1logadm_selinux(8)     logadm SELinux Policy documentation    logadm_selinux(8)
2
3
4

NAME

6       logadm_r - Log administrator role - Security Enhanced Linux Policy
7
8

DESCRIPTION

10       SELinux  supports  Roles  Based Access Control (RBAC), some Linux roles
11       are login roles, while other roles need to be transition into.
12
13       Note: Examples in this man page will use the staff_u SELinux user.
14
15       Non login roles are usually used for administrative tasks. For example,
16       tasks  that  require root privileges.  Roles control which types a user
17       can run processes with. Roles often  have  default  types  assigned  to
18       them.
19
20       The default type for the logadm_r role is logadm_t.
21
22       The newrole program to transition directly to this role.
23
24       newrole -r logadm_r -t logadm_t
25
26       sudo is the preferred method to do transition from one role to another.
27       You setup sudo to transition to logadm_r by adding a  similar  line  to
28       the /etc/sudoers file.
29
30       USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
31
32       sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
33
34       When  using  a a non login role, you need to setup SELinux so that your
35       SELinux user can reach logadm_r role.
36
37       Execute the following to see all of the assigned SELinux roles:
38
39       semanage user -l
40
41       You need to add logadm_r to the staff_u  user.   You  could  setup  the
42       staff_u user to be able to use the logadm_r role with a command like:
43
44       $ semanage user -m -R 'staff_r system_r logadm_r' staff_u
45
46
47

BOOLEANS

49       SELinux  policy is customizable based on least access required.  logadm
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run logadm with the tightest access possible.
52
53
54
55       If  you  want to allow direct login to the console device. Required for
56       System 390, you must turn on the allow_console_login  boolean.  Enabled
57       by default.
58
59       setsebool -P allow_console_login 1
60
61
62
63       If you want to allow all domains to use other domains file descriptors,
64       you must turn on the allow_domain_fd_use boolean. Enabled by default.
65
66       setsebool -P allow_domain_fd_use 1
67
68
69
70       If you want to allow unconfined executables to map a memory  region  as
71       both  executable  and  writable,  this  is dangerous and the executable
72       should be reported in bugzilla), you must  turn  on  the  allow_execmem
73       boolean. Enabled by default.
74
75       setsebool -P allow_execmem 1
76
77
78
79       If  you  want  to allow unconfined executables to make their stack exe‐
80       cutable.  This should never, ever be necessary.  Probably  indicates  a
81       badly  coded  executable, but could indicate an attack. This executable
82       should be reported in bugzilla), you must turn on  the  allow_execstack
83       boolean. Enabled by default.
84
85       setsebool -P allow_execstack 1
86
87
88
89       If  you  want  to allow confined applications to run with kerberos, you
90       must turn on the allow_kerberos boolean. Enabled by default.
91
92       setsebool -P allow_kerberos 1
93
94
95
96       If you want to allow sysadm to debug or ptrace all processes, you  must
97       turn on the allow_ptrace boolean. Disabled by default.
98
99       setsebool -P allow_ptrace 1
100
101
102
103       If  you  want  to  allow  system  to run with NIS, you must turn on the
104       allow_ypbind boolean. Disabled by default.
105
106       setsebool -P allow_ypbind 1
107
108
109
110       If you want to allow all domains to have the kernel load  modules,  you
111       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
112       default.
113
114       setsebool -P domain_kernel_load_modules 1
115
116
117
118       If you want to allow all domains to execute in fips_mode, you must turn
119       on the fips_mode boolean. Enabled by default.
120
121       setsebool -P fips_mode 1
122
123
124
125       If you want to enable reading of urandom for all domains, you must turn
126       on the global_ssp boolean. Disabled by default.
127
128       setsebool -P global_ssp 1
129
130
131
132       If you want to allow confined applications to use nscd  shared  memory,
133       you must turn on the nscd_use_shm boolean. Enabled by default.
134
135       setsebool -P nscd_use_shm 1
136
137
138
139       If  you  want  to enabling secure mode disallows programs, such as new‐
140       role, from transitioning to administrative user domains, you must  turn
141       on the secure_mode boolean. Disabled by default.
142
143       setsebool -P secure_mode 1
144
145
146
147       If  you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
148       the ssh_sysadm_login boolean. Disabled by default.
149
150       setsebool -P ssh_sysadm_login 1
151
152
153
154       If you want to allow xdm  logins  as  sysadm,  you  must  turn  on  the
155       xdm_sysadm_login boolean. Disabled by default.
156
157       setsebool -P xdm_sysadm_login 1
158
159
160

MANAGED FILES

162       The  SELinux  process  type  logadm_t can manage files labeled with the
163       following file types.  The paths listed are the default paths for these
164       file types.  Note the processes UID still need to have DAC permissions.
165
166       auditd_etc_t
167
168            /etc/audit(/.*)?
169
170       auditd_log_t
171
172            /var/log/audit(/.*)?
173            /var/log/audit.log.*
174
175       auditd_var_run_t
176
177            /var/run/auditd.pid
178            /var/run/auditd_sock
179            /var/run/audit_events
180
181       initrc_tmp_t
182
183
184       klogd_tmp_t
185
186
187       klogd_var_run_t
188
189            /var/run/klogd.pid
190
191       logfile
192
193            all log files
194
195       mnt_t
196
197            /mnt(/[^/]*)
198            /mnt(/[^/]*)?
199            /rhev(/[^/]*)?
200            /media(/[^/]*)
201            /media(/[^/]*)?
202            /etc/rhgb(/.*)?
203            /media/.hal-.*
204            /net
205            /afs
206            /rhev
207            /misc
208
209       syslog_conf_t
210
211            /etc/syslog.conf
212            /etc/rsyslog.conf
213            /etc/rsyslog.d(/.*)?
214
215       syslogd_tmp_t
216
217
218       syslogd_var_lib_t
219
220            /var/lib/r?syslog(/.*)?
221            /var/lib/syslog-ng(/.*)?
222            /var/lib/syslog-ng.persist
223            /var/lib/misc/syslog-ng.persist-?
224
225       syslogd_var_run_t
226
227            /var/run/log(/.*)?
228            /var/run/syslog-ng.ctl
229            /var/run/syslog-ng(/.*)?
230            /var/run/metalog.pid
231            /var/run/syslogd.pid
232
233       tmp_t
234
235            /tmp
236            /usr/tmp
237            /var/tmp
238            /tmp-inst
239            /var/tmp-inst
240            /var/tmp/vi.recover
241
242

COMMANDS

244       semanage  fcontext  can also be used to manipulate default file context
245       mappings.
246
247       semanage permissive can also be used to manipulate  whether  or  not  a
248       process type is permissive.
249
250       semanage  module can also be used to enable/disable/install/remove pol‐
251       icy modules.
252
253       semanage boolean can also be used to manipulate the booleans
254
255
256       system-config-selinux is a GUI tool available to customize SELinux pol‐
257       icy settings.
258
259

AUTHOR

261       This manual page was auto-generated using sepolicy manpage .
262
263

SEE ALSO

265       selinux(8),  logadm(8),  semanage(8),  restorecon(8), chcon(1) , setse‐
266       bool(8)
267
268
269
270mgrepl@redhat.com                   logadm                   logadm_selinux(8)
Impressum