auditadm_selinux(8)

1auditadm_selinux(8)  auditadm SELinux Policy documentation auditadm_selinux(8)
2
3
4

NAME

6       auditadm_r - Audit administrator role - Security Enhanced Linux Policy
7
8

DESCRIPTION

10       SELinux  supports  Roles  Based Access Control (RBAC), some Linux roles
11       are login roles, while other roles need to be transition into.
12
13       Note: Examples in this man page will use the staff_u SELinux user.
14
15       Non login roles are usually used for administrative tasks. For example,
16       tasks  that  require root privileges.  Roles control which types a user
17       can run processes with. Roles often  have  default  types  assigned  to
18       them.
19
20       The default type for the auditadm_r role is auditadm_t.
21
22       The newrole program to transition directly to this role.
23
24       newrole -r auditadm_r -t auditadm_t
25
26       sudo is the preferred method to do transition from one role to another.
27       You setup sudo to transition to auditadm_r by adding a similar line  to
28       the /etc/sudoers file.
29
30       USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
31
32       sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
33
34       When  using  a a non login role, you need to setup SELinux so that your
35       SELinux user can reach auditadm_r role.
36
37       Execute the following to see all of the assigned SELinux roles:
38
39       semanage user -l
40
41       You need to add auditadm_r to the staff_u user.  You  could  setup  the
42       staff_u user to be able to use the auditadm_r role with a command like:
43
44       $ semanage user -m -R 'staff_r system_r auditadm_r' staff_u
45
46
47
48       SELinux  policy also controls which roles can transition to a different
49       role.  You can list these rules using the following command.
50
51       sesearch --role_allow
52
53       SELinux policy allows the secadm_r, staff_r, sysadm_r roles can transi‐
54       tion to the auditadm_r role.
55
56
57

BOOLEANS

59       SELinux  policy  is customizable based on least access required.  audi‐
60       tadm policy is extremely flexible and has several booleans  that  allow
61       you  to manipulate the policy and run auditadm with the tightest access
62       possible.
63
64
65
66       If you want to allow users to resolve user passwd entries directly from
67       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
68       gin_nsswitch_use_ldap boolean. Disabled by default.
69
70       setsebool -P authlogin_nsswitch_use_ldap 1
71
72
73
74       If you want to deny user domains applications to map a memory region as
75       both  executable  and  writable,  this  is dangerous and the executable
76       should be reported in bugzilla, you must turn on the deny_execmem bool‐
77       ean. Enabled by default.
78
79       setsebool -P deny_execmem 1
80
81
82
83       If  you  want  to deny any process from ptracing or debugging any other
84       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
85       default.
86
87       setsebool -P deny_ptrace 1
88
89
90
91       If  you  want  to  allow  any  process  to mmap any file on system with
92       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
93       ean. Enabled by default.
94
95       setsebool -P domain_can_mmap_files 1
96
97
98
99       If  you want to allow all domains write to kmsg_device, while kernel is
100       executed with systemd.log_target=kmsg parameter, you must turn  on  the
101       domain_can_write_kmsg boolean. Disabled by default.
102
103       setsebool -P domain_can_write_kmsg 1
104
105
106
107       If you want to allow all domains to use other domains file descriptors,
108       you must turn on the domain_fd_use boolean. Enabled by default.
109
110       setsebool -P domain_fd_use 1
111
112
113
114       If you want to allow all domains to have the kernel load  modules,  you
115       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
116       default.
117
118       setsebool -P domain_kernel_load_modules 1
119
120
121
122       If you want to allow all domains to execute in fips_mode, you must turn
123       on the fips_mode boolean. Enabled by default.
124
125       setsebool -P fips_mode 1
126
127
128
129       If you want to enable reading of urandom for all domains, you must turn
130       on the global_ssp boolean. Disabled by default.
131
132       setsebool -P global_ssp 1
133
134
135
136       If you want to allow confined applications to run  with  kerberos,  you
137       must turn on the kerberos_enabled boolean. Enabled by default.
138
139       setsebool -P kerberos_enabled 1
140
141
142
143       If you want to allow logging in and using the system from /dev/console,
144       you must turn on the login_console_enabled boolean. Enabled by default.
145
146       setsebool -P login_console_enabled 1
147
148
149
150       If you want to allow system to run with  NIS,  you  must  turn  on  the
151       nis_enabled boolean. Disabled by default.
152
153       setsebool -P nis_enabled 1
154
155
156
157       If  you  want to allow confined applications to use nscd shared memory,
158       you must turn on the nscd_use_shm boolean. Disabled by default.
159
160       setsebool -P nscd_use_shm 1
161
162
163
164       If you want to disallow programs, such as newrole,  from  transitioning
165       to  administrative user domains, you must turn on the secure_mode bool‐
166       ean. Enabled by default.
167
168       setsebool -P secure_mode 1
169
170
171
172       If you want to allow unconfined executables to make  their  stack  exe‐
173       cutable.   This  should  never, ever be necessary. Probably indicates a
174       badly coded executable, but could indicate an attack.  This  executable
175       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
176       stack boolean. Enabled by default.
177
178       setsebool -P selinuxuser_execstack 1
179
180
181
182       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn  on
183       the ssh_sysadm_login boolean. Disabled by default.
184
185       setsebool -P ssh_sysadm_login 1
186
187
188
189       If  you  want  to  support  NFS  home directories, you must turn on the
190       use_nfs_home_dirs boolean. Disabled by default.
191
192       setsebool -P use_nfs_home_dirs 1
193
194
195
196       If you want to support SAMBA home directories, you  must  turn  on  the
197       use_samba_home_dirs boolean. Disabled by default.
198
199       setsebool -P use_samba_home_dirs 1
200
201
202
203       If  you  want to allow the graphical login program to login directly as
204       sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.  Dis‐
205       abled by default.
206
207       setsebool -P xdm_sysadm_login 1
208
209
210

MANAGED FILES

212       The  SELinux  process type auditadm_t can manage files labeled with the
213       following file types.  The paths listed are the default paths for these
214       file types.  Note the processes UID still need to have DAC permissions.
215
216       auditd_etc_t
217
218            /etc/audit(/.*)?
219
220       auditd_log_t
221
222            /var/log/audit(/.*)?
223            /var/log/audit.log.*
224
225       screen_home_t
226
227            /root/.screen(/.*)?
228            /home/[^/]+/.screen(/.*)?
229            /home/[^/]+/.screenrc
230            /home/[^/]+/.tmux.conf
231
232

COMMANDS

234       semanage  fcontext  can also be used to manipulate default file context
235       mappings.
236
237       semanage permissive can also be used to manipulate  whether  or  not  a
238       process type is permissive.
239
240       semanage  module can also be used to enable/disable/install/remove pol‐
241       icy modules.
242
243       semanage boolean can also be used to manipulate the booleans
244
245
246       system-config-selinux is a GUI tool available to customize SELinux pol‐
247       icy settings.
248
249

AUTHOR

251       This manual page was auto-generated using sepolicy manpage .
252
253

NAME

DESCRIPTION

BOOLEANS

MANAGED FILES

COMMANDS

AUTHOR

SEE ALSO