neutron_selinux(8)

1neutron_selinux(8)          SELinux Policy neutron          neutron_selinux(8)
2
3
4

NAME

6       neutron_selinux  -  Security Enhanced Linux Policy for the neutron pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  neutron  processes  via  flexible
11       mandatory access control.
12
13       The  neutron processes execute with the neutron_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep neutron_t
20
21
22

ENTRYPOINTS

24       The  neutron_t  SELinux type can be entered via the neutron_exec_t file
25       type.
26
27       The default entrypoint paths for the neutron_t domain are  the  follow‐
28       ing:
29
30       /usr/bin/neutron-server,   /usr/bin/quantum-server,   /usr/bin/neutron-
31       l3-agent,     /usr/bin/neutron-rootwrap,     /usr/bin/quantum-l3-agent,
32       /usr/bin/neutron-ryu-agent,  /usr/bin/quantum-ryu-agent,  /usr/bin/neu‐
33       tron-dhcp-agent,  /usr/bin/quantum-dhcp-agent,  /usr/bin/neutron-lbaas-
34       agent,    /usr/bin/neutron-ovs-cleanup,   /usr/bin/quantum-ovs-cleanup,
35       /usr/bin/neutron-netns-cleanup,        /usr/bin/neutron-metadata-agent,
36       /usr/bin/neutron-linuxbridge-agent, /usr/bin/neutron-ns-metadata-proxy,
37       /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38       /usr/bin/quantum-openvswitch-agent
39

PROCESS TYPES

41       SELinux defines process types (domains) for each process running on the
42       system
43
44       You can see the context of a process using the -Z option to ps
45
46       Policy governs the access confined processes have  to  files.   SELinux
47       neutron  policy  is very flexible allowing users to setup their neutron
48       processes in as secure a method as possible.
49
50       The following process types are defined for neutron:
51
52       neutron_t
53
54       Note: semanage permissive -a neutron_t can be used to make the  process
55       type  neutron_t  permissive. SELinux does not deny access to permissive
56       process types, but the AVC (SELinux denials) messages are still  gener‐
57       ated.
58
59

BOOLEANS

61       SELinux policy is customizable based on least access required.  neutron
62       policy is extremely flexible and has several booleans that allow you to
63       manipulate  the  policy and run neutron with the tightest access possi‐
64       ble.
65
66
67
68       If you want to determine whether neutron can connect to all TCP  ports,
69       you must turn on the neutron_can_network boolean. Disabled by default.
70
71       setsebool -P neutron_can_network 1
72
73
74
75       If you want to allow all domains to execute in fips_mode, you must turn
76       on the fips_mode boolean. Enabled by default.
77
78       setsebool -P fips_mode 1
79
80
81
82       If you want to allow confined applications to run  with  kerberos,  you
83       must turn on the kerberos_enabled boolean. Disabled by default.
84
85       setsebool -P kerberos_enabled 1
86
87
88
89       If  you  want  to  allow  system  to run with NIS, you must turn on the
90       nis_enabled boolean. Disabled by default.
91
92       setsebool -P nis_enabled 1
93
94
95

PORT TYPES

97       SELinux defines port types to represent TCP and UDP ports.
98
99       You can see the types associated with a port  by  using  the  following
100       command:
101
102       semanage port -l
103
104
105       Policy  governs  the  access  confined  processes  have to these ports.
106       SELinux neutron policy is very flexible allowing users to  setup  their
107       neutron processes in as secure a method as possible.
108
109       The following port types are defined for neutron:
110
111
112       neutron_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 8775,9696,9697
118

MANAGED FILES

120       The  SELinux  process  type neutron_t can manage files labeled with the
121       following file types.  The paths listed are the default paths for these
122       file types.  Note the processes UID still need to have DAC permissions.
123
124       cluster_conf_t
125
126            /etc/cluster(/.*)?
127
128       cluster_var_lib_t
129
130            /var/lib/pcsd(/.*)?
131            /var/lib/cluster(/.*)?
132            /var/lib/openais(/.*)?
133            /var/lib/pengine(/.*)?
134            /var/lib/corosync(/.*)?
135            /usr/lib/heartbeat(/.*)?
136            /var/lib/heartbeat(/.*)?
137            /var/lib/pacemaker(/.*)?
138
139       cluster_var_run_t
140
141            /var/run/crm(/.*)?
142            /var/run/cman_.*
143            /var/run/rsctmp(/.*)?
144            /var/run/aisexec.*
145            /var/run/heartbeat(/.*)?
146            /var/run/corosync-qnetd(/.*)?
147            /var/run/corosync-qdevice(/.*)?
148            /var/run/corosync.pid
149            /var/run/cpglockd.pid
150            /var/run/rgmanager.pid
151            /var/run/cluster/rgmanager.sk
152
153       faillog_t
154
155            /var/log/btmp.*
156            /var/log/faillog.*
157            /var/log/tallylog.*
158            /var/run/faillock(/.*)?
159
160       ifconfig_var_run_t
161
162            /var/run/netns(/.*)?
163
164       initrc_var_run_t
165
166            /var/run/utmp
167            /var/run/random-seed
168            /var/run/runlevel.dir
169            /var/run/setmixer_flag
170
171       krb5_keytab_t
172
173            /var/kerberos/krb5(/.*)?
174            /etc/krb5.keytab
175            /etc/krb5kdc/kadm5.keytab
176            /var/kerberos/krb5kdc/kadm5.keytab
177
178       lastlog_t
179
180            /var/log/lastlog.*
181
182       neutron_var_lib_t
183
184            /var/lib/neutron(/.*)?
185            /var/lib/quantum(/.*)?
186
187       neutron_var_run_t
188
189            /var/run/neutron(/.*)?
190            /var/run/quantum(/.*)?
191
192       root_t
193
194            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
195            /
196            /initrd
197
198       security_t
199
200            /selinux
201
202

FILE CONTEXTS

204       SELinux requires files to have an extended attribute to define the file
205       type.
206
207       You can see the context of a file using the -Z option to ls
208
209       Policy governs the access  confined  processes  have  to  these  files.
210       SELinux  neutron  policy is very flexible allowing users to setup their
211       neutron processes in as secure a method as possible.
212
213       STANDARD FILE CONTEXT
214
215       SELinux defines the file context types for the neutron, if  you  wanted
216       to store files with these types in a diffent paths, you need to execute
217       the semanage command  to  sepecify  alternate  labeling  and  then  use
218       restorecon to put the labels on disk.
219
220       semanage   fcontext   -a  -t  neutron_unit_file_t  '/srv/myneutron_con‐
221       tent(/.*)?'
222       restorecon -R -v /srv/myneutron_content
223
224       Note: SELinux often uses regular expressions  to  specify  labels  that
225       match multiple files.
226
227       The following file types are defined for neutron:
228
229
230
231       neutron_exec_t
232
233       -  Set files with the neutron_exec_t type, if you want to transition an
234       executable to the neutron_t domain.
235
236
237       Paths:
238            /usr/bin/neutron-server,  /usr/bin/quantum-server,   /usr/bin/neu‐
239            tron-l3-agent,     /usr/bin/neutron-rootwrap,    /usr/bin/quantum-
240            l3-agent, /usr/bin/neutron-ryu-agent,  /usr/bin/quantum-ryu-agent,
241            /usr/bin/neutron-dhcp-agent,          /usr/bin/quantum-dhcp-agent,
242            /usr/bin/neutron-lbaas-agent,        /usr/bin/neutron-ovs-cleanup,
243            /usr/bin/quantum-ovs-cleanup,      /usr/bin/neutron-netns-cleanup,
244            /usr/bin/neutron-metadata-agent,     /usr/bin/neutron-linuxbridge-
245            agent,  /usr/bin/neutron-ns-metadata-proxy, /usr/bin/neutron-open‐
246            vswitch-agent, /usr/bin/quantum-linuxbridge-agent,  /usr/bin/quan‐
247            tum-openvswitch-agent
248
249
250       neutron_initrc_exec_t
251
252       - Set files with the neutron_initrc_exec_t type, if you want to transi‐
253       tion an executable to the neutron_initrc_t domain.
254
255
256       Paths:
257            /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
258
259
260       neutron_log_t
261
262       - Set files with the neutron_log_t type, if you want to treat the  data
263       as neutron log data, usually stored under the /var/log directory.
264
265
266       Paths:
267            /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
268
269
270       neutron_tmp_t
271
272       -  Set  files with the neutron_tmp_t type, if you want to store neutron
273       temporary files in the /tmp directories.
274
275
276
277       neutron_unit_file_t
278
279       - Set files with the neutron_unit_file_t type, if you want to treat the
280       files as neutron unit content.
281
282
283       Paths:
284            /usr/lib/systemd/system/neutron.*,   /usr/lib/systemd/system/quan‐
285            tum.*
286
287
288       neutron_var_lib_t
289
290       - Set files with the neutron_var_lib_t type, if you want to  store  the
291       neutron files under the /var/lib directory.
292
293
294       Paths:
295            /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
296
297
298       neutron_var_run_t
299
300       -  Set  files with the neutron_var_run_t type, if you want to store the
301       neutron files under the /run or /var/run directory.
302
303
304       Paths:
305            /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
306
307
308       Note: File context can be temporarily modified with the chcon  command.
309       If  you want to permanently change the file context you need to use the
310       semanage fcontext command.  This will modify the SELinux labeling data‐
311       base.  You will need to use restorecon to apply the labels.
312
313

COMMANDS

315       semanage  fcontext  can also be used to manipulate default file context
316       mappings.
317
318       semanage permissive can also be used to manipulate  whether  or  not  a
319       process type is permissive.
320
321       semanage  module can also be used to enable/disable/install/remove pol‐
322       icy modules.
323
324       semanage port can also be used to manipulate the port definitions
325
326       semanage boolean can also be used to manipulate the booleans
327
328
329       system-config-selinux is a GUI tool available to customize SELinux pol‐
330       icy settings.
331
332

AUTHOR

334       This manual page was auto-generated using sepolicy manpage .
335
336