1ccs_selinux(8) SELinux Policy ccs ccs_selinux(8)
2
6 ccs_selinux - Security Enhanced Linux Policy for the ccs processes
7
9 Security-Enhanced Linux secures the ccs processes via flexible manda‐
10 tory access control.
11 The ccs processes execute with the ccs_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15 For example:
17 ps -eZ | grep ccs_t
19
23 The ccs_t SELinux type can be entered via the ccs_exec_t file type.
24 The default entrypoint paths for the ccs_t domain are the following:
26 /sbin/ccsd
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 ccs policy is very flexible allowing users to setup their ccs processes
37 in as secure a method as possible.
38 The following process types are defined for ccs:
40 ccs_t
42 Note: semanage permissive -a ccs_t can be used to make the process type
44 ccs_t permissive. SELinux does not deny access to permissive process
45 types, but the AVC (SELinux denials) messages are still generated.
46
49 SELinux policy is customizable based on least access required. ccs
50 policy is extremely flexible and has several booleans that allow you to
51 manipulate the policy and run ccs with the tightest access possible.
52 If you want to allow all daemons to write corefiles to /, you must turn
56 on the allow_daemons_dump_core boolean. Disabled by default.
57 setsebool -P allow_daemons_dump_core 1
59 If you want to allow all daemons to use tcp wrappers, you must turn on
63 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
64 setsebool -P allow_daemons_use_tcp_wrapper 1
66 If you want to allow all daemons the ability to read/write terminals,
70 you must turn on the allow_daemons_use_tty boolean. Disabled by
71 default.
72 setsebool -P allow_daemons_use_tty 1
74 If you want to allow all domains to use other domains file descriptors,
78 you must turn on the allow_domain_fd_use boolean. Enabled by default.
79 setsebool -P allow_domain_fd_use 1
81 If you want to allow sysadm to debug or ptrace all processes, you must
85 turn on the allow_ptrace boolean. Disabled by default.
86 setsebool -P allow_ptrace 1
88 If you want to enable cluster mode for daemons, you must turn on the
92 daemons_enable_cluster_mode boolean. Disabled by default.
93 setsebool -P daemons_enable_cluster_mode 1
95 If you want to allow all domains to have the kernel load modules, you
99 must turn on the domain_kernel_load_modules boolean. Disabled by
100 default.
101 setsebool -P domain_kernel_load_modules 1
103 If you want to allow all domains to execute in fips_mode, you must turn
107 on the fips_mode boolean. Enabled by default.
108 setsebool -P fips_mode 1
110 If you want to enable reading of urandom for all domains, you must turn
114 on the global_ssp boolean. Disabled by default.
115 setsebool -P global_ssp 1
117 If you want to enable support for upstart as the init program, you must
121 turn on the init_upstart boolean. Enabled by default.
122 setsebool -P init_upstart 1
124
128 The SELinux process type ccs_t can manage files labeled with the fol‐
129 lowing file types. The paths listed are the default paths for these
130 file types. Note the processes UID still need to have DAC permissions.
131 ccs_tmp_t
133 ccs_tmpfs_t
136 ccs_var_lib_t
139 ccs_var_log_t
142 ccs_var_run_t
145 /var/run/cluster/ccsd.pid
147 /var/run/cluster/ccsd.sock
148 cluster_conf_t
150 /etc/cluster(/.*)?
152 cluster_var_lib_t
154 /var/lib(64)?/openais(/.*)?
156 /var/lib(64)?/pengine(/.*)?
157 /var/lib(64)?/corosync(/.*)?
158 /usr/lib(64)?/heartbeat(/.*)?
159 /var/lib(64)?/heartbeat(/.*)?
160 /var/lib(64)?/pacemaker(/.*)?
161 /var/lib/cluster(/.*)?
162 cluster_var_run_t
164 /var/run/crm(/.*)?
166 /var/run/cman_.*
167 /var/run/rsctmp(/.*)?
168 /var/run/aisexec.*
169 /var/run/heartbeat(/.*)?
170 /var/run/cpglockd.pid
171 /var/run/corosync.pid
172 /var/run/rgmanager.pid
173 /var/run/cluster/rgmanager.sk
174 file_t
176 initrc_tmp_t
179 mnt_t
182 /mnt(/[^/]*)
184 /mnt(/[^/]*)?
185 /rhev(/[^/]*)?
186 /media(/[^/]*)
187 /media(/[^/]*)?
188 /etc/rhgb(/.*)?
189 /media/.hal-.*
190 /net
191 /afs
192 /rhev
193 /misc
194 qpidd_tmpfs_t
196 root_t
199 /
201 /initrd
202 tmp_t
204 /tmp
206 /usr/tmp
207 /var/tmp
208 /tmp-inst
209 /var/tmp-inst
210 /var/tmp/vi.recover
211
214 SELinux requires files to have an extended attribute to define the file
215 type.
216 You can see the context of a file using the -Z option to ls
218 Policy governs the access confined processes have to these files.
220 SELinux ccs policy is very flexible allowing users to setup their ccs
221 processes in as secure a method as possible.
222 STANDARD FILE CONTEXT
224 SELinux defines the file context types for the ccs, if you wanted to
226 store files with these types in a diffent paths, you need to execute
227 the semanage command to sepecify alternate labeling and then use
228 restorecon to put the labels on disk.
229 semanage fcontext -a -t ccs_var_run_t '/srv/myccs_content(/.*)?'
231 restorecon -R -v /srv/myccs_content
232 Note: SELinux often uses regular expressions to specify labels that
234 match multiple files.
235 The following file types are defined for ccs:
237 ccs_exec_t
241 - Set files with the ccs_exec_t type, if you want to transition an exe‐
243 cutable to the ccs_t domain.
244 ccs_tmp_t
248 - Set files with the ccs_tmp_t type, if you want to store ccs temporary
250 files in the /tmp directories.
251 ccs_tmpfs_t
255 - Set files with the ccs_tmpfs_t type, if you want to store ccs files
257 on a tmpfs file system.
258 ccs_var_lib_t
262 - Set files with the ccs_var_lib_t type, if you want to store the ccs
264 files under the /var/lib directory.
265 ccs_var_log_t
269 - Set files with the ccs_var_log_t type, if you want to treat the data
271 as ccs var log data, usually stored under the /var/log directory.
272 ccs_var_run_t
276 - Set files with the ccs_var_run_t type, if you want to store the ccs
278 files under the /run or /var/run directory.
279 Paths:
282 /var/run/cluster/ccsd.pid, /var/run/cluster/ccsd.sock
283 Note: File context can be temporarily modified with the chcon command.
286 If you want to permanently change the file context you need to use the
287 semanage fcontext command. This will modify the SELinux labeling data‐
288 base. You will need to use restorecon to apply the labels.
289
292 semanage fcontext can also be used to manipulate default file context
293 mappings.
294 semanage permissive can also be used to manipulate whether or not a
296 process type is permissive.
297 semanage module can also be used to enable/disable/install/remove pol‐
299 icy modules.
300 semanage boolean can also be used to manipulate the booleans
302 system-config-selinux is a GUI tool available to customize SELinux pol‐
305 icy settings.
306
309 This manual page was auto-generated using sepolicy manpage .
310
313 selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1) , setsebool(8)
314ccs 15-06-03 ccs_selinux(8)