1local_login_selinux(8) SELinux Policy local_login local_login_selinux(8)
2
3
4
6 local_login_selinux - Security Enhanced Linux Policy for the
7 local_login processes
8
10 Security-Enhanced Linux secures the local_login processes via flexible
11 mandatory access control.
12
13 The local_login processes execute with the local_login_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep local_login_t
20
21
22
24 The local_login_t SELinux type can be entered via the login_exec_t file
25 type.
26
27 The default entrypoint paths for the local_login_t domain are the fol‐
28 lowing:
29
30 /bin/login, /usr/bin/login, /usr/kerberos/sbin/login.krb5
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 local_login policy is very flexible allowing users to setup their
40 local_login processes in as secure a method as possible.
41
42 The following process types are defined for local_login:
43
44 local_login_t
45
46 Note: semanage permissive -a local_login_t can be used to make the
47 process type local_login_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required.
54 local_login policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run local_login with the tight‐
56 est access possible.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow users to login using a radius server, you must
69 turn on the authlogin_radius boolean. Disabled by default.
70
71 setsebool -P authlogin_radius 1
72
73
74
75 If you want to allow users to login using a yubikey OTP server or chal‐
76 lenge response mode, you must turn on the authlogin_yubikey boolean.
77 Disabled by default.
78
79 setsebool -P authlogin_yubikey 1
80
81
82
83 If you want to deny any process from ptracing or debugging any other
84 processes, you must turn on the deny_ptrace boolean. Enabled by
85 default.
86
87 setsebool -P deny_ptrace 1
88
89
90
91 If you want to allow any process to mmap any file on system with
92 attribute file_type, you must turn on the domain_can_mmap_files bool‐
93 ean. Enabled by default.
94
95 setsebool -P domain_can_mmap_files 1
96
97
98
99 If you want to allow all domains write to kmsg_device, while kernel is
100 executed with systemd.log_target=kmsg parameter, you must turn on the
101 domain_can_write_kmsg boolean. Disabled by default.
102
103 setsebool -P domain_can_write_kmsg 1
104
105
106
107 If you want to allow all domains to use other domains file descriptors,
108 you must turn on the domain_fd_use boolean. Enabled by default.
109
110 setsebool -P domain_fd_use 1
111
112
113
114 If you want to allow all domains to have the kernel load modules, you
115 must turn on the domain_kernel_load_modules boolean. Disabled by
116 default.
117
118 setsebool -P domain_kernel_load_modules 1
119
120
121
122 If you want to allow all domains to execute in fips_mode, you must turn
123 on the fips_mode boolean. Enabled by default.
124
125 setsebool -P fips_mode 1
126
127
128
129 If you want to enable reading of urandom for all domains, you must turn
130 on the global_ssp boolean. Disabled by default.
131
132 setsebool -P global_ssp 1
133
134
135
136 If you want to allow confined applications to run with kerberos, you
137 must turn on the kerberos_enabled boolean. Enabled by default.
138
139 setsebool -P kerberos_enabled 1
140
141
142
143 If you want to allow logging in and using the system from /dev/console,
144 you must turn on the login_console_enabled boolean. Enabled by default.
145
146 setsebool -P login_console_enabled 1
147
148
149
150 If you want to allow system to run with NIS, you must turn on the
151 nis_enabled boolean. Disabled by default.
152
153 setsebool -P nis_enabled 1
154
155
156
157 If you want to allow confined applications to use nscd shared memory,
158 you must turn on the nscd_use_shm boolean. Disabled by default.
159
160 setsebool -P nscd_use_shm 1
161
162
163
164 If you want to enable polyinstantiated directory support, you must turn
165 on the polyinstantiation_enabled boolean. Disabled by default.
166
167 setsebool -P polyinstantiation_enabled 1
168
169
170
171 If you want to allow a user to login as an unconfined domain, you must
172 turn on the unconfined_login boolean. Enabled by default.
173
174 setsebool -P unconfined_login 1
175
176
177
178 If you want to support ecryptfs home directories, you must turn on the
179 use_ecryptfs_home_dirs boolean. Disabled by default.
180
181 setsebool -P use_ecryptfs_home_dirs 1
182
183
184
185 If you want to support fusefs home directories, you must turn on the
186 use_fusefs_home_dirs boolean. Disabled by default.
187
188 setsebool -P use_fusefs_home_dirs 1
189
190
191
192 If you want to support NFS home directories, you must turn on the
193 use_nfs_home_dirs boolean. Disabled by default.
194
195 setsebool -P use_nfs_home_dirs 1
196
197
198
199 If you want to support SAMBA home directories, you must turn on the
200 use_samba_home_dirs boolean. Disabled by default.
201
202 setsebool -P use_samba_home_dirs 1
203
204
205
207 The SELinux process type local_login_t can manage files labeled with
208 the following file types. The paths listed are the default paths for
209 these file types. Note the processes UID still need to have DAC per‐
210 missions.
211
212 auth_cache_t
213
214 /var/cache/coolkey(/.*)?
215
216 auth_home_t
217
218 /root/.yubico(/.*)?
219 /root/.google_authenticator
220 /root/.google_authenticator~
221 /home/[^/]+/.yubico(/.*)?
222 /home/[^/]+/.google_authenticator
223 /home/[^/]+/.google_authenticator~
224
225 cgroup_t
226
227 /sys/fs/cgroup
228
229 faillog_t
230
231 /var/log/btmp.*
232 /var/log/faillog.*
233 /var/log/tallylog.*
234 /var/run/faillock(/.*)?
235
236 initrc_var_run_t
237
238 /var/run/utmp
239 /var/run/random-seed
240 /var/run/runlevel.dir
241 /var/run/setmixer_flag
242
243 krb5_host_rcache_t
244
245 /var/cache/krb5rcache(/.*)?
246 /var/tmp/nfs_0
247 /var/tmp/DNS_25
248 /var/tmp/host_0
249 /var/tmp/imap_0
250 /var/tmp/HTTP_23
251 /var/tmp/HTTP_48
252 /var/tmp/ldap_55
253 /var/tmp/ldap_487
254 /var/tmp/ldapmap1_0
255
256 lastlog_t
257
258 /var/log/lastlog.*
259
260 local_login_lock_t
261
262
263 pam_var_console_t
264
265 /var/run/console(/.*)?
266
267 pam_var_run_t
268
269 /var/(db|adm)/sudo(/.*)?
270 /var/run/sudo(/.*)?
271 /var/lib/sudo(/.*)?
272 /var/run/sepermit(/.*)?
273 /var/run/pam_mount(/.*)?
274
275 security_t
276
277 /selinux
278
279 user_tmp_t
280
281 /dev/shm/mono.*
282 /var/run/user(/.*)?
283 /tmp/.X11-unix(/.*)?
284 /tmp/.ICE-unix(/.*)?
285 /dev/shm/pulse-shm.*
286 /tmp/.X0-lock
287 /tmp/hsperfdata_root
288 /var/tmp/hsperfdata_root
289 /home/[^/]+/tmp
290 /home/[^/]+/.tmp
291 /tmp/gconfd-[^/]+
292
293 var_auth_t
294
295 /var/ace(/.*)?
296 /var/rsa(/.*)?
297 /var/lib/abl(/.*)?
298 /var/lib/rsa(/.*)?
299 /var/lib/pam_ssh(/.*)?
300 /var/run/pam_ssh(/.*)?
301 /var/lib/pam_shield(/.*)?
302 /var/opt/quest/vas/vasd(/.*)?
303 /var/lib/google-authenticator(/.*)?
304
305 wtmp_t
306
307 /var/log/wtmp.*
308
309
311 SELinux requires files to have an extended attribute to define the file
312 type.
313
314 You can see the context of a file using the -Z option to ls
315
316 Policy governs the access confined processes have to these files.
317 SELinux local_login policy is very flexible allowing users to setup
318 their local_login processes in as secure a method as possible.
319
320 STANDARD FILE CONTEXT
321
322 SELinux defines the file context types for the local_login, if you
323 wanted to store files with these types in a diffent paths, you need to
324 execute the semanage command to sepecify alternate labeling and then
325 use restorecon to put the labels on disk.
326
327 semanage fcontext -a -t local_login_lock_t '/srv/mylocal_login_con‐
328 tent(/.*)?'
329 restorecon -R -v /srv/mylocal_login_content
330
331 Note: SELinux often uses regular expressions to specify labels that
332 match multiple files.
333
334 The following file types are defined for local_login:
335
336
337
338 local_login_home_t
339
340 - Set files with the local_login_home_t type, if you want to store
341 local login files in the users home directory.
342
343
344 Paths:
345 /root/.hushlogin, /home/[^/]+/.hushlogin
346
347
348 local_login_lock_t
349
350 - Set files with the local_login_lock_t type, if you want to treat the
351 files as local login lock data, stored under the /var/lock directory
352
353
354
355 Note: File context can be temporarily modified with the chcon command.
356 If you want to permanently change the file context you need to use the
357 semanage fcontext command. This will modify the SELinux labeling data‐
358 base. You will need to use restorecon to apply the labels.
359
360
362 semanage fcontext can also be used to manipulate default file context
363 mappings.
364
365 semanage permissive can also be used to manipulate whether or not a
366 process type is permissive.
367
368 semanage module can also be used to enable/disable/install/remove pol‐
369 icy modules.
370
371 semanage boolean can also be used to manipulate the booleans
372
373
374 system-config-selinux is a GUI tool available to customize SELinux pol‐
375 icy settings.
376
377
379 This manual page was auto-generated using sepolicy manpage .
380
381
383 selinux(8), local_login(8), semanage(8), restorecon(8), chcon(1),
384 sepolicy(8) , setsebool(8)
385
386
387
388local_login 19-04-25 local_login_selinux(8)