glusterd_selinux(8)         SELinux Policy glusterd        glusterd_selinux(8)


NAME

       glusterd_selinux - Security Enhanced Linux Policy for the glusterd
       processes


DESCRIPTION

       Security-Enhanced Linux confines the glusterd processes with mandatory
       access control: the loaded policy, not the owner of the process, decides
       which files, ports and other resources the daemons may touch.

       The glusterd processes execute with the glusterd_t SELinux type. You
       can check that these processes are running in that domain by executing
       the ps command with the -Z option and inspecting the type field of the
       printed security context.

       For example:

       ps -eZ | grep glusterd_t

       If gluster processes are running but none of them shows glusterd_t,
       they are not confined by this policy (see ENTRYPOINTS).


ENTRYPOINTS

       The glusterd_t SELinux type can be entered via the glusterd_exec_t file
       type. Without that label on the executable, executing it does not
       transition into glusterd_t, and the confinement described in this page
       does not apply to the resulting process. Note that /usr/sbin/glusterd
       itself is labeled glusterd_initrc_exec_t (see FILE CONTEXTS).

       The default entrypoint paths for the glusterd_t domain are the
       following:

       /opt/glusterfs/[^/]+/sbin/glusterfsd,
       /usr/libexec/glusterfs/peer_eventsapi.py,
       /usr/libexec/glusterfs/events/glustereventsd.py,
       /usr/sbin/glusterfsd, /usr/sbin/glustereventsd,
       /usr/sbin/gluster-eventsapi


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       glusterd policy is flexible, allowing users to set up their glusterd
       processes in as secure a manner as possible.

       The following process types are defined for glusterd:

       glusterd_t

       Note: semanage permissive -a glusterd_t can be used to make the process
       type glusterd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. Use this only while diagnosing a misbehaving deployment: a
       permissive glusterd_t is effectively unconfined, so remove the entry
       again with semanage permissive -d glusterd_t once the missing rule or
       label has been fixed.


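       As an added example (not part of the sepolicy-generated page), the
       following script implements the two checks the ENTRYPOINTS and PROCESS
       TYPES sections describe: that the gluster binaries on disk carry
       glusterd_exec_t, and that the running gluster processes are actually in
       glusterd_t. Both functions read the -Z output of the standard tool on
       stdin; the sample ls -Z and ps -eZ lines embedded below are constructed
       for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: offline-testable checks run after installing or relabeling
# a gluster node.
#   audit_entrypoints     - gluster binaries must be labeled glusterd_exec_t,
#                           otherwise executing them never enters glusterd_t.
#   audit_gluster_domains - running gluster processes must be in glusterd_t,
#                           not e.g. unconfined_t after a brick was started
#                           by hand from an administrator's shell.

# Print the SELinux type (third field) of a context such as
# system_u:system_r:glusterd_t:s0-s0:c0.c1023.
context_type() {
    t=${1#*:*:}              # drop the user and role fields
    printf '%s\n' "${t%%:*}"
}

# Input: "ls -Z" lines, "<context> <path>".  Prints every path whose type is
# not glusterd_exec_t; returns 1 if any was found, 0 otherwise.
audit_entrypoints() {
    bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        ftype=$(context_type "$ctx")
        if [ "$ftype" != glusterd_exec_t ]; then
            printf 'WRONG LABEL: %s is %s\n' "$path" "$ftype"
            bad=1
        fi
    done
    return $bad
}

# Input: "ps -eZ" lines, "<context> <pid> <tty> <time> <cmd>".  Prints every
# gluster process whose domain is not glusterd_t; returns 1 if any was found.
audit_gluster_domains() {
    bad=0
    while read -r ctx rest; do
        case "$ctx" in LABEL|"") continue ;; esac     # header or blank line
        cmd=${rest##* }                                # last field: command
        case "$cmd" in gluster*) ;; *) continue ;; esac
        dom=$(context_type "$ctx")
        if [ "$dom" != glusterd_t ]; then
            printf 'NOT CONFINED: %s (%s) runs as %s\n' "$cmd" "${rest%% *}" "$dom"
            bad=1
        fi
    done
    return $bad
}

# Constructed samples (not real output).  The third binary is mislabeled and
# the third process was started unconfined.
SAMPLE_LS='system_u:object_r:glusterd_exec_t:s0 /usr/sbin/glusterfsd
system_u:object_r:glusterd_exec_t:s0 /usr/sbin/glustereventsd
system_u:object_r:bin_t:s0 /usr/sbin/gluster-eventsapi'

SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:glusterd_t:s0     812 ?        00:00:03 glusterd
system_u:system_r:glusterd_t:s0     901 ?        00:00:09 glusterfsd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1432 ? 00:00:00 glusterfsd
system_u:system_r:sshd_t:s0-s0:c0.c1023   500 ?   00:00:00 sshd'

# Live use on a node:
#   ls -Z /usr/sbin/glusterfsd /usr/sbin/glustereventsd /usr/sbin/gluster-eventsapi | audit_entrypoints
#   ps -eZ | audit_gluster_domains
```

       A mislabeled binary reported by audit_entrypoints is fixed with
       restorecon on that path; a process reported by audit_gluster_domains has
       to be restarted through the service manager so that it enters
       glusterd_t via the entrypoint.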

BOOLEANS

       SELinux policy is customizable based on the least access required.
       glusterd policy is flexible and has several booleans that allow you to
       manipulate the policy and run glusterd with the tightest access
       possible. Note that gluster_export_all_rw is enabled by default, so an
       unmodified installation lets glusterfsd read and write files of the
       non_security_file_type attribute listed under MANAGED FILES, i.e.
       nearly every ordinary file on the system. The tightest configuration
       labels the brick directories glusterd_brick_t (see FILE CONTEXTS) and
       turns that boolean off.

       If you want to allow glusterfsd to share any file/directory read only,
       you must turn on the gluster_export_all_ro boolean. Disabled by
       default.

       setsebool -P gluster_export_all_ro 1

       If you want to allow glusterfsd to share any file/directory read/write,
       you must turn on the gluster_export_all_rw boolean. Enabled by default.

       setsebool -P gluster_export_all_rw 1

       If you want to allow the glusterd_t domain to use executable memory
       (memory mappings that are both writable and executable), you must turn
       on the gluster_use_execmem boolean. Disabled by default.

       setsebool -P gluster_use_execmem 1

       If you want to dontaudit all daemons' scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1


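       As an added example (not part of the sepolicy-generated page), the
       following script compares the gluster booleans reported by getsebool -a
       against a hardened baseline and prints the setsebool commands needed to
       close the gap. The baseline is an assumption for a node whose bricks
       are labeled glusterd_brick_t and that does not use public_content_rw_t
       drop directories; the sample getsebool output embedded below is
       constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit gluster-related SELinux booleans against a baseline
# that is tighter than the distribution default (gluster_export_all_rw=on).

# Assumed baseline, name=desired value, one per line.
BASELINE='gluster_export_all_ro=off
gluster_export_all_rw=off
gluster_use_execmem=off
gluster_anon_write=off'

# Print the desired value for boolean $1, or nothing if it is not in the
# baseline.
baseline_value() {
    printf '%s\n' "$BASELINE" | while IFS='=' read -r bname bvalue; do
        if [ "$bname" = "$1" ]; then
            printf '%s\n' "$bvalue"
        fi
    done
}

# Read "getsebool -a" output on stdin ("name --> on").  For every boolean in
# the baseline whose current value differs, print the corrective setsebool
# command.  Returns 1 if any drift was found, 0 otherwise.
audit_booleans() {
    drift=0
    while read -r name arrow current; do
        [ "$arrow" = "-->" ] || continue
        want=$(baseline_value "$name")
        [ -n "$want" ] || continue              # not a boolean we care about
        if [ "$want" != "$current" ]; then
            case "$want" in on) bit=1 ;; *) bit=0 ;; esac
            printf 'setsebool -P %s %s\n' "$name" "$bit"
            drift=1
        fi
    done
    return $drift
}

# Constructed sample of getsebool -a output on a default installation.
SAMPLE_BOOLEANS='gluster_anon_write --> off
gluster_export_all_ro --> off
gluster_export_all_rw --> on
gluster_use_execmem --> off
nis_enabled --> off'

# Live use:  getsebool -a | audit_booleans
# To apply:  getsebool -a | audit_booleans | sh
```

       Turning gluster_export_all_rw off only works once every brick is
       labeled glusterd_brick_t; do the relabeling first and watch the audit
       log for AVC denials from glusterd_t before flipping the boolean with
       -P on a production node.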

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux glusterd policy is flexible, allowing users to set up their
       glusterd processes in as secure a manner as possible.

       The following port types are defined for glusterd:

       gluster_port_t

       Default Defined Ports:
                 tcp 38465-38469,24007-24027

       Note: the ranges above cover the management port and the port range
       gluster itself uses; if a brick or daemon is configured to listen
       elsewhere, compare its port with the semanage port -l output and check
       the audit log for name_bind denials from glusterd_t.

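       As an added example (not part of the sepolicy-generated page), the
       following script parses semanage port -l output and reports which port
       types cover a given TCP port, so that a brick moved to a non-default
       port can be checked against gluster_port_t without reading the list by
       hand. The sample semanage output embedded below is constructed for the
       example. The script only reports labels; whether glusterd_t may bind a
       port that is not gluster_port_t depends on other rules in the policy,
       so use the audit log, not this script, to decide that.

```shell
#!/bin/sh
# Added example: check whether a TCP port falls inside the gluster_port_t
# ranges, parsing "semanage port -l" output.

# Return 0 if $1 (a port number) lies in the comma-separated list of ports
# and ranges in $2 (e.g. "38465-38469, 24007-24027"), 1 otherwise.
port_in_list() {
    port=$1
    rest=$2
    while [ -n "$rest" ]; do
        item=${rest%%,*}                          # first element
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        item=$(printf '%s' "$item" | tr -d ' ')  # semanage pads with spaces
        case "$item" in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item;      hi=$item ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Read "semanage port -l" lines on stdin ("type  proto  ports...") and print
# every port type whose TCP definition covers port $1.  Returns 0 if
# gluster_port_t is among them, 1 otherwise.
port_types_for() {
    found=1
    while read -r ptype proto ports; do
        [ "$proto" = tcp ] || continue
        if port_in_list "$1" "$ports"; then
            printf '%s\n' "$ptype"
            if [ "$ptype" = gluster_port_t ]; then
                found=0
            fi
        fi
    done
    return $found
}

# Constructed sample of semanage port -l output (a few lines only).
SAMPLE_PORTS='gluster_port_t                 tcp      38465-38469, 24007-24027
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# Live use:  semanage port -l | port_types_for 24009
# Add a missing port:  semanage port -a -t gluster_port_t -p tcp 24030
```

       Real semanage port -l output also contains broad generic ranges that
       overlap the specific ones; if several types are printed for one port,
       the policy's own ordering of port definitions decides which label
       applies, and this script deliberately does not reproduce that ordering.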

MANAGED FILES

       The SELinux process type glusterd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission on
       the files; SELinux is checked in addition to, not instead of, the
       ordinary permission bits.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       glusterd_brick_t

            (no default paths; brick directories have to be labeled with this
            type by the administrator, see FILE CONTEXTS)

       glusterd_conf_t

            /etc/glusterd(/.*)?
            /etc/glusterfs(/.*)?

       glusterd_log_t

            /var/log/glusterfs(/.*)?

       glusterd_tmp_t


       glusterd_tmpfs_t


       glusterd_var_lib_t

            /var/lib/glusterd(/.*)?

       glusterd_var_run_t

            /var/run/gluster(/.*)?
            /var/run/glusterd.*
            /var/run/glusterd(/.*)?

       initrc_state_t


       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       non_security_file_type

            (attribute shared by nearly every ordinary file type on the
            system; this is what lets glusterfsd share any directory while
            the gluster_export_all_rw boolean is on)

       noxattrfs

            all files on file systems which do not support extended attributes

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       var_lib_nfs_t

            /var/lib/nfs(/.*)?



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux glusterd policy is flexible, allowing users to set up their
       glusterd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       glusterd policy stores data with multiple different file context types
       under the /var/run/gluster directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following commands:

       semanage fcontext -a -e /var/run/gluster /srv/gluster
       restorecon -R -v /srv/gluster

       STANDARD FILE CONTEXT

       SELinux defines the file context types for glusterd. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to label a brick
       directory under /srv as glusterd brick data, which glusterfsd can serve
       without the broad gluster_export_all_rw boolean:

       semanage fcontext -a -t glusterd_brick_t '/srv/glusterd/content(/.*)?'
       restorecon -R -v /srv/glusterd/content

       Note: SELinux uses regular expressions to specify labels that match
       multiple files. The expression is matched against the whole path, so
       characters such as '.' or '+' in a directory name must be escaped or
       the pattern will cover different files than intended.
       The following file types are defined for glusterd:

       glusterd_brick_t

       - Set files with the glusterd_brick_t type, if you want to treat the
       files as glusterd brick data.

       glusterd_conf_t

       - Set files with the glusterd_conf_t type, if you want to treat the
       files as glusterd configuration data, usually stored under the /etc
       directory.

       Paths:
            /etc/glusterd(/.*)?, /etc/glusterfs(/.*)?

       glusterd_exec_t

       - Set files with the glusterd_exec_t type, if you want to transition an
       executable to the glusterd_t domain.

       Paths:
            /opt/glusterfs/[^/]+/sbin/glusterfsd,
            /usr/libexec/glusterfs/peer_eventsapi.py,
            /usr/libexec/glusterfs/events/glustereventsd.py,
            /usr/sbin/glusterfsd, /usr/sbin/glustereventsd,
            /usr/sbin/gluster-eventsapi

       glusterd_initrc_exec_t

       - Set files with the glusterd_initrc_exec_t type, if you want to
       transition an executable to the glusterd_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd

       glusterd_log_t

       - Set files with the glusterd_log_t type, if you want to treat the data
       as glusterd log data, usually stored under the /var/log directory.

       glusterd_tmp_t

       - Set files with the glusterd_tmp_t type, if you want to store glusterd
       temporary files in the /tmp directories.

       glusterd_tmpfs_t

       - Set files with the glusterd_tmpfs_t type, if you want to store
       glusterd files on a tmpfs file system.

       glusterd_var_lib_t

       - Set files with the glusterd_var_lib_t type, if you want to store the
       glusterd files under the /var/lib directory.

       glusterd_var_run_t

       - Set files with the glusterd_var_run_t type, if you want to store the
       glusterd files under the /run or /var/run directory.

       Paths:
            /var/run/gluster(/.*)?, /var/run/glusterd.*,
            /var/run/glusterd(/.*)?

       Note: File context can be temporarily modified with the chcon command,
       but a label set that way is lost the next time the file system is
       relabeled (for example by restorecon or a full autorelabel). If you
       want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will then need to use restorecon to apply the labels on
       disk.



SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean for
       that domain.

       Allow glusterd servers to read the /var/glusterd directory by adding
       the public_content_t file type to the directory and by restoring the
       file type.

       semanage fcontext -a -t public_content_t "/var/glusterd(/.*)?"
       restorecon -F -R -v /var/glusterd

       Allow glusterd servers to read and write /var/glusterd/incoming by
       adding the public_content_rw_t type to the directory and by restoring
       the file type. You also need to turn on the gluster_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/glusterd/incoming(/.*)?"
       restorecon -F -R -v /var/glusterd/incoming
       setsebool -P gluster_anon_write 1

       If you want to allow glusterfsd to modify public files used for public
       file transfer services (the files and directories must be labeled
       public_content_rw_t), you must turn on the gluster_anon_write boolean.
       Disabled by default. Note that the boolean is global: once it is on,
       glusterfsd can write to every public_content_rw_t location on the
       system, not only the directory labeled above.

       setsebool -P gluster_anon_write 1



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



glusterd                           23-10-20                glusterd_selinux(8)