1portmap_selinux(8)          SELinux Policy portmap          portmap_selinux(8)
2
3
4

NAME

6       portmap_selinux  -  Security Enhanced Linux Policy for the portmap pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  portmap  processes  via  flexible
11       mandatory access control.
12
13       The  portmap processes execute with the portmap_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep portmap_t
20
21
22

ENTRYPOINTS

24       The  portmap_t  SELinux type can be entered via the portmap_exec_t file
25       type.
26
27       The default entrypoint paths for the portmap_t domain are  the  follow‐
28       ing:
29
30       /sbin/portmap, /usr/sbin/portmap
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       portmap  policy  is very flexible allowing users to setup their portmap
40       processes in as secure a method as possible.
41
42       The following process types are defined for portmap:
43
44       portmap_t, portmap_helper_t
45
46       Note: semanage permissive -a portmap_t can be used to make the  process
47       type  portmap_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  portmap
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run portmap with the tightest access possi‐
56       ble.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the kerberos_enabled boolean. Enabled by default.
77
78       setsebool -P kerberos_enabled 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       nis_enabled boolean. Disabled by default.
84
85       setsebool -P nis_enabled 1
86
87
88
89       If  you  want to allow confined applications to use nscd shared memory,
90       you must turn on the nscd_use_shm boolean. Enabled by default.
91
92       setsebool -P nscd_use_shm 1
93
94
95

PORT TYPES

97       SELinux defines port types to represent TCP and UDP ports.
98
99       You can see the types associated with a port  by  using  the  following
100       command:
101
102       semanage port -l
103
104
105       Policy  governs  the  access  confined  processes  have to these ports.
106       SELinux portmap policy is very flexible allowing users to  setup  their
107       portmap processes in as secure a method as possible.
108
109       The following port types are defined for portmap:
110
111
112       portmap_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 111
118                 udp 111
119

MANAGED FILES

121       The  SELinux  process  type portmap_t can manage files labeled with the
122       following file types.  The paths listed are the default paths for these
123       file types.  Note the processes UID still need to have DAC permissions.
124
125       cluster_conf_t
126
127            /etc/cluster(/.*)?
128
129       cluster_var_lib_t
130
131            /var/lib/pcsd(/.*)?
132            /var/lib/cluster(/.*)?
133            /var/lib/openais(/.*)?
134            /var/lib/pengine(/.*)?
135            /var/lib/corosync(/.*)?
136            /usr/lib/heartbeat(/.*)?
137            /var/lib/heartbeat(/.*)?
138            /var/lib/pacemaker(/.*)?
139
140       cluster_var_run_t
141
142            /var/run/crm(/.*)?
143            /var/run/cman_.*
144            /var/run/rsctmp(/.*)?
145            /var/run/aisexec.*
146            /var/run/heartbeat(/.*)?
147            /var/run/corosync-qnetd(/.*)?
148            /var/run/corosync-qdevice(/.*)?
149            /var/run/corosync.pid
150            /var/run/cpglockd.pid
151            /var/run/rgmanager.pid
152            /var/run/cluster/rgmanager.sk
153
154       portmap_tmp_t
155
156
157       portmap_var_run_t
158
159            /var/run/portmap_mapping
160            /var/run/portmap.upgrade-state
161
162       root_t
163
164            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
165            /
166            /initrd
167
168

FILE CONTEXTS

170       SELinux requires files to have an extended attribute to define the file
171       type.
172
173       You can see the context of a file using the -Z option to ls
174
175       Policy governs the access  confined  processes  have  to  these  files.
176       SELinux  portmap  policy is very flexible allowing users to setup their
177       portmap processes in as secure a method as possible.
178
179       STANDARD FILE CONTEXT
180
181       SELinux defines the file context types for the portmap, if  you  wanted
182       to store files with these types in a diffent paths, you need to execute
183       the semanage command  to  sepecify  alternate  labeling  and  then  use
184       restorecon to put the labels on disk.
185
186       semanage   fcontext   -a   -t   portmap_var_run_t  '/srv/myportmap_con‐
187       tent(/.*)?'
188       restorecon -R -v /srv/myportmap_content
189
190       Note: SELinux often uses regular expressions  to  specify  labels  that
191       match multiple files.
192
193       The following file types are defined for portmap:
194
195
196
197       portmap_exec_t
198
199       -  Set files with the portmap_exec_t type, if you want to transition an
200       executable to the portmap_t domain.
201
202
203       Paths:
204            /sbin/portmap, /usr/sbin/portmap
205
206
207       portmap_helper_exec_t
208
209       - Set files with the portmap_helper_exec_t type, if you want to transi‐
210       tion an executable to the portmap_helper_t domain.
211
212
213       Paths:
214            /sbin/pmap_set,        /sbin/pmap_dump,        /usr/sbin/pmap_set,
215            /usr/sbin/pmap_dump
216
217
218       portmap_initrc_exec_t
219
220       - Set files with the portmap_initrc_exec_t type, if you want to transi‐
221       tion an executable to the portmap_initrc_t domain.
222
223
224
225       portmap_tmp_t
226
227       -  Set  files with the portmap_tmp_t type, if you want to store portmap
228       temporary files in the /tmp directories.
229
230
231
232       portmap_var_run_t
233
234       - Set files with the portmap_var_run_t type, if you want to  store  the
235       portmap files under the /run or /var/run directory.
236
237
238       Paths:
239            /var/run/portmap_mapping, /var/run/portmap.upgrade-state
240
241
242       Note:  File context can be temporarily modified with the chcon command.
243       If you want to permanently change the file context you need to use  the
244       semanage fcontext command.  This will modify the SELinux labeling data‐
245       base.  You will need to use restorecon to apply the labels.
246
247

COMMANDS

249       semanage fcontext can also be used to manipulate default  file  context
250       mappings.
251
252       semanage  permissive  can  also  be used to manipulate whether or not a
253       process type is permissive.
254
255       semanage module can also be used to enable/disable/install/remove  pol‐
256       icy modules.
257
258       semanage port can also be used to manipulate the port definitions
259
260       semanage boolean can also be used to manipulate the booleans
261
262
263       system-config-selinux is a GUI tool available to customize SELinux pol‐
264       icy settings.
265
266

AUTHOR

268       This manual page was auto-generated using sepolicy manpage .
269
270

SEE ALSO

272       selinux(8), portmap(8), semanage(8),  restorecon(8),  chcon(1),  sepol‐
273       icy(8),             setsebool(8),            portmap_helper_selinux(8),
274       portmap_helper_selinux(8)
275
276
277
278portmap                            19-10-08                 portmap_selinux(8)
Impressum