1ricci_modclusterd_selinuSxE(L8i)nux Policy ricci_modclusrtiecrcdi_modclusterd_selinux(8)
2
3
4

NAME

6       ricci_modclusterd_selinux  -  Security  Enhanced  Linux  Policy for the
7       ricci_modclusterd processes
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  ricci_modclusterd  processes  via
11       flexible mandatory access control.
12
13       The  ricci_modclusterd  processes  execute with the ricci_modclusterd_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep ricci_modclusterd_t
20
21
22

ENTRYPOINTS

24       The  ricci_modclusterd_t SELinux type can be entered via the ricci_mod‐
25       clusterd_exec_t file type.
26
27       The default entrypoint paths for the ricci_modclusterd_t domain are the
28       following:
29
30       /usr/sbin/modclusterd
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       ricci_modclusterd policy is very flexible allowing users to setup their
40       ricci_modclusterd processes in as secure a method as possible.
41
42       The following process types are defined for ricci_modclusterd:
43
44       ricci_modcluster_t, ricci_modclusterd_t
45
46       Note: semanage permissive -a ricci_modclusterd_t can be  used  to  make
47       the  process type ricci_modclusterd_t permissive. SELinux does not deny
48       access to permissive process types, but the AVC (SELinux denials)  mes‐
49       sages are still generated.
50
51

BOOLEANS

53       SELinux   policy  is  customizable  based  on  least  access  required.
54       ricci_modclusterd policy is extremely flexible and has several booleans
55       that  allow you to manipulate the policy and run ricci_modclusterd with
56       the tightest access possible.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the kerberos_enabled boolean. Disabled by default.
77
78       setsebool -P kerberos_enabled 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       nis_enabled boolean. Disabled by default.
84
85       setsebool -P nis_enabled 1
86
87
88
89       If  you  want to allow confined applications to use nscd shared memory,
90       you must turn on the nscd_use_shm boolean. Disabled by default.
91
92       setsebool -P nscd_use_shm 1
93
94
95

PORT TYPES

97       SELinux defines port types to represent TCP and UDP ports.
98
99       You can see the types associated with a port  by  using  the  following
100       command:
101
102       semanage port -l
103
104
105       Policy  governs  the  access  confined  processes  have to these ports.
106       SELinux ricci_modclusterd policy is very  flexible  allowing  users  to
107       setup their ricci_modclusterd processes in as secure a method as possi‐
108       ble.
109
110       The following port types are defined for ricci_modclusterd:
111
112
113       ricci_modcluster_port_t
114
115
116
117       Default Defined Ports:
118                 tcp 16851
119                 udp 16851
120

MANAGED FILES

122       The SELinux process type ricci_modclusterd_t can manage  files  labeled
123       with  the following file types.  The paths listed are the default paths
124       for these file types.  Note the processes UID still need  to  have  DAC
125       permissions.
126
127       cluster_conf_t
128
129            /etc/cluster(/.*)?
130
131       cluster_var_lib_t
132
133            /var/lib/pcsd(/.*)?
134            /var/lib/cluster(/.*)?
135            /var/lib/openais(/.*)?
136            /var/lib/pengine(/.*)?
137            /var/lib/corosync(/.*)?
138            /usr/lib/heartbeat(/.*)?
139            /var/lib/heartbeat(/.*)?
140            /var/lib/pacemaker(/.*)?
141
142       cluster_var_run_t
143
144            /var/run/crm(/.*)?
145            /var/run/cman_.*
146            /var/run/rsctmp(/.*)?
147            /var/run/aisexec.*
148            /var/run/heartbeat(/.*)?
149            /var/run/corosync-qnetd(/.*)?
150            /var/run/corosync-qdevice(/.*)?
151            /var/run/corosync.pid
152            /var/run/cpglockd.pid
153            /var/run/rgmanager.pid
154            /var/run/cluster/rgmanager.sk
155
156       ricci_modcluster_var_run_t
157
158            /var/run/clumond.sock
159            /var/run/modclusterd.pid
160
161       ricci_modclusterd_tmpfs_t
162
163
164       root_t
165
166            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
167            /
168            /initrd
169
170

FILE CONTEXTS

172       SELinux requires files to have an extended attribute to define the file
173       type.
174
175       You can see the context of a file using the -Z option to ls
176
177       Policy governs the access  confined  processes  have  to  these  files.
178       SELinux  ricci_modclusterd  policy  is  very flexible allowing users to
179       setup their ricci_modclusterd processes in as secure a method as possi‐
180       ble.
181
182       STANDARD FILE CONTEXT
183
184       SELinux  defines  the  file context types for the ricci_modclusterd, if
185       you wanted to store files with these types in a diffent paths, you need
186       to execute the semanage command to sepecify alternate labeling and then
187       use restorecon to put the labels on disk.
188
189       semanage fcontext -a  -t  ricci_modclusterd_tmpfs_t  '/srv/myricci_mod‐
190       clusterd_content(/.*)?'
191       restorecon -R -v /srv/myricci_modclusterd_content
192
193       Note:  SELinux  often  uses  regular expressions to specify labels that
194       match multiple files.
195
196       The following file types are defined for ricci_modclusterd:
197
198
199
200       ricci_modclusterd_exec_t
201
202       - Set files with the ricci_modclusterd_exec_t  type,  if  you  want  to
203       transition an executable to the ricci_modclusterd_t domain.
204
205
206
207       ricci_modclusterd_tmpfs_t
208
209       -  Set  files  with  the ricci_modclusterd_tmpfs_t type, if you want to
210       store ricci modclusterd files on a tmpfs file system.
211
212
213
214       Note: File context can be temporarily modified with the chcon  command.
215       If  you want to permanently change the file context you need to use the
216       semanage fcontext command.  This will modify the SELinux labeling data‐
217       base.  You will need to use restorecon to apply the labels.
218
219

COMMANDS

221       semanage  fcontext  can also be used to manipulate default file context
222       mappings.
223
224       semanage permissive can also be used to manipulate  whether  or  not  a
225       process type is permissive.
226
227       semanage  module can also be used to enable/disable/install/remove pol‐
228       icy modules.
229
230       semanage port can also be used to manipulate the port definitions
231
232       semanage boolean can also be used to manipulate the booleans
233
234
235       system-config-selinux is a GUI tool available to customize SELinux pol‐
236       icy settings.
237
238

AUTHOR

240       This manual page was auto-generated using sepolicy manpage .
241
242

SEE ALSO

244       selinux(8), ricci_modclusterd(8), semanage(8), restorecon(8), chcon(1),
245       sepolicy(8), setsebool(8)
246
247
248
249ricci_modclusterd                  19-12-02       ricci_modclusterd_selinux(8)
Impressum