1passwd_selinux(8)            SELinux Policy passwd           passwd_selinux(8)
2
3
4

NAME

6       passwd_selinux  -  Security  Enhanced  Linux Policy for the passwd pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  passwd  processes  via  flexible
11       mandatory access control.
12
13       The  passwd  processes  execute with the passwd_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep passwd_t
20
21
22

ENTRYPOINTS

24       The  passwd_t  SELinux  type  can be entered via the passwd_exec_t file
25       type.
26
27       The default entrypoint paths for the passwd_t domain are the following:
28
29       /usr/bin/chage, /usr/bin/passwd, /usr/sbin/chpasswd
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       passwd policy is very flexible allowing users  to  setup  their  passwd
39       processes in as secure a method as possible.
40
41       The following process types are defined for passwd:
42
43       passwd_t
44
45       Note:  semanage  permissive -a passwd_t can be used to make the process
46       type passwd_t permissive. SELinux does not deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least access required.   passwd
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run passwd with the tightest access possible.
55
56
57
58       If you want to allow all domains to execute in fips_mode, you must turn
59       on the fips_mode boolean. Enabled by default.
60
61       setsebool -P fips_mode 1
62
63
64
65       If  you  want  to allow confined applications to run with kerberos, you
66       must turn on the kerberos_enabled boolean. Disabled by default.
67
68       setsebool -P kerberos_enabled 1
69
70
71
72       If you want to allow system to run with  NIS,  you  must  turn  on  the
73       nis_enabled boolean. Disabled by default.
74
75       setsebool -P nis_enabled 1
76
77
78
79       If  you want to allow samba to act as the domain controller, add users,
80       groups and change passwords, you must  turn  on  the  samba_domain_con‐
81       troller boolean. Disabled by default.
82
83       setsebool -P samba_domain_controller 1
84
85
86

MANAGED FILES

88       The  SELinux  process  type  passwd_t can manage files labeled with the
89       following file types.  The paths listed are the default paths for these
90       file types.  Note the processes UID still need to have DAC permissions.
91
92       faillog_t
93
94            /var/log/btmp.*
95            /var/log/faillog.*
96            /var/log/tallylog.*
97            /var/run/faillock(/.*)?
98
99       lastlog_t
100
101            /var/log/lastlog.*
102
103       security_t
104
105            /selinux
106
107       shadow_t
108
109            /etc/shadow.*
110            /etc/gshadow.*
111            /etc/nshadow.*
112            /var/db/shadow.*
113            /etc/security/opasswd
114            /etc/security/opasswd.old
115
116

FILE CONTEXTS

118       SELinux requires files to have an extended attribute to define the file
119       type.
120
121       You can see the context of a file using the -Z option to ls
122
123       Policy governs the access  confined  processes  have  to  these  files.
124       SELinux  passwd  policy  is very flexible allowing users to setup their
125       passwd processes in as secure a method as possible.
126
127       STANDARD FILE CONTEXT
128
129       SELinux defines the file context types for the passwd, if you wanted to
130       store  files  with  these types in a diffent paths, you need to execute
131       the semanage command  to  sepecify  alternate  labeling  and  then  use
132       restorecon to put the labels on disk.
133
134       semanage fcontext -a -t passwd_file_t '/srv/mypasswd_content(/.*)?'
135       restorecon -R -v /srv/mypasswd_content
136
137       Note:  SELinux  often  uses  regular expressions to specify labels that
138       match multiple files.
139
140       The following file types are defined for passwd:
141
142
143
144       passwd_exec_t
145
146       - Set files with the passwd_exec_t type, if you want to  transition  an
147       executable to the passwd_t domain.
148
149
150       Paths:
151            /usr/bin/chage, /usr/bin/passwd, /usr/sbin/chpasswd
152
153
154       passwd_file_t
155
156       - Set files with the passwd_file_t type, if you want to treat the files
157       as passwd content.
158
159
160       Paths:
161            /etc/group[-+]?,     /etc/passwd[-+]?,      /etc/passwd.adjunct.*,
162            /etc/ptmptmp,  /etc/.pwd.lock,  /etc/group.lock,  /etc/passwd.OLD,
163            /etc/passwd.lock
164
165
166       Note: File context can be temporarily modified with the chcon  command.
167       If  you want to permanently change the file context you need to use the
168       semanage fcontext command.  This will modify the SELinux labeling data‐
169       base.  You will need to use restorecon to apply the labels.
170
171

COMMANDS

173       semanage  fcontext  can also be used to manipulate default file context
174       mappings.
175
176       semanage permissive can also be used to manipulate  whether  or  not  a
177       process type is permissive.
178
179       semanage  module can also be used to enable/disable/install/remove pol‐
180       icy modules.
181
182       semanage boolean can also be used to manipulate the booleans
183
184
185       system-config-selinux is a GUI tool available to customize SELinux pol‐
186       icy settings.
187
188

AUTHOR

190       This manual page was auto-generated using sepolicy manpage .
191
192

SEE ALSO

194       selinux(8),  passwd(8),  semanage(8),  restorecon(8),  chcon(1), sepol‐
195       icy(8), setsebool(8)
196
197
198
199passwd                             20-05-05                  passwd_selinux(8)
Impressum