1remote_login_selinux(8) SELinux Policy remote_login remote_login_selinux(8)
2
6 remote_login_selinux - Security Enhanced Linux Policy for the
7 remote_login processes
8
10 Security-Enhanced Linux secures the remote_login processes via flexible
11 mandatory access control.
12 The remote_login processes execute with the remote_login_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16 For example:
18 ps -eZ | grep remote_login_t
20
24 The remote_login_t SELinux type can be entered via the login_exec_t
25 file type.
26 The default entrypoint paths for the remote_login_t domain are the fol‐
28 lowing:
29 /bin/login, /usr/bin/login, /usr/kerberos/sbin/login.krb5
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 remote_login policy is very flexible allowing users to setup their
40 remote_login processes in as secure a method as possible.
41 The following process types are defined for remote_login:
43 remote_login_t
45 Note: semanage permissive -a remote_login_t can be used to make the
47 process type remote_login_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
53 SELinux policy is customizable based on least access required.
54 remote_login policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run remote_login with the tight‐
56 est access possible.
57 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63 setsebool -P authlogin_nsswitch_use_ldap 1
65 If you want to allow users to login using a radius server, you must
69 turn on the authlogin_radius boolean. Disabled by default.
70 setsebool -P authlogin_radius 1
72 If you want to allow users to login using a yubikey OTP server or chal‐
76 lenge response mode, you must turn on the authlogin_yubikey boolean.
77 Disabled by default.
78 setsebool -P authlogin_yubikey 1
80 If you want to deny any process from ptracing or debugging any other
84 processes, you must turn on the deny_ptrace boolean. Enabled by
85 default.
86 setsebool -P deny_ptrace 1
88 If you want to allow any process to mmap any file on system with
92 attribute file_type, you must turn on the domain_can_mmap_files bool‐
93 ean. Enabled by default.
94 setsebool -P domain_can_mmap_files 1
96 If you want to allow all domains write to kmsg_device, while kernel is
100 executed with systemd.log_target=kmsg parameter, you must turn on the
101 domain_can_write_kmsg boolean. Disabled by default.
102 setsebool -P domain_can_write_kmsg 1
104 If you want to allow all domains to use other domains file descriptors,
108 you must turn on the domain_fd_use boolean. Enabled by default.
109 setsebool -P domain_fd_use 1
111 If you want to allow all domains to have the kernel load modules, you
115 must turn on the domain_kernel_load_modules boolean. Disabled by
116 default.
117 setsebool -P domain_kernel_load_modules 1
119 If you want to allow all domains to execute in fips_mode, you must turn
123 on the fips_mode boolean. Enabled by default.
124 setsebool -P fips_mode 1
126 If you want to enable reading of urandom for all domains, you must turn
130 on the global_ssp boolean. Disabled by default.
131 setsebool -P global_ssp 1
133 If you want to allow confined applications to run with kerberos, you
137 must turn on the kerberos_enabled boolean. Enabled by default.
138 setsebool -P kerberos_enabled 1
140 If you want to allow system to run with NIS, you must turn on the
144 nis_enabled boolean. Disabled by default.
145 setsebool -P nis_enabled 1
147 If you want to allow confined applications to use nscd shared memory,
151 you must turn on the nscd_use_shm boolean. Disabled by default.
152 setsebool -P nscd_use_shm 1
154 If you want to enable polyinstantiated directory support, you must turn
158 on the polyinstantiation_enabled boolean. Disabled by default.
159 setsebool -P polyinstantiation_enabled 1
161 If you want to allow a user to login as an unconfined domain, you must
165 turn on the unconfined_login boolean. Enabled by default.
166 setsebool -P unconfined_login 1
168 If you want to support ecryptfs home directories, you must turn on the
172 use_ecryptfs_home_dirs boolean. Disabled by default.
173 setsebool -P use_ecryptfs_home_dirs 1
175 If you want to support fusefs home directories, you must turn on the
179 use_fusefs_home_dirs boolean. Disabled by default.
180 setsebool -P use_fusefs_home_dirs 1
182 If you want to support NFS home directories, you must turn on the
186 use_nfs_home_dirs boolean. Disabled by default.
187 setsebool -P use_nfs_home_dirs 1
189 If you want to support SAMBA home directories, you must turn on the
193 use_samba_home_dirs boolean. Disabled by default.
194 setsebool -P use_samba_home_dirs 1
196
200 The SELinux process type remote_login_t can manage files labeled with
201 the following file types. The paths listed are the default paths for
202 these file types. Note the processes UID still need to have DAC per‐
203 missions.
204 auth_cache_t
206 /var/cache/coolkey(/.*)?
208 auth_home_t
210 /root/.yubico(/.*)?
212 /root/.google_authenticator
213 /root/.google_authenticator~
214 /home/[^/]+/.yubico(/.*)?
215 /home/[^/]+/.google_authenticator
216 /home/[^/]+/.google_authenticator~
217 cgroup_t
219 /sys/fs/cgroup
221 faillog_t
223 /var/log/btmp.*
225 /var/log/faillog.*
226 /var/log/tallylog.*
227 /var/run/faillock(/.*)?
228 initrc_var_run_t
230 /var/run/utmp
232 /var/run/random-seed
233 /var/run/runlevel.dir
234 /var/run/setmixer_flag
235 krb5_host_rcache_t
237 /var/cache/krb5rcache(/.*)?
239 /var/tmp/nfs_0
240 /var/tmp/DNS_25
241 /var/tmp/host_0
242 /var/tmp/imap_0
243 /var/tmp/HTTP_23
244 /var/tmp/HTTP_48
245 /var/tmp/ldap_55
246 /var/tmp/ldap_487
247 /var/tmp/ldapmap1_0
248 lastlog_t
250 /var/log/lastlog.*
252 pam_var_console_t
254 /var/run/console(/.*)?
256 pam_var_run_t
258 /var/(db|adm)/sudo(/.*)?
260 /var/run/sudo(/.*)?
261 /var/lib/sudo(/.*)?
262 /var/run/sepermit(/.*)?
263 /var/run/pam_mount(/.*)?
264 security_t
266 /selinux
268 user_tmp_t
270 /dev/shm/mono.*
272 /var/run/user(/.*)?
273 /tmp/.X11-unix(/.*)?
274 /tmp/.ICE-unix(/.*)?
275 /dev/shm/pulse-shm.*
276 /tmp/.X0-lock
277 /tmp/hsperfdata_root
278 /var/tmp/hsperfdata_root
279 /home/[^/]+/tmp
280 /home/[^/]+/.tmp
281 /tmp/gconfd-[^/]+
282 var_auth_t
284 /var/ace(/.*)?
286 /var/rsa(/.*)?
287 /var/lib/abl(/.*)?
288 /var/lib/rsa(/.*)?
289 /var/lib/pam_ssh(/.*)?
290 /var/run/pam_ssh(/.*)?
291 /var/lib/pam_shield(/.*)?
292 /var/opt/quest/vas/vasd(/.*)?
293 /var/lib/google-authenticator(/.*)?
294 wtmp_t
296 /var/log/wtmp.*
298
301 semanage fcontext can also be used to manipulate default file context
302 mappings.
303 semanage permissive can also be used to manipulate whether or not a
305 process type is permissive.
306 semanage module can also be used to enable/disable/install/remove pol‐
308 icy modules.
309 semanage boolean can also be used to manipulate the booleans
311 system-config-selinux is a GUI tool available to customize SELinux pol‐
314 icy settings.
315
318 This manual page was auto-generated using sepolicy manpage .
319
322 selinux(8), remote_login(8), semanage(8), restorecon(8), chcon(1),
323 sepolicy(8) , setsebool(8)
324remote_login 19-04-25 remote_login_selinux(8)