mpd_selinux(8)                  SELinux Policy mpd                  mpd_selinux(8)

NAME
       mpd_selinux - Security Enhanced Linux Policy for the mpd processes

DESCRIPTION
       Security-Enhanced Linux secures the mpd processes via flexible
       mandatory access control.

       The mpd processes execute with the mpd_t SELinux type. You can check
       whether you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

              ps -eZ | grep mpd_t

ENTRYPOINTS
       The mpd_t SELinux type can be entered via the mpd_exec_t file type.

       The default entrypoint paths for the mpd_t domain are the following:

              /usr/bin/mpd

PROCESS TYPES
       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mpd policy is very flexible, allowing users to set up their mpd
       processes in as secure a manner as possible.

       The following process types are defined for mpd:

              mpd_t

       Note: semanage permissive -a mpd_t can be used to make the process
       type mpd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. This removes confinement for mpd entirely, so use it only
       while diagnosing denials and revert with semanage permissive -d mpd_t.
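To turn the ps check above into something a health check can run, here is an added example script (it is not part of this man page, nor code from the mpd or SELinux projects). It parses ps -eZ output, reports any mpd instance that is not running in mpd_t, and ships with a constructed ps listing so it runs without SELinux; pass --live to read the real process table. The PIDs, commands and contexts in the sample are the example's own.

```shell
#!/bin/sh
# Added example, not from the mpd_selinux(8) page: verify that every running
# mpd process is confined in mpd_t. Works on any `ps -eZ` listing; the sample
# below is constructed, not captured from a real host.
set -u

# The last entry deliberately runs unconfined, which is what you see when mpd
# is started by hand from an unconfined shell instead of via its service.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
system_u:system_r:mpd_t:s0        812 ?        00:00:00 mpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1402 pts/0 00:00:00 /usr/bin/mpd'

# Print "<domain> <pid> <cmd>" for each process whose command is mpd.
# $1: text in `ps -eZ` layout (LABEL PID TTY TIME CMD).
mpd_processes() {
    printf '%s\n' "$1" | awk '$NF ~ /(^|\/)mpd$/ {
        split($1, ctx, ":")       # user:role:type:level, so ctx[3] is the domain
        print ctx[3], $2, $NF
    }'
}

# Succeed only when at least one mpd process exists and all of them run as
# mpd_t; anything else is reported on stderr.
mpd_confined() {
    procs=$(mpd_processes "$1")
    [ -n "$procs" ] || { echo "no mpd process found" >&2; return 1; }
    bad=$(printf '%s\n' "$procs" | awk '$1 != "mpd_t" {
        print "pid " $2 " (" $3 ") runs as " $1 ", not mpd_t"
    }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# --live checks the real process table; the default runs the sample listing.
if [ "${1:-}" = "--live" ]; then
    listing=$(ps -eZ)
else
    listing=$SAMPLE_PS
fi
if mpd_confined "$listing"; then
    echo "all mpd processes are confined in mpd_t"
else
    echo "fix: start mpd through its system service so it enters mpd_t via mpd_exec_t"
fi
```

An mpd started from an interactive root shell keeps the shell's unconfined domain, so none of the policy below applies to it; the check above catches exactly that case.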


BOOLEANS
       SELinux policy is customizable based on the least access required.
       mpd policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run mpd with the tightest access
       possible. Enable only the boolean that matches where mpd's files
       actually live; each one widens what mpd_t can reach. The current value
       of a boolean can be read with getsebool, e.g. getsebool mpd_use_nfs.

       If you want to allow mpd to traverse user home directories, you must
       turn on the mpd_enable_homedirs boolean. Disabled by default.

              setsebool -P mpd_enable_homedirs 1

       If you want to allow mpd to use cifs file systems, you must turn on
       the mpd_use_cifs boolean. Disabled by default.

              setsebool -P mpd_use_cifs 1

       If you want to allow mpd to use nfs file systems, you must turn on the
       mpd_use_nfs boolean. Disabled by default.

              setsebool -P mpd_use_nfs 1

       If you want to allow users to resolve user passwd entries directly
       from ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

              setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

              setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

              setsebool -P nscd_use_shm 1
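Choosing between these booleans is easiest from the AVC denial itself: the tcontext type of the object mpd_t was denied tells you which one, if any, applies. The following added example (not from this page or the SELinux project) parses raw audit lines in the format ausearch -m avc --raw prints, keeps those whose source domain is mpd_t, and maps the target type to the narrowest fix. The sample audit lines are constructed, and the mapping of home-directory, nfs_t and cifs_t targets to the three mpd booleans is the example's reading of the descriptions above; anything else is routed to a relabel or to audit2allow rather than to a boolean. Combined with a temporarily permissive mpd_t (see PROCESS TYPES), one run lists every access mpd needs instead of stopping at the first denial.

```shell
#!/bin/sh
# Added example, not from the mpd_selinux(8) page: map AVC denials for mpd_t
# to the narrowest fix. Input is the raw audit format that
# `ausearch -m avc -c mpd --raw` prints; the lines below are constructed.
set -u

SAMPLE_AVC='type=AVC msg=audit(1575300000.101:201): avc:  denied  { read } for  pid=812 comm="mpd" name="song.flac" dev="sda2" ino=1234 scontext=system_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575300000.102:202): avc:  denied  { search } for  pid=812 comm="mpd" name="music" dev="0:45" ino=2 scontext=system_u:system_r:mpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1575300000.103:203): avc:  denied  { read open } for  pid=812 comm="mpd" name="state" dev="sda2" ino=99 scontext=system_u:system_r:mpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575300000.104:204): avc:  denied  { name_connect } for  pid=812 comm="mpd" dest=8000 scontext=system_u:system_r:mpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1575300000.105:205): avc:  denied  { write } for  pid=700 comm="httpd" name="index.html" dev="sda2" ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# Print "<perms> <target type> <class>" for every denial whose source domain
# is mpd_t. Several permissions in one denial are joined with commas.
avc_for_mpd() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ && /scontext=[^ ]*:mpd_t:/ {
            match($0, /\{ [^}]* \}/)
            perms = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perms)
            ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            print perms, ttype, tclass
        }'
}

# Narrowest fix for one denial: $1 perms, $2 target type, $3 object class.
# The home/nfs/cifs mapping follows the booleans documented above; it is
# this example's reading of them, not text taken from the policy itself.
fix_for_denial() {
    case "$2" in
        user_home_t|user_home_dir_t|home_root_t)
            echo "setsebool -P mpd_enable_homedirs 1" ;;
        nfs_t)
            echo "setsebool -P mpd_use_nfs 1" ;;
        cifs_t)
            echo "setsebool -P mpd_use_cifs 1" ;;
        mpd_*)
            echo "no boolean grants $1 on $2; build a local module with audit2allow" ;;
        *)
            case "$3" in
                file|dir|lnk_file)
                    echo "relabel: $2 is not an mpd file type; semanage fcontext -a -t <mpd type> ... then restorecon -R -v" ;;
                *)
                    echo "no boolean grants $1 on $2 ($3); review with audit2allow" ;;
            esac ;;
    esac
}

# One line per mpd_t denial with the suggested action.
triage() {
    avc_for_mpd "$1" | while read -r perms ttype tclass; do
        printf '%s on %s (%s): %s\n' "$perms" "$ttype" "$tclass" \
            "$(fix_for_denial "$perms" "$ttype" "$tclass")"
    done
}

# Live use: triage "$(ausearch -m avc -c mpd --raw)"
triage "$SAMPLE_AVC"
```

The third sample denial is the common mislabelling case: a state file under /var/lib that carries plain var_lib_t instead of mpd_var_lib_t. No boolean fixes that; restorecon against the FILE CONTEXTS definitions below does.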


PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

              semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux mpd policy is very flexible, allowing users to set up their
       mpd processes in as secure a manner as possible.

       The following port types are defined for mpd:

              mpd_port_t

       Default Defined Ports:
              tcp 6600
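If mpd is configured to listen on a port other than 6600, mpd_t cannot bind it until that port is labelled mpd_port_t. The added example below (not from this page or the SELinux project) reads semanage port -l output, reports whether a port is defined individually or only falls inside a range, and prints the semanage command needed. The listing is constructed for the example but follows the command's column layout; on a real host pass "$(semanage port -l)" instead.

```shell
#!/bin/sh
# Added example, not from the mpd_selinux(8) page: find out which port type a
# TCP port carries and produce the semanage command that lets mpd_t bind it.
# The listing below is constructed, not copied from a real system.
set -u

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mpd_port_t                     tcp      6600
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535'

# Print "<type> exact" when the port is listed individually, "<type> range"
# when it only falls inside a range, nothing when it is not covered at all.
# $1 proto, $2 port, $3 listing text. An individual definition wins over a
# range, which is how the policy itself resolves overlaps.
port_type() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (rng == "" && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) rng = $1
                } else if (exact == "" && p == port) {
                    exact = $1
                }
            }
        }
        END {
            if (exact != "") print exact, "exact"
            else if (rng != "") print rng, "range"
        }'
}

# Emit the semanage command (if any) needed so that mpd_t may bind TCP $1;
# $2 is the listing. A port defined individually for another type has to be
# modified (-m), which takes it away from that type and so from the daemon
# that used it; a port only covered by a range, or not covered, is added (-a).
mpd_port_cmd() {
    port=$1
    result=$(port_type tcp "$port" "$2")
    ptype=${result%% *}
    kind=${result#* }
    if [ -z "$result" ]; then
        echo "semanage port -a -t mpd_port_t -p tcp $port"
    elif [ "$ptype" = mpd_port_t ]; then
        :   # already labelled for mpd, nothing to do
    elif [ "$kind" = exact ]; then
        echo "semanage port -m -t mpd_port_t -p tcp $port"
    else
        echo "semanage port -a -t mpd_port_t -p tcp $port"
    fi
}

for p in 6600 8000 80; do
    printf 'tcp/%s: %s -> %s\n' "$p" \
        "$(port_type tcp "$p" "$SAMPLE_PORTS")" "$(mpd_port_cmd "$p" "$SAMPLE_PORTS")"
done
```

Prefer a port that is only in a range: the -m path above reassigns a port another daemon's policy expects (80 belongs to httpd_t via http_port_t in the sample) and breaks that daemon, while -a on a free port changes nothing else.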

MANAGED FILES
       The SELinux process type mpd_t can manage files labeled with the
       following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs DAC
       permissions on them.

       anon_inodefs_t

       cifs_t

       cluster_conf_t
              /etc/cluster(/.*)?

       cluster_var_lib_t
              /var/lib/pcsd(/.*)?
              /var/lib/cluster(/.*)?
              /var/lib/openais(/.*)?
              /var/lib/pengine(/.*)?
              /var/lib/corosync(/.*)?
              /usr/lib/heartbeat(/.*)?
              /var/lib/heartbeat(/.*)?
              /var/lib/pacemaker(/.*)?

       cluster_var_run_t
              /var/run/crm(/.*)?
              /var/run/cman_.*
              /var/run/rsctmp(/.*)?
              /var/run/aisexec.*
              /var/run/heartbeat(/.*)?
              /var/run/corosync-qnetd(/.*)?
              /var/run/corosync-qdevice(/.*)?
              /var/run/corosync.pid
              /var/run/cpglockd.pid
              /var/run/rgmanager.pid
              /var/run/cluster/rgmanager.sk

       mpd_data_t
              /var/lib/mpd/music(/.*)?
              /var/lib/mpd/playlists(/.*)?

       mpd_home_t
              /home/[^/]+/.mpd(/.*)?

       mpd_tmp_t

       mpd_tmpfs_t

       mpd_var_lib_t
              /var/lib/mpd(/.*)?

       mpd_var_run_t
              /var/run/mpd(/.*)?

       nfs_t

       root_t
              /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
              /
              /initrd

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mpd policy is very flexible, allowing users to set up their
       mpd processes in as secure a manner as possible.

   EQUIVALENCE DIRECTORIES
       mpd policy stores data with multiple different file context types
       under the /var/lib/mpd directory. If you would like to store the data
       in a different directory you can use the semanage command to create
       an equivalence mapping. If you wanted to store this data under the
       /srv directory you would execute the following command:

              semanage fcontext -a -e /var/lib/mpd /srv/mpd
              restorecon -R -v /srv/mpd

   STANDARD FILE CONTEXT
       SELinux defines the file context types for mpd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to have a music
       library under /srv/mympd_content treated as mpd content:

              semanage fcontext -a -t mpd_data_t '/srv/mympd_content(/.*)?'
              restorecon -R -v /srv/mympd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
243
244 The following file types are defined for mpd:
245
246
247
248 mpd_data_t
249
250 - Set files with the mpd_data_t type, if you want to treat the files as
251 mpd content.
252
253
254 Paths:
255 /var/lib/mpd/music(/.*)?, /var/lib/mpd/playlists(/.*)?
256
257
258 mpd_etc_t
259
260 - Set files with the mpd_etc_t type, if you want to store mpd files in
261 the /etc directories.
262
263
264
265 mpd_exec_t
266
267 - Set files with the mpd_exec_t type, if you want to transition an exe‐
268 cutable to the mpd_t domain.
269
270
271
272 mpd_home_t
273
274 - Set files with the mpd_home_t type, if you want to store mpd files in
275 the users home directory.
276
277
278
279 mpd_initrc_exec_t
280
281 - Set files with the mpd_initrc_exec_t type, if you want to transition
282 an executable to the mpd_initrc_t domain.
283
284
285
286 mpd_log_t
287
288 - Set files with the mpd_log_t type, if you want to treat the data as
289 mpd log data, usually stored under the /var/log directory.
290
291
292
293 mpd_tmp_t
294
295 - Set files with the mpd_tmp_t type, if you want to store mpd temporary
296 files in the /tmp directories.
297
298
299
300 mpd_tmpfs_t
301
302 - Set files with the mpd_tmpfs_t type, if you want to store mpd files
303 on a tmpfs file system.
304
305
306
307 mpd_user_data_t
308
309 - Set files with the mpd_user_data_t type, if you want to treat the
310 files as mpd user content.
311
312
313
314 mpd_var_lib_t
315
316 - Set files with the mpd_var_lib_t type, if you want to store the mpd
317 files under the /var/lib directory.
318
319
320
321 mpd_var_run_t
322
323 - Set files with the mpd_var_run_t type, if you want to store the mpd
324 files under the /run or /var/run directory.
325
326
327
328 Note: File context can be temporarily modified with the chcon command.
329 If you want to permanently change the file context you need to use the
330 semanage fcontext command. This will modify the SELinux labeling data‐
331 base. You will need to use restorecon to apply the labels.
332
333
335 semanage fcontext can also be used to manipulate default file context
336 mappings.
337
338 semanage permissive can also be used to manipulate whether or not a
339 process type is permissive.
340
341 semanage module can also be used to enable/disable/install/remove pol‐
342 icy modules.
343
344 semanage port can also be used to manipulate the port definitions
345
346 semanage boolean can also be used to manipulate the booleans
347
348
349 system-config-selinux is a GUI tool available to customize SELinux pol‐
350 icy settings.
351
352
354 This manual page was auto-generated using sepolicy manpage .
355
356
358 selinux(8), mpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
359 setsebool(8)
360
361
362
363mpd 19-12-02 mpd_selinux(8)