1dirsrvadmin_selinux(8) SELinux Policy dirsrvadmin dirsrvadmin_selinux(8)
2
3
4
6 dirsrvadmin_selinux - Security Enhanced Linux Policy for the dirsrvad‐
7 min processes
8
10 Security-Enhanced Linux secures the dirsrvadmin processes via flexible
11 mandatory access control.
12
13 The dirsrvadmin processes execute with the dirsrvadmin_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep dirsrvadmin_t
20
21
22
24 The dirsrvadmin_t SELinux type can be entered via the shell_exec_t,
25 dirsrvadmin_exec_t file types.
26
27 The default entrypoint paths for the dirsrvadmin_t domain are the fol‐
28 lowing:
29
30 /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*,
31 /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
32 /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/sash,
33 /usr/bin/tcsh, /usr/bin/yash, /usr/bin/mksh, /usr/bin/fish,
34 /usr/bin/bash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2,
35 /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin,
36 /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell,
37 /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge, /usr/libexec/cockpit-
38 agent, /usr/libexec/git-core/git-shell, /usr/sbin/stop-ds-admin,
39 /usr/sbin/start-ds-admin, /usr/sbin/restart-ds-admin
40
42 SELinux defines process types (domains) for each process running on the
43 system
44
45 You can see the context of a process using the -Z option to ps
46
47 Policy governs the access confined processes have to files. SELinux
48 dirsrvadmin policy is very flexible allowing users to setup their
49 dirsrvadmin processes in as secure a method as possible.
50
51 The following process types are defined for dirsrvadmin:
52
53 dirsrvadmin_t, dirsrvadmin_unconfined_script_t, dirsrvadmin_script_t
54
55 Note: semanage permissive -a dirsrvadmin_t can be used to make the
56 process type dirsrvadmin_t permissive. SELinux does not deny access to
57 permissive process types, but the AVC (SELinux denials) messages are
58 still generated.
59
60
62 SELinux policy is customizable based on least access required. dirsr‐
63 vadmin policy is extremely flexible and has several booleans that allow
64 you to manipulate the policy and run dirsrvadmin with the tightest
65 access possible.
66
67
68
69 If you want to allow all daemons to write corefiles to /, you must turn
70 on the daemons_dump_core boolean. Disabled by default.
71
72 setsebool -P daemons_dump_core 1
73
74
75
76 If you want to enable cluster mode for daemons, you must turn on the
77 daemons_enable_cluster_mode boolean. Enabled by default.
78
79 setsebool -P daemons_enable_cluster_mode 1
80
81
82
83 If you want to allow all daemons to use tcp wrappers, you must turn on
84 the daemons_use_tcp_wrapper boolean. Disabled by default.
85
86 setsebool -P daemons_use_tcp_wrapper 1
87
88
89
90 If you want to allow all daemons the ability to read/write terminals,
91 you must turn on the daemons_use_tty boolean. Disabled by default.
92
93 setsebool -P daemons_use_tty 1
94
95
96
97 If you want to deny any process from ptracing or debugging any other
98 processes, you must turn on the deny_ptrace boolean. Enabled by
99 default.
100
101 setsebool -P deny_ptrace 1
102
103
104
105 If you want to allow any process to mmap any file on system with
106 attribute file_type, you must turn on the domain_can_mmap_files bool‐
107 ean. Enabled by default.
108
109 setsebool -P domain_can_mmap_files 1
110
111
112
113 If you want to allow all domains write to kmsg_device, while kernel is
114 executed with systemd.log_target=kmsg parameter, you must turn on the
115 domain_can_write_kmsg boolean. Disabled by default.
116
117 setsebool -P domain_can_write_kmsg 1
118
119
120
121 If you want to allow all domains to use other domains file descriptors,
122 you must turn on the domain_fd_use boolean. Enabled by default.
123
124 setsebool -P domain_fd_use 1
125
126
127
128 If you want to allow all domains to have the kernel load modules, you
129 must turn on the domain_kernel_load_modules boolean. Disabled by
130 default.
131
132 setsebool -P domain_kernel_load_modules 1
133
134
135
136 If you want to allow all domains to execute in fips_mode, you must turn
137 on the fips_mode boolean. Enabled by default.
138
139 setsebool -P fips_mode 1
140
141
142
143 If you want to enable reading of urandom for all domains, you must turn
144 on the global_ssp boolean. Disabled by default.
145
146 setsebool -P global_ssp 1
147
148
149
151 The SELinux process type dirsrvadmin_t can manage files labeled with
152 the following file types. The paths listed are the default paths for
153 these file types. Note the processes UID still need to have DAC per‐
154 missions.
155
156 cluster_conf_t
157
158 /etc/cluster(/.*)?
159
160 cluster_var_lib_t
161
162 /var/lib/pcsd(/.*)?
163 /var/lib/cluster(/.*)?
164 /var/lib/openais(/.*)?
165 /var/lib/pengine(/.*)?
166 /var/lib/corosync(/.*)?
167 /usr/lib/heartbeat(/.*)?
168 /var/lib/heartbeat(/.*)?
169 /var/lib/pacemaker(/.*)?
170
171 cluster_var_run_t
172
173 /var/run/crm(/.*)?
174 /var/run/cman_.*
175 /var/run/rsctmp(/.*)?
176 /var/run/aisexec.*
177 /var/run/heartbeat(/.*)?
178 /var/run/corosync-qnetd(/.*)?
179 /var/run/corosync-qdevice(/.*)?
180 /var/run/cpglockd.pid
181 /var/run/corosync.pid
182 /var/run/rgmanager.pid
183 /var/run/cluster/rgmanager.sk
184
185 dirsrvadmin_tmp_t
186
187
188 root_t
189
190 /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
191 /
192 /initrd
193
194
196 SELinux requires files to have an extended attribute to define the file
197 type.
198
199 You can see the context of a file using the -Z option to ls
200
201 Policy governs the access confined processes have to these files.
202 SELinux dirsrvadmin policy is very flexible allowing users to setup
203 their dirsrvadmin processes in as secure a method as possible.
204
205 STANDARD FILE CONTEXT
206
207 SELinux defines the file context types for the dirsrvadmin, if you
208 wanted to store files with these types in a diffent paths, you need to
209 execute the semanage command to sepecify alternate labeling and then
210 use restorecon to put the labels on disk.
211
212 semanage fcontext -a -t dirsrvadmin_unit_file_t '/srv/mydirsrvad‐
213 min_content(/.*)?'
214 restorecon -R -v /srv/mydirsrvadmin_content
215
216 Note: SELinux often uses regular expressions to specify labels that
217 match multiple files.
218
219 The following file types are defined for dirsrvadmin:
220
221
222
223 dirsrvadmin_config_t
224
225 - Set files with the dirsrvadmin_config_t type, if you want to treat
226 the files as dirsrvadmin configuration data, usually stored under the
227 /etc directory.
228
229
230 Paths:
231 /etc/dirsrv/dsgw(/.*)?, /etc/dirsrv/admin-serv(/.*)?
232
233
234 dirsrvadmin_content_t
235
236 - Set files with the dirsrvadmin_content_t type, if you want to treat
237 the files as dirsrvadmin content.
238
239
240
241 dirsrvadmin_exec_t
242
243 - Set files with the dirsrvadmin_exec_t type, if you want to transition
244 an executable to the dirsrvadmin_t domain.
245
246
247 Paths:
248 /usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin,
249 /usr/sbin/restart-ds-admin
250
251
252 dirsrvadmin_htaccess_t
253
254 - Set files with the dirsrvadmin_htaccess_t type, if you want to treat
255 the file as a dirsrvadmin access file.
256
257
258
259 dirsrvadmin_lock_t
260
261 - Set files with the dirsrvadmin_lock_t type, if you want to treat the
262 files as dirsrvadmin lock data, stored under the /var/lock directory
263
264
265
266 dirsrvadmin_ra_content_t
267
268 - Set files with the dirsrvadmin_ra_content_t type, if you want to
269 treat the files as dirsrvadmin read/append content.
270
271
272
273 dirsrvadmin_rw_content_t
274
275 - Set files with the dirsrvadmin_rw_content_t type, if you want to
276 treat the files as dirsrvadmin read/write content.
277
278
279
280 dirsrvadmin_script_exec_t
281
282 - Set files with the dirsrvadmin_script_exec_t type, if you want to
283 transition an executable to the dirsrvadmin_script_t domain.
284
285
286 Paths:
287 /usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?
288
289
290 dirsrvadmin_tmp_t
291
292 - Set files with the dirsrvadmin_tmp_t type, if you want to store
293 dirsrvadmin temporary files in the /tmp directories.
294
295
296
297 dirsrvadmin_unconfined_script_exec_t
298
299 - Set files with the dirsrvadmin_unconfined_script_exec_t type, if you
300 want to transition an executable to the dirsrvadmin_unconfined_script_t
301 domain.
302
303
304 Paths:
305 /usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-
306 bin/ds_remove
307
308
309 dirsrvadmin_unit_file_t
310
311 - Set files with the dirsrvadmin_unit_file_t type, if you want to treat
312 the files as dirsrvadmin unit content.
313
314
315
316 Note: File context can be temporarily modified with the chcon command.
317 If you want to permanently change the file context you need to use the
318 semanage fcontext command. This will modify the SELinux labeling data‐
319 base. You will need to use restorecon to apply the labels.
320
321
323 semanage fcontext can also be used to manipulate default file context
324 mappings.
325
326 semanage permissive can also be used to manipulate whether or not a
327 process type is permissive.
328
329 semanage module can also be used to enable/disable/install/remove pol‐
330 icy modules.
331
332 semanage boolean can also be used to manipulate the booleans
333
334
335 system-config-selinux is a GUI tool available to customize SELinux pol‐
336 icy settings.
337
338
340 This manual page was auto-generated using sepolicy manpage .
341
342
344 selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1),
345 sepolicy(8) , setsebool(8), dirsrvadmin_script_selinux(8), dirsrvad‐
346 min_script_selinux(8), dirsrvadmin_unconfined_script_selinux(8), dirsr‐
347 vadmin_unconfined_script_selinux(8)
348
349
350
351dirsrvadmin 19-04-25 dirsrvadmin_selinux(8)