freeipmi_bmc_watchdog_selinux(8)   SELinux Policy freeipmi_bmc_watchdog   freeipmi_bmc_watchdog_selinux(8)

NAME

       freeipmi_bmc_watchdog_selinux - Security Enhanced Linux Policy for the
       freeipmi_bmc_watchdog processes

DESCRIPTION

       Security-Enhanced Linux secures the freeipmi_bmc_watchdog processes via
       flexible mandatory access control.

       The freeipmi_bmc_watchdog processes execute with the
       freeipmi_bmc_watchdog_t SELinux type. You can check if you have these
       processes running by executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep freeipmi_bmc_watchdog_t

ENTRYPOINTS

       The freeipmi_bmc_watchdog_t SELinux type can be entered via the
       freeipmi_bmc_watchdog_exec_t file type.

       The default entrypoint paths for the freeipmi_bmc_watchdog_t domain are
       the following:

       /usr/sbin/bmc-watchdog
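
       An added example, not part of the generated policy documentation:
       grepping for freeipmi_bmc_watchdog_t only shows processes that made the
       transition, so this sketch starts from the command name instead and
       flags any bmc-watchdog process running in another domain, which is what
       happens when the binary does not carry the freeipmi_bmc_watchdog_exec_t
       label. The ps lines embedded in it are constructed sample input.

```shell
#!/bin/sh
# Added example (not part of the policy or of FreeIPMI).
# Reads `ps -eZ` style lines (LABEL PID TTY TIME CMD) on stdin and reports
# the SELinux type of every bmc-watchdog process.
EXPECTED_TYPE=freeipmi_bmc_watchdog_t

check_bmc_watchdog_domain() {
    awk -v want="$EXPECTED_TYPE" '
        $NF == "bmc-watchdog" {
            # A label is user:role:type:level, so the type is field 3.
            split($1, ctx, ":")
            ok = (ctx[3] == want)
            if (!ok) bad = 1
            printf "%s pid=%s type=%s\n", (ok ? "OK" : "MISMATCH"), $2, ctx[3]
            seen = 1
        }
        END {
            if (!seen) { print "NOTFOUND"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample input: one confined daemon, and one copy started from a
# binary without the entrypoint label, which stayed in the starting domain.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:freeipmi_bmc_watchdog_t:s0 1842 ? 00:00:00 bmc-watchdog
system_u:system_r:initrc_t:s0    2210 ?        00:00:00 bmc-watchdog'

printf '%s\n' "$SAMPLE_PS" | check_bmc_watchdog_domain ||
    echo "non-zero status: a bmc-watchdog process is outside $EXPECTED_TYPE"
# On a live system: ps -eZ | check_bmc_watchdog_domain
```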

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       freeipmi_bmc_watchdog policy is very flexible, allowing users to set up
       their freeipmi_bmc_watchdog processes in as secure a method as
       possible.

       The following process types are defined for freeipmi_bmc_watchdog:

       freeipmi_bmc_watchdog_t

       Note: semanage permissive -a freeipmi_bmc_watchdog_t can be used to
       make the process type freeipmi_bmc_watchdog_t permissive. SELinux does
       not deny access to permissive process types, but the AVC (SELinux
       denials) messages are still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       freeipmi_bmc_watchdog policy is extremely flexible and has several
       booleans that allow you to manipulate the policy and run
       freeipmi_bmc_watchdog with the tightest access possible.

       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1

       If you want to allow all daemons to use TCP wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow confined applications to run with Kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1
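
       An added example, not part of the generated policy documentation: the
       booleans above apply to all daemons or all domains rather than to
       freeipmi_bmc_watchdog alone, so a host audit can compare the running
       values against the defaults this page lists. The getsebool output
       embedded in it is constructed sample input.

```shell
#!/bin/sh
# Added example (not part of the policy or of FreeIPMI).
# Reads `getsebool -a` style lines ("name --> on|off") on stdin and prints
# every boolean whose value differs from the default documented on this page.
DOCUMENTED_DEFAULTS='allow_daemons_dump_core off
allow_daemons_use_tcp_wrapper off
allow_daemons_use_tty off
allow_domain_fd_use on
allow_kerberos on
allow_ptrace off
allow_ypbind off
daemons_enable_cluster_mode off
domain_kernel_load_modules off
fips_mode on
global_ssp off
init_upstart on
nscd_use_shm on'

boolean_drift() {
    DEFAULTS="$DOCUMENTED_DEFAULTS" awk '
        BEGIN {
            # Tokens alternate name, state; default split handles newlines.
            n = split(ENVIRON["DEFAULTS"], tok)
            for (i = 1; i < n; i += 2) want[tok[i]] = tok[i + 1]
        }
        ($1 in want) && $2 == "-->" && $3 != want[$1] {
            printf "%s documented=%s actual=%s\n", $1, want[$1], $3
            drift = 1
        }
        END { exit (drift ? 1 : 0) }'
}

# Constructed sample input; booleans not listed on this page are ignored.
SAMPLE_GETSEBOOL='allow_daemons_dump_core --> off
allow_domain_fd_use --> on
allow_ptrace --> on
domain_kernel_load_modules --> off
fips_mode --> on
httpd_can_sendmail --> off
nscd_use_shm --> off'

printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift ||
    echo "non-zero status: at least one boolean differs from its default"
# On a live system: getsebool -a | boolean_drift
```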

MANAGED FILES

       The SELinux process type freeipmi_bmc_watchdog_t can manage files
       labeled with the following file types. The paths listed are the
       default paths for these file types. Note that the process's UID still
       needs to have DAC permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       freeipmi_bmc_watchdog_var_run_t

            /var/run/bmc-watchdog.pid

       freeipmi_var_cache_t

            /var/cache/ipmiseld(/.*)?
            /var/cache/ipmimonitoringsdrcache(/.*)?

       freeipmi_var_lib_t

            /var/lib/freeipmi(/.*)?

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       root_t

            /
            /initrd

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux freeipmi_bmc_watchdog policy is very flexible, allowing users
       to set up their freeipmi_bmc_watchdog processes in as secure a method
       as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for freeipmi_bmc_watchdog. If
       you want to store files with these types in different paths, you need
       to execute the semanage command to specify alternate labeling and then
       use restorecon to put the labels on disk.

       semanage fcontext -a -t freeipmi_bmc_watchdog_var_run_t '/srv/myfreeipmi_bmc_watchdog_content(/.*)?'
       restorecon -R -v /srv/myfreeipmi_bmc_watchdog_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for freeipmi_bmc_watchdog:

       freeipmi_bmc_watchdog_exec_t

       - Set files with the freeipmi_bmc_watchdog_exec_t type, if you want to
       transition an executable to the freeipmi_bmc_watchdog_t domain.

       freeipmi_bmc_watchdog_initrc_exec_t

       - Set files with the freeipmi_bmc_watchdog_initrc_exec_t type, if you
       want to transition an executable to the freeipmi_bmc_watchdog_initrc_t
       domain.

       freeipmi_bmc_watchdog_var_run_t

       - Set files with the freeipmi_bmc_watchdog_var_run_t type, if you want
       to store the freeipmi bmc watchdog files under the /run or /var/run
       directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), freeipmi_bmc_watchdog(8), semanage(8), restorecon(8),
       chcon(1), setsebool(8)

freeipmi_bmc_watchdog              15-06-03   freeipmi_bmc_watchdog_selinux(8)