nova_selinux(8)

1nova_selinux(8)               SELinux Policy nova              nova_selinux(8)
2
3
4

NAME

6       nova_selinux - Security Enhanced Linux Policy for the nova processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the nova processes via flexible manda‐
10       tory access control.
11
12       The nova processes execute with the nova_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep nova_t
19
20
21

ENTRYPOINTS

23       The nova_t SELinux type can be entered via the nova_exec_t file type.
24
25       The default entrypoint paths for the nova_t domain are the following:
26
27       /usr/bin/nova-console.*,     /usr/bin/nova-api,     /usr/bin/nova-cert,
28       /usr/bin/nova-cells,    /usr/bin/nova-volume,    /usr/bin/nova-network,
29       /usr/bin/nova-vncproxy,  /usr/bin/nova-conductor,  /usr/bin/nova-sched‐
30       uler,        /usr/bin/nova-direct-api,        /usr/bin/nova-novncproxy,
31       /usr/bin/nova-objectstore,  /usr/bin/nova-xvpvncproxy,   /usr/bin/nova-
32       serialproxy,  /usr/bin/nova-api-metadata,  /usr//bin/nova-api-metadata,
33       /usr/bin/nova-ajax-console-proxy
34

PROCESS TYPES

36       SELinux defines process types (domains) for each process running on the
37       system
38
39       You can see the context of a process using the -Z option to ps
40
41       Policy  governs  the  access confined processes have to files.  SELinux
42       nova policy is very flexible allowing users to setup  their  nova  pro‐
43       cesses in as secure a method as possible.
44
45       The following process types are defined for nova:
46
47       nova_t
48
49       Note:  semanage  permissive  -a  nova_t can be used to make the process
50       type nova_t permissive. SELinux does  not  deny  access  to  permissive
51       process  types, but the AVC (SELinux denials) messages are still gener‐
52       ated.
53
54

BOOLEANS

56       SELinux policy is customizable based on least  access  required.   nova
57       policy is extremely flexible and has several booleans that allow you to
58       manipulate the policy and run nova with the tightest access possible.
59
60
61
62       If you want to allow users to resolve user passwd entries directly from
63       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
64       gin_nsswitch_use_ldap boolean. Disabled by default.
65
66       setsebool -P authlogin_nsswitch_use_ldap 1
67
68
69
70       If you want to allow all daemons to write corefiles to /, you must turn
71       on the daemons_dump_core boolean. Disabled by default.
72
73       setsebool -P daemons_dump_core 1
74
75
76
77       If  you  want  to enable cluster mode for daemons, you must turn on the
78       daemons_enable_cluster_mode boolean. Enabled by default.
79
80       setsebool -P daemons_enable_cluster_mode 1
81
82
83
84       If you want to allow all daemons to use tcp wrappers, you must turn  on
85       the daemons_use_tcp_wrapper boolean. Disabled by default.
86
87       setsebool -P daemons_use_tcp_wrapper 1
88
89
90
91       If  you  want to allow all daemons the ability to read/write terminals,
92       you must turn on the daemons_use_tty boolean. Disabled by default.
93
94       setsebool -P daemons_use_tty 1
95
96
97
98       If you want to deny any process from ptracing or  debugging  any  other
99       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
100       default.
101
102       setsebool -P deny_ptrace 1
103
104
105
106       If you want to allow any process  to  mmap  any  file  on  system  with
107       attribute  file_type,  you must turn on the domain_can_mmap_files bool‐
108       ean. Enabled by default.
109
110       setsebool -P domain_can_mmap_files 1
111
112
113
114       If you want to allow all domains write to kmsg_device, while kernel  is
115       executed  with  systemd.log_target=kmsg parameter, you must turn on the
116       domain_can_write_kmsg boolean. Disabled by default.
117
118       setsebool -P domain_can_write_kmsg 1
119
120
121
122       If you want to allow all domains to use other domains file descriptors,
123       you must turn on the domain_fd_use boolean. Enabled by default.
124
125       setsebool -P domain_fd_use 1
126
127
128
129       If  you  want to allow all domains to have the kernel load modules, you
130       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
131       default.
132
133       setsebool -P domain_kernel_load_modules 1
134
135
136
137       If you want to allow all domains to execute in fips_mode, you must turn
138       on the fips_mode boolean. Enabled by default.
139
140       setsebool -P fips_mode 1
141
142
143
144       If you want to enable reading of urandom for all domains, you must turn
145       on the global_ssp boolean. Disabled by default.
146
147       setsebool -P global_ssp 1
148
149
150
151       If  you  want  to allow confined applications to run with kerberos, you
152       must turn on the kerberos_enabled boolean. Enabled by default.
153
154       setsebool -P kerberos_enabled 1
155
156
157
158       If you want to allow system to run with  NIS,  you  must  turn  on  the
159       nis_enabled boolean. Disabled by default.
160
161       setsebool -P nis_enabled 1
162
163
164
165       If  you  want to allow confined applications to use nscd shared memory,
166       you must turn on the nscd_use_shm boolean. Disabled by default.
167
168       setsebool -P nscd_use_shm 1
169
170
171

MANAGED FILES

173       The SELinux process type nova_t can manage files labeled with the  fol‐
174       lowing  file  types.   The paths listed are the default paths for these
175       file types.  Note the processes UID still need to have DAC permissions.
176
177       cluster_conf_t
178
179            /etc/cluster(/.*)?
180
181       cluster_var_lib_t
182
183            /var/lib/pcsd(/.*)?
184            /var/lib/cluster(/.*)?
185            /var/lib/openais(/.*)?
186            /var/lib/pengine(/.*)?
187            /var/lib/corosync(/.*)?
188            /usr/lib/heartbeat(/.*)?
189            /var/lib/heartbeat(/.*)?
190            /var/lib/pacemaker(/.*)?
191
192       cluster_var_run_t
193
194            /var/run/crm(/.*)?
195            /var/run/cman_.*
196            /var/run/rsctmp(/.*)?
197            /var/run/aisexec.*
198            /var/run/heartbeat(/.*)?
199            /var/run/corosync-qnetd(/.*)?
200            /var/run/corosync-qdevice(/.*)?
201            /var/run/cpglockd.pid
202            /var/run/corosync.pid
203            /var/run/rgmanager.pid
204            /var/run/cluster/rgmanager.sk
205
206       faillog_t
207
208            /var/log/btmp.*
209            /var/log/faillog.*
210            /var/log/tallylog.*
211            /var/run/faillock(/.*)?
212
213       initrc_var_run_t
214
215            /var/run/utmp
216            /var/run/random-seed
217            /var/run/runlevel.dir
218            /var/run/setmixer_flag
219
220       krb5_host_rcache_t
221
222            /var/cache/krb5rcache(/.*)?
223            /var/tmp/nfs_0
224            /var/tmp/DNS_25
225            /var/tmp/host_0
226            /var/tmp/imap_0
227            /var/tmp/HTTP_23
228            /var/tmp/HTTP_48
229            /var/tmp/ldap_55
230            /var/tmp/ldap_487
231            /var/tmp/ldapmap1_0
232
233       lastlog_t
234
235            /var/log/lastlog.*
236
237       nova_log_t
238
239            /var/log/nova(/.*)?
240
241       nova_tmp_t
242
243
244       nova_var_lib_t
245
246            /var/lib/nova(/.*)?
247
248       nova_var_run_t
249
250            /var/run/nova(/.*)?
251
252       root_t
253
254            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
255            /
256            /initrd
257
258       security_t
259
260            /selinux
261
262

FILE CONTEXTS

264       SELinux requires files to have an extended attribute to define the file
265       type.
266
267       You can see the context of a file using the -Z option to ls
268
269       Policy  governs  the  access  confined  processes  have to these files.
270       SELinux nova policy is very flexible allowing users to setup their nova
271       processes in as secure a method as possible.
272
273       STANDARD FILE CONTEXT
274
275       SELinux  defines  the file context types for the nova, if you wanted to
276       store files with these types in a diffent paths, you  need  to  execute
277       the  semanage  command  to  sepecify  alternate  labeling  and then use
278       restorecon to put the labels on disk.
279
280       semanage fcontext -a -t nova_var_run_t '/srv/mynova_content(/.*)?'
281       restorecon -R -v /srv/mynova_content
282
283       Note: SELinux often uses regular expressions  to  specify  labels  that
284       match multiple files.
285
286       The following file types are defined for nova:
287
288
289
290       nova_exec_t
291
292       -  Set  files  with  the nova_exec_t type, if you want to transition an
293       executable to the nova_t domain.
294
295
296       Paths:
297            /usr/bin/nova-console.*,  /usr/bin/nova-api,   /usr/bin/nova-cert,
298            /usr/bin/nova-cells,  /usr/bin/nova-volume, /usr/bin/nova-network,
299            /usr/bin/nova-vncproxy,  /usr/bin/nova-conductor,   /usr/bin/nova-
300            scheduler,   /usr/bin/nova-direct-api,   /usr/bin/nova-novncproxy,
301            /usr/bin/nova-objectstore,              /usr/bin/nova-xvpvncproxy,
302            /usr/bin/nova-serialproxy,             /usr/bin/nova-api-metadata,
303            /usr//bin/nova-api-metadata, /usr/bin/nova-ajax-console-proxy
304
305
306       nova_log_t
307
308       - Set files with the nova_log_t type, if you want to treat the data  as
309       nova log data, usually stored under the /var/log directory.
310
311
312
313       nova_tmp_t
314
315       -  Set files with the nova_tmp_t type, if you want to store nova tempo‐
316       rary files in the /tmp directories.
317
318
319
320       nova_unit_file_t
321
322       - Set files with the nova_unit_file_t type, if you want  to  treat  the
323       files as nova unit content.
324
325
326
327       nova_var_lib_t
328
329       - Set files with the nova_var_lib_t type, if you want to store the nova
330       files under the /var/lib directory.
331
332
333
334       nova_var_run_t
335
336       - Set files with the nova_var_run_t type, if you want to store the nova
337       files under the /run or /var/run directory.
338
339
340
341       Note:  File context can be temporarily modified with the chcon command.
342       If you want to permanently change the file context you need to use  the
343       semanage fcontext command.  This will modify the SELinux labeling data‐
344       base.  You will need to use restorecon to apply the labels.
345
346

COMMANDS

348       semanage fcontext can also be used to manipulate default  file  context
349       mappings.
350
351       semanage  permissive  can  also  be used to manipulate whether or not a
352       process type is permissive.
353
354       semanage module can also be used to enable/disable/install/remove  pol‐
355       icy modules.
356
357       semanage boolean can also be used to manipulate the booleans
358
359
360       system-config-selinux is a GUI tool available to customize SELinux pol‐
361       icy settings.
362
363

AUTHOR

365       This manual page was auto-generated using sepolicy manpage .
366
367