1ntpd_selinux(8)               SELinux Policy ntpd              ntpd_selinux(8)
2
3
4

NAME

6       ntpd_selinux - Security Enhanced Linux Policy for the ntpd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the ntpd processes via flexible manda‐
10       tory access control.
11
12       The ntpd processes execute with the ntpd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep ntpd_t
19
20
21

ENTRYPOINTS

23       The  ntpd_t  SELinux  type  can  be  entered  via  the  ntpdate_exec_t,
24       ntpd_exec_t file types.
25
26       The default entrypoint paths for the ntpd_t domain are the following:
27
28       /usr/sbin/sntp,     /usr/sbin/ntpdate,    /usr/libexec/ntpdate-wrapper,
29       /etc/cron.(daily|weekly)/ntp-server,  /etc/cron.(daily|weekly)/ntp-sim‐
30       ple, /usr/sbin/ntpd
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       ntpd  policy  is  very flexible allowing users to setup their ntpd pro‐
40       cesses in as secure a method as possible.
41
42       The following process types are defined for ntpd:
43
44       ntpd_t
45
46       Note: semanage permissive -a ntpd_t can be used  to  make  the  process
47       type  ntpd_t  permissive.  SELinux  does  not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy  is  customizable based on least access required.  ntpd
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate the policy and run ntpd with the tightest access possible.
56
57
58
59       If you want to allow users to resolve user passwd entries directly from
60       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
61       gin_nsswitch_use_ldap boolean. Disabled by default.
62
63       setsebool -P authlogin_nsswitch_use_ldap 1
64
65
66
67       If you want to allow all domains to execute in fips_mode, you must turn
68       on the fips_mode boolean. Enabled by default.
69
70       setsebool -P fips_mode 1
71
72
73
74       If you want to allow confined applications to run  with  kerberos,  you
75       must turn on the kerberos_enabled boolean. Enabled by default.
76
77       setsebool -P kerberos_enabled 1
78
79
80
81       If  you  want  to  allow  system  to run with NIS, you must turn on the
82       nis_enabled boolean. Disabled by default.
83
84       setsebool -P nis_enabled 1
85
86
87
88       If you want to allow confined applications to use nscd  shared  memory,
89       you must turn on the nscd_use_shm boolean. Disabled by default.
90
91       setsebool -P nscd_use_shm 1
92
93
94
95       If  you  want  to  support  NFS  home directories, you must turn on the
96       use_nfs_home_dirs boolean. Disabled by default.
97
98       setsebool -P use_nfs_home_dirs 1
99
100
101
102       If you want to support SAMBA home directories, you  must  turn  on  the
103       use_samba_home_dirs boolean. Disabled by default.
104
105       setsebool -P use_samba_home_dirs 1
106
107
108

PORT TYPES

110       SELinux defines port types to represent TCP and UDP ports.
111
112       You  can  see  the  types associated with a port by using the following
113       command:
114
115       semanage port -l
116
117
118       Policy governs the access  confined  processes  have  to  these  ports.
119       SELinux ntpd policy is very flexible allowing users to setup their ntpd
120       processes in as secure a method as possible.
121
122       The following port types are defined for ntpd:
123
124
125       ntp_port_t
126
127
128
129       Default Defined Ports:
130                 udp 123
131

MANAGED FILES

133       The SELinux process type ntpd_t can manage files labeled with the  fol‐
134       lowing  file  types.   The paths listed are the default paths for these
135       file types.  Note the processes UID still need to have DAC permissions.
136
137       cluster_conf_t
138
139            /etc/cluster(/.*)?
140
141       cluster_var_lib_t
142
143            /var/lib/pcsd(/.*)?
144            /var/lib/cluster(/.*)?
145            /var/lib/openais(/.*)?
146            /var/lib/pengine(/.*)?
147            /var/lib/corosync(/.*)?
148            /usr/lib/heartbeat(/.*)?
149            /var/lib/heartbeat(/.*)?
150            /var/lib/pacemaker(/.*)?
151
152       cluster_var_run_t
153
154            /var/run/crm(/.*)?
155            /var/run/cman_.*
156            /var/run/rsctmp(/.*)?
157            /var/run/aisexec.*
158            /var/run/heartbeat(/.*)?
159            /var/run/corosync-qnetd(/.*)?
160            /var/run/corosync-qdevice(/.*)?
161            /var/run/corosync.pid
162            /var/run/cpglockd.pid
163            /var/run/rgmanager.pid
164            /var/run/cluster/rgmanager.sk
165
166       gpsd_tmpfs_t
167
168
169       ntp_drift_t
170
171            /var/lib/ntp(/.*)?
172            /etc/ntp/data(/.*)?
173            /var/lib/sntp(/.*)?
174            /var/lib/sntp-kod(/.*)?
175
176       ntpd_log_t
177
178            /var/log/ntp.*
179            /var/log/xntpd.*
180            /var/log/ntpstats(/.*)?
181
182       ntpd_tmp_t
183
184
185       ntpd_tmpfs_t
186
187
188       ntpd_var_run_t
189
190            /var/run/ntpd.pid
191
192       root_t
193
194            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
195            /
196            /initrd
197
198       timemaster_tmpfs_t
199
200
201       tmpfs_t
202
203            /dev/shm
204            /var/run/shm
205            /usr/lib/udev/devices/shm
206
207

FILE CONTEXTS

209       SELinux requires files to have an extended attribute to define the file
210       type.
211
212       You can see the context of a file using the -Z option to ls
213
214       Policy  governs  the  access  confined  processes  have to these files.
215       SELinux ntpd policy is very flexible allowing users to setup their ntpd
216       processes in as secure a method as possible.
217
218       STANDARD FILE CONTEXT
219
220       SELinux  defines  the file context types for the ntpd, if you wanted to
221       store files with these types in a diffent paths, you  need  to  execute
222       the  semanage  command  to  sepecify  alternate  labeling  and then use
223       restorecon to put the labels on disk.
224
225       semanage fcontext -a -t ntpd_var_run_t '/srv/myntpd_content(/.*)?'
226       restorecon -R -v /srv/myntpd_content
227
228       Note: SELinux often uses regular expressions  to  specify  labels  that
229       match multiple files.
230
231       The following file types are defined for ntpd:
232
233
234
235       ntpd_exec_t
236
237       -  Set  files  with  the ntpd_exec_t type, if you want to transition an
238       executable to the ntpd_t domain.
239
240
241       Paths:
242            /etc/cron.(daily|weekly)/ntp-server, /etc/cron.(daily|weekly)/ntp-
243            simple, /usr/sbin/ntpd
244
245
246       ntpd_initrc_exec_t
247
248       - Set files with the ntpd_initrc_exec_t type, if you want to transition
249       an executable to the ntpd_initrc_t domain.
250
251
252
253       ntpd_key_t
254
255       - Set files with the ntpd_key_t type, if you want to treat the files as
256       ntpd key data.
257
258
259       Paths:
260            /etc/ntp/crypto(/.*)?, /etc/ntp/keys
261
262
263       ntpd_log_t
264
265       -  Set files with the ntpd_log_t type, if you want to treat the data as
266       ntpd log data, usually stored under the /var/log directory.
267
268
269       Paths:
270            /var/log/ntp.*, /var/log/xntpd.*, /var/log/ntpstats(/.*)?
271
272
273       ntpd_tmp_t
274
275       - Set files with the ntpd_tmp_t type, if you want to store ntpd  tempo‐
276       rary files in the /tmp directories.
277
278
279
280       ntpd_tmpfs_t
281
282       - Set files with the ntpd_tmpfs_t type, if you want to store ntpd files
283       on a tmpfs file system.
284
285
286
287       ntpd_unit_file_t
288
289       - Set files with the ntpd_unit_file_t type, if you want  to  treat  the
290       files as ntpd unit content.
291
292
293
294       ntpd_var_run_t
295
296       - Set files with the ntpd_var_run_t type, if you want to store the ntpd
297       files under the /run or /var/run directory.
298
299
300
301       ntpdate_exec_t
302
303       - Set files with the ntpdate_exec_t type, if you want to transition  an
304       executable to the ntpdate_t domain.
305
306
307       Paths:
308            /usr/sbin/sntp, /usr/sbin/ntpdate, /usr/libexec/ntpdate-wrapper
309
310
311       Note:  File context can be temporarily modified with the chcon command.
312       If you want to permanently change the file context you need to use  the
313       semanage fcontext command.  This will modify the SELinux labeling data‐
314       base.  You will need to use restorecon to apply the labels.
315
316

COMMANDS

318       semanage fcontext can also be used to manipulate default  file  context
319       mappings.
320
321       semanage  permissive  can  also  be used to manipulate whether or not a
322       process type is permissive.
323
324       semanage module can also be used to enable/disable/install/remove  pol‐
325       icy modules.
326
327       semanage port can also be used to manipulate the port definitions
328
329       semanage boolean can also be used to manipulate the booleans
330
331
332       system-config-selinux is a GUI tool available to customize SELinux pol‐
333       icy settings.
334
335

AUTHOR

337       This manual page was auto-generated using sepolicy manpage .
338
339

SEE ALSO

341       selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
342       setsebool(8)
343
344
345
346ntpd                               19-06-18                    ntpd_selinux(8)
Impressum