1certmaster_selinux(8)      SELinux Policy certmaster     certmaster_selinux(8)
2
3
4

NAME

6       certmaster_selinux  - Security Enhanced Linux Policy for the certmaster
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the certmaster processes  via  flexible
11       mandatory access control.
12
13       The  certmaster  processes  execute with the certmaster_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep certmaster_t
20
21
22

ENTRYPOINTS

24       The  certmaster_t SELinux type can be entered via the certmaster_exec_t
25       file type.
26
27       The default entrypoint paths for the certmaster_t domain are  the  fol‐
28       lowing:
29
30       /usr/bin/certmaster
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       certmaster  policy is very flexible allowing users to setup their cert‐
40       master processes in as secure a method as possible.
41
42       The following process types are defined for certmaster:
43
44       certmaster_t
45
46       Note: semanage permissive -a certmaster_t  can  be  used  to  make  the
47       process  type  certmaster_t permissive. SELinux does not deny access to
48       permissive process types, but the AVC (SELinux  denials)  messages  are
49       still generated.
50
51

BOOLEANS

53       SELinux  policy  is customizable based on least access required.  cert‐
54       master policy is extremely flexible and has several booleans that allow
55       you  to  manipulate the policy and run certmaster with the tightest ac‐
56       cess possible.
57
58
59
60       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
61       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
62       Enabled by default.
63
64       setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to  allow  system  to run with NIS, you must turn on the
76       nis_enabled boolean. Disabled by default.
77
78       setsebool -P nis_enabled 1
79
80
81

PORT TYPES

83       SELinux defines port types to represent TCP and UDP ports.
84
85       You can see the types associated with a port  by  using  the  following
86       command:
87
88       semanage port -l
89
90
91       Policy  governs  the  access  confined  processes  have to these ports.
92       SELinux certmaster policy is very  flexible  allowing  users  to  setup
93       their certmaster processes in as secure a method as possible.
94
95       The following port types are defined for certmaster:
96
97
98       certmaster_port_t
99
100
101
102       Default Defined Ports:
103                 tcp 51235
104

MANAGED FILES

106       The SELinux process type certmaster_t can manage files labeled with the
107       following file types.  The paths listed are the default paths for these
108       file types.  Note the processes UID still need to have DAC permissions.
109
110       certmaster_etc_rw_t
111
112            /etc/certmaster(/.*)?
113
114       certmaster_var_lib_t
115
116            /var/lib/certmaster(/.*)?
117
118       certmaster_var_run_t
119
120            /var/run/certmaster.*
121
122       cluster_conf_t
123
124            /etc/cluster(/.*)?
125
126       cluster_var_lib_t
127
128            /var/lib/pcsd(/.*)?
129            /var/lib/cluster(/.*)?
130            /var/lib/openais(/.*)?
131            /var/lib/pengine(/.*)?
132            /var/lib/corosync(/.*)?
133            /usr/lib/heartbeat(/.*)?
134            /var/lib/heartbeat(/.*)?
135            /var/lib/pacemaker(/.*)?
136
137       cluster_var_run_t
138
139            /var/run/crm(/.*)?
140            /var/run/cman_.*
141            /var/run/rsctmp(/.*)?
142            /var/run/aisexec.*
143            /var/run/heartbeat(/.*)?
144            /var/run/pcsd-ruby.socket
145            /var/run/corosync-qnetd(/.*)?
146            /var/run/corosync-qdevice(/.*)?
147            /var/run/corosync.pid
148            /var/run/cpglockd.pid
149            /var/run/rgmanager.pid
150            /var/run/cluster/rgmanager.sk
151
152       krb5_host_rcache_t
153
154            /var/tmp/krb5_0.rcache2
155            /var/cache/krb5rcache(/.*)?
156            /var/tmp/nfs_0
157            /var/tmp/DNS_25
158            /var/tmp/host_0
159            /var/tmp/imap_0
160            /var/tmp/HTTP_23
161            /var/tmp/HTTP_48
162            /var/tmp/ldap_55
163            /var/tmp/ldap_487
164            /var/tmp/ldapmap1_0
165
166       root_t
167
168            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
169            /
170            /initrd
171
172

FILE CONTEXTS

174       SELinux requires files to have an extended attribute to define the file
175       type.
176
177       You can see the context of a file using the -Z option to ls
178
179       Policy governs the access  confined  processes  have  to  these  files.
180       SELinux  certmaster  policy  is  very  flexible allowing users to setup
181       their certmaster processes in as secure a method as possible.
182
183       STANDARD FILE CONTEXT
184
185       SELinux defines the file context  types  for  the  certmaster,  if  you
186       wanted  to  store files with these types in a different paths, you need
187       to execute the semanage command to specify alternate labeling and  then
188       use restorecon to put the labels on disk.
189
190       semanage   fcontext   -a   -t  certmaster_exec_t  '/srv/certmaster/con‐
191       tent(/.*)?'
192       restorecon -R -v /srv/mycertmaster_content
193
194       Note: SELinux often uses regular expressions  to  specify  labels  that
195       match multiple files.
196
197       The following file types are defined for certmaster:
198
199
200
201       certmaster_etc_rw_t
202
203       - Set files with the certmaster_etc_rw_t type, if you want to treat the
204       files as certmaster etc read/write content.
205
206
207
208       certmaster_exec_t
209
210       - Set files with the certmaster_exec_t type, if you want to  transition
211       an executable to the certmaster_t domain.
212
213
214
215       certmaster_initrc_exec_t
216
217       -  Set  files  with  the  certmaster_initrc_exec_t type, if you want to
218       transition an executable to the certmaster_initrc_t domain.
219
220
221
222       certmaster_var_lib_t
223
224       - Set files with the certmaster_var_lib_t type, if you  want  to  store
225       the certmaster files under the /var/lib directory.
226
227
228
229       certmaster_var_log_t
230
231       -  Set  files  with the certmaster_var_log_t type, if you want to treat
232       the data as certmaster var log data, usually stored under the  /var/log
233       directory.
234
235
236
237       certmaster_var_run_t
238
239       -  Set  files  with the certmaster_var_run_t type, if you want to store
240       the certmaster files under the /run or /var/run directory.
241
242
243
244       Note: File context can be temporarily modified with the chcon  command.
245       If  you want to permanently change the file context you need to use the
246       semanage fcontext command.  This will modify the SELinux labeling data‐
247       base.  You will need to use restorecon to apply the labels.
248
249

COMMANDS

251       semanage  fcontext  can also be used to manipulate default file context
252       mappings.
253
254       semanage permissive can also be used to manipulate  whether  or  not  a
255       process type is permissive.
256
257       semanage  module can also be used to enable/disable/install/remove pol‐
258       icy modules.
259
260       semanage port can also be used to manipulate the port definitions
261
262       semanage boolean can also be used to manipulate the booleans
263
264
265       system-config-selinux is a GUI tool available to customize SELinux pol‐
266       icy settings.
267
268

AUTHOR

270       This manual page was auto-generated using sepolicy manpage .
271
272

SEE ALSO

274       selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1), sepol‐
275       icy(8), setsebool(8)
276
277
278
279certmaster                         23-10-20              certmaster_selinux(8)
Impressum