glusterd_selinux(8)         SELinux Policy glusterd        glusterd_selinux(8)

NAME

       glusterd_selinux - Security Enhanced Linux Policy for the glusterd processes


DESCRIPTION

       Security-Enhanced Linux secures the glusterd processes via flexible
       mandatory access control.

       The glusterd processes execute with the glusterd_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep glusterd_t



ENTRYPOINTS

       The glusterd_t SELinux type can be entered via the glusterd_exec_t file
       type.

       The default entrypoint paths for the glusterd_t domain are the
       following:

       /opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/sbin/glusterfsd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       glusterd policy is very flexible, allowing users to set up their
       glusterd processes in as secure a method as possible.

       The following process types are defined for glusterd:

       glusterd_t

       Note: semanage permissive -a glusterd_t can be used to make the process
       type glusterd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.



BOOLEANS

       SELinux policy is customizable based on least access required.
       glusterd policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run glusterd with the tightest
       access possible.



       If you want to allow glusterfsd to share any file/directory read only,
       you must turn on the gluster_export_all_ro boolean. Disabled by
       default.

       setsebool -P gluster_export_all_ro 1



       If you want to allow glusterfsd to share any file/directory read/write,
       you must turn on the gluster_export_all_rw boolean. Enabled by default.

       setsebool -P gluster_export_all_rw 1



       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1



       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1



       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1



       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1



       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1



       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1



       If you want to allow system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1



       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1



       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1



       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1



       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


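       The shell script below is an added example and is not part of this
       generated man page or of the glusterd policy itself. It compares
       getsebool -a output against the defaults stated in this section and
       prints the setsebool -P command that restores a default. The
       GLUSTER_BOOL_DEFAULTS table transcribes the defaults above; the sample
       getsebool lines are constructed, and audit_booleans and remediation_for
       are this example's own function names.

```shell
#!/bin/sh
# Added example, not part of this generated man page: audit the live boolean
# state against the defaults documented in the BOOLEANS section and print the
# setsebool -P command that restores a default.  The defaults table below
# transcribes that section; the sample getsebool output is constructed.

# Documented defaults, one "name expected" pair per line.
GLUSTER_BOOL_DEFAULTS='
gluster_export_all_ro off
gluster_export_all_rw on
allow_daemons_dump_core off
allow_daemons_use_tcp_wrapper off
allow_daemons_use_tty off
allow_domain_fd_use on
allow_kerberos on
allow_ptrace off
allow_ypbind off
daemons_enable_cluster_mode off
domain_kernel_load_modules off
fips_mode on
global_ssp off
init_upstart on
nscd_use_shm on
'

# audit_booleans: read "name --> on|off" lines (the getsebool -a format) on
# stdin; print "name: expected X, found Y" for every documented boolean that
# differs from its default and "name: expected X, missing" for any that the
# input does not list.  Prints nothing when everything matches.
audit_booleans() {
    input=$(cat)
    printf '%s\n' "$GLUSTER_BOOL_DEFAULTS" | while read -r name expected; do
        [ -n "$name" ] || continue
        found=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$found" ]; then
            printf '%s: expected %s, missing\n' "$name" "$expected"
        elif [ "$found" != "$expected" ]; then
            printf '%s: expected %s, found %s\n' "$name" "$expected" "$found"
        fi
    done
}

# remediation_for NAME: print the setsebool -P command that restores NAME to
# its documented default (1 for on, 0 for off); return 1 for unknown names.
remediation_for() {
    expected=$(printf '%s\n' "$GLUSTER_BOOL_DEFAULTS" | awk -v n="$1" '$1 == n { print $2 }')
    [ -n "$expected" ] || return 1
    if [ "$expected" = on ]; then value=1; else value=0; fi
    printf 'setsebool -P %s %s\n' "$1" "$value"
}

# Constructed sample of getsebool -a output: the two gluster export booleans
# are inverted relative to their defaults, and fips_mode is absent.
SAMPLE_GETSEBOOL='gluster_export_all_ro --> on
gluster_export_all_rw --> off
allow_daemons_dump_core --> off
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> off
allow_domain_fd_use --> on
allow_kerberos --> on
allow_ptrace --> off
allow_ypbind --> off
daemons_enable_cluster_mode --> off
domain_kernel_load_modules --> off
global_ssp --> off
init_upstart --> on
nscd_use_shm --> on'

# On a real host run:  getsebool -a | audit_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans
```

       A boolean reported as "missing" usually means the policy module that
       defines it is not loaded on that host (semanage module -l shows what
       is), so the audit doubles as a quick check that the gluster policy is
       actually present before any setsebool -P is run.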

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l


       Policy governs the access confined processes have to these ports.
       SELinux glusterd policy is very flexible, allowing users to set up their
       glusterd processes in as secure a method as possible.

       The following port types are defined for glusterd:


       gluster_port_t



       Default Defined Ports:
                 tcp 24007-24027,38465-38469

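       The following script is an added example, not part of this man page or
       of the glusterd policy. It checks whether a TCP port lies inside the
       gluster_port_t ranges listed above, reads those ranges back out of
       "semanage port -l" style output, and prints the semanage command that
       would label an additional port. GLUSTER_TCP_PORTS transcribes the
       default ports above; the function names and the sample port listing
       are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the man page: check whether a TCP port lies inside
# the gluster_port_t ranges listed above, read those ranges back out of
# "semanage port -l" output, and print the semanage command that would label
# an extra port.  GLUSTER_TCP_PORTS transcribes the PORT TYPES section; the
# functions and the sample port listing are this example's own.

GLUSTER_TCP_PORTS='24007-24027,38465-38469'

# in_port_ranges PORT RANGES: return 0 if PORT lies in any of the
# comma-separated RANGES (single ports or low-high spans), 1 otherwise.
in_port_ranges() {
    port=$1
    old_ifs=$IFS
    IFS=,
    set -- $2
    IFS=$old_ifs
    for r; do
        case $r in
            *-*) low=${r%-*}; high=${r#*-} ;;
            *)   low=$r;      high=$r ;;
        esac
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            return 0
        fi
    done
    return 1
}

# is_gluster_port PORT: shorthand for the documented gluster_port_t ranges.
is_gluster_port() {
    in_port_ranges "$1" "$GLUSTER_TCP_PORTS"
}

# ranges_for_type TYPE: read "semanage port -l" style lines on stdin and print
# the tcp ranges recorded for TYPE, comma-separated with no spaces.
ranges_for_type() {
    awk -v t="$1" '$1 == t && $2 == "tcp" {
        $1 = ""; $2 = ""; sub(/^ +/, ""); gsub(/ /, ""); print
    }'
}

# label_command_for PORT: print the semanage command that would add PORT to
# gluster_port_t; print nothing when the port is already in the default ranges.
label_command_for() {
    if is_gluster_port "$1"; then
        return 0
    fi
    printf 'semanage port -a -t gluster_port_t -p tcp %s\n' "$1"
}

# Constructed sample of "semanage port -l" output (header plus three types).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
gluster_port_t                 tcp      24007-24027, 38465-38469
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# Classify a few ports against the ranges parsed from the sample listing.
# On a real host:  semanage port -l | ranges_for_type gluster_port_t
live_ranges=$(printf '%s\n' "$SAMPLE_PORT_LIST" | ranges_for_type gluster_port_t)
for p in 24007 24027 24028 38465 49152; do
    if in_port_ranges "$p" "$live_ranges"; then
        printf 'tcp/%s: gluster_port_t\n' "$p"
    else
        printf 'tcp/%s: not gluster_port_t\n' "$p"
    fi
done
```

       A brick listening outside the labeled ranges is denied bind/listen by
       the policy and shows up as an AVC against gluster_port_t, which is the
       case label_command_for is meant to diagnose before anything is changed.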

MANAGED FILES

       The SELinux process type glusterd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       non_security_file_type


       noxattrfs

            all files on file systems which do not support extended attributes



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux glusterd policy is very flexible, allowing users to set up their
       glusterd processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES


       glusterd policy stores data with multiple different file context types
       under the /var/run/gluster directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/gluster /srv/gluster
       restorecon -R -v /srv/gluster

       STANDARD FILE CONTEXT

       SELinux defines the file context types for glusterd. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t glusterd_var_run_t '/srv/myglusterd_content(/.*)?'
       restorecon -R -v /srv/myglusterd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for glusterd:



       glusterd_brick_t

       - Set files with the glusterd_brick_t type, if you want to treat the
       files as glusterd brick data.



       glusterd_conf_t

       - Set files with the glusterd_conf_t type, if you want to treat the
       files as glusterd configuration data, usually stored under the /etc
       directory.


       Paths:
            /etc/glusterd(/.*)?, /etc/glusterfs(/.*)?


       glusterd_exec_t

       - Set files with the glusterd_exec_t type, if you want to transition an
       executable to the glusterd_t domain.


       Paths:
            /opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/sbin/glusterfsd


       glusterd_initrc_exec_t

       - Set files with the glusterd_initrc_exec_t type, if you want to
       transition an executable to the glusterd_initrc_t domain.


       Paths:
            /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd


       glusterd_log_t

       - Set files with the glusterd_log_t type, if you want to treat the data
       as glusterd log data, usually stored under the /var/log directory.



       glusterd_tmp_t

       - Set files with the glusterd_tmp_t type, if you want to store glusterd
       temporary files in the /tmp directories.



       glusterd_var_lib_t

       - Set files with the glusterd_var_lib_t type, if you want to store the
       glusterd files under the /var/lib directory.



       glusterd_var_run_t

       - Set files with the glusterd_var_run_t type, if you want to store the
       glusterd files under the /run or /var/run directory.


       Paths:
            /var/run/gluster(/.*)?, /var/run/glusterd.*


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


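       The script below is an added example, not part of this man page or of
       the policy sources. It predicts which glusterd file type a path would
       receive from the file context regexes listed in this section, including
       the effect of the "semanage fcontext -a -e /var/run/gluster /srv/gluster"
       equivalence shown above. The regex table is copied from this page; the
       matching logic, the canonical_path and label_for function names, and
       the sample paths are this example's own, and the matching is a
       simplification of what matchpathcon(8) does (first match wins, no
       file-type qualifiers).

```shell
#!/bin/sh
# Added example, not part of the man page: predict which glusterd file type a
# path would receive from the file context regexes listed above, including the
# effect of a "semanage fcontext -a -e /var/run/gluster /srv/gluster"
# equivalence.  The regex table is copied from this page; the matching logic is
# this example's own and is a simplification of what matchpathcon(8) does
# (first match wins, no file-type qualifiers).

# "regex type" pairs, as semanage fcontext -l would list them.
GLUSTER_FCONTEXTS='
/opt/glusterfs/[^/]+/sbin/glusterfsd glusterd_exec_t
/usr/sbin/glusterfsd glusterd_exec_t
/etc/rc.d/init.d/gluster.* glusterd_initrc_exec_t
/usr/sbin/glusterd glusterd_initrc_exec_t
/etc/glusterd(/.*)? glusterd_conf_t
/etc/glusterfs(/.*)? glusterd_conf_t
/var/run/gluster(/.*)? glusterd_var_run_t
/var/run/glusterd.* glusterd_var_run_t
'

# "alias target" equivalence pairs: paths under alias are looked up as if they
# were under target, which is what "semanage fcontext -a -e" records.
FCONTEXT_EQUIVALENCES='
/srv/gluster /var/run/gluster
'

# canonical_path PATH: rewrite PATH through the equivalence table.  The
# here-document keeps the loop in the current shell so the rewrite survives.
canonical_path() {
    p=$1
    while read -r alias target; do
        [ -n "$alias" ] || continue
        case $p in
            "$alias"|"$alias"/*) p="$target${p#"$alias"}" ;;
        esac
    done <<EOF
$FCONTEXT_EQUIVALENCES
EOF
    printf '%s\n' "$p"
}

# label_for PATH: print the file type the regex table assigns to PATH (after
# equivalence rewriting), or "default" if no glusterd regex matches.  SELinux
# anchors every file context regex at both ends, hence the added ^ and $.
label_for() {
    canon=$(canonical_path "$1")
    result=default
    while read -r regex type; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$canon" | grep -Eq "^${regex}\$"; then
            result=$type
            break
        fi
    done <<EOF
$GLUSTER_FCONTEXTS
EOF
    printf '%s\n' "$result"
}

# Show the predicted label for a few constructed paths, including one reached
# through the /srv/gluster equivalence and one that only looks like a match.
for path in /usr/sbin/glusterfsd /usr/sbin/glusterd /etc/glusterfs/glusterd.vol \
            /var/run/glusterd.pid /srv/gluster/brick.sock /etc/glusterfsd; do
    printf '%-32s %s\n' "$path" "$(label_for "$path")"
done
```

       The /etc/glusterfsd case is the one worth noticing: because the
       regexes are anchored, a path that merely shares a prefix with
       /etc/glusterfs(/.*)? falls through to the default label, which is why a
       typo in a semanage fcontext regex silently leaves files unlabeled until
       restorecon -v is compared against the expected types.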

SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean.

       Allow glusterd servers to read the /var/glusterd directory by adding
       the public_content_t file type to the directory and by restoring the
       file type.

       semanage fcontext -a -t public_content_t "/var/glusterd(/.*)?"
       restorecon -F -R -v /var/glusterd

       Allow glusterd servers to read and write /var/glusterd/incoming by
       adding the public_content_rw_t type to the directory and by restoring
       the file type. You also need to turn on the gluster_anon_write
       boolean.

       semanage fcontext -a -t public_content_rw_t "/var/glusterd/incoming(/.*)?"
       restorecon -F -R -v /var/glusterd/incoming
       setsebool -P gluster_anon_write 1


       If you want to allow glusterfsd to modify public files used for public
       file transfer services (files and directories must be labeled
       public_content_rw_t), you must turn on the gluster_anon_write boolean.

       setsebool -P gluster_anon_write 1



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)



glusterd                           15-06-03                glusterd_selinux(8)