apcupsd_selinux(8)          SELinux Policy apcupsd          apcupsd_selinux(8)

NAME

       apcupsd_selinux - Security Enhanced Linux Policy for the apcupsd
       processes

DESCRIPTION

       Security-Enhanced Linux secures the apcupsd processes via flexible
       mandatory access control.

       The apcupsd processes execute with the apcupsd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep apcupsd_t

ENTRYPOINTS

       The apcupsd_t SELinux type can be entered via the apcupsd_exec_t file
       type.

       The default entrypoint paths for the apcupsd_t domain are the
       following:

       /sbin/apcupsd, /usr/sbin/apcupsd

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       apcupsd policy is very flexible, allowing users to set up their apcupsd
       processes in as secure a method as possible.

       The following process types are defined for apcupsd:

       apcupsd_t

       Note: semanage permissive -a apcupsd_t can be used to make the process
       type apcupsd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
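
       The two checks described above (is apcupsd running in apcupsd_t, and
       has apcupsd_t been made permissive) as an added example that is not
       part of the original manual page or of the apcupsd policy. The function
       names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the apcupsd_t domain.
# Both functions read command output on stdin, so they also work on saved output.

# Print "PID LABEL" for every apcupsd process whose SELinux type is NOT apcupsd_t.
# Input: output of `ps -eZ` (columns: LABEL PID TTY TIME CMD).
unconfined_apcupsd() {
    awk '$NF == "apcupsd" {
             split($1, ctx, ":")            # user:role:type:level
             if (ctx[3] != "apcupsd_t") print $2, $1
         }'
}

# Succeed (exit 0) if apcupsd_t is listed as a permissive type, i.e. the policy
# is logging AVC denials for the domain but no longer enforcing them.
# Input: output of `semanage permissive -l`.
apcupsd_is_permissive() {
    grep -qx '[[:space:]]*apcupsd_t[[:space:]]*'
}

# Constructed sample of `ps -eZ` output: PID 2210 is an apcupsd binary that
# never transitioned into apcupsd_t (for example, a mislabeled executable).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 init
system_u:system_r:apcupsd_t:s0   1432 ?        00:00:00 apcupsd
system_u:system_r:initrc_t:s0    2210 ?        00:00:00 apcupsd
system_u:system_r:sshd_t:s0-s0:c0.c1023 988 ?  00:00:00 sshd'

# Constructed sample of `semanage permissive -l` output.
SAMPLE_PERMISSIVE='Customized Permissive Types

apcupsd_t'

# Demo on the constructed sample; prints the process that escaped confinement.
printf '%s\n' "$SAMPLE_PS" | unconfined_apcupsd

# On a live system:
#   ps -eZ | unconfined_apcupsd
#   semanage permissive -l | apcupsd_is_permissive && echo "apcupsd_t is permissive"
```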

BOOLEANS

       SELinux policy is customizable based on least access required. apcupsd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run apcupsd with the tightest access
       possible. As their descriptions state, the booleans below apply to all
       daemons or all domains, not only to apcupsd.

       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux apcupsd policy is very flexible, allowing users to set up their
       apcupsd processes in as secure a method as possible.

       The following port types are defined for apcupsd:

       apcupsd_port_t

       Default Defined Ports:
                 tcp 3551
                 udp 3551
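
       One way to check which port types cover a given port in the semanage
       port -l listing, including comma-separated lists and lo-hi ranges. This
       is an added example, not part of the original manual page or the policy;
       the function names and the sample listing (including the non-apcupsd
       rows) are constructed for illustration.

```shell
#!/bin/sh
# Added example: look up the SELinux port type(s) covering PROTO/PORT.
# Input on stdin: output of `semanage port -l`
# (columns: type, proto, then a comma-separated list of ports and lo-hi ranges).
port_types() {   # usage: semanage port -l | port_types tcp 3551
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)              # drop the list separator
                n = split(item, r, "-")          # "1024-32767" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# Succeed only if apcupsd_port_t is among the types covering PROTO/PORT.
port_is_apcupsd() {
    port_types "$1" "$2" | grep -qx 'apcupsd_port_t'
}

# Constructed sample listing. Only the apcupsd_port_t rows come from this page.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

apcupsd_port_t                 tcp      3551
apcupsd_port_t                 udp      3551
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Demo on the constructed sample: 3551/tcp is covered by the specific type and
# by a broad range type, so both names are printed.
printf '%s\n' "$SAMPLE_PORTS" | port_types tcp 3551

# On a live system, before moving apcupsd to another port (3552 is hypothetical):
#   semanage port -l | port_is_apcupsd tcp 3552 || \
#       semanage port -a -t apcupsd_port_t -p tcp 3552
```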

MANAGED FILES

       The SELinux process type apcupsd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       apcupsd_lock_t

       apcupsd_log_t

            /var/log/apcupsd.events.*
            /var/log/apcupsd.status.*

       apcupsd_tmp_t

       apcupsd_var_run_t

            /var/run/apcupsd.pid

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/zipl.conf.*
            /etc/smartd.conf.*
            /etc/.fstab.hal..+
            /etc/sysconfig/ip6?tables.save
            /halt
            /etc/motd
            /fastboot
            /poweroff
            /etc/issue
            /etc/cmtab
            /forcefsck
            /.autofsck
            /.suspended
            /fsckoptions
            /etc/HOSTNAME
            /.autorelabel
            /etc/securetty
            /etc/nohotplug
            /etc/issue.net
            /etc/killpower
            /etc/ioctl.save
            /etc/reader.conf
            /etc/fstab.REVOKE
            /etc/mtab.fuselock
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/xorg.conf.d/00-system-setup-keyboard.conf

       initrc_tmp_t

       initrc_var_run_t

            /var/run/utmp
            /var/run/random-seed
            /var/run/runlevel.dir
            /var/run/setmixer_flag

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       root_t

            /
            /initrd

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux apcupsd policy is very flexible, allowing users to set up their
       apcupsd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for apcupsd. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t apcupsd_var_run_t '/srv/myapcupsd_content(/.*)?'
       restorecon -R -v /srv/myapcupsd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for apcupsd:

       apcupsd_exec_t

       - Set files with the apcupsd_exec_t type, if you want to transition an
       executable to the apcupsd_t domain.

       Paths:
            /sbin/apcupsd, /usr/sbin/apcupsd

       apcupsd_initrc_exec_t

       - Set files with the apcupsd_initrc_exec_t type, if you want to
       transition an executable to the apcupsd_initrc_t domain.

       apcupsd_lock_t

       - Set files with the apcupsd_lock_t type, if you want to treat the
       files as apcupsd lock data, stored under the /var/lock directory.

       apcupsd_log_t

       - Set files with the apcupsd_log_t type, if you want to treat the data
       as apcupsd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/apcupsd.events.*, /var/log/apcupsd.status.*

       apcupsd_tmp_t

       - Set files with the apcupsd_tmp_t type, if you want to store apcupsd
       temporary files in the /tmp directories.

       apcupsd_var_run_t

       - Set files with the apcupsd_var_run_t type, if you want to store the
       apcupsd files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

apcupsd                            15-06-03                 apcupsd_selinux(8)