1l2tpd_selinux(8) SELinux Policy l2tpd l2tpd_selinux(8)
2
6 l2tpd_selinux - Security Enhanced Linux Policy for the l2tpd processes
7
9 Security-Enhanced Linux secures the l2tpd processes via flexible manda‐
10 tory access control.
11 The l2tpd processes execute with the l2tpd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep l2tpd_t
19
23 The l2tpd_t SELinux type can be entered via the file_type, unlabeled_t,
24 proc_type, filesystem_type, l2tpd_exec_t, mtrr_device_t, sysctl_type
25 file types.
26 The default entrypoint paths for the l2tpd_t domain are the following:
28 all files on the system, /usr/sbin/xl2tpd, /usr/sbin/prol2tpd,
30 /usr/sbin/openl2tpd, /dev/cpu/mtrr
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 l2tpd policy is very flexible allowing users to setup their l2tpd pro‐
40 cesses in as secure a method as possible.
41 The following process types are defined for l2tpd:
43 l2tpd_t
45 Note: semanage permissive -a l2tpd_t can be used to make the process
47 type l2tpd_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. l2tpd
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run l2tpd with the tightest access possible.
56 If you want to allow all daemons to write corefiles to /, you must turn
60 on the allow_daemons_dump_core boolean. Disabled by default.
61 setsebool -P allow_daemons_dump_core 1
63 If you want to allow all daemons to use tcp wrappers, you must turn on
67 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
68 setsebool -P allow_daemons_use_tcp_wrapper 1
70 If you want to allow all daemons the ability to read/write terminals,
74 you must turn on the allow_daemons_use_tty boolean. Disabled by
75 default.
76 setsebool -P allow_daemons_use_tty 1
78 If you want to allow all domains to use other domains file descriptors,
82 you must turn on the allow_domain_fd_use boolean. Enabled by default.
83 setsebool -P allow_domain_fd_use 1
85 If you want to allow unconfined executables to make their heap memory
89 executable. Doing this is a really bad idea. Probably indicates a
90 badly coded executable, but could indicate an attack. This executable
91 should be reported in bugzilla, you must turn on the allow_execheap
92 boolean. Disabled by default.
93 setsebool -P allow_execheap 1
95 If you want to allow unconfined executables to map a memory region as
99 both executable and writable, this is dangerous and the executable
100 should be reported in bugzilla), you must turn on the allow_execmem
101 boolean. Enabled by default.
102 setsebool -P allow_execmem 1
104 If you want to allow all unconfined executables to use libraries
108 requiring text relocation that are not labeled textrel_shlib_t), you
109 must turn on the allow_execmod boolean. Enabled by default.
110 setsebool -P allow_execmod 1
112 If you want to allow unconfined executables to make their stack exe‐
116 cutable. This should never, ever be necessary. Probably indicates a
117 badly coded executable, but could indicate an attack. This executable
118 should be reported in bugzilla), you must turn on the allow_execstack
119 boolean. Enabled by default.
120 setsebool -P allow_execstack 1
122 If you want to allow sysadm to debug or ptrace all processes, you must
126 turn on the allow_ptrace boolean. Disabled by default.
127 setsebool -P allow_ptrace 1
129 If you want to enable cluster mode for daemons, you must turn on the
133 daemons_enable_cluster_mode boolean. Disabled by default.
134 setsebool -P daemons_enable_cluster_mode 1
136 If you want to allow all domains to have the kernel load modules, you
140 must turn on the domain_kernel_load_modules boolean. Disabled by
141 default.
142 setsebool -P domain_kernel_load_modules 1
144 If you want to allow all domains to execute in fips_mode, you must turn
148 on the fips_mode boolean. Enabled by default.
149 setsebool -P fips_mode 1
151 If you want to enable reading of urandom for all domains, you must turn
155 on the global_ssp boolean. Disabled by default.
156 setsebool -P global_ssp 1
158 If you want to enable support for upstart as the init program, you must
162 turn on the init_upstart boolean. Enabled by default.
163 setsebool -P init_upstart 1
165 If you want to allow certain domains to map low memory in the kernel,
169 you must turn on the mmap_low_allowed boolean. Disabled by default.
170 setsebool -P mmap_low_allowed 1
172 If you want to boolean to determine whether the system permits loading
176 policy, setting enforcing mode, and changing boolean values. Set this
177 to true and you have to reboot to set it back, you must turn on the
178 secure_mode_policyload boolean. Disabled by default.
179 setsebool -P secure_mode_policyload 1
181 If you want to support X userspace object manager, you must turn on the
185 xserver_object_manager boolean. Disabled by default.
186 setsebool -P xserver_object_manager 1
188
192 SELinux defines port types to represent TCP and UDP ports.
193 You can see the types associated with a port by using the following
195 command:
196 semanage port -l
198 Policy governs the access confined processes have to these ports.
201 SELinux l2tpd policy is very flexible allowing users to setup their
202 l2tpd processes in as secure a method as possible.
203 The following port types are defined for l2tpd:
205 l2tp_port_t
208 Default Defined Ports:
212 tcp 1701
213 udp 1701
214
216 The SELinux process type l2tpd_t can manage files labeled with the fol‐
217 lowing file types. The paths listed are the default paths for these
218 file types. Note the processes UID still need to have DAC permissions.
219 file_type
221 all files on the system
223
226 SELinux requires files to have an extended attribute to define the file
227 type.
228 You can see the context of a file using the -Z option to ls
230 Policy governs the access confined processes have to these files.
232 SELinux l2tpd policy is very flexible allowing users to setup their
233 l2tpd processes in as secure a method as possible.
234 EQUIVALENCE DIRECTORIES
236 l2tpd policy stores data with multiple different file context types
239 under the /var/run/xl2tpd directory. If you would like to store the
240 data in a different directory you can use the semanage command to cre‐
241 ate an equivalence mapping. If you wanted to store this data under the
242 /srv dirctory you would execute the following command:
243 semanage fcontext -a -e /var/run/xl2tpd /srv/xl2tpd
245 restorecon -R -v /srv/xl2tpd
246 l2tpd policy stores data with multiple different file context types
248 under the /var/run/prol2tpd directory. If you would like to store the
249 data in a different directory you can use the semanage command to cre‐
250 ate an equivalence mapping. If you wanted to store this data under the
251 /srv dirctory you would execute the following command:
252 semanage fcontext -a -e /var/run/prol2tpd /srv/prol2tpd
254 restorecon -R -v /srv/prol2tpd
255 STANDARD FILE CONTEXT
257 SELinux defines the file context types for the l2tpd, if you wanted to
259 store files with these types in a diffent paths, you need to execute
260 the semanage command to sepecify alternate labeling and then use
261 restorecon to put the labels on disk.
262 semanage fcontext -a -t l2tpd_var_run_t '/srv/myl2tpd_content(/.*)?'
264 restorecon -R -v /srv/myl2tpd_content
265 Note: SELinux often uses regular expressions to specify labels that
267 match multiple files.
268 The following file types are defined for l2tpd:
270 l2tpd_exec_t
274 - Set files with the l2tpd_exec_t type, if you want to transition an
276 executable to the l2tpd_t domain.
277 Paths:
280 /usr/sbin/xl2tpd, /usr/sbin/prol2tpd, /usr/sbin/openl2tpd
281 l2tpd_initrc_exec_t
284 - Set files with the l2tpd_initrc_exec_t type, if you want to transi‐
286 tion an executable to the l2tpd_initrc_t domain.
287 Paths:
290 /etc/rc.d/init.d/xl2tpd, /etc/rc.d/init.d/prol2tpd,
291 /etc/rc.d/init.d/openl2tpd
292 l2tpd_tmp_t
295 - Set files with the l2tpd_tmp_t type, if you want to store l2tpd tem‐
297 porary files in the /tmp directories.
298 l2tpd_var_run_t
302 - Set files with the l2tpd_var_run_t type, if you want to store the
304 l2tpd files under the /run or /var/run directory.
305 Paths:
308 /var/run/xl2tpd(/.*)?, /var/run/prol2tpd(/.*)?,
309 /var/run/xl2tpd.pid, /var/run/prol2tpd.ctl, /var/run/prol2tpd.pid,
310 /var/run/openl2tpd.pid
311 Note: File context can be temporarily modified with the chcon command.
314 If you want to permanently change the file context you need to use the
315 semanage fcontext command. This will modify the SELinux labeling data‐
316 base. You will need to use restorecon to apply the labels.
317
320 semanage fcontext can also be used to manipulate default file context
321 mappings.
322 semanage permissive can also be used to manipulate whether or not a
324 process type is permissive.
325 semanage module can also be used to enable/disable/install/remove pol‐
327 icy modules.
328 semanage port can also be used to manipulate the port definitions
330 semanage boolean can also be used to manipulate the booleans
332 system-config-selinux is a GUI tool available to customize SELinux pol‐
335 icy settings.
336
339 This manual page was auto-generated using sepolicy manpage .
340
343 selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1) , setse‐
344 bool(8)
345l2tpd 15-06-03 l2tpd_selinux(8)