1prosody_selinux(8)          SELinux Policy prosody          prosody_selinux(8)
2
3
4

NAME

6       prosody_selinux  -  Security Enhanced Linux Policy for the prosody pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  prosody  processes  via  flexible
11       mandatory access control.
12
13       The  prosody processes execute with the prosody_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep prosody_t
20
21
22

ENTRYPOINTS

24       The  prosody_t  SELinux type can be entered via the prosody_exec_t file
25       type.
26
27       The default entrypoint paths for the prosody_t domain are  the  follow‐
28       ing:
29
30       /usr/bin/prosody, /usr/bin/prosodyctl
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       prosody  policy  is very flexible allowing users to setup their prosody
40       processes in as secure a method as possible.
41
42       The following process types are defined for prosody:
43
44       prosody_t
45
46       Note: semanage permissive -a prosody_t can be used to make the  process
47       type  prosody_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  prosody
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run prosody with the tightest access possi‐
56       ble.
57
58
59
60       If you want to permit to prosody to bind apache port. Need to be  acti‐
61       vated to use BOSH, you must turn on the prosody_bind_http_port boolean.
62       Disabled by default.
63
64       setsebool -P prosody_bind_http_port 1
65
66
67
68       If you want to allow users to resolve user passwd entries directly from
69       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
70       gin_nsswitch_use_ldap boolean. Disabled by default.
71
72       setsebool -P authlogin_nsswitch_use_ldap 1
73
74
75
76       If you want to allow all daemons to write corefiles to /, you must turn
77       on the daemons_dump_core boolean. Disabled by default.
78
79       setsebool -P daemons_dump_core 1
80
81
82
83       If  you  want  to enable cluster mode for daemons, you must turn on the
84       daemons_enable_cluster_mode boolean. Enabled by default.
85
86       setsebool -P daemons_enable_cluster_mode 1
87
88
89
90       If you want to allow all daemons to use tcp wrappers, you must turn  on
91       the daemons_use_tcp_wrapper boolean. Disabled by default.
92
93       setsebool -P daemons_use_tcp_wrapper 1
94
95
96
97       If  you  want to allow all daemons the ability to read/write terminals,
98       you must turn on the daemons_use_tty boolean. Disabled by default.
99
100       setsebool -P daemons_use_tty 1
101
102
103
104       If you want to deny any process from ptracing or  debugging  any  other
105       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
106       default.
107
108       setsebool -P deny_ptrace 1
109
110
111
112       If you want to allow any process  to  mmap  any  file  on  system  with
113       attribute  file_type,  you must turn on the domain_can_mmap_files bool‐
114       ean. Enabled by default.
115
116       setsebool -P domain_can_mmap_files 1
117
118
119
120       If you want to allow all domains write to kmsg_device, while kernel  is
121       executed  with  systemd.log_target=kmsg parameter, you must turn on the
122       domain_can_write_kmsg boolean. Disabled by default.
123
124       setsebool -P domain_can_write_kmsg 1
125
126
127
128       If you want to allow all domains to use other domains file descriptors,
129       you must turn on the domain_fd_use boolean. Enabled by default.
130
131       setsebool -P domain_fd_use 1
132
133
134
135       If  you  want to allow all domains to have the kernel load modules, you
136       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
137       default.
138
139       setsebool -P domain_kernel_load_modules 1
140
141
142
143       If you want to allow all domains to execute in fips_mode, you must turn
144       on the fips_mode boolean. Enabled by default.
145
146       setsebool -P fips_mode 1
147
148
149
150       If you want to enable reading of urandom for all domains, you must turn
151       on the global_ssp boolean. Disabled by default.
152
153       setsebool -P global_ssp 1
154
155
156
157       If  you  want  to allow confined applications to run with kerberos, you
158       must turn on the kerberos_enabled boolean. Enabled by default.
159
160       setsebool -P kerberos_enabled 1
161
162
163
164       If you want to allow system to run with  NIS,  you  must  turn  on  the
165       nis_enabled boolean. Disabled by default.
166
167       setsebool -P nis_enabled 1
168
169
170
171       If  you  want to allow confined applications to use nscd shared memory,
172       you must turn on the nscd_use_shm boolean. Disabled by default.
173
174       setsebool -P nscd_use_shm 1
175
176
177

PORT TYPES

179       SELinux defines port types to represent TCP and UDP ports.
180
181       You can see the types associated with a port  by  using  the  following
182       command:
183
184       semanage port -l
185
186
187       Policy  governs  the  access  confined  processes  have to these ports.
188       SELinux prosody policy is very flexible allowing users to  setup  their
189       prosody processes in as secure a method as possible.
190
191       The following port types are defined for prosody:
192
193
194       prosody_port_t
195
196
197
198       Default Defined Ports:
199                 tcp 5280-5281
200

MANAGED FILES

202       The  SELinux  process  type prosody_t can manage files labeled with the
203       following file types.  The paths listed are the default paths for these
204       file types.  Note the processes UID still need to have DAC permissions.
205
206       cluster_conf_t
207
208            /etc/cluster(/.*)?
209
210       cluster_var_lib_t
211
212            /var/lib/pcsd(/.*)?
213            /var/lib/cluster(/.*)?
214            /var/lib/openais(/.*)?
215            /var/lib/pengine(/.*)?
216            /var/lib/corosync(/.*)?
217            /usr/lib/heartbeat(/.*)?
218            /var/lib/heartbeat(/.*)?
219            /var/lib/pacemaker(/.*)?
220
221       cluster_var_run_t
222
223            /var/run/crm(/.*)?
224            /var/run/cman_.*
225            /var/run/rsctmp(/.*)?
226            /var/run/aisexec.*
227            /var/run/heartbeat(/.*)?
228            /var/run/corosync-qnetd(/.*)?
229            /var/run/corosync-qdevice(/.*)?
230            /var/run/cpglockd.pid
231            /var/run/corosync.pid
232            /var/run/rgmanager.pid
233            /var/run/cluster/rgmanager.sk
234
235       prosody_log_t
236
237            /var/log/prosody(/.*)?
238
239       prosody_tmp_t
240
241
242       prosody_var_lib_t
243
244            /var/lib/prosody(/.*)?
245
246       prosody_var_run_t
247
248            /var/run/prosody(/.*)?
249
250       root_t
251
252            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
253            /
254            /initrd
255
256

FILE CONTEXTS

258       SELinux requires files to have an extended attribute to define the file
259       type.
260
261       You can see the context of a file using the -Z option to ls
262
263       Policy governs the access  confined  processes  have  to  these  files.
264       SELinux  prosody  policy is very flexible allowing users to setup their
265       prosody processes in as secure a method as possible.
266
267       STANDARD FILE CONTEXT
268
269       SELinux defines the file context types for the prosody, if  you  wanted
270       to store files with these types in a diffent paths, you need to execute
271       the semanage command  to  sepecify  alternate  labeling  and  then  use
272       restorecon to put the labels on disk.
273
274       semanage   fcontext   -a   -t   prosody_var_run_t  '/srv/myprosody_con‐
275       tent(/.*)?'
276       restorecon -R -v /srv/myprosody_content
277
278       Note: SELinux often uses regular expressions  to  specify  labels  that
279       match multiple files.
280
281       The following file types are defined for prosody:
282
283
284
285       prosody_exec_t
286
287       -  Set files with the prosody_exec_t type, if you want to transition an
288       executable to the prosody_t domain.
289
290
291       Paths:
292            /usr/bin/prosody, /usr/bin/prosodyctl
293
294
295       prosody_log_t
296
297       - Set files with the prosody_log_t type, if you want to treat the  data
298       as prosody log data, usually stored under the /var/log directory.
299
300
301
302       prosody_tmp_t
303
304       -  Set  files with the prosody_tmp_t type, if you want to store prosody
305       temporary files in the /tmp directories.
306
307
308
309       prosody_unit_file_t
310
311       - Set files with the prosody_unit_file_t type, if you want to treat the
312       files as prosody unit content.
313
314
315
316       prosody_var_lib_t
317
318       -  Set  files with the prosody_var_lib_t type, if you want to store the
319       prosody files under the /var/lib directory.
320
321
322
323       prosody_var_run_t
324
325       - Set files with the prosody_var_run_t type, if you want to  store  the
326       prosody files under the /run or /var/run directory.
327
328
329
330       Note:  File context can be temporarily modified with the chcon command.
331       If you want to permanently change the file context you need to use  the
332       semanage fcontext command.  This will modify the SELinux labeling data‐
333       base.  You will need to use restorecon to apply the labels.
334
335

COMMANDS

337       semanage fcontext can also be used to manipulate default  file  context
338       mappings.
339
340       semanage  permissive  can  also  be used to manipulate whether or not a
341       process type is permissive.
342
343       semanage module can also be used to enable/disable/install/remove  pol‐
344       icy modules.
345
346       semanage port can also be used to manipulate the port definitions
347
348       semanage boolean can also be used to manipulate the booleans
349
350
351       system-config-selinux is a GUI tool available to customize SELinux pol‐
352       icy settings.
353
354

AUTHOR

356       This manual page was auto-generated using sepolicy manpage .
357
358

SEE ALSO

360       selinux(8), prosody(8), semanage(8),  restorecon(8),  chcon(1),  sepol‐
361       icy(8) , setsebool(8)
362
363
364
365prosody                            19-04-25                 prosody_selinux(8)
Impressum