winbind_rpcd_selinux(8)        SELinux Policy winbind_rpcd        winbind_rpcd_selinux(8)

NAME
winbind_rpcd_selinux - Security Enhanced Linux Policy for the winbind_rpcd processes

DESCRIPTION
Security-Enhanced Linux secures the winbind_rpcd processes via flexible mandatory access control.

The winbind_rpcd processes execute with the winbind_rpcd_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep winbind_rpcd_t

ENTRYPOINTS
The winbind_rpcd_t SELinux type can be entered via the winbind_rpcd_exec_t file type.

The default entrypoint paths for the winbind_rpcd_t domain are the following:

/usr/libexec/samba/rpcd_lsad, /usr/libexec/samba/samba-dcerpcd
PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux winbind_rpcd policy is very flexible, allowing users to set up their winbind_rpcd processes in as secure a manner as possible.

The following process types are defined for winbind_rpcd:

winbind_rpcd_t

Note: semanage permissive -a winbind_rpcd_t can be used to make the process type winbind_rpcd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.

BOOLEANS
SELinux policy is customizable based on the least access required. winbind_rpcd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind_rpcd with the tightest access possible.
If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow samba to act as the domain controller, add users and groups, and change passwords, you must turn on the samba_domain_controller boolean. Disabled by default.

setsebool -P samba_domain_controller 1

If you want to allow samba and winbind-rpcd to share users' home directories, you must turn on the samba_enable_home_dirs boolean. Disabled by default.

setsebool -P samba_enable_home_dirs 1

If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean. Disabled by default.

setsebool -P samba_export_all_ro 1

If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean. Disabled by default.

setsebool -P samba_export_all_rw 1

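As an added example (not part of the sepolicy-generated man page), the following script audits the booleans above from the text of a getsebool -a listing, reporting each access-widening samba boolean that is enabled together with the setsebool command that turns it back off. The sample listing is constructed, and treating all four samba booleans as "off" in a least-access baseline is an assumption of the example, not a statement of the policy.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: audit the
# samba/winbind_rpcd booleans listed above from the text of "getsebool -a",
# so it can run offline on a captured listing. Live use:
#   getsebool -a | audit_booleans

# Constructed sample of "getsebool -a" output (only the relevant lines).
SAMPLE_GETSEBOOL='fips_mode --> on
nis_enabled --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on'

# Booleans that widen what samba/winbind_rpcd may reach. Treating "off" as
# the least-access baseline for all four is an assumption of this example;
# the man page only states that they are disabled by default.
BROAD_BOOLEANS='samba_domain_controller samba_enable_home_dirs
samba_export_all_ro samba_export_all_rw'

# bool_value NAME: read getsebool text on stdin, print on/off for NAME,
# or "unknown" when the boolean is not in the listing.
bool_value() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { if (!found) print "unknown" }'
}

# audit_booleans: read getsebool text on stdin and print one line per broad
# boolean that is enabled, with the command that turns it back off.
# Always exits 0; the findings are the output.
audit_booleans() {
    text=$(cat)
    for b in $BROAD_BOOLEANS; do
        v=$(printf '%s\n' "$text" | bool_value "$b")
        if [ "$v" = "on" ]; then
            printf '%s=on (tighten with: setsebool -P %s 0)\n' "$b" "$b"
        fi
    done
    return 0
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans
```

Run it on a live host by replacing the final line with getsebool -a | audit_booleans; an empty result means none of the broad booleans is enabled.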
MANAGED FILES
The SELinux process type winbind_rpcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

non_security_file_type

noxattrfs

all files on file systems which do not support extended attributes

samba_log_t

/var/log/samba(/.*)?

samba_share_t

use this label for random content that will be shared using samba

smbd_tmp_t

user_home_type

all user home files

winbind_rpcd_tmp_t

winbind_rpcd_var_run_t

winbind_var_run_t

/var/run/winbindd(/.*)?
/var/run/samba/winbindd(/.*)?
/var/lib/samba/winbindd_privileged(/.*)?
/var/cache/samba/winbindd_privileged(/.*)?

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux winbind_rpcd policy is very flexible, allowing users to set up their winbind_rpcd processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for winbind_rpcd. If you want to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t winbind_rpcd_exec_t '/srv/winbind_rpcd/content(/.*)?'
restorecon -R -v /srv/mywinbind_rpcd_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for winbind_rpcd:

winbind_rpcd_exec_t

- Set files with the winbind_rpcd_exec_t type, if you want to transition an executable to the winbind_rpcd_t domain.

Paths:
/usr/libexec/samba/rpcd_lsad, /usr/libexec/samba/samba-dcerpcd

winbind_rpcd_tmp_t

- Set files with the winbind_rpcd_tmp_t type, if you want to store winbind rpcd temporary files in the /tmp directories.

winbind_rpcd_var_run_t

- Set files with the winbind_rpcd_var_run_t type, if you want to store the winbind rpcd files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

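As an added example (not part of the sepolicy-generated man page), the following script checks that the entrypoint executables and the samba log directory listed above carry the file types this policy expects, working from the text of an ls -dZ listing so it runs offline. The listing is constructed, with samba-dcerpcd deliberately mislabeled to show what a finding looks like; the expected path-to-type pairs are the ones given above.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: compare the
# on-disk labels of winbind_rpcd entrypoints and log directory against the
# types this policy expects. Live use:
#   ls -dZ /usr/libexec/samba/rpcd_lsad /usr/libexec/samba/samba-dcerpcd \
#          /var/log/samba | check_labels

# Constructed sample of "ls -dZ" output: context, then path. samba-dcerpcd
# is deliberately mislabeled bin_t so the check has something to report.
SAMPLE_LS_Z='system_u:object_r:winbind_rpcd_exec_t:s0 /usr/libexec/samba/rpcd_lsad
system_u:object_r:bin_t:s0 /usr/libexec/samba/samba-dcerpcd
system_u:object_r:samba_log_t:s0 /var/log/samba'

# Expected "path type" pairs, taken from the entrypoint and managed-file
# lists above.
EXPECTED='/usr/libexec/samba/rpcd_lsad winbind_rpcd_exec_t
/usr/libexec/samba/samba-dcerpcd winbind_rpcd_exec_t
/var/log/samba samba_log_t'

# context_type CONTEXT: print the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_labels: read "ls -Z" text on stdin and print one line per expected
# path whose type differs, with the restorecon command that relabels it from
# the policy's file context database. Paths not in the listing are reported
# as absent. Always exits 0; the findings are the output.
check_labels() {
    listing=$(cat)
    printf '%s\n' "$EXPECTED" | while read -r path want; do
        ctx=$(printf '%s\n' "$listing" | awk -v p="$path" '$2 == p { print $1 }')
        if [ -z "$ctx" ]; then
            printf '%s absent from listing\n' "$path"
            continue
        fi
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf '%s has %s, expected %s; fix: restorecon -v %s\n' \
                "$path" "$have" "$want" "$path"
        fi
    done
    return 0
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LS_Z" | check_labels
```

A path that has been moved elsewhere shows up as absent here; for such a path the semanage fcontext rule shown above has to be added before restorecon can apply the label.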
COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), winbind_rpcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

winbind_rpcd        23-12-15        winbind_rpcd_selinux(8)