dirsrv_selinux(8)              SELinux Policy dirsrv              dirsrv_selinux(8)



NAME

dirsrv_selinux - Security Enhanced Linux Policy for the dirsrv processes

DESCRIPTION

Security-Enhanced Linux secures the dirsrv processes via flexible
mandatory access control.

The dirsrv processes execute with the dirsrv_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.

For example:

ps -eZ | grep dirsrv_t


ENTRYPOINTS

The dirsrv_t SELinux type can be entered via the dirsrv_exec_t file
type.

The default entrypoint paths for the dirsrv_t domain are the following:

/usr/sbin/ns-slapd

PROCESS TYPES

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
dirsrv policy is very flexible, allowing users to set up their dirsrv
processes in as secure a method as possible.

The following process types are defined for dirsrv:

dirsrv_t, dirsrv_snmp_t, dirsrvadmin_t, dirsrvadmin_unconfined_script_t, dirsrvadmin_script_t

Note: semanage permissive -a dirsrv_t can be used to make the process
type dirsrv_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.
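The AVC records mentioned in the note above are what a defender works from while a domain is permissive: every access the policy would have blocked is still logged, and nothing else tells you it went through. The following is an added example (not part of this manual page or of the dirsrv or sepolicy projects) that groups audit.log denials for one source domain by source type, target type and object class, and flags the groups that were actually let through because the domain was permissive. The audit lines are constructed samples with made-up pids, inodes and paths; the field layout (avc: denied { perms } ... scontext= tcontext= tclass= permissive=) is the standard kernel AVC record format.

```python
import re

# Constructed sample of audit.log records (timestamps, pids, inodes and paths are made up).
# The first three are denials recorded against dirsrv_t; the last two are noise the
# triage must ignore (a different source domain, and a non-AVC record).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1700000001.101:201): avc:  denied  { write } for  pid=1201 '
    'comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file permissive=1',
    'type=AVC msg=audit(1700000002.102:202): avc:  denied  { write open } for  pid=1201 '
    'comm="ns-slapd" path="/etc/custom/schema.ldif" dev="dm-0" ino=4243 '
    'scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file permissive=1',
    'type=AVC msg=audit(1700000003.103:203): avc:  denied  { add_name } for  pid=1201 '
    'comm="ns-slapd" name="ldif-export" '
    'scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 '
    'tclass=dir permissive=0',
    'type=AVC msg=audit(1700000004.104:204): avc:  denied  { name_connect } for  pid=1300 '
    'comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1700000001.101:201): arch=c000003e syscall=257 success=yes exit=3',
]

AVC_DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


def _field(line, name, quoted=False):
    """Pull one key=value field out of an audit record (None if absent)."""
    pat = rf'\b{name}="([^"]*)"' if quoted else rf'\b{name}=(\S+)'
    m = re.search(pat, line)
    return m.group(1) if m else None


def _type_of(context):
    """system_u:system_r:dirsrv_t:s0 -> dirsrv_t (the type is always the third field)."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for anything else."""
    m = AVC_DENIED.search(line)
    if not m:
        return None
    scontext, tcontext = _field(line, 'scontext'), _field(line, 'tcontext')
    if not scontext or not tcontext:
        return None
    return {
        'perms': set(m.group(1).split()),
        'stype': _type_of(scontext),
        'ttype': _type_of(tcontext),
        'tclass': _field(line, 'tclass'),
        'comm': _field(line, 'comm', quoted=True),
        # permissive=1: the policy would have denied it, but the access went through
        'permissive': _field(line, 'permissive') == '1',
    }


def triage(lines, domain='dirsrv_t'):
    """Group denials for one source domain by (source type, target type, class)."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['stype'] != domain:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        g = groups.setdefault(key, {'perms': set(), 'count': 0, 'permissive': False, 'comms': set()})
        g['perms'] |= rec['perms']
        g['count'] += 1
        g['permissive'] = g['permissive'] or rec['permissive']
        g['comms'].add(rec['comm'])
    # freeze the sets into sorted lists so the result is stable and printable
    return {k: {'perms': sorted(v['perms']), 'count': v['count'],
                'permissive': v['permissive'], 'comms': sorted(c for c in v['comms'] if c)}
            for k, v in groups.items()}


def report(groups):
    """One line per group; marks groups whose accesses succeeded under a permissive domain."""
    lines = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        tag = 'ALLOWED (permissive)' if g['permissive'] else 'blocked'
        lines.append(f"{stype} -> {ttype} {tclass} {{ {' '.join(g['perms'])} }} x{g['count']} [{tag}]")
    return lines


if __name__ == '__main__':
    for line in report(triage(SAMPLE_AUDIT_LINES)):
        print(line)
```

On a real host the input would be the AVC lines from /var/log/audit/audit.log; the groups marked ALLOWED (permissive) are the accesses that will start failing the moment the permissive setting is removed, which is the list to review before doing so.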


BOOLEANS

SELinux policy is customizable based on least access required. dirsrv
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run dirsrv with the tightest access possible.



If you want to allow users to resolve user passwd entries directly from
ldap rather than using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1



If you want to allow all daemons to write corefiles to /, you must turn
on the daemons_dump_core boolean. Disabled by default.

setsebool -P daemons_dump_core 1



If you want to enable cluster mode for daemons, you must turn on the
daemons_enable_cluster_mode boolean. Enabled by default.

setsebool -P daemons_enable_cluster_mode 1



If you want to allow all daemons to use tcp wrappers, you must turn on
the daemons_use_tcp_wrapper boolean. Disabled by default.

setsebool -P daemons_use_tcp_wrapper 1



If you want to allow all daemons the ability to read/write terminals,
you must turn on the daemons_use_tty boolean. Disabled by default.

setsebool -P daemons_use_tty 1



If you want to deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean. Enabled by
default.

setsebool -P deny_ptrace 1



If you want to allow any process to mmap any file on system with
attribute file_type, you must turn on the domain_can_mmap_files
boolean. Enabled by default.

setsebool -P domain_can_mmap_files 1



If you want to allow all domains to write to kmsg_device while the kernel
is booted with the systemd.log_target=kmsg parameter, you must turn on
the domain_can_write_kmsg boolean. Disabled by default.

setsebool -P domain_can_write_kmsg 1



If you want to allow all domains to use other domains' file descriptors,
you must turn on the domain_fd_use boolean. Enabled by default.

setsebool -P domain_fd_use 1



If you want to allow all domains to have the kernel load modules, you
must turn on the domain_kernel_load_modules boolean. Disabled by
default.

setsebool -P domain_kernel_load_modules 1



If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1



If you want to enable reading of urandom for all domains, you must turn
on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1



If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1



If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1



If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1
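The defaults stated for each boolean above give a baseline to compare a live system against, since most of them are system-wide and a single setsebool by another administrator loosens every confined daemon at once. The following is an added example (not from this manual page or from sepolicy): it parses getsebool -a output, reports every documented boolean that deviates from its documented default, marks which deviations widen what confined domains may do, and emits the setsebool -P lines that restore the default. The getsebool output is a constructed sample; the default table is transcribed from the descriptions above; the widens-access classification is my reading of those descriptions (every listed boolean grants access when on, except deny_ptrace, which removes it) and is an assumption of this example.

```python
import re

# Documented defaults, transcribed from the boolean descriptions in this manual page.
DOCUMENTED_DEFAULTS = {
    'authlogin_nsswitch_use_ldap': 'off',
    'daemons_dump_core': 'off',
    'daemons_enable_cluster_mode': 'on',
    'daemons_use_tcp_wrapper': 'off',
    'daemons_use_tty': 'off',
    'deny_ptrace': 'on',
    'domain_can_mmap_files': 'on',
    'domain_can_write_kmsg': 'off',
    'domain_fd_use': 'on',
    'domain_kernel_load_modules': 'off',
    'fips_mode': 'on',
    'global_ssp': 'off',
    'kerberos_enabled': 'on',
    'nis_enabled': 'off',
    'nscd_use_shm': 'off',
}

# Assumption from the descriptions above: every boolean grants extra access when "on",
# except deny_ptrace, which removes access when "on" ("deny ... ptracing").
RESTRICTIVE_WHEN_ON = {'deny_ptrace'}

# Constructed sample of `getsebool -a` output; nscd_use_shm is deliberately absent
# to show how a documented boolean unknown to the running policy is reported.
SAMPLE_GETSEBOOL = """\
authlogin_nsswitch_use_ldap --> on
daemons_dump_core --> on
daemons_enable_cluster_mode --> on
daemons_use_tcp_wrapper --> off
daemons_use_tty --> off
deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> off
fips_mode --> off
global_ssp --> off
httpd_can_network_connect --> off
kerberos_enabled --> on
nis_enabled --> off
"""

GETSEBOOL_LINE = re.compile(r'^\s*(\S+)\s+-->\s+(on|off)\s*$')


def parse_getsebool(text):
    """Map boolean name -> 'on'/'off' from `getsebool -a` style output."""
    state = {}
    for line in text.splitlines():
        m = GETSEBOOL_LINE.match(line)
        if m:
            state[m.group(1)] = m.group(2)
    return state


def audit_booleans(text):
    """Compare live boolean state against the documented defaults.

    Returns (findings, missing): findings lists deviations, each marked with
    whether it widens what confined processes may do; missing lists documented
    booleans the running policy does not define.
    """
    state = parse_getsebool(text)
    findings, missing = [], []
    for name, default in DOCUMENTED_DEFAULTS.items():
        if name not in state:
            missing.append(name)
            continue
        current = state[name]
        if current == default:
            continue
        widens = (current == 'on') != (name in RESTRICTIVE_WHEN_ON)
        findings.append({'boolean': name, 'current': current,
                         'default': default, 'widens_access': widens})
    return findings, sorted(missing)


def remediation(findings):
    """setsebool -P lines (the form used on this page) restoring the default of every widening deviation."""
    return [f"setsebool -P {f['boolean']} {'1' if f['default'] == 'on' else '0'}"
            for f in findings if f['widens_access']]


if __name__ == '__main__':
    found, absent = audit_booleans(SAMPLE_GETSEBOOL)
    for f in found:
        flag = 'WIDENS ACCESS' if f['widens_access'] else 'tighter than default'
        print(f"{f['boolean']}: {f['current']} (default {f['default']}) {flag}")
    for cmd in remediation(found):
        print(cmd)
    if absent:
        print('not defined by the running policy:', ', '.join(absent))
```

Deviations that tighten access (fips_mode off in the sample) are reported but not reverted automatically, because undoing them is a functional decision rather than a hardening one.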



MANAGED FILES

The SELinux process type dirsrv_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/cpglockd.pid
/var/run/corosync.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

dirsrv_config_t

/etc/dirsrv(/.*)?

dirsrv_tmp_t


dirsrv_tmpfs_t


dirsrv_var_lib_t

/var/lib/dirsrv(/.*)?

dirsrv_var_lock_t

/var/lock/dirsrv(/.*)?

dirsrv_var_log_t

/var/log/dirsrv(/.*)?

dirsrv_var_run_t

/var/run/slapd.*
/var/run/dirsrv(/.*)?

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

krb5_host_rcache_t

/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

lastlog_t

/var/log/lastlog.*

root_t

/sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
/
/initrd

security_t

/selinux

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?


FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux dirsrv policy is very flexible, allowing users to set up their
dirsrv processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES


dirsrv policy stores data with multiple different file context types
under the /var/log/dirsrv directory. If you would like to store the
data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following command:

semanage fcontext -a -e /var/log/dirsrv /srv/dirsrv
restorecon -R -v /srv/dirsrv

STANDARD FILE CONTEXT

SELinux defines the file context types for dirsrv. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t dirsrvadmin_unit_file_t '/srv/mydirsrv_content(/.*)?'
restorecon -R -v /srv/mydirsrv_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.
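The regex-based labeling just described can be checked offline against the rules this page lists. The following is an added example (not code from this manual page or from the dirsrv or sepolicy projects): a small matcher built from the path regexes on this page (the MANAGED FILES table, the entrypoint path, and the Paths: entries of the file types below) that decides which type a path should carry, then compares a constructed ls -Z style listing against it to find files that need restorecon. The "longest literal stem wins, later rule wins ties" ordering is a simplification of libselinux's own matching order and is an assumption of this example, as are the sample paths and contexts.

```python
import re

# File-context rules transcribed from this manual page as (regex, type).
# Which rule wins for a path is decided by stem length (see expected_type),
# with the later rule winning ties.
PAGE_FCONTEXT_RULES = [
    (r'/etc/dirsrv(/.*)?', 'dirsrv_config_t'),
    (r'/etc/dirsrv/dsgw(/.*)?', 'dirsrvadmin_config_t'),
    (r'/etc/dirsrv/admin-serv(/.*)?', 'dirsrvadmin_config_t'),
    (r'/var/lib/dirsrv(/.*)?', 'dirsrv_var_lib_t'),
    (r'/var/lock/dirsrv(/.*)?', 'dirsrv_var_lock_t'),
    (r'/var/log/dirsrv(/.*)?', 'dirsrv_var_log_t'),
    (r'/var/run/slapd.*', 'dirsrv_var_run_t'),
    (r'/var/run/dirsrv(/.*)?', 'dirsrv_var_run_t'),
    (r'/usr/sbin/ns-slapd', 'dirsrv_exec_t'),
    (r'/usr/sbin/ldap-agent', 'dirsrv_snmp_exec_t'),
    (r'/usr/sbin/ldap-agent-bin', 'dirsrv_snmp_exec_t'),
    (r'/usr/lib/dirsrv/cgi-bin(/.*)?', 'dirsrvadmin_script_exec_t'),
    (r'/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?', 'dirsrvadmin_script_exec_t'),
    (r'/usr/lib/dirsrv/cgi-bin/ds_create', 'dirsrvadmin_unconfined_script_exec_t'),
    (r'/usr/lib/dirsrv/cgi-bin/ds_remove', 'dirsrvadmin_unconfined_script_exec_t'),
]

_META = set('.*?+()[]{}^$|\\')


def _stem(regex):
    """Literal prefix of a rule, up to its first regex metacharacter."""
    out = []
    for ch in regex:
        if ch in _META:
            break
        out.append(ch)
    return ''.join(out)


# Compile once; keep (stem length, position in the list, compiled regex, type).
_COMPILED = [(len(_stem(rx)), i, re.compile(rx), t)
             for i, (rx, t) in enumerate(PAGE_FCONTEXT_RULES)]


def expected_type(path):
    """Type the page's rules assign to a path, or None if no rule matches.

    Simplification (an assumption, not libselinux's exact algorithm): among the
    matching rules the one with the longest literal stem wins, later rules winning ties.
    """
    best = None
    for stem_len, pos, rx, ftype in _COMPILED:
        if rx.fullmatch(path) and (best is None or (stem_len, pos) > best[:2]):
            best = (stem_len, pos, ftype)
    return best[2] if best else None


# Constructed listing in the "<context> <path>" shape that `ls -Z` prints.
SAMPLE_LISTING = """\
system_u:object_r:dirsrv_config_t:s0 /etc/dirsrv/slapd-example/dse.ldif
system_u:object_r:dirsrvadmin_config_t:s0 /etc/dirsrv/admin-serv/adm.conf
unconfined_u:object_r:admin_home_t:s0 /var/lib/dirsrv/slapd-example/db/id2entry.db
system_u:object_r:dirsrv_var_log_t:s0 /var/log/dirsrv/slapd-example/access
system_u:object_r:var_run_t:s0 /var/run/slapd-example.socket
system_u:object_r:dirsrvadmin_script_exec_t:s0 /usr/lib/dirsrv/cgi-bin/ds_create
unconfined_u:object_r:user_home_t:s0 /home/admin/notes.txt
"""


def find_mislabeled(listing):
    """(path, actual type, expected type) for every path whose label differs from the rules."""
    bad = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        context, path = line.split(None, 1)
        actual = context.split(':')[2]       # the type is always the third field
        want = expected_type(path)
        if want is not None and actual != want:
            bad.append((path, actual, want))
    return bad


def fix_commands(mislabeled):
    """restorecon invocations (the tool this page uses) that would reapply the default labels."""
    return [f'restorecon -v {path}' for path, _, _ in mislabeled]


if __name__ == '__main__':
    problems = find_mislabeled(SAMPLE_LISTING)
    for path, actual, want in problems:
        print(f'{path}: labelled {actual}, expected {want}')
    for cmd in fix_commands(problems):
        print(cmd)
```

The sample deliberately includes a database file restored with a home-directory label and a socket left with the generic var_run_t: both are silent failures under enforcing mode that show up as the AVC denials the PROCESS TYPES section describes, and a label check like this catches them before the service is started.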

The following file types are defined for dirsrv:



dirsrv_config_t

- Set files with the dirsrv_config_t type, if you want to treat the
files as dirsrv configuration data, usually stored under the /etc
directory.



dirsrv_exec_t

- Set files with the dirsrv_exec_t type, if you want to transition an
executable to the dirsrv_t domain.



dirsrv_share_t

- Set files with the dirsrv_share_t type, if you want to treat the
files as dirsrv share data.



dirsrv_snmp_exec_t

- Set files with the dirsrv_snmp_exec_t type, if you want to transition
an executable to the dirsrv_snmp_t domain.


Paths:
/usr/sbin/ldap-agent, /usr/sbin/ldap-agent-bin


dirsrv_snmp_var_log_t

- Set files with the dirsrv_snmp_var_log_t type, if you want to treat
the data as dirsrv snmp var log data, usually stored under the /var/log
directory.



dirsrv_snmp_var_run_t

- Set files with the dirsrv_snmp_var_run_t type, if you want to store
the dirsrv snmp files under the /run or /var/run directory.



dirsrv_tmp_t

- Set files with the dirsrv_tmp_t type, if you want to store dirsrv
temporary files in the /tmp directories.



dirsrv_tmpfs_t

- Set files with the dirsrv_tmpfs_t type, if you want to store dirsrv
files on a tmpfs file system.



dirsrv_var_lib_t

- Set files with the dirsrv_var_lib_t type, if you want to store the
dirsrv files under the /var/lib directory.



dirsrv_var_lock_t

- Set files with the dirsrv_var_lock_t type, if you want to treat the
files as dirsrv var lock data, stored under the /var/lock directory.



dirsrv_var_log_t

- Set files with the dirsrv_var_log_t type, if you want to treat the
data as dirsrv var log data, usually stored under the /var/log
directory.



dirsrv_var_run_t

- Set files with the dirsrv_var_run_t type, if you want to store the
dirsrv files under the /run or /var/run directory.


Paths:
/var/run/slapd.*, /var/run/dirsrv(/.*)?


dirsrvadmin_config_t

- Set files with the dirsrvadmin_config_t type, if you want to treat
the files as dirsrvadmin configuration data, usually stored under the
/etc directory.


Paths:
/etc/dirsrv/dsgw(/.*)?, /etc/dirsrv/admin-serv(/.*)?


dirsrvadmin_content_t

- Set files with the dirsrvadmin_content_t type, if you want to treat
the files as dirsrvadmin content.



dirsrvadmin_exec_t

- Set files with the dirsrvadmin_exec_t type, if you want to transition
an executable to the dirsrvadmin_t domain.


Paths:
/usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin,
/usr/sbin/restart-ds-admin


dirsrvadmin_htaccess_t

- Set files with the dirsrvadmin_htaccess_t type, if you want to treat
the file as a dirsrvadmin access file.



dirsrvadmin_lock_t

- Set files with the dirsrvadmin_lock_t type, if you want to treat the
files as dirsrvadmin lock data, stored under the /var/lock directory.



dirsrvadmin_ra_content_t

- Set files with the dirsrvadmin_ra_content_t type, if you want to
treat the files as dirsrvadmin read/append content.



dirsrvadmin_rw_content_t

- Set files with the dirsrvadmin_rw_content_t type, if you want to
treat the files as dirsrvadmin read/write content.



dirsrvadmin_script_exec_t

- Set files with the dirsrvadmin_script_exec_t type, if you want to
transition an executable to the dirsrvadmin_script_t domain.


Paths:
/usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?


dirsrvadmin_tmp_t

- Set files with the dirsrvadmin_tmp_t type, if you want to store
dirsrvadmin temporary files in the /tmp directories.



dirsrvadmin_unconfined_script_exec_t

- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you
want to transition an executable to the dirsrvadmin_unconfined_script_t
domain.


Paths:
/usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove


dirsrvadmin_unit_file_t

- Set files with the dirsrvadmin_unit_file_t type, if you want to treat
the files as dirsrvadmin unit content.


Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.


COMMANDS

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux
policy settings.


AUTHOR

This manual page was auto-generated using sepolicy manpage.


SEE ALSO

selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), dirsrv_snmp_selinux(8)



dirsrv                            19-04-25                   dirsrv_selinux(8)