1named_selinux(8) SELinux Policy named named_selinux(8)
2
6 named_selinux - Security Enhanced Linux Policy for the named processes
7
9 Security-Enhanced Linux secures the named processes via flexible manda‐
10 tory access control.
11 The named processes execute with the named_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep named_t
19
23 The named_t SELinux type can be entered via the named_checkconf_exec_t,
24 named_exec_t file types.
25 The default entrypoint paths for the named_t domain are the following:
27 /usr/sbin/named-checkconf, /usr/sbin/named, /usr/sbin/lwresd,
29 /usr/sbin/unbound, /usr/sbin/named-sdb, /usr/sbin/named-pkcs11,
30 /usr/sbin/unbound-anchor, /usr/sbin/unbound-control, /usr/sbin/unbound-
31 checkconf
32
34 SELinux defines process types (domains) for each process running on the
35 system
36 You can see the context of a process using the -Z option to ps
38 Policy governs the access confined processes have to files. SELinux
40 named policy is very flexible allowing users to setup their named pro‐
41 cesses in as secure a method as possible.
42 The following process types are defined for named:
44 named_t
46 Note: semanage permissive -a named_t can be used to make the process
48 type named_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
54 SELinux policy is customizable based on least access required. named
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run named with the tightest access possible.
57 If you want to determine whether Bind can bind tcp socket to http
61 ports, you must turn on the named_tcp_bind_http_port boolean. Disabled
62 by default.
63 setsebool -P named_tcp_bind_http_port 1
65 If you want to determine whether Bind can write to master zone files.
69 Generally this is used for dynamic DNS or zone transfers, you must turn
70 on the named_write_master_zones boolean. Disabled by default.
71 setsebool -P named_write_master_zones 1
73 If you want to allow users to resolve user passwd entries directly from
77 ldap rather then using a sssd server, you must turn on the authlo‐
78 gin_nsswitch_use_ldap boolean. Disabled by default.
79 setsebool -P authlogin_nsswitch_use_ldap 1
81 If you want to allow all daemons to write corefiles to /, you must turn
85 on the daemons_dump_core boolean. Disabled by default.
86 setsebool -P daemons_dump_core 1
88 If you want to enable cluster mode for daemons, you must turn on the
92 daemons_enable_cluster_mode boolean. Enabled by default.
93 setsebool -P daemons_enable_cluster_mode 1
95 If you want to allow all daemons to use tcp wrappers, you must turn on
99 the daemons_use_tcp_wrapper boolean. Disabled by default.
100 setsebool -P daemons_use_tcp_wrapper 1
102 If you want to allow all daemons the ability to read/write terminals,
106 you must turn on the daemons_use_tty boolean. Disabled by default.
107 setsebool -P daemons_use_tty 1
109 If you want to deny any process from ptracing or debugging any other
113 processes, you must turn on the deny_ptrace boolean. Enabled by
114 default.
115 setsebool -P deny_ptrace 1
117 If you want to allow any process to mmap any file on system with
121 attribute file_type, you must turn on the domain_can_mmap_files bool‐
122 ean. Enabled by default.
123 setsebool -P domain_can_mmap_files 1
125 If you want to allow all domains write to kmsg_device, while kernel is
129 executed with systemd.log_target=kmsg parameter, you must turn on the
130 domain_can_write_kmsg boolean. Disabled by default.
131 setsebool -P domain_can_write_kmsg 1
133 If you want to allow all domains to use other domains file descriptors,
137 you must turn on the domain_fd_use boolean. Enabled by default.
138 setsebool -P domain_fd_use 1
140 If you want to allow all domains to have the kernel load modules, you
144 must turn on the domain_kernel_load_modules boolean. Disabled by
145 default.
146 setsebool -P domain_kernel_load_modules 1
148 If you want to allow all domains to execute in fips_mode, you must turn
152 on the fips_mode boolean. Enabled by default.
153 setsebool -P fips_mode 1
155 If you want to enable reading of urandom for all domains, you must turn
159 on the global_ssp boolean. Disabled by default.
160 setsebool -P global_ssp 1
162 If you want to allow confined applications to run with kerberos, you
166 must turn on the kerberos_enabled boolean. Enabled by default.
167 setsebool -P kerberos_enabled 1
169 If you want to allow system to run with NIS, you must turn on the
173 nis_enabled boolean. Disabled by default.
174 setsebool -P nis_enabled 1
176 If you want to allow confined applications to use nscd shared memory,
180 you must turn on the nscd_use_shm boolean. Disabled by default.
181 setsebool -P nscd_use_shm 1
183
187 The SELinux process type named_t can manage files labeled with the fol‐
188 lowing file types. The paths listed are the default paths for these
189 file types. Note the processes UID still need to have DAC permissions.
190 cluster_conf_t
192 /etc/cluster(/.*)?
194 cluster_var_lib_t
196 /var/lib/pcsd(/.*)?
198 /var/lib/cluster(/.*)?
199 /var/lib/openais(/.*)?
200 /var/lib/pengine(/.*)?
201 /var/lib/corosync(/.*)?
202 /usr/lib/heartbeat(/.*)?
203 /var/lib/heartbeat(/.*)?
204 /var/lib/pacemaker(/.*)?
205 cluster_var_run_t
207 /var/run/crm(/.*)?
209 /var/run/cman_.*
210 /var/run/rsctmp(/.*)?
211 /var/run/aisexec.*
212 /var/run/heartbeat(/.*)?
213 /var/run/corosync-qnetd(/.*)?
214 /var/run/corosync-qdevice(/.*)?
215 /var/run/cpglockd.pid
216 /var/run/corosync.pid
217 /var/run/rgmanager.pid
218 /var/run/cluster/rgmanager.sk
219 dnssec_trigger_var_run_t
221 /var/run/dnssec.*
223 ipa_var_lib_t
225 /var/lib/ipa(/.*)?
227 krb5_host_rcache_t
229 /var/cache/krb5rcache(/.*)?
231 /var/tmp/nfs_0
232 /var/tmp/DNS_25
233 /var/tmp/host_0
234 /var/tmp/imap_0
235 /var/tmp/HTTP_23
236 /var/tmp/HTTP_48
237 /var/tmp/ldap_55
238 /var/tmp/ldap_487
239 /var/tmp/ldapmap1_0
240 krb5_keytab_t
242 /etc/krb5.keytab
244 /etc/krb5kdc/kadm5.keytab
245 /var/kerberos/krb5kdc/kadm5.keytab
246 named_cache_t
248 /var/named/data(/.*)?
250 /var/lib/softhsm(/.*)?
251 /var/lib/unbound(/.*)?
252 /var/named/slaves(/.*)?
253 /var/named/dynamic(/.*)?
254 /var/named/chroot/var/tmp(/.*)?
255 /var/named/chroot/var/named/data(/.*)?
256 /var/named/chroot/var/named/slaves(/.*)?
257 /var/named/chroot/var/named/dynamic(/.*)?
258 named_log_t
260 /var/log/named.*
262 /var/named/chroot/var/log/named.*
263 named_tmp_t
265 named_var_run_t
268 /var/run/bind(/.*)?
270 /var/run/named(/.*)?
271 /var/run/unbound(/.*)?
272 /var/named/chroot/run/named.*
273 /var/named/chroot/var/run/named.*
274 /var/run/ndc
275 named_zone_t
277 /var/named(/.*)?
279 /var/named/chroot/var/named(/.*)?
280 root_t
282 /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
284 /
285 /initrd
286
289 SELinux requires files to have an extended attribute to define the file
290 type.
291 You can see the context of a file using the -Z option to ls
293 Policy governs the access confined processes have to these files.
295 SELinux named policy is very flexible allowing users to setup their
296 named processes in as secure a method as possible.
297 EQUIVALENCE DIRECTORIES
299 named policy stores data with multiple different file context types
302 under the /var/named directory. If you would like to store the data in
303 a different directory you can use the semanage command to create an
304 equivalence mapping. If you wanted to store this data under the /srv
305 dirctory you would execute the following command:
306 semanage fcontext -a -e /var/named /srv/named
308 restorecon -R -v /srv/named
309 STANDARD FILE CONTEXT
311 SELinux defines the file context types for the named, if you wanted to
313 store files with these types in a diffent paths, you need to execute
314 the semanage command to sepecify alternate labeling and then use
315 restorecon to put the labels on disk.
316 semanage fcontext -a -t named_zone_t '/srv/mynamed_content(/.*)?'
318 restorecon -R -v /srv/mynamed_content
319 Note: SELinux often uses regular expressions to specify labels that
321 match multiple files.
322 The following file types are defined for named:
324 named_cache_t
328 - Set files with the named_cache_t type, if you want to store the files
330 under the /var/cache directory.
331 Paths:
334 /var/named/data(/.*)?, /var/lib/softhsm(/.*)?,
335 /var/lib/unbound(/.*)?, /var/named/slaves(/.*)?,
336 /var/named/dynamic(/.*)?, /var/named/chroot/var/tmp(/.*)?,
337 /var/named/chroot/var/named/data(/.*)?,
338 /var/named/chroot/var/named/slaves(/.*)?,
339 /var/named/chroot/var/named/dynamic(/.*)?
340 named_checkconf_exec_t
343 - Set files with the named_checkconf_exec_t type, if you want to tran‐
345 sition an executable to the named_checkconf_t domain.
346 named_conf_t
350 - Set files with the named_conf_t type, if you want to treat the files
352 as named configuration data, usually stored under the /etc directory.
353 Paths:
356 /etc/rndc.*, /etc/unbound(/.*)?, /var/named/chroot(/.*)?,
357 /etc/named.rfc1912.zones,
358 /var/named/chroot/etc/named.rfc1912.zones, /etc/named.conf,
359 /var/named/named.ca, /etc/named.root.hints,
360 /var/named/chroot/etc/named.conf, /etc/named.caching-name‐
361 server.conf, /var/named/chroot/var/named/named.ca,
362 /var/named/chroot/etc/named.root.hints,
363 /var/named/chroot/etc/named.caching-nameserver.conf
364 named_exec_t
367 - Set files with the named_exec_t type, if you want to transition an
369 executable to the named_t domain.
370 Paths:
373 /usr/sbin/named, /usr/sbin/lwresd, /usr/sbin/unbound,
374 /usr/sbin/named-sdb, /usr/sbin/named-pkcs11, /usr/sbin/unbound-
375 anchor, /usr/sbin/unbound-control, /usr/sbin/unbound-checkconf
376 named_initrc_exec_t
379 - Set files with the named_initrc_exec_t type, if you want to transi‐
381 tion an executable to the named_initrc_t domain.
382 Paths:
385 /etc/rc.d/init.d/named, /etc/rc.d/init.d/unbound,
386 /etc/rc.d/init.d/named-sdb
387 named_keytab_t
390 - Set files with the named_keytab_t type, if you want to treat the
392 files as kerberos keytab files.
393 named_log_t
397 - Set files with the named_log_t type, if you want to treat the data as
399 named log data, usually stored under the /var/log directory.
400 Paths:
403 /var/log/named.*, /var/named/chroot/var/log/named.*
404 named_tmp_t
407 - Set files with the named_tmp_t type, if you want to store named tem‐
409 porary files in the /tmp directories.
410 named_unit_file_t
414 - Set files with the named_unit_file_t type, if you want to treat the
416 files as named unit content.
417 Paths:
420 /usr/lib/systemd/system/named.*, /usr/lib/systemd/sys‐
421 tem/unbound.*, /usr/lib/systemd/system/named-sdb.*
422 named_var_run_t
425 - Set files with the named_var_run_t type, if you want to store the
427 named files under the /run or /var/run directory.
428 Paths:
431 /var/run/bind(/.*)?, /var/run/named(/.*)?, /var/run/unbound(/.*)?,
432 /var/named/chroot/run/named.*, /var/named/chroot/var/run/named.*,
433 /var/run/ndc
434 named_zone_t
437 - Set files with the named_zone_t type, if you want to treat the files
439 as named zone data.
440 Paths:
443 /var/named(/.*)?, /var/named/chroot/var/named(/.*)?
444 Note: File context can be temporarily modified with the chcon command.
447 If you want to permanently change the file context you need to use the
448 semanage fcontext command. This will modify the SELinux labeling data‐
449 base. You will need to use restorecon to apply the labels.
450
453 semanage fcontext can also be used to manipulate default file context
454 mappings.
455 semanage permissive can also be used to manipulate whether or not a
457 process type is permissive.
458 semanage module can also be used to enable/disable/install/remove pol‐
460 icy modules.
461 semanage boolean can also be used to manipulate the booleans
463 system-config-selinux is a GUI tool available to customize SELinux pol‐
466 icy settings.
467
470 This manual page was auto-generated using sepolicy manpage .
471
474 selinux(8), named(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
475 , setsebool(8)
476named 19-04-25 named_selinux(8)