radiusd_selinux(8)          SELinux Policy radiusd          radiusd_selinux(8)



NAME

       radiusd_selinux - Security Enhanced Linux Policy for the radiusd processes


DESCRIPTION

       Security-Enhanced Linux secures the radiusd processes via flexible
       mandatory access control.

       The radiusd processes execute with the radiusd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep radiusd_t


ENTRYPOINTS

       The radiusd_t SELinux type can be entered via the radiusd_exec_t file
       type.

       The default entrypoint paths for the radiusd_t domain are the
       following:

       /etc/cron.(daily|monthly)/radiusd,
       /etc/cron.((daily)|(weekly)|(monthly))/freeradius, /usr/sbin/radiusd,
       /usr/sbin/freeradius


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       radiusd policy is very flexible, allowing users to set up their radiusd
       processes in as secure a method as possible.

       The following process types are defined for radiusd:

       radiusd_t

       Note: semanage permissive -a radiusd_t can be used to make the process
       type radiusd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. radiusd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run radiusd with the tightest access possible.

       If you want to determine whether radius can use a JIT compiler, you must
       turn on the radius_use_jit boolean. Disabled by default.

       setsebool -P radius_use_jit 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux radiusd policy is very flexible, allowing users to set up their
       radiusd processes in as secure a method as possible.

       The following port types are defined for radiusd:

       radius_port_t

       Default Defined Ports:
                 tcp 1645,1812,18120-18121
                 udp 1645,1812,18120-18121

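       The boolean defaults in the BOOLEANS section and the radius_port_t port
       list above can be audited for drift with the shell functions below. This
       is an added example, not part of this sepolicy-generated page; the
       getsebool -a and semanage port -l outputs it parses are constructed
       samples, and the live commands are only run when no sample is passed in.

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated page: audit the booleans and
# the radius_port_t ports documented above. The sample outputs are constructed.
# Documented defaults of the booleans in the BOOLEANS section.
EXPECTED_BOOLS='radius_use_jit off
authlogin_nsswitch_use_ldap off
deny_ptrace on
fips_mode on
kerberos_enabled on
nis_enabled off
nscd_use_shm on'

# Constructed `getsebool -a` sample: deny_ptrace and nis_enabled were flipped.
SAMPLE_BOOLS='authlogin_nsswitch_use_ldap --> off
deny_ptrace --> off
fips_mode --> on
kerberos_enabled --> on
nis_enabled --> on
nscd_use_shm --> on
radius_use_jit --> off'

# Constructed `semanage port -l` sample; the radius_port_t rows match the page.
SAMPLE_PORTS='SELinux Port Type    Proto  Port Number
radius_port_t        tcp    1645, 1812, 18120-18121
radius_port_t        udp    1645, 1812, 18120-18121
ssh_port_t           tcp    22'

# boolean_drift [GETSEBOOL_OUTPUT]: print "name current expected" for each
# boolean that differs from its documented default; exit 1 if any differ.
boolean_drift() {
    current="${1:-$(getsebool -a)}"
    printf '%s\n' "$EXPECTED_BOOLS" | while read -r name expected; do
        actual=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        [ "$actual" = "$expected" ] || echo "$name ${actual:-missing} $expected"
    done | grep . && return 1
    return 0
}

# port_has_type TYPE PROTO PORT [SEMANAGE_OUTPUT]: exit 0 if PORT/PROTO lies
# inside one of TYPE's entries (single ports or low-high ranges), else 1.
port_has_type() {
    ranges=$(printf '%s\n' "${4:-$(semanage port -l)}" |
        awk -v t="$1" -v p="$2" '$1 == t && $2 == p { $1 = ""; $2 = ""; print }' |
        tr -d ' ' | tr ',' '\n')
    for r in $ranges; do
        [ "$3" -ge "${r%-*}" ] && [ "$3" -le "${r#*-}" ] && return 0
    done
    return 1
}
```

       On a live host, a port that port_has_type reports as uncovered is
       labeled with semanage port -a -t radius_port_t -p udp PORT before
       radiusd is started on it.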

MANAGED FILES

       The SELinux process type radiusd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       radiusd_etc_rw_t

            /etc/raddb/db.daily

       radiusd_log_t

            /var/log/radius(/.*)?
            /var/log/radutmp.*
            /var/log/radwtmp.*
            /var/log/radacct(/.*)?
            /var/log/radius.log.*
            /var/log/freeradius(/.*)?
            /var/log/radiusd-freeradius(/.*)?

       radiusd_var_lib_t

            /var/lib/radiusd(/.*)?

       radiusd_var_run_t

            /var/run/radiusd(/.*)?
            /var/run/radiusd.pid

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux radiusd policy is very flexible, allowing users to set up their
       radiusd processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       radiusd policy stores data with multiple different file context types
       under the /var/log/radius directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/log/radius /srv/radius
       restorecon -R -v /srv/radius

       radiusd policy stores data with multiple different file context types
       under the /var/run/radiusd directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/radiusd /srv/radiusd
       restorecon -R -v /srv/radiusd

       STANDARD FILE CONTEXT

       SELinux defines the file context types for radiusd. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t radiusd_unit_file_t '/srv/myradiusd_content(/.*)?'
       restorecon -R -v /srv/myradiusd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for radiusd:

       radiusd_etc_rw_t

       - Set files with the radiusd_etc_rw_t type, if you want to treat the
       files as radiusd etc read/write content.

       radiusd_etc_t

       - Set files with the radiusd_etc_t type, if you want to store radiusd
       files in the /etc directories.

       radiusd_exec_t

       - Set files with the radiusd_exec_t type, if you want to transition an
       executable to the radiusd_t domain.

       Paths:
            /etc/cron.(daily|monthly)/radiusd,
            /etc/cron.((daily)|(weekly)|(monthly))/freeradius,
            /usr/sbin/radiusd, /usr/sbin/freeradius

       radiusd_initrc_exec_t

       - Set files with the radiusd_initrc_exec_t type, if you want to
       transition an executable to the radiusd_initrc_t domain.

       radiusd_log_t

       - Set files with the radiusd_log_t type, if you want to treat the data
       as radiusd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/radius(/.*)?, /var/log/radutmp.*, /var/log/radwtmp.*,
            /var/log/radacct(/.*)?, /var/log/radius.log.*,
            /var/log/freeradius(/.*)?, /var/log/radiusd-freeradius(/.*)?

       radiusd_unit_file_t

       - Set files with the radiusd_unit_file_t type, if you want to treat the
       files as radiusd unit content.

       radiusd_var_lib_t

       - Set files with the radiusd_var_lib_t type, if you want to store the
       radiusd files under the /var/lib directory.

       radiusd_var_run_t

       - Set files with the radiusd_var_run_t type, if you want to store the
       radiusd files under the /run or /var/run directory.

       Paths:
            /var/run/radiusd(/.*)?, /var/run/radiusd.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), radiusd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



radiusd                            19-10-08                 radiusd_selinux(8)