1mpd_selinux(8) SELinux Policy mpd mpd_selinux(8)
2
6 mpd_selinux - Security Enhanced Linux Policy for the mpd processes
7
9 Security-Enhanced Linux secures the mpd processes via flexible manda‐
10 tory access control.
11 The mpd processes execute with the mpd_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15 For example:
17 ps -eZ | grep mpd_t
19
23 The mpd_t SELinux type can be entered via the mpd_exec_t file type.
24 The default entrypoint paths for the mpd_t domain are the following:
26 /usr/bin/mpd
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 mpd policy is very flexible allowing users to setup their mpd processes
37 in as secure a method as possible.
38 The following process types are defined for mpd:
40 mpd_t
42 Note: semanage permissive -a mpd_t can be used to make the process type
44 mpd_t permissive. SELinux does not deny access to permissive process
45 types, but the AVC (SELinux denials) messages are still generated.
46
49 SELinux policy is customizable based on least access required. mpd
50 policy is extremely flexible and has several booleans that allow you to
51 manipulate the policy and run mpd with the tightest access possible.
52 If you want to determine whether mpd can traverse user home directo‐
56 ries, you must turn on the mpd_enable_homedirs boolean. Disabled by de‐
57 fault.
58 setsebool -P mpd_enable_homedirs 1
60 If you want to determine whether mpd can use cifs file systems, you
64 must turn on the mpd_use_cifs boolean. Disabled by default.
65 setsebool -P mpd_use_cifs 1
67 If you want to determine whether mpd can use nfs file systems, you must
71 turn on the mpd_use_nfs boolean. Disabled by default.
72 setsebool -P mpd_use_nfs 1
74 If you want to dontaudit all daemons scheduling requests (setsched,
78 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
79 Enabled by default.
80 setsebool -P daemons_dontaudit_scheduling 1
82 If you want to allow all domains to execute in fips_mode, you must turn
86 on the fips_mode boolean. Enabled by default.
87 setsebool -P fips_mode 1
89 If you want to allow system to run with NIS, you must turn on the
93 nis_enabled boolean. Disabled by default.
94 setsebool -P nis_enabled 1
96 If you want to support NFS home directories, you must turn on the
100 use_nfs_home_dirs boolean. Disabled by default.
101 setsebool -P use_nfs_home_dirs 1
103 If you want to support SAMBA home directories, you must turn on the
107 use_samba_home_dirs boolean. Disabled by default.
108 setsebool -P use_samba_home_dirs 1
110
114 SELinux defines port types to represent TCP and UDP ports.
115 You can see the types associated with a port by using the following
117 command:
118 semanage port -l
120 Policy governs the access confined processes have to these ports.
123 SELinux mpd policy is very flexible allowing users to setup their mpd
124 processes in as secure a method as possible.
125 The following port types are defined for mpd:
127 mpd_port_t
130 Default Defined Ports:
134 tcp 6600
135
137 The SELinux process type mpd_t can manage files labeled with the fol‐
138 lowing file types. The paths listed are the default paths for these
139 file types. Note the processes UID still need to have DAC permissions.
140 cifs_t
142 cluster_conf_t
145 /etc/cluster(/.*)?
147 cluster_var_lib_t
149 /var/lib/pcsd(/.*)?
151 /var/lib/cluster(/.*)?
152 /var/lib/openais(/.*)?
153 /var/lib/pengine(/.*)?
154 /var/lib/corosync(/.*)?
155 /usr/lib/heartbeat(/.*)?
156 /var/lib/heartbeat(/.*)?
157 /var/lib/pacemaker(/.*)?
158 cluster_var_run_t
160 /var/run/crm(/.*)?
162 /var/run/cman_.*
163 /var/run/rsctmp(/.*)?
164 /var/run/aisexec.*
165 /var/run/heartbeat(/.*)?
166 /var/run/pcsd-ruby.socket
167 /var/run/corosync-qnetd(/.*)?
168 /var/run/corosync-qdevice(/.*)?
169 /var/run/corosync.pid
170 /var/run/cpglockd.pid
171 /var/run/rgmanager.pid
172 /var/run/cluster/rgmanager.sk
173 krb5_host_rcache_t
175 /var/tmp/krb5_0.rcache2
177 /var/cache/krb5rcache(/.*)?
178 /var/tmp/nfs_0
179 /var/tmp/DNS_25
180 /var/tmp/host_0
181 /var/tmp/imap_0
182 /var/tmp/HTTP_23
183 /var/tmp/HTTP_48
184 /var/tmp/ldap_55
185 /var/tmp/ldap_487
186 /var/tmp/ldapmap1_0
187 mpd_data_t
189 /var/lib/mpd/music(/.*)?
191 /var/lib/mpd/playlists(/.*)?
192 mpd_home_t
194 /home/[^/]+/.mpd(/.*)?
196 mpd_tmp_t
198 mpd_tmpfs_t
201 mpd_var_lib_t
204 /var/lib/mpd(/.*)?
206 mpd_var_run_t
208 /var/run/mpd(/.*)?
210 nfs_t
212 root_t
215 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
217 /
218 /initrd
219
222 SELinux requires files to have an extended attribute to define the file
223 type.
224 You can see the context of a file using the -Z option to ls
226 Policy governs the access confined processes have to these files.
228 SELinux mpd policy is very flexible allowing users to setup their mpd
229 processes in as secure a method as possible.
230 EQUIVALENCE DIRECTORIES
232 mpd policy stores data with multiple different file context types under
235 the /var/lib/mpd directory. If you would like to store the data in a
236 different directory you can use the semanage command to create an
237 equivalence mapping. If you wanted to store this data under the /srv
238 directory you would execute the following command:
239 semanage fcontext -a -e /var/lib/mpd /srv/mpd
241 restorecon -R -v /srv/mpd
242 STANDARD FILE CONTEXT
244 SELinux defines the file context types for the mpd, if you wanted to
246 store files with these types in a different paths, you need to execute
247 the semanage command to specify alternate labeling and then use re‐
248 storecon to put the labels on disk.
249 semanage fcontext -a -t mpd_exec_t '/srv/mpd/content(/.*)?'
251 restorecon -R -v /srv/mympd_content
252 Note: SELinux often uses regular expressions to specify labels that
254 match multiple files.
255 The following file types are defined for mpd:
257 mpd_data_t
261 - Set files with the mpd_data_t type, if you want to treat the files as
263 mpd content.
264 Paths:
267 /var/lib/mpd/music(/.*)?, /var/lib/mpd/playlists(/.*)?
268 mpd_etc_t
271 - Set files with the mpd_etc_t type, if you want to store mpd files in
273 the /etc directories.
274 mpd_exec_t
278 - Set files with the mpd_exec_t type, if you want to transition an exe‐
280 cutable to the mpd_t domain.
281 mpd_home_t
285 - Set files with the mpd_home_t type, if you want to store mpd files in
287 the users home directory.
288 mpd_initrc_exec_t
292 - Set files with the mpd_initrc_exec_t type, if you want to transition
294 an executable to the mpd_initrc_t domain.
295 mpd_log_t
299 - Set files with the mpd_log_t type, if you want to treat the data as
301 mpd log data, usually stored under the /var/log directory.
302 mpd_tmp_t
306 - Set files with the mpd_tmp_t type, if you want to store mpd temporary
308 files in the /tmp directories.
309 mpd_tmpfs_t
313 - Set files with the mpd_tmpfs_t type, if you want to store mpd files
315 on a tmpfs file system.
316 mpd_user_data_t
320 - Set files with the mpd_user_data_t type, if you want to treat the
322 files as mpd user content.
323 mpd_var_lib_t
327 - Set files with the mpd_var_lib_t type, if you want to store the mpd
329 files under the /var/lib directory.
330 mpd_var_run_t
334 - Set files with the mpd_var_run_t type, if you want to store the mpd
336 files under the /run or /var/run directory.
337 Note: File context can be temporarily modified with the chcon command.
341 If you want to permanently change the file context you need to use the
342 semanage fcontext command. This will modify the SELinux labeling data‐
343 base. You will need to use restorecon to apply the labels.
344
347 semanage fcontext can also be used to manipulate default file context
348 mappings.
349 semanage permissive can also be used to manipulate whether or not a
351 process type is permissive.
352 semanage module can also be used to enable/disable/install/remove pol‐
354 icy modules.
355 semanage port can also be used to manipulate the port definitions
357 semanage boolean can also be used to manipulate the booleans
359 system-config-selinux is a GUI tool available to customize SELinux pol‐
362 icy settings.
363
366 This manual page was auto-generated using sepolicy manpage .
367
370 selinux(8), mpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
371 setsebool(8)
372mpd 23-10-20 mpd_selinux(8)