1krb5kdc_selinux(8)          SELinux Policy krb5kdc          krb5kdc_selinux(8)
2
3
4

NAME

6       krb5kdc_selinux  -  Security Enhanced Linux Policy for the krb5kdc pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  krb5kdc  processes  via  flexible
11       mandatory access control.
12
13       The  krb5kdc processes execute with the krb5kdc_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep krb5kdc_t
20
21
22

ENTRYPOINTS

24       The  krb5kdc_t  SELinux type can be entered via the krb5kdc_exec_t file
25       type.
26
27       The default entrypoint paths for the krb5kdc_t domain are  the  follow‐
28       ing:
29
30       /usr/(kerberos/)?sbin/krb5kdc
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       krb5kdc  policy  is very flexible allowing users to setup their krb5kdc
40       processes in as secure a method as possible.
41
42       The following process types are defined for krb5kdc:
43
44       krb5kdc_t
45
46       Note: semanage permissive -a krb5kdc_t can be used to make the  process
47       type  krb5kdc_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  krb5kdc
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run krb5kdc with the tightest access possi‐
56       ble.
57
58
59
60       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
61       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
62       Enabled by default.
63
64       setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to  allow  system  to run with NIS, you must turn on the
76       nis_enabled boolean. Disabled by default.
77
78       setsebool -P nis_enabled 1
79
80
81

MANAGED FILES

83       The SELinux process type krb5kdc_t can manage files  labeled  with  the
84       following file types.  The paths listed are the default paths for these
85       file types.  Note the processes UID still need to have DAC permissions.
86
87       cluster_conf_t
88
89            /etc/cluster(/.*)?
90
91       cluster_var_lib_t
92
93            /var/lib/pcsd(/.*)?
94            /var/lib/cluster(/.*)?
95            /var/lib/openais(/.*)?
96            /var/lib/pengine(/.*)?
97            /var/lib/corosync(/.*)?
98            /usr/lib/heartbeat(/.*)?
99            /var/lib/heartbeat(/.*)?
100            /var/lib/pacemaker(/.*)?
101
102       cluster_var_run_t
103
104            /var/run/crm(/.*)?
105            /var/run/cman_.*
106            /var/run/rsctmp(/.*)?
107            /var/run/aisexec.*
108            /var/run/heartbeat(/.*)?
109            /var/run/pcsd-ruby.socket
110            /var/run/corosync-qnetd(/.*)?
111            /var/run/corosync-qdevice(/.*)?
112            /var/run/corosync.pid
113            /var/run/cpglockd.pid
114            /var/run/rgmanager.pid
115            /var/run/cluster/rgmanager.sk
116
117       krb5_host_rcache_t
118
119            /var/tmp/krb5_0.rcache2
120            /var/cache/krb5rcache(/.*)?
121            /var/tmp/nfs_0
122            /var/tmp/DNS_25
123            /var/tmp/host_0
124            /var/tmp/imap_0
125            /var/tmp/HTTP_23
126            /var/tmp/HTTP_48
127            /var/tmp/ldap_55
128            /var/tmp/ldap_487
129            /var/tmp/ldapmap1_0
130
131       krb5kdc_lock_t
132
133            /var/kerberos/krb5kdc/principal.*.ok
134            /var/kerberos/krb5kdc/from_master.*
135
136       krb5kdc_log_t
137
138            /var/log/krb5kdc.log.*
139
140       krb5kdc_principal_t
141
142            /etc/krb5kdc/principal.*
143            /usr/var/krb5kdc/principal.*
144            /var/kerberos/krb5kdc/principal.*
145
146       krb5kdc_tmp_t
147
148
149       krb5kdc_var_lib_t
150
151            /var/lib/kdcproxy(/.*)?
152
153       krb5kdc_var_run_t
154
155            /var/run/krb5kdc(/.*)?
156
157       root_t
158
159            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
160            /
161            /initrd
162
163       security_t
164
165            /selinux
166
167

FILE CONTEXTS

169       SELinux requires files to have an extended attribute to define the file
170       type.
171
172       You can see the context of a file using the -Z option to ls
173
174       Policy  governs  the  access  confined  processes  have to these files.
175       SELinux krb5kdc policy is very flexible allowing users to  setup  their
176       krb5kdc processes in as secure a method as possible.
177
178       EQUIVALENCE DIRECTORIES
179
180
181       krb5kdc  policy  stores data with multiple different file context types
182       under the /var/kerberos/krb5kdc directory.  If you would like to  store
183       the  data  in a different directory you can use the semanage command to
184       create an equivalence mapping.  If you wanted to store this data  under
185       the /srv directory you would execute the following command:
186
187       semanage fcontext -a -e /var/kerberos/krb5kdc /srv/krb5kdc
188       restorecon -R -v /srv/krb5kdc
189
190       STANDARD FILE CONTEXT
191
192       SELinux  defines  the file context types for the krb5kdc, if you wanted
193       to store files with these types in a different paths, you need to  exe‐
194       cute  the  semanage  command to specify alternate labeling and then use
195       restorecon to put the labels on disk.
196
197       semanage fcontext -a -t krb5kdc_conf_t '/srv/krb5kdc/content(/.*)?'
198       restorecon -R -v /srv/mykrb5kdc_content
199
200       Note: SELinux often uses regular expressions  to  specify  labels  that
201       match multiple files.
202
203       The following file types are defined for krb5kdc:
204
205
206
207       krb5kdc_conf_t
208
209       -  Set  files  with  the  krb5kdc_conf_t type, if you want to treat the
210       files as krb5kdc configuration data, usually stored under the /etc  di‐
211       rectory.
212
213
214       Paths:
215            /etc/krb5kdc(/.*)?,        /usr/var/krb5kdc(/.*)?,       /var/ker‐
216            beros/krb5kdc(/.*)?
217
218
219       krb5kdc_exec_t
220
221       - Set files with the krb5kdc_exec_t type, if you want to transition  an
222       executable to the krb5kdc_t domain.
223
224
225
226       krb5kdc_lock_t
227
228       -  Set  files  with  the  krb5kdc_lock_t type, if you want to treat the
229       files as krb5kdc lock data, stored under the /var/lock directory
230
231
232       Paths:
233            /var/kerberos/krb5kdc/principal.*.ok,                    /var/ker‐
234            beros/krb5kdc/from_master.*
235
236
237       krb5kdc_log_t
238
239       -  Set files with the krb5kdc_log_t type, if you want to treat the data
240       as krb5kdc log data, usually stored under the /var/log directory.
241
242
243
244       krb5kdc_principal_t
245
246       - Set files with the krb5kdc_principal_t type, if you want to treat the
247       files as krb5kdc principal data.
248
249
250       Paths:
251            /etc/krb5kdc/principal.*,  /usr/var/krb5kdc/principal.*, /var/ker‐
252            beros/krb5kdc/principal.*
253
254
255       krb5kdc_tmp_t
256
257       - Set files with the krb5kdc_tmp_t type, if you want to  store  krb5kdc
258       temporary files in the /tmp directories.
259
260
261
262       krb5kdc_var_lib_t
263
264       -  Set  files with the krb5kdc_var_lib_t type, if you want to store the
265       krb5kdc files under the /var/lib directory.
266
267
268
269       krb5kdc_var_run_t
270
271       - Set files with the krb5kdc_var_run_t type, if you want to  store  the
272       krb5kdc files under the /run or /var/run directory.
273
274
275
276       Note:  File context can be temporarily modified with the chcon command.
277       If you want to permanently change the file context you need to use  the
278       semanage fcontext command.  This will modify the SELinux labeling data‐
279       base.  You will need to use restorecon to apply the labels.
280
281

COMMANDS

283       semanage fcontext can also be used to manipulate default  file  context
284       mappings.
285
286       semanage  permissive  can  also  be used to manipulate whether or not a
287       process type is permissive.
288
289       semanage module can also be used to enable/disable/install/remove  pol‐
290       icy modules.
291
292       semanage boolean can also be used to manipulate the booleans
293
294
295       system-config-selinux is a GUI tool available to customize SELinux pol‐
296       icy settings.
297
298

AUTHOR

300       This manual page was auto-generated using sepolicy manpage .
301
302

SEE ALSO

304       selinux(8), krb5kdc(8), semanage(8),  restorecon(8),  chcon(1),  sepol‐
305       icy(8), setsebool(8)
306
307
308
309krb5kdc                            23-10-20                 krb5kdc_selinux(8)
Impressum