openshift_selinux(8)       SELinux Policy openshift       openshift_selinux(8)

NAME

       openshift_selinux - Security Enhanced Linux Policy for the openshift
       processes


DESCRIPTION

       Security-Enhanced Linux secures the openshift processes via flexible
       mandatory access control.

       The openshift processes execute with the openshift_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep openshift_t


ENTRYPOINTS

       The openshift_t SELinux type can be entered via the user_cron_spool_t,
       gpg_exec_t, bin_t, openshift_file_type, httpd_exec_t, shell_exec_t file
       types.

       The default entrypoint paths for the openshift_t domain are the
       following:

       All executables with the default executable label, usually stored in
       /usr/bin and /usr/sbin, and in addition: /var/spool/at(/.*)?,
       /var/spool/cron, /usr/lib(64)?/gnupg/.*, /usr/bin/gpg(2)?,
       /usr/bin/kgpg, /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?,
       /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx,
       /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
       /usr/sbin/lighttpd, /usr/bin/mongrel_rails, /usr/sbin/htcacheclean,
       /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /bin/sash, /bin/tcsh, /bin/yash,
       /bin/mksh, /bin/fish, /bin/bash, /bin/bash2, /usr/bin/fish,
       /sbin/nologin, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
       /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell,
       /usr/libexec/git-core/git-shell


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openshift policy is very flexible, allowing users to set up their
       openshift processes in as secure a manner as possible.

       The following process types are defined for openshift:

       openshift_app_t, openshift_cgroup_read_t, openshift_initrc_t,
       openshift_cron_t, openshift_t

       Note: semanage permissive -a openshift_t can be used to make the
       process type openshift_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.


BOOLEANS

       SELinux policy is customizable based on least access required.
       openshift policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openshift with the tightest
       access possible.


       If you want to allow openshift to access nfs file systems without
       labels, you must turn on the openshift_use_nfs boolean. Disabled by
       default.

       setsebool -P openshift_use_nfs 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1


       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1


       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

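       Each boolean above widens what openshift_t, or in several cases every
       confined domain, is allowed to do, so a host whose booleans have drifted
       from the documented defaults is worth catching. The shell script below
       is an added example; it is not part of the generated man page or of the
       sepolicy tooling. It reads output in the format of getsebool -a,
       compares the booleans named in this section against the defaults stated
       here, and prints the setsebool -P commands that restore them. The
       getsebool output embedded in it is constructed sample data, not a
       capture from a real host.

```shell
#!/bin/sh
# Audit the booleans documented in openshift_selinux(8) against their
# documented defaults.  Input is the output format of `getsebool -a`:
#     <boolean> --> on|off
# Added example; not part of the generated man page.

# Name and documented default of every boolean listed in the BOOLEANS section.
documented_defaults() {
    cat <<'EOF'
openshift_use_nfs off
allow_domain_fd_use on
allow_kerberos on
allow_ptrace off
allow_ypbind off
domain_kernel_load_modules off
fips_mode on
global_ssp off
nscd_use_shm on
EOF
}

# Print "<boolean> <current> <default>" for each documented boolean whose
# current value differs from its default.  $1 is a file in getsebool -a
# format.  Booleans absent from the file (not defined in this policy) are
# skipped rather than reported.
boolean_drift() {
    documented_defaults | while read -r name default; do
        current=$(awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }' "$1")
        if [ -n "$current" ] && [ "$current" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$current" "$default"
        fi
    done
}

# Turn boolean_drift output into the setsebool -P commands that restore the
# documented default (on -> 1, off -> 0), in the form used by this man page.
remediation_commands() {
    while read -r name current default; do
        case "$default" in
            on)  printf 'setsebool -P %s 1\n' "$name" ;;
            off) printf 'setsebool -P %s 0\n' "$name" ;;
        esac
    done
}

# Constructed sample of getsebool -a output (not captured from a real host):
# allow_ptrace and openshift_use_nfs have been switched on.
SAMPLE=$(mktemp 2>/dev/null || echo "/tmp/getsebool_sample.$$")
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
allow_domain_fd_use --> on
allow_kerberos --> on
allow_ptrace --> on
allow_ypbind --> off
domain_kernel_load_modules --> off
fips_mode --> on
global_ssp --> off
nscd_use_shm --> on
openshift_use_nfs --> on
EOF

echo "Booleans differing from their documented default:"
boolean_drift "$SAMPLE"
echo "Commands that restore the defaults:"
boolean_drift "$SAMPLE" | remediation_commands
```

       On a live host, save getsebool -a to a file and pass that file to
       boolean_drift. Booleans such as allow_ptrace and
       domain_kernel_load_modules apply to all domains, not only to openshift,
       so a deviation there deserves attention first.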

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a manner as possible.

       The following port types are defined for openshift:

       openshift_port_t


MANAGED FILES

       The SELinux process type openshift_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       hugetlbfs_t

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       nfs_t

       openshift_file_type

       openshift_tmpfs_t

       postfix_spool_maildrop_t

            /var/spool/postfix/defer(/.*)?
            /var/spool/postfix/deferred(/.*)?
            /var/spool/postfix/maildrop(/.*)?

       security_t

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       openshift policy stores data with multiple different file context types
       under the /var/lib/openshift directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/openshift /srv/openshift
       restorecon -R -v /srv/openshift

       openshift policy stores data with multiple different file context types
       under the /var/lib/stickshift directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/stickshift /srv/stickshift
       restorecon -R -v /srv/stickshift

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openshift. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t openshift_var_run_t '/srv/myopenshift_content(/.*)?'
       restorecon -R -v /srv/myopenshift_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for openshift:


       openshift_cgroup_read_exec_t

       - Set files with the openshift_cgroup_read_exec_t type, if you want to
       transition an executable to the openshift_cgroup_read_t domain.


       openshift_cgroup_read_tmp_t

       - Set files with the openshift_cgroup_read_tmp_t type, if you want to
       store openshift cgroup read temporary files in the /tmp directories.


       openshift_cron_exec_t

       - Set files with the openshift_cron_exec_t type, if you want to
       transition an executable to the openshift_cron_t domain.


       openshift_cron_tmp_t

       - Set files with the openshift_cron_tmp_t type, if you want to store
       openshift cron temporary files in the /tmp directories.


       openshift_initrc_exec_t

       - Set files with the openshift_initrc_exec_t type, if you want to
       transition an executable to the openshift_initrc_t domain.

       Paths:
            /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer,
            /usr/s?bin/(oo|rhc)-admin-ctl-gears, /etc/rc.d/init.d/libra,
            /etc/rc.d/init.d/mcollective


       openshift_initrc_tmp_t

       - Set files with the openshift_initrc_tmp_t type, if you want to store
       openshift initrc temporary files in the /tmp directories.


       openshift_log_t

       - Set files with the openshift_log_t type, if you want to treat the
       data as openshift log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/openshift(/.*)?, /var/log/mcollective.log.*


       openshift_rw_file_t

       - Set files with the openshift_rw_file_t type, if you want to treat the
       files as openshift rw content.

       Paths:
            /var/lib/openshift/.*/data(/.*)?, /var/lib/stickshift/.*/data(/.*)?


       openshift_tmp_t

       - Set files with the openshift_tmp_t type, if you want to store
       openshift temporary files in the /tmp directories.

       Paths:
            /var/lib/openshift/.*/.tmp(/.*)?, /var/lib/openshift/.*/.sandbox(/.*)?,
            /var/lib/stickshift/.*/.tmp(/.*)?, /var/lib/stickshift/.*/.sandbox(/.*)?


       openshift_tmpfs_t

       - Set files with the openshift_tmpfs_t type, if you want to store
       openshift files on a tmpfs file system.


       openshift_var_lib_t

       - Set files with the openshift_var_lib_t type, if you want to store the
       openshift files under the /var/lib directory.

       Paths:
            /var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)?


       openshift_var_run_t

       - Set files with the openshift_var_run_t type, if you want to store the
       openshift files under the /run or /var/run directory.

       Paths:
            /var/run/openshift(/.*)?, /var/run/stickshift(/.*)?


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

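       The labels above are what the policy enforces, so a file under one of
       these paths that carries a different type (after a chcon, or after data
       was moved in from a directory with another label) is treated
       differently from what the policy author intended. The shell script
       below is an added example; it is not part of the generated man page or
       of the sepolicy tooling. It matches paths against the Paths: regular
       expressions listed in this section and reports files whose on-disk type
       differs from the documented one. The "<context> <path>" input format
       and the sample lines (including the gear name gear01) are constructed;
       the rule table uses first-match-wins ordering with the most specific
       rules first, which is a simplification of the precedence rules SELinux
       applies to file_contexts.

```shell
#!/bin/sh
# Report files under the paths documented in openshift_selinux(8) whose
# on-disk label does not carry the documented type.  Input lines are
# "<context> <path>", as produced for example by
#     find /var/lib/openshift -exec stat -c '%C %n' {} +
# Added example; not part of the generated man page.

# Regex -> type table copied from the "Paths:" entries of this section.
# Listed most specific first; expected_type uses the first match, which is a
# simplification of the real file_contexts precedence rules.
fcontext_rules() {
    cat <<'EOF'
/var/lib/openshift/.*/data(/.*)? openshift_rw_file_t
/var/lib/stickshift/.*/data(/.*)? openshift_rw_file_t
/var/lib/openshift/.*/.tmp(/.*)? openshift_tmp_t
/var/lib/openshift/.*/.sandbox(/.*)? openshift_tmp_t
/var/lib/stickshift/.*/.tmp(/.*)? openshift_tmp_t
/var/lib/stickshift/.*/.sandbox(/.*)? openshift_tmp_t
/var/lib/openshift(/.*)? openshift_var_lib_t
/var/lib/stickshift(/.*)? openshift_var_lib_t
/var/run/openshift(/.*)? openshift_var_run_t
/var/run/stickshift(/.*)? openshift_var_run_t
/var/log/openshift(/.*)? openshift_log_t
/var/log/mcollective.log.* openshift_log_t
/usr/s?bin/mcollectived openshift_initrc_exec_t
/usr/s?bin/(oo|rhc)-restorer openshift_initrc_exec_t
/usr/s?bin/(oo|rhc)-admin-ctl-gears openshift_initrc_exec_t
/etc/rc.d/init.d/libra openshift_initrc_exec_t
/etc/rc.d/init.d/mcollective openshift_initrc_exec_t
EOF
}

# Print the documented type for path $1, or nothing if no rule matches.
# Each rule is anchored to the whole path (^...$), as SELinux does.
expected_type() {
    fcontext_rules | awk -v p="$1" '{ if (p ~ ("^(" $1 ")$")) { print $2; exit } }'
}

# Print "<path> <actual_type> <expected_type>" for each mismatch.  $1 is a
# file of "<context> <path>" lines; the type is the third colon-separated
# field of the context.  Paths no documented rule covers are ignored.
label_drift() {
    while read -r ctx path; do
        if [ -z "$path" ]; then continue; fi
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
        expected=$(expected_type "$path")
        if [ -n "$expected" ] && [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$path" "$actual" "$expected"
        fi
    done <"$1"
}

# Constructed sample input (gear name and files are invented): three of the
# six entries carry a type other than the documented one.
SAMPLE_LABELS=$(mktemp 2>/dev/null || echo "/tmp/labels_sample.$$")
trap 'rm -f "$SAMPLE_LABELS"' EXIT
cat >"$SAMPLE_LABELS" <<'EOF'
system_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/gear01/app-root
system_u:object_r:openshift_rw_file_t:s0 /var/lib/openshift/gear01/app-root/data/db.sqlite
system_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/gear01/.tmp/upload.part
system_u:object_r:var_log_t:s0 /var/log/openshift/platform.log
system_u:object_r:bin_t:s0 /usr/sbin/mcollectived
unconfined_u:object_r:user_home_t:s0 /home/admin/notes.txt
EOF

echo "Files whose label differs from the documented default:"
label_drift "$SAMPLE_LABELS"
```

       Each reported path is a candidate for restorecon -v, as the Note above
       describes; on a real host, restorecon -n -v or matchpathcon(8) gives
       the authoritative expected label, including any local semanage fcontext
       changes that this fixed table cannot know about.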

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), openshift_app_selinux(8),
       openshift_cgroup_read_selinux(8), openshift_cron_selinux(8),
       openshift_initrc_selinux(8)



openshift                          15-06-03               openshift_selinux(8)