dspam_selinux(8)

1dspam_selinux(8)             SELinux Policy dspam             dspam_selinux(8)
2
3
4

NAME

6       dspam_selinux - Security Enhanced Linux Policy for the dspam processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the dspam processes via flexible manda‐
10       tory access control.
11
12       The dspam processes execute with the  dspam_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep dspam_t
19
20
21

ENTRYPOINTS

23       The dspam_t SELinux type can be entered via the dspam_exec_t file type.
24
25       The default entrypoint paths for the dspam_t domain are the following:
26
27       /usr/bin/dspam
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       dspam policy is very flexible allowing users to setup their dspam  pro‐
37       cesses in as secure a method as possible.
38
39       The following process types are defined for dspam:
40
41       dspam_t, dspam_script_t
42
43       Note:  semanage  permissive  -a dspam_t can be used to make the process
44       type dspam_t permissive. SELinux does not  deny  access  to  permissive
45       process  types, but the AVC (SELinux denials) messages are still gener‐
46       ated.
47
48

BOOLEANS

50       SELinux policy is customizable based on least access  required.   dspam
51       policy is extremely flexible and has several booleans that allow you to
52       manipulate the policy and run dspam with the tightest access possible.
53
54
55
56       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
57       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
58       Enabled by default.
59
60       setsebool -P daemons_dontaudit_scheduling 1
61
62
63
64       If you want to allow all domains to execute in fips_mode, you must turn
65       on the fips_mode boolean. Enabled by default.
66
67       setsebool -P fips_mode 1
68
69
70
71       If  you  want  to  allow  system  to run with NIS, you must turn on the
72       nis_enabled boolean. Disabled by default.
73
74       setsebool -P nis_enabled 1
75
76
77

MANAGED FILES

79       The SELinux process type dspam_t can manage files labeled with the fol‐
80       lowing  file  types.   The paths listed are the default paths for these
81       file types.  Note the processes UID still need to have DAC permissions.
82
83       cluster_conf_t
84
85            /etc/cluster(/.*)?
86
87       cluster_var_lib_t
88
89            /var/lib/pcsd(/.*)?
90            /var/lib/cluster(/.*)?
91            /var/lib/openais(/.*)?
92            /var/lib/pengine(/.*)?
93            /var/lib/corosync(/.*)?
94            /usr/lib/heartbeat(/.*)?
95            /var/lib/heartbeat(/.*)?
96            /var/lib/pacemaker(/.*)?
97
98       cluster_var_run_t
99
100            /var/run/crm(/.*)?
101            /var/run/cman_.*
102            /var/run/rsctmp(/.*)?
103            /var/run/aisexec.*
104            /var/run/heartbeat(/.*)?
105            /var/run/pcsd-ruby.socket
106            /var/run/corosync-qnetd(/.*)?
107            /var/run/corosync-qdevice(/.*)?
108            /var/run/corosync.pid
109            /var/run/cpglockd.pid
110            /var/run/rgmanager.pid
111            /var/run/cluster/rgmanager.sk
112
113       dspam_rw_content_t
114
115            /var/lib/dspam/data(/.*)?
116
117       dspam_var_lib_t
118
119            /var/lib/dspam(/.*)?
120
121       dspam_var_run_t
122
123            /var/run/dspam(/.*)?
124
125       krb5_host_rcache_t
126
127            /var/tmp/krb5_0.rcache2
128            /var/cache/krb5rcache(/.*)?
129            /var/tmp/nfs_0
130            /var/tmp/DNS_25
131            /var/tmp/host_0
132            /var/tmp/imap_0
133            /var/tmp/HTTP_23
134            /var/tmp/HTTP_48
135            /var/tmp/ldap_55
136            /var/tmp/ldap_487
137            /var/tmp/ldapmap1_0
138
139       root_t
140
141            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
142            /
143            /initrd
144
145

FILE CONTEXTS

147       SELinux requires files to have an extended attribute to define the file
148       type.
149
150       You can see the context of a file using the -Z option to ls
151
152       Policy  governs  the  access  confined  processes  have to these files.
153       SELinux dspam policy is very flexible allowing  users  to  setup  their
154       dspam processes in as secure a method as possible.
155
156       EQUIVALENCE DIRECTORIES
157
158
159       dspam policy stores data with multiple different file context types un‐
160       der the /var/lib/dspam directory.  If you would like to store the  data
161       in  a different directory you can use the semanage command to create an
162       equivalence mapping.  If you wanted to store this data under  the  /srv
163       directory you would execute the following command:
164
165       semanage fcontext -a -e /var/lib/dspam /srv/dspam
166       restorecon -R -v /srv/dspam
167
168       STANDARD FILE CONTEXT
169
170       SELinux  defines the file context types for the dspam, if you wanted to
171       store files with these types in a different paths, you need to  execute
172       the  semanage  command  to  specify alternate labeling and then use re‐
173       storecon to put the labels on disk.
174
175       semanage fcontext -a -t dspam_exec_t '/srv/dspam/content(/.*)?'
176       restorecon -R -v /srv/mydspam_content
177
178       Note: SELinux often uses regular expressions  to  specify  labels  that
179       match multiple files.
180
181       The following file types are defined for dspam:
182
183
184
185       dspam_content_t
186
187       -  Set  files  with  the dspam_content_t type, if you want to treat the
188       files as dspam content.
189
190
191
192       dspam_exec_t
193
194       - Set files with the dspam_exec_t type, if you want  to  transition  an
195       executable to the dspam_t domain.
196
197
198
199       dspam_htaccess_t
200
201       -  Set  files  with the dspam_htaccess_t type, if you want to treat the
202       file as a dspam access file.
203
204
205
206       dspam_initrc_exec_t
207
208       - Set files with the dspam_initrc_exec_t type, if you want  to  transi‐
209       tion an executable to the dspam_initrc_t domain.
210
211
212
213       dspam_log_t
214
215       - Set files with the dspam_log_t type, if you want to treat the data as
216       dspam log data, usually stored under the /var/log directory.
217
218
219
220       dspam_ra_content_t
221
222       - Set files with the dspam_ra_content_t type, if you want to treat  the
223       files as dspam read/append content.
224
225
226
227       dspam_rw_content_t
228
229       -  Set files with the dspam_rw_content_t type, if you want to treat the
230       files as dspam read/write content.
231
232
233
234       dspam_script_exec_t
235
236       - Set files with the dspam_script_exec_t type, if you want  to  transi‐
237       tion an executable to the dspam_script_t domain.
238
239
240       Paths:
241            /var/www/dspam/.*.cgi, /usr/share/dspam-web/dspam.cgi
242
243
244       dspam_var_lib_t
245
246       -  Set  files  with  the dspam_var_lib_t type, if you want to store the
247       dspam files under the /var/lib directory.
248
249
250
251       dspam_var_run_t
252
253       - Set files with the dspam_var_run_t type, if you  want  to  store  the
254       dspam files under the /run or /var/run directory.
255
256
257
258       Note:  File context can be temporarily modified with the chcon command.
259       If you want to permanently change the file context you need to use  the
260       semanage fcontext command.  This will modify the SELinux labeling data‐
261       base.  You will need to use restorecon to apply the labels.
262
263

COMMANDS

265       semanage fcontext can also be used to manipulate default  file  context
266       mappings.
267
268       semanage  permissive  can  also  be used to manipulate whether or not a
269       process type is permissive.
270
271       semanage module can also be used to enable/disable/install/remove  pol‐
272       icy modules.
273
274       semanage boolean can also be used to manipulate the booleans
275
276
277       system-config-selinux is a GUI tool available to customize SELinux pol‐
278       icy settings.
279
280

AUTHOR

282       This manual page was auto-generated using sepolicy manpage .
283
284