passenger_selinux(8)       SELinux Policy passenger       passenger_selinux(8)

NAME

       passenger_selinux - Security Enhanced Linux Policy for the passenger
       processes


DESCRIPTION

       Security-Enhanced Linux secures the passenger processes via flexible
       mandatory access control.

       The passenger processes execute with the passenger_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep passenger_t


ENTRYPOINTS

       The passenger_t SELinux type can be entered via the passenger_exec_t
       file type.

       The default entrypoint paths for the passenger_t domain are the
       following:

       /usr/share/.*/gems/.*/helper-scripts/prespawn,
       /usr/lib/gems/.*/Passenger.*,
       /usr/lib/gems/.*/ApplicationPoolServerExecutable,
       /usr/share/gems/.*/Passenger.*,
       /usr/lib64/gems/.*/Passenger.*,
       /usr/share/gems/.*/ApplicationPoolServerExecutable,
       /usr/lib64/gems/.*/ApplicationPoolServerExecutable


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       passenger policy is very flexible, allowing users to set up their
       passenger processes in as secure a method as possible.

       The following process types are defined for passenger:

       passenger_t

       Note: semanage permissive -a passenger_t can be used to make the
       process type passenger_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.


BOOLEANS

       SELinux policy is customizable based on least access required.
       passenger policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run passenger with the tightest
       access possible.

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow Apache to run in stickshift mode, not transition
       to passenger, you must turn on the httpd_run_stickshift boolean.
       Disabled by default.

       setsebool -P httpd_run_stickshift 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


MANAGED FILES

       The SELinux process type passenger_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       anon_inodefs_t

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       passenger_log_t

            /var/log/passenger.*

       passenger_tmp_t

       passenger_var_lib_t

            /var/lib(64)?/passenger(/.*)?
            /var/lib/passenger(/.*)?

       passenger_var_run_t

            /var/run/passenger(/.*)?

       puppet_var_lib_t

            /var/lib/puppet(/.*)?

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux passenger policy is very flexible, allowing users to set up
       their passenger processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for passenger. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t passenger_var_run_t '/srv/mypassenger_content(/.*)?'
       restorecon -R -v /srv/mypassenger_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for passenger:

       passenger_exec_t

       - Set files with the passenger_exec_t type, if you want to transition
       an executable to the passenger_t domain.

       Paths:
            /usr/share/.*/gems/.*/helper-scripts/prespawn,
            /usr/lib/gems/.*/Passenger.*,
            /usr/lib/gems/.*/ApplicationPoolServerExecutable,
            /usr/share/gems/.*/Passenger.*,
            /usr/lib64/gems/.*/Passenger.*,
            /usr/share/gems/.*/ApplicationPoolServerExecutable,
            /usr/lib64/gems/.*/ApplicationPoolServerExecutable

       passenger_log_t

       - Set files with the passenger_log_t type, if you want to treat the
       data as passenger log data, usually stored under the /var/log
       directory.

       passenger_tmp_t

       - Set files with the passenger_tmp_t type, if you want to store
       passenger temporary files in the /tmp directories.

       passenger_var_lib_t

       - Set files with the passenger_var_lib_t type, if you want to store the
       passenger files under the /var/lib directory.

       Paths:
            /var/lib(64)?/passenger(/.*)?, /var/lib/passenger(/.*)?

       passenger_var_run_t

       - Set files with the passenger_var_run_t type, if you want to store the
       passenger files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

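       The following script is an added example, not part of the generated
       manual page or of the sepolicy tool: it applies the passenger file
       context patterns listed above to a path, the way restorecon would match
       them, and reports NO_MATCH for a path such as /srv/mypassenger_content
       that needs the semanage fcontext entry shown above first. The sample
       paths are constructed and passenger_expected_type is this example's own
       function name.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: predict which
# passenger file type the default file-context patterns above give a path,
# and flag paths outside them (those need a semanage fcontext entry before
# restorecon labels them as intended). Offline approximation only; on a host
# with SELinux tools confirm with matchpathcon or "restorecon -n -v <path>".

# Patterns copied from this page as "<type> <regex>", one per line. The
# generic tmp_t and mnt_t patterns are omitted; ordering passenger-specific
# patterns first is this script's choice, not libselinux's matching rule.
PASSENGER_FCONTEXTS='passenger_exec_t /usr/share/.*/gems/.*/helper-scripts/prespawn
passenger_exec_t /usr/lib/gems/.*/Passenger.*
passenger_exec_t /usr/lib/gems/.*/ApplicationPoolServerExecutable
passenger_exec_t /usr/share/gems/.*/Passenger.*
passenger_exec_t /usr/lib64/gems/.*/Passenger.*
passenger_exec_t /usr/share/gems/.*/ApplicationPoolServerExecutable
passenger_exec_t /usr/lib64/gems/.*/ApplicationPoolServerExecutable
passenger_log_t /var/log/passenger.*
passenger_var_lib_t /var/lib(64)?/passenger(/.*)?
passenger_var_lib_t /var/lib/passenger(/.*)?
passenger_var_run_t /var/run/passenger(/.*)?
puppet_var_lib_t /var/lib/puppet(/.*)?'

# Print the type of the first pattern matching the whole path (SELinux anchors
# file-context regexes to the full path), or NO_MATCH if none does.
passenger_expected_type() {
    _path="$1"
    while read -r _type _regex; do
        if printf '%s\n' "$_path" | grep -Eq "^${_regex}\$"; then
            echo "$_type"
            return 0
        fi
    done <<EOF
$PASSENGER_FCONTEXTS
EOF
    echo "NO_MATCH"
    return 0
}

# Constructed sample paths; the /srv one is the custom location from the
# semanage fcontext example above and stays NO_MATCH until that entry exists.
for _p in /var/log/passenger.log \
          /var/lib/passenger/buffered_uploads/upload-1 \
          /usr/share/gems/gems/passenger-5.0/helper-scripts/prespawn \
          /srv/mypassenger_content/app.rb; do
    printf '%-60s %s\n' "$_p" "$(passenger_expected_type "$_p")"
done
```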

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

passenger                          15-06-03               passenger_selinux(8)