1l2tpd_selinux(8) SELinux Policy l2tpd l2tpd_selinux(8)
2
6 l2tpd_selinux - Security Enhanced Linux Policy for the l2tpd processes
7
9 Security-Enhanced Linux secures the l2tpd processes via flexible manda‐
10 tory access control.
11 The l2tpd processes execute with the l2tpd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep l2tpd_t
19
23 The l2tpd_t SELinux type can be entered via the l2tpd_exec_t file type.
24 The default entrypoint paths for the l2tpd_t domain are the following:
26 /usr/sbin/.*l2tpd, /usr/libexec/nm-l2tp-service
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 l2tpd policy is very flexible allowing users to setup their l2tpd pro‐
37 cesses in as secure a method as possible.
38 The following process types are defined for l2tpd:
40 l2tpd_t
42 Note: semanage permissive -a l2tpd_t can be used to make the process
44 type l2tpd_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
50 SELinux policy is customizable based on least access required. l2tpd
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run l2tpd with the tightest access possible.
53 If you want to dontaudit all daemons scheduling requests (setsched,
57 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
58 Enabled by default.
59 setsebool -P daemons_dontaudit_scheduling 1
61 If you want to allow all domains to execute in fips_mode, you must turn
65 on the fips_mode boolean. Enabled by default.
66 setsebool -P fips_mode 1
68 If you want to allow confined applications to use nscd shared memory,
72 you must turn on the nscd_use_shm boolean. Enabled by default.
73 setsebool -P nscd_use_shm 1
75
79 SELinux defines port types to represent TCP and UDP ports.
80 You can see the types associated with a port by using the following
82 command:
83 semanage port -l
85 Policy governs the access confined processes have to these ports.
88 SELinux l2tpd policy is very flexible allowing users to setup their
89 l2tpd processes in as secure a method as possible.
90 The following port types are defined for l2tpd:
92 l2tp_port_t
95 Default Defined Ports:
99 tcp 1701
100 udp 1701
101
103 The SELinux process type l2tpd_t can manage files labeled with the fol‐
104 lowing file types. The paths listed are the default paths for these
105 file types. Note the processes UID still need to have DAC permissions.
106 NetworkManager_var_run_t
108 /var/run/teamd(/.*)?
110 /var/run/nm-xl2tpd.conf.*
111 /var/run/nm-dhclient.*
112 /var/run/NetworkManager(/.*)?
113 /var/run/wpa_supplicant(/.*)?
114 /var/run/wicd.pid
115 /var/run/NetworkManager.pid
116 /var/run/nm-dns-dnsmasq.conf
117 /var/run/wpa_supplicant-global
118 cluster_conf_t
120 /etc/cluster(/.*)?
122 cluster_var_lib_t
124 /var/lib/pcsd(/.*)?
126 /var/lib/cluster(/.*)?
127 /var/lib/openais(/.*)?
128 /var/lib/pengine(/.*)?
129 /var/lib/corosync(/.*)?
130 /usr/lib/heartbeat(/.*)?
131 /var/lib/heartbeat(/.*)?
132 /var/lib/pacemaker(/.*)?
133 cluster_var_run_t
135 /var/run/crm(/.*)?
137 /var/run/cman_.*
138 /var/run/rsctmp(/.*)?
139 /var/run/aisexec.*
140 /var/run/heartbeat(/.*)?
141 /var/run/pcsd-ruby.socket
142 /var/run/corosync-qnetd(/.*)?
143 /var/run/corosync-qdevice(/.*)?
144 /var/run/corosync.pid
145 /var/run/cpglockd.pid
146 /var/run/rgmanager.pid
147 /var/run/cluster/rgmanager.sk
148 ipsec_key_file_t
150 /etc/ipsec.d(/.*)?
152 /etc/racoon/certs(/.*)?
153 /etc/ipsec.secrets.*
154 /var/lib/ipsec/nss(/.*)?
155 /etc/strongswan/ipsec.d(/.*)?
156 /etc/strongswan/swanctl/rsa(/.*)?
157 /etc/strongswan/swanctl/pkcs.*
158 /etc/strongswan/swanctl/x509.*
159 /etc/strongswan/ipsec.secrets.*
160 /etc/strongswan/swanctl/ecdsa(/.*)?
161 /etc/strongswan/swanctl/bliss/(/.*)?
162 /etc/strongswan/swanctl/pubkey(/.*)?
163 /etc/strongswan/swanctl/private(/.*)?
164 /etc/racoon/psk.txt
165 l2tpd_var_run_t
167 /var/run/*.xl2tpd.*
169 /var/run/.*l2tpd.pid
170 /var/run/.*l2tpd(/.*)?
171 /var/run/prol2tpd.ctl
172 root_t
174 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
176 /
177 /initrd
178
181 SELinux requires files to have an extended attribute to define the file
182 type.
183 You can see the context of a file using the -Z option to ls
185 Policy governs the access confined processes have to these files.
187 SELinux l2tpd policy is very flexible allowing users to setup their
188 l2tpd processes in as secure a method as possible.
189 EQUIVALENCE DIRECTORIES
191 l2tpd policy stores data with multiple different file context types un‐
194 der the /var/run/.*l2tpd directory. If you would like to store the
195 data in a different directory you can use the semanage command to cre‐
196 ate an equivalence mapping. If you wanted to store this data under the
197 /srv directory you would execute the following command:
198 semanage fcontext -a -e /var/run/.*l2tpd /srv/.*l2tpd
200 restorecon -R -v /srv/.*l2tpd
201 STANDARD FILE CONTEXT
203 SELinux defines the file context types for the l2tpd, if you wanted to
205 store files with these types in a different paths, you need to execute
206 the semanage command to specify alternate labeling and then use re‐
207 storecon to put the labels on disk.
208 semanage fcontext -a -t l2tpd_exec_t '/srv/l2tpd/content(/.*)?'
210 restorecon -R -v /srv/myl2tpd_content
211 Note: SELinux often uses regular expressions to specify labels that
213 match multiple files.
214 The following file types are defined for l2tpd:
216 l2tpd_exec_t
220 - Set files with the l2tpd_exec_t type, if you want to transition an
222 executable to the l2tpd_t domain.
223 Paths:
226 /usr/sbin/.*l2tpd, /usr/libexec/nm-l2tp-service
227 l2tpd_initrc_exec_t
230 - Set files with the l2tpd_initrc_exec_t type, if you want to transi‐
232 tion an executable to the l2tpd_initrc_t domain.
233 l2tpd_tmp_t
237 - Set files with the l2tpd_tmp_t type, if you want to store l2tpd tem‐
239 porary files in the /tmp directories.
240 l2tpd_var_run_t
244 - Set files with the l2tpd_var_run_t type, if you want to store the
246 l2tpd files under the /run or /var/run directory.
247 Paths:
250 /var/run/*.xl2tpd.*, /var/run/.*l2tpd.pid, /var/run/.*l2tpd(/.*)?,
251 /var/run/prol2tpd.ctl
252 Note: File context can be temporarily modified with the chcon command.
255 If you want to permanently change the file context you need to use the
256 semanage fcontext command. This will modify the SELinux labeling data‐
257 base. You will need to use restorecon to apply the labels.
258
261 semanage fcontext can also be used to manipulate default file context
262 mappings.
263 semanage permissive can also be used to manipulate whether or not a
265 process type is permissive.
266 semanage module can also be used to enable/disable/install/remove pol‐
268 icy modules.
269 semanage port can also be used to manipulate the port definitions
271 semanage boolean can also be used to manipulate the booleans
273 system-config-selinux is a GUI tool available to customize SELinux pol‐
276 icy settings.
277
280 This manual page was auto-generated using sepolicy manpage .
281
284 selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1), sepol‐
285 icy(8), setsebool(8)
286l2tpd 23-12-15 l2tpd_selinux(8)