pki_tomcat_selinux(8)        SELinux Policy pki_tomcat        pki_tomcat_selinux(8)

NAME
pki_tomcat_selinux - Security Enhanced Linux Policy for the pki_tomcat
processes

DESCRIPTION
Security-Enhanced Linux secures the pki_tomcat processes via flexible
mandatory access control.

The pki_tomcat processes execute with the pki_tomcat_t SELinux type.
You can check if you have these processes running by executing the ps
command with the -Z qualifier.

For example:

ps -eZ | grep pki_tomcat_t

ENTRYPOINTS
The pki_tomcat_t SELinux type can be entered via the pki_tomcat_exec_t
file type.

The default entrypoint paths for the pki_tomcat_t domain are the
following:

/usr/bin/pkidaemon

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
pki_tomcat policy is very flexible, allowing users to set up their
pki_tomcat processes as securely as possible.

The following process types are defined for pki_tomcat:

pki_tomcat_t, pki_tomcat_script_t

Note: semanage permissive -a pki_tomcat_t can be used to make the
process type pki_tomcat_t permissive. SELinux does not deny access to
permissive process types, but the AVC (SELinux denials) messages are
still generated.
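The two checks described above, finding which processes run in the pki_tomcat_t domain with ps -Z and reading the AVC messages that are still logged when the domain is permissive, can be scripted. The following shell script is an added example; it is not part of this manual page or of the pki_tomcat policy. On a live system the input would come from ps -eZ and from /var/log/audit/audit.log; here both inputs are constructed sample lines so the script runs without SELinux present.

```shell
#!/bin/sh
# Added example: list processes in a given SELinux domain and summarise the
# AVC denials recorded for that domain. Inputs below are constructed samples.

# Constructed sample of `ps -eZ` output: context, pid, tty, time, command.
SAMPLE_PS='system_u:system_r:pki_tomcat_t:s0      1234 ?        00:00:12 java
system_u:system_r:httpd_t:s0             1300 ?        00:00:01 httpd
system_u:system_r:pki_tomcat_t:s0        1301 ?        00:00:00 pkidaemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 pts/0 00:00:00 bash'

# Print "pid command" for every process whose SELinux type equals $1.
# The type is the third colon-separated field of the context, so this is
# exact, unlike a plain grep for the type name.
procs_in_domain() {
    awk -v want="$1" '{
        split($1, ctx, ":")
        if (ctx[3] == want) print $2, $5
    }'
}

# Constructed sample audit records in the shape SELinux writes to audit.log.
# The second record carries permissive=1: the access was allowed, but the
# denial was still logged, which is what the Note above refers to.
SAMPLE_AVC='type=AVC msg=audit(1623225600.101:77): avc:  denied  { write } for  pid=1234 comm="java" name="ca.log" dev="dm-0" ino=1111 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623225600.102:78): avc:  denied  { read } for  pid=1234 comm="java" name="cert8.db" dev="dm-0" ino=2222 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1623225600.103:79): avc:  denied  { execmem } for  pid=1300 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0'

# Count denials per "target-type class permission" for the source domain $1.
# Output lines look like: "var_log_t file write 1" (sorted for stable output).
avc_summary() {
    awk -v want="$1" '
        /avc:  denied/ {
            # the permission set sits between "{ " and " }"
            s = index($0, "{ "); e = index($0, " }")
            perm = substr($0, s + 2, e - s - 2)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src == want) count[tgt " " cls " " perm]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Usage with the constructed samples (on a real host: ps -eZ | procs_in_domain ...).
printf '%s\n' "$SAMPLE_PS" | procs_in_domain pki_tomcat_t
printf '%s\n' "$SAMPLE_AVC" | avc_summary pki_tomcat_t
```

The summary groups denials by target type, object class and permission, which is the shape the policy itself reasons in: a denial on admin_home_t, for instance, points at a file that is simply mislabeled for the domain rather than at a missing rule, and the fix is restorecon, not a policy change.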
50
51
BOOLEANS
SELinux policy is customizable based on least access required.
pki_tomcat policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run pki_tomcat with the tightest
access possible.

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow tomcat to use executable memory and executable
stack, you must turn on the tomcat_use_execmem boolean. Disabled by
default.

setsebool -P tomcat_use_execmem 1
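An added example (not from this manual page or the pki_tomcat policy) that audits the two booleans above against the defaults stated here and prints the setsebool command that restores each one that has drifted. The getsebool output it reads is a constructed sample in which tomcat_use_execmem has been switched on; that setting lets the tomcat domain map memory writable and executable, which the default deliberately forbids.

```shell
#!/bin/sh
# Added example: compare boolean state with the defaults given in BOOLEANS
# and emit persistent (-P) setsebool commands for any that differ.

# Expected defaults as stated on this page.
EXPECTED='fips_mode on
tomcat_use_execmem off'

# Constructed sample of `getsebool fips_mode tomcat_use_execmem` output.
SAMPLE_GETSEBOOL='fips_mode --> on
tomcat_use_execmem --> on'

# Read getsebool lines on stdin; print "name current expected" for each
# boolean whose current value differs from the expected default.
boolean_drift() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1]] = f[2] }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }
    '
}

# Turn each drift line into the setsebool invocation that restores the default.
remediation() {
    boolean_drift | awk '{ v = ($3 == "on") ? 1 : 0; print "setsebool -P " $1 " " v }'
}

# Usage with the constructed sample (on a real host: getsebool -a | remediation).
printf '%s\n' "$SAMPLE_GETSEBOOL" | remediation
```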
72
73
74
MANAGED FILES
The SELinux process type pki_tomcat_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs DAC permissions.
79
cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

dirsrv_var_lib_t

/var/lib/dirsrv(/.*)?

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

pki_common_t

/opt/nfast(/.*)?

pki_tomcat_cache_t


pki_tomcat_cert_t

/var/lib/pki-ca/alias(/.*)?
/etc/pki/pki-tomcat/ca(/.*)?
/var/lib/pki-kra/alias(/.*)?
/var/lib/pki-tks/alias(/.*)?
/var/lib/pki-ocsp/alias(/.*)?
/etc/pki/pki-tomcat/alias(/.*)?
/var/lib/ipa/pki-ca/publish(/.*)?

pki_tomcat_etc_rw_t

/etc/pki-ca(/.*)?
/etc/pki-kra(/.*)?
/etc/pki-tks(/.*)?
/etc/pki-ocsp(/.*)?
/etc/pki/pki-tomcat(/.*)?
/etc/sysconfig/pki/tomcat(/.*)?

pki_tomcat_lock_t

/var/lock/subsys/pkidaemon

pki_tomcat_log_t

/var/log/pki-ca(/.*)?
/var/log/pki-kra(/.*)?
/var/log/pki-tks(/.*)?
/var/log/pki-ocsp(/.*)?
/var/log/pki/pki-tomcat(/.*)?

pki_tomcat_tmp_t


pki_tomcat_var_lib_t

/var/lib/pki-ca(/.*)?
/var/lib/pki-kra(/.*)?
/var/lib/pki-tks(/.*)?
/var/lib/pki-ocsp(/.*)?
/var/lib/pki/pki-tomcat(/.*)?

pki_tomcat_var_run_t

/var/run/pki-ca.pid
/var/run/pki-kra.pid
/var/run/pki-tks.pid
/var/run/pki-ocsp.pid
/var/run/pki/tomcat(/.*)?

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

user_tmp_t

/dev/shm/mono.*
/var/run/user(/.*)?
/tmp/.ICE-unix(/.*)?
/tmp/.X11-unix(/.*)?
/dev/shm/pulse-shm.*
/tmp/.X0-lock
/tmp/hsperfdata_root
/var/tmp/hsperfdata_root
/home/[^/]+/tmp
/home/[^/]+/.tmp
/tmp/gconfd-[^/]+

205
FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux pki_tomcat policy is very flexible, allowing users to set up
their pki_tomcat processes as securely as possible.

EQUIVALENCE DIRECTORIES

pki_tomcat policy stores data with multiple different file context
types under the /var/lib/pki-ca directory. If you would like to store
the data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following command:

semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca
restorecon -R -v /srv/pki-ca

pki_tomcat policy stores data with multiple different file context
types under the /var/lib/pki-kra directory. If you would like to store
the data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following command:

semanage fcontext -a -e /var/lib/pki-kra /srv/pki-kra
restorecon -R -v /srv/pki-kra

pki_tomcat policy stores data with multiple different file context
types under the /var/lib/pki-ocsp directory. If you would like to
store the data in a different directory you can use the semanage
command to create an equivalence mapping. If you wanted to store this
data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/lib/pki-ocsp /srv/pki-ocsp
restorecon -R -v /srv/pki-ocsp

pki_tomcat policy stores data with multiple different file context
types under the /var/lib/pki-tks directory. If you would like to store
the data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following command:

semanage fcontext -a -e /var/lib/pki-tks /srv/pki-tks
restorecon -R -v /srv/pki-tks

STANDARD FILE CONTEXT

SELinux defines the file context types for pki_tomcat; if you want to
store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t pki_tomcat_lock_t '/srv/mypki_tomcat_content(/.*)?'
restorecon -R -v /srv/mypki_tomcat_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.
268
The following file types are defined for pki_tomcat:


pki_tomcat_cache_t

- Set files with the pki_tomcat_cache_t type, if you want to store the
files under the /var/cache directory.


pki_tomcat_cert_t

- Set files with the pki_tomcat_cert_t type, if you want to treat the
files as pki tomcat certificate data.

Paths:
/var/lib/pki-ca/alias(/.*)?, /etc/pki/pki-tomcat/ca(/.*)?,
/var/lib/pki-kra/alias(/.*)?, /var/lib/pki-tks/alias(/.*)?,
/var/lib/pki-ocsp/alias(/.*)?, /etc/pki/pki-tomcat/alias(/.*)?,
/var/lib/ipa/pki-ca/publish(/.*)?


pki_tomcat_etc_rw_t

- Set files with the pki_tomcat_etc_rw_t type, if you want to treat the
files as pki tomcat etc read/write content.

Paths:
/etc/pki-ca(/.*)?, /etc/pki-kra(/.*)?, /etc/pki-tks(/.*)?,
/etc/pki-ocsp(/.*)?, /etc/pki/pki-tomcat(/.*)?,
/etc/sysconfig/pki/tomcat(/.*)?


pki_tomcat_exec_t

- Set files with the pki_tomcat_exec_t type, if you want to transition
an executable to the pki_tomcat_t domain.


pki_tomcat_lock_t

- Set files with the pki_tomcat_lock_t type, if you want to treat the
files as pki tomcat lock data, stored under the /var/lock directory.


pki_tomcat_log_t

- Set files with the pki_tomcat_log_t type, if you want to treat the
data as pki tomcat log data, usually stored under the /var/log
directory.

Paths:
/var/log/pki-ca(/.*)?, /var/log/pki-kra(/.*)?, /var/log/pki-tks(/.*)?,
/var/log/pki-ocsp(/.*)?, /var/log/pki/pki-tomcat(/.*)?


pki_tomcat_tmp_t

- Set files with the pki_tomcat_tmp_t type, if you want to store pki
tomcat temporary files in the /tmp directories.


pki_tomcat_unit_file_t

- Set files with the pki_tomcat_unit_file_t type, if you want to treat
the files as pki tomcat unit content.


pki_tomcat_var_lib_t

- Set files with the pki_tomcat_var_lib_t type, if you want to store
the pki tomcat files under the /var/lib directory.

Paths:
/var/lib/pki-ca(/.*)?, /var/lib/pki-kra(/.*)?, /var/lib/pki-tks(/.*)?,
/var/lib/pki-ocsp(/.*)?, /var/lib/pki/pki-tomcat(/.*)?


pki_tomcat_var_run_t

- Set files with the pki_tomcat_var_run_t type, if you want to store
the pki tomcat files under the /run or /var/run directory.

Paths:
/var/run/pki-ca.pid, /var/run/pki-kra.pid, /var/run/pki-tks.pid,
/var/run/pki-ocsp.pid, /var/run/pki/tomcat(/.*)?


Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.
371
372
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), pki_tomcat_script_selinux(8)


pki_tomcat                        21-06-09                pki_tomcat_selinux(8)