Current File : //proc/self/root/kunden/usr/share/selinux/devel/html/svc_run.html

<!-- Creator     : groff version 1.22.4 -->
<!-- CreationDate: Thu Apr 10 20:00:00 2025 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
       h1      { text-align: center }
</style>
<title>svc_run_selinux</title>

</head>
<body>

<h1 align="center">svc_run_selinux</h1>

<a href="#NAME">NAME</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#ENTRYPOINTS">ENTRYPOINTS</a><br>
<a href="#PROCESS TYPES">PROCESS TYPES</a><br>
<a href="#BOOLEANS">BOOLEANS</a><br>
<a href="#FILE CONTEXTS">FILE CONTEXTS</a><br>
<a href="#COMMANDS">COMMANDS</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>

<hr>


<h2>NAME
<a name="NAME"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em">svc_run_selinux
&minus; Security Enhanced Linux Policy for the svc_run
processes</p>

<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em">Security-Enhanced
Linux secures the svc_run processes via flexible mandatory
access control.</p>

<p style="margin-left:11%; margin-top: 1em">The svc_run
processes execute with the svc_run_t SELinux type. You can
check if you have these processes running by executing the
<b>ps</b> command with the <b>&minus;Z</b> qualifier.</p>

<p style="margin-left:11%; margin-top: 1em">For
example:</p>

<p style="margin-left:11%; margin-top: 1em"><b>ps -eZ |
grep svc_run_t</b></p>

<h2>ENTRYPOINTS
<a name="ENTRYPOINTS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">The svc_run_t
SELinux type can be entered via the <b>svc_run_exec_t</b>
file type.</p>

<p style="margin-left:11%; margin-top: 1em">The default
entrypoint paths for the svc_run_t domain are the
following:</p>


<p style="margin-left:11%; margin-top: 1em">/var/service/.*/run.*,
/var/service/.*/log/run, /var/qmail/supervise/.*/run,
/var/qmail/supervise/.*/log/run, /usr/bin/envdir,
/usr/bin/fghack, /usr/bin/setlock, /var/axfrdns/run,
/var/tinydns/run, /usr/bin/pgrphack, /var/dnscache/run,
/usr/bin/envuidgid, /usr/bin/setuidgid, /usr/bin/softlimit,
/var/axfrdns/log/run, /var/tinydns/log/run,
/var/dnscache/log/run</p>

<h2>PROCESS TYPES
<a name="PROCESS TYPES"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux defines
process types (domains) for each process running on the
system</p>

<p style="margin-left:11%; margin-top: 1em">You can see the
context of a process using the <b>&minus;Z</b> option to
<b>ps</b></p>

<p style="margin-left:11%; margin-top: 1em">Policy governs
the access confined processes have to files. SELinux svc_run
policy is very flexible allowing users to setup their
svc_run processes in as secure a method as possible.</p>

<p style="margin-left:11%; margin-top: 1em">The following
process types are defined for svc_run:</p>


<p style="margin-left:11%; margin-top: 1em"><b>svc_run_t</b></p>

<p style="margin-left:11%; margin-top: 1em">Note:
<b>semanage permissive -a svc_run_t</b> can be used to make
the process type svc_run_t permissive. SELinux does not deny
access to permissive process types, but the AVC (SELinux
denials) messages are still generated.</p>

<h2>BOOLEANS
<a name="BOOLEANS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux policy
is customizable based on least access required. svc_run
policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run svc_run with the
tightest access possible.</p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow all domains to execute in fips_mode, you must turn on
the fips_mode boolean. Enabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
fips_mode 1</b></p>

<h2>FILE CONTEXTS
<a name="FILE CONTEXTS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux
requires files to have an extended attribute to define the
file type.</p>

<p style="margin-left:11%; margin-top: 1em">You can see the
context of a file using the <b>&minus;Z</b> option to
<b>ls</b></p>

<p style="margin-left:11%; margin-top: 1em">Policy governs
the access confined processes have to these files. SELinux
svc_run policy is very flexible allowing users to setup
their svc_run processes in as secure a method as
possible.</p>

<p style="margin-left:11%; margin-top: 1em"><i>The
following file types are defined for svc_run:</i></p>


<p style="margin-left:11%; margin-top: 1em"><b>svc_run_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the svc_run_exec_t type, if you want to transition an
executable to the svc_run_t domain. <br>
Paths:</p>

<p style="margin-left:18%;">/var/service/.*/run.*,
/var/service/.*/log/run, /var/qmail/supervise/.*/run,
/var/qmail/supervise/.*/log/run, /usr/bin/envdir,
/usr/bin/fghack, /usr/bin/setlock, /var/axfrdns/run,
/var/tinydns/run, /usr/bin/pgrphack, /var/dnscache/run,
/usr/bin/envuidgid, /usr/bin/setuidgid, /usr/bin/softlimit,
/var/axfrdns/log/run, /var/tinydns/log/run,
/var/dnscache/log/run</p>

<p style="margin-left:11%; margin-top: 1em">Note: File
context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need
to use the <b>semanage fcontext</b> command. This will
modify the SELinux labeling database. You will need to use
<b>restorecon</b> to apply the labels.</p>

<h2>COMMANDS
<a name="COMMANDS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext</b> can also be used to manipulate default file
context mappings.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
permissive</b> can also be used to manipulate whether or not
a process type is permissive.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
module</b> can also be used to enable/disable/install/remove
policy modules.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
boolean</b> can also be used to manipulate the booleans</p>


<p style="margin-left:11%; margin-top: 1em"><b>system-config-selinux</b>
is a GUI tool available to customize SELinux policy
settings.</p>

<h2>AUTHOR
<a name="AUTHOR"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">This manual
page was auto-generated using <b>sepolicy manpage .</b></p>

<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">selinux(8),
svc_run(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)</p>
<hr>
</body>
</html>