pki_tomcat_selinux(8)      SELinux Policy pki_tomcat     pki_tomcat_selinux(8)


NAME

       pki_tomcat_selinux - Security Enhanced Linux Policy for the pki_tomcat
       processes


DESCRIPTION

       Security-Enhanced Linux confines the pki_tomcat processes with mandatory
       access control: the kernel policy, not the process owner, decides which
       files, ports and other processes the PKI subsystems may touch.

       The pki_tomcat processes execute with the pki_tomcat_t SELinux type. You
       can check whether any such processes are running by executing the ps
       command with the -Z qualifier, which prints the security context of each
       process.

       For example:

       ps -eZ | grep pki_tomcat_t

       If the daemon is running but no process carries pki_tomcat_t, it did not
       transition into the domain (see ENTRYPOINTS) and is not confined by this
       policy.



ENTRYPOINTS

       The pki_tomcat_t SELinux type can be entered via the pki_tomcat_exec_t
       file type: when a process executes a file labeled pki_tomcat_exec_t, the
       policy transitions it into the pki_tomcat_t domain.

       The default entrypoint paths for the pki_tomcat_t domain are the
       following:

       /usr/bin/pkidaemon

       Verify the label with ls -Z /usr/bin/pkidaemon. A copy of the binary
       placed elsewhere, or a file restored without its extended attributes,
       does not carry pki_tomcat_exec_t and will not enter the domain.


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       pki_tomcat policy is flexible enough to let you run the pki_tomcat
       processes with the least access they need.

       The following process types are defined for pki_tomcat:

       pki_tomcat_t, pki_tomcat_script_t

       Note: semanage permissive -a pki_tomcat_t can be used to make the
       process type pki_tomcat_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated, with permissive=1 in the audit record, so you can
       collect what the domain would have been denied before switching it
       back with semanage permissive -d pki_tomcat_t. Only that domain is
       affected; the rest of the system stays enforcing.


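       The permissive workflow described above, as an added shell example that
       is not part of this man page or of the pki project: it reads audit.log
       style AVC records and summarises what pki_tomcat_t was denied, keeping
       records the kernel enforced (permissive=0) apart from those it only
       logged (permissive=1) while the domain was permissive. The sample lines
       are constructed for the example; pids, inodes and timestamps are made
       up, and the httpd_t line is there to show that other domains are
       ignored.

```shell
#!/bin/sh
# Added example, not code from this man page or the pki project: summarise
# AVC records for the pki_tomcat_t domain from audit.log-style input.
# SAMPLE_AVC is constructed for this example; pids, inodes and timestamps are
# made up. Records from other domains (the httpd_t line) are ignored.

SAMPLE_AVC='type=AVC msg=audit(1697800000.101:301): avc:  denied  { execmem } for  pid=2134 comm="java" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process permissive=0
type=AVC msg=audit(1697800000.102:302): avc:  denied  { read } for  pid=2134 comm="java" name="pki-ca" dev="dm-0" ino=40961 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1697800000.103:303): avc:  denied  { read } for  pid=2134 comm="java" name="pki-ca" dev="dm-0" ino=40961 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1697800000.104:304): avc:  denied  { write } for  pid=2134 comm="java" name="debug" dev="dm-0" ino=40990 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1697800000.105:305): avc:  denied  { name_connect } for  pid=990 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0'

# pki_avc_summary: read AVC lines on stdin and print one line
# "COUNT MODE PERMS TCLASS TTYPE" per distinct denial pattern whose source
# domain is pki_tomcat_t. MODE is "permissive" when the kernel logged
# permissive=1 (access was granted but would be denied in enforcing mode).
pki_avc_summary() {
    awk '
    /^type=AVC / && /scontext=[^ ]*:pki_tomcat_t:/ {
        # the requested permissions sit between "{" and "}"
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 2, e - s - 3)
        tclass = ""; ttype = ""; mode = "enforced"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i == "permissive=1") mode = "permissive"
        }
        count[mode " " perms " " tclass " " ttype]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# pki_avc_permissive_count: number of pki_tomcat_t records logged with
# permissive=1, i.e. accesses that will be blocked once the domain is
# put back into enforcing mode with "semanage permissive -d pki_tomcat_t".
pki_avc_permissive_count() {
    pki_avc_summary | awk '$2 == "permissive" { n += $1 } END { print n + 0 }'
}

# Usage on the constructed sample; on a real host pipe in
#   ausearch -m AVC -ts today
printf '%s\n' "$SAMPLE_AVC" | pki_avc_summary
```

       The execmem denial in the sample is the one the tomcat_use_execmem
       boolean (see BOOLEANS) would silence; the var_t denials point at a
       mislabeled directory that restorecon fixes, not at a boolean. Review
       the permissive entries before leaving permissive mode: they are what
       will break under enforcing.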

BOOLEANS

       SELinux policy is customizable based on least access required.
       pki_tomcat policy has several booleans that let you adjust the policy
       and run pki_tomcat with the tightest access possible. Each boolean
       below widens what some domain may do, so leave it at its default
       unless a specific AVC denial shows the access is needed. The current
       value of any boolean can be read with getsebool, for example
       getsebool tomcat_use_execmem.


       If you want to dontaudit all daemons' scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default. The requests are still denied; they just no
       longer appear in the audit log.

       setsebool -P daemons_dontaudit_scheduling 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default. It applies to many domains,
       not only pki_tomcat, so do not enable it on a PKI host that does not
       actually use NIS.

       setsebool -P nis_enabled 1


       If you want to allow tomcat to use executable memory and executable
       stack, you must turn on the tomcat_use_execmem boolean. Disabled by
       default. Enabling it lifts the policy's execmem/execstack restriction
       for the tomcat domains, one of the mitigations against running
       injected code after a memory-corruption bug; turn it on only for a
       native library or JIT that demonstrably needs it, after seeing the
       corresponding AVC denial.

       setsebool -P tomcat_use_execmem 1


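       As an added example that is not from this man page or the pki project,
       the following shell functions compare the four booleans above against
       the defaults documented here, using getsebool -a style input, and emit
       the setsebool -P command that restores each changed value. The sample
       input is constructed; tomcat_use_execmem is deliberately shown enabled
       and an unrelated boolean is included to show it is ignored.

```shell
#!/bin/sh
# Added example, not code from this man page or the pki project: check the
# booleans documented for pki_tomcat against their documented defaults.
# PKI_BOOLEAN_DEFAULTS is copied from the man page text; SAMPLE_GETSEBOOL is
# constructed "getsebool -a" output (on a real host pipe in the real command).

PKI_BOOLEAN_DEFAULTS='daemons_dontaudit_scheduling on
fips_mode on
nis_enabled off
tomcat_use_execmem off'

SAMPLE_GETSEBOOL='daemons_dontaudit_scheduling --> on
fips_mode --> on
httpd_can_network_connect --> off
nis_enabled --> off
tomcat_use_execmem --> on'

# pki_boolean_review: read getsebool output on stdin and print
# "NAME CURRENT DEFAULT VERDICT" for each boolean from the man page,
# VERDICT being "default" or "CHANGED". Booleans not in the table are skipped.
pki_boolean_review() {
    awk -v defaults="$PKI_BOOLEAN_DEFAULTS" '
    BEGIN {
        n = split(defaults, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], kv, " "); def[kv[1]] = kv[2] }
    }
    $2 == "-->" && ($1 in def) {
        print $1, $3, def[$1], ($3 == def[$1] ? "default" : "CHANGED")
    }'
}

# pki_boolean_remediation: for every CHANGED boolean, print the persistent
# setsebool command that restores the documented default. Review before
# running: a CHANGED value may be a deliberate, documented exception.
pki_boolean_remediation() {
    pki_boolean_review | awk '$4 == "CHANGED" { print "setsebool -P " $1 " " $3 }'
}

# Usage on the constructed sample
printf '%s\n' "$SAMPLE_GETSEBOOL" | pki_boolean_review
printf '%s\n' "$SAMPLE_GETSEBOOL" | pki_boolean_remediation
```

       A CHANGED line is not necessarily wrong, but on a CA host it should be
       traceable to a recorded decision and to the denial that motivated it;
       tomcat_use_execmem in particular should not drift to on unnoticed.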

MANAGED FILES

       The SELinux process type pki_tomcat_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC (ownership and
       mode) permissions: SELinux only narrows what DAC would allow, it never
       grants access that DAC denies.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       pki_common_t

            /opt/nfast(/.*)?

       pki_tomcat_cache_t

       pki_tomcat_cert_t

            /var/lib/pki-ca/alias(/.*)?
            /etc/pki/pki-tomcat/ca(/.*)?
            /var/lib/pki-kra/alias(/.*)?
            /var/lib/pki-tks/alias(/.*)?
            /var/lib/pki-ocsp/alias(/.*)?
            /etc/pki/pki-tomcat/alias(/.*)?
            /var/lib/ipa/pki-ca/publish(/.*)?

       pki_tomcat_etc_rw_t

            /etc/pki-ca(/.*)?
            /etc/pki-kra(/.*)?
            /etc/pki-tks(/.*)?
            /etc/pki-ocsp(/.*)?
            /etc/pki/pki-tomcat(/.*)?
            /etc/sysconfig/pki/tomcat(/.*)?

       pki_tomcat_lock_t

            /var/lock/subsys/pkidaemon

       pki_tomcat_log_t

            /var/log/pki-ca(/.*)?
            /var/log/pki-kra(/.*)?
            /var/log/pki-tks(/.*)?
            /var/log/pki-ocsp(/.*)?
            /var/log/pki/pki-tomcat(/.*)?

       pki_tomcat_tmp_t

       pki_tomcat_var_lib_t

            /var/lib/pki-ca(/.*)?
            /var/lib/pki-kra(/.*)?
            /var/lib/pki-tks(/.*)?
            /var/lib/pki-ocsp(/.*)?
            /var/lib/pki/pki-tomcat(/.*)?

       pki_tomcat_var_run_t

            /var/run/pki-ca.pid
            /var/run/pki-kra.pid
            /var/run/pki-tks.pid
            /var/run/pki-ocsp.pid
            /var/run/pki/tomcat(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user/[^/]+
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /var/run/user
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /var/run/user/[0-9]+
            /tmp/gconfd-[^/]+



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pki_tomcat policy is flexible enough to let you set up the
       pki_tomcat files with the least access the processes need.

       EQUIVALENCE DIRECTORIES

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-ca, /var/lib/pki-kra, /var/lib/pki-ocsp
       and /var/lib/pki-tks directories. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping, which labels every path under the new directory
       exactly as the corresponding path under the original would be labeled.
       If you wanted to store this data under the /srv directory you would
       execute the following commands, one pair per subsystem you relocate:

       semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca
       restorecon -R -v /srv/pki-ca

       semanage fcontext -a -e /var/lib/pki-kra /srv/pki-kra
       restorecon -R -v /srv/pki-kra

       semanage fcontext -a -e /var/lib/pki-ocsp /srv/pki-ocsp
       restorecon -R -v /srv/pki-ocsp

       semanage fcontext -a -e /var/lib/pki-tks /srv/pki-tks
       restorecon -R -v /srv/pki-tks

       The semanage command only records the mapping; nothing on disk changes
       until restorecon runs, so run it after the data has been moved and
       check the result with ls -Z before starting the service.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pki_tomcat. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to label a
       directory tree as pki tomcat etc read/write content:

       semanage fcontext -a -t pki_tomcat_etc_rw_t '/srv/pki_tomcat/content(/.*)?'
       restorecon -R -v /srv/pki_tomcat/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. The expression is matched against the whole
       path, so '/srv/pki_tomcat/content(/.*)?' covers the directory itself
       and everything beneath it, but not /srv/pki_tomcat/content2.
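
       Added example, not code from this man page or the pki project, covering
       both the EQUIVALENCE DIRECTORIES and the STANDARD FILE CONTEXT
       procedures above: a small shell model of how the labeling rules apply.
       It embeds a subset of the file-context patterns from this page (not the
       host's file_contexts database), predicts the type a path will receive,
       shows what an equivalence mapping such as
       semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca does to paths under
       the new directory, and compares constructed ls -Zd style output against
       the predicted types to list what restorecon would relabel. The
       longest-literal-prefix rule used for overlapping patterns is an
       assumption that approximates file_contexts precedence; matchpathcon(8)
       and restorecon -n -v remain the authoritative checks.

```shell
#!/bin/sh
# Added example, not code from this man page or the pki project.
# PKI_FILE_CONTEXTS is a subset of the patterns listed on this page, not the
# host's file_contexts database; SAMPLE_LISTING is constructed "ls -Zd"-style
# output ("CONTEXT PATH" per line). matchpathcon(8) and "restorecon -n -v"
# are the authoritative checks on a real system.

PKI_FILE_CONTEXTS='/usr/bin/pkidaemon pki_tomcat_exec_t
/var/lib/pki-ca(/.*)? pki_tomcat_var_lib_t
/var/lib/pki-ca/alias(/.*)? pki_tomcat_cert_t
/etc/pki/pki-tomcat(/.*)? pki_tomcat_etc_rw_t
/etc/pki/pki-tomcat/alias(/.*)? pki_tomcat_cert_t
/etc/pki/pki-tomcat/ca(/.*)? pki_tomcat_cert_t
/var/log/pki-ca(/.*)? pki_tomcat_log_t
/var/log/pki/pki-tomcat(/.*)? pki_tomcat_log_t
/var/run/pki/tomcat(/.*)? pki_tomcat_var_run_t
/var/lock/subsys/pkidaemon pki_tomcat_lock_t'

SAMPLE_LISTING='system_u:object_r:pki_tomcat_var_lib_t:s0 /var/lib/pki-ca/conf
system_u:object_r:pki_tomcat_var_lib_t:s0 /var/lib/pki-ca/alias/cert9.db
unconfined_u:object_r:var_t:s0 /var/lib/pki-ca
system_u:object_r:pki_tomcat_log_t:s0 /var/log/pki-ca/system
system_u:object_r:pki_tomcat_etc_rw_t:s0 /etc/pki/pki-tomcat/server.xml
system_u:object_r:var_run_t:s0 /var/run/pki/tomcat/pki-tomcat.pid'

# pki_expected_type PATH: the type of the pattern matching PATH, or "unknown".
# Patterns are anchored to the whole path. When several match, the one with
# the longest literal prefix wins (assumption approximating file_contexts
# precedence; it is what makes .../alias/... come out as pki_tomcat_cert_t
# rather than pki_tomcat_var_lib_t).
pki_expected_type() {
    printf '%s\n' "$PKI_FILE_CONTEXTS" | awk -v path="$1" '
    function stemlen(re,   i) {
        for (i = 1; i <= length(re); i++)
            if (index("()[].*?+\\^$", substr(re, i, 1)) > 0) return i - 1
        return length(re)
    }
    BEGIN { best = -1; besttype = "unknown" }
    path ~ ("^" $1 "$") && stemlen($1) > best { best = stemlen($1); besttype = $2 }
    END { print besttype }'
}

# pki_expected_type_equiv PATH SRC DST: the type PATH gets once
# "semanage fcontext -a -e SRC DST" is in place, i.e. a path under DST is
# labeled as if the same relative path lived under SRC.
pki_expected_type_equiv() {
    case $1 in
        "$3"|"$3"/*) pki_expected_type "$2${1#"$3"}" ;;
        *) pki_expected_type "$1" ;;
    esac
}

# pki_find_mislabeled: read "CONTEXT PATH" lines on stdin and print
# "PATH ACTUAL EXPECTED" for each entry whose type differs from the pattern
# table; these are the entries "restorecon -R -v" would reset.
pki_find_mislabeled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=${ctx#*:*:}; actual=${actual%%:*}   # third colon field = type
        expected=$(pki_expected_type "$path")
        [ "$actual" = "$expected" ] || printf '%s %s %s\n' "$path" "$actual" "$expected"
    done
}

# Usage on the constructed listing
printf '%s\n' "$SAMPLE_LISTING" | pki_find_mislabeled
pki_expected_type_equiv /srv/pki-ca/alias/cert9.db /var/lib/pki-ca /srv/pki-ca
```

       The three mislabels in the sample are the usual ones: a directory
       created by mv from an unconfined shell (var_t), a file under alias that
       inherited the parent's pki_tomcat_var_lib_t instead of the more specific
       pki_tomcat_cert_t, and a pid file under /var/run that got the generic
       var_run_t. Without the equivalence mapping, /srv/pki-ca/... has no
       matching pattern at all and comes out as unknown; with it, the alias
       file is labeled pki_tomcat_cert_t exactly as it would be under
       /var/lib/pki-ca.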
285
286       The following file types are defined for pki_tomcat:
287
288
289
290       pki_tomcat_cache_t
291
292       - Set files with the pki_tomcat_cache_t type, if you want to store  the
293       files under the /var/cache directory.
294
295
296
297       pki_tomcat_cert_t
298
299       -  Set  files with the pki_tomcat_cert_t type, if you want to treat the
300       files as pki tomcat certificate data.
301
302
303       Paths:
304            /var/lib/pki-ca/alias(/.*)?,         /etc/pki/pki-tomcat/ca(/.*)?,
305            /var/lib/pki-kra/alias(/.*)?,        /var/lib/pki-tks/alias(/.*)?,
306            /var/lib/pki-ocsp/alias(/.*)?,    /etc/pki/pki-tomcat/alias(/.*)?,
307            /var/lib/ipa/pki-ca/publish(/.*)?
308
309
310       pki_tomcat_etc_rw_t
311
312       - Set files with the pki_tomcat_etc_rw_t type, if you want to treat the
313       files as pki tomcat etc read/write content.
314
315
316       Paths:
317            /etc/pki-ca(/.*)?,     /etc/pki-kra(/.*)?,     /etc/pki-tks(/.*)?,
318            /etc/pki-ocsp(/.*)?,    /etc/pki/pki-tomcat(/.*)?,    /etc/syscon‐
319            fig/pki/tomcat(/.*)?
320
321
322       pki_tomcat_exec_t
323
324       - Set files with the pki_tomcat_exec_t type, if you want to  transition
325       an executable to the pki_tomcat_t domain.
326
327
328
329       pki_tomcat_lock_t
330
331       -  Set  files with the pki_tomcat_lock_t type, if you want to treat the
332       files as pki tomcat lock data, stored under the /var/lock directory
333
334
335
336       pki_tomcat_log_t
337
338       - Set files with the pki_tomcat_log_t type, if you want  to  treat  the
339       data  as  pki tomcat log data, usually stored under the /var/log direc‐
340       tory.
341
342
343       Paths:
344            /var/log/pki-ca(/.*)?,    /var/log/pki-kra(/.*)?,    /var/log/pki-
345            tks(/.*)?, /var/log/pki-ocsp(/.*)?, /var/log/pki/pki-tomcat(/.*)?
346
347
348       pki_tomcat_tmp_t
349
350       -  Set  files  with the pki_tomcat_tmp_t type, if you want to store pki
351       tomcat temporary files in the /tmp directories.
352
353
354
355       pki_tomcat_unit_file_t
356
357       - Set files with the pki_tomcat_unit_file_t type, if you want to  treat
358       the files as pki tomcat unit content.
359
360
361
362       pki_tomcat_var_lib_t
363
364       -  Set  files  with the pki_tomcat_var_lib_t type, if you want to store
365       the pki tomcat files under the /var/lib directory.
366
367
368       Paths:
369            /var/lib/pki-ca(/.*)?,    /var/lib/pki-kra(/.*)?,    /var/lib/pki-
370            tks(/.*)?, /var/lib/pki-ocsp(/.*)?, /var/lib/pki/pki-tomcat(/.*)?
371
372
373       pki_tomcat_var_run_t
374
375       -  Set  files  with the pki_tomcat_var_run_t type, if you want to store
376       the pki tomcat files under the /run or /var/run directory.
377
378
379       Paths:
380            /var/run/pki-ca.pid,  /var/run/pki-kra.pid,  /var/run/pki-tks.pid,
381            /var/run/pki-ocsp.pid, /var/run/pki/tomcat(/.*)?
382
383
       Note: File context can be temporarily modified with the chcon command.
       A label set with chcon is not recorded in the policy and is lost the
       next time restorecon or a full relabel runs. If you want to permanently
       change the file context you need to use the semanage fcontext command.
       This will modify the SELinux labeling database. You will then need to
       use restorecon to apply the labels on disk.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), pki_tomcat_script_selinux(8)


pki_tomcat                         23-10-20              pki_tomcat_selinux(8)