1cinder_api_selinux(8) SELinux Policy cinder_api cinder_api_selinux(8)
2
3
4
6 cinder_api_selinux - Security Enhanced Linux Policy for the cinder_api
7 processes
8
10 Security-Enhanced Linux secures the cinder_api processes via flexible
11 mandatory access control.
12
13 The cinder_api processes execute with the cinder_api_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep cinder_api_t
20
21
22
24 The cinder_api_t SELinux type can be entered via the cinder_api_exec_t
25 file type.
26
27 The default entrypoint paths for the cinder_api_t domain are the fol‐
28 lowing:
29
30 /usr/bin/cinder-api
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 cinder_api policy is very flexible allowing users to setup their cin‐
40 der_api processes in as secure a method as possible.
41
42 The following process types are defined for cinder_api:
43
44 cinder_api_t
45
46 Note: semanage permissive -a cinder_api_t can be used to make the
47 process type cinder_api_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required. cin‐
54 der_api policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run cinder_api with the tightest
56 access possible.
57
58
59
60 If you want to allow all daemons to write corefiles to /, you must turn
61 on the daemons_dump_core boolean. Disabled by default.
62
63 setsebool -P daemons_dump_core 1
64
65
66
67 If you want to enable cluster mode for daemons, you must turn on the
68 daemons_enable_cluster_mode boolean. Enabled by default.
69
70 setsebool -P daemons_enable_cluster_mode 1
71
72
73
74 If you want to allow all daemons to use tcp wrappers, you must turn on
75 the daemons_use_tcp_wrapper boolean. Disabled by default.
76
77 setsebool -P daemons_use_tcp_wrapper 1
78
79
80
81 If you want to allow all daemons the ability to read/write terminals,
82 you must turn on the daemons_use_tty boolean. Disabled by default.
83
84 setsebool -P daemons_use_tty 1
85
86
87
88 If you want to deny user domains applications to map a memory region as
89 both executable and writable, this is dangerous and the executable
90 should be reported in bugzilla, you must turn on the deny_execmem bool‐
91 ean. Enabled by default.
92
93 setsebool -P deny_execmem 1
94
95
96
97 If you want to deny any process from ptracing or debugging any other
98 processes, you must turn on the deny_ptrace boolean. Enabled by
99 default.
100
101 setsebool -P deny_ptrace 1
102
103
104
105 If you want to allow any process to mmap any file on system with
106 attribute file_type, you must turn on the domain_can_mmap_files bool‐
107 ean. Enabled by default.
108
109 setsebool -P domain_can_mmap_files 1
110
111
112
113 If you want to allow all domains write to kmsg_device, while kernel is
114 executed with systemd.log_target=kmsg parameter, you must turn on the
115 domain_can_write_kmsg boolean. Disabled by default.
116
117 setsebool -P domain_can_write_kmsg 1
118
119
120
121 If you want to allow all domains to use other domains file descriptors,
122 you must turn on the domain_fd_use boolean. Enabled by default.
123
124 setsebool -P domain_fd_use 1
125
126
127
128 If you want to allow all domains to have the kernel load modules, you
129 must turn on the domain_kernel_load_modules boolean. Disabled by
130 default.
131
132 setsebool -P domain_kernel_load_modules 1
133
134
135
136 If you want to allow all domains to execute in fips_mode, you must turn
137 on the fips_mode boolean. Enabled by default.
138
139 setsebool -P fips_mode 1
140
141
142
143 If you want to enable reading of urandom for all domains, you must turn
144 on the global_ssp boolean. Disabled by default.
145
146 setsebool -P global_ssp 1
147
148
149
150 If you want to control the ability to mmap a low area of the address
151 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
152 the mmap_low_allowed boolean. Disabled by default.
153
154 setsebool -P mmap_low_allowed 1
155
156
157
158 If you want to disable kernel module loading, you must turn on the
159 secure_mode_insmod boolean. Enabled by default.
160
161 setsebool -P secure_mode_insmod 1
162
163
164
165 If you want to boolean to determine whether the system permits loading
166 policy, setting enforcing mode, and changing boolean values. Set this
167 to true and you have to reboot to set it back, you must turn on the
168 secure_mode_policyload boolean. Enabled by default.
169
170 setsebool -P secure_mode_policyload 1
171
172
173
174 If you want to allow unconfined executables to make their heap memory
175 executable. Doing this is a really bad idea. Probably indicates a
176 badly coded executable, but could indicate an attack. This executable
177 should be reported in bugzilla, you must turn on the selin‐
178 uxuser_execheap boolean. Disabled by default.
179
180 setsebool -P selinuxuser_execheap 1
181
182
183
184 If you want to allow all unconfined executables to use libraries
185 requiring text relocation that are not labeled textrel_shlib_t, you
186 must turn on the selinuxuser_execmod boolean. Enabled by default.
187
188 setsebool -P selinuxuser_execmod 1
189
190
191
192 If you want to allow unconfined executables to make their stack exe‐
193 cutable. This should never, ever be necessary. Probably indicates a
194 badly coded executable, but could indicate an attack. This executable
195 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
196 stack boolean. Enabled by default.
197
198 setsebool -P selinuxuser_execstack 1
199
200
201
202 If you want to support X userspace object manager, you must turn on the
203 xserver_object_manager boolean. Enabled by default.
204
205 setsebool -P xserver_object_manager 1
206
207
208
210 The SELinux process type cinder_api_t can manage files labeled with the
211 following file types. The paths listed are the default paths for these
212 file types. Note the processes UID still need to have DAC permissions.
213
214 file_type
215
216 all files on the system
217
218
220 SELinux requires files to have an extended attribute to define the file
221 type.
222
223 You can see the context of a file using the -Z option to ls
224
225 Policy governs the access confined processes have to these files.
226 SELinux cinder_api policy is very flexible allowing users to setup
227 their cinder_api processes in as secure a method as possible.
228
229 STANDARD FILE CONTEXT
230
231 SELinux defines the file context types for the cinder_api, if you
232 wanted to store files with these types in a diffent paths, you need to
233 execute the semanage command to sepecify alternate labeling and then
234 use restorecon to put the labels on disk.
235
236 semanage fcontext -a -t cinder_api_unit_file_t '/srv/mycinder_api_con‐
237 tent(/.*)?'
238 restorecon -R -v /srv/mycinder_api_content
239
240 Note: SELinux often uses regular expressions to specify labels that
241 match multiple files.
242
243 The following file types are defined for cinder_api:
244
245
246
247 cinder_api_exec_t
248
249 - Set files with the cinder_api_exec_t type, if you want to transition
250 an executable to the cinder_api_t domain.
251
252
253
254 cinder_api_tmp_t
255
256 - Set files with the cinder_api_tmp_t type, if you want to store cinder
257 api temporary files in the /tmp directories.
258
259
260
261 cinder_api_unit_file_t
262
263 - Set files with the cinder_api_unit_file_t type, if you want to treat
264 the files as cinder api unit content.
265
266
267
268 Note: File context can be temporarily modified with the chcon command.
269 If you want to permanently change the file context you need to use the
270 semanage fcontext command. This will modify the SELinux labeling data‐
271 base. You will need to use restorecon to apply the labels.
272
273
275 semanage fcontext can also be used to manipulate default file context
276 mappings.
277
278 semanage permissive can also be used to manipulate whether or not a
279 process type is permissive.
280
281 semanage module can also be used to enable/disable/install/remove pol‐
282 icy modules.
283
284 semanage boolean can also be used to manipulate the booleans
285
286
287 system-config-selinux is a GUI tool available to customize SELinux pol‐
288 icy settings.
289
290
292 This manual page was auto-generated using sepolicy manpage .
293
294
296 selinux(8), cinder_api(8), semanage(8), restorecon(8), chcon(1), sepol‐
297 icy(8) , setsebool(8)
298
299
300
301cinder_api 19-04-25 cinder_api_selinux(8)