shorewall_selinux(8)       SELinux Policy shorewall       shorewall_selinux(8)


NAME

       shorewall_selinux - Security Enhanced Linux Policy for the shorewall
       processes


DESCRIPTION

       Security-Enhanced Linux secures the shorewall processes via flexible
       mandatory access control.

       The shorewall processes execute with the shorewall_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep shorewall_t


ENTRYPOINTS

       The shorewall_t SELinux type can be entered via the shorewall_exec_t
       and shorewall_var_lib_t file types.

       The default entrypoint paths for the shorewall_t domain are the
       following:

       /sbin/shorewall6?, /usr/sbin/shorewall6?, /sbin/shorewall-lite,
       /usr/sbin/shorewall-lite, /var/lib/shorewall(/.*)?,
       /var/lib/shorewall6(/.*)?, /var/lib/shorewall-lite(/.*)?


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       shorewall policy is very flexible, allowing users to set up their
       shorewall processes in as secure a manner as possible.

       The following process types are defined for shorewall:

       shorewall_t

       Note: semanage permissive -a shorewall_t can be used to make the
       process type shorewall_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.

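       The AVC messages mentioned in the note above can be triaged from
       audit.log with plain shell tools. The following script is an added
       example, not part of this manual page or of the shorewall project; the
       audit lines it parses are constructed, and it assumes the usual
       "avc:  denied  { perm } ... scontext= ... tcontext= ... tclass= ...
       permissive=" line layout.

```shell
# Added example, not part of the shorewall_selinux man page or the shorewall
# project: summarise the AVC denials raised by the shorewall_t domain from
# audit.log-style lines, including the ones still logged while the domain is
# permissive (permissive=1), as the note in PROCESS TYPES says they are.

# Constructed sample audit lines; pids, serials and timestamps are made up.
SAMPLE_AUDIT='type=AVC msg=audit(1588000000.101:201): avc:  denied  { write } for  pid=4242 comm="shorewall" name="shorewall.log" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588000000.102:202): avc:  denied  { write } for  pid=4242 comm="shorewall" name="shorewall.log" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588000000.103:203): avc:  denied  { read } for  pid=4243 comm="shorewall" name="rules" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1588000000.104:204): avc:  denied  { name_connect } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Read audit lines on stdin and print "permission tclass target_type permissive"
# for each denial whose source domain is shorewall_t; other domains are dropped.
shorewall_denials() {
    grep 'avc:  denied' | grep 'scontext=[^ ]*:shorewall_t:' |
    sed -n 's/.*{ \([^}]*\) }.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*permissive=\([01]\).*/\1 \3 \2 \4/p'
}

# Collapse repeats into "count permission tclass target_type permissive": the
# list of what to fix by relabeling (restorecon) or by a boolean/policy change.
summarise_denials() {
    shorewall_denials | sort | uniq -c | sed 's/^ *//'
}

# Wrappers over the constructed sample.
sample_summary() { printf '%s\n' "$SAMPLE_AUDIT" | summarise_denials; }
sample_permissive_count() { printf '%s\n' "$SAMPLE_AUDIT" | shorewall_denials | grep -c ' 1$'; }
```

       Feed real data with "grep AVC /var/log/audit/log | summarise_denials";
       a target type such as var_log_t where shorewall_log_t is expected
       points at a labeling problem rather than a policy gap.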

BOOLEANS

       SELinux policy is customizable based on the least access required.
       shorewall policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run shorewall with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1


MANAGED FILES

       The SELinux process type shorewall_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       initrc_var_run_t

            /var/run/utmp
            /var/run/random-seed
            /var/run/runlevel.dir
            /var/run/setmixer_flag

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       shorewall_lock_t

            /var/lock/subsys/shorewall

       shorewall_log_t

            /var/log/shorewall.*

       shorewall_var_lib_t

            /var/lib/shorewall(/.*)?
            /var/lib/shorewall6(/.*)?
            /var/lib/shorewall-lite(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux shorewall policy is very flexible, allowing users to set up
       their shorewall processes in as secure a manner as possible.

   EQUIVALENCE DIRECTORIES

       shorewall policy stores data with multiple different file context types
       under the /var/lib/shorewall directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/shorewall /srv/shorewall
       restorecon -R -v /srv/shorewall

   STANDARD FILE CONTEXT

       SELinux defines the file context types for shorewall. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t shorewall_log_t '/srv/myshorewall_content(/.*)?'
       restorecon -R -v /srv/myshorewall_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for shorewall:

       shorewall_etc_t

       - Set files with the shorewall_etc_t type, if you want to store
       shorewall files in the /etc directories.

       Paths:
            /etc/shorewall(/.*)?, /etc/shorewall6(/.*)?,
            /etc/shorewall-lite(/.*)?

       shorewall_exec_t

       - Set files with the shorewall_exec_t type, if you want to transition
       an executable to the shorewall_t domain.

       Paths:
            /sbin/shorewall6?, /usr/sbin/shorewall6?, /sbin/shorewall-lite,
            /usr/sbin/shorewall-lite

       shorewall_initrc_exec_t

       - Set files with the shorewall_initrc_exec_t type, if you want to
       transition an executable to the shorewall_initrc_t domain.

       shorewall_lock_t

       - Set files with the shorewall_lock_t type, if you want to treat the
       files as shorewall lock data, stored under the /var/lock directory.

       shorewall_log_t

       - Set files with the shorewall_log_t type, if you want to treat the
       data as shorewall log data, usually stored under the /var/log
       directory.

       shorewall_tmp_t

       - Set files with the shorewall_tmp_t type, if you want to store
       shorewall temporary files in the /tmp directories.

       shorewall_var_lib_t

       - Set files with the shorewall_var_lib_t type, if you want to store the
       shorewall files under the /var/lib directory.

       Paths:
            /var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)?,
            /var/lib/shorewall-lite(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

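       A quick way to verify that the labels listed above are actually on
       disk, before or after running restorecon, is to compare the type on
       each shorewall path with the type this page assigns to it. The
       following script is an added example, not part of this manual page or
       of the shorewall project; it assumes "ls -Zd"-style "<context> <path>"
       input, takes its expected types from the ENTRYPOINTS and FILE CONTEXTS
       sections, and runs over constructed sample input.

```shell
# Added example, not part of the shorewall_selinux man page or the shorewall
# project: report shorewall paths whose on-disk SELinux type differs from the
# default type given in this man page. Input is "ls -Zd"-style lines of the
# form "<context> <path>".

# Expected default types, as listed on this page; other paths are ignored.
expected_type() {
    case "$1" in
        /etc/shorewall|/etc/shorewall6|/etc/shorewall-lite) echo shorewall_etc_t ;;
        /sbin/shorewall|/sbin/shorewall6|/sbin/shorewall-lite) echo shorewall_exec_t ;;
        /usr/sbin/shorewall|/usr/sbin/shorewall6|/usr/sbin/shorewall-lite) echo shorewall_exec_t ;;
        /var/lib/shorewall|/var/lib/shorewall6|/var/lib/shorewall-lite) echo shorewall_var_lib_t ;;
        /var/log/shorewall*) echo shorewall_log_t ;;
        /var/lock/subsys/shorewall) echo shorewall_lock_t ;;
        *) echo unknown ;;
    esac
}

# Extract the type (third field) from a context such as
# system_u:object_r:shorewall_etc_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin and print one line per path whose
# type differs from the expected one; correctly labelled paths stay silent.
audit_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        have=$(context_type "$ctx")
        if [ "$want" != unknown ] && [ "$want" != "$have" ]; then
            printf 'MISLABELLED %s: is %s, expected %s\n' "$path" "$have" "$want"
        fi
    done
}

# Constructed sample resembling "ls -Zd" output on a host where
# /var/lib/shorewall was restored from a backup and lost its label.
SAMPLE='system_u:object_r:shorewall_etc_t:s0 /etc/shorewall
system_u:object_r:shorewall_exec_t:s0 /usr/sbin/shorewall
system_u:object_r:var_lib_t:s0 /var/lib/shorewall
system_u:object_r:shorewall_log_t:s0 /var/log/shorewall.log'

# Number of mislabelled paths in the sample (1 here: /var/lib/shorewall).
count_mislabelled() {
    printf '%s\n' "$SAMPLE" | audit_labels | wc -l | tr -d ' '
}
```

       On a live host, pipe "ls -Zd /etc/shorewall /usr/sbin/shorewall
       /var/lib/shorewall" into audit_labels; any MISLABELLED line is a path
       to pass to restorecon -R -v.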

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

shorewall                          20-05-05               shorewall_selinux(8)