quota_selinux(8)             SELinux Policy quota             quota_selinux(8)

NAME

       quota_selinux - Security Enhanced Linux Policy for the quota processes

DESCRIPTION

       Security-Enhanced Linux secures the quota processes via flexible
       mandatory access control.

       The quota processes execute with the quota_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep quota_t

ENTRYPOINTS

       The quota_t SELinux type can be entered via the quota_exec_t file type.

       The default entrypoint paths for the quota_t domain are the following:

       /sbin/quota(check|on), /usr/sbin/quota(check|on), /usr/sbin/convertquota

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       quota policy is very flexible, allowing users to set up their quota
       processes in as secure a method as possible.

       The following process types are defined for quota:

       quota_t, quota_nld_t

       Note: semanage permissive -a quota_t can be used to make the process
       type quota_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. The
       quota policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run quota with the tightest access
       possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

MANAGED FILES

       The SELinux process type quota_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process UID still needs to have DAC
       permissions.

       quota_db_t

            /a?quota.(user|group)
            /etc/a?quota.(user|group)
            /var/a?quota.(user|group)
            /boot/a?quota.(user|group)
            /var/spool/(.*/)?a?quota.(user|group)
            /var/spool/cron/a?quota.(user|group)
            /var/lib/openshift/a?quota.(user|group)
            /var/lib/stickshift/a?quota.(user|group)
            /home/[^/]+/a?quota.(user|group)
            /home/a?quota.(user|group)

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux quota policy is very flexible, allowing users to set up their
       quota processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for quota. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t quota_nld_var_run_t '/srv/myquota_content(/.*)?'
       restorecon -R -v /srv/myquota_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for quota:

       quota_db_t

       - Set files with the quota_db_t type, if you want to treat the files as
       quota database content.

       Paths:
            /a?quota.(user|group), /etc/a?quota.(user|group),
            /var/a?quota.(user|group), /boot/a?quota.(user|group),
            /var/spool/(.*/)?a?quota.(user|group),
            /var/spool/cron/a?quota.(user|group),
            /var/lib/openshift/a?quota.(user|group),
            /var/lib/stickshift/a?quota.(user|group),
            /home/[^/]+/a?quota.(user|group),
            /home/a?quota.(user|group)

       quota_exec_t

       - Set files with the quota_exec_t type, if you want to transition an
       executable to the quota_t domain.

       Paths:
            /sbin/quota(check|on), /usr/sbin/quota(check|on),
            /usr/sbin/convertquota

       quota_flag_t

       - Set files with the quota_flag_t type, if you want to treat the files
       as quota flag data.

       quota_nld_exec_t

       - Set files with the quota_nld_exec_t type, if you want to transition
       an executable to the quota_nld_t domain.

       quota_nld_var_run_t

       - Set files with the quota_nld_var_run_t type, if you want to store the
       quota nld files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context, you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
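
       An added example, not part of the generated policy documentation: a
       shell check that tells whether a quota database path is already covered
       by the default quota_db_t patterns listed above, and prints (without
       running) the semanage fcontext and restorecon commands it would need.
       The function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: patterns copied from the quota_db_t path list on this page.
QUOTA_DB_PATTERNS='/a?quota.(user|group)
/etc/a?quota.(user|group)
/var/a?quota.(user|group)
/boot/a?quota.(user|group)
/var/spool/(.*/)?a?quota.(user|group)
/var/spool/cron/a?quota.(user|group)
/var/lib/openshift/a?quota.(user|group)
/var/lib/stickshift/a?quota.(user|group)
/home/[^/]+/a?quota.(user|group)
/home/a?quota.(user|group)'
NL='
'

# Hypothetical helper. 0: path matches a default pattern; 1: no match;
# 2: path rejected. File-context regexes match the whole path, hence grep -x.
matches_quota_db_default() {
    case $1 in
        *"'"*|*"$NL"*) return 2 ;;   # would break the quoting and line logic below
        /*) ;;
        *) return 2 ;;               # file contexts are keyed on absolute paths
    esac
    while IFS= read -r pat; do
        printf '%s\n' "$1" | grep -Eqx -- "$pat" && return 0
    done <<EOF
$QUOTA_DB_PATTERNS
EOF
    return 1
}

# Hypothetical helper. Print (never run) the labeling commands for one file.
plan_quota_db_label() {
    rc=0
    matches_quota_db_default "$1" || rc=$?
    case $rc in
        0) printf "restorecon -v '%s'\n" "$1" ;;
        1) # semanage fcontext takes a regex, so escape metacharacters in the path
           re=$(printf '%s\n' "$1" | sed 's/[][\.*^$()+?{}|]/\\&/g')
           printf "semanage fcontext -a -t quota_db_t '%s'\n" "$re"
           printf "restorecon -v '%s'\n" "$1" ;;
        *) echo "rejected: $1" >&2; return 2 ;;
    esac
}

# Constructed sample paths: the first is covered by default, the second is not.
for p in /home/alice/aquota.user /srv/data/aquota.user; do
    plan_quota_db_label "$p"
done
```

       The check covers only the quota_db_t defaults listed on this page; the
       loaded policy may contain a more specific rule from another module, so
       confirm the resulting label with ls -Z after running restorecon.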

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), quota(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), quota_nld_selinux(8)

quota                              19-06-18                   quota_selinux(8)