openshift_selinux(8)       SELinux Policy openshift       openshift_selinux(8)



NAME
       openshift_selinux - Security Enhanced Linux Policy for the openshift
       processes

DESCRIPTION
       Security-Enhanced Linux secures the openshift processes via flexible
       mandatory access control.

       The openshift processes execute with the openshift_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep openshift_t


ENTRYPOINTS
       The openshift_t SELinux type can be entered via the shell_exec_t,
       bin_t, openshift_file_type, usr_t, gpg_exec_t, httpd_exec_t and
       user_cron_spool_t file types.

       Because usr_t and bin_t are among these entrypoint types, the domain
       can be entered from nearly any executable under /usr and /opt; the
       confinement of openshift_t comes from the rules on the domain itself,
       not from which binary enters it.

       The default entrypoint paths for the openshift_t domain are the
       following:

       All executables with the default executable label, usually stored in
       /usr/bin and /usr/sbin. /bin/d?ash, /bin/zsh.*, /bin/ksh.*,
       /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh,
       /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2,
       /usr/bin/esh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
       /usr/bin/mksh, /usr/bin/fish, /usr/bin/bash, /sbin/nologin,
       /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly,
       /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc,
       /usr/bin/git-shell, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
       /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell, /usr/.*,
       /opt/.*, /emul/.*, /ostree(/.*)?, /export(/.*)?,
       /usr/doc(/.*)?/lib(/.*)?, /usr/inclu.e(/.*)?,
       /usr/share/doc(/.*)?/README.*, /usr, /opt, /emul, /usr/bin/gpg(2)?,
       /usr/lib/gnupg/.*, /usr/bin/gpgsm, /usr/sbin/httpd(.worker)?,
       /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?,
       /usr/share/jetty/bin/jetty.sh, /usr/sbin/nginx, /usr/sbin/thttpd,
       /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
       /usr/sbin/httpd.event, /usr/bin/mongrel_rails, /usr/sbin/htcacheclean,
       /var/spool/at(/.*)?, /var/spool/cron


PROCESS TYPES
       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openshift policy is very flexible, allowing users to set up their
       openshift processes in as secure a manner as possible.

       The following process types are defined for openshift:

       openshift_initrc_t, openshift_cgroup_read_t, openshift_net_read_t,
       openshift_cron_t, openshift_t, openshift_app_t, openshift_script_t

       Note: semanage permissive -a openshift_t can be used to make the
       process type openshift_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated. Treat this as a debugging aid: the logged denials
       show which rules are missing, and the permissive setting should be
       removed again once they are known, since while it is in place every
       tenant running as openshift_t is unconfined by this policy.


MCS Constrained
       The SELinux process type openshift_t is an MCS (Multi Category
       Security) constrained type. Sometimes this separation is referred to
       as sVirt. These types are usually used for securing multi-tenant
       environments, such as virtualization, containers or separation of
       users. The tools used to launch MCS types pick out a different MCS
       label for each process group.

       For example, one process might be launched with openshift_t:s0:c1,c2,
       and another process launched with openshift_t:s0:c3,c4. The SELinux
       kernel only allows these processes to write to content with a
       matching MCS label, or with the MCS label s0. A process running with
       the MCS level s0:c1,c2 is not allowed to write to content with the
       MCS label s0:c3,c4. The separation therefore only holds if every
       tenant's processes and files are consistently given their own
       categories; content left at plain s0 is writable by all of them.

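       The two labels above can be compared mechanically. The script below
       is an added example written for this page; it is not part of the
       openshift policy or of the sepolicy-generated text. It extracts the
       distinct MCS levels of openshift_t processes from a constructed
       ps -eZ listing (the check the DESCRIPTION section suggests) and then
       implements the MCS write rule as the reference policy's mcs
       constraint states it: a writer's category set must dominate (be a
       superset of) the target's, which is why plain s0 is writable by every
       process while s0:c1,c2 and s0:c3,c4 exclude each other. The function
       names, the ps output and the labels are all constructed for the
       demonstration.

```shell
#!/bin/sh
# Added example (not from the openshift policy or the sepolicy page).
# Constructed sample of `ps -eZ` output: label, PID, TTY, TIME, CMD.
SAMPLE_PS='
LABEL                                           PID TTY      TIME CMD
system_u:system_r:init_t:s0                       1 ?    00:00:01 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2301 pts/0 00:00:00 bash
unconfined_u:system_r:openshift_t:s0:c1,c2     4102 ?    00:00:03 httpd
unconfined_u:system_r:openshift_t:s0:c1,c2     4110 ?    00:00:00 ruby
unconfined_u:system_r:openshift_t:s0:c3,c4     4220 ?    00:00:02 node
'

# openshift_levels: the distinct MCS levels in use by openshift_t processes,
# one per line (the `ps -eZ | grep openshift_t` output reduced to the part of
# the label that separates the tenants).
openshift_levels() {
    printf '%s\n' "$SAMPLE_PS" \
        | awk '$1 ~ /:openshift_t:/ { sub(/^[^:]*:[^:]*:[^:]*:/, "", $1); print $1 }' \
        | sort -u
}

# mcs_categories CONTEXT_OR_LEVEL: print the category numbers of a label as a
# sorted, space-separated list. Accepts a bare level ("s0:c1,c2"), a full
# context ("user:role:type:s0:c1,c2") and range syntax ("s0:c1.c3" = c1,c2,c3);
# for a low-high level ("s0-s0:c0.c1023") the high end is used.
mcs_categories() {
    local level cats part lo hi n out
    level=${1#*:*:*:}            # drop "user:role:type:" if a context was given
    level=${level##*-}           # keep the high end of a "low-high" range
    case $level in
        *:*) cats=${level#*:} ;; # everything after the sensitivity ("s0:")
        *)   cats="" ;;          # plain "s0": no categories at all
    esac
    out=""
    for part in $(printf '%s' "$cats" | tr ',' ' '); do
        case $part in
            c*.c*) lo=${part%%.*}; hi=${part##*.}; lo=${lo#c}; hi=${hi#c}
                   n=$lo
                   while [ "$n" -le "$hi" ]; do out="$out $n"; n=$((n + 1)); done ;;
            c*)    out="$out ${part#c}" ;;
        esac
    done
    printf '%s\n' $out | sort -n -u | paste -sd ' ' -
}

# mcs_can_write WRITER TARGET: exit 0 when the writer's categories dominate
# (are a superset of) the target's, i.e. the MCS constraint permits the write;
# exit 1 otherwise. An empty target set (s0) is dominated by everything.
mcs_can_write() {
    local have need c
    have=" $(mcs_categories "$1") "
    need=$(mcs_categories "$2")
    for c in $need; do
        case $have in
            *" $c "*) ;;        # writer holds this category
            *) return 1 ;;      # one category missing: no dominance
        esac
    done
    return 0
}

# mcs_explain WRITER TARGET: human-readable verdict for a pair of labels.
mcs_explain() {
    if mcs_can_write "$1" "$2"; then
        printf '%-45s -> %-10s allowed\n' "$1" "$2"
    else
        printf '%-45s -> %-10s denied\n' "$1" "$2"
    fi
}

# Demo: the page's own example plus the two cases it implies.
echo "MCS levels in use by openshift_t:"; openshift_levels
mcs_explain 'unconfined_u:system_r:openshift_t:s0:c1,c2' 's0:c1,c2'
mcs_explain 'unconfined_u:system_r:openshift_t:s0:c1,c2' 's0'
mcs_explain 'unconfined_u:system_r:openshift_t:s0:c1,c2' 's0:c3,c4'
```

       On a live node the SAMPLE_PS text would be replaced by the real
       ps -eZ output; the dominance check itself takes labels as printed by
       ps -Z or ls -Z, so it can also be used to predict whether a given
       gear process may write a given file before any AVC denial appears.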

BOOLEANS
       SELinux policy is customizable based on least access required.
       openshift policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openshift with the tightest
       access possible.

       The -P option makes a change persistent across reboots and policy
       reloads; without it the setting is lost at the next boot. Note that
       several of the booleans below (the domain_* booleans, deny_ptrace,
       fips_mode and global_ssp) apply to every confined domain on the
       system, not only to openshift_t, so loosening them affects far more
       than the openshift processes.

       If you want to allow openshift to access nfs file systems without
       labels, you must turn on the openshift_use_nfs boolean. Disabled by
       default.

       setsebool -P openshift_use_nfs 1

       If you want to allow users to resolve user passwd entries directly
       from ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want crond to execute jobs in the user domain as opposed to
       the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device, while the
       kernel is executed with the systemd.log_target=kmsg parameter, you
       must turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must
       turn on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

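       Because most of these booleans are system-wide, it is worth checking a
       node against an intended baseline rather than toggling them one at a
       time. The script below is an added example written for this page, not
       code from the openshift policy or from sepolicy: it parses the
       "name --> on|off" lines that getsebool -a prints, compares them with a
       baseline, and prints the setsebool -P commands needed to close the
       gap. The baseline values, the sample getsebool output and the
       function name bool_drift are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the openshift policy or the sepolicy page): compare
# the booleans documented above against an intended baseline and emit the
# setsebool commands that would bring a host into line.

# Intended values, one "name on|off" per line. This baseline is an assumption
# for the demo: keep every default listed on the page except openshift_use_nfs,
# which is switched on for gears whose storage lives on unlabeled NFS.
OPENSHIFT_BOOL_BASELINE='
openshift_use_nfs on
authlogin_nsswitch_use_ldap off
cron_userdomain_transition on
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off
kerberos_enabled on
nis_enabled off
nscd_use_shm off
'

# Constructed sample of `getsebool -a` output ("name --> on|off") from a host
# that has drifted: NFS still off, ptrace protection off, module loading on,
# and nscd_use_shm missing from the loaded policy altogether.
SAMPLE_GETSEBOOL='
openshift_use_nfs --> off
authlogin_nsswitch_use_ldap --> off
cron_userdomain_transition --> on
deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> on
fips_mode --> on
global_ssp --> off
kerberos_enabled --> on
nis_enabled --> off
'

# bool_drift BASELINE GETSEBOOL_OUTPUT: print one "setsebool -P name value"
# line per boolean that differs from the baseline and a "# missing:" line for
# any baseline boolean the loaded policy does not define. Exit 1 if anything
# was reported, 0 if the host already matches the baseline.
bool_drift() {
    local baseline current name want have drift
    baseline=$1; current=$2; drift=0
    while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$current" \
               | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$have" ]; then
            printf '# missing: %s is not defined in the loaded policy\n' "$name"
            drift=1
        elif [ "$have" != "$want" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
            drift=1
        fi
    done <<EOF
$baseline
EOF
    return $drift
}

# Demo: on a real host replace SAMPLE_GETSEBOOL with "$(getsebool -a)".
bool_drift "$OPENSHIFT_BOOL_BASELINE" "$SAMPLE_GETSEBOOL" || echo "# drift detected"
```

       The output is deliberately a list of commands rather than an applied
       change, so it can be reviewed (or fed to a configuration management
       run) before any system-wide boolean is flipped.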

PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a manner as possible.

       The following port types are defined for openshift:

       openshift_port_t

       MANAGED FILES
              The SELinux process type openshift_t can manage files labeled
              with the following file types. The paths listed are the
              default paths for these file types. Note that the process's
              UID still needs DAC permissions: SELinux never grants an
              access that the ordinary file permissions deny.

              anon_inodefs_t

              hugetlbfs_t

                   /dev/hugepages
                   /usr/lib/udev/devices/hugepages

              nfs_t

              openshift_file_type

              openshift_tmpfs_t

              postfix_spool_t

                   /var/spool/postfix.*
                   /var/spool/postfix/defer(/.*)?
                   /var/spool/postfix/flush(/.*)?
                   /var/spool/postfix/deferred(/.*)?
                   /var/spool/postfix/maildrop(/.*)?

              security_t

                   /selinux


FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       openshift policy stores data with multiple different file context
       types under the /var/lib/openshift directory. If you would like to
       store the data in a different directory you can use the semanage
       command to create an equivalence mapping. If you wanted to store this
       data under the /srv directory you would execute the following
       commands:

       semanage fcontext -a -e /var/lib/openshift /srv/openshift
       restorecon -R -v /srv/openshift

       openshift policy stores data with multiple different file context
       types under the /var/lib/stickshift directory. If you would like to
       store the data in a different directory you can use the semanage
       command to create an equivalence mapping. If you wanted to store this
       data under the /srv directory you would execute the following
       commands:

       semanage fcontext -a -e /var/lib/stickshift /srv/stickshift
       restorecon -R -v /srv/stickshift

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openshift; if you wanted
       to store files with these types in different paths, you need to
       execute the semanage command to specify alternate labeling and then
       use restorecon to put the labels on disk.

       semanage fcontext -a -t openshift_var_run_t '/srv/myopenshift_content(/.*)?'
       restorecon -R -v /srv/myopenshift_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for openshift:

       openshift_cgroup_read_exec_t

       - Set files with the openshift_cgroup_read_exec_t type, if you want
       to transition an executable to the openshift_cgroup_read_t domain.

       openshift_cgroup_read_tmp_t

       - Set files with the openshift_cgroup_read_tmp_t type, if you want to
       store openshift cgroup read temporary files in the /tmp directories.

       openshift_content_t

       - Set files with the openshift_content_t type, if you want to treat
       the files as openshift content.

       openshift_cron_exec_t

       - Set files with the openshift_cron_exec_t type, if you want to
       transition an executable to the openshift_cron_t domain.

       openshift_cron_tmp_t

       - Set files with the openshift_cron_tmp_t type, if you want to store
       openshift cron temporary files in the /tmp directories.

       openshift_htaccess_t

       - Set files with the openshift_htaccess_t type, if you want to treat
       the file as an openshift access file.

       openshift_initrc_exec_t

       - Set files with the openshift_initrc_exec_t type, if you want to
       transition an executable to the openshift_initrc_t domain.

       Paths:
            /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer,
            /usr/s?bin/oo-admin-ctl-gears,
            /usr/s?bin/(oo|rhc)-restorer-wrapper.sh, /etc/rc.d/init.d/libra,
            /etc/rc.d/init.d/mcollective

       openshift_initrc_tmp_t

       - Set files with the openshift_initrc_tmp_t type, if you want to
       store openshift initrc temporary files in the /tmp directories.

       openshift_log_t

       - Set files with the openshift_log_t type, if you want to treat the
       data as openshift log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/openshift(/.*)?, /var/log/mcollective.log.*

       openshift_net_read_exec_t

       - Set files with the openshift_net_read_exec_t type, if you want to
       transition an executable to the openshift_net_read_t domain.

       openshift_ra_content_t

       - Set files with the openshift_ra_content_t type, if you want to
       treat the files as openshift read/append content.

       openshift_rw_content_t

       - Set files with the openshift_rw_content_t type, if you want to
       treat the files as openshift read/write content.

       openshift_rw_file_t

       - Set files with the openshift_rw_file_t type, if you want to treat
       the files as openshift read/write content.

       Paths:
            /var/lib/openshift/.*/data(/.*)?,
            /var/lib/stickshift/.*/data(/.*)?

       openshift_script_exec_t

       - Set files with the openshift_script_exec_t type, if you want to
       transition an executable to the openshift_script_t domain.

       openshift_tmp_t

       - Set files with the openshift_tmp_t type, if you want to store
       openshift temporary files in the /tmp directories.

       Paths:
            /var/lib/openshift/.*/.tmp(/.*)?,
            /var/lib/openshift/.*/.sandbox(/.*)?,
            /var/lib/stickshift/.*/.tmp(/.*)?,
            /var/lib/stickshift/.*/.sandbox(/.*)?

       openshift_tmpfs_t

       - Set files with the openshift_tmpfs_t type, if you want to store
       openshift files on a tmpfs file system.

       openshift_var_lib_t

       - Set files with the openshift_var_lib_t type, if you want to store
       the openshift files under the /var/lib directory.

       Paths:
            /var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)?,
            /var/lib/containers/home(/.*)?

       openshift_var_run_t

       - Set files with the openshift_var_run_t type, if you want to store
       the openshift files under the /run or /var/run directory.

       Paths:
            /var/run/openshift(/.*)?, /var/run/stickshift(/.*)?

       Note: File context can be temporarily modified with the chcon
       command; such a change is lost at the next relabel. If you want to
       permanently change the file context you need to use the semanage
       fcontext command. This will modify the SELinux labeling database.
       You will need to use restorecon to apply the labels.

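       The equivalence mapping and the regex specs above interact: the
       equivalence is applied to the path first, and the rewritten path is
       then matched against the specs, with the last matching entry taking
       precedence. The script below is an added example written for this
       page, not code from the openshift policy, sepolicy or libselinux; it
       models that lookup over a constructed subset of the page's own specs
       (ordered general to specific, as the policy's .fc file orders them)
       so you can predict what restorecon will assign before relabeling. The
       table, the "last match wins" ordering assumption and the function
       names fc_substitute and fc_lookup are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the openshift policy or the sepolicy page): a
# minimal matchpathcon-style lookup over a constructed labelling table, to
# show how the equivalence mapping and the regex specs above combine.

# Constructed subset of the page's specs in file_contexts syntax ("regex
# type"), general-to-specific as the policy orders them. The final entry is
# the STANDARD FILE CONTEXT example, appended last because a local
# customization is consulted after the policy's own specs. Assumed here: the
# last matching entry wins.
OPENSHIFT_FC='
/var/lib/openshift(/.*)?              openshift_var_lib_t
/var/lib/openshift/.*/data(/.*)?      openshift_rw_file_t
/var/lib/openshift/.*/.tmp(/.*)?      openshift_tmp_t
/var/lib/openshift/.*/.sandbox(/.*)?  openshift_tmp_t
/var/log/openshift(/.*)?              openshift_log_t
/var/run/openshift(/.*)?              openshift_var_run_t
/usr/s?bin/oo-admin-ctl-gears         openshift_initrc_exec_t
/srv/myopenshift_content(/.*)?        openshift_var_run_t
'

# Equivalence mappings ("target source"), what `semanage fcontext -a -e
# /var/lib/openshift /srv/openshift` records: a path under the target is
# rewritten to the source path before the regex table is consulted.
OPENSHIFT_SUBS='
/srv/openshift /var/lib/openshift
'

# fc_substitute PATH: apply the longest matching equivalence prefix, if any.
fc_substitute() {
    local path from to best_from best_to
    path=$1; best_from=""; best_to=""
    while read -r from to; do
        [ -n "$from" ] || continue
        if [ "$path" = "$from" ] || [ "${path#"$from"/}" != "$path" ]; then
            if [ ${#from} -gt ${#best_from} ]; then
                best_from=$from; best_to=$to
            fi
        fi
    done <<EOF
$OPENSHIFT_SUBS
EOF
    if [ -n "$best_from" ]; then
        printf '%s\n' "$best_to${path#"$best_from"}"
    else
        printf '%s\n' "$path"
    fi
}

# fc_lookup PATH: print the type PATH would receive, or "<<none>>" when no
# spec matches (restorecon would then leave the file's label alone).
fc_lookup() {
    local path re type match
    path=$(fc_substitute "$1"); match='<<none>>'
    while read -r re type; do
        [ -n "$re" ] || continue
        if printf '%s\n' "$path" | grep -Eqx -- "$re"; then
            match=$type            # keep going: a later spec overrides
        fi
    done <<EOF
$OPENSHIFT_FC
EOF
    printf '%s\n' "$match"
}

# Demo: gear data relocated to /srv, a gear sandbox, a log, the local
# customization, an init script, and a path the policy says nothing about.
for p in /srv/openshift/gear1/data/app.db /var/lib/openshift/gear1/.tmp/x \
         /srv/openshift /var/log/openshift/node.log \
         /srv/myopenshift_content/sock /usr/sbin/oo-admin-ctl-gears /etc/passwd
do
    printf '%-42s %s\n' "$p" "$(fc_lookup "$p")"
done
```

       The real decision is made by libselinux from the compiled
       file_contexts, file_contexts.local and the subs files, so use
       matchpathcon or "restorecon -n -v" on the live node for an
       authoritative answer; the value of the model is in seeing why a
       relocated data directory still ends up as openshift_rw_file_t rather
       than the generic openshift_var_lib_t.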

COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), openshift_app_selinux(8),
       openshift_cgroup_read_selinux(8), openshift_cron_selinux(8),
       openshift_initrc_selinux(8), openshift_net_read_selinux(8),
       openshift_script_selinux(8)


openshift                          19-04-25               openshift_selinux(8)