abrt_selinux(8) SELinux Policy abrt abrt_selinux(8)


NAME
abrt_selinux - Security Enhanced Linux Policy for the abrt processes

DESCRIPTION
Security-Enhanced Linux secures the abrt processes via flexible mandatory access control.

The abrt processes execute with the abrt_t SELinux type. You can check whether these processes are running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep abrt_t

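The grep above lists the processes that are in abrt_t; what a defender usually wants to know is the opposite, whether any abrt process is running outside the abrt_* domains (for example after being started by hand rather than by the service manager). The following POSIX shell function is an added example, not part of this man page: it parses ps -eZ output, live or supplied on stdin, and reports every process whose command name starts with abrt but whose SELinux type is not one of the abrt_* domains listed below. The function names, the SAMPLE_PS text and the constructed PIDs are this example's own.

```shell
#!/bin/sh
# Added example, not part of the abrt_selinux man page.
# Check that every running abrt process is confined in an abrt_* SELinux domain.
# Input format is that of `ps -eZ`: LABEL PID TTY TIME CMD, where LABEL is the
# process context user:role:type:level (an MLS level may itself contain colons,
# which is why the type is taken as the third colon-separated field).

# unconfined_abrt: read `ps -eZ` lines on stdin and print "PID CMD TYPE" for
# every process whose command name starts with "abrt" but whose type is not an
# abrt_* domain. Exit status 0 when all abrt processes are confined, 1 otherwise.
unconfined_abrt() {
    awk '
        NR == 1 && $1 == "LABEL" { next }          # skip the ps header line
        $NF ~ /^abrt/ {                             # CMD is the last column
            split($1, ctx, ":")                     # ctx[3] is the SELinux type
            if (ctx[3] !~ /^abrt(_[a-z_]+)?_t$/) {  # abrt_t, abrt_dump_oops_t, ...
                print $2 " " $NF " " ctx[3]
                bad++
            }
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# check_abrt_confinement: run the same check against the live process table.
check_abrt_confinement() {
    ps -eZ | unconfined_abrt
}

# Constructed sample in `ps -eZ` format (not captured from a real host):
# abrtd and the oops dumper are confined, abrt-dbus runs as unconfined_t,
# and the sshd line shows that non-abrt processes are ignored.
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:abrt_t:s0 1201 ? 00:00:00 abrtd
system_u:system_r:abrt_dump_oops_t:s0 1202 ? 00:00:00 abrt-dump-journal-oops
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4310 pts/0 00:00:00 abrt-dbus
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ? 00:00:00 sshd'

# Demo on the constructed sample: prints "4310 abrt-dbus unconfined_t".
printf '%s\n' "$SAMPLE_PS" | unconfined_abrt || echo "unconfined abrt process(es) found"
```

Run `check_abrt_confinement` on a host to use the live process table; a non-zero exit status makes the check usable from a cron job or a configuration-management health check.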
ENTRYPOINTS
The abrt_t SELinux type can be entered via the abrt_exec_t file type.

The default entrypoint paths for the abrt_t domain are the following:

/usr/sbin/abrt-harvest.*, /usr/sbin/abrtd, /usr/sbin/abrt-dbus, /usr/sbin/abrt-install-ccpp-hook

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux abrt policy is very flexible, allowing users to set up their abrt processes in as secure a manner as possible.

The following process types are defined for abrt:

abrt_t, abrt_dump_oops_t, abrt_handle_event_t, abrt_helper_t, abrt_retrace_worker_t, abrt_retrace_coredump_t, abrt_watch_log_t, abrt_upload_watch_t

Note: semanage permissive -a abrt_t can be used to make the process type abrt_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.

BOOLEANS
SELinux policy is customizable based on the least access required. abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible.


If you want to determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean. Disabled by default.

setsebool -P abrt_handle_event 1


If you want to allow users to resolve user passwd entries directly from ldap rather than using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1


If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default.

setsebool -P daemons_dump_core 1


If you want to enable cluster mode for daemons, you must turn on the daemons_enable_cluster_mode boolean. Enabled by default.

setsebool -P daemons_enable_cluster_mode 1


If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default.

setsebool -P daemons_use_tcp_wrapper 1


If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default.

setsebool -P daemons_use_tty 1


If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1


If you want to allow any process to mmap any file on the system with the attribute file_type, you must turn on the domain_can_mmap_files boolean. Enabled by default.

setsebool -P domain_can_mmap_files 1


If you want to allow all domains to write to kmsg_device while the kernel is executed with the systemd.log_target=kmsg parameter, you must turn on the domain_can_write_kmsg boolean. Disabled by default.

setsebool -P domain_can_write_kmsg 1


If you want to allow all domains to use other domains' file descriptors, you must turn on the domain_fd_use boolean. Enabled by default.

setsebool -P domain_fd_use 1


If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default.

setsebool -P domain_kernel_load_modules 1


If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1


If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1


If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1


If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1


If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1


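Each boolean above widens or narrows what confined domains may do, so a practitioner normally wants to notice when a host drifts from the documented defaults (a daemons_dump_core or deny_ptrace flip, for instance, weakens the confinement for every daemon, not only abrt). The following POSIX shell audit is an added example, not part of this man page: it takes the defaults stated in the text above as its baseline, reads getsebool -a output (live, or supplied on stdin), and reports every baseline boolean whose current value differs. The baseline table, the function names and the SAMPLE_GETSEBOOL text are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the abrt_selinux man page.
# Report booleans whose current value differs from the default this page documents.
# Input is `getsebool -a` output, one "name --> on|off" line per boolean.

# Baseline: "name default", copied from the boolean descriptions above.
# abrt_anon_write is deliberately absent: the page states no default for it.
ABRT_BOOLEAN_BASELINE='abrt_handle_event off
authlogin_nsswitch_use_ldap off
daemons_dump_core off
daemons_enable_cluster_mode on
daemons_use_tcp_wrapper off
daemons_use_tty off
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
fips_mode on
global_ssp off
kerberos_enabled on
nis_enabled off
nscd_use_shm off'

# audit_booleans: read `getsebool -a` lines on stdin and print
# "name current default" for every baseline boolean that deviates.
# Booleans missing from the input (not present in the loaded policy) are
# skipped. Exit status 0 when nothing deviates, 1 otherwise.
audit_booleans() {
    current=$(cat)
    bad=0
    while read -r name default; do
        value=$(printf '%s\n' "$current" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        [ -n "$value" ] || continue
        if [ "$value" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$value" "$default"
            bad=$((bad + 1))
        fi
    done <<EOF
$ABRT_BOOLEAN_BASELINE
EOF
    [ "$bad" -eq 0 ]
}

# audit_live_booleans: run the same audit against the running policy.
audit_live_booleans() {
    getsebool -a | audit_booleans
}

# Constructed sample of `getsebool -a` output (not captured from a real host):
# abrt_handle_event has been switched on and deny_ptrace switched off.
SAMPLE_GETSEBOOL='abrt_anon_write --> off
abrt_handle_event --> on
daemons_dump_core --> off
deny_ptrace --> off
domain_fd_use --> on
nis_enabled --> off'

# Demo on the constructed sample: prints "abrt_handle_event on off" and
# "deny_ptrace off on".
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans || echo "boolean(s) differ from documented defaults"
```

A deviation is not necessarily a misconfiguration (abrt_handle_event must be on for event scripts, as described above), but each one is a deliberate widening of policy that should be traceable to a change record; the audit gives you the list to reconcile.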
MANAGED FILES
The SELinux process type abrt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

abrt_etc_t

/etc/abrt(/.*)?

abrt_tmp_t

abrt_upload_watch_tmp_t

abrt_var_cache_t

/var/tmp/abrt(/.*)?
/var/cache/abrt(/.*)?
/var/spool/abrt(/.*)?
/var/spool/debug(/.*)?
/var/cache/abrt-di(/.*)?
/var/spool/rhsm/debug(/.*)?

abrt_var_log_t

/var/log/abrt-logger.*

abrt_var_run_t

/var/run/abrt(/.*)?
/var/run/abrtd?.lock
/var/run/abrtd?.socket
/var/run/abrt.pid

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/cpglockd.pid
/var/run/corosync.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

kdump_crash_t

/var/crash(/.*)?

mock_var_lib_t

/var/lib/mock(/.*)?

public_content_rw_t

/var/spool/abrt-upload(/.*)?

rhsmcertd_var_run_t

/var/run/rhsm(/.*)?

root_t

/sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
/
/initrd

rpm_log_t

/var/log/yum.log.*
/var/log/up2date.*

rpm_var_cache_t

/var/cache/yum(/.*)?
/var/cache/dnf(/.*)?
/var/spool/up2date(/.*)?
/var/cache/PackageKit(/.*)?

rpm_var_run_t

/var/run/yum.*
/var/run/PackageKit(/.*)?

sysfs_t

/sys(/.*)?

usermodehelper_t

/sys/kernel/uevent_helper


FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux abrt policy is very flexible, allowing users to set up their abrt processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES

abrt policy stores data with multiple different file context types under the /var/cache/abrt directory. If you would like to store the data in a different directory, you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory, you would execute the following command:

semanage fcontext -a -e /var/cache/abrt /srv/abrt
restorecon -R -v /srv/abrt

abrt policy stores data with multiple different file context types under the /var/spool/abrt directory. If you would like to store the data in a different directory, you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory, you would execute the following command:

semanage fcontext -a -e /var/spool/abrt /srv/abrt
restorecon -R -v /srv/abrt

abrt policy stores data with multiple different file context types under the /var/run/abrt directory. If you would like to store the data in a different directory, you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory, you would execute the following command:

semanage fcontext -a -e /var/run/abrt /srv/abrt
restorecon -R -v /srv/abrt

STANDARD FILE CONTEXT

SELinux defines the file context types for abrt. If you wanted to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t abrt_var_run_t '/srv/myabrt_content(/.*)?'
restorecon -R -v /srv/myabrt_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

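To see what the equivalence mappings and the labeling regular expressions above actually decide for a given path, here is an added example (not part of this man page) that emulates a matchpathcon(8) lookup in POSIX shell against a constructed spec table built from the default paths listed on this page. A path that has been relocated to /srv/abrt gets no label from the default specs at all, which is why restorecon alone does not fix it; with the equivalence in place, the path is rewritten to its /var/cache/abrt counterpart before matching and the usual type applies. The label_for function, the ABRT_FCONTEXT_SPECS table and the backslash-escaped dots in it are this example's own; on a real host, `matchpathcon PATH` and `ls -Z PATH` consult the actual policy.

```shell
#!/bin/sh
# Added example, not part of the abrt_selinux man page: resolve which file type
# the default abrt file context specs give a path, optionally after applying an
# equivalence mapping of the kind `semanage fcontext -a -e TARGET SOURCE` creates.
# This emulates matchpathcon(8) on a constructed table so it runs without a
# loaded policy; on a real host use `matchpathcon PATH` or `ls -Z PATH`.

# Constructed spec table, "regex type", built from the default paths this page
# documents. Dots are escaped here (as in the policy's own file_contexts) so that
# abrt.pid does not also match abrtXpid. The "(/.*)?" suffix matches the
# directory itself and everything below it. Specs are matched against the
# whole path as extended regular expressions.
ABRT_FCONTEXT_SPECS='/etc/abrt(/.*)? abrt_etc_t
/var/cache/abrt(/.*)? abrt_var_cache_t
/var/spool/abrt(/.*)? abrt_var_cache_t
/var/cache/abrt-di(/.*)? abrt_var_cache_t
/var/log/abrt-logger.* abrt_var_log_t
/var/run/abrt(/.*)? abrt_var_run_t
/var/run/abrtd?\.lock abrt_var_run_t
/var/run/abrtd?\.socket abrt_var_run_t
/var/run/abrt\.pid abrt_var_run_t
/var/spool/abrt-upload(/.*)? public_content_rw_t'

# label_for PATH [TARGET SOURCE]: print the type assigned to PATH.
# With TARGET and SOURCE given, a PATH at or below SOURCE is rewritten to the
# same relative path below TARGET before matching; that is what an equivalence
# created with `semanage fcontext -a -e TARGET SOURCE` does. The specs in this
# table do not overlap, so the first match is taken. Prints <<none>> and
# returns 1 when no spec applies to the path.
label_for() {
    path=$1
    target=${2:-}
    source=${3:-}
    if [ -n "$source" ]; then
        case $path in
            "$source" | "$source"/*) path="$target${path#"$source"}" ;;
        esac
    fi
    match=$(printf '%s\n' "$ABRT_FCONTEXT_SPECS" | while read -r re type; do
        if printf '%s\n' "$path" | grep -Eq "^$re\$"; then
            printf '%s\n' "$type"
            break
        fi
    done)
    if [ -z "$match" ]; then
        printf '%s\n' '<<none>>'
        return 1
    fi
    printf '%s\n' "$match"
}

# Demo: a crash directory under the default path, then the same directory after
# relocation to /srv/abrt, without and with the equivalence from the text above.
# Prints abrt_var_cache_t, <<none>>, abrt_var_cache_t.
label_for /var/cache/abrt/ccpp-2024-01-01-12:00:00-4242/coredump
label_for /srv/abrt/ccpp-2024-01-01-12:00:00-4242/coredump || true
label_for /srv/abrt/ccpp-2024-01-01-12:00:00-4242/coredump /var/cache/abrt /srv/abrt
```

The same lookup explains the STANDARD FILE CONTEXT recipe: `semanage fcontext -a -t abrt_var_run_t '/srv/myabrt_content(/.*)?'` simply appends one more "regex type" line to the table the policy consults, and restorecon then applies whatever the table resolves for each file.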
The following file types are defined for abrt:


abrt_dump_oops_exec_t

- Set files with the abrt_dump_oops_exec_t type, if you want to transition an executable to the abrt_dump_oops_t domain.

Paths:
/usr/bin/abrt-dump-.*, /usr/bin/abrt-uefioops-oops, /usr/libexec/abrt-hook-ccpp


abrt_etc_t

- Set files with the abrt_etc_t type, if you want to store abrt files in the /etc directories.


abrt_exec_t

- Set files with the abrt_exec_t type, if you want to transition an executable to the abrt_t domain.

Paths:
/usr/sbin/abrt-harvest.*, /usr/sbin/abrtd, /usr/sbin/abrt-dbus, /usr/sbin/abrt-install-ccpp-hook


abrt_handle_event_exec_t

- Set files with the abrt_handle_event_exec_t type, if you want to transition an executable to the abrt_handle_event_t domain.


abrt_helper_exec_t

- Set files with the abrt_helper_exec_t type, if you want to transition an executable to the abrt_helper_t domain.


abrt_initrc_exec_t

- Set files with the abrt_initrc_exec_t type, if you want to transition an executable to the abrt_initrc_t domain.


abrt_retrace_cache_t

- Set files with the abrt_retrace_cache_t type, if you want to store the files under the /var/cache directory.

Paths:
/var/cache/abrt-retrace(/.*)?, /var/cache/retrace-server(/.*)?


abrt_retrace_coredump_exec_t

- Set files with the abrt_retrace_coredump_exec_t type, if you want to transition an executable to the abrt_retrace_coredump_t domain.


abrt_retrace_spool_t

- Set files with the abrt_retrace_spool_t type, if you want to store the abrt retrace files under the /var/spool directory.

Paths:
/var/spool/faf(/.*)?, /var/spool/abrt-retrace(/.*)?, /var/spool/retrace-server(/.*)?


abrt_retrace_worker_exec_t

- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain.

Paths:
/usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker


abrt_tmp_t

- Set files with the abrt_tmp_t type, if you want to store abrt temporary files in the /tmp directories.


abrt_unit_file_t

- Set files with the abrt_unit_file_t type, if you want to treat the files as abrt unit content.


abrt_upload_watch_exec_t

- Set files with the abrt_upload_watch_exec_t type, if you want to transition an executable to the abrt_upload_watch_t domain.


abrt_upload_watch_tmp_t

- Set files with the abrt_upload_watch_tmp_t type, if you want to store abrt upload watch temporary files in the /tmp directories.


abrt_var_cache_t

- Set files with the abrt_var_cache_t type, if you want to store the files under the /var/cache directory.

Paths:
/var/tmp/abrt(/.*)?, /var/cache/abrt(/.*)?, /var/spool/abrt(/.*)?, /var/spool/debug(/.*)?, /var/cache/abrt-di(/.*)?, /var/spool/rhsm/debug(/.*)?


abrt_var_lib_t

- Set files with the abrt_var_lib_t type, if you want to store the abrt files under the /var/lib directory.


abrt_var_log_t

- Set files with the abrt_var_log_t type, if you want to treat the data as abrt var log data, usually stored under the /var/log directory.


abrt_var_run_t

- Set files with the abrt_var_run_t type, if you want to store the abrt files under the /run or /var/run directory.

Paths:
/var/run/abrt(/.*)?, /var/run/abrtd?.lock, /var/run/abrtd?.socket, /var/run/abrt.pid


abrt_watch_log_exec_t

- Set files with the abrt_watch_log_exec_t type, if you want to transition an executable to the abrt_watch_log_t domain.


Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context, you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.


SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to files labeled public_content_rw_t, you must set the appropriate boolean.

Allow abrt servers to read the /var/abrt directory by adding the public_content_t file type to the directory and by restoring the file type.

semanage fcontext -a -t public_content_t "/var/abrt(/.*)?"
restorecon -F -R -v /var/abrt

Allow abrt servers to read and write /var/abrt/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. You also need to turn on the abrt_anon_write boolean.

semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?"
restorecon -F -R -v /var/abrt/incoming
setsebool -P abrt_anon_write 1


If you want to allow ABRT to modify public files used for public file transfer services, you must turn on the abrt_anon_write boolean.

setsebool -P abrt_anon_write 1


COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux policy settings.


AUTHOR
This manual page was auto-generated using sepolicy manpage.


SEE ALSO
selinux(8), abrt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_upload_watch_selinux(8), abrt_watch_log_selinux(8)



abrt 19-04-25 abrt_selinux(8)