1slapd_selinux(8) SELinux Policy slapd slapd_selinux(8)
2
6 slapd_selinux - Security Enhanced Linux Policy for the slapd processes
7
9 Security-Enhanced Linux secures the slapd processes via flexible manda‐
10 tory access control.
11 The slapd processes execute with the slapd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep slapd_t
19
23 The slapd_t SELinux type can be entered via the slapd_exec_t file type.
24 The default entrypoint paths for the slapd_t domain are the following:
26 /usr/lib/slapd, /usr/sbin/slapd, /usr/lib/openldap/slapd
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 slapd policy is very flexible allowing users to setup their slapd pro‐
37 cesses in as secure a method as possible.
38 The following process types are defined for slapd:
40 slapd_t
42 Note: semanage permissive -a slapd_t can be used to make the process
44 type slapd_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
50 SELinux policy is customizable based on least access required. slapd
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run slapd with the tightest access possible.
53 If you want to dontaudit all daemons scheduling requests (setsched,
57 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
58 Enabled by default.
59 setsebool -P daemons_dontaudit_scheduling 1
61 If you want to allow all domains to execute in fips_mode, you must turn
65 on the fips_mode boolean. Enabled by default.
66 setsebool -P fips_mode 1
68 If you want to allow confined applications to run with kerberos, you
72 must turn on the kerberos_enabled boolean. Enabled by default.
73 setsebool -P kerberos_enabled 1
75 If you want to allow system to run with NIS, you must turn on the
79 nis_enabled boolean. Disabled by default.
80 setsebool -P nis_enabled 1
82
86 The SELinux process type slapd_t can manage files labeled with the fol‐
87 lowing file types. The paths listed are the default paths for these
88 file types. Note the processes UID still need to have DAC permissions.
89 auth_cache_t
91 /var/cache/coolkey(/.*)?
93 cluster_conf_t
95 /etc/cluster(/.*)?
97 cluster_var_lib_t
99 /var/lib/pcsd(/.*)?
101 /var/lib/cluster(/.*)?
102 /var/lib/openais(/.*)?
103 /var/lib/pengine(/.*)?
104 /var/lib/corosync(/.*)?
105 /usr/lib/heartbeat(/.*)?
106 /var/lib/heartbeat(/.*)?
107 /var/lib/pacemaker(/.*)?
108 cluster_var_run_t
110 /var/run/crm(/.*)?
112 /var/run/cman_.*
113 /var/run/rsctmp(/.*)?
114 /var/run/aisexec.*
115 /var/run/heartbeat(/.*)?
116 /var/run/pcsd-ruby.socket
117 /var/run/corosync-qnetd(/.*)?
118 /var/run/corosync-qdevice(/.*)?
119 /var/run/corosync.pid
120 /var/run/cpglockd.pid
121 /var/run/rgmanager.pid
122 /var/run/cluster/rgmanager.sk
123 krb5_host_rcache_t
125 /var/tmp/krb5_0.rcache2
127 /var/cache/krb5rcache(/.*)?
128 /var/tmp/nfs_0
129 /var/tmp/DNS_25
130 /var/tmp/host_0
131 /var/tmp/imap_0
132 /var/tmp/HTTP_23
133 /var/tmp/HTTP_48
134 /var/tmp/ldap_55
135 /var/tmp/ldap_487
136 /var/tmp/ldapmap1_0
137 root_t
139 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
141 /
142 /initrd
143 security_t
145 /selinux
147 slapd_cert_t
149 /etc/openldap/certs(/.*)?
151 slapd_db_t
153 /var/lib/ldap(/.*)?
155 /etc/openldap/slapd.d(/.*)?
156 /var/lib/openldap-data(/.*)?
157 /var/lib/openldap-ldbm(/.*)?
158 /var/lib/openldap-slurpd(/.*)?
159 slapd_lock_t
161 /var/lock/subsys/ldap
163 /var/lock/subsys/slapd
164 slapd_log_t
166 /var/log/ldap.*
168 /var/log/slapd.*
169 slapd_replog_t
171 /var/lib/ldap/replog(/.*)?
173 slapd_tmp_t
175 slapd_tmpfs_t
178 slapd_var_run_t
181 /var/run/openldap(/.*)?
183 /var/run/ldapi
184 /var/run/slapd.pid
185 /var/run/slapd.args
186
189 SELinux requires files to have an extended attribute to define the file
190 type.
191 You can see the context of a file using the -Z option to ls
193 Policy governs the access confined processes have to these files.
195 SELinux slapd policy is very flexible allowing users to setup their
196 slapd processes in as secure a method as possible.
197 EQUIVALENCE DIRECTORIES
199 slapd policy stores data with multiple different file context types un‐
202 der the /var/lib/ldap directory. If you would like to store the data
203 in a different directory you can use the semanage command to create an
204 equivalence mapping. If you wanted to store this data under the /srv
205 directory you would execute the following command:
206 semanage fcontext -a -e /var/lib/ldap /srv/ldap
208 restorecon -R -v /srv/ldap
209 STANDARD FILE CONTEXT
211 SELinux defines the file context types for the slapd, if you wanted to
213 store files with these types in a different paths, you need to execute
214 the semanage command to specify alternate labeling and then use re‐
215 storecon to put the labels on disk.
216 semanage fcontext -a -t slapd_exec_t '/srv/slapd/content(/.*)?'
218 restorecon -R -v /srv/myslapd_content
219 Note: SELinux often uses regular expressions to specify labels that
221 match multiple files.
222 The following file types are defined for slapd:
224 slapd_cert_t
228 - Set files with the slapd_cert_t type, if you want to treat the files
230 as slapd certificate data.
231 slapd_db_t
235 - Set files with the slapd_db_t type, if you want to treat the files as
237 slapd database content.
238 Paths:
241 /var/lib/ldap(/.*)?, /etc/openldap/slapd.d(/.*)?, /var/lib/openl‐
242 dap-data(/.*)?, /var/lib/openldap-ldbm(/.*)?, /var/lib/openldap-
243 slurpd(/.*)?
244 slapd_etc_t
247 - Set files with the slapd_etc_t type, if you want to store slapd files
249 in the /etc directories.
250 slapd_exec_t
254 - Set files with the slapd_exec_t type, if you want to transition an
256 executable to the slapd_t domain.
257 Paths:
260 /usr/lib/slapd, /usr/sbin/slapd, /usr/lib/openldap/slapd
261 slapd_initrc_exec_t
264 - Set files with the slapd_initrc_exec_t type, if you want to transi‐
266 tion an executable to the slapd_initrc_t domain.
267 slapd_keytab_t
271 - Set files with the slapd_keytab_t type, if you want to treat the
273 files as kerberos keytab files.
274 slapd_lock_t
278 - Set files with the slapd_lock_t type, if you want to treat the files
280 as slapd lock data, stored under the /var/lock directory
281 Paths:
284 /var/lock/subsys/ldap, /var/lock/subsys/slapd
285 slapd_log_t
288 - Set files with the slapd_log_t type, if you want to treat the data as
290 slapd log data, usually stored under the /var/log directory.
291 Paths:
294 /var/log/ldap.*, /var/log/slapd.*
295 slapd_replog_t
298 - Set files with the slapd_replog_t type, if you want to treat the
300 files as slapd replog data.
301 slapd_tmp_t
305 - Set files with the slapd_tmp_t type, if you want to store slapd tem‐
307 porary files in the /tmp directories.
308 slapd_tmpfs_t
312 - Set files with the slapd_tmpfs_t type, if you want to store slapd
314 files on a tmpfs file system.
315 slapd_unit_file_t
319 - Set files with the slapd_unit_file_t type, if you want to treat the
321 files as slapd unit content.
322 slapd_var_run_t
326 - Set files with the slapd_var_run_t type, if you want to store the
328 slapd files under the /run or /var/run directory.
329 Paths:
332 /var/run/openldap(/.*)?, /var/run/ldapi, /var/run/slapd.pid,
333 /var/run/slapd.args
334 Note: File context can be temporarily modified with the chcon command.
337 If you want to permanently change the file context you need to use the
338 semanage fcontext command. This will modify the SELinux labeling data‐
339 base. You will need to use restorecon to apply the labels.
340
343 semanage fcontext can also be used to manipulate default file context
344 mappings.
345 semanage permissive can also be used to manipulate whether or not a
347 process type is permissive.
348 semanage module can also be used to enable/disable/install/remove pol‐
350 icy modules.
351 semanage boolean can also be used to manipulate the booleans
353 system-config-selinux is a GUI tool available to customize SELinux pol‐
356 icy settings.
357
360 This manual page was auto-generated using sepolicy manpage .
361
364 selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1), sepol‐
365 icy(8), setsebool(8)
366slapd 23-12-15 slapd_selinux(8)