1rlogind_selinux(8) SELinux Policy rlogind rlogind_selinux(8)
2
3
4
6 rlogind_selinux - Security Enhanced Linux Policy for the rlogind pro‐
7 cesses
8
10 Security-Enhanced Linux secures the rlogind processes via flexible
11 mandatory access control.
12
13 The rlogind processes execute with the rlogind_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep rlogind_t
20
21
22
24 The rlogind_t SELinux type can be entered via the rlogind_exec_t file
25 type.
26
27 The default entrypoint paths for the rlogind_t domain are the follow‐
28 ing:
29
30 /usr/lib/telnetlogin, /usr/sbin/in.rlogind, /usr/kerberos/sbin/klogind
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 rlogind policy is very flexible allowing users to setup their rlogind
40 processes in as secure a method as possible.
41
42 The following process types are defined for rlogind:
43
44 rlogind_t
45
46 Note: semanage permissive -a rlogind_t can be used to make the process
47 type rlogind_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. rlogind
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run rlogind with the tightest access possi‐
56 ble.
57
58
59
60 If you want to allow all domains to execute in fips_mode, you must turn
61 on the fips_mode boolean. Enabled by default.
62
63 setsebool -P fips_mode 1
64
65
66
67 If you want to allow confined applications to run with kerberos, you
68 must turn on the kerberos_enabled boolean. Disabled by default.
69
70 setsebool -P kerberos_enabled 1
71
72
73
74 If you want to allow system to run with NIS, you must turn on the
75 nis_enabled boolean. Disabled by default.
76
77 setsebool -P nis_enabled 1
78
79
80
81 If you want to enable polyinstantiated directory support, you must turn
82 on the polyinstantiation_enabled boolean. Disabled by default.
83
84 setsebool -P polyinstantiation_enabled 1
85
86
87
89 SELinux defines port types to represent TCP and UDP ports.
90
91 You can see the types associated with a port by using the following
92 command:
93
94 semanage port -l
95
96
97 Policy governs the access confined processes have to these ports.
98 SELinux rlogind policy is very flexible allowing users to setup their
99 rlogind processes in as secure a method as possible.
100
101 The following port types are defined for rlogind:
102
103
104 rlogin_port_t
105
106
107
108 Default Defined Ports:
109 tcp 543,2105
110
111
112 rlogind_port_t
113
114
115
116 Default Defined Ports:
117 tcp 513
118
120 The SELinux process type rlogind_t can manage files labeled with the
121 following file types. The paths listed are the default paths for these
122 file types. Note the processes UID still need to have DAC permissions.
123
124 auth_cache_t
125
126 /var/cache/coolkey(/.*)?
127
128 auth_home_t
129
130 /root/.yubico(/.*)?
131 /root/.google_authenticator
132 /root/.google_authenticator~
133 /home/[^/]+/.yubico(/.*)?
134 /home/[^/]+/.google_authenticator
135 /home/[^/]+/.google_authenticator~
136
137 cgroup_t
138
139 /sys/fs/cgroup
140
141 cluster_conf_t
142
143 /etc/cluster(/.*)?
144
145 cluster_var_lib_t
146
147 /var/lib/pcsd(/.*)?
148 /var/lib/cluster(/.*)?
149 /var/lib/openais(/.*)?
150 /var/lib/pengine(/.*)?
151 /var/lib/corosync(/.*)?
152 /usr/lib/heartbeat(/.*)?
153 /var/lib/heartbeat(/.*)?
154 /var/lib/pacemaker(/.*)?
155
156 cluster_var_run_t
157
158 /var/run/crm(/.*)?
159 /var/run/cman_.*
160 /var/run/rsctmp(/.*)?
161 /var/run/aisexec.*
162 /var/run/heartbeat(/.*)?
163 /var/run/corosync-qnetd(/.*)?
164 /var/run/corosync-qdevice(/.*)?
165 /var/run/corosync.pid
166 /var/run/cpglockd.pid
167 /var/run/rgmanager.pid
168 /var/run/cluster/rgmanager.sk
169
170 faillog_t
171
172 /var/log/btmp.*
173 /var/log/faillog.*
174 /var/log/tallylog.*
175 /var/run/faillock(/.*)?
176
177 initrc_var_run_t
178
179 /var/run/utmp
180 /var/run/random-seed
181 /var/run/runlevel.dir
182 /var/run/setmixer_flag
183
184 kdbusfs_t
185
186
187 lastlog_t
188
189 /var/log/lastlog.*
190
191 pam_var_run_t
192
193 /var/(db|adm)/sudo(/.*)?
194 /var/lib/sudo(/.*)?
195 /var/run/sudo(/.*)?
196 /var/run/motd.d(/.*)?
197 /var/run/pam_ssh(/.*)?
198 /var/run/sepermit(/.*)?
199 /var/run/pam_mount(/.*)?
200 /var/run/pam_timestamp(/.*)?
201 /var/run/motd
202
203 rlogind_var_run_t
204
205
206 root_t
207
208 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
209 /
210 /initrd
211
212 security_t
213
214 /selinux
215
216 var_auth_t
217
218 /var/ace(/.*)?
219 /var/rsa(/.*)?
220 /var/lib/abl(/.*)?
221 /var/lib/rsa(/.*)?
222 /var/lib/pam_ssh(/.*)?
223 /var/lib/pam_shield(/.*)?
224 /var/opt/quest/vas/vasd(/.*)?
225 /var/lib/google-authenticator(/.*)?
226
227 wtmp_t
228
229 /var/log/wtmp.*
230
231
233 SELinux requires files to have an extended attribute to define the file
234 type.
235
236 You can see the context of a file using the -Z option to ls
237
238 Policy governs the access confined processes have to these files.
239 SELinux rlogind policy is very flexible allowing users to setup their
240 rlogind processes in as secure a method as possible.
241
242 STANDARD FILE CONTEXT
243
244 SELinux defines the file context types for the rlogind, if you wanted
245 to store files with these types in a diffent paths, you need to execute
246 the semanage command to sepecify alternate labeling and then use
247 restorecon to put the labels on disk.
248
249 semanage fcontext -a -t rlogind_var_run_t '/srv/myrlogind_con‐
250 tent(/.*)?'
251 restorecon -R -v /srv/myrlogind_content
252
253 Note: SELinux often uses regular expressions to specify labels that
254 match multiple files.
255
256 The following file types are defined for rlogind:
257
258
259
260 rlogind_exec_t
261
262 - Set files with the rlogind_exec_t type, if you want to transition an
263 executable to the rlogind_t domain.
264
265
266 Paths:
267 /usr/lib/telnetlogin, /usr/sbin/in.rlogind, /usr/ker‐
268 beros/sbin/klogind
269
270
271 rlogind_home_t
272
273 - Set files with the rlogind_home_t type, if you want to store rlogind
274 files in the users home directory.
275
276
277 Paths:
278 /root/.rhosts, /root/.rlogin, /home/[^/]+/.rhosts,
279 /home/[^/]+/.rlogin
280
281
282 rlogind_keytab_t
283
284 - Set files with the rlogind_keytab_t type, if you want to treat the
285 files as kerberos keytab files.
286
287
288
289 rlogind_tmp_t
290
291 - Set files with the rlogind_tmp_t type, if you want to store rlogind
292 temporary files in the /tmp directories.
293
294
295
296 rlogind_var_run_t
297
298 - Set files with the rlogind_var_run_t type, if you want to store the
299 rlogind files under the /run or /var/run directory.
300
301
302
303 Note: File context can be temporarily modified with the chcon command.
304 If you want to permanently change the file context you need to use the
305 semanage fcontext command. This will modify the SELinux labeling data‐
306 base. You will need to use restorecon to apply the labels.
307
308
310 semanage fcontext can also be used to manipulate default file context
311 mappings.
312
313 semanage permissive can also be used to manipulate whether or not a
314 process type is permissive.
315
316 semanage module can also be used to enable/disable/install/remove pol‐
317 icy modules.
318
319 semanage port can also be used to manipulate the port definitions
320
321 semanage boolean can also be used to manipulate the booleans
322
323
324 system-config-selinux is a GUI tool available to customize SELinux pol‐
325 icy settings.
326
327
329 This manual page was auto-generated using sepolicy manpage .
330
331
333 selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1), sepol‐
334 icy(8), setsebool(8)
335
336
337
338rlogind 20-05-05 rlogind_selinux(8)