1boinc_selinux(8) SELinux Policy boinc boinc_selinux(8)
2
6 boinc_selinux - Security Enhanced Linux Policy for the boinc processes
7
9 Security-Enhanced Linux secures the boinc processes via flexible manda‐
10 tory access control.
11 The boinc processes execute with the boinc_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep boinc_t
19
23 The boinc_t SELinux type can be entered via the boinc_exec_t file type.
24 The default entrypoint paths for the boinc_t domain are the following:
26 /usr/bin/boinc_client
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 boinc policy is very flexible allowing users to setup their boinc pro‐
37 cesses in as secure a method as possible.
38 The following process types are defined for boinc:
40 boinc_t, boinc_project_t
42 Note: semanage permissive -a boinc_t can be used to make the process
44 type boinc_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
50 SELinux policy is customizable based on least access required. boinc
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run boinc with the tightest access possible.
53 If you want to determine whether boinc can execmem/execstack, you must
57 turn on the boinc_execmem boolean. Enabled by default.
58 setsebool -P boinc_execmem 1
60 If you want to allow all daemons to write corefiles to /, you must turn
64 on the daemons_dump_core boolean. Disabled by default.
65 setsebool -P daemons_dump_core 1
67 If you want to enable cluster mode for daemons, you must turn on the
71 daemons_enable_cluster_mode boolean. Enabled by default.
72 setsebool -P daemons_enable_cluster_mode 1
74 If you want to allow all daemons to use tcp wrappers, you must turn on
78 the daemons_use_tcp_wrapper boolean. Disabled by default.
79 setsebool -P daemons_use_tcp_wrapper 1
81 If you want to allow all daemons the ability to read/write terminals,
85 you must turn on the daemons_use_tty boolean. Disabled by default.
86 setsebool -P daemons_use_tty 1
88 If you want to deny any process from ptracing or debugging any other
92 processes, you must turn on the deny_ptrace boolean. Enabled by
93 default.
94 setsebool -P deny_ptrace 1
96 If you want to allow any process to mmap any file on system with
100 attribute file_type, you must turn on the domain_can_mmap_files bool‐
101 ean. Enabled by default.
102 setsebool -P domain_can_mmap_files 1
104 If you want to allow all domains write to kmsg_device, while kernel is
108 executed with systemd.log_target=kmsg parameter, you must turn on the
109 domain_can_write_kmsg boolean. Disabled by default.
110 setsebool -P domain_can_write_kmsg 1
112 If you want to allow all domains to use other domains file descriptors,
116 you must turn on the domain_fd_use boolean. Enabled by default.
117 setsebool -P domain_fd_use 1
119 If you want to allow all domains to have the kernel load modules, you
123 must turn on the domain_kernel_load_modules boolean. Disabled by
124 default.
125 setsebool -P domain_kernel_load_modules 1
127 If you want to allow all domains to execute in fips_mode, you must turn
131 on the fips_mode boolean. Enabled by default.
132 setsebool -P fips_mode 1
134 If you want to enable reading of urandom for all domains, you must turn
138 on the global_ssp boolean. Disabled by default.
139 setsebool -P global_ssp 1
141 If you want to allow confined applications to use nscd shared memory,
145 you must turn on the nscd_use_shm boolean. Disabled by default.
146 setsebool -P nscd_use_shm 1
148
152 SELinux defines port types to represent TCP and UDP ports.
153 You can see the types associated with a port by using the following
155 command:
156 semanage port -l
158 Policy governs the access confined processes have to these ports.
161 SELinux boinc policy is very flexible allowing users to setup their
162 boinc processes in as secure a method as possible.
163 The following port types are defined for boinc:
165 boinc_client_port_t
168 Default Defined Ports:
172 tcp 1043
173 udp 1034
174 boinc_port_t
177 Default Defined Ports:
181 tcp 31416
182
184 The SELinux process type boinc_t can manage files labeled with the fol‐
185 lowing file types. The paths listed are the default paths for these
186 file types. Note the processes UID still need to have DAC permissions.
187 boinc_log_t
189 /var/log/boinc.log.*
191 boinc_project_var_lib_t
193 /var/lib/boinc/slots(/.*)?
195 /var/lib/boinc/projects(/.*)?
196 boinc_tmp_t
198 boinc_tmpfs_t
201 boinc_var_lib_t
204 /var/lib/boinc(/.*)?
206 cluster_conf_t
208 /etc/cluster(/.*)?
210 cluster_var_lib_t
212 /var/lib/pcsd(/.*)?
214 /var/lib/cluster(/.*)?
215 /var/lib/openais(/.*)?
216 /var/lib/pengine(/.*)?
217 /var/lib/corosync(/.*)?
218 /usr/lib/heartbeat(/.*)?
219 /var/lib/heartbeat(/.*)?
220 /var/lib/pacemaker(/.*)?
221 cluster_var_run_t
223 /var/run/crm(/.*)?
225 /var/run/cman_.*
226 /var/run/rsctmp(/.*)?
227 /var/run/aisexec.*
228 /var/run/heartbeat(/.*)?
229 /var/run/corosync-qnetd(/.*)?
230 /var/run/corosync-qdevice(/.*)?
231 /var/run/cpglockd.pid
232 /var/run/corosync.pid
233 /var/run/rgmanager.pid
234 /var/run/cluster/rgmanager.sk
235 root_t
237 /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
239 /
240 /initrd
241
244 SELinux requires files to have an extended attribute to define the file
245 type.
246 You can see the context of a file using the -Z option to ls
248 Policy governs the access confined processes have to these files.
250 SELinux boinc policy is very flexible allowing users to setup their
251 boinc processes in as secure a method as possible.
252 EQUIVALENCE DIRECTORIES
254 boinc policy stores data with multiple different file context types
257 under the /var/lib/boinc directory. If you would like to store the
258 data in a different directory you can use the semanage command to cre‐
259 ate an equivalence mapping. If you wanted to store this data under the
260 /srv dirctory you would execute the following command:
261 semanage fcontext -a -e /var/lib/boinc /srv/boinc
263 restorecon -R -v /srv/boinc
264 STANDARD FILE CONTEXT
266 SELinux defines the file context types for the boinc, if you wanted to
268 store files with these types in a diffent paths, you need to execute
269 the semanage command to sepecify alternate labeling and then use
270 restorecon to put the labels on disk.
271 semanage fcontext -a -t boinc_var_lib_t '/srv/myboinc_content(/.*)?'
273 restorecon -R -v /srv/myboinc_content
274 Note: SELinux often uses regular expressions to specify labels that
276 match multiple files.
277 The following file types are defined for boinc:
279 boinc_exec_t
283 - Set files with the boinc_exec_t type, if you want to transition an
285 executable to the boinc_t domain.
286 boinc_initrc_exec_t
290 - Set files with the boinc_initrc_exec_t type, if you want to transi‐
292 tion an executable to the boinc_initrc_t domain.
293 boinc_log_t
297 - Set files with the boinc_log_t type, if you want to treat the data as
299 boinc log data, usually stored under the /var/log directory.
300 boinc_project_tmp_t
304 - Set files with the boinc_project_tmp_t type, if you want to store
306 boinc project temporary files in the /tmp directories.
307 boinc_project_var_lib_t
311 - Set files with the boinc_project_var_lib_t type, if you want to store
313 the boinc project files under the /var/lib directory.
314 Paths:
317 /var/lib/boinc/slots(/.*)?, /var/lib/boinc/projects(/.*)?
318 boinc_tmp_t
321 - Set files with the boinc_tmp_t type, if you want to store boinc tem‐
323 porary files in the /tmp directories.
324 boinc_tmpfs_t
328 - Set files with the boinc_tmpfs_t type, if you want to store boinc
330 files on a tmpfs file system.
331 boinc_unit_file_t
335 - Set files with the boinc_unit_file_t type, if you want to treat the
337 files as boinc unit content.
338 boinc_var_lib_t
342 - Set files with the boinc_var_lib_t type, if you want to store the
344 boinc files under the /var/lib directory.
345 Note: File context can be temporarily modified with the chcon command.
349 If you want to permanently change the file context you need to use the
350 semanage fcontext command. This will modify the SELinux labeling data‐
351 base. You will need to use restorecon to apply the labels.
352
355 semanage fcontext can also be used to manipulate default file context
356 mappings.
357 semanage permissive can also be used to manipulate whether or not a
359 process type is permissive.
360 semanage module can also be used to enable/disable/install/remove pol‐
362 icy modules.
363 semanage port can also be used to manipulate the port definitions
365 semanage boolean can also be used to manipulate the booleans
367 system-config-selinux is a GUI tool available to customize SELinux pol‐
370 icy settings.
371
374 This manual page was auto-generated using sepolicy manpage .
375
378 selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
379 , setsebool(8), boinc_project_selinux(8), boinc_project_selinux(8)
380boinc 19-04-25 boinc_selinux(8)