1rpcd_selinux(8) SELinux Policy rpcd rpcd_selinux(8)
2
6 rpcd_selinux - Security Enhanced Linux Policy for the rpcd processes
7
9 Security-Enhanced Linux secures the rpcd processes via flexible manda‐
10 tory access control.
11 The rpcd processes execute with the rpcd_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep rpcd_t
19
23 The rpcd_t SELinux type can be entered via the rpcd_exec_t file type.
24 The default entrypoint paths for the rpcd_t domain are the following:
26 /sbin/rpc..*, /usr/sbin/rpc..*, /sbin/sm-notify, /usr/sbin/nfsdcld,
28 /usr/sbin/sm-notify, /usr/sbin/rpc.idmapd, /usr/sbin/rpc.rquotad
29
31 SELinux defines process types (domains) for each process running on the
32 system
33 You can see the context of a process using the -Z option to ps
35 Policy governs the access confined processes have to files. SELinux
37 rpcd policy is very flexible allowing users to setup their rpcd pro‐
38 cesses in as secure a method as possible.
39 The following process types are defined for rpcd:
41 rpcd_t
43 Note: semanage permissive -a rpcd_t can be used to make the process
45 type rpcd_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
51 SELinux policy is customizable based on least access required. rpcd
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run rpcd with the tightest access possible.
54 If you want to allow rpcd_t to manage fuse files, you must turn on the
58 rpcd_use_fusefs boolean. Disabled by default.
59 setsebool -P rpcd_use_fusefs 1
61 If you want to allow all domains to execute in fips_mode, you must turn
65 on the fips_mode boolean. Enabled by default.
66 setsebool -P fips_mode 1
68
72 The SELinux process type rpcd_t can manage files labeled with the fol‐
73 lowing file types. The paths listed are the default paths for these
74 file types. Note the processes UID still need to have DAC permissions.
75 cluster_conf_t
77 /etc/cluster(/.*)?
79 cluster_tmp_t
81 cluster_var_lib_t
84 /var/lib/pcsd(/.*)?
86 /var/lib/cluster(/.*)?
87 /var/lib/openais(/.*)?
88 /var/lib/pengine(/.*)?
89 /var/lib/corosync(/.*)?
90 /usr/lib/heartbeat(/.*)?
91 /var/lib/heartbeat(/.*)?
92 /var/lib/pacemaker(/.*)?
93 cluster_var_run_t
95 /var/run/crm(/.*)?
97 /var/run/cman_.*
98 /var/run/rsctmp(/.*)?
99 /var/run/aisexec.*
100 /var/run/heartbeat(/.*)?
101 /var/run/pcsd-ruby.socket
102 /var/run/corosync-qnetd(/.*)?
103 /var/run/corosync-qdevice(/.*)?
104 /var/run/corosync.pid
105 /var/run/cpglockd.pid
106 /var/run/rgmanager.pid
107 /var/run/cluster/rgmanager.sk
108 fusefs_t
110 /var/run/user/[^/]*/gvfs
112 krb5_host_rcache_t
114 /var/tmp/krb5_0.rcache2
116 /var/cache/krb5rcache(/.*)?
117 /var/tmp/nfs_0
118 /var/tmp/DNS_25
119 /var/tmp/host_0
120 /var/tmp/imap_0
121 /var/tmp/HTTP_23
122 /var/tmp/HTTP_48
123 /var/tmp/ldap_55
124 /var/tmp/ldap_487
125 /var/tmp/ldapmap1_0
126 quota_db_t
128 /a?quota.(user|group)
130 /etc/a?quota.(user|group)
131 /var/a?quota.(user|group)
132 /boot/a?quota.(user|group)
133 /var/spool/(.*/)?a?quota.(user|group)
134 /var/spool/cron/a?quota.(user|group)
135 /var/lib/openshift/a?quota.(user|group)
136 /var/lib/stickshift/a?quota.(user|group)
137 /home/[^/]+/a?quota.(user|group)
138 /home/a?quota.(user|group)
139 root_t
141 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
143 /
144 /initrd
145 rpcd_lock_t
147 /var/run/rpc.statd.lock
149 rpcd_var_run_t
151 /var/run/sm-notify.*
153 /var/run/rpc.statd(/.*)?
154 /var/run/rpc.statd.pid
155 var_lib_nfs_t
157 /var/lib/nfs(/.*)?
159 var_lib_t
161 /opt/(.*/)?var/lib(/.*)?
163 /var/lib(/.*)?
164
167 SELinux requires files to have an extended attribute to define the file
168 type.
169 You can see the context of a file using the -Z option to ls
171 Policy governs the access confined processes have to these files.
173 SELinux rpcd policy is very flexible allowing users to setup their rpcd
174 processes in as secure a method as possible.
175 EQUIVALENCE DIRECTORIES
177 rpcd policy stores data with multiple different file context types un‐
180 der the /var/run/rpc.statd directory. If you would like to store the
181 data in a different directory you can use the semanage command to cre‐
182 ate an equivalence mapping. If you wanted to store this data under the
183 /srv directory you would execute the following command:
184 semanage fcontext -a -e /var/run/rpc.statd /srv/rpc.statd
186 restorecon -R -v /srv/rpc.statd
187 STANDARD FILE CONTEXT
189 SELinux defines the file context types for the rpcd, if you wanted to
191 store files with these types in a diffent paths, you need to execute
192 the semanage command to specify alternate labeling and then use re‐
193 storecon to put the labels on disk.
194 semanage fcontext -a -t rpcd_unit_file_t '/srv/myrpcd_content(/.*)?'
196 restorecon -R -v /srv/myrpcd_content
197 Note: SELinux often uses regular expressions to specify labels that
199 match multiple files.
200 The following file types are defined for rpcd:
202 rpcd_exec_t
206 - Set files with the rpcd_exec_t type, if you want to transition an ex‐
208 ecutable to the rpcd_t domain.
209 Paths:
212 /sbin/rpc..*, /usr/sbin/rpc..*, /sbin/sm-notify, /usr/sbin/nfsd‐
213 cld, /usr/sbin/sm-notify, /usr/sbin/rpc.idmapd,
214 /usr/sbin/rpc.rquotad
215 rpcd_initrc_exec_t
218 - Set files with the rpcd_initrc_exec_t type, if you want to transition
220 an executable to the rpcd_initrc_t domain.
221 Paths:
224 /etc/rc.d/init.d/nfslock, /etc/rc.d/init.d/rpcidmapd
225 rpcd_lock_t
228 - Set files with the rpcd_lock_t type, if you want to treat the files
230 as rpcd lock data, stored under the /var/lock directory
231 rpcd_unit_file_t
235 - Set files with the rpcd_unit_file_t type, if you want to treat the
237 files as rpcd unit content.
238 rpcd_var_run_t
242 - Set files with the rpcd_var_run_t type, if you want to store the rpcd
244 files under the /run or /var/run directory.
245 Paths:
248 /var/run/sm-notify.*, /var/run/rpc.statd(/.*)?,
249 /var/run/rpc.statd.pid
250 Note: File context can be temporarily modified with the chcon command.
253 If you want to permanently change the file context you need to use the
254 semanage fcontext command. This will modify the SELinux labeling data‐
255 base. You will need to use restorecon to apply the labels.
256
259 semanage fcontext can also be used to manipulate default file context
260 mappings.
261 semanage permissive can also be used to manipulate whether or not a
263 process type is permissive.
264 semanage module can also be used to enable/disable/install/remove pol‐
266 icy modules.
267 semanage boolean can also be used to manipulate the booleans
269 system-config-selinux is a GUI tool available to customize SELinux pol‐
272 icy settings.
273
276 This manual page was auto-generated using sepolicy manpage .
277
280 selinux(8), rpcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
281 setsebool(8)
282rpcd 21-11-19 rpcd_selinux(8)