection for slapd daemon

slrnpull_disable_trans (SELinux Service Protection)

Disable SELinux protection for slrnpull daemon

smbd_disable_trans (Samba)

Disable SELinux protection for smbd daemon

snmpd_disable_trans (SELinux Service Protection)

Disable SELinux protection for snmpd daemon

snort_disable_trans (SELinux Service Protection)

Disable SELinux protection for snort daemon

soundd_disable_trans (SELinux Service Protection)

Disable SELinux protection for soundd daemon

sound_disable_trans (SELinux Service Protection)

Disable SELinux protection for sound daemon

spamassassin_can_network (Spam Assassin)

Allow Spam Assasin daemon network access

spamd_disable_trans (spam Protection)

Disable SELinux protection for spamd daemon

spamd_enable_home_dirs (spam Protection)

Allow spamd to access home directories

spammassasin_can_network (spam Protection)

Allow spammassasin to access the network

speedmgmt_disable_trans (SELinux Service Protection)

Disable SELinux protection for speedmgmt daemon

squid_connect_any (Squid)

Allow squid daemon to connect to the network

squid_disable_trans (Squid)

Disable SELinux protection for squid daemon

ssh_keygen_disable_trans (SSH)

Disable SELinux protection for ssh daemon

ssh_sysadm_login (SSH)

Allow ssh logins as sysadm_r:sysadm_t

staff_read_sysadm_file (Admin)

Allow staff_r users to search the sysadm home dir and read files such as ~/.bashrc

stunnel_disable_trans (Universal SSL tunnel)

Disable SELinux protection for stunnel daemon

stunnel_is_daemon (Universal SSL tunnel)

Allow stunnel daemon to run as standalone, outside of xinetd

swat_disable_trans (SELinux Service Protection)

Disable SELinux protection for swat daemon

sxid_disable_trans (SELinux Service Protection)

Disable SELinux protection for sxid daemon

syslogd_disable_trans (SELinux Service Protection)

Disable SELinux protection for syslogd daemon

system_crond_disable_trans (SELinux Service Protection)

Disable SELinux protection for system cron jobs

tcpd_disable_trans (SELinux Service Protection)

Disable SELinux protection for tcp daemon

telnetd_disable_trans (SELinux Service Protection)

Disable SELinux protection for telnet daemon

tftpd_disable_trans (SELinux Service Protection)

Disable SELinux protection for tftpd daemon

transproxy_disable_trans (SELinux Service Protection)

Disable SELinux protection for transproxy daemon

udev_disable_trans (SELinux Service Protection)

Disable SELinux protection for udev daemon

uml_switch_disable_trans (SELinux Service Protection)

Disable SELinux protection for uml daemon

unlimitedInetd (Admin)

Allow xinetd to run unconfined, including any services it starts that do not have a domain transition explicitly defined.

unlimitedRC (Admin)

Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined.

unlimitedRPM (Admin)

Allow rpm to run unconfined.

unlimitedUtils (Admin)

Allow privileged utilities like hotplug and insmod to run unconfined.

updfstab_disable_trans (SELinux Service Protection)

Disable SELinux protection for updfstab daemon

uptimed_disable_trans (SELinux Service Protection)

Disable SELinux protection for uptimed daemon

use_lpd_server (Printing)

Use lpd server instead of cups

use_nfs_home_dirs (NFS)

Support NFS home directories

user_canbe_sysadm (User Privs)

Allow user_r to reach sysadm_r via su, sudo, or userhelper. Otherwise, only staff_r can do so.

user_can_mount (Mount)

Allow users to execute the mount command

user_direct_mouse (User Privs)

Allow regular users direct mouse access only allow the X server

user_dmesg (User Privs)

Allow users to run the dmesg command

user_net_control (User Privs)

Allow users to control network interfaces also needs USERCTL=true

user_ping (User Privs)

Allow normal user to execute ping

user_rw_noexattrfile (User Privs)

Allow user to r/w noextattrfile FAT, CDROM, FLOPPY

user_rw_usb (User Privs)

Allow users to rw usb devices

user_tcp_server (User Privs)

Allow users to run TCP servers bind to ports and accept connection from the same domain and outside users disabling this forces FTP passive mode and may change other protocols

user_ttyfile_stat (User Privs)

Allow user to stat ttyfiles

use_samba_home_dirs (Samba)

Allow users to login with CIFS home directories

uucpd_disable_trans (SELinux Service Protection)

Disable SELinux protection for uucpd daemon

vmware_disable_trans (SELinux Service Protection)

Disable SELinux protection for vmware daemon

watchdog_disable_trans (SELinux Service Protection)

Disable SELinux protection for watchdog daemon

winbind_disable_trans (Samba)

Disable SELinux protection for winbind daemon

write_untrusted_content (Web Applications)

Allow web applications to write untrusted content to disk implies read

xdm_disable_trans (SELinux Service Protection)

Disable SELinux protection for xdm daemon

xdm_sysadm_login (XServer)

Allow xdm logins as sysadm_r:sysadm_t

xend_disable_trans (SELinux Service Protection)

Disable SELinux protection for xen daemon

xen_use_raw_disk (XEN)

Allow xen to read/write physical disk devices

xfs_disable_trans (SELinux Service Protection)

Disable SELinux protection for xfs daemon

xm_disable_trans (SELinux Service Protection)

Disable SELinux protection for xen constrol

ypbind_disable_trans (NIS)

Disable SELinux protection for ypbind daemon

yppasswdd_disable_trans (NIS)

Disable SELinux protection for NIS Password Daemon

ypserv_disable_trans (SELinux Service Protection)

Disable SELinux protection for ypserv daemon

ypxfr_disable_trans (NIS)

Disable SELinux protection for NIS Transfer Daemon

zebra_disable_trans (SELinux Service Protection)

Disable SELinux protection for zebra daemon

httpd_use_cifs (HTTPD Service)

Allow httpd to access samba/cifs file systems.

httpd_use_nfs (HTTPD Service)

Allow httpd to access nfs file systems.

samba_domain_controller (Samba)

Allow samba to act as the domain controller, add users, groups and change passwords

samba_export_all_ro (Samba)

Allow Samba to share any file/directory read only

samba_export_all_rw (Samba)

Allow Samba to share any file/directory read/write

webadm_manage_users_files (HTTPD Service)

Allow httpd to access nfs file systems.

webadm_read_users_files (HTTPD Service)

Allow httpd to access nfs file systems.