pki_tomcat_selinux(8)      SELinux Policy pki_tomcat     pki_tomcat_selinux(8)



NAME

       pki_tomcat_selinux - Security Enhanced Linux Policy for the pki_tomcat
       processes


DESCRIPTION

       Security-Enhanced Linux secures the pki_tomcat processes via flexible
       mandatory access control.

       The pki_tomcat processes execute with the pki_tomcat_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep pki_tomcat_t



ENTRYPOINTS

       The pki_tomcat_t SELinux type can be entered via the pki_tomcat_exec_t
       file type.

       The default entrypoint paths for the pki_tomcat_t domain are the
       following:

       /usr/bin/pkidaemon


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       pki_tomcat policy is very flexible, allowing users to set up their
       pki_tomcat processes in as secure a manner as possible.

       The following process types are defined for pki_tomcat:

       pki_tomcat_t, pki_tomcat_script_t

       Note: semanage permissive -a pki_tomcat_t can be used to make the
       process type pki_tomcat_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated, with permissive=1 appended to each record, so a
       permissive domain can be used to collect the full set of accesses
       before re-enabling enforcement with semanage permissive -d.


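
       The following is an added example, not part of the sepolicy-generated
       page or of the pki_tomcat policy: a Python script that parses AVC
       denial records for the pki_tomcat_t domain and separates denials
       against mislabelled targets (a generic type such as var_log_t, fixed
       with restorecon) from denials the policy itself produces (a candidate
       for a boolean or a local module). The audit lines it processes are
       constructed for illustration; the permissive=1 field on the first
       record is what a permissive domain produces, matching the note above
       that denials are still logged. The names GENERIC_FILE_TYPES,
       parse_avc(), pki_tomcat_denials() and classify() are this example's
       own.

```python
"""Added example (not from the sepolicy-generated man page): parse AVC denial
records for the pki_tomcat_t domain and triage likely mislabelled targets.

The audit lines below are CONSTRUCTED for illustration; the field layout
follows the kernel's "avc:  denied" format, but pids, inodes and device
names are made up.
"""
import re

# Constructed sample audit records (not captured from a real system).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1616745600.123:456): avc:  denied  { write } for  pid=1234 '
    'comm="java" name="ca.log" dev="dm-0" ino=1001 '
    'scontext=system_u:system_r:pki_tomcat_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1616745600.456:457): avc:  denied  { read } for  pid=1234 '
    'comm="java" name="cert9.db" dev="dm-0" ino=1002 '
    'scontext=system_u:system_r:pki_tomcat_t:s0 '
    'tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1616745600.789:458): avc:  denied  { name_connect } for  pid=5678 '
    'comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

# Generic file types that a pki_tomcat target should normally NOT carry.
# Seeing one of these in tcontext usually means the path was never
# relabelled (restorecon), not that the policy is too tight.
GENERIC_FILE_TYPES = {"var_log_t", "var_lib_t", "var_run_t", "etc_t", "var_t", "default_t"}


def parse_avc(line):
    """Return a dict of the interesting AVC fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type:level -> type
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec["permissive"] == "1"   # absent field -> False
    name = re.search(r'name="([^"]*)"', line)
    rec["name"] = name.group(1) if name else None
    return rec


def pki_tomcat_denials(lines, domain="pki_tomcat_t"):
    """Keep only denials whose source domain is `domain`."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["stype"] == domain:
            out.append(rec)
    return out


def classify(rec):
    """'mislabel' when the target carries a generic type (run restorecon on
    the path); 'policy' when both sides already carry pki_tomcat-specific
    types (needs a boolean or a local policy module)."""
    if rec["ttype"] in GENERIC_FILE_TYPES:
        return "mislabel"
    return "policy"


if __name__ == "__main__":
    for rec in pki_tomcat_denials(SAMPLE_AUDIT_LINES):
        mode = "permissive (allowed, still logged)" if rec["permissive"] else "enforcing (blocked)"
        print(f'{rec["stype"]} -> {rec["ttype"]} {rec["tclass"]} {rec["perms"]} '
              f'name={rec["name"]} [{mode}] triage={classify(rec)}')
```

       On a live system the same functions can be fed the output of
       ausearch -m AVC -ts recent; the triage is deliberately coarse and is
       meant to decide whether restorecon or audit2allow is the right next
       step, not to replace either.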

BOOLEANS

       SELinux policy is customizable based on least access required.
       pki_tomcat policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run pki_tomcat with the tightest
       access possible.



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to allow tomcat to use executable memory and executable
       stack, you must turn on the tomcat_use_execmem boolean. Disabled by
       default. Note that this grants the execmem and execstack permissions,
       i.e. writable-and-executable memory mappings, which removes a memory
       corruption mitigation for the tomcat domains, pki_tomcat_t included;
       leave it off unless a JIT or native library actually fails without it.
       The current value can be checked with getsebool tomcat_use_execmem.

       setsebool -P tomcat_use_execmem 1




MANAGED FILES

       The SELinux process type pki_tomcat_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.
       Some of these types (root_t, the cluster_* types) label far more than
       PKI data; review the list when assessing what a compromised pki_tomcat
       process could write.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       pki_common_t

            /opt/nfast(/.*)?

       pki_tomcat_cache_t


       pki_tomcat_cert_t

            /var/lib/pki-ca/alias(/.*)?
            /etc/pki/pki-tomcat/ca(/.*)?
            /var/lib/pki-kra/alias(/.*)?
            /var/lib/pki-tks/alias(/.*)?
            /var/lib/pki-ocsp/alias(/.*)?
            /etc/pki/pki-tomcat/alias(/.*)?
            /var/lib/ipa/pki-ca/publish(/.*)?

       pki_tomcat_etc_rw_t

            /etc/pki-ca(/.*)?
            /etc/pki-kra(/.*)?
            /etc/pki-tks(/.*)?
            /etc/pki-ocsp(/.*)?
            /etc/pki/pki-tomcat(/.*)?
            /etc/sysconfig/pki/tomcat(/.*)?

       pki_tomcat_lock_t

            /var/lock/subsys/pkidaemon

       pki_tomcat_log_t

            /var/log/pki-ca(/.*)?
            /var/log/pki-kra(/.*)?
            /var/log/pki-tks(/.*)?
            /var/log/pki-ocsp(/.*)?
            /var/log/pki/pki-tomcat(/.*)?

       pki_tomcat_var_lib_t

            /var/lib/pki-ca(/.*)?
            /var/lib/pki-kra(/.*)?
            /var/lib/pki-tks(/.*)?
            /var/lib/pki-ocsp(/.*)?
            /var/lib/pki/pki-tomcat(/.*)?

       pki_tomcat_var_run_t

            /var/run/pki-ca.pid
            /var/run/pki-kra.pid
            /var/run/pki-tks.pid
            /var/run/pki-ocsp.pid
            /var/run/pki/tomcat(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pki_tomcat policy is very flexible, allowing users to set up
       their pki_tomcat processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES


       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-ca directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca
       restorecon -R -v /srv/pki-ca

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-kra directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-kra /srv/pki-kra
       restorecon -R -v /srv/pki-kra

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-ocsp directory. If you would like to
       store the data in a different directory you can use the semanage
       command to create an equivalence mapping. If you wanted to store this
       data under the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-ocsp /srv/pki-ocsp
       restorecon -R -v /srv/pki-ocsp

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-tks directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-tks /srv/pki-tks
       restorecon -R -v /srv/pki-tks

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pki_tomcat. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t pki_tomcat_lock_t '/srv/mypki_tomcat_content(/.*)?'
       restorecon -R -v /srv/mypki_tomcat_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

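       Added example (not from the sepolicy-generated page or the pki_tomcat
       policy): a Python simulation of how a path is labelled from the
       patterns on this page, covering both the equivalence mapping described
       under EQUIVALENCE DIRECTORIES and the custom -t entry described under
       STANDARD FILE CONTEXT. It assumes a simplified form of the libselinux
       matching rule (the entry with the longest literal path stem wins, ties
       going to the pattern with more literal characters) and two base-policy
       fallbacks that are not listed on this page (/var/lib(/.*)? labelled
       var_lib_t and /srv(/.*)? labelled var_t). It does not read the real
       file_contexts database; FILE_CONTEXTS, EQUIVALENCES, LOCAL_CONTEXTS and
       lookup() are this example's own names.

```python
"""Added example (not part of the sepolicy-generated man page): simulate which
SELinux type a path receives from file-context patterns, including a semanage
equivalence mapping and a locally added -t entry.

Assumption: libselinux picks the most specific matching entry; approximated
here as "longest literal path stem wins, then the pattern with the most
literal characters". Real lookups also consult file_contexts.local, homedir
entries and the compiled binary database, all ignored here.
"""
import re

# Patterns from this man page, plus two base-policy fallbacks (assumed, not
# listed on the page) so that unmatched paths get a realistic generic type.
FILE_CONTEXTS = [
    (r"/var/lib(/.*)?", "var_lib_t"),                      # base policy (assumed)
    (r"/srv(/.*)?", "var_t"),                              # base policy (assumed)
    (r"/var/lib/pki-ca(/.*)?", "pki_tomcat_var_lib_t"),
    (r"/var/lib/pki-ca/alias(/.*)?", "pki_tomcat_cert_t"),
    (r"/var/lib/pki-kra(/.*)?", "pki_tomcat_var_lib_t"),
    (r"/var/lib/pki-kra/alias(/.*)?", "pki_tomcat_cert_t"),
    (r"/var/run/pki-ca.pid", "pki_tomcat_var_run_t"),      # "." unescaped, as on the page
    (r"/var/lock/subsys/pkidaemon", "pki_tomcat_lock_t"),
]

# What "semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca" records: paths
# under /srv/pki-ca are looked up as if they lived under /var/lib/pki-ca.
EQUIVALENCES = [("/srv/pki-ca", "/var/lib/pki-ca")]

# What "semanage fcontext -a -t pki_tomcat_lock_t '/srv/mypki_tomcat_content(/.*)?'"
# adds to the local file-context database.
LOCAL_CONTEXTS = [(r"/srv/mypki_tomcat_content(/.*)?", "pki_tomcat_lock_t")]

REGEX_META = set(".^$?*+|[](){}\\")


def stem(pattern):
    """Leading path components of a pattern that contain no regex metacharacter."""
    keep = []
    for part in pattern.split("/")[1:]:
        if any(ch in REGEX_META for ch in part):
            break
        keep.append(part)
    return "/" + "/".join(keep)


def specificity(pattern):
    """Ordering key approximating libselinux's 'most specific entry wins'."""
    return (len(stem(pattern)), sum(ch not in REGEX_META for ch in pattern))


def apply_equivalence(path, equivalences):
    """Rewrite an aliased prefix to its canonical one before pattern matching."""
    for alias, canonical in equivalences:
        if path == alias or path.startswith(alias + "/"):
            return canonical + path[len(alias):]
    return path


def lookup(path, contexts=FILE_CONTEXTS, equivalences=()):
    """Return the type a restorecon'd path would get, or None if nothing matches."""
    path = apply_equivalence(path, equivalences)
    best, best_key = None, None
    for pattern, stype in contexts:
        if re.fullmatch(pattern, path):
            key = specificity(pattern)
            if best_key is None or key >= best_key:   # later entry wins ties
                best, best_key = stype, key
    return best


if __name__ == "__main__":
    for p in ["/var/lib/pki-ca/alias/cert9.db", "/var/lib/pki-ca/conf/CS.cfg",
              "/srv/pki-ca/alias/cert9.db", "/srv/mypki_tomcat_content/x"]:
        print(f"{p:34} default={lookup(p)} "
              f"equivalence={lookup(p, equivalences=EQUIVALENCES)} "
              f"local={lookup(p, contexts=FILE_CONTEXTS + LOCAL_CONTEXTS)}")
```

       The run shows why the equivalence form is preferable to adding one
       -t entry per type when relocating a whole tree: the single prefix
       rewrite makes /srv/pki-ca/alias inherit pki_tomcat_cert_t and
       /srv/pki-ca/conf inherit pki_tomcat_var_lib_t, whereas without it
       everything under /srv falls back to var_t and pki_tomcat_t will be
       denied access. On a real host, matchpathcon or
       selinux.selinux_file_context_verify give the authoritative answer.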
       The following file types are defined for pki_tomcat:



       pki_tomcat_cache_t

       - Set files with the pki_tomcat_cache_t type, if you want to store the
       files under the /var/cache directory.



       pki_tomcat_cert_t

       - Set files with the pki_tomcat_cert_t type, if you want to treat the
       files as pki tomcat certificate data.


       Paths:
            /var/lib/pki-ca/alias(/.*)?, /etc/pki/pki-tomcat/ca(/.*)?,
            /var/lib/pki-kra/alias(/.*)?, /var/lib/pki-tks/alias(/.*)?,
            /var/lib/pki-ocsp/alias(/.*)?, /etc/pki/pki-tomcat/alias(/.*)?,
            /var/lib/ipa/pki-ca/publish(/.*)?


       pki_tomcat_etc_rw_t

       - Set files with the pki_tomcat_etc_rw_t type, if you want to treat the
       files as pki tomcat etc read/write content.


       Paths:
            /etc/pki-ca(/.*)?, /etc/pki-kra(/.*)?, /etc/pki-tks(/.*)?,
            /etc/pki-ocsp(/.*)?, /etc/pki/pki-tomcat(/.*)?,
            /etc/sysconfig/pki/tomcat(/.*)?


       pki_tomcat_exec_t

       - Set files with the pki_tomcat_exec_t type, if you want to transition
       an executable to the pki_tomcat_t domain.



       pki_tomcat_lock_t

       - Set files with the pki_tomcat_lock_t type, if you want to treat the
       files as pki tomcat lock data, stored under the /var/lock directory.



       pki_tomcat_log_t

       - Set files with the pki_tomcat_log_t type, if you want to treat the
       data as pki tomcat log data, usually stored under the /var/log
       directory.


       Paths:
            /var/log/pki-ca(/.*)?, /var/log/pki-kra(/.*)?,
            /var/log/pki-tks(/.*)?, /var/log/pki-ocsp(/.*)?,
            /var/log/pki/pki-tomcat(/.*)?


       pki_tomcat_tmp_t

       - Set files with the pki_tomcat_tmp_t type, if you want to store pki
       tomcat temporary files in the /tmp directories.



       pki_tomcat_unit_file_t

       - Set files with the pki_tomcat_unit_file_t type, if you want to treat
       the files as pki tomcat unit content.



       pki_tomcat_var_lib_t

       - Set files with the pki_tomcat_var_lib_t type, if you want to store
       the pki tomcat files under the /var/lib directory.


       Paths:
            /var/lib/pki-ca(/.*)?, /var/lib/pki-kra(/.*)?,
            /var/lib/pki-tks(/.*)?, /var/lib/pki-ocsp(/.*)?,
            /var/lib/pki/pki-tomcat(/.*)?


       pki_tomcat_var_run_t

       - Set files with the pki_tomcat_var_run_t type, if you want to store
       the pki tomcat files under the /run or /var/run directory.


       Paths:
            /var/run/pki-ca.pid, /var/run/pki-kra.pid, /var/run/pki-tks.pid,
            /var/run/pki-ocsp.pid, /var/run/pki/tomcat(/.*)?


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), pki_tomcat_script_selinux(8)



pki_tomcat                         21-03-26              pki_tomcat_selinux(8)