1rlogind_selinux(8)          SELinux Policy rlogind          rlogind_selinux(8)
2
3
4

NAME

6       rlogind_selinux  -  Security Enhanced Linux Policy for the rlogind pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  rlogind  processes  via  flexible
11       mandatory access control.
12
13       The  rlogind processes execute with the rlogind_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep rlogind_t
20
21
22

ENTRYPOINTS

24       The  rlogind_t  SELinux type can be entered via the rlogind_exec_t file
25       type.
26
27       The default entrypoint paths for the rlogind_t domain are  the  follow‐
28       ing:
29
30       /usr/lib/telnetlogin, /usr/sbin/in.rlogind, /usr/kerberos/sbin/klogind
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       rlogind  policy  is very flexible allowing users to setup their rlogind
40       processes in as secure a method as possible.
41
42       The following process types are defined for rlogind:
43
44       rlogind_t
45
46       Note: semanage permissive -a rlogind_t can be used to make the  process
47       type  rlogind_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  rlogind
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run rlogind with the tightest access possi‐
56       ble.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the kerberos_enabled boolean. Enabled by default.
77
78       setsebool -P kerberos_enabled 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       nis_enabled boolean. Disabled by default.
84
85       setsebool -P nis_enabled 1
86
87
88
89       If  you  want to allow confined applications to use nscd shared memory,
90       you must turn on the nscd_use_shm boolean. Disabled by default.
91
92       setsebool -P nscd_use_shm 1
93
94
95
96       If you want to enable polyinstantiated directory support, you must turn
97       on the polyinstantiation_enabled boolean. Disabled by default.
98
99       setsebool -P polyinstantiation_enabled 1
100
101
102

PORT TYPES

104       SELinux defines port types to represent TCP and UDP ports.
105
106       You  can  see  the  types associated with a port by using the following
107       command:
108
109       semanage port -l
110
111
112       Policy governs the access  confined  processes  have  to  these  ports.
113       SELinux  rlogind  policy is very flexible allowing users to setup their
114       rlogind processes in as secure a method as possible.
115
116       The following port types are defined for rlogind:
117
118
119       rlogin_port_t
120
121
122
123       Default Defined Ports:
124                 tcp 543,2105
125
126
127       rlogind_port_t
128
129
130
131       Default Defined Ports:
132                 tcp 513
133

MANAGED FILES

135       The SELinux process type rlogind_t can manage files  labeled  with  the
136       following file types.  The paths listed are the default paths for these
137       file types.  Note the processes UID still need to have DAC permissions.
138
139       auth_cache_t
140
141            /var/cache/coolkey(/.*)?
142
143       auth_home_t
144
145            /root/.yubico(/.*)?
146            /root/.google_authenticator
147            /root/.google_authenticator~
148            /home/[^/]+/.yubico(/.*)?
149            /home/[^/]+/.google_authenticator
150            /home/[^/]+/.google_authenticator~
151
152       cgroup_t
153
154            /sys/fs/cgroup
155
156       cluster_conf_t
157
158            /etc/cluster(/.*)?
159
160       cluster_var_lib_t
161
162            /var/lib/pcsd(/.*)?
163            /var/lib/cluster(/.*)?
164            /var/lib/openais(/.*)?
165            /var/lib/pengine(/.*)?
166            /var/lib/corosync(/.*)?
167            /usr/lib/heartbeat(/.*)?
168            /var/lib/heartbeat(/.*)?
169            /var/lib/pacemaker(/.*)?
170
171       cluster_var_run_t
172
173            /var/run/crm(/.*)?
174            /var/run/cman_.*
175            /var/run/rsctmp(/.*)?
176            /var/run/aisexec.*
177            /var/run/heartbeat(/.*)?
178            /var/run/corosync-qnetd(/.*)?
179            /var/run/corosync-qdevice(/.*)?
180            /var/run/corosync.pid
181            /var/run/cpglockd.pid
182            /var/run/rgmanager.pid
183            /var/run/cluster/rgmanager.sk
184
185       faillog_t
186
187            /var/log/btmp.*
188            /var/log/faillog.*
189            /var/log/tallylog.*
190            /var/run/faillock(/.*)?
191
192       initrc_var_run_t
193
194            /var/run/utmp
195            /var/run/random-seed
196            /var/run/runlevel.dir
197            /var/run/setmixer_flag
198
199       kdbusfs_t
200
201
202       krb5_host_rcache_t
203
204            /var/cache/krb5rcache(/.*)?
205            /var/tmp/nfs_0
206            /var/tmp/DNS_25
207            /var/tmp/host_0
208            /var/tmp/imap_0
209            /var/tmp/HTTP_23
210            /var/tmp/HTTP_48
211            /var/tmp/ldap_55
212            /var/tmp/ldap_487
213            /var/tmp/ldapmap1_0
214
215       lastlog_t
216
217            /var/log/lastlog.*
218
219       pam_var_run_t
220
221            /var/(db|adm)/sudo(/.*)?
222            /var/lib/sudo(/.*)?
223            /var/run/sudo(/.*)?
224            /var/run/motd.d(/.*)?
225            /var/run/sepermit(/.*)?
226            /var/run/pam_mount(/.*)?
227            /var/run/motd
228
229       rlogind_tmp_t
230
231
232       rlogind_var_run_t
233
234
235       root_t
236
237            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
238            /
239            /initrd
240
241       security_t
242
243            /selinux
244
245       user_tmp_t
246
247            /dev/shm/mono.*
248            /var/run/user(/.*)?
249            /tmp/.ICE-unix(/.*)?
250            /tmp/.X11-unix(/.*)?
251            /dev/shm/pulse-shm.*
252            /tmp/.X0-lock
253            /tmp/hsperfdata_root
254            /var/tmp/hsperfdata_root
255            /home/[^/]+/tmp
256            /home/[^/]+/.tmp
257            /tmp/gconfd-[^/]+
258
259       var_auth_t
260
261            /var/ace(/.*)?
262            /var/rsa(/.*)?
263            /var/lib/abl(/.*)?
264            /var/lib/rsa(/.*)?
265            /var/lib/pam_ssh(/.*)?
266            /var/run/pam_ssh(/.*)?
267            /var/lib/pam_shield(/.*)?
268            /var/opt/quest/vas/vasd(/.*)?
269            /var/lib/google-authenticator(/.*)?
270
271       wtmp_t
272
273            /var/log/wtmp.*
274
275

FILE CONTEXTS

277       SELinux requires files to have an extended attribute to define the file
278       type.
279
280       You can see the context of a file using the -Z option to ls
281
282       Policy  governs  the  access  confined  processes  have to these files.
283       SELinux rlogind policy is very flexible allowing users to  setup  their
284       rlogind processes in as secure a method as possible.
285
286       STANDARD FILE CONTEXT
287
288       SELinux  defines  the file context types for the rlogind, if you wanted
289       to store files with these types in a diffent paths, you need to execute
290       the  semanage  command  to  sepecify  alternate  labeling  and then use
291       restorecon to put the labels on disk.
292
293       semanage  fcontext   -a   -t   rlogind_var_run_t   '/srv/myrlogind_con‐
294       tent(/.*)?'
295       restorecon -R -v /srv/myrlogind_content
296
297       Note:  SELinux  often  uses  regular expressions to specify labels that
298       match multiple files.
299
300       The following file types are defined for rlogind:
301
302
303
304       rlogind_exec_t
305
306       - Set files with the rlogind_exec_t type, if you want to transition  an
307       executable to the rlogind_t domain.
308
309
310       Paths:
311            /usr/lib/telnetlogin,        /usr/sbin/in.rlogind,       /usr/ker‐
312            beros/sbin/klogind
313
314
315       rlogind_home_t
316
317       - Set files with the rlogind_home_t type, if you want to store  rlogind
318       files in the users home directory.
319
320
321       Paths:
322            /root/.rhosts,         /root/.rlogin,         /home/[^/]+/.rhosts,
323            /home/[^/]+/.rlogin
324
325
326       rlogind_keytab_t
327
328       - Set files with the rlogind_keytab_t type, if you want  to  treat  the
329       files as kerberos keytab files.
330
331
332
333       rlogind_tmp_t
334
335       -  Set  files with the rlogind_tmp_t type, if you want to store rlogind
336       temporary files in the /tmp directories.
337
338
339
340       rlogind_var_run_t
341
342       - Set files with the rlogind_var_run_t type, if you want to  store  the
343       rlogind files under the /run or /var/run directory.
344
345
346
347       Note:  File context can be temporarily modified with the chcon command.
348       If you want to permanently change the file context you need to use  the
349       semanage fcontext command.  This will modify the SELinux labeling data‐
350       base.  You will need to use restorecon to apply the labels.
351
352

COMMANDS

354       semanage fcontext can also be used to manipulate default  file  context
355       mappings.
356
357       semanage  permissive  can  also  be used to manipulate whether or not a
358       process type is permissive.
359
360       semanage module can also be used to enable/disable/install/remove  pol‐
361       icy modules.
362
363       semanage port can also be used to manipulate the port definitions
364
365       semanage boolean can also be used to manipulate the booleans
366
367
368       system-config-selinux is a GUI tool available to customize SELinux pol‐
369       icy settings.
370
371

AUTHOR

373       This manual page was auto-generated using sepolicy manpage .
374
375

SEE ALSO

377       selinux(8), rlogind(8), semanage(8),  restorecon(8),  chcon(1),  sepol‐
378       icy(8), setsebool(8)
379
380
381
382rlogind                            19-05-30                 rlogind_selinux(8)
Impressum