rlogind_selinux(8)

1rlogind_selinux(8)          SELinux Policy rlogind          rlogind_selinux(8)
2
3
4

NAME

6       rlogind_selinux  -  Security Enhanced Linux Policy for the rlogind pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  rlogind  processes  via  flexible
11       mandatory access control.
12
13       The  rlogind processes execute with the rlogind_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep rlogind_t
20
21
22

ENTRYPOINTS

24       The  rlogind_t  SELinux type can be entered via the rlogind_exec_t file
25       type.
26
27       The default entrypoint paths for the rlogind_t domain are  the  follow‐
28       ing:
29
30       /usr/lib/telnetlogin, /usr/sbin/in.rlogind, /usr/kerberos/sbin/klogind
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       rlogind  policy  is very flexible allowing users to setup their rlogind
40       processes in as secure a method as possible.
41
42       The following process types are defined for rlogind:
43
44       rlogind_t
45
46       Note: semanage permissive -a rlogind_t can be used to make the  process
47       type  rlogind_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  rlogind
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run rlogind with the tightest access possi‐
56       ble.
57
58
59
60       If you want to allow all domains to execute in fips_mode, you must turn
61       on the fips_mode boolean. Enabled by default.
62
63       setsebool -P fips_mode 1
64
65
66
67       If  you  want  to allow confined applications to run with kerberos, you
68       must turn on the kerberos_enabled boolean. Disabled by default.
69
70       setsebool -P kerberos_enabled 1
71
72
73
74       If you want to allow system to run with  NIS,  you  must  turn  on  the
75       nis_enabled boolean. Disabled by default.
76
77       setsebool -P nis_enabled 1
78
79
80
81       If you want to enable polyinstantiated directory support, you must turn
82       on the polyinstantiation_enabled boolean. Disabled by default.
83
84       setsebool -P polyinstantiation_enabled 1
85
86
87

PORT TYPES

89       SELinux defines port types to represent TCP and UDP ports.
90
91       You can see the types associated with a port  by  using  the  following
92       command:
93
94       semanage port -l
95
96
97       Policy  governs  the  access  confined  processes  have to these ports.
98       SELinux rlogind policy is very flexible allowing users to  setup  their
99       rlogind processes in as secure a method as possible.
100
101       The following port types are defined for rlogind:
102
103
104       rlogin_port_t
105
106
107
108       Default Defined Ports:
109                 tcp 543,2105
110
111
112       rlogind_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 513
118

MANAGED FILES

120       The  SELinux  process  type rlogind_t can manage files labeled with the
121       following file types.  The paths listed are the default paths for these
122       file types.  Note the processes UID still need to have DAC permissions.
123
124       auth_cache_t
125
126            /var/cache/coolkey(/.*)?
127
128       auth_home_t
129
130            /root/.yubico(/.*)?
131            /root/.config/Yubico(/.*)?
132            /root/.google_authenticator
133            /root/.google_authenticator~
134            /home/[^/]+/.yubico(/.*)?
135            /home/[^/]+/.config/Yubico(/.*)?
136            /home/[^/]+/.google_authenticator
137            /home/[^/]+/.google_authenticator~
138
139       cgroup_t
140
141            /sys/fs/cgroup
142
143       cluster_conf_t
144
145            /etc/cluster(/.*)?
146
147       cluster_var_lib_t
148
149            /var/lib/pcsd(/.*)?
150            /var/lib/cluster(/.*)?
151            /var/lib/openais(/.*)?
152            /var/lib/pengine(/.*)?
153            /var/lib/corosync(/.*)?
154            /usr/lib/heartbeat(/.*)?
155            /var/lib/heartbeat(/.*)?
156            /var/lib/pacemaker(/.*)?
157
158       cluster_var_run_t
159
160            /var/run/crm(/.*)?
161            /var/run/cman_.*
162            /var/run/rsctmp(/.*)?
163            /var/run/aisexec.*
164            /var/run/heartbeat(/.*)?
165            /var/run/corosync-qnetd(/.*)?
166            /var/run/corosync-qdevice(/.*)?
167            /var/run/corosync.pid
168            /var/run/cpglockd.pid
169            /var/run/rgmanager.pid
170            /var/run/cluster/rgmanager.sk
171
172       faillog_t
173
174            /var/log/btmp.*
175            /var/log/faillog.*
176            /var/log/tallylog.*
177            /var/run/faillock(/.*)?
178
179       initrc_var_run_t
180
181            /var/run/utmp
182            /var/run/random-seed
183            /var/run/runlevel.dir
184            /var/run/setmixer_flag
185
186       lastlog_t
187
188            /var/log/lastlog.*
189
190       pam_var_run_t
191
192            /var/(db|adm)/sudo(/.*)?
193            /var/lib/sudo(/.*)?
194            /var/run/sudo(/.*)?
195            /var/run/motd.d(/.*)?
196            /var/run/pam_ssh(/.*)?
197            /var/run/sepermit(/.*)?
198            /var/run/pam_mount(/.*)?
199            /var/run/pam_timestamp(/.*)?
200            /var/run/motd
201
202       rlogind_var_run_t
203
204
205       root_t
206
207            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
208            /
209            /initrd
210
211       security_t
212
213            /selinux
214
215       var_auth_t
216
217            /var/ace(/.*)?
218            /var/rsa(/.*)?
219            /var/lib/abl(/.*)?
220            /var/lib/rsa(/.*)?
221            /var/lib/pam_ssh(/.*)?
222            /var/lib/pam_shield(/.*)?
223            /var/opt/quest/vas/vasd(/.*)?
224            /var/lib/google-authenticator(/.*)?
225
226       wtmp_t
227
228            /var/log/wtmp.*
229
230

FILE CONTEXTS

232       SELinux requires files to have an extended attribute to define the file
233       type.
234
235       You can see the context of a file using the -Z option to ls
236
237       Policy governs the access  confined  processes  have  to  these  files.
238       SELinux  rlogind  policy is very flexible allowing users to setup their
239       rlogind processes in as secure a method as possible.
240
241       STANDARD FILE CONTEXT
242
243       SELinux defines the file context types for the rlogind, if  you  wanted
244       to store files with these types in a diffent paths, you need to execute
245       the semanage command  to  sepecify  alternate  labeling  and  then  use
246       restorecon to put the labels on disk.
247
248       semanage   fcontext   -a   -t   rlogind_var_run_t  '/srv/myrlogind_con‐
249       tent(/.*)?'
250       restorecon -R -v /srv/myrlogind_content
251
252       Note: SELinux often uses regular expressions  to  specify  labels  that
253       match multiple files.
254
255       The following file types are defined for rlogind:
256
257
258
259       rlogind_exec_t
260
261       -  Set files with the rlogind_exec_t type, if you want to transition an
262       executable to the rlogind_t domain.
263
264
265       Paths:
266            /usr/lib/telnetlogin,       /usr/sbin/in.rlogind,        /usr/ker‐
267            beros/sbin/klogind
268
269
270       rlogind_home_t
271
272       -  Set files with the rlogind_home_t type, if you want to store rlogind
273       files in the users home directory.
274
275
276       Paths:
277            /root/.rhosts,         /root/.rlogin,         /home/[^/]+/.rhosts,
278            /home/[^/]+/.rlogin
279
280
281       rlogind_keytab_t
282
283       -  Set  files  with the rlogind_keytab_t type, if you want to treat the
284       files as kerberos keytab files.
285
286
287
288       rlogind_tmp_t
289
290       - Set files with the rlogind_tmp_t type, if you want to  store  rlogind
291       temporary files in the /tmp directories.
292
293
294
295       rlogind_var_run_t
296
297       -  Set  files with the rlogind_var_run_t type, if you want to store the
298       rlogind files under the /run or /var/run directory.
299
300
301
302       Note: File context can be temporarily modified with the chcon  command.
303       If  you want to permanently change the file context you need to use the
304       semanage fcontext command.  This will modify the SELinux labeling data‐
305       base.  You will need to use restorecon to apply the labels.
306
307

COMMANDS

309       semanage  fcontext  can also be used to manipulate default file context
310       mappings.
311
312       semanage permissive can also be used to manipulate  whether  or  not  a
313       process type is permissive.
314
315       semanage  module can also be used to enable/disable/install/remove pol‐
316       icy modules.
317
318       semanage port can also be used to manipulate the port definitions
319
320       semanage boolean can also be used to manipulate the booleans
321
322
323       system-config-selinux is a GUI tool available to customize SELinux pol‐
324       icy settings.
325
326

AUTHOR

328       This manual page was auto-generated using sepolicy manpage .
329
330