neutron_selinux(8)

1neutron_selinux(8)          SELinux Policy neutron          neutron_selinux(8)
2
3
4

NAME

6       neutron_selinux  -  Security Enhanced Linux Policy for the neutron pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  neutron  processes  via  flexible
11       mandatory access control.
12
13       The  neutron processes execute with the neutron_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep neutron_t
20
21
22

ENTRYPOINTS

24       The  neutron_t  SELinux type can be entered via the neutron_exec_t file
25       type.
26
27       The default entrypoint paths for the neutron_t domain are  the  follow‐
28       ing:
29
30       /usr/bin/neutron-server,   /usr/bin/quantum-server,   /usr/bin/neutron-
31       l3-agent,     /usr/bin/neutron-rootwrap,     /usr/bin/quantum-l3-agent,
32       /usr/bin/neutron-ryu-agent,  /usr/bin/quantum-ryu-agent,  /usr/bin/neu‐
33       tron-dhcp-agent,  /usr/bin/quantum-dhcp-agent,  /usr/bin/neutron-lbaas-
34       agent,    /usr/bin/neutron-ovs-cleanup,   /usr/bin/quantum-ovs-cleanup,
35       /usr/bin/neutron-netns-cleanup,        /usr/bin/neutron-metadata-agent,
36       /usr/bin/neutron-ns-metadata-proxy, /usr/bin/neutron-linuxbridge-agent,
37       /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38       /usr/bin/quantum-openvswitch-agent
39

PROCESS TYPES

41       SELinux defines process types (domains) for each process running on the
42       system
43
44       You can see the context of a process using the -Z option to ps
45
46       Policy governs the access confined processes have  to  files.   SELinux
47       neutron  policy  is very flexible allowing users to setup their neutron
48       processes in as secure a method as possible.
49
50       The following process types are defined for neutron:
51
52       neutron_t
53
54       Note: semanage permissive -a neutron_t can be used to make the  process
55       type  neutron_t  permissive. SELinux does not deny access to permissive
56       process types, but the AVC (SELinux denials) messages are still  gener‐
57       ated.
58
59

BOOLEANS

61       SELinux policy is customizable based on least access required.  neutron
62       policy is extremely flexible and has several booleans that allow you to
63       manipulate  the  policy and run neutron with the tightest access possi‐
64       ble.
65
66
67
68       If you want to determine whether neutron can connect to all TCP  ports,
69       you must turn on the neutron_can_network boolean. Disabled by default.
70
71       setsebool -P neutron_can_network 1
72
73
74
75       If you want to allow users to resolve user passwd entries directly from
76       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
77       gin_nsswitch_use_ldap boolean. Disabled by default.
78
79       setsebool -P authlogin_nsswitch_use_ldap 1
80
81
82
83       If you want to allow all daemons to write corefiles to /, you must turn
84       on the daemons_dump_core boolean. Disabled by default.
85
86       setsebool -P daemons_dump_core 1
87
88
89
90       If you want to enable cluster mode for daemons, you must  turn  on  the
91       daemons_enable_cluster_mode boolean. Enabled by default.
92
93       setsebool -P daemons_enable_cluster_mode 1
94
95
96
97       If  you want to allow all daemons to use tcp wrappers, you must turn on
98       the daemons_use_tcp_wrapper boolean. Disabled by default.
99
100       setsebool -P daemons_use_tcp_wrapper 1
101
102
103
104       If you want to allow all daemons the ability to  read/write  terminals,
105       you must turn on the daemons_use_tty boolean. Disabled by default.
106
107       setsebool -P daemons_use_tty 1
108
109
110
111       If  you  want  to deny any process from ptracing or debugging any other
112       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
113       default.
114
115       setsebool -P deny_ptrace 1
116
117
118
119       If  you  want  to  allow  any  process  to mmap any file on system with
120       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
121       ean. Enabled by default.
122
123       setsebool -P domain_can_mmap_files 1
124
125
126
127       If  you want to allow all domains write to kmsg_device, while kernel is
128       executed with systemd.log_target=kmsg parameter, you must turn  on  the
129       domain_can_write_kmsg boolean. Disabled by default.
130
131       setsebool -P domain_can_write_kmsg 1
132
133
134
135       If you want to allow all domains to use other domains file descriptors,
136       you must turn on the domain_fd_use boolean. Enabled by default.
137
138       setsebool -P domain_fd_use 1
139
140
141
142       If you want to allow all domains to have the kernel load  modules,  you
143       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
144       default.
145
146       setsebool -P domain_kernel_load_modules 1
147
148
149
150       If you want to allow all domains to execute in fips_mode, you must turn
151       on the fips_mode boolean. Enabled by default.
152
153       setsebool -P fips_mode 1
154
155
156
157       If you want to enable reading of urandom for all domains, you must turn
158       on the global_ssp boolean. Disabled by default.
159
160       setsebool -P global_ssp 1
161
162
163
164       If you want to allow confined applications to run  with  kerberos,  you
165       must turn on the kerberos_enabled boolean. Enabled by default.
166
167       setsebool -P kerberos_enabled 1
168
169
170
171       If  you  want  to  allow  system  to run with NIS, you must turn on the
172       nis_enabled boolean. Disabled by default.
173
174       setsebool -P nis_enabled 1
175
176
177
178       If you want to allow confined applications to use nscd  shared  memory,
179       you must turn on the nscd_use_shm boolean. Disabled by default.
180
181       setsebool -P nscd_use_shm 1
182
183
184
185       If  you  want to allow unprivileged users to execute DDL statement, you
186       must turn  on  the  postgresql_selinux_users_ddl  boolean.  Enabled  by
187       default.
188
189       setsebool -P postgresql_selinux_users_ddl 1
190
191
192

PORT TYPES

194       SELinux defines port types to represent TCP and UDP ports.
195
196       You  can  see  the  types associated with a port by using the following
197       command:
198
199       semanage port -l
200
201
202       Policy governs the access  confined  processes  have  to  these  ports.
203       SELinux  neutron  policy is very flexible allowing users to setup their
204       neutron processes in as secure a method as possible.
205
206       The following port types are defined for neutron:
207
208
209       neutron_port_t
210
211
212
213       Default Defined Ports:
214                 tcp 8775,9696,9697
215

MANAGED FILES

217       The SELinux process type neutron_t can manage files  labeled  with  the
218       following file types.  The paths listed are the default paths for these
219       file types.  Note the processes UID still need to have DAC permissions.
220
221       cluster_conf_t
222
223            /etc/cluster(/.*)?
224
225       cluster_var_lib_t
226
227            /var/lib/pcsd(/.*)?
228            /var/lib/cluster(/.*)?
229            /var/lib/openais(/.*)?
230            /var/lib/pengine(/.*)?
231            /var/lib/corosync(/.*)?
232            /usr/lib/heartbeat(/.*)?
233            /var/lib/heartbeat(/.*)?
234            /var/lib/pacemaker(/.*)?
235
236       cluster_var_run_t
237
238            /var/run/crm(/.*)?
239            /var/run/cman_.*
240            /var/run/rsctmp(/.*)?
241            /var/run/aisexec.*
242            /var/run/heartbeat(/.*)?
243            /var/run/corosync-qnetd(/.*)?
244            /var/run/corosync-qdevice(/.*)?
245            /var/run/cpglockd.pid
246            /var/run/corosync.pid
247            /var/run/rgmanager.pid
248            /var/run/cluster/rgmanager.sk
249
250       faillog_t
251
252            /var/log/btmp.*
253            /var/log/faillog.*
254            /var/log/tallylog.*
255            /var/run/faillock(/.*)?
256
257       ifconfig_var_run_t
258
259            /var/run/netns(/.*)?
260
261       initrc_var_run_t
262
263            /var/run/utmp
264            /var/run/random-seed
265            /var/run/runlevel.dir
266            /var/run/setmixer_flag
267
268       krb5_host_rcache_t
269
270            /var/cache/krb5rcache(/.*)?
271            /var/tmp/nfs_0
272            /var/tmp/DNS_25
273            /var/tmp/host_0
274            /var/tmp/imap_0
275            /var/tmp/HTTP_23
276            /var/tmp/HTTP_48
277            /var/tmp/ldap_55
278            /var/tmp/ldap_487
279            /var/tmp/ldapmap1_0
280
281       krb5_keytab_t
282
283            /etc/krb5.keytab
284            /etc/krb5kdc/kadm5.keytab
285            /var/kerberos/krb5kdc/kadm5.keytab
286
287       lastlog_t
288
289            /var/log/lastlog.*
290
291       neutron_tmp_t
292
293
294       neutron_var_lib_t
295
296            /var/lib/neutron(/.*)?
297            /var/lib/quantum(/.*)?
298
299       neutron_var_run_t
300
301            /var/run/neutron(/.*)?
302            /var/run/quantum(/.*)?
303
304       root_t
305
306            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
307            /
308            /initrd
309
310       security_t
311
312            /selinux
313
314

FILE CONTEXTS

316       SELinux requires files to have an extended attribute to define the file
317       type.
318
319       You can see the context of a file using the -Z option to ls
320
321       Policy  governs  the  access  confined  processes  have to these files.
322       SELinux neutron policy is very flexible allowing users to  setup  their
323       neutron processes in as secure a method as possible.
324
325       STANDARD FILE CONTEXT
326
327       SELinux  defines  the file context types for the neutron, if you wanted
328       to store files with these types in a diffent paths, you need to execute
329       the  semanage  command  to  sepecify  alternate  labeling  and then use
330       restorecon to put the labels on disk.
331
332       semanage  fcontext   -a   -t   neutron_var_run_t   '/srv/myneutron_con‐
333       tent(/.*)?'
334       restorecon -R -v /srv/myneutron_content
335
336       Note:  SELinux  often  uses  regular expressions to specify labels that
337       match multiple files.
338
339       The following file types are defined for neutron:
340
341
342
343       neutron_exec_t
344
345       - Set files with the neutron_exec_t type, if you want to transition  an
346       executable to the neutron_t domain.
347
348
349       Paths:
350            /usr/bin/neutron-server,   /usr/bin/quantum-server,  /usr/bin/neu‐
351            tron-l3-agent,    /usr/bin/neutron-rootwrap,     /usr/bin/quantum-
352            l3-agent,  /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent,
353            /usr/bin/neutron-dhcp-agent,          /usr/bin/quantum-dhcp-agent,
354            /usr/bin/neutron-lbaas-agent,        /usr/bin/neutron-ovs-cleanup,
355            /usr/bin/quantum-ovs-cleanup,      /usr/bin/neutron-netns-cleanup,
356            /usr/bin/neutron-metadata-agent,     /usr/bin/neutron-ns-metadata-
357            proxy, /usr/bin/neutron-linuxbridge-agent,  /usr/bin/neutron-open‐
358            vswitch-agent,  /usr/bin/quantum-linuxbridge-agent, /usr/bin/quan‐
359            tum-openvswitch-agent
360
361
362       neutron_initrc_exec_t
363
364       - Set files with the neutron_initrc_exec_t type, if you want to transi‐
365       tion an executable to the neutron_initrc_t domain.
366
367
368       Paths:
369            /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
370
371
372       neutron_log_t
373
374       -  Set files with the neutron_log_t type, if you want to treat the data
375       as neutron log data, usually stored under the /var/log directory.
376
377
378       Paths:
379            /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
380
381
382       neutron_tmp_t
383
384       - Set files with the neutron_tmp_t type, if you want to  store  neutron
385       temporary files in the /tmp directories.
386
387
388
389       neutron_unit_file_t
390
391       - Set files with the neutron_unit_file_t type, if you want to treat the
392       files as neutron unit content.
393
394
395       Paths:
396            /usr/lib/systemd/system/neutron.*,   /usr/lib/systemd/system/quan‐
397            tum.*
398
399
400       neutron_var_lib_t
401
402       -  Set  files with the neutron_var_lib_t type, if you want to store the
403       neutron files under the /var/lib directory.
404
405
406       Paths:
407            /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
408
409
410       neutron_var_run_t
411
412       - Set files with the neutron_var_run_t type, if you want to  store  the
413       neutron files under the /run or /var/run directory.
414
415
416       Paths:
417            /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
418
419
420       Note:  File context can be temporarily modified with the chcon command.
421       If you want to permanently change the file context you need to use  the
422       semanage fcontext command.  This will modify the SELinux labeling data‐
423       base.  You will need to use restorecon to apply the labels.
424
425

COMMANDS

427       semanage fcontext can also be used to manipulate default  file  context
428       mappings.
429
430       semanage  permissive  can  also  be used to manipulate whether or not a
431       process type is permissive.
432
433       semanage module can also be used to enable/disable/install/remove  pol‐
434       icy modules.
435
436       semanage port can also be used to manipulate the port definitions
437
438       semanage boolean can also be used to manipulate the booleans
439
440
441       system-config-selinux is a GUI tool available to customize SELinux pol‐
442       icy settings.
443
444

AUTHOR

446       This manual page was auto-generated using sepolicy manpage .
447
448