systemd_logind_selinux(8)       SELinux Policy systemd_logind       systemd_logind_selinux(8)

NAME

       systemd_logind_selinux - Security Enhanced Linux Policy for the
       systemd_logind processes

DESCRIPTION

       Security-Enhanced Linux secures the systemd_logind processes via
       flexible mandatory access control.

       The systemd_logind processes execute with the systemd_logind_t SELinux
       type. You can check if you have these processes running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep systemd_logind_t
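       The check above, and the permissive-domain note further down this page,
       as an added shell example that is not part of the sepolicy-generated
       manual page. Both functions read tool output on stdin, so they work on
       live `ps -eZ` / `semanage permissive -l` output as well as on the
       constructed samples embedded below; the sample output lines are assumed
       shapes, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: confirm from
# `ps -eZ` output which SELinux domain the running systemd-logind process
# has, and whether that domain has been made permissive.

# Constructed sample of `ps -eZ` output (not captured from a real host).
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:02 systemd
system_u:system_r:systemd_logind_t:s0     812 ?        00:00:00 systemd-logind
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2043 pts/0 00:00:00 bash'

# Constructed sample where logind did not transition into its own domain
# (for example because the binary is not labelled systemd_logind_exec_t,
# the entrypoint type this page lists) and therefore still runs as init_t.
SAMPLE_PS_UNCONFINED='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:02 systemd
system_u:system_r:init_t:s0               812 ?        00:00:00 systemd-logind'

# Constructed sample modelled on `semanage permissive -l` output, with
# systemd_logind_t added as a customized permissive type.
SAMPLE_PERMISSIVE='Builtin Permissive Types

Customized Permissive Types

systemd_logind_t'

# Print the SELinux type (third colon-separated field of the context in
# column 1) of every process whose command is systemd-logind.
logind_domain() {
    awk '$NF == "systemd-logind" { split($1, ctx, ":"); print ctx[3] }'
}

# Succeed only if logind runs in systemd_logind_t. An empty result means no
# logind process was found, which also counts as "not confined".
logind_is_confined() {
    [ "$(logind_domain)" = "systemd_logind_t" ]
}

# Succeed if the domain given as $1 appears in `semanage permissive -l`
# output, i.e. SELinux still logs AVC denials for it but no longer enforces.
domain_is_permissive() {
    grep -qx "$1"
}

# Stand-alone demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_PS" | logind_is_confined; then
    echo "sample 1: systemd-logind is confined in systemd_logind_t"
fi
if ! printf '%s\n' "$SAMPLE_PS_UNCONFINED" | logind_is_confined; then
    echo "sample 2: systemd-logind runs as $(printf '%s\n' "$SAMPLE_PS_UNCONFINED" | logind_domain), not systemd_logind_t"
fi
if printf '%s\n' "$SAMPLE_PERMISSIVE" | domain_is_permissive systemd_logind_t; then
    echo "systemd_logind_t is permissive: denials are logged but not enforced"
fi
```

       On a real host the same functions are fed directly, for example
       `ps -eZ | logind_is_confined` and
       `semanage permissive -l | domain_is_permissive systemd_logind_t`; a
       permissive systemd_logind_t is worth flagging because its AVC messages
       in the audit log then record access that was actually granted.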

ENTRYPOINTS

       The systemd_logind_t SELinux type can be entered via the
       systemd_logind_exec_t file type.

       The default entrypoint paths for the systemd_logind_t domain are the
       following:

       /usr/lib/systemd/systemd-logind

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       systemd_logind policy is very flexible, allowing users to set up their
       systemd_logind processes in as secure a manner as possible.

       The following process types are defined for systemd_logind:

       systemd_logind_t

       Note: semanage permissive -a systemd_logind_t can be used to make the
       process type systemd_logind_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       systemd_logind policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run systemd_logind with the
       tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using an sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow Zabbix to run su/sudo, you must turn on the
       zabbix_run_sudo boolean. Disabled by default.

       setsebool -P zabbix_run_sudo 1

       If you want to allow ZoneMinder to run su/sudo, you must turn on the
       zoneminder_run_sudo boolean. Disabled by default.

       setsebool -P zoneminder_run_sudo 1
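       A drift check over the booleans listed above, as an added shell example
       that is not part of the sepolicy-generated manual page. It compares
       `getsebool -a` output (read on stdin) against the defaults this page
       documents and prints the `setsebool -P` commands that would restore
       them. The `getsebool -a` sample embedded below is constructed, and the
       "name --> state" line shape is assumed from that tool's output.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: report which
# of the booleans documented above differ from their documented defaults,
# and print (never run) the setsebool -P commands that restore the defaults.

# Defaults as documented on this page: boolean name, then its default state.
# Exported so awk can read it through ENVIRON without any escape processing.
LOGIND_BOOLEAN_DEFAULTS='authlogin_nsswitch_use_ldap off
fips_mode on
kerberos_enabled on
nis_enabled off
nscd_use_shm on
zabbix_run_sudo off
zoneminder_run_sudo off'
export LOGIND_BOOLEAN_DEFAULTS

# Constructed sample of `getsebool -a` output (not captured from a host):
# fips_mode has been switched off and nis_enabled switched on, and an
# unrelated boolean is present to show it is ignored.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
fips_mode --> off
httpd_can_network_connect --> off
kerberos_enabled --> on
nis_enabled --> on
nscd_use_shm --> on
zabbix_run_sudo --> off
zoneminder_run_sudo --> off'

# Read `getsebool -a` lines ("name --> on|off") on stdin and print one line
# "name current=X default=Y" for each documented boolean that differs from
# its default. Booleans not in the table above are ignored.
boolean_drift() {
    awk '
        BEGIN {
            n = split(ENVIRON["LOGIND_BOOLEAN_DEFAULTS"], rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, " ")
                def[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in def) && $3 != def[$1] {
            printf "%s current=%s default=%s\n", $1, $3, def[$1]
        }'
}

# Turn drift lines into the `setsebool -P` commands that restore the
# documented default. Printed for review, not executed here.
restore_default_cmds() {
    awk '{ sub("^default=", "", $3); print "setsebool -P " $1 " " $3 }'
}

# Stand-alone demonstration on the constructed sample.
drift=$(printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift)
if [ -n "$drift" ]; then
    echo "booleans differing from documented defaults:"
    printf '%s\n' "$drift"
    echo "commands that would restore the documented defaults:"
    printf '%s\n' "$drift" | restore_default_cmds
else
    echo "all documented booleans are at their defaults"
fi
```

       On a live system run `getsebool -a | boolean_drift`. A non-default
       value is not necessarily wrong (nis_enabled may be on deliberately),
       but every line it prints should correspond to a change somebody made
       on purpose; setsebool -P makes the change persistent across reboots.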

MANAGED FILES

       The SELinux process type systemd_logind_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note the process's UID still needs to have DAC
       permissions.

       cgroup_t

            /sys/fs/cgroup

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       config_home_t

            /root/.kde(/.*)?
            /root/.xine(/.*)?
            /root/.config(/.*)?
            /var/run/user/[^/]*/dconf(/.*)?
            /root/.Xdefaults
            /home/[^/]+/.kde(/.*)?
            /home/[^/]+/.xine(/.*)?
            /home/[^/]+/.config(/.*)?
            /home/[^/]+/.cache/dconf(/.*)?
            /home/[^/]+/.Xdefaults

       fusefs_t

            /var/run/user/[^/]*/gvfs

       kdbusfs_t


       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       sysfs_t

            /sys(/.*)?

       systemd_logind_inhibit_var_run_t

            /var/run/systemd/inhibit(/.*)?

       systemd_logind_sessions_t

            /var/run/systemd/sessions(/.*)?

       systemd_logind_var_lib_t

            /var/lib/systemd/linger(/.*)?

       systemd_logind_var_run_t

            /var/run/.*nologin.*
            /var/run/systemd/seats(/.*)?
            /var/run/systemd/users(/.*)?
            /var/run/systemd/shutdown(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       udev_rules_t

            /etc/udev/rules.d(/.*)?

       user_tmp_type

            all user tmp files

       var_auth_t

            /var/ace(/.*)?
            /var/rsa(/.*)?
            /var/lib/abl(/.*)?
            /var/lib/rsa(/.*)?
            /var/lib/pam_ssh(/.*)?
            /var/run/pam_ssh(/.*)?
            /var/lib/pam_shield(/.*)?
            /var/opt/quest/vas/vasd(/.*)?
            /var/lib/google-authenticator(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux systemd_logind policy is very flexible, allowing users to set up
       their systemd_logind processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for systemd_logind. If you want
       to store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t systemd_logind_inhibit_var_run_t '/srv/mysystemd_logind_content(/.*)?'
       restorecon -R -v /srv/mysystemd_logind_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
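       The labeling procedure above, as an added shell example that is not
       part of the sepolicy-generated manual page. The first function finds
       entries whose type is not the one expected for a directory, from
       `ls -Z` output read on stdin (when ls is piped it prints one
       "context name" pair per line, which is the shape assumed here); the
       second prints the semanage fcontext / restorecon pair for a custom
       directory. The directory listing below is constructed, and the custom
       path and type are taken from the example in this section.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: spot entries
# whose SELinux type differs from the expected one (candidates for
# restorecon), and print the commands that label a custom directory
# persistently. Nothing here modifies labels; the commands are only printed.

# Constructed sample modelled on piped `ls -Z` output for
# /var/run/systemd/inhibit, one "context name" pair per line; entry 3 carries
# a generic var_run_t label instead of the expected inhibit type.
SAMPLE_LS='system_u:object_r:systemd_logind_inhibit_var_run_t:s0 1
system_u:object_r:systemd_logind_inhibit_var_run_t:s0 2
system_u:object_r:var_run_t:s0 3'

# Print "name actual_type" for every entry whose type (third field of the
# context) differs from the expected type given as $1. Names containing
# whitespace are reported by their first word only.
mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[3] != want) print $2, ctx[3]
        }'
}

# Print the two commands this page gives for labelling a custom directory
# ($1) with a file type ($2) persistently: record the mapping in the SELinux
# labeling database, then apply it on disk. The trailing (/.*)? makes the
# mapping cover everything below the directory, as in the page's example.
relabel_cmds() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -R -v %s\n' "$1"
}

# Stand-alone demonstration on the constructed sample.
echo "entries not labelled systemd_logind_inhibit_var_run_t:"
printf '%s\n' "$SAMPLE_LS" | mislabeled systemd_logind_inhibit_var_run_t
echo "to label a custom directory persistently:"
relabel_cmds /srv/mysystemd_logind_content systemd_logind_inhibit_var_run_t
```

       On a live host run, for example,
       `ls -Z /var/run/systemd/inhibit | mislabeled systemd_logind_inhibit_var_run_t`.
       Anything it prints is a file the systemd_logind_t domain may be unable
       to manage, which shows up as AVC denials; `restorecon -R -v` on the
       directory fixes labels that disagree with the labeling database, while
       chcon changes are lost on the next relabel, which is why the page
       recommends semanage fcontext for permanent changes.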

       The following file types are defined for systemd_logind:

       systemd_logind_exec_t

       - Set files with the systemd_logind_exec_t type, if you want to
       transition an executable to the systemd_logind_t domain.

       systemd_logind_inhibit_var_run_t

       - Set files with the systemd_logind_inhibit_var_run_t type, if you want
       to store the systemd logind inhibit files under the /run or /var/run
       directory.

       systemd_logind_sessions_t

       - Set files with the systemd_logind_sessions_t type, if you want to
       treat the files as systemd logind sessions data.

       systemd_logind_var_lib_t

       - Set files with the systemd_logind_var_lib_t type, if you want to
       store the systemd logind files under the /var/lib directory.

       systemd_logind_var_run_t

       - Set files with the systemd_logind_var_run_t type, if you want to
       store the systemd logind files under the /run or /var/run directory.

       Paths:
            /var/run/.*nologin.*, /var/run/systemd/seats(/.*)?,
            /var/run/systemd/users(/.*)?, /var/run/systemd/shutdown(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), systemd_logind(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

systemd_logind                     19-10-08          systemd_logind_selinux(8)