1tmpreaper_selinux(8) SELinux Policy tmpreaper tmpreaper_selinux(8)
2
3
4
6 tmpreaper_selinux - Security Enhanced Linux Policy for the tmpreaper
7 processes
8
10 Security-Enhanced Linux secures the tmpreaper processes via flexible
11 mandatory access control.
12
13 The tmpreaper processes execute with the tmpreaper_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep tmpreaper_t
20
21
22
24 The tmpreaper_t SELinux type can be entered via the tmpreaper_exec_t
25 file type.
26
27 The default entrypoint paths for the tmpreaper_t domain are the follow‐
28 ing:
29
30 /usr/sbin/tmpwatch, /usr/sbin/tmpreaper, /etc/rc.d/init.d/mountall-
31 bootclean.sh, /etc/rc.d/init.d/mountnfs-bootclean.sh
32
34 SELinux defines process types (domains) for each process running on the
35 system
36
37 You can see the context of a process using the -Z option to ps
38
39 Policy governs the access confined processes have to files. SELinux
40 tmpreaper policy is very flexible allowing users to setup their tm‐
41 preaper processes in as secure a method as possible.
42
43 The following process types are defined for tmpreaper:
44
45 tmpreaper_t
46
47 Note: semanage permissive -a tmpreaper_t can be used to make the
48 process type tmpreaper_t permissive. SELinux does not deny access to
49 permissive process types, but the AVC (SELinux denials) messages are
50 still generated.
51
52
54 SELinux policy is customizable based on least access required. tm‐
55 preaper policy is extremely flexible and has several booleans that al‐
56 low you to manipulate the policy and run tmpreaper with the tightest
57 access possible.
58
59
60
61 If you want to allow all domains to execute in fips_mode, you must turn
62 on the fips_mode boolean. Enabled by default.
63
64 setsebool -P fips_mode 1
65
66
67
68 If you want to allow system to run with NIS, you must turn on the
69 nis_enabled boolean. Disabled by default.
70
71 setsebool -P nis_enabled 1
72
73
74
76 The SELinux process type tmpreaper_t can manage files labeled with the
77 following file types. The paths listed are the default paths for these
78 file types. Note the processes UID still need to have DAC permissions.
79
80 antivirus_db_t
81
82 /var/amavis(/.*)?
83 /var/clamav(/.*)?
84 /var/lib/clamd.*
85 /var/lib/amavis(/.*)?
86 /var/lib/clamav(/.*)?
87 /var/virusmails(/.*)?
88 /var/opt/f-secure(/.*)?
89 /var/spool/amavisd(/.*)?
90 /var/lib/clamav-unofficial-sigs(/.*)?
91
92 kismet_log_t
93
94 /var/log/kismet(/.*)?
95
96 krb5_host_rcache_t
97
98 /var/tmp/krb5_0.rcache2
99 /var/cache/krb5rcache(/.*)?
100 /var/tmp/nfs_0
101 /var/tmp/DNS_25
102 /var/tmp/host_0
103 /var/tmp/imap_0
104 /var/tmp/HTTP_23
105 /var/tmp/HTTP_48
106 /var/tmp/ldap_55
107 /var/tmp/ldap_487
108 /var/tmp/ldapmap1_0
109
110 ntpd_log_t
111
112 /var/log/ntp.*
113 /var/log/xntpd.*
114 /var/log/ntpstats(/.*)?
115
116 print_spool_t
117
118 /var/spool/lpd(/.*)?
119 /var/spool/cups(/.*)?
120 /var/spool/cups-pdf(/.*)?
121
122 rpm_var_cache_t
123
124 /var/cache/dnf(/.*)?
125 /var/cache/yum(/.*)?
126 /var/spool/up2date(/.*)?
127 /var/cache/PackageKit(/.*)?
128
129
131 SELinux requires files to have an extended attribute to define the file
132 type.
133
134 You can see the context of a file using the -Z option to ls
135
136 Policy governs the access confined processes have to these files.
137 SELinux tmpreaper policy is very flexible allowing users to setup their
138 tmpreaper processes in as secure a method as possible.
139
140 The following file types are defined for tmpreaper:
141
142
143
144 tmpreaper_exec_t
145
146 - Set files with the tmpreaper_exec_t type, if you want to transition
147 an executable to the tmpreaper_t domain.
148
149
150 Paths:
151 /usr/sbin/tmpwatch, /usr/sbin/tmpreaper, /etc/rc.d/init.d/moun‐
152 tall-bootclean.sh, /etc/rc.d/init.d/mountnfs-bootclean.sh
153
154
155 Note: File context can be temporarily modified with the chcon command.
156 If you want to permanently change the file context you need to use the
157 semanage fcontext command. This will modify the SELinux labeling data‐
158 base. You will need to use restorecon to apply the labels.
159
160
162 semanage fcontext can also be used to manipulate default file context
163 mappings.
164
165 semanage permissive can also be used to manipulate whether or not a
166 process type is permissive.
167
168 semanage module can also be used to enable/disable/install/remove pol‐
169 icy modules.
170
171 semanage boolean can also be used to manipulate the booleans
172
173
174 system-config-selinux is a GUI tool available to customize SELinux pol‐
175 icy settings.
176
177
179 This manual page was auto-generated using sepolicy manpage .
180
181
183 selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1), sepol‐
184 icy(8), setsebool(8)
185
186
187
188tmpreaper 23-02-03 tmpreaper_selinux(8)