mpd_selinux(8)              SELinux Policy mpd              mpd_selinux(8)

mpd_selinux - Security Enhanced Linux Policy for the mpd processes

Security-Enhanced Linux secures the mpd processes via flexible mandatory
access control.

The mpd processes execute with the mpd_t SELinux type. You can check if
you have these processes running by executing the ps command with the
-Z qualifier.

For example:

    ps -eZ | grep mpd_t

The mpd_t SELinux type can be entered via the mpd_exec_t file type.

The default entrypoint paths for the mpd_t domain are the following:

    /usr/bin/mpd

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
mpd policy is very flexible, allowing users to set up their mpd
processes in as secure a method as possible.

The following process types are defined for mpd:

    mpd_t

Note: semanage permissive -a mpd_t can be used to make the process type
mpd_t permissive. SELinux does not deny access to permissive process
types, but the AVC (SELinux denials) messages are still generated.

SELinux policy is customizable based on least access required. mpd
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run mpd with the tightest access possible.

To allow mpd to traverse user home directories, you must turn on the
mpd_enable_homedirs boolean. Disabled by default.

    setsebool -P mpd_enable_homedirs 1

To allow mpd to use cifs file systems, you must turn on the
mpd_use_cifs boolean. Disabled by default.

    setsebool -P mpd_use_cifs 1

To allow mpd to use nfs file systems, you must turn on the mpd_use_nfs
boolean. Disabled by default.

    setsebool -P mpd_use_nfs 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

    setsebool -P fips_mode 1
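
A least-privilege check for the three mpd booleans above, as an added example that is not part of the generated man page: it reads `getsebool -a` style lines and reports any boolean that differs from the defaults stated here. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the man page): report mpd booleans that differ
# from the defaults documented above. Input is `getsebool -a` style text,
# one "name --> on|off" line per boolean, read from stdin.

audit_mpd_booleans() {
    awk '
        BEGIN {
            # Defaults as stated on this page: all three are off.
            want["mpd_enable_homedirs"] = "off"
            want["mpd_use_cifs"]        = "off"
            want["mpd_use_nfs"]         = "off"
        }
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            if ($3 != want[$1])
                printf "DRIFT %s is %s (documented default %s)\n", $1, $3, want[$1]
        }
        END {
            # A boolean absent from the input cannot be assessed; it may
            # mean the mpd policy module is not loaded on this host.
            for (b in want)
                if (!(b in seen))
                    printf "MISSING %s\n", b
        }
    ' | sort
}

# Constructed sample input (hypothetical host with NFS access switched on
# and mpd_use_cifs not reported).
sample_getsebool() {
    cat <<'EOF'
fips_mode --> on
mpd_enable_homedirs --> off
mpd_use_nfs --> on
EOF
}

sample_getsebool | audit_mpd_booleans
```

On a live system, pipe `getsebool -a` into `audit_mpd_booleans` instead of the sample.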

SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following
command:

    semanage port -l

Policy governs the access confined processes have to these ports.
SELinux mpd policy is very flexible, allowing users to set up their mpd
processes in as secure a method as possible.

The following port types are defined for mpd:

    mpd_port_t

    Default Defined Ports:
        tcp 6600

The SELinux process type mpd_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process UID still needs to have DAC
permissions.

    cifs_t

    cluster_conf_t

        /etc/cluster(/.*)?

    cluster_var_lib_t

        /var/lib/pcsd(/.*)?
        /var/lib/cluster(/.*)?
        /var/lib/openais(/.*)?
        /var/lib/pengine(/.*)?
        /var/lib/corosync(/.*)?
        /usr/lib/heartbeat(/.*)?
        /var/lib/heartbeat(/.*)?
        /var/lib/pacemaker(/.*)?

    cluster_var_run_t

        /var/run/crm(/.*)?
        /var/run/cman_.*
        /var/run/rsctmp(/.*)?
        /var/run/aisexec.*
        /var/run/heartbeat(/.*)?
        /var/run/pcsd-ruby.socket
        /var/run/corosync-qnetd(/.*)?
        /var/run/corosync-qdevice(/.*)?
        /var/run/corosync.pid
        /var/run/cpglockd.pid
        /var/run/rgmanager.pid
        /var/run/cluster/rgmanager.sk

    krb5_host_rcache_t

        /var/tmp/krb5_0.rcache2
        /var/cache/krb5rcache(/.*)?
        /var/tmp/nfs_0
        /var/tmp/DNS_25
        /var/tmp/host_0
        /var/tmp/imap_0
        /var/tmp/HTTP_23
        /var/tmp/HTTP_48
        /var/tmp/ldap_55
        /var/tmp/ldap_487
        /var/tmp/ldapmap1_0

    mpd_data_t

        /var/lib/mpd/music(/.*)?
        /var/lib/mpd/playlists(/.*)?

    mpd_home_t

        /home/[^/]+/.mpd(/.*)?

    mpd_tmp_t

    mpd_tmpfs_t

    mpd_var_lib_t

        /var/lib/mpd(/.*)?

    mpd_var_run_t

        /var/run/mpd(/.*)?

    nfs_t

    root_t

        /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
        /
        /initrd

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux mpd policy is very flexible, allowing users to set up their mpd
processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

mpd policy stores data with multiple different file context types under
the /var/lib/mpd directory. If you would like to store the data in a
different directory, you can use the semanage command to create an
equivalence mapping. If you wanted to store this data under the /srv
directory, you would execute the following commands:

    semanage fcontext -a -e /var/lib/mpd /srv/mpd
    restorecon -R -v /srv/mpd

STANDARD FILE CONTEXT

SELinux defines the file context types for mpd. If you want to store
files with these types in different paths, you need to execute the
semanage command to specify alternate labeling and then use restorecon
to put the labels on disk.

    semanage fcontext -a -t mpd_var_run_t '/srv/mympd_content(/.*)?'
    restorecon -R -v /srv/mympd_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.
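
How the equivalence mapping and the regular-expression rules above combine, as an added example that is not part of the generated man page: the path is first rewritten through the equivalence, then matched against the mpd patterns, so /srv/mpd keeps the split between mpd_data_t and mpd_var_lib_t. This is a simplified model; the "longest pattern wins" rule and the names `MPD_SPECS` and `expected_type` are assumptions made for the example, and real lookups are performed by libselinux.

```shell
#!/bin/sh
# Added example (not from the man page). Simplified model of label lookup:
# 1) rewrite the path through an equivalence mapping, 2) match it against
# mpd patterns listed on this page, 3) let the longest pattern win.
# Step 3 is an assumption of this example, not libselinux's exact ordering.

# Patterns and types copied from the page, one "regex type" pair per line.
MPD_SPECS='/var/lib/mpd(/.*)? mpd_var_lib_t
/var/lib/mpd/music(/.*)? mpd_data_t
/var/lib/mpd/playlists(/.*)? mpd_data_t
/var/run/mpd(/.*)? mpd_var_run_t'

# expected_type PATH [ALIAS ORIGINAL]
# ALIAS and ORIGINAL mirror `semanage fcontext -a -e ORIGINAL ALIAS`.
expected_type() {
    printf '%s\n' "$MPD_SPECS" |
    awk -v p="$1" -v al="${2:-}" -v orig="${3:-}" '
        BEGIN {
            # Equivalence: treat ALIAS/... as if it were ORIGINAL/...
            # Only whole path components count, so /srv/mpdx is untouched.
            if (al != "" && (p == al || index(p, al "/") == 1))
                p = orig substr(p, length(al) + 1)
        }
        # File-context patterns are anchored at both ends.
        p ~ ("^" $1 "$") && length($1) > best { best = length($1); t = $2 }
        END { print (t == "" ? "no-mpd-rule" : t) }
    '
}

# With the mapping from the page, content and state keep distinct types.
expected_type /srv/mpd/music/a.flac /srv/mpd /var/lib/mpd
expected_type /srv/mpd/state        /srv/mpd /var/lib/mpd
# Without the mapping, no mpd rule covers the new location.
expected_type /srv/mpd/music/a.flac
```

On a host with the mapping installed, `matchpathcon /srv/mpd/music` shows the label the loaded policy actually assigns.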

The following file types are defined for mpd:

mpd_data_t

- Set files with the mpd_data_t type, if you want to treat the files as
  mpd content.

  Paths:
      /var/lib/mpd/music(/.*)?, /var/lib/mpd/playlists(/.*)?

mpd_etc_t

- Set files with the mpd_etc_t type, if you want to store mpd files in
  the /etc directories.

mpd_exec_t

- Set files with the mpd_exec_t type, if you want to transition an
  executable to the mpd_t domain.

mpd_home_t

- Set files with the mpd_home_t type, if you want to store mpd files in
  the user's home directory.

mpd_initrc_exec_t

- Set files with the mpd_initrc_exec_t type, if you want to transition
  an executable to the mpd_initrc_t domain.

mpd_log_t

- Set files with the mpd_log_t type, if you want to treat the data as
  mpd log data, usually stored under the /var/log directory.

mpd_tmp_t

- Set files with the mpd_tmp_t type, if you want to store mpd temporary
  files in the /tmp directories.

mpd_tmpfs_t

- Set files with the mpd_tmpfs_t type, if you want to store mpd files
  on a tmpfs file system.

mpd_user_data_t

- Set files with the mpd_user_data_t type, if you want to treat the
  files as mpd user content.

mpd_var_lib_t

- Set files with the mpd_var_lib_t type, if you want to store the mpd
  files under the /var/lib directory.

mpd_var_run_t

- Set files with the mpd_var_run_t type, if you want to store the mpd
  files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context, you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

This manual page was auto-generated using sepolicy manpage.

selinux(8), mpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8)

mpd                            23-02-03                     mpd_selinux(8)