lsassd_selinux(8)           SELinux Policy lsassd           lsassd_selinux(8)

NAME
       lsassd_selinux - Security Enhanced Linux Policy for the lsassd
       processes

DESCRIPTION
       Security-Enhanced Linux secures the lsassd processes via flexible
       mandatory access control.

       The lsassd processes execute with the lsassd_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep lsassd_t
22
24 The lsassd_t SELinux type can be entered via the lsassd_exec_t file
25 type.
26
27 The default entrypoint paths for the lsassd_t domain are the following:
28
29 /usr/sbin/lsassd, /opt/likewise/sbin/lsassd
30
32 SELinux defines process types (domains) for each process running on the
33 system
34
35 You can see the context of a process using the -Z option to ps
36
37 Policy governs the access confined processes have to files. SELinux
38 lsassd policy is very flexible allowing users to setup their lsassd
39 processes in as secure a method as possible.
40
41 The following process types are defined for lsassd:
42
43 lsassd_t
44
45 Note: semanage permissive -a lsassd_t can be used to make the process
46 type lsassd_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
50
52 SELinux policy is customizable based on least access required. lsassd
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run lsassd with the tightest access possible.
55
       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1
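       Because every boolean above is global, the practical check is not "is
       lsassd working" but "which of these has drifted away from the tightest
       setting the host can tolerate". The script below is an added example,
       not part of the lsassd policy or of sepolicy: it reads getsebool -a
       output (a constructed sample here), compares it with a baseline, and
       prints the setsebool commands that would restore it. The BASELINE
       values are this example's assumption, not a recommendation from the
       policy.

```shell
#!/bin/sh
# Added example (not part of the lsassd policy or of sepolicy): audit the
# booleans listed above against a least-privilege baseline and print the
# setsebool commands needed to get there. Input is "getsebool -a" output on
# stdin ("name --> on|off"). The BASELINE values are this example's
# assumption, chosen to keep the global daemon/domain booleans tight; adjust
# them to what your lsassd deployment actually needs.

# Constructed sample of getsebool -a output; not captured from a real host.
SAMPLE_BOOLS='daemons_dump_core --> off
daemons_enable_cluster_mode --> on
daemons_use_tcp_wrapper --> off
daemons_use_tty --> on
deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> on
fips_mode --> on
global_ssp --> off
kerberos_enabled --> on'

# Desired state, one "name on|off" pair per line (assumed baseline).
BASELINE='daemons_dump_core off
daemons_use_tcp_wrapper off
daemons_use_tty off
deny_ptrace on
domain_can_write_kmsg off
domain_kernel_load_modules off
kerberos_enabled on'

# audit_booleans
# Reads getsebool -a output on stdin. For each baseline entry prints a
# "setsebool -P name 0|1" line when the current value differs, or a comment
# when the boolean does not exist in the loaded policy. Returns 1 if there is
# any finding, 0 if the host already matches BASELINE.
audit_booleans() {
    current=$(cat)
    changes=$(printf '%s\n' "$BASELINE" | while read -r name want; do
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            echo "# $name: not defined in the loaded policy"
        elif [ "$have" != "$want" ]; then
            if [ "$want" = on ]; then v=1; else v=0; fi
            echo "setsebool -P $name $v"
        fi
    done)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# On a real host:  getsebool -a | audit_booleans
if printf '%s\n' "$SAMPLE_BOOLS" | audit_booleans; then
    echo "booleans already match the baseline"
fi
```

       The emitted commands use -P so the change survives a reboot; without it
       setsebool only alters the running policy.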

MANAGED FILES
       The SELinux process type lsassd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission on
       the files; SELinux adds a second, mandatory check and never replaces
       the first.

       Several of these types (etc_t, etc_runtime_t, root_t and user_home_t)
       cover far more than lsassd's own state, so a compromised lsassd_t
       process keeps policy-permitted write access to /etc, the root
       directory and users' home directories; the confinement this domain
       provides is correspondingly coarse.

       cluster_conf_t

              /etc/cluster(/.*)?

       cluster_var_lib_t

              /var/lib/pcsd(/.*)?
              /var/lib/cluster(/.*)?
              /var/lib/openais(/.*)?
              /var/lib/pengine(/.*)?
              /var/lib/corosync(/.*)?
              /usr/lib/heartbeat(/.*)?
              /var/lib/heartbeat(/.*)?
              /var/lib/pacemaker(/.*)?

       cluster_var_run_t

              /var/run/crm(/.*)?
              /var/run/cman_.*
              /var/run/rsctmp(/.*)?
              /var/run/aisexec.*
              /var/run/heartbeat(/.*)?
              /var/run/corosync-qnetd(/.*)?
              /var/run/corosync-qdevice(/.*)?
              /var/run/cpglockd.pid
              /var/run/corosync.pid
              /var/run/rgmanager.pid
              /var/run/cluster/rgmanager.sk

       etc_runtime_t

              /[^/]+
              /etc/mtab.*
              /etc/blkid(/.*)?
              /etc/nologin.*
              /etc/.fstab.hal..+
              /halt
              /fastboot
              /poweroff
              /etc/cmtab
              /forcefsck
              /.autofsck
              /.suspended
              /fsckoptions
              /var/.updated
              /etc/.updated
              /.autorelabel
              /etc/securetty
              /etc/nohotplug
              /etc/killpower
              /etc/ioctl.save
              /etc/fstab.REVOKE
              /etc/network/ifstate
              /etc/sysconfig/hwconf
              /etc/ptal/ptal-printd-like
              /etc/sysconfig/iptables.save
              /etc/xorg.conf.d/00-system-setup-keyboard.conf
              /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

       etc_t

              /etc/.*
              /usr/etc(/.*)?
              /var/ftp/etc(/.*)?
              /var/lib/openshift/.limits.d(/.*)?
              /var/lib/openshift/.openshift-proxy.d(/.*)?
              /var/lib/openshift/.stickshift-proxy.d(/.*)?
              /var/lib/stickshift/.limits.d(/.*)?
              /var/lib/stickshift/.stickshift-proxy.d(/.*)?
              /var/named/chroot/etc(/.*)?
              /etc/ipsec.d/examples(/.*)?
              /var/spool/postfix/etc(/.*)?
              /etc
              /etc/cups/client.conf

       krb5_keytab_t

              /etc/krb5.keytab
              /etc/krb5kdc/kadm5.keytab
              /var/kerberos/krb5kdc/kadm5.keytab

       likewise_etc_t

              /etc/likewise-open(/.*)?

       lsassd_tmp_t

              (no default path pattern)

       lsassd_var_lib_t

              /var/lib/likewise/krb5cc.*
              /var/lib/likewise-open/krb5cc.*
              /var/lib/likewise/krb5ccr_lsass..*
              /var/lib/likewise-open/krb5ccr_lsass..*
              /var/lib/likewise/db/lsass-adcache.filedb..*
              /var/lib/likewise-open/db/lsass-adcache.filedb..*
              /var/lib/likewise/lsasd.err
              /var/lib/likewise/db/sam.db
              /var/lib/likewise/krb5ccr_lsass
              /var/lib/likewise-open/lsasd.err
              /var/lib/likewise-open/db/sam.db
              /var/lib/likewise-open/krb5ccr_lsass
              /var/lib/likewise/db/lsass-adcache.db
              /var/lib/likewise/db/lsass-adstate.filedb
              /var/lib/likewise-open/db/lsass-adcache.db
              /var/lib/likewise-open/db/lsass-adstate.filedb

       lsassd_var_run_t

              /var/run/lsassd.pid

       root_t

              /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
              /
              /initrd

       security_t

              /selinux

       user_home_t

              /home/[^/]+/.+

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux lsassd policy is very flexible, allowing users to set up their
       lsassd processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for lsassd. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t lsassd_var_socket_t '/srv/mylsassd_content(/.*)?'
       restorecon -R -v /srv/mylsassd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for lsassd:

       lsassd_exec_t

       - Set files with the lsassd_exec_t type, if you want to transition an
       executable to the lsassd_t domain.

       Paths:
              /usr/sbin/lsassd, /opt/likewise/sbin/lsassd

       lsassd_tmp_t

       - Set files with the lsassd_tmp_t type, if you want to store lsassd
       temporary files in the /tmp directories.

       lsassd_var_lib_t

       - Set files with the lsassd_var_lib_t type, if you want to store the
       lsassd files under the /var/lib directory.

       Paths:
              /var/lib/likewise/krb5cc.*
              /var/lib/likewise-open/krb5cc.*
              /var/lib/likewise/krb5ccr_lsass..*
              /var/lib/likewise-open/krb5ccr_lsass..*
              /var/lib/likewise/db/lsass-adcache.filedb..*
              /var/lib/likewise-open/db/lsass-adcache.filedb..*
              /var/lib/likewise/lsasd.err
              /var/lib/likewise/db/sam.db
              /var/lib/likewise/krb5ccr_lsass
              /var/lib/likewise-open/lsasd.err
              /var/lib/likewise-open/db/sam.db
              /var/lib/likewise-open/krb5ccr_lsass
              /var/lib/likewise/db/lsass-adcache.db
              /var/lib/likewise/db/lsass-adstate.filedb
              /var/lib/likewise-open/db/lsass-adcache.db
              /var/lib/likewise-open/db/lsass-adstate.filedb

       lsassd_var_run_t

       - Set files with the lsassd_var_run_t type, if you want to store the
       lsassd files under the /run or /var/run directory.

       lsassd_var_socket_t

       - Set files with the lsassd_var_socket_t type, if you want to treat the
       files as lsassd var socket data.

       Paths:
              /var/lib/likewise/.ntlmd
              /var/lib/likewise/.lsassd
              /var/lib/likewise/rpc/lsass
              /var/lib/likewise-open/.ntlmd
              /var/lib/likewise-open/.lsassd
              /var/lib/likewise-open/rpc/lsass

       Note: File context can be temporarily modified with the chcon command;
       a label set that way is lost on the next relabel (restorecon or a
       full autorelabel). If you want to permanently change the file context
       you need to use the semanage fcontext command, which modifies the
       SELinux labeling database, and then run restorecon to apply the labels.
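       Whether a given file ends up as lsassd_var_lib_t, lsassd_var_socket_t or
       a generic type depends on which of the regexes above matches it and on
       the order in which libselinux consults them. The script below is an
       added example, not part of the lsassd policy, of sepolicy or of
       libselinux: it resolves a path against a constructed subset of the
       page's file contexts the way restorecon would (last matching entry
       wins), and shows what a "semanage fcontext -a" addition changes. The
       base-policy entries for default_t, var_lib_t and var_t, and the
       /srv/lsassd path, are assumptions.

```shell
#!/bin/sh
# Added example (not part of the lsassd policy, of sepolicy or of libselinux):
# resolve a path to the file type it will receive on restorecon, using the
# lsassd file-context regexes from this page, and generate the semanage and
# restorecon commands for relabeling a new location. The base-policy entries
# (default_t, var_lib_t, var_t) and the /srv/lsassd path are assumptions.

# Constructed file-context table, "regex type", ordered least to most
# specific. As in libselinux, the LAST matching entry wins, and rules added
# with "semanage fcontext -a" land in file_contexts.local, which is consulted
# after the distribution rules, so they override them. Note that "." in these
# regexes matches any character, exactly as in the policy's own entries.
FCONTEXTS='/.* default_t
/srv(/.*)? var_t
/var/lib(/.*)? var_lib_t
/var/lib/likewise/krb5cc.* lsassd_var_lib_t
/var/lib/likewise/krb5ccr_lsass..* lsassd_var_lib_t
/var/lib/likewise/db/sam.db lsassd_var_lib_t
/var/lib/likewise/db/lsass-adcache.filedb..* lsassd_var_lib_t
/var/lib/likewise/.lsassd lsassd_var_socket_t
/var/lib/likewise/rpc/lsass lsassd_var_socket_t
/var/run/lsassd.pid lsassd_var_run_t'

# label_for_path PATH
# Prints the type of the last entry whose regex matches the whole path,
# which is what restorecon and matchpathcon would apply.
label_for_path() {
    printf '%s\n' "$FCONTEXTS" | awk -v p="$1" '
        p ~ ("^" $1 "$") { t = $2 }
        END { print (t == "" ? "<unlabeled>" : t) }'
}

# fcontext_add REGEX TYPE
# Appends a local rule (the in-memory equivalent of "semanage fcontext -a")
# and prints the two commands an administrator runs to make it real on disk.
fcontext_add() {
    FCONTEXTS="$FCONTEXTS
$1 $2"
    echo "semanage fcontext -a -t $2 '$1'"
    # restorecon takes a directory, not a regex: drop the trailing (/.*)?
    echo "restorecon -R -v ${1%"(/.*)?"}"
}

for p in /var/lib/likewise/db/sam.db /var/lib/likewise/.lsassd \
         /var/lib/likewise/db/other.db /srv/lsassd/db/sam.db; do
    echo "$p -> $(label_for_path "$p")"
done
# Move lsassd's state directory to /srv/lsassd (assumed path):
fcontext_add '/srv/lsassd(/.*)?' lsassd_var_lib_t
echo "/srv/lsassd/db/sam.db -> $(label_for_path /srv/lsassd/db/sam.db)"
```

       The /var/lib/likewise/db/other.db case is the one to watch: a file
       lsassd creates that is not covered by any listed regex falls back to
       var_lib_t on relabel, and the daemon's later access to it is then
       judged against that type rather than lsassd_var_lib_t.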

COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

lsassd                          19-04-25                     lsassd_selinux(8)