1radiusd_selinux(8)          SELinux Policy radiusd          radiusd_selinux(8)
2
3
4

NAME

6       radiusd_selinux  -  Security Enhanced Linux Policy for the radiusd pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  radiusd  processes  via  flexible
11       mandatory access control.
12
13       The  radiusd processes execute with the radiusd_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep radiusd_t
20
21
22

ENTRYPOINTS

24       The  radiusd_t  SELinux type can be entered via the radiusd_exec_t file
25       type.
26
27       The default entrypoint paths for the radiusd_t domain are  the  follow‐
28       ing:
29
30       /etc/cron.(daily|monthly)/radiusd,
31       /etc/cron.((daily)|(weekly)|(monthly))/freeradius,   /usr/sbin/radiusd,
32       /usr/sbin/freeradius
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       radiusd  policy  is very flexible allowing users to setup their radiusd
42       processes in as secure a method as possible.
43
44       The following process types are defined for radiusd:
45
46       radiusd_t
47
48       Note: semanage permissive -a radiusd_t can be used to make the  process
49       type  radiusd_t  permissive. SELinux does not deny access to permissive
50       process types, but the AVC (SELinux denials) messages are still  gener‐
51       ated.
52
53

BOOLEANS

55       SELinux policy is customizable based on least access required.  radiusd
56       policy is extremely flexible and has several booleans that allow you to
57       manipulate  the  policy and run radiusd with the tightest access possi‐
58       ble.
59
60
61
62       If you want to determine whether radius can use JIT compiler, you  must
63       turn on the radius_use_jit boolean. Disabled by default.
64
65       setsebool -P radius_use_jit 1
66
67
68
69       If  you  want  to  dontaudit all daemons scheduling requests (setsched,
70       sys_nice), you must turn on the  daemons_dontaudit_scheduling  boolean.
71       Enabled by default.
72
73       setsebool -P daemons_dontaudit_scheduling 1
74
75
76
77       If  you  want  to deny any process from ptracing or debugging any other
78       processes, you must turn on the deny_ptrace boolean.  Disabled  by  de‐
79       fault.
80
81       setsebool -P deny_ptrace 1
82
83
84
85       If you want to allow all domains to execute in fips_mode, you must turn
86       on the fips_mode boolean. Enabled by default.
87
88       setsebool -P fips_mode 1
89
90
91
92       If you want to allow confined applications to run  with  kerberos,  you
93       must turn on the kerberos_enabled boolean. Enabled by default.
94
95       setsebool -P kerberos_enabled 1
96
97
98
99       If  you  want  to  allow  system  to run with NIS, you must turn on the
100       nis_enabled boolean. Disabled by default.
101
102       setsebool -P nis_enabled 1
103
104
105

PORT TYPES

107       SELinux defines port types to represent TCP and UDP ports.
108
109       You can see the types associated with a port  by  using  the  following
110       command:
111
112       semanage port -l
113
114
115       Policy  governs  the  access  confined  processes  have to these ports.
116       SELinux radiusd policy is very flexible allowing users to  setup  their
117       radiusd processes in as secure a method as possible.
118
119       The following port types are defined for radiusd:
120
121
122       radius_port_t
123
124
125
126       Default Defined Ports:
127                 tcp 1645,1812,18120-18121
128                 udp 1645,1812,18120-18121
129

MANAGED FILES

131       The  SELinux  process  type radiusd_t can manage files labeled with the
132       following file types.  The paths listed are the default paths for these
133       file types.  Note the processes UID still need to have DAC permissions.
134
135       cluster_conf_t
136
137            /etc/cluster(/.*)?
138
139       cluster_var_lib_t
140
141            /var/lib/pcsd(/.*)?
142            /var/lib/cluster(/.*)?
143            /var/lib/openais(/.*)?
144            /var/lib/pengine(/.*)?
145            /var/lib/corosync(/.*)?
146            /usr/lib/heartbeat(/.*)?
147            /var/lib/heartbeat(/.*)?
148            /var/lib/pacemaker(/.*)?
149
150       cluster_var_run_t
151
152            /var/run/crm(/.*)?
153            /var/run/cman_.*
154            /var/run/rsctmp(/.*)?
155            /var/run/aisexec.*
156            /var/run/heartbeat(/.*)?
157            /var/run/pcsd-ruby.socket
158            /var/run/corosync-qnetd(/.*)?
159            /var/run/corosync-qdevice(/.*)?
160            /var/run/corosync.pid
161            /var/run/cpglockd.pid
162            /var/run/rgmanager.pid
163            /var/run/cluster/rgmanager.sk
164
165       faillog_t
166
167            /var/log/btmp.*
168            /var/log/faillog.*
169            /var/log/tallylog.*
170            /var/run/faillock(/.*)?
171
172       krb5_host_rcache_t
173
174            /var/tmp/krb5_0.rcache2
175            /var/cache/krb5rcache(/.*)?
176            /var/tmp/nfs_0
177            /var/tmp/DNS_25
178            /var/tmp/host_0
179            /var/tmp/imap_0
180            /var/tmp/HTTP_23
181            /var/tmp/HTTP_48
182            /var/tmp/ldap_55
183            /var/tmp/ldap_487
184            /var/tmp/ldapmap1_0
185
186       radiusd_etc_rw_t
187
188            /etc/raddb/db.daily
189
190       radiusd_log_t
191
192            /var/log/radius(/.*)?
193            /var/log/radutmp.*
194            /var/log/radwtmp.*
195            /var/log/radacct(/.*)?
196            /var/log/radius.log.*
197            /var/log/freeradius(/.*)?
198            /var/log/radiusd-freeradius(/.*)?
199
200       radiusd_var_lib_t
201
202            /var/lib/radiusd(/.*)?
203
204       radiusd_var_run_t
205
206            /var/run/radiusd(/.*)?
207            /var/run/radiusd.pid
208
209       root_t
210
211            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
212            /
213            /initrd
214
215       security_t
216
217            /selinux
218
219

FILE CONTEXTS

221       SELinux requires files to have an extended attribute to define the file
222       type.
223
224       You can see the context of a file using the -Z option to ls
225
226       Policy governs the access  confined  processes  have  to  these  files.
227       SELinux  radiusd  policy is very flexible allowing users to setup their
228       radiusd processes in as secure a method as possible.
229
230       EQUIVALENCE DIRECTORIES
231
232
233       radiusd policy stores data with multiple different file  context  types
234       under  the  /var/log/radius  directory.  If you would like to store the
235       data in a different directory you can use the semanage command to  cre‐
236       ate an equivalence mapping.  If you wanted to store this data under the
237       /srv directory you would execute the following command:
238
239       semanage fcontext -a -e /var/log/radius /srv/radius
240       restorecon -R -v /srv/radius
241
242       radiusd policy stores data with multiple different file  context  types
243       under  the  /var/run/radiusd directory.  If you would like to store the
244       data in a different directory you can use the semanage command to  cre‐
245       ate an equivalence mapping.  If you wanted to store this data under the
246       /srv directory you would execute the following command:
247
248       semanage fcontext -a -e /var/run/radiusd /srv/radiusd
249       restorecon -R -v /srv/radiusd
250
251       STANDARD FILE CONTEXT
252
253       SELinux defines the file context types for the radiusd, if  you  wanted
254       to  store files with these types in a different paths, you need to exe‐
255       cute the semanage command to specify alternate labeling  and  then  use
256       restorecon to put the labels on disk.
257
258       semanage fcontext -a -t radiusd_exec_t '/srv/radiusd/content(/.*)?'
259       restorecon -R -v /srv/myradiusd_content
260
261       Note:  SELinux  often  uses  regular expressions to specify labels that
262       match multiple files.
263
264       The following file types are defined for radiusd:
265
266
267
268       radiusd_etc_rw_t
269
270       - Set files with the radiusd_etc_rw_t type, if you want  to  treat  the
271       files as radiusd etc read/write content.
272
273
274
275       radiusd_etc_t
276
277       -  Set  files with the radiusd_etc_t type, if you want to store radiusd
278       files in the /etc directories.
279
280
281
282       radiusd_exec_t
283
284       - Set files with the radiusd_exec_t type, if you want to transition  an
285       executable to the radiusd_t domain.
286
287
288       Paths:
289            /etc/cron.(daily|monthly)/radiusd,
290            /etc/cron.((daily)|(weekly)|(monthly))/freeradius,   /usr/sbin/ra‐
291            diusd, /usr/sbin/freeradius
292
293
294       radiusd_initrc_exec_t
295
296       - Set files with the radiusd_initrc_exec_t type, if you want to transi‐
297       tion an executable to the radiusd_initrc_t domain.
298
299
300
301       radiusd_log_t
302
303       - Set files with the radiusd_log_t type, if you want to treat the  data
304       as radiusd log data, usually stored under the /var/log directory.
305
306
307       Paths:
308            /var/log/radius(/.*)?,   /var/log/radutmp.*,   /var/log/radwtmp.*,
309            /var/log/radacct(/.*)?,  /var/log/radius.log.*,   /var/log/freera‐
310            dius(/.*)?, /var/log/radiusd-freeradius(/.*)?
311
312
313       radiusd_unit_file_t
314
315       - Set files with the radiusd_unit_file_t type, if you want to treat the
316       files as radiusd unit content.
317
318
319
320       radiusd_var_lib_t
321
322       - Set files with the radiusd_var_lib_t type, if you want to  store  the
323       radiusd files under the /var/lib directory.
324
325
326
327       radiusd_var_run_t
328
329       -  Set  files with the radiusd_var_run_t type, if you want to store the
330       radiusd files under the /run or /var/run directory.
331
332
333       Paths:
334            /var/run/radiusd(/.*)?, /var/run/radiusd.pid
335
336
337       Note: File context can be temporarily modified with the chcon  command.
338       If  you want to permanently change the file context you need to use the
339       semanage fcontext command.  This will modify the SELinux labeling data‐
340       base.  You will need to use restorecon to apply the labels.
341
342

COMMANDS

344       semanage  fcontext  can also be used to manipulate default file context
345       mappings.
346
347       semanage permissive can also be used to manipulate  whether  or  not  a
348       process type is permissive.
349
350       semanage  module can also be used to enable/disable/install/remove pol‐
351       icy modules.
352
353       semanage port can also be used to manipulate the port definitions
354
355       semanage boolean can also be used to manipulate the booleans
356
357
358       system-config-selinux is a GUI tool available to customize SELinux pol‐
359       icy settings.
360
361

AUTHOR

363       This manual page was auto-generated using sepolicy manpage .
364
365

SEE ALSO

367       selinux(8),  radiusd(8),  semanage(8),  restorecon(8), chcon(1), sepol‐
368       icy(8), setsebool(8)
369
370
371
372radiusd                            23-10-20                 radiusd_selinux(8)
Impressum