systemd_logind_selinux(8)     SELinux Policy systemd_logind     systemd_logind_selinux(8)

NAME
       systemd_logind_selinux - Security Enhanced Linux Policy for the
       systemd_logind processes

DESCRIPTION
       Security-Enhanced Linux secures the systemd_logind processes via
       flexible mandatory access control.

       The systemd_logind processes execute with the systemd_logind_t SELinux
       type. You can check if you have these processes running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep systemd_logind_t


ENTRYPOINTS
       The systemd_logind_t SELinux type can be entered via the
       systemd_logind_exec_t file type.

       The default entrypoint paths for the systemd_logind_t domain are the
       following:

       /usr/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-user-runtime-dir


PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       systemd_logind policy is very flexible, allowing users to set up their
       systemd_logind processes in as secure a manner as possible.

       The following process types are defined for systemd_logind:

       systemd_logind_t

       Note: semanage permissive -a systemd_logind_t can be used to make the
       process type systemd_logind_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denial) messages are
       still generated.


BOOLEANS
       SELinux policy is customizable based on the least access required.
       systemd_logind policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run systemd_logind with
       the tightest access possible.

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
       you must turn on the nagios_run_sudo boolean. Disabled by default.

       setsebool -P nagios_run_sudo 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow Zabbix to run su/sudo, you must turn on the
       zabbix_run_sudo boolean. Disabled by default.

       setsebool -P zabbix_run_sudo 1

       If you want to allow ZoneMinder to run su/sudo, you must turn on the
       zoneminder_run_sudo boolean. Disabled by default.

       setsebool -P zoneminder_run_sudo 1


MANAGED FILES
       The SELinux process type systemd_logind_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       config_home_t

            /root/.kde(/.*)?
            /root/.xine(/.*)?
            /root/.config(/.*)?
            /root/.Xdefaults
            /home/[^/]+/.kde(/.*)?
            /home/[^/]+/.xine(/.*)?
            /home/[^/]+/.config(/.*)?
            /home/[^/]+/.cache/dconf(/.*)?
            /home/[^/]+/.Xdefaults
            /var/run/user/[0-9]+/dconf(/.*)?

       fusefs_t

            /var/run/user/[0-9]+/gvfs

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       sysfs_t

            /sys(/.*)?

       systemd_logind_inhibit_var_run_t

            /var/run/systemd/inhibit(/.*)?

       systemd_logind_sessions_t

            /var/run/systemd/sessions(/.*)?

       systemd_logind_var_lib_t

            /var/lib/systemd/linger(/.*)?

       systemd_logind_var_run_t

            /var/run/.*nologin.*
            /var/run/systemd/seats(/.*)?
            /var/run/systemd/users(/.*)?
            /var/run/systemd/shutdown(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       udev_rules_t

            /etc/udev/rules.d(/.*)?

       user_tmp_type

            all user tmp files

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?


FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux systemd_logind policy is very flexible, allowing users to set
       up their systemd_logind processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for systemd_logind. If you want
       to store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t systemd_logind_exec_t '/srv/systemd_logind/content(/.*)?'
       restorecon -R -v /srv/systemd_logind/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for systemd_logind:

       systemd_logind_exec_t

       - Set files with the systemd_logind_exec_t type, if you want to
       transition an executable to the systemd_logind_t domain.

       Paths:
            /usr/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-user-runtime-dir

       systemd_logind_inhibit_var_run_t

       - Set files with the systemd_logind_inhibit_var_run_t type, if you want
       to store the systemd logind inhibit files under the /run or /var/run
       directory.

       systemd_logind_sessions_t

       - Set files with the systemd_logind_sessions_t type, if you want to
       treat the files as systemd logind sessions data.

       systemd_logind_var_lib_t

       - Set files with the systemd_logind_var_lib_t type, if you want to
       store the systemd logind files under the /var/lib directory.

       systemd_logind_var_run_t

       - Set files with the systemd_logind_var_run_t type, if you want to
       store the systemd logind files under the /run or /var/run directory.

       Paths:
            /var/run/.*nologin.*, /var/run/systemd/seats(/.*)?,
            /var/run/systemd/users(/.*)?, /var/run/systemd/shutdown(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
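       The following POSIX sh script is an added example, not part of the
       sepolicy-generated page: it compares the labels on logind's runtime and
       state paths (as printed by ls -dZ) with the file types listed under
       MANAGED FILES and FILE CONTEXTS above, and names restorecon as the fix
       for any drift. The ls -dZ lines it checks are constructed so it runs
       offline; on a real host, feed it the output of ls -dZ on those paths.

```shell
# Added example (not from the sepolicy-generated page): compare the SELinux
# labels on logind's runtime/state paths with the file types this page lists,
# reading `ls -dZ`-style "context path" lines. Sample input is constructed.
# Expected file type per the MANAGED FILES section; /var/run/ folds onto /run/.
expected_type() {
    case "$1" in /var/run/*) p=/run${1#/var/run} ;; *) p=$1 ;; esac
    case "$p" in
        /run/systemd/inhibit)            echo systemd_logind_inhibit_var_run_t ;;
        /run/systemd/sessions)           echo systemd_logind_sessions_t ;;
        /run/systemd/seats|/run/systemd/users|/run/systemd/shutdown)
                                         echo systemd_logind_var_run_t ;;
        /var/lib/systemd/linger)         echo systemd_logind_var_lib_t ;;
        /usr/lib/systemd/systemd-logind) echo systemd_logind_exec_t ;;
        *)                               echo unknown ;;
    esac
}

# Type field of a context such as system_u:object_r:systemd_logind_sessions_t:s0.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Check one "context path" line; prints ok/MISMATCH, returns 0 only on a match.
check_line() {
    ctx=${1%% *}; path=${1#* }
    want=$(expected_type "$path"); have=$(context_type "$ctx")
    if [ "$want" = "$have" ]; then
        printf 'ok       %s (%s)\n' "$path" "$have"; return 0
    fi
    printf 'MISMATCH %s: have %s, expected %s (fix: restorecon -v %s)\n' \
        "$path" "$have" "$want" "$path"
    return 1
}

# Constructed `ls -dZ` output; the inhibit directory is deliberately mislabeled
# as plain var_run_t, so the systemd_logind_t domain could not manage it.
SAMPLE='system_u:object_r:systemd_logind_sessions_t:s0 /run/systemd/sessions
system_u:object_r:var_run_t:s0 /run/systemd/inhibit
system_u:object_r:systemd_logind_var_lib_t:s0 /var/lib/systemd/linger'

# Check every sample line and print the mismatch count as the last line.
audit_sample() {
    bad=0
    while IFS= read -r line; do
        check_line "$line" || bad=$((bad + 1))
    done <<EOF
$SAMPLE
EOF
    printf 'mismatches: %s\n' "$bad"
}

audit_sample
```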
301
302

COMMANDS

304       semanage fcontext can also be used to manipulate default  file  context
305       mappings.
306
307       semanage  permissive  can  also  be used to manipulate whether or not a
308       process type is permissive.
309
310       semanage module can also be used to enable/disable/install/remove  pol‐
311       icy modules.
312
313       semanage boolean can also be used to manipulate the booleans
314
315
316       system-config-selinux is a GUI tool available to customize SELinux pol‐
317       icy settings.
318
319

AUTHOR

321       This manual page was auto-generated using sepolicy manpage .
322
323

SEE ALSO

325       selinux(8), systemd_logind(8),  semanage(8),  restorecon(8),  chcon(1),
326       sepolicy(8), setsebool(8)
327
328
329
330systemd_logind                     23-10-20          systemd_logind_selinux(8)