dirsrvadmin_selinux(8)    SELinux Policy dirsrvadmin    dirsrvadmin_selinux(8)


NAME

       dirsrvadmin_selinux - Security Enhanced Linux Policy for the dirsrvadmin
       processes


DESCRIPTION

       Security-Enhanced Linux secures the dirsrvadmin processes via flexible
       mandatory access control.

       The dirsrvadmin processes execute with the dirsrvadmin_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep dirsrvadmin_t


ENTRYPOINTS

       The dirsrvadmin_t SELinux type can be entered via the shell_exec_t and
       dirsrvadmin_exec_t file types.

       The default entrypoint paths for the dirsrvadmin_t domain are the
       following:

       /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /bin/sash, /bin/tcsh, /bin/yash,
       /bin/mksh, /bin/fish, /bin/bash, /bin/bash2, /usr/bin/fish,
       /sbin/nologin, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
       /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell,
       /usr/libexec/git-core/git-shell, /usr/sbin/stop-ds-admin,
       /usr/sbin/start-ds-admin, /usr/sbin/restart-ds-admin


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       dirsrvadmin policy is very flexible, allowing users to set up their
       dirsrvadmin processes in as secure a method as possible.

       The following process types are defined for dirsrvadmin:

       dirsrvadmin_unconfined_script_t, dirsrvadmin_t

       Note: semanage permissive -a dirsrvadmin_t can be used to make the
       process type dirsrvadmin_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.


BOOLEANS

       SELinux policy is customizable based on the least access required.
       dirsrvadmin policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run dirsrvadmin with the
       tightest access possible.

       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1

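       As an added example (not part of the generated man page), the POSIX
       shell function below compares getsebool -a output against the defaults
       documented in this section and reports every boolean that deviates from
       its default or is absent on the host; the getsebool output embedded in
       the script is constructed sample data, not captured from a real system.

```shell
#!/bin/sh
# Compare getsebool -a output ("name --> on|off") with the defaults documented
# in the BOOLEANS section; on a real host: audit_booleans "$(getsebool -a)".
# Documented defaults from this man page, one "name default" per line.
DIRSRVADMIN_BOOLEAN_DEFAULTS='allow_daemons_dump_core off
allow_daemons_use_tcp_wrapper off
allow_daemons_use_tty off
allow_domain_fd_use on
allow_ptrace off
daemons_enable_cluster_mode off
domain_kernel_load_modules off
fips_mode on
global_ssp off
init_upstart on'
# Constructed sample of getsebool -a output (not captured from a real host):
# three booleans deviate from the defaults and global_ssp is missing entirely.
SAMPLE_GETSEBOOL='allow_daemons_dump_core --> off
allow_daemons_use_tcp_wrapper --> on
allow_daemons_use_tty --> off
allow_domain_fd_use --> on
allow_ptrace --> on
daemons_enable_cluster_mode --> off
domain_kernel_load_modules --> off
fips_mode --> on
init_upstart --> off'

# audit_booleans STATE: prints "name current default" for each documented
# boolean whose value differs from the default ("absent" if the host lacks it).
# Returns 0 when everything matches the defaults, 1 otherwise.
audit_booleans() {
    state=$1
    deviations=0
    while read -r name default; do
        [ -n "$name" ] || continue
        current=$(printf '%s\n' "$state" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3; exit }')
        [ -n "$current" ] || current=absent
        if [ "$current" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$current" "$default"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$DIRSRVADMIN_BOOLEAN_DEFAULTS
EOF
    [ "$deviations" -eq 0 ]
}

# Demonstration on the constructed sample; a non-zero status signals drift.
audit_booleans "$SAMPLE_GETSEBOOL" || echo "boolean(s) above differ from the documented defaults"
```

       A reported boolean that is "on" where the default is "off" widens
       access for every daemon on the host, so each one should be traceable
       to a deliberate setsebool -P change.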

MANAGED FILES

       The SELinux process type dirsrvadmin_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       dirsrvadmin_tmp_t


       initrc_tmp_t


       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       root_t

            /
            /initrd

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux dirsrvadmin policy is very flexible, allowing users to set up
       their dirsrvadmin processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for dirsrvadmin. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t dirsrvadmin_tmp_t '/srv/mydirsrvadmin_content(/.*)?'
       restorecon -R -v /srv/mydirsrvadmin_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for dirsrvadmin:


       dirsrvadmin_config_t

       - Set files with the dirsrvadmin_config_t type, if you want to treat
       the files as dirsrvadmin configuration data, usually stored under the
       /etc directory.

       Paths:
            /etc/dirsrv/dsgw(/.*)?, /etc/dirsrv/admin-serv(/.*)?


       dirsrvadmin_exec_t

       - Set files with the dirsrvadmin_exec_t type, if you want to transition
       an executable to the dirsrvadmin_t domain.

       Paths:
            /usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin,
            /usr/sbin/restart-ds-admin


       dirsrvadmin_tmp_t

       - Set files with the dirsrvadmin_tmp_t type, if you want to store
       dirsrvadmin temporary files in the /tmp directories.


       dirsrvadmin_unconfined_script_exec_t

       - Set files with the dirsrvadmin_unconfined_script_exec_t type, if you
       want to transition an executable to the dirsrvadmin_unconfined_script_t
       domain.

       Paths:
            /usr/lib(64)?/dirsrv/cgi-bin/ds_create,
            /usr/lib(64)?/dirsrv/cgi-bin/ds_remove


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), dirsrvadmin_unconfined_script_selinux(8)



dirsrvadmin                        15-06-03             dirsrvadmin_selinux(8)