1mpd_selinux(8)                SELinux Policy mpd                mpd_selinux(8)
2
3
4

NAME

6       mpd_selinux - Security Enhanced Linux Policy for the mpd processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the mpd processes via flexible manda‐
10       tory access control.
11
12       The mpd processes execute with the mpd_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep mpd_t
19
20
21

ENTRYPOINTS

23       The mpd_t SELinux type can be entered via the mpd_exec_t file type.
24
25       The default entrypoint paths for the mpd_t domain are the following:
26
27       /usr/bin/mpd
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       mpd policy is very flexible allowing users to setup their mpd processes
37       in as secure a method as possible.
38
39       The following process types are defined for mpd:
40
41       mpd_t
42
43       Note: semanage permissive -a mpd_t can be used to make the process type
44       mpd_t permissive. SELinux does not deny access  to  permissive  process
45       types, but the AVC (SELinux denials) messages are still generated.
46
47

BOOLEANS

49       SELinux  policy  is  customizable  based on least access required.  mpd
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run mpd with the tightest access possible.
52
53
54
55       If  you  want  to determine whether mpd can traverse user home directo‐
56       ries, you must turn on the mpd_enable_homedirs boolean. Disabled by de‐
57       fault.
58
59       setsebool -P mpd_enable_homedirs 1
60
61
62
63       If  you  want  to  determine whether mpd can use cifs file systems, you
64       must turn on the mpd_use_cifs boolean. Disabled by default.
65
66       setsebool -P mpd_use_cifs 1
67
68
69
70       If you want to determine whether mpd can use nfs file systems, you must
71       turn on the mpd_use_nfs boolean. Disabled by default.
72
73       setsebool -P mpd_use_nfs 1
74
75
76
77       If  you  want  to  dontaudit all daemons scheduling requests (setsched,
78       sys_nice), you must turn on the  daemons_dontaudit_scheduling  boolean.
79       Enabled by default.
80
81       setsebool -P daemons_dontaudit_scheduling 1
82
83
84
85       If you want to allow all domains to execute in fips_mode, you must turn
86       on the fips_mode boolean. Enabled by default.
87
88       setsebool -P fips_mode 1
89
90
91
92       If you want to allow system to run with  NIS,  you  must  turn  on  the
93       nis_enabled boolean. Disabled by default.
94
95       setsebool -P nis_enabled 1
96
97
98
99       If  you  want  to  support  NFS  home directories, you must turn on the
100       use_nfs_home_dirs boolean. Disabled by default.
101
102       setsebool -P use_nfs_home_dirs 1
103
104
105
106       If you want to support SAMBA home directories, you  must  turn  on  the
107       use_samba_home_dirs boolean. Disabled by default.
108
109       setsebool -P use_samba_home_dirs 1
110
111
112

PORT TYPES

114       SELinux defines port types to represent TCP and UDP ports.
115
116       You  can  see  the  types associated with a port by using the following
117       command:
118
119       semanage port -l
120
121
122       Policy governs the access  confined  processes  have  to  these  ports.
123       SELinux  mpd  policy is very flexible allowing users to setup their mpd
124       processes in as secure a method as possible.
125
126       The following port types are defined for mpd:
127
128
129       mpd_port_t
130
131
132
133       Default Defined Ports:
134                 tcp 6600
135

MANAGED FILES

137       The SELinux process type mpd_t can manage files labeled with  the  fol‐
138       lowing  file  types.   The paths listed are the default paths for these
139       file types.  Note the processes UID still need to have DAC permissions.
140
141       cifs_t
142
143
144       cluster_conf_t
145
146            /etc/cluster(/.*)?
147
148       cluster_var_lib_t
149
150            /var/lib/pcsd(/.*)?
151            /var/lib/cluster(/.*)?
152            /var/lib/openais(/.*)?
153            /var/lib/pengine(/.*)?
154            /var/lib/corosync(/.*)?
155            /usr/lib/heartbeat(/.*)?
156            /var/lib/heartbeat(/.*)?
157            /var/lib/pacemaker(/.*)?
158
159       cluster_var_run_t
160
161            /var/run/crm(/.*)?
162            /var/run/cman_.*
163            /var/run/rsctmp(/.*)?
164            /var/run/aisexec.*
165            /var/run/heartbeat(/.*)?
166            /var/run/pcsd-ruby.socket
167            /var/run/corosync-qnetd(/.*)?
168            /var/run/corosync-qdevice(/.*)?
169            /var/run/corosync.pid
170            /var/run/cpglockd.pid
171            /var/run/rgmanager.pid
172            /var/run/cluster/rgmanager.sk
173
174       krb5_host_rcache_t
175
176            /var/tmp/krb5_0.rcache2
177            /var/cache/krb5rcache(/.*)?
178            /var/tmp/nfs_0
179            /var/tmp/DNS_25
180            /var/tmp/host_0
181            /var/tmp/imap_0
182            /var/tmp/HTTP_23
183            /var/tmp/HTTP_48
184            /var/tmp/ldap_55
185            /var/tmp/ldap_487
186            /var/tmp/ldapmap1_0
187
188       mpd_data_t
189
190            /var/lib/mpd/music(/.*)?
191            /var/lib/mpd/playlists(/.*)?
192
193       mpd_home_t
194
195            /home/[^/]+/.mpd(/.*)?
196
197       mpd_tmp_t
198
199
200       mpd_tmpfs_t
201
202
203       mpd_var_lib_t
204
205            /var/lib/mpd(/.*)?
206
207       mpd_var_run_t
208
209            /var/run/mpd(/.*)?
210
211       nfs_t
212
213
214       root_t
215
216            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
217            /
218            /initrd
219
220

FILE CONTEXTS

222       SELinux requires files to have an extended attribute to define the file
223       type.
224
225       You can see the context of a file using the -Z option to ls
226
227       Policy  governs  the  access  confined  processes  have to these files.
228       SELinux mpd policy is very flexible allowing users to setup  their  mpd
229       processes in as secure a method as possible.
230
231       EQUIVALENCE DIRECTORIES
232
233
234       mpd policy stores data with multiple different file context types under
235       the /var/lib/mpd directory.  If you would like to store the data  in  a
236       different  directory  you  can  use  the  semanage command to create an
237       equivalence mapping.  If you wanted to store this data under  the  /srv
238       directory you would execute the following command:
239
240       semanage fcontext -a -e /var/lib/mpd /srv/mpd
241       restorecon -R -v /srv/mpd
242
243       STANDARD FILE CONTEXT
244
245       SELinux  defines  the  file context types for the mpd, if you wanted to
246       store files with these types in a different paths, you need to  execute
247       the  semanage  command  to  specify alternate labeling and then use re‐
248       storecon to put the labels on disk.
249
250       semanage fcontext -a -t mpd_exec_t '/srv/mpd/content(/.*)?'
251       restorecon -R -v /srv/mympd_content
252
253       Note: SELinux often uses regular expressions  to  specify  labels  that
254       match multiple files.
255
256       The following file types are defined for mpd:
257
258
259
260       mpd_data_t
261
262       - Set files with the mpd_data_t type, if you want to treat the files as
263       mpd content.
264
265
266       Paths:
267            /var/lib/mpd/music(/.*)?, /var/lib/mpd/playlists(/.*)?
268
269
270       mpd_etc_t
271
272       - Set files with the mpd_etc_t type, if you want to store mpd files  in
273       the /etc directories.
274
275
276
277       mpd_exec_t
278
279       - Set files with the mpd_exec_t type, if you want to transition an exe‐
280       cutable to the mpd_t domain.
281
282
283
284       mpd_home_t
285
286       - Set files with the mpd_home_t type, if you want to store mpd files in
287       the users home directory.
288
289
290
291       mpd_initrc_exec_t
292
293       -  Set files with the mpd_initrc_exec_t type, if you want to transition
294       an executable to the mpd_initrc_t domain.
295
296
297
298       mpd_log_t
299
300       - Set files with the mpd_log_t type, if you want to treat the  data  as
301       mpd log data, usually stored under the /var/log directory.
302
303
304
305       mpd_tmp_t
306
307       - Set files with the mpd_tmp_t type, if you want to store mpd temporary
308       files in the /tmp directories.
309
310
311
312       mpd_tmpfs_t
313
314       - Set files with the mpd_tmpfs_t type, if you want to store  mpd  files
315       on a tmpfs file system.
316
317
318
319       mpd_user_data_t
320
321       -  Set  files  with  the mpd_user_data_t type, if you want to treat the
322       files as mpd user content.
323
324
325
326       mpd_var_lib_t
327
328       - Set files with the mpd_var_lib_t type, if you want to store  the  mpd
329       files under the /var/lib directory.
330
331
332
333       mpd_var_run_t
334
335       -  Set  files with the mpd_var_run_t type, if you want to store the mpd
336       files under the /run or /var/run directory.
337
338
339
340       Note: File context can be temporarily modified with the chcon  command.
341       If  you want to permanently change the file context you need to use the
342       semanage fcontext command.  This will modify the SELinux labeling data‐
343       base.  You will need to use restorecon to apply the labels.
344
345

COMMANDS

347       semanage  fcontext  can also be used to manipulate default file context
348       mappings.
349
350       semanage permissive can also be used to manipulate  whether  or  not  a
351       process type is permissive.
352
353       semanage  module can also be used to enable/disable/install/remove pol‐
354       icy modules.
355
356       semanage port can also be used to manipulate the port definitions
357
358       semanage boolean can also be used to manipulate the booleans
359
360
361       system-config-selinux is a GUI tool available to customize SELinux pol‐
362       icy settings.
363
364

AUTHOR

366       This manual page was auto-generated using sepolicy manpage .
367
368

SEE ALSO

370       selinux(8),  mpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
371       setsebool(8)
372
373
374
375mpd                                23-10-20                     mpd_selinux(8)
Impressum