1admin_crontab_selinux(8) SELinux Policy admin_crontab admin_crontab_selinux(8)
2
3
4

NAME

6       admin_crontab_selinux   -   Security  Enhanced  Linux  Policy  for  the
7       admin_crontab processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the admin_crontab processes via  flexi‐
11       ble mandatory access control.
12
13       The  admin_crontab  processes  execute with the admin_crontab_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep admin_crontab_t
20
21
22

ENTRYPOINTS

24       The  admin_crontab_t SELinux type can be entered via the crontab_exec_t
25       file type.
26
27       The default entrypoint paths for the  admin_crontab_t  domain  are  the
28       following:
29
30       /usr/bin/(f)?crontab,        /usr/bin/at,        /usr/sbin/fcronsighup,
31       /usr/libexec/fcronsighup
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       admin_crontab policy is very flexible allowing  users  to  setup  their
41       admin_crontab processes in as secure a method as possible.
42
43       The following process types are defined for admin_crontab:
44
45       admin_crontab_t
46
47       Note:  semanage  permissive  -a admin_crontab_t can be used to make the
48       process type admin_crontab_t permissive. SELinux does not  deny  access
49       to permissive process types, but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       admin_crontab  policy  is  extremely  flexible and has several booleans
56       that allow you to manipulate the policy and run admin_crontab with  the
57       tightest access possible.
58
59
60
61       If you want to allow users to resolve user passwd entries directly from
62       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
63       gin_nsswitch_use_ldap boolean. Disabled by default.
64
65       setsebool -P authlogin_nsswitch_use_ldap 1
66
67
68
69       If  you want to enable extra rules in the cron domain to support fcron,
70       you must turn on the fcron_crond boolean. Disabled by default.
71
72       setsebool -P fcron_crond 1
73
74
75
76       If you want to allow all domains to execute in fips_mode, you must turn
77       on the fips_mode boolean. Enabled by default.
78
79       setsebool -P fips_mode 1
80
81
82
83       If  you  want  to allow confined applications to run with kerberos, you
84       must turn on the kerberos_enabled boolean. Disabled by default.
85
86       setsebool -P kerberos_enabled 1
87
88
89
90       If you want to allow system to run with  NIS,  you  must  turn  on  the
91       nis_enabled boolean. Disabled by default.
92
93       setsebool -P nis_enabled 1
94
95
96
97       If  you  want to allow confined applications to use nscd shared memory,
98       you must turn on the nscd_use_shm boolean. Disabled by default.
99
100       setsebool -P nscd_use_shm 1
101
102
103

MANAGED FILES

105       The SELinux process type admin_crontab_t can manage files labeled  with
106       the  following  file types.  The paths listed are the default paths for
107       these file types.  Note the processes UID still need to have  DAC  per‐
108       missions.
109
110       admin_crontab_tmp_t
111
112
113       cgroup_t
114
115            /sys/fs/cgroup
116
117       faillog_t
118
119            /var/log/btmp.*
120            /var/log/faillog.*
121            /var/log/tallylog.*
122            /var/run/faillock(/.*)?
123
124       security_t
125
126            /selinux
127
128       user_cron_spool_t
129
130            /var/spool/at(/.*)?
131            /var/spool/cron
132            /var/spool/cron/[^/]+
133
134       user_tmp_t
135
136            /dev/shm/mono.*
137            /var/run/user(/.*)?
138            /tmp/.ICE-unix(/.*)?
139            /tmp/.X11-unix(/.*)?
140            /dev/shm/pulse-shm.*
141            /tmp/.X0-lock
142            /tmp/hsperfdata_root
143            /var/tmp/hsperfdata_root
144            /home/[^/]+/tmp
145            /home/[^/]+/.tmp
146            /tmp/gconfd-[^/]+
147
148       var_auth_t
149
150            /var/ace(/.*)?
151            /var/rsa(/.*)?
152            /var/lib/abl(/.*)?
153            /var/lib/rsa(/.*)?
154            /var/lib/pam_ssh(/.*)?
155            /var/run/pam_ssh(/.*)?
156            /var/lib/pam_shield(/.*)?
157            /var/opt/quest/vas/vasd(/.*)?
158            /var/lib/google-authenticator(/.*)?
159
160

COMMANDS

162       semanage  fcontext  can also be used to manipulate default file context
163       mappings.
164
165       semanage permissive can also be used to manipulate  whether  or  not  a
166       process type is permissive.
167
168       semanage  module can also be used to enable/disable/install/remove pol‐
169       icy modules.
170
171       semanage boolean can also be used to manipulate the booleans
172
173
174       system-config-selinux is a GUI tool available to customize SELinux pol‐
175       icy settings.
176
177

AUTHOR

179       This manual page was auto-generated using sepolicy manpage .
180
181

SEE ALSO

183       selinux(8),  admin_crontab(8),  semanage(8),  restorecon(8),  chcon(1),
184       sepolicy(8), setsebool(8)
185
186
187
188admin_crontab                      19-12-02           admin_crontab_selinux(8)
Impressum