cockpit_session_selinux(8)

1cockpit_session_selinux(8S)ELinux Policy cockpit_sessiocnockpit_session_selinux(8)
2
3
4

NAME

6       cockpit_session_selinux  - Security Enhanced Linux Policy for the cock‐
7       pit_session processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the cockpit_session processes via flex‐
11       ible mandatory access control.
12
13       The   cockpit_session  processes  execute  with  the  cockpit_session_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep cockpit_session_t
20
21
22

ENTRYPOINTS

24       The  cockpit_session_t SELinux type can be entered via the cockpit_ses‐
25       sion_exec_t file type.
26
27       The default entrypoint paths for the cockpit_session_t domain  are  the
28       following:
29
30       /usr/libexec/cockpit-ssh, /usr/libexec/cockpit-session
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       cockpit_session  policy  is very flexible allowing users to setup their
40       cockpit_session processes in as secure a method as possible.
41
42       The following process types are defined for cockpit_session:
43
44       cockpit_session_t
45
46       Note: semanage permissive -a cockpit_session_t can be used to make  the
47       process type cockpit_session_t permissive. SELinux does not deny access
48       to permissive process types, but the AVC (SELinux denials) messages are
49       still generated.
50
51

BOOLEANS

53       SELinux  policy  is customizable based on least access required.  cock‐
54       pit_session policy is extremely flexible and has several booleans  that
55       allow  you  to  manipulate  the policy and run cockpit_session with the
56       tightest access possible.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow users to login using a  radius  server,  you  must
69       turn on the authlogin_radius boolean. Disabled by default.
70
71       setsebool -P authlogin_radius 1
72
73
74
75       If you want to allow users to login using a yubikey OTP server or chal‐
76       lenge response mode, you must turn on  the  authlogin_yubikey  boolean.
77       Disabled by default.
78
79       setsebool -P authlogin_yubikey 1
80
81
82
83       If  you  want  to deny any process from ptracing or debugging any other
84       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
85       default.
86
87       setsebool -P deny_ptrace 1
88
89
90
91       If  you  want  to  allow  any  process  to mmap any file on system with
92       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
93       ean. Enabled by default.
94
95       setsebool -P domain_can_mmap_files 1
96
97
98
99       If  you want to allow all domains write to kmsg_device, while kernel is
100       executed with systemd.log_target=kmsg parameter, you must turn  on  the
101       domain_can_write_kmsg boolean. Disabled by default.
102
103       setsebool -P domain_can_write_kmsg 1
104
105
106
107       If you want to allow all domains to use other domains file descriptors,
108       you must turn on the domain_fd_use boolean. Enabled by default.
109
110       setsebool -P domain_fd_use 1
111
112
113
114       If you want to allow all domains to have the kernel load  modules,  you
115       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
116       default.
117
118       setsebool -P domain_kernel_load_modules 1
119
120
121
122       If you want to allow all domains to execute in fips_mode, you must turn
123       on the fips_mode boolean. Enabled by default.
124
125       setsebool -P fips_mode 1
126
127
128
129       If you want to enable reading of urandom for all domains, you must turn
130       on the global_ssp boolean. Disabled by default.
131
132       setsebool -P global_ssp 1
133
134
135
136       If you want to allow confined applications to run  with  kerberos,  you
137       must turn on the kerberos_enabled boolean. Enabled by default.
138
139       setsebool -P kerberos_enabled 1
140
141
142
143       If  you  want  to  allow  system  to run with NIS, you must turn on the
144       nis_enabled boolean. Disabled by default.
145
146       setsebool -P nis_enabled 1
147
148
149
150       If you want to allow confined applications to use nscd  shared  memory,
151       you must turn on the nscd_use_shm boolean. Disabled by default.
152
153       setsebool -P nscd_use_shm 1
154
155
156
157       If you want to enable polyinstantiated directory support, you must turn
158       on the polyinstantiation_enabled boolean. Disabled by default.
159
160       setsebool -P polyinstantiation_enabled 1
161
162
163

MANAGED FILES

165       The SELinux process type cockpit_session_t  can  manage  files  labeled
166       with  the following file types.  The paths listed are the default paths
167       for these file types.  Note the processes UID still need  to  have  DAC
168       permissions.
169
170       auth_cache_t
171
172            /var/cache/coolkey(/.*)?
173
174       auth_home_t
175
176            /root/.yubico(/.*)?
177            /root/.google_authenticator
178            /root/.google_authenticator~
179            /home/[^/]+/.yubico(/.*)?
180            /home/[^/]+/.google_authenticator
181            /home/[^/]+/.google_authenticator~
182
183       cgroup_t
184
185            /sys/fs/cgroup
186
187       cockpit_tmp_t
188
189
190       faillog_t
191
192            /var/log/btmp.*
193            /var/log/faillog.*
194            /var/log/tallylog.*
195            /var/run/faillock(/.*)?
196
197       initrc_var_run_t
198
199            /var/run/utmp
200            /var/run/random-seed
201            /var/run/runlevel.dir
202            /var/run/setmixer_flag
203
204       krb5_host_rcache_t
205
206            /var/cache/krb5rcache(/.*)?
207            /var/tmp/nfs_0
208            /var/tmp/DNS_25
209            /var/tmp/host_0
210            /var/tmp/imap_0
211            /var/tmp/HTTP_23
212            /var/tmp/HTTP_48
213            /var/tmp/ldap_55
214            /var/tmp/ldap_487
215            /var/tmp/ldapmap1_0
216
217       lastlog_t
218
219            /var/log/lastlog.*
220
221       pam_var_run_t
222
223            /var/(db|adm)/sudo(/.*)?
224            /var/run/sudo(/.*)?
225            /var/lib/sudo(/.*)?
226            /var/run/sepermit(/.*)?
227            /var/run/pam_mount(/.*)?
228
229       passwd_file_t
230
231            /etc/group[-+]?
232            /etc/passwd[-+]?
233            /etc/passwd.adjunct.*
234            /etc/ptmptmp
235            /etc/.pwd.lock
236            /etc/group.lock
237            /etc/passwd.OLD
238            /etc/passwd.lock
239
240       security_t
241
242            /selinux
243
244       shadow_t
245
246            /etc/shadow.*
247            /etc/gshadow.*
248            /etc/nshadow.*
249            /var/db/shadow.*
250            /etc/security/opasswd
251            /etc/security/opasswd.old
252
253       user_tmp_t
254
255            /dev/shm/mono.*
256            /var/run/user(/.*)?
257            /tmp/.X11-unix(/.*)?
258            /tmp/.ICE-unix(/.*)?
259            /dev/shm/pulse-shm.*
260            /tmp/.X0-lock
261            /tmp/hsperfdata_root
262            /var/tmp/hsperfdata_root
263            /home/[^/]+/tmp
264            /home/[^/]+/.tmp
265            /tmp/gconfd-[^/]+
266
267       var_auth_t
268
269            /var/ace(/.*)?
270            /var/rsa(/.*)?
271            /var/lib/abl(/.*)?
272            /var/lib/rsa(/.*)?
273            /var/lib/pam_ssh(/.*)?
274            /var/run/pam_ssh(/.*)?
275            /var/lib/pam_shield(/.*)?
276            /var/opt/quest/vas/vasd(/.*)?
277            /var/lib/google-authenticator(/.*)?
278
279       wtmp_t
280
281            /var/log/wtmp.*
282
283

FILE CONTEXTS

285       SELinux requires files to have an extended attribute to define the file
286       type.
287
288       You can see the context of a file using the -Z option to ls
289
290       Policy governs the access  confined  processes  have  to  these  files.
291       SELinux cockpit_session policy is very flexible allowing users to setup
292       their cockpit_session processes in as secure a method as possible.
293
294       The following file types are defined for cockpit_session:
295
296
297
298       cockpit_session_exec_t
299
300       - Set files with the cockpit_session_exec_t type, if you want to  tran‐
301       sition an executable to the cockpit_session_t domain.
302
303
304       Paths:
305            /usr/libexec/cockpit-ssh, /usr/libexec/cockpit-session
306
307
308       Note:  File context can be temporarily modified with the chcon command.
309       If you want to permanently change the file context you need to use  the
310       semanage fcontext command.  This will modify the SELinux labeling data‐
311       base.  You will need to use restorecon to apply the labels.
312
313

COMMANDS

315       semanage fcontext can also be used to manipulate default  file  context
316       mappings.
317
318       semanage  permissive  can  also  be used to manipulate whether or not a
319       process type is permissive.
320
321       semanage module can also be used to enable/disable/install/remove  pol‐
322       icy modules.
323
324       semanage boolean can also be used to manipulate the booleans
325
326
327       system-config-selinux is a GUI tool available to customize SELinux pol‐
328       icy settings.
329
330

AUTHOR

332       This manual page was auto-generated using sepolicy manpage .
333
334