1systemd_timedated_selinuSxE(L8i)nux Policy systemd_timedsaytsetdemd_timedated_selinux(8)
2
3
4

NAME

6       systemd_timedated_selinux - Security Enhanced Linux Policy for the sys‐
7       temd_timedated processes
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  systemd_timedated  processes  via
11       flexible mandatory access control.
12
13       The  systemd_timedated  processes  execute with the systemd_timedated_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep systemd_timedated_t
20
21
22

ENTRYPOINTS

24       The  systemd_timedated_t  SELinux  type  can  be  entered  via the sys‐
25       temd_timedated_exec_t file type.
26
27       The default entrypoint paths for the systemd_timedated_t domain are the
28       following:
29
30       /usr/lib/systemd/systemd-timedated, /usr/lib/systemd/systemd-timesyncd,
31       /usr/lib/systemd/systemd-time-wait-sync
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       systemd_timedated policy is very flexible allowing users to setup their
41       systemd_timedated processes in as secure a method as possible.
42
43       The following process types are defined for systemd_timedated:
44
45       systemd_timedated_t
46
47       Note:  semanage  permissive  -a systemd_timedated_t can be used to make
48       the process type systemd_timedated_t permissive. SELinux does not  deny
49       access  to permissive process types, but the AVC (SELinux denials) mes‐
50       sages are still generated.
51
52

BOOLEANS

54       SELinux policy is customizable based on least  access  required.   sys‐
55       temd_timedated  policy  is  extremely flexible and has several booleans
56       that allow you to manipulate the policy and run systemd_timedated  with
57       the tightest access possible.
58
59
60
61       If you want to allow all domains to execute in fips_mode, you must turn
62       on the fips_mode boolean. Enabled by default.
63
64       setsebool -P fips_mode 1
65
66
67
68       If you want to allow system to run with  NIS,  you  must  turn  on  the
69       nis_enabled boolean. Disabled by default.
70
71       setsebool -P nis_enabled 1
72
73
74

MANAGED FILES

76       The  SELinux  process type systemd_timedated_t can manage files labeled
77       with the following file types.  The paths listed are the default  paths
78       for  these  file  types.  Note the processes UID still need to have DAC
79       permissions.
80
81       adjtime_t
82
83            /etc/adjtime
84
85       cluster_conf_t
86
87            /etc/cluster(/.*)?
88
89       cluster_var_lib_t
90
91            /var/lib/pcsd(/.*)?
92            /var/lib/cluster(/.*)?
93            /var/lib/openais(/.*)?
94            /var/lib/pengine(/.*)?
95            /var/lib/corosync(/.*)?
96            /usr/lib/heartbeat(/.*)?
97            /var/lib/heartbeat(/.*)?
98            /var/lib/pacemaker(/.*)?
99
100       cluster_var_run_t
101
102            /var/run/crm(/.*)?
103            /var/run/cman_.*
104            /var/run/rsctmp(/.*)?
105            /var/run/aisexec.*
106            /var/run/heartbeat(/.*)?
107            /var/run/pcsd-ruby.socket
108            /var/run/corosync-qnetd(/.*)?
109            /var/run/corosync-qdevice(/.*)?
110            /var/run/corosync.pid
111            /var/run/cpglockd.pid
112            /var/run/rgmanager.pid
113            /var/run/cluster/rgmanager.sk
114
115       config_home_t
116
117            /root/.kde(/.*)?
118            /root/.xine(/.*)?
119            /root/.config(/.*)?
120            /root/.Xdefaults
121            /home/[^/]+/.kde(/.*)?
122            /home/[^/]+/.xine(/.*)?
123            /home/[^/]+/.config(/.*)?
124            /home/[^/]+/.cache/dconf(/.*)?
125            /home/[^/]+/.Xdefaults
126            /var/run/user/[0-9]+/dconf(/.*)?
127
128       config_usr_t
129
130            /usr/share/config(/.*)?
131
132       krb5_host_rcache_t
133
134            /var/tmp/krb5_0.rcache2
135            /var/cache/krb5rcache(/.*)?
136            /var/tmp/nfs_0
137            /var/tmp/DNS_25
138            /var/tmp/host_0
139            /var/tmp/imap_0
140            /var/tmp/HTTP_23
141            /var/tmp/HTTP_48
142            /var/tmp/ldap_55
143            /var/tmp/ldap_487
144            /var/tmp/ldapmap1_0
145
146       root_t
147
148            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
149            /
150            /initrd
151
152       systemd_passwd_var_run_t
153
154            /var/run/systemd/ask-password(/.*)?
155            /var/run/systemd/ask-password-block(/.*)?
156
157       systemd_timedated_var_lib_t
158
159            /var/lib/systemd/timesync(/.*)?
160            /var/lib/private/systemd/timesync(/.*)?
161
162       systemd_timedated_var_run_t
163
164            /var/run/systemd/timesync(/.*)?
165
166       xserver_etc_t
167
168            /etc/X11/xorg.conf.d(/.*)?
169
170

FILE CONTEXTS

172       SELinux requires files to have an extended attribute to define the file
173       type.
174
175       You can see the context of a file using the -Z option to ls
176
177       Policy  governs  the  access  confined  processes  have to these files.
178       SELinux systemd_timedated policy is very  flexible  allowing  users  to
179       setup their systemd_timedated processes in as secure a method as possi‐
180       ble.
181
182       STANDARD FILE CONTEXT
183
184       SELinux defines the file context types for  the  systemd_timedated,  if
185       you wanted to store files with these types in a diffent paths, you need
186       to execute the semanage command to specify alternate labeling and  then
187       use restorecon to put the labels on disk.
188
189       semanage   fcontext   -a  -t  systemd_timedated_var_lib_t  '/srv/mysys‐
190       temd_timedated_content(/.*)?'
191       restorecon -R -v /srv/mysystemd_timedated_content
192
193       Note: SELinux often uses regular expressions  to  specify  labels  that
194       match multiple files.
195
196       The following file types are defined for systemd_timedated:
197
198
199
200       systemd_timedated_exec_t
201
202       -  Set  files  with  the  systemd_timedated_exec_t type, if you want to
203       transition an executable to the systemd_timedated_t domain.
204
205
206       Paths:
207            /usr/lib/systemd/systemd-timedated,      /usr/lib/systemd/systemd-
208            timesyncd, /usr/lib/systemd/systemd-time-wait-sync
209
210
211       systemd_timedated_unit_file_t
212
213       - Set files with the systemd_timedated_unit_file_t type, if you want to
214       treat the files as systemd timedated unit content.
215
216
217
218       systemd_timedated_var_lib_t
219
220       - Set files with the systemd_timedated_var_lib_t type, if you  want  to
221       store the systemd timedated files under the /var/lib directory.
222
223
224       Paths:
225            /var/lib/systemd/timesync(/.*)?,             /var/lib/private/sys‐
226            temd/timesync(/.*)?
227
228
229       systemd_timedated_var_run_t
230
231       - Set files with the systemd_timedated_var_run_t type, if you  want  to
232       store the systemd timedated files under the /run or /var/run directory.
233
234
235
236       Note:  File context can be temporarily modified with the chcon command.
237       If you want to permanently change the file context you need to use  the
238       semanage fcontext command.  This will modify the SELinux labeling data‐
239       base.  You will need to use restorecon to apply the labels.
240
241

COMMANDS

243       semanage fcontext can also be used to manipulate default  file  context
244       mappings.
245
246       semanage  permissive  can  also  be used to manipulate whether or not a
247       process type is permissive.
248
249       semanage module can also be used to enable/disable/install/remove  pol‐
250       icy modules.
251
252       semanage boolean can also be used to manipulate the booleans
253
254
255       system-config-selinux is a GUI tool available to customize SELinux pol‐
256       icy settings.
257
258

AUTHOR

260       This manual page was auto-generated using sepolicy manpage .
261
262

SEE ALSO

264       selinux(8), systemd_timedated(8), semanage(8), restorecon(8), chcon(1),
265       sepolicy(8), setsebool(8)
266
267
268
269systemd_timedated                  23-02-03       systemd_timedated_selinux(8)
Impressum