systemd_logind_selinux(8)

1systemd_logind_selinux(8)SELinux Policy systemd_logindsystemd_logind_selinux(8)
2
3
4

NAME

6       systemd_logind_selinux  -  Security  Enhanced Linux Policy for the sys‐
7       temd_logind processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the systemd_logind processes via flexi‐
11       ble mandatory access control.
12
13       The  systemd_logind processes execute with the systemd_logind_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep systemd_logind_t
20
21
22

ENTRYPOINTS

24       The   systemd_logind_t  SELinux  type  can  be  entered  via  the  sys‐
25       temd_logind_exec_t file type.
26
27       The default entrypoint paths for the systemd_logind_t  domain  are  the
28       following:
29
30       /usr/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-user-runtime-
31       dir
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       systemd_logind policy is very flexible allowing users  to  setup  their
41       systemd_logind processes in as secure a method as possible.
42
43       The following process types are defined for systemd_logind:
44
45       systemd_logind_t
46
47       Note:  semanage  permissive -a systemd_logind_t can be used to make the
48       process type systemd_logind_t permissive. SELinux does not deny  access
49       to permissive process types, but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux policy is customizable based on least  access  required.   sys‐
55       temd_logind  policy is extremely flexible and has several booleans that
56       allow you to manipulate the policy  and  run  systemd_logind  with  the
57       tightest access possible.
58
59
60
61       If you want to allow users to resolve user passwd entries directly from
62       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
63       gin_nsswitch_use_ldap boolean. Disabled by default.
64
65       setsebool -P authlogin_nsswitch_use_ldap 1
66
67
68
69       If you want to allow all domains to execute in fips_mode, you must turn
70       on the fips_mode boolean. Enabled by default.
71
72       setsebool -P fips_mode 1
73
74
75
76       If you want to allow confined applications to run  with  kerberos,  you
77       must turn on the kerberos_enabled boolean. Disabled by default.
78
79       setsebool -P kerberos_enabled 1
80
81
82
83       If  you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
84       you must turn on the nagios_run_sudo boolean. Disabled by default.
85
86       setsebool -P nagios_run_sudo 1
87
88
89
90       If you want to allow system to run with  NIS,  you  must  turn  on  the
91       nis_enabled boolean. Disabled by default.
92
93       setsebool -P nis_enabled 1
94
95
96
97       If  you  want to allow confined applications to use nscd shared memory,
98       you must turn on the nscd_use_shm boolean. Disabled by default.
99
100       setsebool -P nscd_use_shm 1
101
102
103
104       If you want to allow Zabbix to run su/sudo, you must turn on  the  zab‐
105       bix_run_sudo boolean. Disabled by default.
106
107       setsebool -P zabbix_run_sudo 1
108
109
110
111       If  you  want  to allow ZoneMinder to run su/sudo, you must turn on the
112       zoneminder_run_sudo boolean. Disabled by default.
113
114       setsebool -P zoneminder_run_sudo 1
115
116
117

MANAGED FILES

119       The SELinux process type systemd_logind_t can manage files labeled with
120       the  following  file types.  The paths listed are the default paths for
121       these file types.  Note the processes UID still need to have  DAC  per‐
122       missions.
123
124       cgroup_t
125
126            /sys/fs/cgroup
127
128       cluster_conf_t
129
130            /etc/cluster(/.*)?
131
132       cluster_var_lib_t
133
134            /var/lib/pcsd(/.*)?
135            /var/lib/cluster(/.*)?
136            /var/lib/openais(/.*)?
137            /var/lib/pengine(/.*)?
138            /var/lib/corosync(/.*)?
139            /usr/lib/heartbeat(/.*)?
140            /var/lib/heartbeat(/.*)?
141            /var/lib/pacemaker(/.*)?
142
143       cluster_var_run_t
144
145            /var/run/crm(/.*)?
146            /var/run/cman_.*
147            /var/run/rsctmp(/.*)?
148            /var/run/aisexec.*
149            /var/run/heartbeat(/.*)?
150            /var/run/corosync-qnetd(/.*)?
151            /var/run/corosync-qdevice(/.*)?
152            /var/run/corosync.pid
153            /var/run/cpglockd.pid
154            /var/run/rgmanager.pid
155            /var/run/cluster/rgmanager.sk
156
157       config_home_t
158
159            /root/.kde(/.*)?
160            /root/.xine(/.*)?
161            /root/.config(/.*)?
162            /var/run/user/[^/]*/dconf(/.*)?
163            /root/.Xdefaults
164            /home/[^/]+/.kde(/.*)?
165            /home/[^/]+/.xine(/.*)?
166            /home/[^/]+/.config(/.*)?
167            /home/[^/]+/.cache/dconf(/.*)?
168            /home/[^/]+/.Xdefaults
169
170       fusefs_t
171
172            /var/run/user/[^/]*/gvfs
173
174       kdbusfs_t
175
176
177       root_t
178
179            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
180            /
181            /initrd
182
183       sysfs_t
184
185            /sys(/.*)?
186
187       systemd_logind_inhibit_var_run_t
188
189            /var/run/systemd/inhibit(/.*)?
190
191       systemd_logind_sessions_t
192
193            /var/run/systemd/sessions(/.*)?
194
195       systemd_logind_var_lib_t
196
197            /var/lib/systemd/linger(/.*)?
198
199       systemd_logind_var_run_t
200
201            /var/run/.*nologin.*
202            /var/run/systemd/seats(/.*)?
203            /var/run/systemd/users(/.*)?
204            /var/run/systemd/shutdown(/.*)?
205
206       systemd_passwd_var_run_t
207
208            /var/run/systemd/ask-password(/.*)?
209            /var/run/systemd/ask-password-block(/.*)?
210
211       udev_rules_t
212
213            /etc/udev/rules.d(/.*)?
214
215       user_tmp_type
216
217            all user tmp files
218
219       var_auth_t
220
221            /var/ace(/.*)?
222            /var/rsa(/.*)?
223            /var/lib/abl(/.*)?
224            /var/lib/rsa(/.*)?
225            /var/lib/pam_ssh(/.*)?
226            /var/run/pam_ssh(/.*)?
227            /var/lib/pam_shield(/.*)?
228            /var/opt/quest/vas/vasd(/.*)?
229            /var/lib/google-authenticator(/.*)?
230
231

FILE CONTEXTS

233       SELinux requires files to have an extended attribute to define the file
234       type.
235
236       You can see the context of a file using the -Z option to ls
237
238       Policy governs the access  confined  processes  have  to  these  files.
239       SELinux  systemd_logind policy is very flexible allowing users to setup
240       their systemd_logind processes in as secure a method as possible.
241
242       STANDARD FILE CONTEXT
243
244       SELinux defines the file context types for the systemd_logind,  if  you
245       wanted  to store files with these types in a diffent paths, you need to
246       execute the semanage command to sepecify alternate  labeling  and  then
247       use restorecon to put the labels on disk.
248
249       semanage  fcontext  -a -t systemd_logind_inhibit_var_run_t '/srv/mysys‐
250       temd_logind_content(/.*)?'
251       restorecon -R -v /srv/mysystemd_logind_content
252
253       Note: SELinux often uses regular expressions  to  specify  labels  that
254       match multiple files.
255
256       The following file types are defined for systemd_logind:
257
258
259
260       systemd_logind_exec_t
261
262       - Set files with the systemd_logind_exec_t type, if you want to transi‐
263       tion an executable to the systemd_logind_t domain.
264
265
266       Paths:
267            /usr/lib/systemd/systemd-logind,    /usr/lib/systemd/systemd-user-
268            runtime-dir
269
270
271       systemd_logind_inhibit_var_run_t
272
273       - Set files with the systemd_logind_inhibit_var_run_t type, if you want
274       to store the systemd logind inhibit files under the  /run  or  /var/run
275       directory.
276
277
278
279       systemd_logind_sessions_t
280
281       -  Set  files  with  the systemd_logind_sessions_t type, if you want to
282       treat the files as systemd logind sessions data.
283
284
285
286       systemd_logind_var_lib_t
287
288       - Set files with the systemd_logind_var_lib_t  type,  if  you  want  to
289       store the systemd logind files under the /var/lib directory.
290
291
292
293       systemd_logind_var_run_t
294
295       -  Set  files  with  the  systemd_logind_var_run_t type, if you want to
296       store the systemd logind files under the /run or /var/run directory.
297
298
299       Paths:
300            /var/run/.*nologin.*, /var/run/systemd/seats(/.*)?,  /var/run/sys‐
301            temd/users(/.*)?, /var/run/systemd/shutdown(/.*)?
302
303
304       Note:  File context can be temporarily modified with the chcon command.
305       If you want to permanently change the file context you need to use  the
306       semanage fcontext command.  This will modify the SELinux labeling data‐
307       base.  You will need to use restorecon to apply the labels.
308
309

COMMANDS

311       semanage fcontext can also be used to manipulate default  file  context
312       mappings.
313
314       semanage  permissive  can  also  be used to manipulate whether or not a
315       process type is permissive.
316
317       semanage module can also be used to enable/disable/install/remove  pol‐
318       icy modules.
319
320       semanage boolean can also be used to manipulate the booleans
321
322
323       system-config-selinux is a GUI tool available to customize SELinux pol‐
324       icy settings.
325
326

AUTHOR

328       This manual page was auto-generated using sepolicy manpage .
329
330