1cinder_volume_selinux(8) SELinux Policy cinder_volume cinder_volume_selinux(8)
2
3
4
6 cinder_volume_selinux - Security Enhanced Linux Policy for the cin‐
7 der_volume processes
8
10 Security-Enhanced Linux secures the cinder_volume processes via flexi‐
11 ble mandatory access control.
12
13 The cinder_volume processes execute with the cinder_volume_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep cinder_volume_t
20
21
22
24 The cinder_volume_t SELinux type can be entered via the cinder_vol‐
25 ume_exec_t file type.
26
27 The default entrypoint paths for the cinder_volume_t domain are the
28 following:
29
30 /usr/bin/cinder-volume
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 cinder_volume policy is very flexible allowing users to setup their
40 cinder_volume processes in as secure a method as possible.
41
42 The following process types are defined for cinder_volume:
43
44 cinder_volume_t
45
46 Note: semanage permissive -a cinder_volume_t can be used to make the
47 process type cinder_volume_t permissive. SELinux does not deny access
48 to permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required. cin‐
54 der_volume policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run cinder_volume with the
56 tightest access possible.
57
58
59
60 If you want to allow all daemons to write corefiles to /, you must turn
61 on the daemons_dump_core boolean. Disabled by default.
62
63 setsebool -P daemons_dump_core 1
64
65
66
67 If you want to enable cluster mode for daemons, you must turn on the
68 daemons_enable_cluster_mode boolean. Enabled by default.
69
70 setsebool -P daemons_enable_cluster_mode 1
71
72
73
74 If you want to allow all daemons to use tcp wrappers, you must turn on
75 the daemons_use_tcp_wrapper boolean. Disabled by default.
76
77 setsebool -P daemons_use_tcp_wrapper 1
78
79
80
81 If you want to allow all daemons the ability to read/write terminals,
82 you must turn on the daemons_use_tty boolean. Disabled by default.
83
84 setsebool -P daemons_use_tty 1
85
86
87
88 If you want to deny user domains applications to map a memory region as
89 both executable and writable, this is dangerous and the executable
90 should be reported in bugzilla, you must turn on the deny_execmem bool‐
91 ean. Enabled by default.
92
93 setsebool -P deny_execmem 1
94
95
96
97 If you want to deny any process from ptracing or debugging any other
98 processes, you must turn on the deny_ptrace boolean. Enabled by
99 default.
100
101 setsebool -P deny_ptrace 1
102
103
104
105 If you want to allow any process to mmap any file on system with
106 attribute file_type, you must turn on the domain_can_mmap_files bool‐
107 ean. Enabled by default.
108
109 setsebool -P domain_can_mmap_files 1
110
111
112
113 If you want to allow all domains write to kmsg_device, while kernel is
114 executed with systemd.log_target=kmsg parameter, you must turn on the
115 domain_can_write_kmsg boolean. Disabled by default.
116
117 setsebool -P domain_can_write_kmsg 1
118
119
120
121 If you want to allow all domains to use other domains file descriptors,
122 you must turn on the domain_fd_use boolean. Enabled by default.
123
124 setsebool -P domain_fd_use 1
125
126
127
128 If you want to allow all domains to have the kernel load modules, you
129 must turn on the domain_kernel_load_modules boolean. Disabled by
130 default.
131
132 setsebool -P domain_kernel_load_modules 1
133
134
135
136 If you want to allow all domains to execute in fips_mode, you must turn
137 on the fips_mode boolean. Enabled by default.
138
139 setsebool -P fips_mode 1
140
141
142
143 If you want to enable reading of urandom for all domains, you must turn
144 on the global_ssp boolean. Disabled by default.
145
146 setsebool -P global_ssp 1
147
148
149
150 If you want to control the ability to mmap a low area of the address
151 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
152 the mmap_low_allowed boolean. Disabled by default.
153
154 setsebool -P mmap_low_allowed 1
155
156
157
158 If you want to disable kernel module loading, you must turn on the
159 secure_mode_insmod boolean. Enabled by default.
160
161 setsebool -P secure_mode_insmod 1
162
163
164
165 If you want to boolean to determine whether the system permits loading
166 policy, setting enforcing mode, and changing boolean values. Set this
167 to true and you have to reboot to set it back, you must turn on the
168 secure_mode_policyload boolean. Enabled by default.
169
170 setsebool -P secure_mode_policyload 1
171
172
173
174 If you want to allow unconfined executables to make their heap memory
175 executable. Doing this is a really bad idea. Probably indicates a
176 badly coded executable, but could indicate an attack. This executable
177 should be reported in bugzilla, you must turn on the selin‐
178 uxuser_execheap boolean. Disabled by default.
179
180 setsebool -P selinuxuser_execheap 1
181
182
183
184 If you want to allow all unconfined executables to use libraries
185 requiring text relocation that are not labeled textrel_shlib_t, you
186 must turn on the selinuxuser_execmod boolean. Enabled by default.
187
188 setsebool -P selinuxuser_execmod 1
189
190
191
192 If you want to allow unconfined executables to make their stack exe‐
193 cutable. This should never, ever be necessary. Probably indicates a
194 badly coded executable, but could indicate an attack. This executable
195 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
196 stack boolean. Enabled by default.
197
198 setsebool -P selinuxuser_execstack 1
199
200
201
202 If you want to support X userspace object manager, you must turn on the
203 xserver_object_manager boolean. Enabled by default.
204
205 setsebool -P xserver_object_manager 1
206
207
208
210 The SELinux process type cinder_volume_t can manage files labeled with
211 the following file types. The paths listed are the default paths for
212 these file types. Note the processes UID still need to have DAC per‐
213 missions.
214
215 file_type
216
217 all files on the system
218
219
221 SELinux requires files to have an extended attribute to define the file
222 type.
223
224 You can see the context of a file using the -Z option to ls
225
226 Policy governs the access confined processes have to these files.
227 SELinux cinder_volume policy is very flexible allowing users to setup
228 their cinder_volume processes in as secure a method as possible.
229
230 STANDARD FILE CONTEXT
231
232 SELinux defines the file context types for the cinder_volume, if you
233 wanted to store files with these types in a diffent paths, you need to
234 execute the semanage command to sepecify alternate labeling and then
235 use restorecon to put the labels on disk.
236
237 semanage fcontext -a -t cinder_volume_unit_file_t '/srv/mycinder_vol‐
238 ume_content(/.*)?'
239 restorecon -R -v /srv/mycinder_volume_content
240
241 Note: SELinux often uses regular expressions to specify labels that
242 match multiple files.
243
244 The following file types are defined for cinder_volume:
245
246
247
248 cinder_volume_exec_t
249
250 - Set files with the cinder_volume_exec_t type, if you want to transi‐
251 tion an executable to the cinder_volume_t domain.
252
253
254
255 cinder_volume_tmp_t
256
257 - Set files with the cinder_volume_tmp_t type, if you want to store
258 cinder volume temporary files in the /tmp directories.
259
260
261
262 cinder_volume_unit_file_t
263
264 - Set files with the cinder_volume_unit_file_t type, if you want to
265 treat the files as cinder volume unit content.
266
267
268
269 Note: File context can be temporarily modified with the chcon command.
270 If you want to permanently change the file context you need to use the
271 semanage fcontext command. This will modify the SELinux labeling data‐
272 base. You will need to use restorecon to apply the labels.
273
274
276 semanage fcontext can also be used to manipulate default file context
277 mappings.
278
279 semanage permissive can also be used to manipulate whether or not a
280 process type is permissive.
281
282 semanage module can also be used to enable/disable/install/remove pol‐
283 icy modules.
284
285 semanage boolean can also be used to manipulate the booleans
286
287
288 system-config-selinux is a GUI tool available to customize SELinux pol‐
289 icy settings.
290
291
293 This manual page was auto-generated using sepolicy manpage .
294
295
297 selinux(8), cinder_volume(8), semanage(8), restorecon(8), chcon(1),
298 sepolicy(8) , setsebool(8)
299
300
301
302cinder_volume 19-04-25 cinder_volume_selinux(8)