portmap_selinux(8)

1portmap_selinux(8)          SELinux Policy portmap          portmap_selinux(8)
2
3
4

NAME

6       portmap_selinux  -  Security Enhanced Linux Policy for the portmap pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  portmap  processes  via  flexible
11       mandatory access control.
12
13       The  portmap processes execute with the portmap_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep portmap_t
20
21
22

ENTRYPOINTS

24       The  portmap_t  SELinux type can be entered via the portmap_exec_t file
25       type.
26
27       The default entrypoint paths for the portmap_t domain are  the  follow‐
28       ing:
29
30       /sbin/portmap, /usr/sbin/portmap
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       portmap  policy  is very flexible allowing users to setup their portmap
40       processes in as secure a method as possible.
41
42       The following process types are defined for portmap:
43
44       portmap_t, portmap_helper_t
45
46       Note: semanage permissive -a portmap_t can be used to make the  process
47       type  portmap_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  portmap
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run portmap with the tightest access possi‐
56       ble.
57
58
59
60       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
61       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
62       Enabled by default.
63
64       setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to  allow  system  to run with NIS, you must turn on the
76       nis_enabled boolean. Disabled by default.
77
78       setsebool -P nis_enabled 1
79
80
81

PORT TYPES

83       SELinux defines port types to represent TCP and UDP ports.
84
85       You can see the types associated with a port  by  using  the  following
86       command:
87
88       semanage port -l
89
90
91       Policy  governs  the  access  confined  processes  have to these ports.
92       SELinux portmap policy is very flexible allowing users to  setup  their
93       portmap processes in as secure a method as possible.
94
95       The following port types are defined for portmap:
96
97
98       portmap_port_t
99
100
101
102       Default Defined Ports:
103                 tcp 111
104                 udp 111
105

MANAGED FILES

107       The  SELinux  process  type portmap_t can manage files labeled with the
108       following file types.  The paths listed are the default paths for these
109       file types.  Note the processes UID still need to have DAC permissions.
110
111       cluster_conf_t
112
113            /etc/cluster(/.*)?
114
115       cluster_var_lib_t
116
117            /var/lib/pcsd(/.*)?
118            /var/lib/cluster(/.*)?
119            /var/lib/openais(/.*)?
120            /var/lib/pengine(/.*)?
121            /var/lib/corosync(/.*)?
122            /usr/lib/heartbeat(/.*)?
123            /var/lib/heartbeat(/.*)?
124            /var/lib/pacemaker(/.*)?
125
126       cluster_var_run_t
127
128            /var/run/crm(/.*)?
129            /var/run/cman_.*
130            /var/run/rsctmp(/.*)?
131            /var/run/aisexec.*
132            /var/run/heartbeat(/.*)?
133            /var/run/pcsd-ruby.socket
134            /var/run/corosync-qnetd(/.*)?
135            /var/run/corosync-qdevice(/.*)?
136            /var/run/corosync.pid
137            /var/run/cpglockd.pid
138            /var/run/rgmanager.pid
139            /var/run/cluster/rgmanager.sk
140
141       krb5_host_rcache_t
142
143            /var/tmp/krb5_0.rcache2
144            /var/cache/krb5rcache(/.*)?
145            /var/tmp/nfs_0
146            /var/tmp/DNS_25
147            /var/tmp/host_0
148            /var/tmp/imap_0
149            /var/tmp/HTTP_23
150            /var/tmp/HTTP_48
151            /var/tmp/ldap_55
152            /var/tmp/ldap_487
153            /var/tmp/ldapmap1_0
154
155       portmap_tmp_t
156
157
158       portmap_var_run_t
159
160            /var/run/portmap_mapping
161            /var/run/portmap.upgrade-state
162
163       root_t
164
165            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
166            /
167            /initrd
168
169

FILE CONTEXTS

171       SELinux requires files to have an extended attribute to define the file
172       type.
173
174       You can see the context of a file using the -Z option to ls
175
176       Policy governs the access  confined  processes  have  to  these  files.
177       SELinux  portmap  policy is very flexible allowing users to setup their
178       portmap processes in as secure a method as possible.
179
180       STANDARD FILE CONTEXT
181
182       SELinux defines the file context types for the portmap, if  you  wanted
183       to  store files with these types in a different paths, you need to exe‐
184       cute the semanage command to specify alternate labeling  and  then  use
185       restorecon to put the labels on disk.
186
187       semanage fcontext -a -t portmap_exec_t '/srv/portmap/content(/.*)?'
188       restorecon -R -v /srv/myportmap_content
189
190       Note:  SELinux  often  uses  regular expressions to specify labels that
191       match multiple files.
192
193       The following file types are defined for portmap:
194
195
196
197       portmap_exec_t
198
199       - Set files with the portmap_exec_t type, if you want to transition  an
200       executable to the portmap_t domain.
201
202
203       Paths:
204            /sbin/portmap, /usr/sbin/portmap
205
206
207       portmap_helper_exec_t
208
209       - Set files with the portmap_helper_exec_t type, if you want to transi‐
210       tion an executable to the portmap_helper_t domain.
211
212
213       Paths:
214            /sbin/pmap_set,        /sbin/pmap_dump,        /usr/sbin/pmap_set,
215            /usr/sbin/pmap_dump
216
217
218       portmap_initrc_exec_t
219
220       - Set files with the portmap_initrc_exec_t type, if you want to transi‐
221       tion an executable to the portmap_initrc_t domain.
222
223
224
225       portmap_tmp_t
226
227       - Set files with the portmap_tmp_t type, if you want to  store  portmap
228       temporary files in the /tmp directories.
229
230
231
232       portmap_var_run_t
233
234       -  Set  files with the portmap_var_run_t type, if you want to store the
235       portmap files under the /run or /var/run directory.
236
237
238       Paths:
239            /var/run/portmap_mapping, /var/run/portmap.upgrade-state
240
241
242       Note: File context can be temporarily modified with the chcon  command.
243       If  you want to permanently change the file context you need to use the
244       semanage fcontext command.  This will modify the SELinux labeling data‐
245       base.  You will need to use restorecon to apply the labels.
246
247

COMMANDS

249       semanage  fcontext  can also be used to manipulate default file context
250       mappings.
251
252       semanage permissive can also be used to manipulate  whether  or  not  a
253       process type is permissive.
254
255       semanage  module can also be used to enable/disable/install/remove pol‐
256       icy modules.
257
258       semanage port can also be used to manipulate the port definitions
259
260       semanage boolean can also be used to manipulate the booleans
261
262
263       system-config-selinux is a GUI tool available to customize SELinux pol‐
264       icy settings.
265
266

AUTHOR

268       This manual page was auto-generated using sepolicy manpage .
269
270