winbind_rpcd_selinux(8)   SELinux Policy winbind_rpcd  winbind_rpcd_selinux(8)

NAME

       winbind_rpcd_selinux - Security Enhanced Linux Policy for the
       winbind_rpcd processes

DESCRIPTION

       Security-Enhanced Linux secures the winbind_rpcd processes via flexible
       mandatory access control.

       The winbind_rpcd processes execute with the winbind_rpcd_t SELinux
       type. You can check whether these processes are running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep winbind_rpcd_t

ENTRYPOINTS

       The winbind_rpcd_t SELinux type can be entered via the
       winbind_rpcd_exec_t file type.

       The default entrypoint paths for the winbind_rpcd_t domain are the
       following:

       /usr/libexec/samba/rpcd_lsad, /usr/libexec/samba/samba-dcerpcd

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       winbind_rpcd policy is very flexible, allowing users to set up their
       winbind_rpcd processes in as secure a method as possible.

       The following process types are defined for winbind_rpcd:

       winbind_rpcd_t

       Note: semanage permissive -a winbind_rpcd_t can be used to make the
       process type winbind_rpcd_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.
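
       Because a permissive winbind_rpcd_t still produces AVC messages, the
       audit log shows what enforcing mode would block. The script below is an
       added example, not part of the generated manual page; summarize_avc and
       sample_audit_log are hypothetical names and the log lines are
       constructed.

```shell
#!/bin/sh
# Added example: summarize AVC denials whose source domain is winbind_rpcd_t.
# Reads audit.log-style lines on stdin and prints
#   <count> <permissive|enforced> <target type>:<class> { <perms> }

summarize_avc() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:winbind_rpcd_t:/ {
            # The permission list sits between the braces.
            perms = $0
            sub(/^.*[{] */, "", perms)
            sub(/ *[}].*$/, "", perms)
            ttype = ""; tclass = ""
            # Assumption: records without permissive=1 count as enforced.
            mode = "enforced"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ttype = ctx[3] }
                else if ($i ~ /^tclass=/) tclass = substr($i, 8)
                else if ($i == "permissive=1") mode = "permissive"
            }
            count[mode " " ttype ":" tclass " { " perms " }"]++
        }
        END { for (k in count) print count[k], k }' | sort
}

# Constructed sample records, not captured from a real host.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1702650001.101:311): avc:  denied  { read } for  pid=2101 comm="rpcd_lsad" name="example.dat" dev="dm-0" ino=4411 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1702650002.207:312): avc:  denied  { read } for  pid=2101 comm="rpcd_lsad" name="example.dat" dev="dm-0" ino=4411 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1702650003.310:313): avc:  denied  { write } for  pid=2140 comm="samba-dcerpcd" name="example.conf" dev="dm-0" ino=5520 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702650004.412:314): avc:  denied  { read } for  pid=1900 comm="smbd" name="example.dat" dev="dm-0" ino=4411 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

sample_audit_log | summarize_avc
```

       On a live system the same function can be fed from the audit log, for
       example with ausearch -m avc output.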

BOOLEANS

       SELinux policy is customizable based on least access required.
       winbind_rpcd policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run winbind_rpcd with the
       tightest access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow samba to act as the domain controller, add users,
       groups and change passwords, you must turn on the
       samba_domain_controller boolean. Disabled by default.

       setsebool -P samba_domain_controller 1

       If you want to allow samba and winbind-rpcd to share users' home
       directories, you must turn on the samba_enable_home_dirs boolean.
       Disabled by default.

       setsebool -P samba_enable_home_dirs 1

       If you want to allow samba to share any file/directory read only, you
       must turn on the samba_export_all_ro boolean. Disabled by default.

       setsebool -P samba_export_all_ro 1

       If you want to allow samba to share any file/directory read/write, you
       must turn on the samba_export_all_rw boolean. Disabled by default.

       setsebool -P samba_export_all_rw 1
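
       To see which of these booleans have been changed from the defaults
       documented above, getsebool -a output can be compared against the
       list. The script below is an added example, not part of the generated
       manual page; audit_booleans, sample_getsebool and DOCUMENTED_DEFAULTS
       are hypothetical names and the sample input is constructed.

```shell
#!/bin/sh
# Added example: report booleans that differ from the defaults listed in the
# BOOLEANS section. Input is `getsebool -a` style text: "<name> --> <on|off>".

# Defaults as documented on this page.
DOCUMENTED_DEFAULTS="fips_mode=on nis_enabled=off samba_domain_controller=off \
samba_enable_home_dirs=off samba_export_all_ro=off samba_export_all_rw=off"

# Prints one line per boolean that drifted from, or is missing in, the input.
audit_booleans() {
    awk -v defaults="$DOCUMENTED_DEFAULTS" '
        BEGIN {
            n = split(defaults, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        # Remember the live state of every boolean this page documents.
        $2 == "-->" && ($1 in want) { have[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                b = order[i]
                if (!(b in have))
                    printf "MISSING %s (documented default: %s)\n", b, want[b]
                else if (have[b] != want[b])
                    printf "DRIFT %s is %s (documented default: %s)\n", b, have[b], want[b]
            }
        }'
}

# Constructed sample input, not captured from a real host.
sample_getsebool() {
    cat <<'EOF'
fips_mode --> on
httpd_can_network_connect --> off
nis_enabled --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
EOF
}

sample_getsebool | audit_booleans
```

       On a live system, run getsebool -a | audit_booleans; a DRIFT line for
       samba_export_all_rw means samba may share any file or directory
       read/write.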

MANAGED FILES

       The SELinux process type winbind_rpcd_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process UID still needs to have DAC
       permissions.

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       non_security_file_type

       noxattrfs

            all files on file systems which do not support extended attributes

       samba_log_t

            /var/log/samba(/.*)?

       samba_share_t

            use this label for random content that will be shared using samba

       smbd_tmp_t

       user_home_type

            all user home files

       winbind_rpcd_tmp_t

       winbind_rpcd_var_run_t

       winbind_var_run_t

            /var/run/winbindd(/.*)?
            /var/run/samba/winbindd(/.*)?
            /var/lib/samba/winbindd_privileged(/.*)?
            /var/cache/samba/winbindd_privileged(/.*)?

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux winbind_rpcd policy is very flexible, allowing users to set up
       their winbind_rpcd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for winbind_rpcd. If you want
       to store files with these types in different paths, you need to
       execute the semanage command to specify alternate labeling and then
       use restorecon to put the labels on disk.

       semanage fcontext -a -t winbind_rpcd_exec_t '/srv/winbind_rpcd/content(/.*)?'
       restorecon -R -v /srv/winbind_rpcd/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for winbind_rpcd:

       winbind_rpcd_exec_t

       - Set files with the winbind_rpcd_exec_t type, if you want to
       transition an executable to the winbind_rpcd_t domain.

       Paths:
            /usr/libexec/samba/rpcd_lsad, /usr/libexec/samba/samba-dcerpcd

       winbind_rpcd_tmp_t

       - Set files with the winbind_rpcd_tmp_t type, if you want to store
       winbind rpcd temporary files in the /tmp directories.

       winbind_rpcd_var_run_t

       - Set files with the winbind_rpcd_var_run_t type, if you want to store
       the winbind rpcd files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context, you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), winbind_rpcd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

winbind_rpcd                       23-12-15            winbind_rpcd_selinux(8)