1chronyd_selinux(8) SELinux Policy chronyd chronyd_selinux(8)
2
6 chronyd_selinux - Security Enhanced Linux Policy for the chronyd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the chronyd processes via flexible
11 mandatory access control.
12 The chronyd processes execute with the chronyd_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep chronyd_t
20
24 The chronyd_t SELinux type can be entered via the chronyd_exec_t file
25 type.
26 The default entrypoint paths for the chronyd_t domain are the follow‐
28 ing:
29 /usr/sbin/chronyd, /usr/libexec/chrony-helper
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 chronyd policy is very flexible allowing users to setup their chronyd
40 processes in as secure a method as possible.
41 The following process types are defined for chronyd:
43 chronyd_t
45 Note: semanage permissive -a chronyd_t can be used to make the process
47 type chronyd_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. chronyd
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run chronyd with the tightest access possi‐
56 ble.
57 If you want to allow all domains to execute in fips_mode, you must turn
61 on the fips_mode boolean. Enabled by default.
62 setsebool -P fips_mode 1
64 If you want to allow system to run with NIS, you must turn on the
68 nis_enabled boolean. Disabled by default.
69 setsebool -P nis_enabled 1
71
75 SELinux defines port types to represent TCP and UDP ports.
76 You can see the types associated with a port by using the following
78 command:
79 semanage port -l
81 Policy governs the access confined processes have to these ports.
84 SELinux chronyd policy is very flexible allowing users to setup their
85 chronyd processes in as secure a method as possible.
86 The following port types are defined for chronyd:
88 chronyd_port_t
91 Default Defined Ports:
95 udp 323
96
98 The SELinux process type chronyd_t can manage files labeled with the
99 following file types. The paths listed are the default paths for these
100 file types. Note the processes UID still need to have DAC permissions.
101 chronyd_tmpfs_t
103 chronyd_var_lib_t
106 /var/lib/chrony(/.*)?
108 chronyd_var_run_t
110 /var/run/chrony(/.*)?
112 /var/run/chronyd(/.*)?
113 /var/run/chrony-helper(/.*)?
114 /var/run/chronyd.pid
115 /var/run/chronyd.sock
116 cluster_conf_t
118 /etc/cluster(/.*)?
120 cluster_var_lib_t
122 /var/lib/pcsd(/.*)?
124 /var/lib/cluster(/.*)?
125 /var/lib/openais(/.*)?
126 /var/lib/pengine(/.*)?
127 /var/lib/corosync(/.*)?
128 /usr/lib/heartbeat(/.*)?
129 /var/lib/heartbeat(/.*)?
130 /var/lib/pacemaker(/.*)?
131 cluster_var_run_t
133 /var/run/crm(/.*)?
135 /var/run/cman_.*
136 /var/run/rsctmp(/.*)?
137 /var/run/aisexec.*
138 /var/run/heartbeat(/.*)?
139 /var/run/corosync-qnetd(/.*)?
140 /var/run/corosync-qdevice(/.*)?
141 /var/run/corosync.pid
142 /var/run/cpglockd.pid
143 /var/run/rgmanager.pid
144 /var/run/cluster/rgmanager.sk
145 gpsd_tmpfs_t
147 root_t
150 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
152 /
153 /initrd
154 systemd_passwd_var_run_t
156 /var/run/systemd/ask-password(/.*)?
158 /var/run/systemd/ask-password-block(/.*)?
159 timemaster_tmpfs_t
161
165 SELinux requires files to have an extended attribute to define the file
166 type.
167 You can see the context of a file using the -Z option to ls
169 Policy governs the access confined processes have to these files.
171 SELinux chronyd policy is very flexible allowing users to setup their
172 chronyd processes in as secure a method as possible.
173 EQUIVALENCE DIRECTORIES
175 chronyd policy stores data with multiple different file context types
178 under the /var/run/chrony directory. If you would like to store the
179 data in a different directory you can use the semanage command to cre‐
180 ate an equivalence mapping. If you wanted to store this data under the
181 /srv directory you would execute the following command:
182 semanage fcontext -a -e /var/run/chrony /srv/chrony
184 restorecon -R -v /srv/chrony
185 STANDARD FILE CONTEXT
187 SELinux defines the file context types for the chronyd, if you wanted
189 to store files with these types in a diffent paths, you need to execute
190 the semanage command to sepecify alternate labeling and then use
191 restorecon to put the labels on disk.
192 semanage fcontext -a -t chronyd_tmp_t '/srv/mychronyd_content(/.*)?'
194 restorecon -R -v /srv/mychronyd_content
195 Note: SELinux often uses regular expressions to specify labels that
197 match multiple files.
198 The following file types are defined for chronyd:
200 chronyd_exec_t
204 - Set files with the chronyd_exec_t type, if you want to transition an
206 executable to the chronyd_t domain.
207 Paths:
210 /usr/sbin/chronyd, /usr/libexec/chrony-helper
211 chronyd_initrc_exec_t
214 - Set files with the chronyd_initrc_exec_t type, if you want to transi‐
216 tion an executable to the chronyd_initrc_t domain.
217 chronyd_keys_t
221 - Set files with the chronyd_keys_t type, if you want to treat the
223 files as chronyd keys data.
224 chronyd_tmp_t
228 - Set files with the chronyd_tmp_t type, if you want to store chronyd
230 temporary files in the /tmp directories.
231 chronyd_tmpfs_t
235 - Set files with the chronyd_tmpfs_t type, if you want to store chronyd
237 files on a tmpfs file system.
238 chronyd_unit_file_t
242 - Set files with the chronyd_unit_file_t type, if you want to treat the
244 files as chronyd unit content.
245 chronyd_var_lib_t
249 - Set files with the chronyd_var_lib_t type, if you want to store the
251 chronyd files under the /var/lib directory.
252 chronyd_var_log_t
256 - Set files with the chronyd_var_log_t type, if you want to treat the
258 data as chronyd var log data, usually stored under the /var/log direc‐
259 tory.
260 chronyd_var_run_t
264 - Set files with the chronyd_var_run_t type, if you want to store the
266 chronyd files under the /run or /var/run directory.
267 Paths:
270 /var/run/chrony(/.*)?, /var/run/chronyd(/.*)?, /var/run/chrony-
271 helper(/.*)?, /var/run/chronyd.pid, /var/run/chronyd.sock
272 Note: File context can be temporarily modified with the chcon command.
275 If you want to permanently change the file context you need to use the
276 semanage fcontext command. This will modify the SELinux labeling data‐
277 base. You will need to use restorecon to apply the labels.
278
281 semanage fcontext can also be used to manipulate default file context
282 mappings.
283 semanage permissive can also be used to manipulate whether or not a
285 process type is permissive.
286 semanage module can also be used to enable/disable/install/remove pol‐
288 icy modules.
289 semanage port can also be used to manipulate the port definitions
291 semanage boolean can also be used to manipulate the booleans
293 system-config-selinux is a GUI tool available to customize SELinux pol‐
296 icy settings.
297
300 This manual page was auto-generated using sepolicy manpage .
301
304 selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1), sepol‐
305 icy(8), setsebool(8)
306chronyd 20-05-05 chronyd_selinux(8)