fingerd_selinux(8)          SELinux Policy fingerd          fingerd_selinux(8)

NAME

       fingerd_selinux - Security Enhanced Linux Policy for the fingerd
       processes

DESCRIPTION

       Security-Enhanced Linux secures the fingerd processes via flexible
       mandatory access control.

       The fingerd processes execute with the fingerd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep fingerd_t

ENTRYPOINTS

       The fingerd_t SELinux type can be entered via the fingerd_exec_t file
       type.

       The default entrypoint paths for the fingerd_t domain are the
       following:

       /usr/sbin/[cef]fingerd, /usr/sbin/in.(x)?fingerd,
       /etc/cron.weekly/(c)?fingerd

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       fingerd policy is very flexible, allowing users to set up their fingerd
       processes in as secure a method as possible.

       The following process types are defined for fingerd:

       fingerd_t

       Note: semanage permissive -a fingerd_t can be used to make the process
       type fingerd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. fingerd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run fingerd with the tightest access
       possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux fingerd policy is very flexible, allowing users to set up their
       fingerd processes in as secure a method as possible.

       The following port types are defined for fingerd:

       fingerd_port_t

       Default Defined Ports:
                 tcp 79

MANAGED FILES

       The SELinux process type fingerd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       fingerd_var_run_t

            /var/run/*.fingerd.pid

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux fingerd policy is very flexible, allowing users to set up their
       fingerd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for fingerd. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t fingerd_var_run_t '/srv/myfingerd_content(/.*)?'
       restorecon -R -v /srv/myfingerd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for fingerd:

       fingerd_etc_t

       - Set files with the fingerd_etc_t type, if you want to store fingerd
       files in the /etc directories.

       fingerd_exec_t

       - Set files with the fingerd_exec_t type, if you want to transition an
       executable to the fingerd_t domain.

       Paths:
            /usr/sbin/[cef]fingerd, /usr/sbin/in.(x)?fingerd,
            /etc/cron.weekly/(c)?fingerd

       fingerd_log_t

       - Set files with the fingerd_log_t type, if you want to treat the data
       as fingerd log data, usually stored under the /var/log directory.

       fingerd_var_run_t

       - Set files with the fingerd_var_run_t type, if you want to store the
       fingerd files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
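       The following script is an added example, not part of the generated
       manual page or of the policy. It matches paths against the
       fingerd_exec_t patterns listed above and flags files whose label and
       path disagree; the function names and the sample listing are
       constructed, and input is assumed to be in two-column "context path"
       form.

```shell
#!/bin/sh
# Entrypoint patterns copied from this page. File-context regexes are
# anchored at both ends, so each one must match the whole path.
FINGERD_EXEC_PATTERNS='/usr/sbin/[cef]fingerd
/usr/sbin/in.(x)?fingerd
/etc/cron.weekly/(c)?fingerd'

# Constructed sample in "context path" form (not taken from a real host).
SAMPLE_LS_Z='system_u:object_r:fingerd_exec_t:s0 /usr/sbin/in.fingerd
system_u:object_r:bin_t:s0 /usr/sbin/cfingerd
system_u:object_r:fingerd_exec_t:s0 /usr/local/sbin/fingerd
system_u:object_r:bin_t:s0 /usr/sbin/sshd'

# expected_type PATH: print fingerd_exec_t if PATH fully matches one of the
# patterns above, otherwise print "none" (hypothetical helper).
expected_type() {
    while IFS= read -r pat; do
        if printf '%s\n' "$1" | grep -Eqx -- "$pat"; then
            echo fingerd_exec_t
            return 0
        fi
    done <<EOF
$FINGERD_EXEC_PATTERNS
EOF
    echo none
}

# audit_labels: read "context path" lines on stdin and report
#   MISLABELED            path matches an entrypoint pattern but has another type
#   UNEXPECTED_ENTRYPOINT path carries fingerd_exec_t outside the default paths
audit_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
        want=$(expected_type "$path")
        if [ "$want" = fingerd_exec_t ] && [ "$actual" != fingerd_exec_t ]; then
            echo "MISLABELED $path $actual"
        elif [ "$want" = none ] && [ "$actual" = fingerd_exec_t ]; then
            echo "UNEXPECTED_ENTRYPOINT $path"
        fi
    done
}

printf '%s\n' "$SAMPLE_LS_Z" | audit_labels
```

       The dot in in.(x)?fingerd is an unescaped regex wildcard, so it matches
       any single character, while a plain /usr/sbin/fingerd matches none of
       the three patterns. On a live system, matchpathcon reports the context
       the loaded policy expects for a path.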

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

fingerd                            20-05-05                 fingerd_selinux(8)