sssd_selinux(8)               SELinux Policy sssd              sssd_selinux(8)


NAME

       sssd_selinux - Security Enhanced Linux Policy for the sssd processes


DESCRIPTION

       Security-Enhanced Linux secures the sssd processes via flexible mandatory
       access control.

       The sssd processes execute with the sssd_t SELinux type. You can check
       if you have these processes running by executing the ps command with the
       -Z qualifier.

       For example:

       ps -eZ | grep sssd_t

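       The grep above only shows the processes that are already confined. The
       script below is an added example, not part of this manual page or of
       the sssd project: it parses ps -eZ style output, lists the PIDs in a
       given domain, and flags any sssd program that is running outside sssd_t
       (a typical symptom of a mislabeled entrypoint or a manual start from an
       unconfined shell). The ps output embedded in SAMPLE_PS is constructed so
       the script runs offline; on a live host pipe "ps -eZ" into the functions
       instead.

```shell
#!/bin/sh
# Added example (not from sssd_selinux(8)): check that every sssd process is
# confined in the sssd_t domain, using the same columns that "ps -eZ" prints.

# Constructed sample of "ps -eZ" output (LABEL PID TTY TIME CMD); the sssd_kcm
# line deliberately runs unconfined so the audit has something to report.
SAMPLE_PS='LABEL                           PID TTY          TIME CMD
system_u:system_r:init_t:s0       1 ?        00:00:03 systemd
system_u:system_r:sssd_t:s0     812 ?        00:00:01 sssd
system_u:system_r:sssd_t:s0     820 ?        00:00:00 sssd_be
system_u:system_r:sssd_t:s0     821 ?        00:00:00 sssd_nss
system_u:system_r:sssd_t:s0     822 ?        00:00:00 sssd_pam
system_u:system_r:unconfined_t:s0 4410 pts/0  00:00:00 sssd_kcm
system_u:system_r:sshd_t:s0     930 ?        00:00:00 sshd'

# Extract the SELinux type (third colon-separated field) from a context string
# such as system_u:system_r:sssd_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the PIDs of all processes running in the given domain.
# Reads "ps -eZ" output on stdin and skips the header line.
pids_in_domain() {
    domain=$1
    awk -v d="$domain" 'NR > 1 { split($1, c, ":"); if (c[3] == d) print $2 }'
}

# Report sssd programs that are NOT confined in sssd_t. Reads "ps -eZ" output
# on stdin, prints "PID CONTEXT CMD" for each offender and returns 1 if any
# were found, 0 if all sssd processes are confined.
unconfined_sssd() {
    awk 'BEGIN { bad = 0 }
         NR > 1 && $NF ~ /^sssd/ {
             split($1, c, ":")
             if (c[3] != "sssd_t") { print $2, $1, $NF; bad = 1 }
         }
         END { exit bad }'
}

# Demonstration on the constructed sample.
echo "sssd_t PIDs: $(printf '%s\n' "$SAMPLE_PS" | pids_in_domain sssd_t | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_PS" | unconfined_sssd \
    || echo "warning: sssd processes are running outside the sssd_t domain"
```

       On a real system replace the sample with "ps -eZ | unconfined_sssd";
       a non-zero exit status means at least one sssd binary is not running
       under the policy this page describes.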

ENTRYPOINTS

       The sssd_t SELinux type can be entered via the sssd_exec_t file type.

       The default entrypoint paths for the sssd_t domain are the following:

       /usr/sbin/sssd, /usr/libexec/sssd/sssd_ifp, /usr/libexec/sssd/sssd_kcm,
       /usr/libexec/sssd/sssd_nss, /usr/libexec/sssd/sssd_pac,
       /usr/libexec/sssd/sssd_pam, /usr/libexec/sssd/sssd_ssh,
       /usr/libexec/sssd/sssd_sudo, /usr/libexec/sssd/sssd_autofs,
       /usr/libexec/sssd/sssd_secrets


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux sssd
       policy is very flexible, allowing users to set up their sssd processes
       in as secure a manner as possible.

       The following process types are defined for sssd:

       sssd_t, sssd_selinux_manager_t

       Note: semanage permissive -a sssd_t can be used to make the process type
       sssd_t permissive. SELinux does not deny access to permissive process
       types, but the AVC (SELinux denial) messages are still generated.


BOOLEANS

       SELinux policy is customizable based on least access required. sssd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sssd with the tightest access possible.

       If you want to allow sssd read, view, and write access to kernel keys
       with kernel_t type, you must turn on the sssd_access_kernel_keys
       boolean. Disabled by default.

       setsebool -P sssd_access_kernel_keys 1

       If you want to allow sssd to connect to all unreserved ports, you must
       turn on the sssd_connect_all_unreserved_ports boolean. Disabled by
       default.

       setsebool -P sssd_connect_all_unreserved_ports 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow Apache to communicate with the sssd service via
       dbus, you must turn on the httpd_dbus_sssd boolean. Disabled by default.

       setsebool -P httpd_dbus_sssd 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

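       Each boolean above widens what sssd_t (or, for fips_mode and
       nis_enabled, every domain) may do, so a least-access review starts by
       comparing the live values with the defaults listed here. The script
       below is an added example, not part of this manual page or the sssd
       project: it reads "getsebool -a" style output, reports every boolean
       from this section whose value differs from its documented default, and
       prints the setsebool -P command that would restore it. The getsebool
       output in SAMPLE_GETSEBOOL is constructed (two booleans have been
       switched on) so the script runs without SELinux; on a live host use
       "getsebool -a | audit_sssd_booleans".

```shell
#!/bin/sh
# Added example (not from sssd_selinux(8)): audit the sssd-related booleans
# against the defaults documented in the BOOLEANS section.

# Expected defaults, one "NAME VALUE" pair per line, taken from the man page.
SSSD_BOOLEAN_DEFAULTS='sssd_access_kernel_keys off
sssd_connect_all_unreserved_ports off
fips_mode on
httpd_dbus_sssd off
nis_enabled off'

# Constructed sample of "getsebool -a" output. Two booleans deviate from the
# defaults: httpd_dbus_sssd and sssd_connect_all_unreserved_ports are on.
SAMPLE_GETSEBOOL='abrt_anon_write --> off
fips_mode --> on
httpd_dbus_sssd --> on
nis_enabled --> off
sssd_access_kernel_keys --> off
sssd_connect_all_unreserved_ports --> on
ssh_sysadm_login --> off'

# Print "NAME CURRENT EXPECTED" for each documented boolean whose live value
# differs from its default. Reads getsebool output ("name --> value") on stdin.
# Returns 0 when everything matches the defaults, 1 otherwise.
audit_sssd_booleans() {
    awk -v defaults="$SSSD_BOOLEAN_DEFAULTS" '
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
            bad = 0
        }
        ($1 in want) && $3 != want[$1] { print $1, $3, want[$1]; bad = 1 }
        END { exit bad }'
}

# Print the setsebool command that returns a boolean to its documented default
# (setsebool -P makes the change persistent). Returns 1 for an unknown name.
remediation_for() {
    name=$1
    value=$(printf '%s\n' "$SSSD_BOOLEAN_DEFAULTS" \
        | awk -v n="$name" '$1 == n { v = ($2 == "on") ? 1 : 0; print v }')
    [ -n "$value" ] || return 1
    printf 'setsebool -P %s %s\n' "$name" "$value"
}

# Demonstration on the constructed sample: list deviations with their fixes.
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_sssd_booleans \
    | while read -r name current expected; do
        echo "$name is $current, documented default is $expected:"
        echo "  $(remediation_for "$name")"
    done
```

       The remediation lines are printed rather than executed so the change
       can be reviewed first; a boolean that is deliberately enabled (for
       example httpd_dbus_sssd on a host where Apache really talks to sssd over
       dbus) should be documented as an accepted deviation rather than reset.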

MANAGED FILES

       The SELinux process type sssd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       auth_cache_t

            /var/cache/coolkey(/.*)?

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_keytab_t

            /var/kerberos/krb5(/.*)?
            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       sssd_var_log_t

            /var/log/sssd(/.*)?

       sssd_var_run_t

            /var/run/sssd.pid
            /var/run/secrets.socket
            /var/run/.heim_org.h5l.kcm-socket


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux sssd policy is very flexible, allowing users to set up their
       sssd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       sssd policy stores data with multiple different file context types
       under the /var/lib/sss directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/lib/sss /srv/sss
       restorecon -R -v /srv/sss

       STANDARD FILE CONTEXT

       SELinux defines the file context types for sssd. If you wanted to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t sssd_unit_file_t '/srv/mysssd_content(/.*)?'
       restorecon -R -v /srv/mysssd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for sssd:

       sssd_conf_t

       - Set files with the sssd_conf_t type, if you want to treat the files
       as sssd configuration data, usually stored under the /etc directory.

       sssd_exec_t

       - Set files with the sssd_exec_t type, if you want to transition an
       executable to the sssd_t domain.

       Paths:
            /usr/sbin/sssd, /usr/libexec/sssd/sssd_ifp,
            /usr/libexec/sssd/sssd_kcm, /usr/libexec/sssd/sssd_nss,
            /usr/libexec/sssd/sssd_pac, /usr/libexec/sssd/sssd_pam,
            /usr/libexec/sssd/sssd_ssh, /usr/libexec/sssd/sssd_sudo,
            /usr/libexec/sssd/sssd_autofs, /usr/libexec/sssd/sssd_secrets

       sssd_initrc_exec_t

       - Set files with the sssd_initrc_exec_t type, if you want to transition
       an executable to the sssd_initrc_t domain.

       sssd_public_t

       - Set files with the sssd_public_t type, if you want to treat the files
       as sssd public data.

       Paths:
            /var/lib/sss/mc(/.*)?, /var/lib/sss/pubconf(/.*)?

       sssd_selinux_manager_exec_t

       - Set files with the sssd_selinux_manager_exec_t type, if you want to
       transition an executable to the sssd_selinux_manager_t domain.

       sssd_unit_file_t

       - Set files with the sssd_unit_file_t type, if you want to treat the
       files as sssd unit content.

       sssd_var_lib_t

       - Set files with the sssd_var_lib_t type, if you want to store the sssd
       files under the /var/lib directory.

       sssd_var_log_t

       - Set files with the sssd_var_log_t type, if you want to treat the data
       as sssd var log data, usually stored under the /var/log directory.

       sssd_var_run_t

       - Set files with the sssd_var_run_t type, if you want to store the sssd
       files under the /run or /var/run directory.

       Paths:
            /var/run/sssd.pid, /var/run/secrets.socket,
            /var/run/.heim_org.h5l.kcm-socket

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

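       The path patterns above are regular expressions that are matched
       against whole paths, and an equivalence mapping works by rewriting a
       path prefix before that match happens. The script below is an added
       example, not part of this manual page or the sssd project, that makes
       both mechanisms concrete: it resolves the default sssd type for a path
       from the patterns listed in this section, shows what the
       "semanage fcontext -a -e /var/lib/sss /srv/sss" mapping does to a path
       under /srv/sss, and audits an "ls -Z" style listing for files whose
       on-disk label no longer matches the default (the drift that restorecon
       repairs). The /var/lib/sss(/.*)? pattern for sssd_var_lib_t and the
       condensed /usr/libexec/sssd/sssd_(...) pattern are assumptions that
       summarize the page's prose; the listing in SAMPLE_LS_Z is constructed so
       the script runs offline. On a real host matchpathcon(8) and
       "restorecon -nv" are the authoritative checks.

```shell
#!/bin/sh
# Added example (not from sssd_selinux(8) or the sssd project): resolve default
# sssd file types from the page's regex table, apply an equivalence mapping,
# and find files whose current label differs from the default.

# "REGEX TYPE" pairs from the FILE CONTEXTS / MANAGED FILES sections. The
# /var/lib/sss(/.*)? line is an assumption (the page names the directory, not
# the exact pattern) and the sssd_(...) line condenses the page's list of
# entrypoint paths. This simplified resolver takes the first matching line, so
# the more specific patterns are listed first; libselinux chooses the most
# specific match, which gives the same answer for this table.
SSSD_FILE_CONTEXTS='/var/lib/sss/mc(/.*)? sssd_public_t
/var/lib/sss/pubconf(/.*)? sssd_public_t
/var/lib/sss(/.*)? sssd_var_lib_t
/var/log/sssd(/.*)? sssd_var_log_t
/var/run/sssd.pid sssd_var_run_t
/var/run/secrets.socket sssd_var_run_t
/var/run/.heim_org.h5l.kcm-socket sssd_var_run_t
/usr/sbin/sssd sssd_exec_t
/usr/libexec/sssd/sssd_(ifp|kcm|nss|pac|pam|ssh|sudo|autofs|secrets) sssd_exec_t'

# Print the default type for one absolute path; prints nothing when no pattern
# in the table matches (the path is then governed by some other policy module).
default_type_for() {
    printf '%s\n' "$SSSD_FILE_CONTEXTS" | awk -v p="$1" '
        $0 ~ /^[^ ]+ [^ ]+$/ { if (p ~ ("^" $1 "$")) { print $2; exit } }'
}

# Equivalence mapping: "semanage fcontext -a -e SOURCE TARGET" labels paths
# under TARGET as if they were under SOURCE. Rewrite the prefix, then resolve.
# Usage: default_type_with_equivalence PATH TARGET SOURCE
default_type_with_equivalence() {
    path=$1; target=$2; source=$3
    case $path in
        "$target"|"$target"/*) path="$source${path#"$target"}" ;;
    esac
    default_type_for "$path"
}

# Constructed "ls -Z"-style listing (CONTEXT PATH). One label has drifted: a
# memory-cache file kept sssd_var_lib_t, as happens when a file is moved in
# with mv, which preserves the old label.
SAMPLE_LS_Z='system_u:object_r:sssd_var_lib_t:s0 /var/lib/sss/db/cache_example.ldb
system_u:object_r:sssd_public_t:s0 /var/lib/sss/mc/passwd
system_u:object_r:sssd_var_lib_t:s0 /var/lib/sss/mc/group
system_u:object_r:sssd_var_log_t:s0 /var/log/sssd/sssd.log
system_u:object_r:sssd_var_run_t:s0 /var/run/sssd.pid'

# Report files whose current type differs from the default for their path.
# Reads the listing on stdin, prints "PATH CURRENT EXPECTED" per mismatch and
# returns 1 if any drift was found.
find_mislabeled() {
    bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        current=$(printf '%s\n' "$ctx" | cut -d: -f3)
        expected=$(default_type_for "$path")
        if [ -n "$expected" ] && [ "$current" != "$expected" ]; then
            echo "$path $current $expected"
            bad=1
        fi
    done
    return $bad
}

# Demonstration on the constructed data.
echo "/srv/sss/mc/passwd under the /srv/sss equivalence -> $(default_type_with_equivalence /srv/sss/mc/passwd /srv/sss /var/lib/sss)"
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled \
    || echo "label drift found; restorecon -R -v /var/lib/sss would restore the defaults"
```

       The mismatch report is what a periodic "restorecon -nv" run would also
       surface; a file type that differs from the default is the usual reason
       a confined sssd_t process is denied access to a file it owns.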

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), sssd_selinux_manager_selinux(8)

sssd                               21-03-26                    sssd_selinux(8)