keystone_selinux(8)

1keystone_selinux(8)         SELinux Policy keystone        keystone_selinux(8)
2
3
4

NAME

6       keystone_selinux - Security Enhanced Linux Policy for the keystone pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures the  keystone  processes  via  flexible
11       mandatory access control.
12
13       The  keystone  processes  execute with the keystone_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep keystone_t
20
21
22

ENTRYPOINTS

24       The keystone_t SELinux type can be entered via the keystone_exec_t file
25       type.
26
27       The default entrypoint paths for the keystone_t domain are the  follow‐
28       ing:
29
30       /usr/bin/keystone-all
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       keystone policy is very flexible allowing users to setup their keystone
40       processes in as secure a method as possible.
41
42       The following process types are defined for keystone:
43
44       keystone_t, keystone_cgi_script_t
45
46       Note: semanage permissive -a keystone_t can be used to make the process
47       type  keystone_t permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy  is  customizable based on least access required.  key‐
54       stone policy is extremely flexible and has several booleans that  allow
55       you  to manipulate the policy and run keystone with the tightest access
56       possible.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the kerberos_enabled boolean. Disabled by default.
77
78       setsebool -P kerberos_enabled 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       nis_enabled boolean. Disabled by default.
84
85       setsebool -P nis_enabled 1
86
87
88
89       If  you  want to allow confined applications to use nscd shared memory,
90       you must turn on the nscd_use_shm boolean. Disabled by default.
91
92       setsebool -P nscd_use_shm 1
93
94
95

PORT TYPES

97       SELinux defines port types to represent TCP and UDP ports.
98
99       You can see the types associated with a port  by  using  the  following
100       command:
101
102       semanage port -l
103
104
105       Policy  governs  the  access  confined  processes  have to these ports.
106       SELinux keystone policy is very flexible allowing users to setup  their
107       keystone processes in as secure a method as possible.
108
109       The following port types are defined for keystone:
110
111
112       keystone_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 35357
118                 udp 35357
119

MANAGED FILES

121       The  SELinux  process type keystone_t can manage files labeled with the
122       following file types.  The paths listed are the default paths for these
123       file types.  Note the processes UID still need to have DAC permissions.
124
125       cluster_conf_t
126
127            /etc/cluster(/.*)?
128
129       cluster_var_lib_t
130
131            /var/lib/pcsd(/.*)?
132            /var/lib/cluster(/.*)?
133            /var/lib/openais(/.*)?
134            /var/lib/pengine(/.*)?
135            /var/lib/corosync(/.*)?
136            /usr/lib/heartbeat(/.*)?
137            /var/lib/heartbeat(/.*)?
138            /var/lib/pacemaker(/.*)?
139
140       cluster_var_run_t
141
142            /var/run/crm(/.*)?
143            /var/run/cman_.*
144            /var/run/rsctmp(/.*)?
145            /var/run/aisexec.*
146            /var/run/heartbeat(/.*)?
147            /var/run/corosync-qnetd(/.*)?
148            /var/run/corosync-qdevice(/.*)?
149            /var/run/corosync.pid
150            /var/run/cpglockd.pid
151            /var/run/rgmanager.pid
152            /var/run/cluster/rgmanager.sk
153
154       faillog_t
155
156            /var/log/btmp.*
157            /var/log/faillog.*
158            /var/log/tallylog.*
159            /var/run/faillock(/.*)?
160
161       keystone_tmp_t
162
163
164       keystone_var_lib_t
165
166            /var/lib/keystone(/.*)?
167
168       keystone_var_run_t
169
170            /var/run/keystone(/.*)?
171
172       krb5_host_rcache_t
173
174            /var/cache/krb5rcache(/.*)?
175            /var/tmp/nfs_0
176            /var/tmp/DNS_25
177            /var/tmp/host_0
178            /var/tmp/imap_0
179            /var/tmp/HTTP_23
180            /var/tmp/HTTP_48
181            /var/tmp/ldap_55
182            /var/tmp/ldap_487
183            /var/tmp/ldapmap1_0
184
185       lastlog_t
186
187            /var/log/lastlog.*
188
189       root_t
190
191            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
192            /
193            /initrd
194
195       security_t
196
197            /selinux
198
199

FILE CONTEXTS

201       SELinux requires files to have an extended attribute to define the file
202       type.
203
204       You can see the context of a file using the -Z option to ls
205
206       Policy governs the access  confined  processes  have  to  these  files.
207       SELinux  keystone policy is very flexible allowing users to setup their
208       keystone processes in as secure a method as possible.
209
210       STANDARD FILE CONTEXT
211
212       SELinux defines the file context types for the keystone, if you  wanted
213       to store files with these types in a diffent paths, you need to execute
214       the semanage command  to  sepecify  alternate  labeling  and  then  use
215       restorecon to put the labels on disk.
216
217       semanage fcontext -a -t keystone_cgi_ra_content_t '/srv/mykeystone_con‐
218       tent(/.*)?'
219       restorecon -R -v /srv/mykeystone_content
220
221       Note: SELinux often uses regular expressions  to  specify  labels  that
222       match multiple files.
223
224       The following file types are defined for keystone:
225
226
227
228       keystone_cgi_content_t
229
230       -  Set files with the keystone_cgi_content_t type, if you want to treat
231       the files as keystone cgi content.
232
233
234
235       keystone_cgi_htaccess_t
236
237       - Set files with the keystone_cgi_htaccess_t type, if you want to treat
238       the file as a keystone cgi access file.
239
240
241
242       keystone_cgi_ra_content_t
243
244       -  Set  files  with  the keystone_cgi_ra_content_t type, if you want to
245       treat the files as keystone cgi read/append content.
246
247
248
249       keystone_cgi_rw_content_t
250
251       - Set files with the keystone_cgi_rw_content_t type,  if  you  want  to
252       treat the files as keystone cgi read/write content.
253
254
255
256       keystone_cgi_script_exec_t
257
258       -  Set  files  with the keystone_cgi_script_exec_t type, if you want to
259       transition an executable to the keystone_cgi_script_t domain.
260
261
262
263       keystone_exec_t
264
265       - Set files with the keystone_exec_t type, if you want to transition an
266       executable to the keystone_t domain.
267
268
269
270       keystone_initrc_exec_t
271
272       -  Set files with the keystone_initrc_exec_t type, if you want to tran‐
273       sition an executable to the keystone_initrc_t domain.
274
275
276
277       keystone_log_t
278
279       - Set files with the keystone_log_t type, if you want to treat the data
280       as keystone log data, usually stored under the /var/log directory.
281
282
283
284       keystone_tmp_t
285
286       - Set files with the keystone_tmp_t type, if you want to store keystone
287       temporary files in the /tmp directories.
288
289
290
291       keystone_unit_file_t
292
293       - Set files with the keystone_unit_file_t type, if you  want  to  treat
294       the files as keystone unit content.
295
296
297
298       keystone_var_lib_t
299
300       -  Set files with the keystone_var_lib_t type, if you want to store the
301       keystone files under the /var/lib directory.
302
303
304
305       keystone_var_run_t
306
307       - Set files with the keystone_var_run_t type, if you want to store  the
308       keystone files under the /run or /var/run directory.
309
310
311
312       Note:  File context can be temporarily modified with the chcon command.
313       If you want to permanently change the file context you need to use  the
314       semanage fcontext command.  This will modify the SELinux labeling data‐
315       base.  You will need to use restorecon to apply the labels.
316
317

COMMANDS

319       semanage fcontext can also be used to manipulate default  file  context
320       mappings.
321
322       semanage  permissive  can  also  be used to manipulate whether or not a
323       process type is permissive.
324
325       semanage module can also be used to enable/disable/install/remove  pol‐
326       icy modules.
327
328       semanage port can also be used to manipulate the port definitions
329
330       semanage boolean can also be used to manipulate the booleans
331
332
333       system-config-selinux is a GUI tool available to customize SELinux pol‐
334       icy settings.
335
336

AUTHOR

338       This manual page was auto-generated using sepolicy manpage .
339
340