lsassd_selinux(8)            SELinux Policy lsassd           lsassd_selinux(8)


NAME

       lsassd_selinux - Security Enhanced Linux Policy for the lsassd processes


DESCRIPTION

       Security-Enhanced Linux secures the lsassd processes via flexible
       mandatory access control.

       The lsassd processes execute with the lsassd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep lsassd_t


ENTRYPOINTS

       The lsassd_t SELinux type can be entered via the lsassd_exec_t file
       type.

       The default entrypoint paths for the lsassd_t domain are the following:

       /usr/sbin/lsassd, /opt/likewise/sbin/lsassd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       lsassd policy is very flexible, allowing users to set up their lsassd
       processes in as secure a method as possible.

       The following process types are defined for lsassd:

       lsassd_t

       Note: semanage permissive -a lsassd_t can be used to make the process
       type lsassd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

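       The grep shown under DESCRIPTION only lists the lsassd processes that
       are already confined to lsassd_t; it says nothing about an lsassd that
       was started in some other domain, which is the case that matters for
       enforcement. The following shell script is an added example, not part
       of the generated man page or of the sepolicy tool: it parses ps -eZ
       style output and reports any lsassd process whose domain is not
       lsassd_t. The sample ps output and the function names (process_types,
       all_confined, count_unconfined) are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the generated man page): check that every
# running lsassd process actually carries the lsassd_t domain. The man page's
# `ps -eZ | grep lsassd_t` only finds the confined instances; an lsassd that
# was started from an unlabeled copy of the binary, or by an unconfined shell,
# runs in another domain and never shows up in that grep.

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD). One lsassd
# is confined, one was started from an unconfined shell.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:03 systemd
system_u:system_r:lsassd_t:s0       812 ?        00:00:01 lsassd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2044 pts/0 00:00:00 lsassd
system_u:system_r:sshd_t:s0-s0:c0.c1023 655 ?  00:00:00 sshd'

# process_types CMD: read ps -eZ style output from stdin and print
# "PID TYPE" for every process whose command name is CMD. The type is the
# third colon-separated field of the security context.
process_types() {
    awk -v cmd="$1" 'NR > 1 && $NF == cmd {
        split($1, ctx, ":")
        print $2, ctx[3]
    }'
}

# all_confined CMD DOMAIN: return 0 when every process named CMD (from stdin)
# runs in DOMAIN, otherwise print the offenders and return 1.
all_confined() {
    process_types "$1" | awk -v dom="$2" '
        $2 != dom { printf "pid %s runs in %s, not %s\n", $1, $2, dom; bad = 1 }
        END { exit bad + 0 }'
}

# count_unconfined CMD DOMAIN: number of CMD processes (from stdin) outside DOMAIN.
count_unconfined() {
    process_types "$1" | awk -v dom="$2" '$2 != dom { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample; on a real host replace the printf
# with `ps -eZ`.
printf '%s\n' "$SAMPLE_PS" | all_confined lsassd lsassd_t \
    && echo "all lsassd processes are confined to lsassd_t" \
    || echo "WARNING: some lsassd processes run outside lsassd_t"
```

       Run with `ps -eZ | all_confined lsassd lsassd_t` on a live system; a
       non-zero exit means the policy described in this page is not being
       applied to at least one lsassd instance.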

BOOLEANS

       SELinux policy is customizable based on least access required. lsassd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run lsassd with the tightest access possible.

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

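       Each boolean above has a documented default, but a host may have been
       changed with setsebool -P long ago and nobody remembers why. The
       following shell script is an added example, not part of the generated
       man page or of the sepolicy tool: it compares getsebool -a output
       against the defaults listed in this section, reports each boolean that
       differs and says whether the change grants or removes access, and
       prints the setsebool -P command that restores the default. The
       getsebool sample is constructed; on a real system pipe getsebool -a
       into boolean_drift. The "loosened"/"tightened" direction follows how
       each boolean is described above: turning it on grants access for every
       boolean here except deny_ptrace, where on is the restrictive setting.
       The function names boolean_drift, drift_count and
       boolean_restore_commands are this example's own.

```shell
#!/bin/sh
# Added example (not part of the generated man page): detect booleans that
# have drifted from the defaults documented in the BOOLEANS section and print
# the setsebool -P command that restores each one. Feed it `getsebool -a` on
# a real host; the sample below is constructed.

# Documented defaults from this section, as name=value tokens.
LSASSD_BOOLEAN_DEFAULTS="daemons_dump_core=off daemons_enable_cluster_mode=on \
daemons_use_tcp_wrapper=off daemons_use_tty=off deny_ptrace=on \
domain_can_mmap_files=on domain_can_write_kmsg=off domain_fd_use=on \
domain_kernel_load_modules=off fips_mode=on global_ssp=off kerberos_enabled=on"

# Constructed sample of `getsebool -a` output. Two values differ from the
# documented defaults (daemons_use_tty turned on, deny_ptrace turned off);
# an unrelated boolean is included to show that it is ignored.
SAMPLE_GETSEBOOL='daemons_dump_core --> off
daemons_enable_cluster_mode --> on
daemons_use_tcp_wrapper --> off
daemons_use_tty --> on
deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> off
fips_mode --> on
global_ssp --> off
kerberos_enabled --> on
httpd_can_network_connect --> off'

# boolean_drift: read getsebool -a output from stdin and print one line
#   "NAME current=VALUE default=VALUE loosened|tightened"
# per documented boolean whose live value differs from its default.
# "on" grants more access for every boolean here except deny_ptrace, where
# "on" is the restrictive setting, so the direction is derived from that.
boolean_drift() {
    awk -v defaults="$LSASSD_BOOLEAN_DEFAULTS" '
        BEGIN {
            n = split(defaults, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                def[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in def) && $3 != def[$1] {
            restrictive_on = ($1 == "deny_ptrace")
            dir = (($3 == "on") != restrictive_on) ? "loosened" : "tightened"
            printf "%s current=%s default=%s %s\n", $1, $3, def[$1], dir
        }'
}

# drift_count: number of drifted booleans in the getsebool output on stdin.
drift_count() {
    boolean_drift | awk 'END { print NR }'
}

# boolean_restore_commands: for each drifted boolean print the setsebool -P
# command (the form used throughout this section) that restores the default.
boolean_restore_commands() {
    boolean_drift | awk '{
        split($3, d, "=")
        printf "setsebool -P %s %s\n", $1, (d[2] == "on") ? 1 : 0
    }'
}

# Demonstration on the constructed sample; on a real host use `getsebool -a |
# boolean_drift`.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_restore_commands
```

       A "loosened" line is the one to investigate first: deny_ptrace off,
       for instance, lets processes debug each other again, which this page
       documents as denied by default.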

MANAGED FILES

       The SELinux process type lsassd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/.fstab.hal..+
            /halt
            /fastboot
            /poweroff
            /etc/cmtab
            /forcefsck
            /.autofsck
            /.suspended
            /fsckoptions
            /var/.updated
            /etc/.updated
            /.autorelabel
            /etc/securetty
            /etc/nohotplug
            /etc/killpower
            /etc/ioctl.save
            /etc/fstab.REVOKE
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/sysconfig/iptables.save
            /etc/xorg.conf.d/00-system-setup-keyboard.conf
            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

       etc_t

            /etc/.*
            /usr/etc(/.*)?
            /var/ftp/etc(/.*)?
            /var/lib/openshift/.limits.d(/.*)?
            /var/lib/openshift/.openshift-proxy.d(/.*)?
            /var/lib/openshift/.stickshift-proxy.d(/.*)?
            /var/lib/stickshift/.limits.d(/.*)?
            /var/lib/stickshift/.stickshift-proxy.d(/.*)?
            /var/named/chroot/etc(/.*)?
            /etc/ipsec.d/examples(/.*)?
            /var/spool/postfix/etc(/.*)?
            /etc
            /etc/cups/client.conf

       krb5_keytab_t

            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       likewise_etc_t

            /etc/likewise-open(/.*)?

       lsassd_tmp_t

       lsassd_var_lib_t

            /var/lib/likewise/krb5cc.*
            /var/lib/likewise-open/krb5cc.*
            /var/lib/likewise/krb5ccr_lsass..*
            /var/lib/likewise-open/krb5ccr_lsass..*
            /var/lib/likewise/db/lsass-adcache.filedb..*
            /var/lib/likewise-open/db/lsass-adcache.filedb..*
            /var/lib/likewise/lsasd.err
            /var/lib/likewise/db/sam.db
            /var/lib/likewise/krb5ccr_lsass
            /var/lib/likewise-open/lsasd.err
            /var/lib/likewise-open/db/sam.db
            /var/lib/likewise-open/krb5ccr_lsass
            /var/lib/likewise/db/lsass-adcache.db
            /var/lib/likewise/db/lsass-adstate.filedb
            /var/lib/likewise-open/db/lsass-adcache.db
            /var/lib/likewise-open/db/lsass-adstate.filedb

       lsassd_var_run_t

            /var/run/lsassd.pid

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       user_home_t

            /home/[^/]+/.+


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux lsassd policy is very flexible, allowing users to set up their
       lsassd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for lsassd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t lsassd_var_socket_t '/srv/mylsassd_content(/.*)?'
       restorecon -R -v /srv/mylsassd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for lsassd:

       lsassd_exec_t

       - Set files with the lsassd_exec_t type, if you want to transition an
       executable to the lsassd_t domain.

       Paths:
            /usr/sbin/lsassd, /opt/likewise/sbin/lsassd

       lsassd_tmp_t

       - Set files with the lsassd_tmp_t type, if you want to store lsassd
       temporary files in the /tmp directories.

       lsassd_var_lib_t

       - Set files with the lsassd_var_lib_t type, if you want to store the
       lsassd files under the /var/lib directory.

       Paths:
            /var/lib/likewise/krb5cc.*, /var/lib/likewise-open/krb5cc.*,
            /var/lib/likewise/krb5ccr_lsass..*,
            /var/lib/likewise-open/krb5ccr_lsass..*,
            /var/lib/likewise/db/lsass-adcache.filedb..*,
            /var/lib/likewise-open/db/lsass-adcache.filedb..*,
            /var/lib/likewise/lsasd.err, /var/lib/likewise/db/sam.db,
            /var/lib/likewise/krb5ccr_lsass, /var/lib/likewise-open/lsasd.err,
            /var/lib/likewise-open/db/sam.db,
            /var/lib/likewise-open/krb5ccr_lsass,
            /var/lib/likewise/db/lsass-adcache.db,
            /var/lib/likewise/db/lsass-adstate.filedb,
            /var/lib/likewise-open/db/lsass-adcache.db,
            /var/lib/likewise-open/db/lsass-adstate.filedb

       lsassd_var_run_t

       - Set files with the lsassd_var_run_t type, if you want to store the
       lsassd files under the /run or /var/run directory.

       lsassd_var_socket_t

       - Set files with the lsassd_var_socket_t type, if you want to treat the
       files as lsassd var socket data.

       Paths:
            /var/lib/likewise/.ntlmd, /var/lib/likewise/.lsassd,
            /var/lib/likewise/rpc/lsass, /var/lib/likewise-open/.ntlmd,
            /var/lib/likewise-open/.lsassd, /var/lib/likewise-open/rpc/lsass

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

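       The semanage fcontext and restorecon pair above only does what you
       intend if the regular expression you register matches the paths you
       care about: '/srv/mylsassd_content(/.*)?' labels the directory itself
       and everything below it, whereas '/srv/mylsassd_content/.*' would leave
       the directory unlabeled. The following shell script is an added
       example, not part of the generated man page or of the sepolicy tool:
       it keeps a small table built from patterns listed in this page (plus
       the semanage example as a local customization), resolves the type a
       path should carry, and compares ls -Z style output against it to find
       files that restorecon would relabel. It assumes that patterns are
       anchored to the whole path and that the last matching entry wins, with
       local customizations checked after the base entries; that is a
       simplification of how libselinux matches file_contexts. The ls -Z
       sample and the function names expected_type and mislabeled are
       constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the generated man page): resolve the SELinux
# type a path should carry from file_contexts style patterns and flag files
# whose on-disk label differs. Matching rule assumed here: each regex is
# anchored to the whole path and the last matching entry wins, with local
# customizations (semanage fcontext -a) checked after the base entries.

# Base entries, taken from the patterns listed in this man page. Generic
# patterns come first so that the more specific ones override them.
FILE_CONTEXTS='/etc                                etc_t
/etc/.*                             etc_t
/etc/krb5.keytab                    krb5_keytab_t
/etc/likewise-open(/.*)?            likewise_etc_t
/usr/sbin/lsassd                    lsassd_exec_t
/opt/likewise/sbin/lsassd           lsassd_exec_t
/var/lib/likewise/krb5cc.*          lsassd_var_lib_t
/var/lib/likewise/db/sam.db         lsassd_var_lib_t
/var/lib/likewise/.lsassd           lsassd_var_socket_t
/var/lib/likewise/rpc/lsass         lsassd_var_socket_t
/var/run/lsassd.pid                 lsassd_var_run_t
/home/[^/]+/.+                      user_home_t'

# Local customization, as registered by the semanage fcontext command above.
LOCAL_FILE_CONTEXTS='/srv/mylsassd_content(/.*)?        lsassd_var_socket_t'

# expected_type PATH: print the type of the last matching entry, or print
# "<<none>>" and return 1 when no entry matches.
expected_type() {
    printf '%s\n%s\n' "$FILE_CONTEXTS" "$LOCAL_FILE_CONTEXTS" |
    awk -v path="$1" '
        NF == 2 && path ~ ("^" $1 "$") { type = $2 }    # last match wins
        END {
            if (type == "") { print "<<none>>"; exit 1 }
            print type
        }'
}

# Constructed sample in the layout of `ls -Z` (context, then path). Two of
# these files carry the wrong type: the keytab was written into /etc by hand
# and kept the directory's etc_t, and the sam.db copy sits at var_lib_t.
SAMPLE_LS_Z='system_u:object_r:etc_t:s0 /etc/krb5.keytab
system_u:object_r:likewise_etc_t:s0 /etc/likewise-open/lsassd.conf
system_u:object_r:var_lib_t:s0 /var/lib/likewise/db/sam.db
system_u:object_r:lsassd_exec_t:s0 /usr/sbin/lsassd'

# mislabeled: read ls -Z style lines from stdin and print
# "PATH ACTUAL_TYPE EXPECTED_TYPE" for every file whose type differs from
# the one the patterns prescribe (the files restorecon -R -v would relabel).
mislabeled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=${ctx#*:*:}         # drop the user and role fields
        actual=${actual%%:*}       # keep the type, drop the MLS range
        expected=$(expected_type "$path") || continue   # no rule: skip
        [ "$actual" = "$expected" ] ||
            printf '%s %s %s\n' "$path" "$actual" "$expected"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LS_Z" | mislabeled
```

       The keytab case is the one worth remembering: lsassd_t may manage
       krb5_keytab_t files according to the MANAGED FILES section, but a
       keytab that has drifted to etc_t is governed by the rules for etc_t
       instead, so a mismatch reported here is a policy question, not only a
       cosmetic one.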

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



lsassd                             19-04-25                  lsassd_selinux(8)