1postgrey_selinux(8) SELinux Policy postgrey postgrey_selinux(8)
2
6 postgrey_selinux - Security Enhanced Linux Policy for the postgrey pro‐
7 cesses
8
10 Security-Enhanced Linux secures the postgrey processes via flexible
11 mandatory access control.
12 The postgrey processes execute with the postgrey_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16 For example:
18 ps -eZ | grep postgrey_t
20
24 The postgrey_t SELinux type can be entered via the postgrey_exec_t file
25 type.
26 The default entrypoint paths for the postgrey_t domain are the follow‐
28 ing:
29 /usr/sbin/postgrey
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 postgrey policy is very flexible allowing users to setup their postgrey
40 processes in as secure a method as possible.
41 The following process types are defined for postgrey:
43 postgrey_t
45 Note: semanage permissive -a postgrey_t can be used to make the process
47 type postgrey_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. post‐
54 grey policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run postgrey with the tightest access
56 possible.
57 If you want to allow all daemons to write corefiles to /, you must turn
61 on the allow_daemons_dump_core boolean. Disabled by default.
62 setsebool -P allow_daemons_dump_core 1
64 If you want to allow all daemons to use tcp wrappers, you must turn on
68 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
69 setsebool -P allow_daemons_use_tcp_wrapper 1
71 If you want to allow all daemons the ability to read/write terminals,
75 you must turn on the allow_daemons_use_tty boolean. Disabled by
76 default.
77 setsebool -P allow_daemons_use_tty 1
79 If you want to allow all domains to use other domains file descriptors,
83 you must turn on the allow_domain_fd_use boolean. Enabled by default.
84 setsebool -P allow_domain_fd_use 1
86 If you want to allow sysadm to debug or ptrace all processes, you must
90 turn on the allow_ptrace boolean. Disabled by default.
91 setsebool -P allow_ptrace 1
93 If you want to allow system to run with NIS, you must turn on the
97 allow_ypbind boolean. Disabled by default.
98 setsebool -P allow_ypbind 1
100 If you want to enable cluster mode for daemons, you must turn on the
104 daemons_enable_cluster_mode boolean. Disabled by default.
105 setsebool -P daemons_enable_cluster_mode 1
107 If you want to allow all domains to have the kernel load modules, you
111 must turn on the domain_kernel_load_modules boolean. Disabled by
112 default.
113 setsebool -P domain_kernel_load_modules 1
115 If you want to allow all domains to execute in fips_mode, you must turn
119 on the fips_mode boolean. Enabled by default.
120 setsebool -P fips_mode 1
122 If you want to enable reading of urandom for all domains, you must turn
126 on the global_ssp boolean. Disabled by default.
127 setsebool -P global_ssp 1
129 If you want to enable support for upstart as the init program, you must
133 turn on the init_upstart boolean. Enabled by default.
134 setsebool -P init_upstart 1
136
140 SELinux defines port types to represent TCP and UDP ports.
141 You can see the types associated with a port by using the following
143 command:
144 semanage port -l
146 Policy governs the access confined processes have to these ports.
149 SELinux postgrey policy is very flexible allowing users to setup their
150 postgrey processes in as secure a method as possible.
151 The following port types are defined for postgrey:
153 postgrey_port_t
156 Default Defined Ports:
160 tcp 60000
161
163 The SELinux process type postgrey_t can manage files labeled with the
164 following file types. The paths listed are the default paths for these
165 file types. Note the processes UID still need to have DAC permissions.
166 cluster_conf_t
168 /etc/cluster(/.*)?
170 cluster_var_lib_t
172 /var/lib(64)?/openais(/.*)?
174 /var/lib(64)?/pengine(/.*)?
175 /var/lib(64)?/corosync(/.*)?
176 /usr/lib(64)?/heartbeat(/.*)?
177 /var/lib(64)?/heartbeat(/.*)?
178 /var/lib(64)?/pacemaker(/.*)?
179 /var/lib/cluster(/.*)?
180 cluster_var_run_t
182 /var/run/crm(/.*)?
184 /var/run/cman_.*
185 /var/run/rsctmp(/.*)?
186 /var/run/aisexec.*
187 /var/run/heartbeat(/.*)?
188 /var/run/cpglockd.pid
189 /var/run/corosync.pid
190 /var/run/rgmanager.pid
191 /var/run/cluster/rgmanager.sk
192 initrc_tmp_t
194 mnt_t
197 /mnt(/[^/]*)
199 /mnt(/[^/]*)?
200 /rhev(/[^/]*)?
201 /media(/[^/]*)
202 /media(/[^/]*)?
203 /etc/rhgb(/.*)?
204 /media/.hal-.*
205 /net
206 /afs
207 /rhev
208 /misc
209 postfix_spool_type
211 postgrey_spool_t
214 /var/spool/postfix/postgrey(/.*)?
216 postgrey_var_lib_t
218 /var/lib/postgrey(/.*)?
220 postgrey_var_run_t
222 /var/run/postgrey(/.*)?
224 /var/run/postgrey.pid
225 root_t
227 /
229 /initrd
230 tmp_t
232 /tmp
234 /usr/tmp
235 /var/tmp
236 /tmp-inst
237 /var/tmp-inst
238 /var/tmp/vi.recover
239
242 SELinux requires files to have an extended attribute to define the file
243 type.
244 You can see the context of a file using the -Z option to ls
246 Policy governs the access confined processes have to these files.
248 SELinux postgrey policy is very flexible allowing users to setup their
249 postgrey processes in as secure a method as possible.
250 EQUIVALENCE DIRECTORIES
252 postgrey policy stores data with multiple different file context types
255 under the /var/run/postgrey directory. If you would like to store the
256 data in a different directory you can use the semanage command to cre‐
257 ate an equivalence mapping. If you wanted to store this data under the
258 /srv dirctory you would execute the following command:
259 semanage fcontext -a -e /var/run/postgrey /srv/postgrey
261 restorecon -R -v /srv/postgrey
262 STANDARD FILE CONTEXT
264 SELinux defines the file context types for the postgrey, if you wanted
266 to store files with these types in a diffent paths, you need to execute
267 the semanage command to sepecify alternate labeling and then use
268 restorecon to put the labels on disk.
269 semanage fcontext -a -t postgrey_var_run_t '/srv/mypostgrey_con‐
271 tent(/.*)?'
272 restorecon -R -v /srv/mypostgrey_content
273 Note: SELinux often uses regular expressions to specify labels that
275 match multiple files.
276 The following file types are defined for postgrey:
278 postgrey_etc_t
282 - Set files with the postgrey_etc_t type, if you want to store postgrey
284 files in the /etc directories.
285 postgrey_exec_t
289 - Set files with the postgrey_exec_t type, if you want to transition an
291 executable to the postgrey_t domain.
292 postgrey_initrc_exec_t
296 - Set files with the postgrey_initrc_exec_t type, if you want to tran‐
298 sition an executable to the postgrey_initrc_t domain.
299 postgrey_spool_t
303 - Set files with the postgrey_spool_t type, if you want to store the
305 postgrey files under the /var/spool directory.
306 postgrey_var_lib_t
310 - Set files with the postgrey_var_lib_t type, if you want to store the
312 postgrey files under the /var/lib directory.
313 postgrey_var_run_t
317 - Set files with the postgrey_var_run_t type, if you want to store the
319 postgrey files under the /run or /var/run directory.
320 Paths:
323 /var/run/postgrey(/.*)?, /var/run/postgrey.pid
324 Note: File context can be temporarily modified with the chcon command.
327 If you want to permanently change the file context you need to use the
328 semanage fcontext command. This will modify the SELinux labeling data‐
329 base. You will need to use restorecon to apply the labels.
330
333 semanage fcontext can also be used to manipulate default file context
334 mappings.
335 semanage permissive can also be used to manipulate whether or not a
337 process type is permissive.
338 semanage module can also be used to enable/disable/install/remove pol‐
340 icy modules.
341 semanage port can also be used to manipulate the port definitions
343 semanage boolean can also be used to manipulate the booleans
345 system-config-selinux is a GUI tool available to customize SELinux pol‐
348 icy settings.
349
352 This manual page was auto-generated using sepolicy manpage .
353
356 selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1) , setse‐
357 bool(8)
358postgrey 15-06-03 postgrey_selinux(8)