1pki_ra_selinux(8) SELinux Policy pki_ra pki_ra_selinux(8)
2
6 pki_ra_selinux - Security Enhanced Linux Policy for the pki_ra pro‐
7 cesses
8
10 Security-Enhanced Linux secures the pki_ra processes via flexible
11 mandatory access control.
12 The pki_ra processes execute with the pki_ra_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep pki_ra_t
20
24 The pki_ra_t SELinux type can be entered via the pki_ra_exec_t,
25 httpd_exec_t file types.
26 The default entrypoint paths for the pki_ra_t domain are the following:
28 /var/lib/pki-ra/pki-ra, /usr/sbin/httpd(.worker)?,
30 /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?,
31 /usr/share/jetty/bin/jetty.sh, /usr/sbin/nginx, /usr/sbin/thttpd,
32 /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
33 /usr/sbin/httpd.event, /usr/bin/mongrel_rails, /usr/sbin/htcacheclean
34
36 SELinux defines process types (domains) for each process running on the
37 system
38 You can see the context of a process using the -Z option to ps
40 Policy governs the access confined processes have to files. SELinux
42 pki_ra policy is very flexible allowing users to setup their pki_ra
43 processes in as secure a method as possible.
44 The following process types are defined for pki_ra:
46 pki_ra_t
48 Note: semanage permissive -a pki_ra_t can be used to make the process
50 type pki_ra_t permissive. SELinux does not deny access to permissive
51 process types, but the AVC (SELinux denials) messages are still gener‐
52 ated.
53
56 SELinux policy is customizable based on least access required. pki_ra
57 policy is extremely flexible and has several booleans that allow you to
58 manipulate the policy and run pki_ra with the tightest access possible.
59 If you want to allow users to resolve user passwd entries directly from
63 ldap rather then using a sssd server, you must turn on the authlo‐
64 gin_nsswitch_use_ldap boolean. Disabled by default.
65 setsebool -P authlogin_nsswitch_use_ldap 1
67 If you want to allow all daemons to write corefiles to /, you must turn
71 on the daemons_dump_core boolean. Disabled by default.
72 setsebool -P daemons_dump_core 1
74 If you want to enable cluster mode for daemons, you must turn on the
78 daemons_enable_cluster_mode boolean. Enabled by default.
79 setsebool -P daemons_enable_cluster_mode 1
81 If you want to allow all daemons to use tcp wrappers, you must turn on
85 the daemons_use_tcp_wrapper boolean. Disabled by default.
86 setsebool -P daemons_use_tcp_wrapper 1
88 If you want to allow all daemons the ability to read/write terminals,
92 you must turn on the daemons_use_tty boolean. Disabled by default.
93 setsebool -P daemons_use_tty 1
95 If you want to deny any process from ptracing or debugging any other
99 processes, you must turn on the deny_ptrace boolean. Enabled by
100 default.
101 setsebool -P deny_ptrace 1
103 If you want to allow any process to mmap any file on system with
107 attribute file_type, you must turn on the domain_can_mmap_files bool‐
108 ean. Enabled by default.
109 setsebool -P domain_can_mmap_files 1
111 If you want to allow all domains write to kmsg_device, while kernel is
115 executed with systemd.log_target=kmsg parameter, you must turn on the
116 domain_can_write_kmsg boolean. Disabled by default.
117 setsebool -P domain_can_write_kmsg 1
119 If you want to allow all domains to use other domains file descriptors,
123 you must turn on the domain_fd_use boolean. Enabled by default.
124 setsebool -P domain_fd_use 1
126 If you want to allow all domains to have the kernel load modules, you
130 must turn on the domain_kernel_load_modules boolean. Disabled by
131 default.
132 setsebool -P domain_kernel_load_modules 1
134 If you want to allow all domains to execute in fips_mode, you must turn
138 on the fips_mode boolean. Enabled by default.
139 setsebool -P fips_mode 1
141 If you want to enable reading of urandom for all domains, you must turn
145 on the global_ssp boolean. Disabled by default.
146 setsebool -P global_ssp 1
148 If you want to allow confined applications to run with kerberos, you
152 must turn on the kerberos_enabled boolean. Enabled by default.
153 setsebool -P kerberos_enabled 1
155 If you want to allow system to run with NIS, you must turn on the
159 nis_enabled boolean. Disabled by default.
160 setsebool -P nis_enabled 1
162 If you want to allow confined applications to use nscd shared memory,
166 you must turn on the nscd_use_shm boolean. Disabled by default.
167 setsebool -P nscd_use_shm 1
169
173 SELinux defines port types to represent TCP and UDP ports.
174 You can see the types associated with a port by using the following
176 command:
177 semanage port -l
179 Policy governs the access confined processes have to these ports.
182 SELinux pki_ra policy is very flexible allowing users to setup their
183 pki_ra processes in as secure a method as possible.
184 The following port types are defined for pki_ra:
186 pki_ra_port_t
189 Default Defined Ports:
193 tcp 12888-12889
194
196 The SELinux process type pki_ra_t can manage files labeled with the
197 following file types. The paths listed are the default paths for these
198 file types. Note the processes UID still need to have DAC permissions.
199 cluster_conf_t
201 /etc/cluster(/.*)?
203 cluster_var_lib_t
205 /var/lib/pcsd(/.*)?
207 /var/lib/cluster(/.*)?
208 /var/lib/openais(/.*)?
209 /var/lib/pengine(/.*)?
210 /var/lib/corosync(/.*)?
211 /usr/lib/heartbeat(/.*)?
212 /var/lib/heartbeat(/.*)?
213 /var/lib/pacemaker(/.*)?
214 cluster_var_run_t
216 /var/run/crm(/.*)?
218 /var/run/cman_.*
219 /var/run/rsctmp(/.*)?
220 /var/run/aisexec.*
221 /var/run/heartbeat(/.*)?
222 /var/run/corosync-qnetd(/.*)?
223 /var/run/corosync-qdevice(/.*)?
224 /var/run/cpglockd.pid
225 /var/run/corosync.pid
226 /var/run/rgmanager.pid
227 /var/run/cluster/rgmanager.sk
228 mail_spool_t
230 /var/mail(/.*)?
232 /var/spool/imap(/.*)?
233 /var/spool/mail(/.*)?
234 /var/spool/smtpd(/.*)?
235 mqueue_spool_t
237 /var/spool/(client)?mqueue(/.*)?
239 /var/spool/mqueue.in(/.*)?
240 pki_common_t
242 /opt/nfast(/.*)?
244 pki_ra_etc_rw_t
246 /etc/pki-ra(/.*)?
248 /etc/sysconfig/pki/ra(/.*)?
249 pki_ra_lock_t
251 pki_ra_log_t
254 /var/log/pki-ra(/.*)?
256 pki_ra_tmp_t
258 pki_ra_var_lib_t
261 /var/lib/pki-ra(/.*)?
263 pki_ra_var_run_t
265 /var/run/pki/ra(/.*)?
267 root_t
269 /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
271 /
272 /initrd
273
276 SELinux requires files to have an extended attribute to define the file
277 type.
278 You can see the context of a file using the -Z option to ls
280 Policy governs the access confined processes have to these files.
282 SELinux pki_ra policy is very flexible allowing users to setup their
283 pki_ra processes in as secure a method as possible.
284 EQUIVALENCE DIRECTORIES
286 pki_ra policy stores data with multiple different file context types
289 under the /var/lib/pki-ra directory. If you would like to store the
290 data in a different directory you can use the semanage command to cre‐
291 ate an equivalence mapping. If you wanted to store this data under the
292 /srv dirctory you would execute the following command:
293 semanage fcontext -a -e /var/lib/pki-ra /srv/pki-ra
295 restorecon -R -v /srv/pki-ra
296 STANDARD FILE CONTEXT
298 SELinux defines the file context types for the pki_ra, if you wanted to
300 store files with these types in a diffent paths, you need to execute
301 the semanage command to sepecify alternate labeling and then use
302 restorecon to put the labels on disk.
303 semanage fcontext -a -t pki_ra_var_run_t '/srv/mypki_ra_content(/.*)?'
305 restorecon -R -v /srv/mypki_ra_content
306 Note: SELinux often uses regular expressions to specify labels that
308 match multiple files.
309 The following file types are defined for pki_ra:
311 pki_ra_etc_rw_t
315 - Set files with the pki_ra_etc_rw_t type, if you want to treat the
317 files as pki ra etc read/write content.
318 Paths:
321 /etc/pki-ra(/.*)?, /etc/sysconfig/pki/ra(/.*)?
322 pki_ra_exec_t
325 - Set files with the pki_ra_exec_t type, if you want to transition an
327 executable to the pki_ra_t domain.
328 pki_ra_lock_t
332 - Set files with the pki_ra_lock_t type, if you want to treat the files
334 as pki ra lock data, stored under the /var/lock directory
335 pki_ra_log_t
339 - Set files with the pki_ra_log_t type, if you want to treat the data
341 as pki ra log data, usually stored under the /var/log directory.
342 pki_ra_script_exec_t
346 - Set files with the pki_ra_script_exec_t type, if you want to transi‐
348 tion an executable to the pki_ra_script_t domain.
349 pki_ra_tmp_t
353 - Set files with the pki_ra_tmp_t type, if you want to store pki ra
355 temporary files in the /tmp directories.
356 pki_ra_tomcat_exec_t
360 - Set files with the pki_ra_tomcat_exec_t type, if you want to transi‐
362 tion an executable to the pki_ra_tomcat_t domain.
363 pki_ra_var_lib_t
367 - Set files with the pki_ra_var_lib_t type, if you want to store the
369 pki ra files under the /var/lib directory.
370 pki_ra_var_run_t
374 - Set files with the pki_ra_var_run_t type, if you want to store the
376 pki ra files under the /run or /var/run directory.
377 Note: File context can be temporarily modified with the chcon command.
381 If you want to permanently change the file context you need to use the
382 semanage fcontext command. This will modify the SELinux labeling data‐
383 base. You will need to use restorecon to apply the labels.
384
387 semanage fcontext can also be used to manipulate default file context
388 mappings.
389 semanage permissive can also be used to manipulate whether or not a
391 process type is permissive.
392 semanage module can also be used to enable/disable/install/remove pol‐
394 icy modules.
395 semanage port can also be used to manipulate the port definitions
397 semanage boolean can also be used to manipulate the booleans
399 system-config-selinux is a GUI tool available to customize SELinux pol‐
402 icy settings.
403
406 This manual page was auto-generated using sepolicy manpage .
407
410 selinux(8), pki_ra(8), semanage(8), restorecon(8), chcon(1), sepol‐
411 icy(8) , setsebool(8)
412pki_ra 19-04-25 pki_ra_selinux(8)