1krb5kdc_selinux(8) SELinux Policy krb5kdc krb5kdc_selinux(8)
2
3
4
6 krb5kdc_selinux - Security Enhanced Linux Policy for the krb5kdc pro‐
7 cesses
8
10 Security-Enhanced Linux secures the krb5kdc processes via flexible
11 mandatory access control.
12
13 The krb5kdc processes execute with the krb5kdc_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep krb5kdc_t
20
21
22
24 The krb5kdc_t SELinux type can be entered via the krb5kdc_exec_t file
25 type.
26
27 The default entrypoint paths for the krb5kdc_t domain are the follow‐
28 ing:
29
30 /usr/(kerberos/)?sbin/krb5kdc
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 krb5kdc policy is very flexible allowing users to setup their krb5kdc
40 processes in as secure a method as possible.
41
42 The following process types are defined for krb5kdc:
43
44 krb5kdc_t
45
46 Note: semanage permissive -a krb5kdc_t can be used to make the process
47 type krb5kdc_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. krb5kdc
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run krb5kdc with the tightest access possi‐
56 ble.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Enabled by default.
77
78 setsebool -P kerberos_enabled 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84
85 setsebool -P nis_enabled 1
86
87
88
89 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Disabled by default.
91
92 setsebool -P nscd_use_shm 1
93
94
95
97 The SELinux process type krb5kdc_t can manage files labeled with the
98 following file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100
101 anon_inodefs_t
102
103
104 cluster_conf_t
105
106 /etc/cluster(/.*)?
107
108 cluster_var_lib_t
109
110 /var/lib/pcsd(/.*)?
111 /var/lib/cluster(/.*)?
112 /var/lib/openais(/.*)?
113 /var/lib/pengine(/.*)?
114 /var/lib/corosync(/.*)?
115 /usr/lib/heartbeat(/.*)?
116 /var/lib/heartbeat(/.*)?
117 /var/lib/pacemaker(/.*)?
118
119 cluster_var_run_t
120
121 /var/run/crm(/.*)?
122 /var/run/cman_.*
123 /var/run/rsctmp(/.*)?
124 /var/run/aisexec.*
125 /var/run/heartbeat(/.*)?
126 /var/run/corosync-qnetd(/.*)?
127 /var/run/corosync-qdevice(/.*)?
128 /var/run/corosync.pid
129 /var/run/cpglockd.pid
130 /var/run/rgmanager.pid
131 /var/run/cluster/rgmanager.sk
132
133 krb5kdc_lock_t
134
135 /var/kerberos/krb5kdc/principal.*.ok
136 /var/kerberos/krb5kdc/from_master.*
137
138 krb5kdc_log_t
139
140 /var/log/krb5kdc.log.*
141
142 krb5kdc_principal_t
143
144 /etc/krb5kdc/principal.*
145 /usr/var/krb5kdc/principal.*
146 /var/kerberos/krb5kdc/principal.*
147
148 krb5kdc_tmp_t
149
150
151 krb5kdc_var_lib_t
152
153 /var/lib/kdcproxy(/.*)?
154
155 krb5kdc_var_run_t
156
157 /var/run/krb5kdc(/.*)?
158
159 root_t
160
161 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
162 /
163 /initrd
164
165 security_t
166
167 /selinux
168
169
171 SELinux requires files to have an extended attribute to define the file
172 type.
173
174 You can see the context of a file using the -Z option to ls
175
176 Policy governs the access confined processes have to these files.
177 SELinux krb5kdc policy is very flexible allowing users to setup their
178 krb5kdc processes in as secure a method as possible.
179
180 EQUIVALENCE DIRECTORIES
181
182
183 krb5kdc policy stores data with multiple different file context types
184 under the /var/kerberos/krb5kdc directory. If you would like to store
185 the data in a different directory you can use the semanage command to
186 create an equivalence mapping. If you wanted to store this data under
187 the /srv dirctory you would execute the following command:
188
189 semanage fcontext -a -e /var/kerberos/krb5kdc /srv/krb5kdc
190 restorecon -R -v /srv/krb5kdc
191
192 STANDARD FILE CONTEXT
193
194 SELinux defines the file context types for the krb5kdc, if you wanted
195 to store files with these types in a diffent paths, you need to execute
196 the semanage command to sepecify alternate labeling and then use
197 restorecon to put the labels on disk.
198
199 semanage fcontext -a -t krb5kdc_var_run_t '/srv/mykrb5kdc_con‐
200 tent(/.*)?'
201 restorecon -R -v /srv/mykrb5kdc_content
202
203 Note: SELinux often uses regular expressions to specify labels that
204 match multiple files.
205
206 The following file types are defined for krb5kdc:
207
208
209
210 krb5kdc_conf_t
211
212 - Set files with the krb5kdc_conf_t type, if you want to treat the
213 files as krb5kdc configuration data, usually stored under the /etc
214 directory.
215
216
217 Paths:
218 /etc/krb5kdc(/.*)?, /usr/var/krb5kdc(/.*)?, /var/ker‐
219 beros/krb5kdc(/.*)?
220
221
222 krb5kdc_exec_t
223
224 - Set files with the krb5kdc_exec_t type, if you want to transition an
225 executable to the krb5kdc_t domain.
226
227
228
229 krb5kdc_lock_t
230
231 - Set files with the krb5kdc_lock_t type, if you want to treat the
232 files as krb5kdc lock data, stored under the /var/lock directory
233
234
235 Paths:
236 /var/kerberos/krb5kdc/principal.*.ok, /var/ker‐
237 beros/krb5kdc/from_master.*
238
239
240 krb5kdc_log_t
241
242 - Set files with the krb5kdc_log_t type, if you want to treat the data
243 as krb5kdc log data, usually stored under the /var/log directory.
244
245
246
247 krb5kdc_principal_t
248
249 - Set files with the krb5kdc_principal_t type, if you want to treat the
250 files as krb5kdc principal data.
251
252
253 Paths:
254 /etc/krb5kdc/principal.*, /usr/var/krb5kdc/principal.*, /var/ker‐
255 beros/krb5kdc/principal.*
256
257
258 krb5kdc_tmp_t
259
260 - Set files with the krb5kdc_tmp_t type, if you want to store krb5kdc
261 temporary files in the /tmp directories.
262
263
264
265 krb5kdc_var_lib_t
266
267 - Set files with the krb5kdc_var_lib_t type, if you want to store the
268 krb5kdc files under the /var/lib directory.
269
270
271
272 krb5kdc_var_run_t
273
274 - Set files with the krb5kdc_var_run_t type, if you want to store the
275 krb5kdc files under the /run or /var/run directory.
276
277
278
279 Note: File context can be temporarily modified with the chcon command.
280 If you want to permanently change the file context you need to use the
281 semanage fcontext command. This will modify the SELinux labeling data‐
282 base. You will need to use restorecon to apply the labels.
283
284
286 semanage fcontext can also be used to manipulate default file context
287 mappings.
288
289 semanage permissive can also be used to manipulate whether or not a
290 process type is permissive.
291
292 semanage module can also be used to enable/disable/install/remove pol‐
293 icy modules.
294
295 semanage boolean can also be used to manipulate the booleans
296
297
298 system-config-selinux is a GUI tool available to customize SELinux pol‐
299 icy settings.
300
301
303 This manual page was auto-generated using sepolicy manpage .
304
305
307 selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1), sepol‐
308 icy(8), setsebool(8)
309
310
311
312krb5kdc 19-05-30 krb5kdc_selinux(8)