apcupsd_selinux(8)

1apcupsd_selinux(8)          SELinux Policy apcupsd          apcupsd_selinux(8)
2
3
4

NAME

6       apcupsd_selinux  -  Security Enhanced Linux Policy for the apcupsd pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  apcupsd  processes  via  flexible
11       mandatory access control.
12
13       The  apcupsd processes execute with the apcupsd_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep apcupsd_t
20
21
22

ENTRYPOINTS

24       The  apcupsd_t  SELinux type can be entered via the apcupsd_exec_t file
25       type.
26
27       The default entrypoint paths for the apcupsd_t domain are  the  follow‐
28       ing:
29
30       /sbin/apcupsd, /usr/sbin/apcupsd
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       apcupsd  policy  is very flexible allowing users to setup their apcupsd
40       processes in as secure a method as possible.
41
42       The following process types are defined for apcupsd:
43
44       apcupsd_t, apcupsd_cgi_script_t
45
46       Note: semanage permissive -a apcupsd_t can be used to make the  process
47       type  apcupsd_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  apcupsd
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run apcupsd with the tightest access possi‐
56       ble.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all daemons to write corefiles to /, you must turn
69       on the daemons_dump_core boolean. Disabled by default.
70
71       setsebool -P daemons_dump_core 1
72
73
74
75       If  you  want  to enable cluster mode for daemons, you must turn on the
76       daemons_enable_cluster_mode boolean. Enabled by default.
77
78       setsebool -P daemons_enable_cluster_mode 1
79
80
81
82       If you want to allow all daemons to use tcp wrappers, you must turn  on
83       the daemons_use_tcp_wrapper boolean. Disabled by default.
84
85       setsebool -P daemons_use_tcp_wrapper 1
86
87
88
89       If  you  want to allow all daemons the ability to read/write terminals,
90       you must turn on the daemons_use_tty boolean. Disabled by default.
91
92       setsebool -P daemons_use_tty 1
93
94
95
96       If you want to deny any process from ptracing or  debugging  any  other
97       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
98       default.
99
100       setsebool -P deny_ptrace 1
101
102
103
104       If you want to allow any process  to  mmap  any  file  on  system  with
105       attribute  file_type,  you must turn on the domain_can_mmap_files bool‐
106       ean. Enabled by default.
107
108       setsebool -P domain_can_mmap_files 1
109
110
111
112       If you want to allow all domains write to kmsg_device, while kernel  is
113       executed  with  systemd.log_target=kmsg parameter, you must turn on the
114       domain_can_write_kmsg boolean. Disabled by default.
115
116       setsebool -P domain_can_write_kmsg 1
117
118
119
120       If you want to allow all domains to use other domains file descriptors,
121       you must turn on the domain_fd_use boolean. Enabled by default.
122
123       setsebool -P domain_fd_use 1
124
125
126
127       If  you  want to allow all domains to have the kernel load modules, you
128       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
129       default.
130
131       setsebool -P domain_kernel_load_modules 1
132
133
134
135       If you want to allow all domains to execute in fips_mode, you must turn
136       on the fips_mode boolean. Enabled by default.
137
138       setsebool -P fips_mode 1
139
140
141
142       If you want to enable reading of urandom for all domains, you must turn
143       on the global_ssp boolean. Disabled by default.
144
145       setsebool -P global_ssp 1
146
147
148
149       If  you  want  to allow confined applications to run with kerberos, you
150       must turn on the kerberos_enabled boolean. Enabled by default.
151
152       setsebool -P kerberos_enabled 1
153
154
155
156       If you want to allow system to run with  NIS,  you  must  turn  on  the
157       nis_enabled boolean. Disabled by default.
158
159       setsebool -P nis_enabled 1
160
161
162
163       If  you  want to allow confined applications to use nscd shared memory,
164       you must turn on the nscd_use_shm boolean. Disabled by default.
165
166       setsebool -P nscd_use_shm 1
167
168
169

PORT TYPES

171       SELinux defines port types to represent TCP and UDP ports.
172
173       You can see the types associated with a port  by  using  the  following
174       command:
175
176       semanage port -l
177
178
179       Policy  governs  the  access  confined  processes  have to these ports.
180       SELinux apcupsd policy is very flexible allowing users to  setup  their
181       apcupsd processes in as secure a method as possible.
182
183       The following port types are defined for apcupsd:
184
185
186       apcupsd_port_t
187
188
189
190       Default Defined Ports:
191                 tcp 3551
192                 udp 3551
193

MANAGED FILES

195       The  SELinux  process  type apcupsd_t can manage files labeled with the
196       following file types.  The paths listed are the default paths for these
197       file types.  Note the processes UID still need to have DAC permissions.
198
199       apcupsd_lock_t
200
201            /var/lock/LCK..
202            /var/lock/subsys/apcupsd
203
204       apcupsd_log_t
205
206            /var/log/apcupsd.events.*
207            /var/log/apcupsd.status.*
208
209       apcupsd_power_t
210
211            /etc/apcupsd/powerfail
212
213       apcupsd_tmp_t
214
215
216       apcupsd_var_run_t
217
218            /var/run/apcupsd.pid
219
220       cluster_conf_t
221
222            /etc/cluster(/.*)?
223
224       cluster_var_lib_t
225
226            /var/lib/pcsd(/.*)?
227            /var/lib/cluster(/.*)?
228            /var/lib/openais(/.*)?
229            /var/lib/pengine(/.*)?
230            /var/lib/corosync(/.*)?
231            /usr/lib/heartbeat(/.*)?
232            /var/lib/heartbeat(/.*)?
233            /var/lib/pacemaker(/.*)?
234
235       cluster_var_run_t
236
237            /var/run/crm(/.*)?
238            /var/run/cman_.*
239            /var/run/rsctmp(/.*)?
240            /var/run/aisexec.*
241            /var/run/heartbeat(/.*)?
242            /var/run/corosync-qnetd(/.*)?
243            /var/run/corosync-qdevice(/.*)?
244            /var/run/cpglockd.pid
245            /var/run/corosync.pid
246            /var/run/rgmanager.pid
247            /var/run/cluster/rgmanager.sk
248
249       etc_runtime_t
250
251            /[^/]+
252            /etc/mtab.*
253            /etc/blkid(/.*)?
254            /etc/nologin.*
255            /etc/.fstab.hal..+
256            /halt
257            /fastboot
258            /poweroff
259            /etc/cmtab
260            /forcefsck
261            /.autofsck
262            /.suspended
263            /fsckoptions
264            /var/.updated
265            /etc/.updated
266            /.autorelabel
267            /etc/securetty
268            /etc/nohotplug
269            /etc/killpower
270            /etc/ioctl.save
271            /etc/fstab.REVOKE
272            /etc/network/ifstate
273            /etc/sysconfig/hwconf
274            /etc/ptal/ptal-printd-like
275            /etc/sysconfig/iptables.save
276            /etc/xorg.conf.d/00-system-setup-keyboard.conf
277            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
278
279       initrc_var_run_t
280
281            /var/run/utmp
282            /var/run/random-seed
283            /var/run/runlevel.dir
284            /var/run/setmixer_flag
285
286       root_t
287
288            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
289            /
290            /initrd
291
292       systemd_passwd_var_run_t
293
294            /var/run/systemd/ask-password(/.*)?
295            /var/run/systemd/ask-password-block(/.*)?
296
297

FILE CONTEXTS

299       SELinux requires files to have an extended attribute to define the file
300       type.
301
302       You can see the context of a file using the -Z option to ls
303
304       Policy governs the access  confined  processes  have  to  these  files.
305       SELinux  apcupsd  policy is very flexible allowing users to setup their
306       apcupsd processes in as secure a method as possible.
307
308       STANDARD FILE CONTEXT
309
310       SELinux defines the file context types for the apcupsd, if  you  wanted
311       to store files with these types in a diffent paths, you need to execute
312       the semanage command  to  sepecify  alternate  labeling  and  then  use
313       restorecon to put the labels on disk.
314
315       semanage   fcontext   -a   -t   apcupsd_var_run_t  '/srv/myapcupsd_con‐
316       tent(/.*)?'
317       restorecon -R -v /srv/myapcupsd_content
318
319       Note: SELinux often uses regular expressions  to  specify  labels  that
320       match multiple files.
321
322       The following file types are defined for apcupsd:
323
324
325
326       apcupsd_cgi_content_t
327
328       -  Set  files with the apcupsd_cgi_content_t type, if you want to treat
329       the files as apcupsd cgi content.
330
331
332
333       apcupsd_cgi_htaccess_t
334
335       - Set files with the apcupsd_cgi_htaccess_t type, if you want to  treat
336       the file as a apcupsd cgi access file.
337
338
339
340       apcupsd_cgi_ra_content_t
341
342       -  Set  files  with  the  apcupsd_cgi_ra_content_t type, if you want to
343       treat the files as apcupsd cgi  read/append content.
344
345
346
347       apcupsd_cgi_rw_content_t
348
349       - Set files with the apcupsd_cgi_rw_content_t  type,  if  you  want  to
350       treat the files as apcupsd cgi read/write content.
351
352
353
354       apcupsd_cgi_script_exec_t
355
356       -  Set  files  with  the apcupsd_cgi_script_exec_t type, if you want to
357       transition an executable to the apcupsd_cgi_script_t domain.
358
359
360       Paths:
361            /var/www/cgi-bin/apcgui(/.*)?,      /var/www/apcupsd/multimon.cgi,
362            /var/www/apcupsd/upsimage.cgi,      /var/www/apcupsd/upsstats.cgi,
363            /var/www/apcupsd/upsfstats.cgi
364
365
366       apcupsd_exec_t
367
368       - Set files with the apcupsd_exec_t type, if you want to transition  an
369       executable to the apcupsd_t domain.
370
371
372       Paths:
373            /sbin/apcupsd, /usr/sbin/apcupsd
374
375
376       apcupsd_initrc_exec_t
377
378       - Set files with the apcupsd_initrc_exec_t type, if you want to transi‐
379       tion an executable to the apcupsd_initrc_t domain.
380
381
382
383       apcupsd_lock_t
384
385       - Set files with the apcupsd_lock_t type, if  you  want  to  treat  the
386       files as apcupsd lock data, stored under the /var/lock directory
387
388
389       Paths:
390            /var/lock/LCK.., /var/lock/subsys/apcupsd
391
392
393       apcupsd_log_t
394
395       -  Set files with the apcupsd_log_t type, if you want to treat the data
396       as apcupsd log data, usually stored under the /var/log directory.
397
398
399       Paths:
400            /var/log/apcupsd.events.*, /var/log/apcupsd.status.*
401
402
403       apcupsd_power_t
404
405       - Set files with the apcupsd_power_t type, if you  want  to  treat  the
406       files as apcupsd power data.
407
408
409
410       apcupsd_tmp_t
411
412       -  Set  files with the apcupsd_tmp_t type, if you want to store apcupsd
413       temporary files in the /tmp directories.
414
415
416
417       apcupsd_unit_file_t
418
419       - Set files with the apcupsd_unit_file_t type, if you want to treat the
420       files as apcupsd unit content.
421
422
423
424       apcupsd_var_run_t
425
426       -  Set  files with the apcupsd_var_run_t type, if you want to store the
427       apcupsd files under the /run or /var/run directory.
428
429
430
431       Note: File context can be temporarily modified with the chcon  command.
432       If  you want to permanently change the file context you need to use the
433       semanage fcontext command.  This will modify the SELinux labeling data‐
434       base.  You will need to use restorecon to apply the labels.
435
436

COMMANDS

438       semanage  fcontext  can also be used to manipulate default file context
439       mappings.
440
441       semanage permissive can also be used to manipulate  whether  or  not  a
442       process type is permissive.
443
444       semanage  module can also be used to enable/disable/install/remove pol‐
445       icy modules.
446
447       semanage port can also be used to manipulate the port definitions
448
449       semanage boolean can also be used to manipulate the booleans
450
451
452       system-config-selinux is a GUI tool available to customize SELinux pol‐
453       icy settings.
454
455

AUTHOR

457       This manual page was auto-generated using sepolicy manpage .
458
459