1piranha_web_selinux(8) SELinux Policy piranha_web piranha_web_selinux(8)
2
6 piranha_web_selinux - Security Enhanced Linux Policy for the
7 piranha_web processes
8
10 Security-Enhanced Linux secures the piranha_web processes via flexible
11 mandatory access control.
12 The piranha_web processes execute with the piranha_web_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16 For example:
18 ps -eZ | grep piranha_web_t
20
24 The piranha_web_t SELinux type can be entered via the
25 piranha_web_exec_t file type.
26 The default entrypoint paths for the piranha_web_t domain are the fol‐
28 lowing:
29 /usr/sbin/luci, /usr/bin/paster, /usr/sbin/piranha_gui
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 piranha_web policy is very flexible allowing users to setup their
40 piranha_web processes in as secure a method as possible.
41 The following process types are defined for piranha_web:
43 piranha_web_t
45 Note: semanage permissive -a piranha_web_t can be used to make the
47 process type piranha_web_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
53 SELinux policy is customizable based on least access required.
54 piranha_web policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run piranha_web with the tight‐
56 est access possible.
57 If you want to allow all daemons to write corefiles to /, you must turn
61 on the allow_daemons_dump_core boolean. Disabled by default.
62 setsebool -P allow_daemons_dump_core 1
64 If you want to allow all daemons to use tcp wrappers, you must turn on
68 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
69 setsebool -P allow_daemons_use_tcp_wrapper 1
71 If you want to allow all daemons the ability to read/write terminals,
75 you must turn on the allow_daemons_use_tty boolean. Disabled by
76 default.
77 setsebool -P allow_daemons_use_tty 1
79 If you want to allow all domains to use other domains file descriptors,
83 you must turn on the allow_domain_fd_use boolean. Enabled by default.
84 setsebool -P allow_domain_fd_use 1
86 If you want to allow confined applications to run with kerberos, you
90 must turn on the allow_kerberos boolean. Enabled by default.
91 setsebool -P allow_kerberos 1
93 If you want to allow sysadm to debug or ptrace all processes, you must
97 turn on the allow_ptrace boolean. Disabled by default.
98 setsebool -P allow_ptrace 1
100 If you want to allow system to run with NIS, you must turn on the
104 allow_ypbind boolean. Disabled by default.
105 setsebool -P allow_ypbind 1
107 If you want to enable cluster mode for daemons, you must turn on the
111 daemons_enable_cluster_mode boolean. Disabled by default.
112 setsebool -P daemons_enable_cluster_mode 1
114 If you want to allow all domains to have the kernel load modules, you
118 must turn on the domain_kernel_load_modules boolean. Disabled by
119 default.
120 setsebool -P domain_kernel_load_modules 1
122 If you want to allow all domains to execute in fips_mode, you must turn
126 on the fips_mode boolean. Enabled by default.
127 setsebool -P fips_mode 1
129 If you want to enable reading of urandom for all domains, you must turn
133 on the global_ssp boolean. Disabled by default.
134 setsebool -P global_ssp 1
136 If you want to enable support for upstart as the init program, you must
140 turn on the init_upstart boolean. Enabled by default.
141 setsebool -P init_upstart 1
143 If you want to allow confined applications to use nscd shared memory,
147 you must turn on the nscd_use_shm boolean. Enabled by default.
148 setsebool -P nscd_use_shm 1
150
154 The SELinux process type piranha_web_t can manage files labeled with
155 the following file types. The paths listed are the default paths for
156 these file types. Note the processes UID still need to have DAC per‐
157 missions.
158 cluster_conf_t
160 /etc/cluster(/.*)?
162 cluster_var_lib_t
164 /var/lib(64)?/openais(/.*)?
166 /var/lib(64)?/pengine(/.*)?
167 /var/lib(64)?/corosync(/.*)?
168 /usr/lib(64)?/heartbeat(/.*)?
169 /var/lib(64)?/heartbeat(/.*)?
170 /var/lib(64)?/pacemaker(/.*)?
171 /var/lib/cluster(/.*)?
172 cluster_var_run_t
174 /var/run/crm(/.*)?
176 /var/run/cman_.*
177 /var/run/rsctmp(/.*)?
178 /var/run/aisexec.*
179 /var/run/heartbeat(/.*)?
180 /var/run/cpglockd.pid
181 /var/run/corosync.pid
182 /var/run/rgmanager.pid
183 /var/run/cluster/rgmanager.sk
184 initrc_tmp_t
186 mnt_t
189 /mnt(/[^/]*)
191 /mnt(/[^/]*)?
192 /rhev(/[^/]*)?
193 /media(/[^/]*)
194 /media(/[^/]*)?
195 /etc/rhgb(/.*)?
196 /media/.hal-.*
197 /net
198 /afs
199 /rhev
200 /misc
201 piranha_etc_rw_t
203 /etc/piranha/lvs.cf
205 /etc/sysconfig/ha/lvs.cf
206 piranha_log_t
208 /var/log/luci(/.*)?
210 /var/log/piranha(/.*)?
211 piranha_web_conf_t
213 /var/lib/luci/etc(/.*)?
215 /var/lib/luci/cert(/.*)?
216 piranha_web_data_t
218 /var/lib/luci(/.*)?
220 piranha_web_tmp_t
222 piranha_web_tmpfs_t
225 piranha_web_var_run_t
228 /var/run/luci(/.*)?
230 /var/run/piranha-httpd.pid
231 root_t
233 /
235 /initrd
236 tmp_t
238 /tmp
240 /usr/tmp
241 /var/tmp
242 /tmp-inst
243 /var/tmp-inst
244 /var/tmp/vi.recover
245
248 SELinux requires files to have an extended attribute to define the file
249 type.
250 You can see the context of a file using the -Z option to ls
252 Policy governs the access confined processes have to these files.
254 SELinux piranha_web policy is very flexible allowing users to setup
255 their piranha_web processes in as secure a method as possible.
256 EQUIVALENCE DIRECTORIES
258 piranha_web policy stores data with multiple different file context
261 types under the /var/lib/luci directory. If you would like to store
262 the data in a different directory you can use the semanage command to
263 create an equivalence mapping. If you wanted to store this data under
264 the /srv dirctory you would execute the following command:
265 semanage fcontext -a -e /var/lib/luci /srv/luci
267 restorecon -R -v /srv/luci
268 STANDARD FILE CONTEXT
270 SELinux defines the file context types for the piranha_web, if you
272 wanted to store files with these types in a diffent paths, you need to
273 execute the semanage command to sepecify alternate labeling and then
274 use restorecon to put the labels on disk.
275 semanage fcontext -a -t piranha_web_var_run_t '/srv/mypiranha_web_con‐
277 tent(/.*)?'
278 restorecon -R -v /srv/mypiranha_web_content
279 Note: SELinux often uses regular expressions to specify labels that
281 match multiple files.
282 The following file types are defined for piranha_web:
284 piranha_web_conf_t
288 - Set files with the piranha_web_conf_t type, if you want to treat the
290 files as piranha web configuration data, usually stored under the /etc
291 directory.
292 Paths:
295 /var/lib/luci/etc(/.*)?, /var/lib/luci/cert(/.*)?
296 piranha_web_data_t
299 - Set files with the piranha_web_data_t type, if you want to treat the
301 files as piranha web content.
302 piranha_web_exec_t
306 - Set files with the piranha_web_exec_t type, if you want to transition
308 an executable to the piranha_web_t domain.
309 Paths:
312 /usr/sbin/luci, /usr/bin/paster, /usr/sbin/piranha_gui
313 piranha_web_initrc_exec_t
316 - Set files with the piranha_web_initrc_exec_t type, if you want to
318 transition an executable to the piranha_web_initrc_t domain.
319 piranha_web_tmp_t
323 - Set files with the piranha_web_tmp_t type, if you want to store
325 piranha web temporary files in the /tmp directories.
326 piranha_web_tmpfs_t
330 - Set files with the piranha_web_tmpfs_t type, if you want to store
332 piranha web files on a tmpfs file system.
333 piranha_web_var_run_t
337 - Set files with the piranha_web_var_run_t type, if you want to store
339 the piranha web files under the /run or /var/run directory.
340 Paths:
343 /var/run/luci(/.*)?, /var/run/piranha-httpd.pid
344 Note: File context can be temporarily modified with the chcon command.
347 If you want to permanently change the file context you need to use the
348 semanage fcontext command. This will modify the SELinux labeling data‐
349 base. You will need to use restorecon to apply the labels.
350
353 semanage fcontext can also be used to manipulate default file context
354 mappings.
355 semanage permissive can also be used to manipulate whether or not a
357 process type is permissive.
358 semanage module can also be used to enable/disable/install/remove pol‐
360 icy modules.
361 semanage boolean can also be used to manipulate the booleans
363 system-config-selinux is a GUI tool available to customize SELinux pol‐
366 icy settings.
367
370 This manual page was auto-generated using sepolicy manpage .
371
374 selinux(8), piranha_web(8), semanage(8), restorecon(8), chcon(1) , set‐
375 sebool(8)
376piranha_web 15-06-03 piranha_web_selinux(8)