gpg_web_selinux(8)          SELinux Policy gpg_web          gpg_web_selinux(8)


NAME

       gpg_web_selinux - Security Enhanced Linux Policy for the gpg_web
       processes


DESCRIPTION

       Security-Enhanced Linux secures the gpg_web processes via flexible
       mandatory access control.

       The gpg_web processes execute with the gpg_web_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep gpg_web_t


ENTRYPOINTS

       The gpg_web_t SELinux type can be entered via the gpg_exec_t file type.

       The default entrypoint paths for the gpg_web_t domain are the
       following:

       /usr/lib(64)?/gnupg/.*, /usr/bin/gpg(2)?, /usr/bin/kgpg


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       gpg_web policy is very flexible, allowing users to set up their gpg_web
       processes in as secure a manner as possible.

       The following process types are defined for gpg_web:

       gpg_web_t

       Note: semanage permissive -a gpg_web_t can be used to make the process
       type gpg_web_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. gpg_web
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run gpg_web with the tightest access
       possible.

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow httpd to run gpg in the gpg-web domain, you must
       turn on the httpd_use_gpg boolean. Disabled by default.

       setsebool -P httpd_use_gpg 1

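       The booleans above each have a documented default, and several of them
       (allow_ptrace, domain_kernel_load_modules, httpd_use_gpg) widen access
       for every domain or let httpd reach gpg, so a host audit should flag
       any that have drifted. The following added example (not part of this
       man page or of the sepolicy tooling) compares `getsebool -a` output
       against the seven defaults stated in this section; the sample output it
       runs on is constructed, and the function name is an assumption.

```shell
#!/bin/bash
# Added example: report gpg_web-related booleans that differ from the
# defaults documented in the BOOLEANS section of gpg_web_selinux(8).

# name=documented default, one per line (values taken from the man page text)
GPG_WEB_BOOL_DEFAULTS='allow_domain_fd_use=on
allow_ptrace=off
domain_kernel_load_modules=off
fips_mode=on
global_ssp=off
httpd_enable_cgi=on
httpd_use_gpg=off'

# gpg_web_boolean_drift TEXT
#   TEXT is output in `getsebool -a` format ("name --> on|off").
#   Prints one line per documented boolean that is missing from TEXT or
#   whose current value differs from the documented default:
#     <name> current=<value|missing> default=<value>
gpg_web_boolean_drift() {
    printf '%s\n' "$GPG_WEB_BOOL_DEFAULTS" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$have" ]; then
            # Boolean names change between policy releases; say so explicitly.
            printf '%s current=missing default=%s\n' "$name" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s current=%s default=%s\n' "$name" "$have" "$want"
        fi
    done
}

# Constructed sample of `getsebool -a` output: three booleans deviate from the
# documented defaults, one unrelated boolean is present and must be ignored.
SAMPLE_GETSEBOOL='allow_domain_fd_use --> on
allow_ptrace --> on
domain_kernel_load_modules --> off
fips_mode --> on
global_ssp --> off
httpd_enable_cgi --> off
httpd_use_gpg --> on
httpd_can_network_connect --> off'

# Demo run on the constructed sample (prints three drift lines).
gpg_web_boolean_drift "$SAMPLE_GETSEBOOL"
```

       On a live system run it as gpg_web_boolean_drift "$(getsebool -a)";
       a non-empty report is the cue to review why the boolean was changed
       before resetting it with setsebool -P.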

MANAGED FILES

       The SELinux process type gpg_web_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions on the files.

       httpd_sys_rw_content_t

            /etc/drupal.*
            /var/lib/svn(/.*)?
            /var/www/svn(/.*)?
            /etc/dokuwiki(/.*)?
            /etc/owncloud(/.*)?
            /var/lib/koji(/.*)?
            /etc/mock/koji(/.*)?
            /var/www/html/[^/]*/sites/default/files(/.*)?
            /var/www/html/[^/]*/sites/default/settings.php
            /var/lib/drupal.*
            /etc/zabbix/web(/.*)?
            /var/log/z-push(/.*)?
            /var/spool/gosa(/.*)?
            /var/www/moodle(/.*)?
            /var/lib/dokuwiki(/.*)?
            /var/lib/owncloud(/.*)?
            /var/spool/viewvc(/.*)?
            /var/www/moodledata(/.*)?
            /var/www/gallery/albums(/.*)?
            /var/www/html/owncloud/data(/.*)?
            /usr/share/wordpress-mu/wp-content(/.*)?
            /usr/share/wordpress/wp-content/uploads(/.*)?
            /usr/share/wordpress/wp-content/upgrade(/.*)?
            /var/www/html/configuration.php

       initrc_tmp_t


       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       public_content_rw_t

            /var/spool/abrt-upload(/.*)?

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover


SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files of
       the public_content_rw_t type, you must set the appropriate boolean.

       Allow gpg_web servers to read the /var/gpg_web directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/gpg_web(/.*)?"
       restorecon -F -R -v /var/gpg_web

       Allow gpg_web servers to read and write /var/gpg_web/incoming by adding
       the public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the gpg_web_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/gpg_web/incoming(/.*)?"
       restorecon -F -R -v /var/gpg_web/incoming
       setsebool -P gpg_web_anon_write 1

       If you want to allow the gpg web domain to modify public files used for
       public file transfer services, you must turn on the gpg_web_anon_write
       boolean.

       setsebool -P gpg_web_anon_write 1


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), gpg_web(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

gpg_web                            15-06-03                 gpg_web_selinux(8)