1swift_selinux(8) SELinux Policy swift swift_selinux(8)
2
3
4
6 swift_selinux - Security Enhanced Linux Policy for the swift processes
7
9 Security-Enhanced Linux secures the swift processes via flexible manda‐
10 tory access control.
11
12 The swift processes execute with the swift_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep swift_t
19
20
21
23 The swift_t SELinux type can be entered via the swift_exec_t file type.
24
25 The default entrypoint paths for the swift_t domain are the following:
26
27 /usr/bin/swift-object-info, /usr/bin/swift-proxy-server,
28 /usr/bin/swift-object-server, /usr/bin/swift-account-reaper,
29 /usr/bin/swift-account-server, /usr/bin/swift-container-sync,
30 /usr/bin/swift-object-auditor, /usr/bin/swift-object-updater,
31 /usr/bin/swift-object-expirer, /usr/bin/swift-account-auditor,
32 /usr/bin/swift-container-server, /usr/bin/swift-container-auditor,
33 /usr/bin/swift-container-updater, /usr/bin/swift-object-replicator,
34 /usr/bin/swift-account-replicator, /usr/bin/swift-container-replicator
35
37 SELinux defines process types (domains) for each process running on the
38 system
39
40 You can see the context of a process using the -Z option to ps
41
42 Policy governs the access confined processes have to files. SELinux
43 swift policy is very flexible allowing users to setup their swift pro‐
44 cesses in as secure a method as possible.
45
46 The following process types are defined for swift:
47
48 swift_t
49
50 Note: semanage permissive -a swift_t can be used to make the process
51 type swift_t permissive. SELinux does not deny access to permissive
52 process types, but the AVC (SELinux denials) messages are still gener‐
53 ated.
54
55
57 SELinux policy is customizable based on least access required. swift
58 policy is extremely flexible and has several booleans that allow you to
59 manipulate the policy and run swift with the tightest access possible.
60
61
62
63 If you want to determine whether swift can connect to all TCP ports,
64 you must turn on the swift_can_network boolean. Disabled by default.
65
66 setsebool -P swift_can_network 1
67
68
69
70 If you want to allow all daemons to write corefiles to /, you must turn
71 on the allow_daemons_dump_core boolean. Disabled by default.
72
73 setsebool -P allow_daemons_dump_core 1
74
75
76
77 If you want to allow all daemons to use tcp wrappers, you must turn on
78 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
79
80 setsebool -P allow_daemons_use_tcp_wrapper 1
81
82
83
84 If you want to allow all daemons the ability to read/write terminals,
85 you must turn on the allow_daemons_use_tty boolean. Disabled by
86 default.
87
88 setsebool -P allow_daemons_use_tty 1
89
90
91
92 If you want to allow all domains to use other domains file descriptors,
93 you must turn on the allow_domain_fd_use boolean. Enabled by default.
94
95 setsebool -P allow_domain_fd_use 1
96
97
98
99 If you want to allow confined applications to run with kerberos, you
100 must turn on the allow_kerberos boolean. Enabled by default.
101
102 setsebool -P allow_kerberos 1
103
104
105
106 If you want to allow sysadm to debug or ptrace all processes, you must
107 turn on the allow_ptrace boolean. Disabled by default.
108
109 setsebool -P allow_ptrace 1
110
111
112
113 If you want to allow system to run with NIS, you must turn on the
114 allow_ypbind boolean. Disabled by default.
115
116 setsebool -P allow_ypbind 1
117
118
119
120 If you want to enable cluster mode for daemons, you must turn on the
121 daemons_enable_cluster_mode boolean. Disabled by default.
122
123 setsebool -P daemons_enable_cluster_mode 1
124
125
126
127 If you want to allow all domains to have the kernel load modules, you
128 must turn on the domain_kernel_load_modules boolean. Disabled by
129 default.
130
131 setsebool -P domain_kernel_load_modules 1
132
133
134
135 If you want to allow all domains to execute in fips_mode, you must turn
136 on the fips_mode boolean. Enabled by default.
137
138 setsebool -P fips_mode 1
139
140
141
142 If you want to enable reading of urandom for all domains, you must turn
143 on the global_ssp boolean. Disabled by default.
144
145 setsebool -P global_ssp 1
146
147
148
149 If you want to enable support for upstart as the init program, you must
150 turn on the init_upstart boolean. Enabled by default.
151
152 setsebool -P init_upstart 1
153
154
155
156 If you want to allow confined applications to use nscd shared memory,
157 you must turn on the nscd_use_shm boolean. Enabled by default.
158
159 setsebool -P nscd_use_shm 1
160
161
162
164 The SELinux process type swift_t can manage files labeled with the fol‐
165 lowing file types. The paths listed are the default paths for these
166 file types. Note the processes UID still need to have DAC permissions.
167
168 cluster_conf_t
169
170 /etc/cluster(/.*)?
171
172 cluster_var_lib_t
173
174 /var/lib(64)?/openais(/.*)?
175 /var/lib(64)?/pengine(/.*)?
176 /var/lib(64)?/corosync(/.*)?
177 /usr/lib(64)?/heartbeat(/.*)?
178 /var/lib(64)?/heartbeat(/.*)?
179 /var/lib(64)?/pacemaker(/.*)?
180 /var/lib/cluster(/.*)?
181
182 cluster_var_run_t
183
184 /var/run/crm(/.*)?
185 /var/run/cman_.*
186 /var/run/rsctmp(/.*)?
187 /var/run/aisexec.*
188 /var/run/heartbeat(/.*)?
189 /var/run/cpglockd.pid
190 /var/run/corosync.pid
191 /var/run/rgmanager.pid
192 /var/run/cluster/rgmanager.sk
193
194 initrc_tmp_t
195
196
197 mnt_t
198
199 /mnt(/[^/]*)
200 /mnt(/[^/]*)?
201 /rhev(/[^/]*)?
202 /media(/[^/]*)
203 /media(/[^/]*)?
204 /etc/rhgb(/.*)?
205 /media/.hal-.*
206 /net
207 /afs
208 /rhev
209 /misc
210
211 root_t
212
213 /
214 /initrd
215
216 swift_data_t
217
218 /srv/node(/.*)?
219 /srv/loopback-device(/.*)?
220
221 swift_lock_t
222
223 /var/lock/swift.*
224
225 swift_log_t
226
227 /var/log/swift-startup.*
228
229 swift_tmp_t
230
231
232 swift_tmpfs_t
233
234
235 swift_var_cache_t
236
237 /var/cache/swift(/.*)?
238
239 swift_var_run_t
240
241 /var/run/swift(/.*)?
242
243 tmp_t
244
245 /tmp
246 /usr/tmp
247 /var/tmp
248 /tmp-inst
249 /var/tmp-inst
250 /var/tmp/vi.recover
251
252
254 SELinux requires files to have an extended attribute to define the file
255 type.
256
257 You can see the context of a file using the -Z option to ls
258
259 Policy governs the access confined processes have to these files.
260 SELinux swift policy is very flexible allowing users to setup their
261 swift processes in as secure a method as possible.
262
263 STANDARD FILE CONTEXT
264
265 SELinux defines the file context types for the swift, if you wanted to
266 store files with these types in a diffent paths, you need to execute
267 the semanage command to sepecify alternate labeling and then use
268 restorecon to put the labels on disk.
269
270 semanage fcontext -a -t swift_var_run_t '/srv/myswift_content(/.*)?'
271 restorecon -R -v /srv/myswift_content
272
273 Note: SELinux often uses regular expressions to specify labels that
274 match multiple files.
275
276 The following file types are defined for swift:
277
278
279
280 swift_data_t
281
282 - Set files with the swift_data_t type, if you want to treat the files
283 as swift content.
284
285
286 Paths:
287 /srv/node(/.*)?, /srv/loopback-device(/.*)?
288
289
290 swift_exec_t
291
292 - Set files with the swift_exec_t type, if you want to transition an
293 executable to the swift_t domain.
294
295
296 Paths:
297 /usr/bin/swift-object-info, /usr/bin/swift-proxy-server,
298 /usr/bin/swift-object-server, /usr/bin/swift-account-reaper,
299 /usr/bin/swift-account-server, /usr/bin/swift-container-sync,
300 /usr/bin/swift-object-auditor, /usr/bin/swift-object-updater,
301 /usr/bin/swift-object-expirer, /usr/bin/swift-account-auditor,
302 /usr/bin/swift-container-server, /usr/bin/swift-container-auditor,
303 /usr/bin/swift-container-updater, /usr/bin/swift-object-replica‐
304 tor, /usr/bin/swift-account-replicator, /usr/bin/swift-container-
305 replicator
306
307
308 swift_initrc_exec_t
309
310 - Set files with the swift_initrc_exec_t type, if you want to transi‐
311 tion an executable to the swift_initrc_t domain.
312
313
314 Paths:
315 /etc/rc.d/init.d/openstack-swift-proxy, /etc/rc.d/init.d/open‐
316 stack-swift-object-expirer
317
318
319 swift_lock_t
320
321 - Set files with the swift_lock_t type, if you want to treat the files
322 as swift lock data, stored under the /var/lock directory
323
324
325
326 swift_log_t
327
328 - Set files with the swift_log_t type, if you want to treat the data as
329 swift log data, usually stored under the /var/log directory.
330
331
332
333 swift_tmp_t
334
335 - Set files with the swift_tmp_t type, if you want to store swift tem‐
336 porary files in the /tmp directories.
337
338
339
340 swift_tmpfs_t
341
342 - Set files with the swift_tmpfs_t type, if you want to store swift
343 files on a tmpfs file system.
344
345
346
347 swift_var_cache_t
348
349 - Set files with the swift_var_cache_t type, if you want to store the
350 files under the /var/cache directory.
351
352
353
354 swift_var_run_t
355
356 - Set files with the swift_var_run_t type, if you want to store the
357 swift files under the /run or /var/run directory.
358
359
360
361 Note: File context can be temporarily modified with the chcon command.
362 If you want to permanently change the file context you need to use the
363 semanage fcontext command. This will modify the SELinux labeling data‐
364 base. You will need to use restorecon to apply the labels.
365
366
368 semanage fcontext can also be used to manipulate default file context
369 mappings.
370
371 semanage permissive can also be used to manipulate whether or not a
372 process type is permissive.
373
374 semanage module can also be used to enable/disable/install/remove pol‐
375 icy modules.
376
377 semanage boolean can also be used to manipulate the booleans
378
379
380 system-config-selinux is a GUI tool available to customize SELinux pol‐
381 icy settings.
382
383
385 This manual page was auto-generated using sepolicy manpage .
386
387
389 selinux(8), swift(8), semanage(8), restorecon(8), chcon(1) , setse‐
390 bool(8)
391
392
393
394swift 15-06-03 swift_selinux(8)