radiusd_selinux(8)          SELinux Policy radiusd          radiusd_selinux(8)


NAME

       radiusd_selinux - Security Enhanced Linux Policy for the radiusd processes


DESCRIPTION

       Security-Enhanced Linux confines the radiusd processes via flexible
       mandatory access control.

       The radiusd processes execute with the radiusd_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep radiusd_t


ENTRYPOINTS

       The radiusd_t SELinux type can be entered via the radiusd_exec_t file
       type.

       The default entrypoint paths for the radiusd_t domain are the following:

       /etc/cron.(daily|monthly)/radiusd,
       /etc/cron.((daily)|(weekly)|(monthly))/freeradius, /usr/sbin/radiusd,
       /usr/sbin/freeradius


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       radiusd policy is very flexible, allowing users to set up their radiusd
       processes in as secure a manner as possible.

       The following process types are defined for radiusd:

       radiusd_t

       Note: semanage permissive -a radiusd_t can be used to make the process
       type radiusd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. Revert with semanage permissive -d radiusd_t once the
       denials have been resolved, so the domain is enforced again.

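       The following is an added example, not part of the generated man page,
       that turns the two checks above into a script: is every radiusd process
       running in radiusd_t, and has the domain been left permissive. The ps -eZ
       and semanage permissive -l listings it parses are constructed samples;
       on a live host substitute the real command output as the trailing
       comments show. The function names are this example's own.

```shell
# Added example, not part of the generated man page: confirm that every
# radiusd process runs in the radiusd_t domain and that the domain has not
# been left permissive. Both inputs are constructed samples in the format of
# `ps -eZ` and `semanage permissive -l`; on a live host pass the real output.

SAMPLE_PS='LABEL                              PID TTY          TIME CMD
system_u:system_r:radiusd_t:s0    1234 ?        00:00:01 radiusd
system_u:system_r:radiusd_t:s0    1235 ?        00:00:00 radiusd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2048 pts/0 00:00:00 radiusd
system_u:system_r:sshd_t:s0-s0:c0.c1023 700 ?     00:00:00 sshd'

SAMPLE_PERMISSIVE='Builtin Permissive Types

Customized Permissive Types

radiusd_t'

# check_radiusd_domains PS_OUTPUT [CMD]
# Prints "PID type" for each CMD process (default radiusd) whose SELinux type
# is not radiusd_t; returns 0 when all of them are confined, 1 otherwise.
check_radiusd_domains() {
    printf '%s\n' "$1" | awk -v cmd="${2:-radiusd}" '
        NR == 1 { next }                       # header line
        $NF == cmd {
            split($1, ctx, ":")                # user:role:type[:range]
            if (ctx[3] != "radiusd_t") { print $2, ctx[3]; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# permissive_domains LISTING
# Prints the domains that `semanage permissive -l` lists as permissive.
permissive_domains() {
    printf '%s\n' "$1" | awk 'NF == 1 && $1 ~ /_t$/ { print $1 }'
}

# On a live system:
#   check_radiusd_domains "$(ps -eZ)" || echo "radiusd process outside radiusd_t"
#   permissive_domains "$(semanage permissive -l)" | grep -qx radiusd_t \
#       && echo "radiusd_t is permissive: denials are logged but not enforced"
```

       A radiusd process reported outside radiusd_t (for example one started
       by hand from an unconfined shell in the sample) gets none of the policy
       described on this page, so the check is worth running after any manual
       restart, not only at install time.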

BOOLEANS

       SELinux policy is customizable based on least access required. radiusd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run radiusd with the tightest access possible.

       Booleans set with setsebool -P persist across reboots; without -P the
       change is lost at the next reboot. Note that only radius_use_jit is
       specific to radiusd; the remaining booleans below are system-wide (they
       affect all daemons, all domains, or all confined applications), so
       enabling one of them widens access well beyond radiusd.


       If you want to allow radiusd to use a JIT compiler, you must turn on
       the radius_use_jit boolean. Disabled by default.

       setsebool -P radius_use_jit 1



       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using an sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1



       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1



       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1



       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1



       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1



       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1



       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1



       If you want to allow all domains to write to kmsg_device while the
       kernel is booted with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1



       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1



       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1



       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1



       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1



       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

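       The following is an added example, not part of the generated man page
       or of the radiusd policy: a script that compares the booleans listed
       above against a baseline and emits the setsebool -P commands needed to
       reach it. The baseline is this example's own least-access choice for a
       plain RADIUS server, not a setting the policy prescribes; adjust it for
       hosts that really need LDAP, NIS or nscd. The getsebool -a listing it
       parses is a constructed sample, and the function name is invented here.

```shell
# Added example, not from the man page or the radiusd policy: audit the
# booleans that touch radiusd against a baseline you choose. BASELINE is this
# example's own least-access choice (only what a plain RADIUS server needs),
# not a setting the policy or the man page prescribes. SAMPLE_GETSEBOOL is
# constructed in the format of `getsebool -a`.

BASELINE='radius_use_jit off
authlogin_nsswitch_use_ldap off
daemons_dump_core off
daemons_use_tcp_wrapper off
daemons_use_tty off
deny_ptrace on
domain_can_write_kmsg off
domain_kernel_load_modules off
nis_enabled off
nscd_use_shm off'

SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
daemons_dump_core --> on
daemons_use_tcp_wrapper --> off
daemons_use_tty --> off
deny_ptrace --> off
domain_can_write_kmsg --> off
domain_kernel_load_modules --> off
nis_enabled --> off
nscd_use_shm --> off
radius_use_jit --> on'

# audit_booleans BASELINE CURRENT
# Compares "name value" baseline lines with "name --> value" getsebool lines.
# Prints one "setsebool -P name value" command per deviation, so the output
# can be reviewed and then piped to sh; returns 1 if anything deviates.
# Booleans missing from CURRENT (not present in this policy) are reported as
# comments and do not count as deviations.
audit_booleans() {
    { printf '%s\n' "$2"; echo '=== baseline ==='; printf '%s\n' "$1"; } | awk '
        /^=== baseline ===$/ { in_base = 1; next }
        !in_base && NF == 3 { have[$1] = $3; next }
        in_base && NF == 2 {
            if (!($1 in have)) { print "# " $1 ": not defined in this policy"; next }
            if (have[$1] != $2) { print "setsebool -P " $1 " " $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# On a live system:  audit_booleans "$BASELINE" "$(getsebool -a)"
```

       Against the sample the script reports three deviations: radius_use_jit
       and daemons_dump_core are on but should be off, and deny_ptrace is off
       but should be on. Review the generated commands before running them;
       every boolean except radius_use_jit changes behaviour for other
       confined domains on the host too.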

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux radiusd policy is very flexible, allowing users to set up their
       radiusd processes in as secure a manner as possible.

       The following port types are defined for radiusd:

       radius_port_t

       Default Defined Ports:
                 tcp 1645,1812,18120-18121
                 udp 1645,1812,18120-18121

       A radiusd listening on a port outside these ranges will be denied
       name_bind unless that port is added to radius_port_t with semanage port.

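       The following is an added example, not part of the generated man page:
       a script that resolves which port type covers a protocol/port pair from
       semanage port -l output (including the "a, b, c-d" range syntax) and
       adds a non-default RADIUS listener port only when no other type already
       owns it. The listing is a constructed sample whose radius_port_t lines
       are the defaults shown above; port 2812 is a made-up example port, not
       one the policy defines, and the function names are this example's own.

```shell
# Added example, not from the man page: resolve which port type covers a
# protocol/port pair from `semanage port -l` output, and add a non-default
# RADIUS port only when nothing else already owns it. SAMPLE_PORTS is a
# constructed listing; the radius_port_t lines are the defaults the man page
# gives. Port 2812 is a made-up example, not a port the policy defines.

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

radius_port_t                  tcp      1645, 1812, 18120-18121
radius_port_t                  udp      1645, 1812, 18120-18121
ssh_port_t                     tcp      22'

# port_type_for PROTO PORT LISTING
# Prints the type that covers PROTO/PORT; returns 1 if no type covers it.
port_type_for() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)                 # strip trailing comma
                if (split(v, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = hi = v }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }'
}

# ensure_radius_port PROTO PORT
# Labels PROTO/PORT radius_port_t if it is currently unlabeled. A port carries
# exactly one type, so if another type already owns it the function reports
# that and returns 1 instead of silently taking the port over (use
# `semanage port -m` once you have decided that is really what you want).
ensure_radius_port() {
    listing=$(semanage port -l) || return 2
    if t=$(port_type_for "$1" "$2" "$listing"); then
        echo "$1/$2 is already labeled $t"
        if [ "$t" = radius_port_t ]; then return 0; else return 1; fi
    fi
    semanage port -a -t radius_port_t -p "$1" "$2"
}

# On a live system:  ensure_radius_port udp 2812
```

       Checking before adding matters because semanage port -a fails on a port
       that already has a type, and reassigning a port that another domain
       legitimately uses (with -m) quietly takes that port away from it.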

MANAGED FILES

       The SELinux process type radiusd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions on
       the files; SELinux only adds a further check on top of them.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       radiusd_etc_rw_t

            /etc/raddb/db.daily

       radiusd_log_t

            /var/log/radius(/.*)?
            /var/log/radutmp.*
            /var/log/radwtmp.*
            /var/log/radacct(/.*)?
            /var/log/radius.log.*
            /var/log/freeradius(/.*)?
            /var/log/radiusd-freeradius(/.*)?

       radiusd_var_lib_t

            /var/lib/radiusd(/.*)?

       radiusd_var_run_t

            /var/run/radiusd(/.*)?
            /var/run/radiusd.pid

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux radiusd policy is very flexible, allowing users to set up their
       radiusd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES


       radiusd policy stores data with multiple different file context types
       under the /var/run/radiusd directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/radiusd /srv/radiusd
       restorecon -R -v /srv/radiusd

       radiusd policy stores data with multiple different file context types
       under the /var/log/radius directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/log/radius /srv/radius
       restorecon -R -v /srv/radius

       STANDARD FILE CONTEXT

       SELinux defines the file context types for radiusd. If you want to
       store files with these types under different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t radiusd_var_run_t '/srv/myradiusd_content(/.*)?'
       restorecon -R -v /srv/myradiusd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for radiusd:



       radiusd_etc_rw_t

       - Set files with the radiusd_etc_rw_t type, if you want to treat the
       files as radiusd etc read/write content.



       radiusd_etc_t

       - Set files with the radiusd_etc_t type, if you want to store radiusd
       files in the /etc directories.



       radiusd_exec_t

       - Set files with the radiusd_exec_t type, if you want to transition an
       executable to the radiusd_t domain.


       Paths:
            /etc/cron.(daily|monthly)/radiusd,
            /etc/cron.((daily)|(weekly)|(monthly))/freeradius,
            /usr/sbin/radiusd, /usr/sbin/freeradius


       radiusd_initrc_exec_t

       - Set files with the radiusd_initrc_exec_t type, if you want to
       transition an executable to the radiusd_initrc_t domain.



       radiusd_log_t

       - Set files with the radiusd_log_t type, if you want to treat the data
       as radiusd log data, usually stored under the /var/log directory.


       Paths:
            /var/log/radius(/.*)?, /var/log/radutmp.*, /var/log/radwtmp.*,
            /var/log/radacct(/.*)?, /var/log/radius.log.*,
            /var/log/freeradius(/.*)?, /var/log/radiusd-freeradius(/.*)?


       radiusd_unit_file_t

       - Set files with the radiusd_unit_file_t type, if you want to treat the
       files as radiusd unit content.



       radiusd_var_lib_t

       - Set files with the radiusd_var_lib_t type, if you want to store the
       radiusd files under the /var/lib directory.



       radiusd_var_run_t

       - Set files with the radiusd_var_run_t type, if you want to store the
       radiusd files under the /run or /var/run directory.


       Paths:
            /var/run/radiusd(/.*)?, /var/run/radiusd.pid


       Note: File context can be temporarily modified with the chcon command;
       such changes are lost the next time the file is relabeled (for example
       by restorecon or a full relabel). If you want to permanently change the
       file context you need to use the semanage fcontext command. This will
       modify the SELinux labeling database. You will need to use restorecon
       to apply the labels.


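       The following is an added example, not part of the generated man page:
       a script that checks radiusd files against the file context regexes
       listed above and reports any whose on-disk label differs from what the
       policy expects, plus a rerunnable wrapper around the semanage fcontext
       and restorecon steps for a custom directory. The listing it parses is a
       constructed sample; /srv/radiusd-state is a made-up path and the
       function names are this example's own.

```shell
# Added example, not from the man page: find radiusd files whose on-disk label
# does not match what the policy's file context regexes say it should be, then
# register and apply a custom path. FCONTEXTS holds regexes listed in this
# page; SAMPLE_LISTING is constructed in the "context path" format that
# `find PATH -printf '%Z %p\n'` (GNU find) or `ls -Z FULLPATH` produces.

FCONTEXTS='/var/log/radius(/.*)? radiusd_log_t
/var/log/radacct(/.*)? radiusd_log_t
/var/lib/radiusd(/.*)? radiusd_var_lib_t
/var/run/radiusd(/.*)? radiusd_var_run_t
/var/run/radiusd.pid radiusd_var_run_t
/etc/raddb/db.daily radiusd_etc_rw_t'

SAMPLE_LISTING='system_u:object_r:radiusd_log_t:s0 /var/log/radius/radius.log
system_u:object_r:var_log_t:s0 /var/log/radius/radius.log.1
system_u:object_r:radiusd_var_lib_t:s0 /var/lib/radiusd/db.state
unconfined_u:object_r:user_tmp_t:s0 /var/run/radiusd/radiusd.sock
system_u:object_r:radiusd_var_run_t:s0 /var/run/radiusd.pid'

# find_mislabeled FCONTEXTS LISTING
# Prints "path is actual, expected wanted" for every path whose type differs
# from the last matching regex (the last matching file_contexts entry wins);
# returns 1 if any mismatch is found. Paths no regex matches are ignored.
find_mislabeled() {
    { printf '%s\n' "$1"; echo '=== listing ==='; printf '%s\n' "$2"; } | awk '
        /^=== listing ===$/ { in_list = 1; next }
        !in_list && NF == 2 { n++; re[n] = "^" $1 "$"; ty[n] = $2; next }
        in_list && NF == 2 {
            split($1, ctx, ":"); actual = ctx[3]
            want = ""
            for (i = 1; i <= n; i++) if ($2 ~ re[i]) want = ty[i]
            if (want != "" && want != actual) {
                print $2 " is " actual ", expected " want; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# relabel_custom_dir TYPE DIR
# Persistently maps DIR and everything below it to TYPE, applies the labels,
# and shows what the database now returns for DIR. Safe to rerun: the
# semanage call (which fails on a duplicate rule) is skipped when the mapping
# already exists.
relabel_custom_dir() {
    spec="$2(/.*)?"
    if ! semanage fcontext -l | grep -qF -- "$spec"; then
        semanage fcontext -a -t "$1" "$spec" || return 1
    fi
    restorecon -R -v "$2"
    matchpathcon "$2"
}

# On a live system:
#   find_mislabeled "$FCONTEXTS" \
#       "$(find /var/log/radius /var/lib/radiusd /var/run/radiusd -printf '%Z %p\n')"
#   relabel_custom_dir radiusd_var_lib_t /srv/radiusd-state
```

       In the sample, the rotated log has fallen back to var_log_t and a
       socket created under /var/run/radiusd carries user_tmp_t; both are the
       kind of drift that shows up as AVC denials after a manual copy or a
       tool that wrote files with chcon. restorecon -R -nv on the same
       directories gives the same answer from the live database.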

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), radiusd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



radiusd                            19-04-25                 radiusd_selinux(8)