1auditd_selinux(8) SELinux Policy auditd auditd_selinux(8)
2
3
4
6 auditd_selinux - Security Enhanced Linux Policy for the auditd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the auditd processes via flexible
11 mandatory access control.
12
13 The auditd processes execute with the auditd_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep auditd_t
20
21
22
24 The auditd_t SELinux type can be entered via the auditd_exec_t file
25 type.
26
27 The default entrypoint paths for the auditd_t domain are the following:
28
29 /sbin/auditd, /usr/sbin/auditd
30
32 SELinux defines process types (domains) for each process running on the
33 system
34
35 You can see the context of a process using the -Z option to ps
36
37 Policy governs the access confined processes have to files. SELinux
38 auditd policy is very flexible allowing users to setup their auditd
39 processes in as secure a method as possible.
40
41 The following process types are defined for auditd:
42
43 auditd_t
44
45 Note: semanage permissive -a auditd_t can be used to make the process
46 type auditd_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
50
52 SELinux policy is customizable based on least access required. auditd
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run auditd with the tightest access possible.
55
56
57
58 If you want to allow users to resolve user passwd entries directly from
59 ldap rather then using a sssd server, you must turn on the authlo‐
60 gin_nsswitch_use_ldap boolean. Disabled by default.
61
62 setsebool -P authlogin_nsswitch_use_ldap 1
63
64
65
66 If you want to allow all domains to execute in fips_mode, you must turn
67 on the fips_mode boolean. Enabled by default.
68
69 setsebool -P fips_mode 1
70
71
72
73 If you want to allow confined applications to run with kerberos, you
74 must turn on the kerberos_enabled boolean. Enabled by default.
75
76 setsebool -P kerberos_enabled 1
77
78
79
80 If you want to allow system to run with NIS, you must turn on the
81 nis_enabled boolean. Disabled by default.
82
83 setsebool -P nis_enabled 1
84
85
86
87 If you want to allow confined applications to use nscd shared memory,
88 you must turn on the nscd_use_shm boolean. Enabled by default.
89
90 setsebool -P nscd_use_shm 1
91
92
93
95 SELinux defines port types to represent TCP and UDP ports.
96
97 You can see the types associated with a port by using the following
98 command:
99
100 semanage port -l
101
102
103 Policy governs the access confined processes have to these ports.
104 SELinux auditd policy is very flexible allowing users to setup their
105 auditd processes in as secure a method as possible.
106
107 The following port types are defined for auditd:
108
109
110 audit_port_t
111
112
113
114 Default Defined Ports:
115 tcp 60
116
118 The SELinux process type auditd_t can manage files labeled with the
119 following file types. The paths listed are the default paths for these
120 file types. Note the processes UID still need to have DAC permissions.
121
122 anon_inodefs_t
123
124
125 auditd_log_t
126
127 /var/log/audit(/.*)?
128 /var/log/audit.log.*
129
130 auditd_var_run_t
131
132 /var/run/auditd.pid
133 /var/run/auditd_sock
134 /var/run/audit_events
135
136 cluster_conf_t
137
138 /etc/cluster(/.*)?
139
140 cluster_var_lib_t
141
142 /var/lib/pcsd(/.*)?
143 /var/lib/cluster(/.*)?
144 /var/lib/openais(/.*)?
145 /var/lib/pengine(/.*)?
146 /var/lib/corosync(/.*)?
147 /usr/lib/heartbeat(/.*)?
148 /var/lib/heartbeat(/.*)?
149 /var/lib/pacemaker(/.*)?
150
151 cluster_var_run_t
152
153 /var/run/crm(/.*)?
154 /var/run/cman_.*
155 /var/run/rsctmp(/.*)?
156 /var/run/aisexec.*
157 /var/run/heartbeat(/.*)?
158 /var/run/corosync-qnetd(/.*)?
159 /var/run/corosync-qdevice(/.*)?
160 /var/run/corosync.pid
161 /var/run/cpglockd.pid
162 /var/run/rgmanager.pid
163 /var/run/cluster/rgmanager.sk
164
165 root_t
166
167 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
168 /
169 /initrd
170
171 systemd_passwd_var_run_t
172
173 /var/run/systemd/ask-password(/.*)?
174 /var/run/systemd/ask-password-block(/.*)?
175
176
178 SELinux requires files to have an extended attribute to define the file
179 type.
180
181 You can see the context of a file using the -Z option to ls
182
183 Policy governs the access confined processes have to these files.
184 SELinux auditd policy is very flexible allowing users to setup their
185 auditd processes in as secure a method as possible.
186
187 EQUIVALENCE DIRECTORIES
188
189
190 auditd policy stores data with multiple different file context types
191 under the /var/log/audit directory. If you would like to store the
192 data in a different directory you can use the semanage command to cre‐
193 ate an equivalence mapping. If you wanted to store this data under the
194 /srv dirctory you would execute the following command:
195
196 semanage fcontext -a -e /var/log/audit /srv/audit
197 restorecon -R -v /srv/audit
198
199 STANDARD FILE CONTEXT
200
201 SELinux defines the file context types for the auditd, if you wanted to
202 store files with these types in a diffent paths, you need to execute
203 the semanage command to sepecify alternate labeling and then use
204 restorecon to put the labels on disk.
205
206 semanage fcontext -a -t auditd_unit_file_t '/srv/myauditd_con‐
207 tent(/.*)?'
208 restorecon -R -v /srv/myauditd_content
209
210 Note: SELinux often uses regular expressions to specify labels that
211 match multiple files.
212
213 The following file types are defined for auditd:
214
215
216
217 auditd_etc_t
218
219 - Set files with the auditd_etc_t type, if you want to store auditd
220 files in the /etc directories.
221
222
223
224 auditd_exec_t
225
226 - Set files with the auditd_exec_t type, if you want to transition an
227 executable to the auditd_t domain.
228
229
230 Paths:
231 /sbin/auditd, /usr/sbin/auditd
232
233
234 auditd_initrc_exec_t
235
236 - Set files with the auditd_initrc_exec_t type, if you want to transi‐
237 tion an executable to the auditd_initrc_t domain.
238
239
240
241 auditd_log_t
242
243 - Set files with the auditd_log_t type, if you want to treat the data
244 as auditd log data, usually stored under the /var/log directory.
245
246
247 Paths:
248 /var/log/audit(/.*)?, /var/log/audit.log.*
249
250
251 auditd_unit_file_t
252
253 - Set files with the auditd_unit_file_t type, if you want to treat the
254 files as auditd unit content.
255
256
257
258 auditd_var_run_t
259
260 - Set files with the auditd_var_run_t type, if you want to store the
261 auditd files under the /run or /var/run directory.
262
263
264 Paths:
265 /var/run/auditd.pid, /var/run/auditd_sock, /var/run/audit_events
266
267
268 Note: File context can be temporarily modified with the chcon command.
269 If you want to permanently change the file context you need to use the
270 semanage fcontext command. This will modify the SELinux labeling data‐
271 base. You will need to use restorecon to apply the labels.
272
273
275 semanage fcontext can also be used to manipulate default file context
276 mappings.
277
278 semanage permissive can also be used to manipulate whether or not a
279 process type is permissive.
280
281 semanage module can also be used to enable/disable/install/remove pol‐
282 icy modules.
283
284 semanage port can also be used to manipulate the port definitions
285
286 semanage boolean can also be used to manipulate the booleans
287
288
289 system-config-selinux is a GUI tool available to customize SELinux pol‐
290 icy settings.
291
292
294 This manual page was auto-generated using sepolicy manpage .
295
296
298 selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1), sepol‐
299 icy(8), setsebool(8)
300
301
302
303auditd 19-10-08 auditd_selinux(8)