1zebra_selinux(8)             SELinux Policy zebra             zebra_selinux(8)
2
3
4

NAME

6       zebra_selinux - Security Enhanced Linux Policy for the zebra processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the zebra processes via flexible manda‐
10       tory access control.
11
12       The zebra processes execute with the  zebra_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep zebra_t
19
20
21

ENTRYPOINTS

23       The zebra_t SELinux type can be entered via the zebra_exec_t file type.
24
25       The default entrypoint paths for the zebra_t domain are the following:
26
27       /usr/sbin/rip.*,  /usr/sbin/ospf.*,   /usr/sbin/bgpd,   /usr/sbin/pimd,
28       /usr/sbin/isisd, /usr/sbin/nhrpd, /usr/sbin/zebra, /usr/sbin/babeld
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       zebra  policy is very flexible allowing users to setup their zebra pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for zebra:
41
42       zebra_t
43
44       Note: semanage permissive -a zebra_t can be used to  make  the  process
45       type  zebra_t  permissive.  SELinux  does not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is customizable based on least access required.  zebra
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run zebra with the tightest access possible.
54
55
56
57       If  you want to allow zebra daemon to write it configuration files, you
58       must turn on the zebra_write_config boolean. Disabled by default.
59
60       setsebool -P zebra_write_config 1
61
62
63
64       If you want to allow users to resolve user passwd entries directly from
65       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
66       gin_nsswitch_use_ldap boolean. Disabled by default.
67
68       setsebool -P authlogin_nsswitch_use_ldap 1
69
70
71
72       If you want to allow all domains to execute in fips_mode, you must turn
73       on the fips_mode boolean. Enabled by default.
74
75       setsebool -P fips_mode 1
76
77
78
79       If  you  want  to allow confined applications to run with kerberos, you
80       must turn on the kerberos_enabled boolean. Enabled by default.
81
82       setsebool -P kerberos_enabled 1
83
84
85
86       If you want to allow system to run with  NIS,  you  must  turn  on  the
87       nis_enabled boolean. Disabled by default.
88
89       setsebool -P nis_enabled 1
90
91
92
93       If  you  want to allow confined applications to use nscd shared memory,
94       you must turn on the nscd_use_shm boolean. Enabled by default.
95
96       setsebool -P nscd_use_shm 1
97
98
99

PORT TYPES

101       SELinux defines port types to represent TCP and UDP ports.
102
103       You can see the types associated with a port  by  using  the  following
104       command:
105
106       semanage port -l
107
108
109       Policy  governs  the  access  confined  processes  have to these ports.
110       SELinux zebra policy is very flexible allowing  users  to  setup  their
111       zebra processes in as secure a method as possible.
112
113       The following port types are defined for zebra:
114
115
116       zebra_port_t
117
118
119
120       Default Defined Ports:
121                 tcp 2606,2608-2609,2600-2604
122                 udp 2606,2608-2609,2600-2604
123

MANAGED FILES

125       The SELinux process type zebra_t can manage files labeled with the fol‐
126       lowing file types.  The paths listed are the default  paths  for  these
127       file types.  Note the processes UID still need to have DAC permissions.
128
129       cluster_conf_t
130
131            /etc/cluster(/.*)?
132
133       cluster_var_lib_t
134
135            /var/lib/pcsd(/.*)?
136            /var/lib/cluster(/.*)?
137            /var/lib/openais(/.*)?
138            /var/lib/pengine(/.*)?
139            /var/lib/corosync(/.*)?
140            /usr/lib/heartbeat(/.*)?
141            /var/lib/heartbeat(/.*)?
142            /var/lib/pacemaker(/.*)?
143
144       cluster_var_run_t
145
146            /var/run/crm(/.*)?
147            /var/run/cman_.*
148            /var/run/rsctmp(/.*)?
149            /var/run/aisexec.*
150            /var/run/heartbeat(/.*)?
151            /var/run/corosync-qnetd(/.*)?
152            /var/run/corosync-qdevice(/.*)?
153            /var/run/corosync.pid
154            /var/run/cpglockd.pid
155            /var/run/rgmanager.pid
156            /var/run/cluster/rgmanager.sk
157
158       root_t
159
160            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
161            /
162            /initrd
163
164       zebra_conf_t
165
166            /etc/zebra(/.*)?
167            /etc/quagga(/.*)?
168
169       zebra_log_t
170
171            /var/log/zebra(/.*)?
172            /var/log/quagga(/.*)?
173
174       zebra_tmp_t
175
176
177       zebra_var_run_t
178
179            /var/run/quagga(/.*)?
180            /var/run/.zebra
181            /var/run/.zserv
182
183

FILE CONTEXTS

185       SELinux requires files to have an extended attribute to define the file
186       type.
187
188       You can see the context of a file using the -Z option to ls
189
190       Policy governs the access  confined  processes  have  to  these  files.
191       SELinux  zebra  policy  is  very flexible allowing users to setup their
192       zebra processes in as secure a method as possible.
193
194       STANDARD FILE CONTEXT
195
196       SELinux defines the file context types for the zebra, if you wanted  to
197       store  files  with  these types in a diffent paths, you need to execute
198       the semanage command  to  sepecify  alternate  labeling  and  then  use
199       restorecon to put the labels on disk.
200
201       semanage fcontext -a -t zebra_var_run_t '/srv/myzebra_content(/.*)?'
202       restorecon -R -v /srv/myzebra_content
203
204       Note:  SELinux  often  uses  regular expressions to specify labels that
205       match multiple files.
206
207       The following file types are defined for zebra:
208
209
210
211       zebra_conf_t
212
213       - Set files with the zebra_conf_t type, if you want to treat the  files
214       as zebra configuration data, usually stored under the /etc directory.
215
216
217       Paths:
218            /etc/zebra(/.*)?, /etc/quagga(/.*)?
219
220
221       zebra_exec_t
222
223       -  Set  files  with the zebra_exec_t type, if you want to transition an
224       executable to the zebra_t domain.
225
226
227       Paths:
228            /usr/sbin/rip.*, /usr/sbin/ospf.*, /usr/sbin/bgpd, /usr/sbin/pimd,
229            /usr/sbin/isisd,         /usr/sbin/nhrpd,         /usr/sbin/zebra,
230            /usr/sbin/babeld
231
232
233       zebra_initrc_exec_t
234
235       - Set files with the zebra_initrc_exec_t type, if you want  to  transi‐
236       tion an executable to the zebra_initrc_t domain.
237
238
239       Paths:
240            /etc/rc.d/init.d/bgpd,                      /etc/rc.d/init.d/ripd,
241            /etc/rc.d/init.d/isisd,                    /etc/rc.d/init.d/ospfd,
242            /etc/rc.d/init.d/zebra,                   /etc/rc.d/init.d/babeld,
243            /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/ripngd
244
245
246       zebra_log_t
247
248       - Set files with the zebra_log_t type, if you want to treat the data as
249       zebra log data, usually stored under the /var/log directory.
250
251
252       Paths:
253            /var/log/zebra(/.*)?, /var/log/quagga(/.*)?
254
255
256       zebra_tmp_t
257
258       -  Set files with the zebra_tmp_t type, if you want to store zebra tem‐
259       porary files in the /tmp directories.
260
261
262
263       zebra_unit_file_t
264
265       - Set files with the zebra_unit_file_t type, if you want to  treat  the
266       files as zebra unit content.
267
268
269       Paths:
270            /usr/lib/systemd/system/bgpd.*,    /usr/lib/systemd/system/ripd.*,
271            /usr/lib/systemd/system/isisd.*,  /usr/lib/systemd/system/ospfd.*,
272            /usr/lib/systemd/system/zebra.*, /usr/lib/systemd/system/babeld.*,
273            /usr/lib/systemd/system/ospf6d.*, /usr/lib/systemd/system/ripngd.*
274
275
276       zebra_var_run_t
277
278       - Set files with the zebra_var_run_t type, if you  want  to  store  the
279       zebra files under the /run or /var/run directory.
280
281
282       Paths:
283            /var/run/quagga(/.*)?, /var/run/.zebra, /var/run/.zserv
284
285
286       Note:  File context can be temporarily modified with the chcon command.
287       If you want to permanently change the file context you need to use  the
288       semanage fcontext command.  This will modify the SELinux labeling data‐
289       base.  You will need to use restorecon to apply the labels.
290
291

COMMANDS

293       semanage fcontext can also be used to manipulate default  file  context
294       mappings.
295
296       semanage  permissive  can  also  be used to manipulate whether or not a
297       process type is permissive.
298
299       semanage module can also be used to enable/disable/install/remove  pol‐
300       icy modules.
301
302       semanage port can also be used to manipulate the port definitions
303
304       semanage boolean can also be used to manipulate the booleans
305
306
307       system-config-selinux is a GUI tool available to customize SELinux pol‐
308       icy settings.
309
310

AUTHOR

312       This manual page was auto-generated using sepolicy manpage .
313
314

SEE ALSO

316       selinux(8),  zebra(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
317       icy(8), setsebool(8)
318
319
320
321zebra                              19-10-08                   zebra_selinux(8)
Impressum