sssd_selinux(8)               SELinux Policy sssd              sssd_selinux(8)

NAME

       sssd_selinux - Security Enhanced Linux Policy for the sssd processes


DESCRIPTION

       Security-Enhanced Linux secures the sssd processes via flexible
       mandatory access control.

       The sssd processes execute with the sssd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep sssd_t


ENTRYPOINTS

       The sssd_t SELinux type can be entered via the sssd_exec_t file type.

       The default entrypoint paths for the sssd_t domain are the following:

       /usr/sbin/sssd, /usr/sbin/sss_cache, /usr/libexec/sssd/sssd_ifp,
       /usr/libexec/sssd/sssd_kcm, /usr/libexec/sssd/sssd_nss,
       /usr/libexec/sssd/sssd_pac, /usr/libexec/sssd/sssd_pam,
       /usr/libexec/sssd/sssd_ssh, /usr/libexec/sssd/sssd_sudo,
       /usr/libexec/sssd/sssd_autofs, /usr/libexec/sssd/sssd_secrets


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       sssd policy is very flexible, allowing users to set up their sssd
       processes in as secure a manner as possible.

       The following process types are defined for sssd:

       sssd_t, sssd_selinux_manager_t

       Note: semanage permissive -a sssd_t can be used to make the process
       type sssd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated. Use this only while troubleshooting: a permissive sssd_t
       leaves the daemon effectively unconfined. AVC records produced while the
       domain is permissive carry permissive=1, so they can be told apart from
       enforced denials. Restore enforcement with semanage permissive -d sssd_t.


BOOLEANS

       SELinux policy is customizable based on least access required. sssd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sssd with the tightest access possible.

       If you want to allow sssd read, view, and write access to kernel keys
       with kernel_t type, you must turn on the sssd_access_kernel_keys
       boolean. Disabled by default.

       setsebool -P sssd_access_kernel_keys 1

       If you want to allow sssd to connect to all unreserved ports, you must
       turn on the sssd_connect_all_unreserved_ports boolean. Disabled by
       default.

       setsebool -P sssd_connect_all_unreserved_ports 1

       If you want to allow sssd to use USB devices, you must turn on the
       sssd_use_usb boolean. Disabled by default.

       setsebool -P sssd_use_usb 1

       If you want to dontaudit (suppress auditing of) all daemons' scheduling
       requests (setsched, sys_nice), you must turn on the
       daemons_dontaudit_scheduling boolean. Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow Apache to communicate with the sssd service via
       dbus, you must turn on the httpd_dbus_sssd boolean. Disabled by default.

       setsebool -P httpd_dbus_sssd 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

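       The booleans above are described in prose; in practice you meet them
       as AVC denials in audit.log and have to work out which boolean, if any,
       covers each one. The following Python script is an added example and is
       not code from the sssd policy or from the sepolicy tool that generated
       this page. It parses AVC records, attributes each sssd-related denial
       to the documented boolean that would cover it, and separates enforced
       denials from those merely logged by a permissive domain. The audit
       lines are constructed samples, and the denial-to-boolean mapping is a
       heuristic built from the boolean descriptions on this page rather than
       from the policy sources, so treat a suggestion as a lead to confirm with
       sesearch or audit2allow, not as a verdict.

```python
"""Attribute sssd AVC denials to the booleans documented above.

Added example, not code from the sssd policy or sepolicy. The audit.log
lines are constructed samples; the denial-to-boolean mapping is a heuristic
taken from the boolean descriptions on this page, not from the policy
sources, so confirm a suggestion with sesearch/audit2allow before applying it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: three denials (one from a permissive domain, one a
# userspace AVC from dbus-daemon) plus an unrelated SYSCALL record to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1697800000.101:201): avc:  denied  { name_connect } for  pid=1402 comm="sssd_be" dest=8389 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1697800000.102:202): avc:  denied  { read } for  pid=1410 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
type=USER_AVC msg=audit(1697800000.103:203): pid=812 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.sssd.infopipe member=GetUserAttr dest=org.freedesktop.sssd.infopipe spid=1500 tpid=1420 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1697800000.101:201): arch=c000003e syscall=42 success=no exit=-13
"""


@dataclass
class Denial:
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    comm: Optional[str]

    def stype(self) -> str:
        return self.scontext.split(":")[2]   # user:role:TYPE:level

    def ttype(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an 'avc: denied' record, None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=frozenset(m.group("perms").split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
        comm=fields.get("comm"),
    )


def suggest_boolean(d: Denial) -> Optional[str]:
    """Heuristic (from this page's boolean descriptions): covering boolean."""
    if d.stype() == "sssd_t" and d.tclass == "key" and d.ttype() == "kernel_t":
        return "sssd_access_kernel_keys"
    if (d.stype() == "sssd_t" and d.tclass == "tcp_socket"
            and "name_connect" in d.perms and d.ttype() == "unreserved_port_t"):
        return "sssd_connect_all_unreserved_ports"
    if d.stype() == "httpd_t" and d.ttype() == "sssd_t" and d.tclass == "dbus":
        return "httpd_dbus_sssd"
    return None


def triage(log_text: str) -> List[Tuple[Optional[str], bool]]:
    """One (boolean-or-None, enforced) tuple per AVC record, in log order."""
    out = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        # permissive=1: the access went through anyway (see the note under
        # PROCESS TYPES), so it is not the cause of a failure being debugged.
        out.append((suggest_boolean(d), not d.permissive))
    return out


if __name__ == "__main__":
    for boolean, enforced in triage(SAMPLE_AUDIT_LOG):
        state = "blocked" if enforced else "logged only (permissive)"
        fix = f"setsebool -P {boolean} 1" if boolean else "no documented boolean; run audit2allow"
        print(f"{state:26} {fix}")
```

       Run it against a real log with something like
       ausearch -m AVC,USER_AVC -ts recent | python3 avc_triage.py after
       changing the __main__ block to read sys.stdin; the point of keeping the
       mapping in one function is that a denial it cannot attribute is the one
       that deserves a policy module rather than a boolean flip.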

MANAGED FILES

       The SELinux process type sssd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.

       auth_cache_t

            /var/cache/coolkey(/.*)?

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       krb5_keytab_t

            /var/kerberos/krb5(/.*)?
            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       selinux_login_config_t

            /etc/selinux/([^/]*/)?logins(/.*)?

       sssd_var_log_t

            /var/log/sssd(/.*)?

       sssd_var_run_t

            /var/run/sssd.pid
            /var/run/secrets.socket
            /var/run/.heim_org.h5l.kcm-socket

       user_tmp_type

            all user tmp files


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux sssd policy is very flexible, allowing users to set up their
       sssd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       sssd policy stores data with multiple different file context types
       under the /var/lib/sss directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following commands:

       semanage fcontext -a -e /var/lib/sss /srv/sss
       restorecon -R -v /srv/sss

       STANDARD FILE CONTEXT

       SELinux defines the file context types for sssd. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk. The restorecon path must be
       covered by the pattern you registered, otherwise nothing is relabeled:

       semanage fcontext -a -t sssd_exec_t '/srv/sssd/content(/.*)?'
       restorecon -R -v /srv/sssd/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for sssd:

       sssd_conf_t

       - Set files with the sssd_conf_t type, if you want to treat the files
       as sssd configuration data, usually stored under the /etc directory.

       sssd_exec_t

       - Set files with the sssd_exec_t type, if you want to transition an
       executable to the sssd_t domain.

       Paths:
            /usr/sbin/sssd, /usr/sbin/sss_cache, /usr/libexec/sssd/sssd_ifp,
            /usr/libexec/sssd/sssd_kcm, /usr/libexec/sssd/sssd_nss,
            /usr/libexec/sssd/sssd_pac, /usr/libexec/sssd/sssd_pam,
            /usr/libexec/sssd/sssd_ssh, /usr/libexec/sssd/sssd_sudo,
            /usr/libexec/sssd/sssd_autofs, /usr/libexec/sssd/sssd_secrets

       sssd_initrc_exec_t

       - Set files with the sssd_initrc_exec_t type, if you want to transition
       an executable to the sssd_initrc_t domain.

       sssd_public_t

       - Set files with the sssd_public_t type, if you want to treat the files
       as sssd public data.

       Paths:
            /var/lib/sss/mc(/.*)?, /var/lib/sss/pubconf(/.*)?

       sssd_selinux_manager_exec_t

       - Set files with the sssd_selinux_manager_exec_t type, if you want to
       transition an executable to the sssd_selinux_manager_t domain.

       sssd_unit_file_t

       - Set files with the sssd_unit_file_t type, if you want to treat the
       files as sssd unit content.

       sssd_var_lib_t

       - Set files with the sssd_var_lib_t type, if you want to store the sssd
       files under the /var/lib directory.

       sssd_var_log_t

       - Set files with the sssd_var_log_t type, if you want to treat the data
       as sssd var log data, usually stored under the /var/log directory.

       sssd_var_run_t

       - Set files with the sssd_var_run_t type, if you want to store the sssd
       files under the /run or /var/run directory.

       Paths:
            /var/run/sssd.pid, /var/run/secrets.socket,
            /var/run/.heim_org.h5l.kcm-socket

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

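       The equivalence mapping and the per-pattern rules above interact in a
       way that is easy to get wrong: the alias prefix is rewritten to the
       canonical path first, then the rewritten path is matched against the
       file-context patterns, and a more specific pattern (such as the
       sssd_public_t rule for /var/lib/sss/mc) beats the generic
       sssd_var_lib_t rule for /var/lib/sss. The following Python model is an
       added example, not code from libselinux, sepolicy or the sssd policy.
       It is a deliberately small stand-in for matchpathcon(8): the rule table
       is a constructed excerpt built from the paths listed on this page,
       every pattern is anchored at both ends as the real lookup does, local
       rules added with semanage are consulted after the distribution rules,
       and among matching rules the last one in the table wins, which gives
       the same answer as the real most-specific-rule selection as long as the
       table lists generic patterns before specific ones.

```python
"""Model which SELinux file type a path would receive under the sssd
file contexts above, including an equivalence mapping.

Added example, not code from libselinux or sepolicy. FILE_CONTEXTS is a
constructed excerpt of file_contexts built from the paths on this page,
ordered generic-to-specific; EQUIVALENCES models `semanage fcontext -a -e`.
"""
import re
from typing import List, Optional, Tuple

# Constructed excerpt: (regex, type). Distribution rules, generic before
# specific; local rules (semanage fcontext -a -t ...) are appended after them.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/var/lib/sss(/.*)?", "sssd_var_lib_t"),
    (r"/var/lib/sss/mc(/.*)?", "sssd_public_t"),
    (r"/var/lib/sss/pubconf(/.*)?", "sssd_public_t"),
    (r"/var/log/sssd(/.*)?", "sssd_var_log_t"),
    (r"/var/run/sssd\.pid", "sssd_var_run_t"),
    (r"/usr/libexec/sssd/sssd_nss", "sssd_exec_t"),
]

# `semanage fcontext -a -e /var/lib/sss /srv/sss`: the alias prefix is
# rewritten to the canonical prefix before any pattern is consulted.
EQUIVALENCES = {"/srv/sss": "/var/lib/sss"}


def apply_equivalence(path: str, subs=EQUIVALENCES) -> str:
    """Rewrite an alias prefix; the match must end on a path-component boundary,
    so /srv/sss covers /srv/sss/mc but not /srv/sssd."""
    for alias in sorted(subs, key=len, reverse=True):   # longest alias wins
        if path == alias or path.startswith(alias + "/"):
            return subs[alias] + path[len(alias):]
    return path


def resolve_type(path: str, rules=FILE_CONTEXTS, subs=EQUIVALENCES) -> Optional[str]:
    """Return the file type for `path`, or None when no rule matches."""
    canonical = apply_equivalence(path, subs)
    winner = None
    for pattern, ftype in rules:
        # Anchored at both ends: '/var/lib/sss(/.*)?' must not match /var/lib/sssx.
        if re.match(f"^(?:{pattern})$", canonical):
            winner = ftype          # last matching rule wins
    return winner


def with_local_rule(path: str, pattern: str, ftype: str) -> Optional[str]:
    """Simulate `semanage fcontext -a -t FTYPE 'PATTERN'`, then resolve `path`.
    Local rules come after distribution rules, so they take precedence."""
    return resolve_type(path, FILE_CONTEXTS + [(pattern, ftype)])


if __name__ == "__main__":
    for p in ("/var/lib/sss/db/cache.ldb", "/srv/sss/mc/passwd",
              "/srv/sss/pubconf/kdcinfo.EXAMPLE", "/srv/sssd/content/x",
              "/var/run/sssd.pid", "/var/run/sssd_pid"):
        print(f"{p:36} -> {resolve_type(p)}")
    # The STANDARD FILE CONTEXT example from this page:
    print(with_local_rule("/srv/sssd/content/x", "/srv/sssd/content(/.*)?", "sssd_exec_t"))
```

       On a real host, compare the model's answers with matchpathcon -V or
       restorecon -n -v on the same paths; a path the model resolves to None is
       one that will fall back to whatever its parent directory's default_t or
       inherited label is, which is usually the sign that the semanage pattern
       and the restorecon target do not line up.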

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), sssd_selinux_manager_selinux(8)

sssd                               23-10-20                    sssd_selinux(8)