radiusd_selinux(8) SELinux Policy radiusd radiusd_selinux(8)

NAME

radiusd_selinux - Security Enhanced Linux Policy for the radiusd processes

DESCRIPTION

Security-Enhanced Linux secures the radiusd processes via flexible
mandatory access control.

The radiusd processes execute with the radiusd_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.

For example:

ps -eZ | grep radiusd_t

ENTRYPOINTS

The radiusd_t SELinux type can be entered via the radiusd_exec_t file
type.

The default entrypoint paths for the radiusd_t domain are the following:

/etc/cron.(daily|monthly)/radiusd,
/etc/cron.((daily)|(weekly)|(monthly))/freeradius, /usr/sbin/radiusd,
/usr/sbin/freeradius

PROCESS TYPES

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
radiusd policy is very flexible, allowing users to set up their radiusd
processes in as secure a manner as possible.

The following process types are defined for radiusd:

radiusd_t

Note: semanage permissive -a radiusd_t can be used to make the process
type radiusd_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.

BOOLEANS

SELinux policy is customizable based on least access required. radiusd
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run radiusd with the tightest access possible.

If you want to determine whether radius can use JIT compiler, you must
turn on the radius_use_jit boolean. Disabled by default.

setsebool -P radius_use_jit 1

If you want to deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

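The documented defaults above give a defender a baseline to audit against. The following POSIX shell script is an added example and is not part of this generated manual page: it parses text in the "name --> on|off" shape that getsebool -a prints (a constructed sample is embedded so it runs offline) and prints the setsebool -P command for every boolean that has drifted from its documented default. Note that deny_ptrace and fips_mode are system-wide booleans, so changing them affects every confined domain, not only radiusd_t.

```sh
#!/bin/sh
# Added example: audit the booleans named on this page against their
# documented defaults. Input is text in the "name --> on|off" shape that
# `getsebool -a` prints; the sample below is constructed, not captured.

# Baseline: boolean name and the default stated in this manual page.
RADIUSD_BOOLEAN_DEFAULTS='
radius_use_jit off
deny_ptrace on
fips_mode on
kerberos_enabled on
'

# bool_state TEXT NAME: print the state of NAME found in TEXT and succeed,
# or print nothing and fail when NAME does not appear.
bool_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { exit !found }'
}

# audit_booleans TEXT: print one "setsebool -P NAME STATE" line for each
# baseline boolean whose state in TEXT differs from the documented default.
# Booleans absent from TEXT are reported on stderr and skipped.
audit_booleans() {
    while read -r name want; do
        [ -n "$name" ] || continue
        have=$(bool_state "$1" "$name") || {
            echo "audit_booleans: $name not present in input" >&2
            continue
        }
        [ "$have" = "$want" ] || printf 'setsebool -P %s %s\n' "$name" "$want"
    done <<EOF
$RADIUSD_BOOLEAN_DEFAULTS
EOF
}

# Constructed sample of getsebool -a output: relative to the defaults,
# the JIT boolean has been turned on and ptrace denial switched off.
SAMPLE_GETSEBOOL='radius_use_jit --> on
deny_ptrace --> off
fips_mode --> on
kerberos_enabled --> on'

# Prints the two remediation commands for the sample.
audit_booleans "$SAMPLE_GETSEBOOL"
```

On a live system feed it the real output, for example audit_booleans "$(getsebool -a)", and review each printed line before running it; the baseline encodes the page's defaults, so replace it with the values your own hardening standard expects where they differ.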
PORT TYPES

SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following
command:

semanage port -l

Policy governs the access confined processes have to these ports.
SELinux radiusd policy is very flexible, allowing users to set up their
radiusd processes in as secure a manner as possible.

The following port types are defined for radiusd:

radius_port_t

Default Defined Ports:
tcp 1645,1812,18120-18121
udp 1645,1812,18120-18121

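Binding a port outside radius_port_t is a common source of AVC denials when radiusd is reconfigured to listen elsewhere. The script below is an added example, not part of this manual page: it encodes the default port list above (a constructed copy; on a live system take it from semanage port -l), checks whether a given port and protocol are covered, and prints the semanage port -a command that would label an uncovered port with radius_port_t. The option syntax is that of semanage-port(8); nothing here touches the live policy. Port 18122 is used only to illustrate a port just outside the documented range.

```sh
#!/bin/sh
# Added example: check whether a port is covered by radius_port_t before
# pointing radiusd at it. The port lists are a constructed copy of the
# "Default Defined Ports" entry on this page; on a live system take them
# from `semanage port -l`.
RADIUS_PORT_T_TCP='1645,1812,18120-18121'
RADIUS_PORT_T_UDP='1645,1812,18120-18121'

# port_labeled PROTO PORT: succeed if PORT/PROTO lies in one of the
# radius_port_t ranges ("lo-hi" or a single number), fail otherwise.
port_labeled() {
    proto=$1
    port=$2
    case $proto in
        tcp) ranges=$RADIUS_PORT_T_TCP ;;
        udp) ranges=$RADIUS_PORT_T_UDP ;;
        *)   echo "port_labeled: unknown protocol '$proto'" >&2; return 2 ;;
    esac
    # Walk the comma-separated list; IFS is restored before the loop body
    # runs so the range arithmetic is unaffected.
    saved_ifs=$IFS
    IFS=,
    for item in $ranges; do
        IFS=$saved_ifs
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    IFS=$saved_ifs
    return 1
}

# required_port_change PROTO PORT: print the semanage command that would
# label PORT/PROTO as radius_port_t, or nothing if it is already covered.
# A radiusd_t process binding an uncovered port is denied by policy, and
# the denial is logged as an AVC message naming that port.
required_port_change() {
    if port_labeled "$1" "$2"; then
        return 0
    fi
    printf 'semanage port -a -t radius_port_t -p %s %s\n' "$1" "$2"
}

# Example: the documented authentication port needs nothing; a port just
# outside the 18120-18121 range (chosen for illustration) would need
# labelling before radiusd could bind it.
required_port_change udp 1812
required_port_change udp 18122
```

If the port already carries a different type, semanage port -a refuses it and semanage port -m must be used to modify the existing entry instead; in either case re-check with semanage port -l before restarting radiusd.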
MANAGED FILES

The SELinux process type radiusd_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

radiusd_etc_rw_t

/etc/raddb/db.daily

radiusd_log_t

/var/log/radius(/.*)?
/var/log/radutmp.*
/var/log/radwtmp.*
/var/log/radacct(/.*)?
/var/log/radius.log.*
/var/log/freeradius(/.*)?
/var/log/radiusd-freeradius(/.*)?

radiusd_var_lib_t

/var/lib/radiusd(/.*)?

radiusd_var_run_t

/var/run/radiusd(/.*)?
/var/run/radiusd.pid

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t

/selinux

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux radiusd policy is very flexible, allowing users to set up their
radiusd processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES

radiusd policy stores data with multiple different file context types
under the /var/log/radius directory. If you would like to store the
data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following command:

semanage fcontext -a -e /var/log/radius /srv/radius
restorecon -R -v /srv/radius

radiusd policy stores data with multiple different file context types
under the /var/run/radiusd directory. If you would like to store the
data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/radiusd /srv/radiusd
restorecon -R -v /srv/radiusd

STANDARD FILE CONTEXT

SELinux defines the file context types for radiusd. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t radiusd_unit_file_t '/srv/myradiusd_content(/.*)?'
restorecon -R -v /srv/myradiusd_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for radiusd:

radiusd_etc_rw_t

- Set files with the radiusd_etc_rw_t type, if you want to treat the
files as radiusd etc read/write content.

radiusd_etc_t

- Set files with the radiusd_etc_t type, if you want to store radiusd
files in the /etc directories.

radiusd_exec_t

- Set files with the radiusd_exec_t type, if you want to transition an
executable to the radiusd_t domain.

Paths:
/etc/cron.(daily|monthly)/radiusd,
/etc/cron.((daily)|(weekly)|(monthly))/freeradius, /usr/sbin/radiusd,
/usr/sbin/freeradius

radiusd_initrc_exec_t

- Set files with the radiusd_initrc_exec_t type, if you want to
transition an executable to the radiusd_initrc_t domain.

radiusd_log_t

- Set files with the radiusd_log_t type, if you want to treat the data
as radiusd log data, usually stored under the /var/log directory.

Paths:
/var/log/radius(/.*)?, /var/log/radutmp.*, /var/log/radwtmp.*,
/var/log/radacct(/.*)?, /var/log/radius.log.*, /var/log/freeradius(/.*)?,
/var/log/radiusd-freeradius(/.*)?

radiusd_unit_file_t

- Set files with the radiusd_unit_file_t type, if you want to treat the
files as radiusd unit content.

radiusd_var_lib_t

- Set files with the radiusd_var_lib_t type, if you want to store the
radiusd files under the /var/lib directory.

radiusd_var_run_t

- Set files with the radiusd_var_run_t type, if you want to store the
radiusd files under the /run or /var/run directory.

Paths:
/var/run/radiusd(/.*)?, /var/run/radiusd.pid

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

COMMANDS

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove policy
modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), radiusd(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)

radiusd 22-05-27 radiusd_selinux(8)