sssd_selinux(8)               SELinux Policy sssd              sssd_selinux(8)



NAME

       sssd_selinux - Security Enhanced Linux Policy for the sssd processes


DESCRIPTION

       Security-Enhanced Linux secures the sssd processes via flexible
       mandatory access control.

       The sssd processes execute with the sssd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep sssd_t



ENTRYPOINTS

       The sssd_t SELinux type can be entered via the sssd_exec_t file type.

       The default entrypoint paths for the sssd_t domain are the following:

       /usr/sbin/sssd, /usr/libexec/sssd/sssd_kcm,
       /usr/libexec/sssd/sssd_secrets


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       sssd policy is very flexible, allowing users to set up their sssd
       processes in as secure a method as possible.

       The following process types are defined for sssd:

       sssd_t, sssd_selinux_manager_t

       Note: semanage permissive -a sssd_t can be used to make the process
       type sssd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. Because the domain is no longer confined while it is
       permissive, remove the entry again with semanage permissive -d sssd_t
       once the denials have been collected and reviewed.


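       As an added example (not part of the generated man page or of the sssd
       project), the script below summarises AVC records for one source domain
       so that the denials collected while sssd_t is permissive can be reviewed
       before the domain is confined again. It reads raw audit records, the
       format written to /var/log/audit/audit.log and printed by ausearch --raw,
       and groups them by source type, target type, object class and the
       permissions denied; the permissive=1 field marks records that were
       logged but not enforced. The records embedded in avc_sample_records are
       constructed for the example and are not real denials.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC records for one source domain.
# Input: raw audit records on stdin, for instance
#   ausearch -m AVC --raw -ts recent | avc_summary sssd_t
# Output: "<count> <src_t> -> <tgt_t>:<class> { perms } permissive=<0|1>",
# most frequent first.

avc_summary() {
    awk -v want="$1" '
    /avc: +denied/ {
        # the denied permissions are the words between the braces
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        sctx = ""; tctx = ""; cls = ""; perm = "0"
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level, so the type is field 3
            if ($i ~ /^scontext=/)   { split(substr($i, 10), a, ":"); sctx = a[3] }
            if ($i ~ /^tcontext=/)   { split(substr($i, 10), b, ":"); tctx = b[3] }
            if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
            if ($i ~ /^permissive=/) { perm = substr($i, 12) }
        }
        if (sctx != want) next
        key = sctx " -> " tctx ":" cls " { " perms " } permissive=" perm
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed audit records for the demo; not taken from a real system.
avc_sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1556000000.101:201): avc:  denied  { write } for  pid=1201 comm="sssd_be" name="sssd" dev="dm-0" ino=1001 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1556000000.102:202): avc:  denied  { write } for  pid=1201 comm="sssd_be" name="sssd" dev="dm-0" ino=1001 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1556000000.103:203): avc:  denied  { read } for  pid=1202 comm="sssd_nss" name="cache" dev="dm-0" ino=1002 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556000000.104:204): avc:  denied  { name_connect } for  pid=900 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1556000000.101:201): arch=c000003e syscall=257 success=yes exit=3
EOF
}

# Stand-alone demo: summarise the constructed records for sssd_t.
avc_sample_records | avc_summary sssd_t
```

       Records from other domains (httpd_t in the sample) and non-AVC records
       are dropped, so the output is the list of access vectors a policy
       change or boolean would have to cover for sssd_t.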

BOOLEANS

       SELinux policy is customizable based on least access required. sssd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sssd with the tightest access possible.

       Note that most of the booleans below are system-wide: the daemons_* and
       domain_* booleans change the access of every confined daemon or domain,
       not only sssd_t. The -P option writes the change to the policy store so
       it survives a reboot; omit it to try a change until the next boot.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is booted with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow Apache to communicate with the sssd service via
       dbus, you must turn on the httpd_dbus_sssd boolean. Disabled by
       default.

       setsebool -P httpd_dbus_sssd 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to support ecryptfs home directories, you must turn on the
       use_ecryptfs_home_dirs boolean. Disabled by default.

       setsebool -P use_ecryptfs_home_dirs 1

       If you want to support fusefs home directories, you must turn on the
       use_fusefs_home_dirs boolean. Disabled by default.

       setsebool -P use_fusefs_home_dirs 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

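       As an added example, not part of the generated man page or of the sssd
       project, the script below compares the live values of the booleans
       listed above against the defaults this page documents and reports every
       boolean that has drifted, marking whether the change widens or tightens
       access. It reads getsebool -a output on stdin, so it works against a
       saved capture as well as a live host. The excerpt in sssd_bool_sample is
       constructed for the demo.

```shell
#!/bin/sh
# Added example: report sssd-related SELinux booleans that differ from the
# defaults documented on this page, and whether the difference widens access.
# Usage: getsebool -a | sssd_bool_drift

# name=default pairs, copied from the boolean descriptions above.
SSSD_BOOL_DEFAULTS="
authlogin_nsswitch_use_ldap=off daemons_dump_core=off
daemons_enable_cluster_mode=on  daemons_use_tcp_wrapper=off
daemons_use_tty=off             deny_ptrace=on
domain_can_mmap_files=on        domain_can_write_kmsg=off
domain_fd_use=on                domain_kernel_load_modules=off
fips_mode=on                    global_ssp=off
httpd_dbus_sssd=off             kerberos_enabled=on
nis_enabled=off                 nscd_use_shm=off
use_ecryptfs_home_dirs=off      use_fusefs_home_dirs=off
use_nfs_home_dirs=off           use_samba_home_dirs=off
"

# Reads "name --> on|off" lines (getsebool -a format) on stdin and prints
# "name live=<v> default=<d> widened|tightened" for each boolean in the
# table whose live value differs from the documented default.
sssd_bool_drift() {
    awk -v defaults="$SSSD_BOOL_DEFAULTS" '
    BEGIN {
        n = split(defaults, items)          # default FS: any whitespace
        for (i = 1; i <= n; i++) {
            split(items[i], kv, "=")
            def[kv[1]] = kv[2]
        }
    }
    NF == 3 && $2 == "-->" && ($1 in def) {
        live = $3
        if (live == def[$1]) next
        # deny_ptrace restricts when on; every other boolean in the table
        # grants access when on, so "on" is the widening direction there.
        if ($1 == "deny_ptrace") {
            dir = (live == "off") ? "widened" : "tightened"
        } else {
            dir = (live == "on") ? "widened" : "tightened"
        }
        printf "%s live=%s default=%s %s\n", $1, live, def[$1], dir
    }'
}

# Number of booleans wider than the documented default (0 = nothing to review).
sssd_bool_widened_count() {
    sssd_bool_drift | grep -c ' widened$' || true
}

# Constructed getsebool -a excerpt for the demo; not captured from a real host.
sssd_bool_sample() {
    cat <<'EOF'
authlogin_nsswitch_use_ldap --> off
daemons_dump_core --> on
deny_ptrace --> off
domain_fd_use --> off
httpd_dbus_sssd --> on
unrelated_boolean --> on
EOF
}

# Stand-alone demo: report drift in the constructed excerpt.
sssd_bool_sample | sssd_bool_drift
```

       Booleans not listed on this page are ignored, so the report stays
       limited to the settings the sssd policy documents; a non-zero
       sssd_bool_widened_count is the signal to look at which of them were
       turned on and why.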

MANAGED FILES

       The SELinux process type sssd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.
       Manage covers create, read, write, rename and delete, so this list is
       also the set of files a compromised sssd_t process could alter.

       auth_cache_t

            /var/cache/coolkey(/.*)?

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_conf_t

            /etc/krb5.conf

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       krb5_keytab_t

            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

       samba_var_t

            /var/nmbd(/.*)?
            /var/lib/samba(/.*)?
            /var/cache/samba(/.*)?

       security_t

            /selinux

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       sssd_public_t

            /var/lib/sss/mc(/.*)?
            /var/lib/sss/pubconf(/.*)?

       sssd_var_lib_t

            /var/lib/sss(/.*)?

       sssd_var_log_t

            /var/log/sssd(/.*)?

       sssd_var_run_t

            /var/run/sssd.pid
            /var/run/secrets.socket
            /var/run/.heim_org.h5l.kcm-socket

       user_tmp_type

            all user tmp files


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux sssd policy is very flexible, allowing users to set up their
       sssd processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       sssd policy stores data with multiple different file context types
       under the /var/lib/sss directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/lib/sss /srv/sss
       restorecon -R -v /srv/sss

       The equivalence maps the whole subtree, so /srv/sss/mc and
       /srv/sss/pubconf receive sssd_public_t just as they would under
       /var/lib/sss.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for sssd; if you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t sssd_var_run_t '/srv/mysssd_content(/.*)?'
       restorecon -R -v /srv/mysssd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for sssd:

       sssd_conf_t

       - Set files with the sssd_conf_t type, if you want to treat the files
       as sssd configuration data, usually stored under the /etc directory.

       sssd_exec_t

       - Set files with the sssd_exec_t type, if you want to transition an
       executable to the sssd_t domain.

       Paths:
            /usr/sbin/sssd, /usr/libexec/sssd/sssd_kcm,
            /usr/libexec/sssd/sssd_secrets

       sssd_initrc_exec_t

       - Set files with the sssd_initrc_exec_t type, if you want to transition
       an executable to the sssd_initrc_t domain.

       sssd_public_t

       - Set files with the sssd_public_t type, if you want to treat the files
       as sssd public data.

       Paths:
            /var/lib/sss/mc(/.*)?, /var/lib/sss/pubconf(/.*)?

       sssd_selinux_manager_exec_t

       - Set files with the sssd_selinux_manager_exec_t type, if you want to
       transition an executable to the sssd_selinux_manager_t domain.

       sssd_unit_file_t

       - Set files with the sssd_unit_file_t type, if you want to treat the
       files as sssd unit content.

       sssd_var_lib_t

       - Set files with the sssd_var_lib_t type, if you want to store the sssd
       files under the /var/lib directory.

       sssd_var_log_t

       - Set files with the sssd_var_log_t type, if you want to treat the data
       as sssd var log data, usually stored under the /var/log directory.

       sssd_var_run_t

       - Set files with the sssd_var_run_t type, if you want to store the sssd
       files under the /run or /var/run directory.

       Paths:
            /var/run/sssd.pid, /var/run/secrets.socket,
            /var/run/.heim_org.h5l.kcm-socket

       Note: File context can be temporarily modified with the chcon command.
       A label set with chcon is overwritten the next time restorecon or a
       full relabel runs over the path, which is why it is only temporary. If
       you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

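       As an added example (not part of the generated man page or of the sssd
       project), the script below checks on-disk labels against the sssd file
       context entries listed above. sssd_expected_type resolves a path to its
       expected type the way file_contexts matching does, choosing the entry
       with the longest literal stem before the first regular-expression
       character, and sssd_label_audit reads "context path" lines, as printed
       by ls -Z or stat -c '%C %n', and reports files whose type differs. Only
       the paths this page lists are in the table, so other files are skipped;
       the listing in sssd_label_sample is constructed for the demo.

```shell
#!/bin/sh
# Added example: verify sssd file labels against the file context entries
# documented on this page. Usage:
#   ls -dZ /var/lib/sss /var/lib/sss/mc/* /var/log/sssd/* | sssd_label_audit

# "<regex> <type>" pairs taken from the Paths listed above.
SSSD_FILE_CONTEXTS='
/usr/sbin/sssd sssd_exec_t
/usr/libexec/sssd/sssd_kcm sssd_exec_t
/usr/libexec/sssd/sssd_secrets sssd_exec_t
/var/lib/sss(/.*)? sssd_var_lib_t
/var/lib/sss/mc(/.*)? sssd_public_t
/var/lib/sss/pubconf(/.*)? sssd_public_t
/var/log/sssd(/.*)? sssd_var_log_t
/var/run/sssd.pid sssd_var_run_t
/var/run/secrets.socket sssd_var_run_t
/var/run/.heim_org.h5l.kcm-socket sssd_var_run_t
'

# Print the expected type for a path, or nothing if no entry matches.
# As with setfiles/restorecon, the entry with the longest literal stem (the
# part before the first regex metacharacter) wins; a later entry wins a tie.
sssd_expected_type() {
    _path=$1; _best=""; _best_len=-1
    while read -r _re _type; do
        [ -n "$_re" ] || continue
        printf '%s\n' "$_path" | grep -Eq "^${_re}\$" || continue
        _stem=$(printf '%s\n' "$_re" | sed 's/[][(.*?].*//')
        if [ "${#_stem}" -ge "$_best_len" ]; then
            _best_len=${#_stem}; _best=$_type
        fi
    done <<EOF
$SSSD_FILE_CONTEXTS
EOF
    printf '%s\n' "$_best"
}

# Read "context path" lines on stdin; print "<path> has=<type> want=<type>"
# for every listed path whose on-disk type differs from the documented one.
# Paths containing spaces are not handled, which the sssd paths never do.
sssd_label_audit() {
    while read -r _ctx _path; do
        [ -n "$_path" ] || continue
        _want=$(sssd_expected_type "$_path")
        [ -n "$_want" ] || continue          # path not covered by the table
        _have=$(printf '%s\n' "$_ctx" | cut -d: -f3)
        [ "$_have" = "$_want" ] || printf '%s has=%s want=%s\n' "$_path" "$_have" "$_want"
    done
}

# Constructed "ls -Z"-style listing for the demo; not from a real host.
sssd_label_sample() {
    cat <<'EOF'
system_u:object_r:sssd_var_lib_t:s0 /var/lib/sss/db
system_u:object_r:sssd_var_lib_t:s0 /var/lib/sss/mc/passwd
unconfined_u:object_r:var_t:s0 /var/log/sssd/sssd.log
system_u:object_r:sssd_exec_t:s0 /usr/sbin/sssd
system_u:object_r:etc_t:s0 /etc/hosts
EOF
}

# Stand-alone demo: audit the constructed listing.
sssd_label_sample | sssd_label_audit
```

       The mislabeled memory-cache file in the sample is the case the
       equivalence and standard file context notes above are about: a file
       under /var/lib/sss carrying the parent's sssd_var_lib_t instead of
       sssd_public_t is exactly what restorecon -R -v corrects.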
432

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), sssd_selinux_manager_selinux(8)



sssd                               19-04-25                    sssd_selinux(8)