lsassd_selinux(8)            SELinux Policy lsassd           lsassd_selinux(8)




NAME

       lsassd_selinux - Security Enhanced Linux Policy for the lsassd processes


DESCRIPTION

       Security-Enhanced Linux secures the lsassd processes via flexible
       mandatory access control.

       The lsassd processes execute with the lsassd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep lsassd_t



ENTRYPOINTS

       The lsassd_t SELinux type can be entered via the lsassd_exec_t and
       user_home_t file types.

       The default entrypoint paths for the lsassd_t domain are the following:

       /usr/sbin/lsassd, /home/[^/]*/.+, /home/staff/.+

       An entrypoint label on a file does not by itself cause a domain
       transition: the calling domain must also be allowed to execute that
       file type and to transition into lsassd_t. Verify the label of the
       daemon binary with ls -Z /usr/sbin/lsassd. If it is no longer
       lsassd_exec_t (for example after a manual copy or a package upgrade
       that was not followed by restorecon), the daemon will typically keep
       running in the caller's domain, such as initrc_t, instead of lsassd_t.


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       lsassd policy is very flexible, allowing users to set up their lsassd
       processes in as secure a method as possible.

       The following process types are defined for lsassd:

       lsassd_t

       Note: semanage permissive -a lsassd_t can be used to make the process
       type lsassd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated, which makes this mode useful for collecting the denials a
       new policy module must cover. Remove it again with semanage permissive
       -d lsassd_t: a permissive lsassd_t is effectively unconfined, and this
       daemon handles keytabs and account databases.

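       The following added example (it is not part of the sepolicy-generated
       page nor of the lsassd project) turns the ps -eZ check above into a
       script that fails when any lsassd process runs outside lsassd_t, which
       is what you see when the binary has lost its lsassd_exec_t label or no
       domain transition took place. The function name check_confined and the
       sample ps output are constructed for illustration; on a live host feed
       it real output with ps -eZ | check_confined lsassd lsassd_t.

```sh
#!/bin/sh
# Added example, not from the sepolicy manpage: verify that every process
# named $1 runs in SELinux domain $2, reading `ps -eZ` output on stdin.
# Prints "<pid> <actual-type>" for each offender; exit status 0 only if none.
check_confined() {
    cmd="$1" want="$2" awk '
        # ps -eZ columns: LABEL PID TTY TIME CMD. The label is
        # user:role:type:level, so the domain type is the third colon field.
        $NF == ENVIRON["cmd"] {
            split($1, ctx, ":")
            if (ctx[3] != ENVIRON["want"]) {
                printf "%s %s\n", $2, ctx[3]
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample of ps -eZ output: one confined lsassd and one that was
# started without a domain transition and therefore still runs as initrc_t.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:lsassd_t:s0     1234 ?        00:00:01 lsassd
system_u:system_r:initrc_t:s0     1240 ?        00:00:00 lsassd
system_u:system_r:kernel_t:s0        2 ?        00:00:00 kthreadd'

if printf '%s\n' "$SAMPLE_PS" | check_confined lsassd lsassd_t; then
    echo "all lsassd processes are confined in lsassd_t"
else
    echo "unconfined lsassd process(es) listed above; check ls -Z /usr/sbin/lsassd"
fi
```

       The check keys on the third colon-separated field of the context
       rather than on a substring match, so a type such as lsassd_tmp_t or a
       process whose name merely contains lsassd cannot produce a false pass.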

BOOLEANS

       SELinux policy is customizable based on the least access required.
       lsassd policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run lsassd with the tightest
       access possible.

       Note that every boolean listed here is system-wide: it widens access
       for all daemons or all domains, not only for lsassd. Enable one only
       after confirming from the AVC denial that lsassd actually needs it.
       setsebool -P changes the running policy and persists the value across
       reboots; drop -P to try a change without persisting it.


       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1


       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1


       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1


       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1


       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


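       The following added example (not part of the sepolicy-generated page
       nor of the lsassd project) audits the booleans listed above against
       the defaults this page states and emits a setsebool -P line for each
       one that has drifted, so a host can be brought back to the
       least-access baseline. The function name audit_booleans and the sample
       getsebool output are constructed; boolean names differ between policy
       versions, so use the names your own getsebool -a prints.

```sh
#!/bin/sh
# Added example, not from the sepolicy manpage: compare the booleans this
# page lists against the defaults it states. Reads `getsebool -a` output
# ("name --> on|off") on stdin; booleans absent from the input (for example
# renamed ones in a newer policy) are skipped rather than reported.
LSASSD_BOOL_DEFAULTS='allow_daemons_dump_core off
allow_daemons_use_tcp_wrapper off
allow_daemons_use_tty off
allow_domain_fd_use on
allow_kerberos on
allow_ptrace off
daemons_enable_cluster_mode off
domain_kernel_load_modules off
fips_mode on
global_ssp off
init_upstart on
use_nfs_home_dirs off
use_samba_home_dirs off'

# Usage: getsebool -a | audit_booleans "$LSASSD_BOOL_DEFAULTS"
# Prints one remediation command per drifted boolean; exit status 1 if any.
audit_booleans() {
    DEFAULTS="$1" awk '
        BEGIN {
            # Build name -> expected value from the "name value" lines.
            n = split(ENVIRON["DEFAULTS"], lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[kv[1]] = kv[2]
            }
        }
        # getsebool -a prints: name --> on|off
        ($1 in want) && $3 != want[$1] {
            printf "setsebool -P %s %s\n", $1, want[$1]
            drift = 1
        }
        END { exit drift ? 1 : 0 }
    '
}

# Constructed getsebool -a excerpt: allow_ptrace has been switched on, which
# lets sysadm ptrace every process on the host, not just lsassd.
SAMPLE_BOOLS='allow_daemons_dump_core --> off
allow_kerberos --> on
allow_ptrace --> on
fips_mode --> on
httpd_can_network_connect --> off'

if printf '%s\n' "$SAMPLE_BOOLS" | audit_booleans "$LSASSD_BOOL_DEFAULTS"; then
    echo "all listed booleans are at their defaults"
else
    echo "review the setsebool lines above before running them"
fi
```

       The script deliberately prints the remediation instead of running it:
       a boolean that deviates from its default may have been enabled on
       purpose for another daemon, and the AVC history should decide.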

MANAGED FILES

       The SELinux process type lsassd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission to
       the files as well.

       Two entries here are broad: etc_t covers almost all of /etc, and
       user_home_type covers every user home file. A compromised lsassd_t
       process could therefore alter system configuration and user files as
       far as DAC permits, which is worth keeping in mind when reviewing AVC
       denials for this domain.

       cifs_t


       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/zipl.conf.*
            /etc/smartd.conf.*
            /etc/.fstab.hal..+
            /etc/sysconfig/ip6?tables.save
            /halt
            /etc/motd
            /fastboot
            /poweroff
            /etc/issue
            /etc/cmtab
            /forcefsck
            /.autofsck
            /.suspended
            /fsckoptions
            /etc/HOSTNAME
            /.autorelabel
            /etc/securetty
            /etc/nohotplug
            /etc/issue.net
            /etc/killpower
            /etc/ioctl.save
            /etc/reader.conf
            /etc/fstab.REVOKE
            /etc/mtab.fuselock
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/xorg.conf.d/00-system-setup-keyboard.conf

       etc_t

            /etc/.*
            /var/db/.*.db
            /usr/etc(/.*)?
            /var/ftp/etc(/.*)?
            /usr/local/etc(/.*)?
            /var/lib/openshift/.limits.d(/.*)?
            /var/lib/openshift/.openshift-proxy.d(/.*)?
            /var/lib/openshift/.stickshift-proxy.d(/.*)?
            /var/lib/stickshift/.limits.d(/.*)?
            /var/lib/stickshift/.stickshift-proxy.d(/.*)?
            /var/named/chroot/etc(/.*)?
            /etc/ipsec.d/examples(/.*)?
            /var/spool/postfix/etc(/.*)?
            /etc
            /etc/cups/client.conf

       initrc_tmp_t


       krb5_keytab_t

            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       likewise_etc_t

            /etc/likewise-open(/.*)?

       lsassd_tmp_t


       lsassd_var_lib_t

            /var/lib/likewise-open/lsasd.err
            /var/lib/likewise-open/db/sam.db
            /var/lib/likewise-open/krb5ccr_lsass
            /var/lib/likewise-open/db/lsass-adcache.db
            /var/lib/likewise-open/db/lsass-adstate.filedb

       lsassd_var_run_t

            /var/run/lsassd.pid

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       nfs_t


       root_t

            /
            /initrd

       security_t


       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       user_home_type

            all user home files



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux lsassd policy is very flexible, allowing users to set up their
       lsassd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for lsassd. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t lsassd_var_socket_t '/srv/mylsassd_content(/.*)?'
       restorecon -R -v /srv/mylsassd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. The pattern given to semanage fcontext is itself
       a regular expression, so any metacharacter that appears literally in
       the path (a dot, for instance) must be escaped.

       The following file types are defined for lsassd:


       lsassd_exec_t

       - Set files with the lsassd_exec_t type, if you want to transition an
       executable to the lsassd_t domain.


       lsassd_tmp_t

       - Set files with the lsassd_tmp_t type, if you want to store lsassd
       temporary files in the /tmp directories.


       lsassd_var_lib_t

       - Set files with the lsassd_var_lib_t type, if you want to store the
       lsassd files under the /var/lib directory.

       Paths:
            /var/lib/likewise-open/lsasd.err, /var/lib/likewise-open/db/sam.db,
            /var/lib/likewise-open/krb5ccr_lsass,
            /var/lib/likewise-open/db/lsass-adcache.db,
            /var/lib/likewise-open/db/lsass-adstate.filedb


       lsassd_var_run_t

       - Set files with the lsassd_var_run_t type, if you want to store the
       lsassd files under the /run or /var/run directory.


       lsassd_var_socket_t

       - Set files with the lsassd_var_socket_t type, if you want to treat the
       files as lsassd var socket data.

       Paths:
            /var/lib/likewise-open/.ntlmd, /var/lib/likewise-open/.lsassd,
            /var/lib/likewise-open/rpc/lsass


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels. Labels
       set with chcon alone are not in that database and are reverted by the
       next restorecon or filesystem relabel. restorecon -n -v reports what
       would change without touching any file, which is the safer first step
       on directories that hold the account and credential caches listed
       above.

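       The following added example (not part of the sepolicy-generated page
       nor of the lsassd project) wraps the semanage fcontext and restorecon
       steps above so that the pattern is built from a plain path with its
       regex metacharacters escaped, the type is checked against the lsassd
       file types this page defines, and restorecon is first run in
       report-only mode. The function names fcontext_regex_for, is_lsassd_type
       and relabel_lsassd_dir are chosen for this example.

```sh
#!/bin/sh
# Added example, not from the sepolicy manpage: relabel an alternate
# directory for lsassd with semanage fcontext + restorecon. semanage fcontext
# takes a regular expression, so a path containing "." or other
# metacharacters must be escaped or the rule silently matches other files.

# Print the fcontext regex covering directory $1 and everything below it.
fcontext_regex_for() {
    dir="${1%/}"                                   # drop one trailing slash
    escaped=$(printf '%s\n' "$dir" | sed 's/[][\\.*^$+?(){}|]/\\&/g')
    printf '%s(/.*)?\n' "$escaped"
}

# Accept only the lsassd file types this page defines; anything else would
# be a typo that persists in the labeling database until removed.
is_lsassd_type() {
    case "$1" in
        lsassd_exec_t|lsassd_tmp_t|lsassd_var_lib_t|lsassd_var_run_t|lsassd_var_socket_t)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Usage: relabel_lsassd_dir /srv/mylsassd_content lsassd_var_socket_t
# Records the mapping, previews what restorecon would change, then applies it.
# Returns 2 on a bad argument before any policy change is made.
relabel_lsassd_dir() {
    dir="$1"
    type="$2"
    is_lsassd_type "$type" || { echo "not an lsassd file type: $type" >&2; return 2; }
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 127; }
    regex=$(fcontext_regex_for "$dir")
    semanage fcontext -a -t "$type" "$regex" || return 1
    restorecon -R -n -v "$dir"       # -n: report the files that would change
    restorecon -R -v "$dir"          # apply the labels from the database
}

# Show the escaped pattern for a path containing a regex metacharacter.
fcontext_regex_for /srv/my.lsassd        # /srv/my\.lsassd(/.*)?
```

       Without the escaping, a rule for /srv/my.lsassd would also match a
       directory named /srv/myXlsassd, and the more specific existing rules
       for /var/lib/likewise-open are unaffected either way because semanage
       fcontext only adds to the local customizations.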

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)



lsassd                             15-06-03                  lsassd_selinux(8)