1rlogind_selinux(8)          SELinux Policy rlogind          rlogind_selinux(8)
2
3
4

NAME

6       rlogind_selinux  -  Security Enhanced Linux Policy for the rlogind pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  rlogind  processes  via  flexible
11       mandatory access control.
12
13       The  rlogind processes execute with the rlogind_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep rlogind_t
20
21
22

ENTRYPOINTS

24       The  rlogind_t  SELinux type can be entered via the rlogind_exec_t file
25       type.
26
27       The default entrypoint paths for the rlogind_t domain are  the  follow‐
28       ing:
29
30       /usr/lib/telnetlogin, /usr/sbin/in.rlogind, /usr/kerberos/sbin/klogind
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       rlogind  policy  is very flexible allowing users to setup their rlogind
40       processes in as secure a method as possible.
41
42       The following process types are defined for rlogind:
43
44       rlogind_t
45
46       Note: semanage permissive -a rlogind_t can be used to make the  process
47       type  rlogind_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  rlogind
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run rlogind with the tightest access possi‐
56       ble.
57
58
59
60       If you want to allow all domains to execute in fips_mode, you must turn
61       on the fips_mode boolean. Enabled by default.
62
63       setsebool -P fips_mode 1
64
65
66
67       If  you  want  to allow confined applications to run with kerberos, you
68       must turn on the kerberos_enabled boolean. Enabled by default.
69
70       setsebool -P kerberos_enabled 1
71
72
73
74       If you want to allow system to run with  NIS,  you  must  turn  on  the
75       nis_enabled boolean. Disabled by default.
76
77       setsebool -P nis_enabled 1
78
79
80
81       If you want to enable polyinstantiated directory support, you must turn
82       on the polyinstantiation_enabled boolean. Disabled by default.
83
84       setsebool -P polyinstantiation_enabled 1
85
86
87

PORT TYPES

89       SELinux defines port types to represent TCP and UDP ports.
90
91       You can see the types associated with a port  by  using  the  following
92       command:
93
94       semanage port -l
95
96
97       Policy  governs  the  access  confined  processes  have to these ports.
98       SELinux rlogind policy is very flexible allowing users to  setup  their
99       rlogind processes in as secure a method as possible.
100
101       The following port types are defined for rlogind:
102
103
104       rlogin_port_t
105
106
107
108       Default Defined Ports:
109                 tcp 543,2105
110
111
112       rlogind_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 513
118

MANAGED FILES

120       The  SELinux  process  type rlogind_t can manage files labeled with the
121       following file types.  The paths listed are the default paths for these
122       file types.  Note the processes UID still need to have DAC permissions.
123
124       auth_cache_t
125
126            /var/cache/coolkey(/.*)?
127
128       auth_home_t
129
130            /root/.yubico(/.*)?
131            /root/.config/Yubico(/.*)?
132            /root/.google_authenticator
133            /root/.google_authenticator~
134            /home/[^/]+/.yubico(/.*)?
135            /home/[^/]+/.config/Yubico(/.*)?
136            /home/[^/]+/.google_authenticator
137            /home/[^/]+/.google_authenticator~
138
139       cluster_conf_t
140
141            /etc/cluster(/.*)?
142
143       cluster_var_lib_t
144
145            /var/lib/pcsd(/.*)?
146            /var/lib/cluster(/.*)?
147            /var/lib/openais(/.*)?
148            /var/lib/pengine(/.*)?
149            /var/lib/corosync(/.*)?
150            /usr/lib/heartbeat(/.*)?
151            /var/lib/heartbeat(/.*)?
152            /var/lib/pacemaker(/.*)?
153
154       cluster_var_run_t
155
156            /var/run/crm(/.*)?
157            /var/run/cman_.*
158            /var/run/rsctmp(/.*)?
159            /var/run/aisexec.*
160            /var/run/heartbeat(/.*)?
161            /var/run/pcsd-ruby.socket
162            /var/run/corosync-qnetd(/.*)?
163            /var/run/corosync-qdevice(/.*)?
164            /var/run/corosync.pid
165            /var/run/cpglockd.pid
166            /var/run/rgmanager.pid
167            /var/run/cluster/rgmanager.sk
168
169       faillog_t
170
171            /var/log/btmp.*
172            /var/log/faillog.*
173            /var/log/tallylog.*
174            /var/run/faillock(/.*)?
175
176       initrc_var_run_t
177
178            /var/run/utmp
179            /var/run/random-seed
180            /var/run/runlevel.dir
181            /var/run/setmixer_flag
182
183       krb5_host_rcache_t
184
185            /var/tmp/krb5_0.rcache2
186            /var/cache/krb5rcache(/.*)?
187            /var/tmp/nfs_0
188            /var/tmp/DNS_25
189            /var/tmp/host_0
190            /var/tmp/imap_0
191            /var/tmp/HTTP_23
192            /var/tmp/HTTP_48
193            /var/tmp/ldap_55
194            /var/tmp/ldap_487
195            /var/tmp/ldapmap1_0
196
197       lastlog_t
198
199            /var/log/lastlog.*
200
201       pam_var_run_t
202
203            /var/(db|adm)/sudo(/.*)?
204            /var/lib/sudo(/.*)?
205            /var/run/sudo(/.*)?
206            /var/run/pam_ssh(/.*)?
207            /var/run/sepermit(/.*)?
208            /var/run/pam_mount(/.*)?
209            /var/run/pam_timestamp(/.*)?
210
211       rlogind_tmp_t
212
213
214       rlogind_var_run_t
215
216
217       root_t
218
219            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
220            /
221            /initrd
222
223       security_t
224
225            /selinux
226
227       user_tmp_t
228
229            /dev/shm/mono.*
230            /var/run/user(/.*)?
231            /tmp/.ICE-unix(/.*)?
232            /tmp/.X11-unix(/.*)?
233            /dev/shm/pulse-shm.*
234            /tmp/.X0-lock
235            /tmp/hsperfdata_root
236            /var/tmp/hsperfdata_root
237            /home/[^/]+/tmp
238            /home/[^/]+/.tmp
239            /tmp/gconfd-[^/]+
240
241       var_auth_t
242
243            /var/ace(/.*)?
244            /var/rsa(/.*)?
245            /var/lib/abl(/.*)?
246            /var/lib/rsa(/.*)?
247            /var/lib/pam_ssh(/.*)?
248            /var/lib/pam_shield(/.*)?
249            /var/opt/quest/vas/vasd(/.*)?
250            /var/lib/google-authenticator(/.*)?
251
252       wtmp_t
253
254            /var/log/wtmp.*
255
256

FILE CONTEXTS

258       SELinux requires files to have an extended attribute to define the file
259       type.
260
261       You can see the context of a file using the -Z option to ls
262
263       Policy governs the access  confined  processes  have  to  these  files.
264       SELinux  rlogind  policy is very flexible allowing users to setup their
265       rlogind processes in as secure a method as possible.
266
267       STANDARD FILE CONTEXT
268
269       SELinux defines the file context types for the rlogind, if  you  wanted
270       to store files with these types in a diffent paths, you need to execute
271       the semanage command to specify alternate labeling  and  then  use  re‐
272       storecon to put the labels on disk.
273
274       semanage   fcontext   -a   -t   rlogind_var_run_t  '/srv/myrlogind_con‐
275       tent(/.*)?'
276       restorecon -R -v /srv/myrlogind_content
277
278       Note: SELinux often uses regular expressions  to  specify  labels  that
279       match multiple files.
280
281       The following file types are defined for rlogind:
282
283
284
285       rlogind_exec_t
286
287       -  Set files with the rlogind_exec_t type, if you want to transition an
288       executable to the rlogind_t domain.
289
290
291       Paths:
292            /usr/lib/telnetlogin,       /usr/sbin/in.rlogind,        /usr/ker‐
293            beros/sbin/klogind
294
295
296       rlogind_home_t
297
298       -  Set files with the rlogind_home_t type, if you want to store rlogind
299       files in the users home directory.
300
301
302       Paths:
303            /root/.rhosts,         /root/.rlogin,         /home/[^/]+/.rhosts,
304            /home/[^/]+/.rlogin
305
306
307       rlogind_keytab_t
308
309       -  Set  files  with the rlogind_keytab_t type, if you want to treat the
310       files as kerberos keytab files.
311
312
313
314       rlogind_tmp_t
315
316       - Set files with the rlogind_tmp_t type, if you want to  store  rlogind
317       temporary files in the /tmp directories.
318
319
320
321       rlogind_var_run_t
322
323       -  Set  files with the rlogind_var_run_t type, if you want to store the
324       rlogind files under the /run or /var/run directory.
325
326
327
328       Note: File context can be temporarily modified with the chcon  command.
329       If  you want to permanently change the file context you need to use the
330       semanage fcontext command.  This will modify the SELinux labeling data‐
331       base.  You will need to use restorecon to apply the labels.
332
333

COMMANDS

335       semanage  fcontext  can also be used to manipulate default file context
336       mappings.
337
338       semanage permissive can also be used to manipulate  whether  or  not  a
339       process type is permissive.
340
341       semanage  module can also be used to enable/disable/install/remove pol‐
342       icy modules.
343
344       semanage port can also be used to manipulate the port definitions
345
346       semanage boolean can also be used to manipulate the booleans
347
348
349       system-config-selinux is a GUI tool available to customize SELinux pol‐
350       icy settings.
351
352

AUTHOR

354       This manual page was auto-generated using sepolicy manpage .
355
356

SEE ALSO

358       selinux(8),  rlogind(8),  semanage(8),  restorecon(8), chcon(1), sepol‐
359       icy(8), setsebool(8)
360
361
362
363rlogind                            21-11-19                 rlogind_selinux(8)
Impressum