glusterd_selinux(8)         SELinux Policy glusterd        glusterd_selinux(8)


NAME

       glusterd_selinux - Security Enhanced Linux Policy for the glusterd processes


DESCRIPTION

       Security-Enhanced Linux secures the glusterd processes via flexible
       mandatory access control.

       The glusterd processes execute with the glusterd_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep glusterd_t


ENTRYPOINTS

       The glusterd_t SELinux type can be entered via the glusterd_exec_t file
       type.

       The default entrypoint paths for the glusterd_t domain are the following:

       /opt/glusterfs/[^/]+/sbin/glusterfsd,
       /usr/libexec/glusterfs/peer_eventsapi.py,
       /usr/libexec/glusterfs/events/glustereventsd.py,
       /usr/sbin/glusterfsd, /usr/sbin/glustereventsd,
       /usr/sbin/gluster-eventsapi


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       glusterd policy is very flexible, allowing users to set up their glusterd
       processes in as secure a manner as possible.

       The following process types are defined for glusterd:

       glusterd_t

       Note: semanage permissive -a glusterd_t can be used to make the process
       type glusterd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still generated.

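       The ps -eZ check above only tells you which processes carry the
       glusterd_t type; the operational question is whether any gluster binary
       is running outside that domain (for example started by hand from an
       unconfined shell, or from an init script that never transitioned), in
       which case the glusterd policy and its booleans do not apply to it at
       all. The following shell function is an added example, not part of this
       manual page or of the glusterd project, that reads ps -eZ style lines
       and reports every process whose command name starts with "gluster" but
       whose SELinux type is not glusterd_t. The SAMPLE_PS text is constructed
       for the example, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (not captured from a real system).
# Field 1 is the SELinux context user:role:type:level, the last field is the command.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:glusterd_t:s0    1201 ?        00:00:03 glusterd
system_u:system_r:glusterd_t:s0    1240 ?        00:01:12 glusterfsd
system_u:system_r:init_t:s0        1301 ?        00:00:00 glustereventsd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 glusterfsd'

# Print "PID COMMAND TYPE" for every gluster process not running as glusterd_t.
# Reads `ps -eZ` output on stdin; the header line (NR == 1) is skipped.
find_unconfined_gluster() {
    awk 'NR > 1 && $NF ~ /^gluster/ {
            split($1, ctx, ":")            # ctx[3] is the SELinux type
            if (ctx[3] != "glusterd_t") print $2, $NF, ctx[3]
         }'
}

# Stand-alone run against the constructed sample. On a live host use:
#   ps -eZ | find_unconfined_gluster
printf '%s\n' "$SAMPLE_PS" | find_unconfined_gluster
```

       On the sample this reports the glustereventsd running as init_t and the
       hand-started glusterfsd running as unconfined_t; restarting those through
       the labeled entrypoints listed above is what puts them back under the
       glusterd_t policy.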

BOOLEANS

       SELinux policy is customizable based on least access required. glusterd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run glusterd with the tightest access possible.

       If you want to allow glusterfsd to share any file/directory read only,
       you must turn on the gluster_export_all_ro boolean. Disabled by default.

       setsebool -P gluster_export_all_ro 1

       If you want to allow glusterfsd to share any file/directory read/write,
       you must turn on the gluster_export_all_rw boolean. Enabled by default.

       setsebool -P gluster_export_all_rw 1

       If you want to allow the glusterd_t domain to use executable memory, you
       must turn on the gluster_use_execmem boolean. Disabled by default.

       setsebool -P gluster_use_execmem 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files boolean.
       Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the kernel
       is executed with the systemd.log_target=kmsg parameter, you must turn on
       the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the domain_fd_use boolean. Enabled by default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

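       Every boolean above is a "turn it on" instruction, but least access
       means deciding which ones should be off, and then noticing when a host
       drifts from that decision (gluster_export_all_rw, for instance, is on by
       default and lets glusterfsd export any file read/write, which a server
       that only needs read-only exports does not require). The following shell
       function is an added example, not part of this manual page or of the
       glusterd project: it compares getsebool -a style output against a
       baseline you define and prints the setsebool -P command for every
       boolean that deviates. Both SAMPLE_BOOLS and the BASELINE are
       constructed for the example; the baseline expresses one assumed
       read-only-export policy, not a recommendation taken from the page.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output, limited to booleans this page lists.
SAMPLE_BOOLS='gluster_anon_write --> off
gluster_export_all_ro --> off
gluster_export_all_rw --> on
gluster_use_execmem --> on
deny_ptrace --> off
domain_can_mmap_files --> on'

# Assumed least-access baseline for a read-only export server (one "name state"
# per line). Booleans not named here are left alone.
BASELINE='gluster_export_all_ro on
gluster_export_all_rw off
gluster_use_execmem off
gluster_anon_write off
deny_ptrace on'

# Print a `setsebool -P` command for each boolean whose current state differs
# from the baseline. Current state (getsebool -a format) on stdin, baseline in $1.
boolean_drift() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] {
            printf "setsebool -P %s %d\n", $1, (want[$1] == "on") ? 1 : 0
        }'
}

# Stand-alone run against the constructed sample. On a live host use:
#   getsebool -a | boolean_drift "$BASELINE"
printf '%s\n' "$SAMPLE_BOOLS" | boolean_drift "$BASELINE"
```

       The function only emits commands; review them before running, since
       turning gluster_export_all_rw off on a host that actually serves
       read/write volumes will produce AVC denials for brick writes.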

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux glusterd policy is very flexible, allowing users to set up their
       glusterd processes in as secure a manner as possible.

       The following port types are defined for glusterd:

       gluster_port_t

       Default Defined Ports:
                 tcp 38465-38469,24007-24027
                 udp 24007-24027

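       A brick that listens outside the gluster_port_t ranges above (for
       example a volume configured on a port past 24027) is denied the bind by
       policy, and the fix is semanage port -a -t gluster_port_t -p tcp PORT,
       not a permissive domain. The following shell function is an added
       example, not part of this manual page or of the glusterd project, that
       answers "which port type covers this proto/port" from semanage port -l
       style output, including the comma-separated range syntax that command
       prints. SAMPLE_PORTS is constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (header plus three entries).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
gluster_port_t                 tcp      38465-38469, 24007-24027
gluster_port_t                 udp      24007-24027
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Print the port type whose definition covers protocol $1 and port $2, or
# "unlabeled" if no entry matches. Reads `semanage port -l` output on stdin.
# Each entry lists single ports and lo-hi ranges separated by ", ".
port_type_for() {
    awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                spec = $i
                sub(/,$/, "", spec)                       # drop trailing comma
                if (split(spec, r, "-") == 2) { lo = r[1]; hi = r[2] }
                else                          { lo = spec; hi = spec }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    print $1; found = 1; exit        # exit still runs END
                }
            }
        }
        END { if (!found) print "unlabeled" }'
}

# Stand-alone run against the constructed sample. On a live host use:
#   semanage port -l | port_type_for tcp 24010
printf '%s\n' "$SAMPLE_PORTS" | port_type_for tcp 24010
printf '%s\n' "$SAMPLE_PORTS" | port_type_for tcp 38470
```

       The two stand-alone calls print gluster_port_t and unlabeled
       respectively; an unlabeled result for a port glusterfsd is configured to
       use is the usual explanation for a name_bind denial in the audit log.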

MANAGED FILES

       The SELinux process type glusterd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       non_security_file_type

       noxattrfs

            all files on file systems which do not support extended attributes

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux glusterd policy is very flexible, allowing users to set up their
       glusterd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       glusterd policy stores data with multiple different file context types
       under the /var/run/gluster directory. If you would like to store the
       data in a different directory you can use the semanage command to create
       an equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/run/gluster /srv/gluster
       restorecon -R -v /srv/gluster

       STANDARD FILE CONTEXT

       SELinux defines the file context types for glusterd. If you wanted to
       store files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t glusterd_var_run_t '/srv/myglusterd_content(/.*)?'
       restorecon -R -v /srv/myglusterd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for glusterd:

       glusterd_brick_t

       - Set files with the glusterd_brick_t type, if you want to treat the
       files as glusterd brick data.

       glusterd_conf_t

       - Set files with the glusterd_conf_t type, if you want to treat the
       files as glusterd configuration data, usually stored under the /etc
       directory.

       Paths:
            /etc/glusterd(/.*)?, /etc/glusterfs(/.*)?

       glusterd_exec_t

       - Set files with the glusterd_exec_t type, if you want to transition an
       executable to the glusterd_t domain.

       Paths:
            /opt/glusterfs/[^/]+/sbin/glusterfsd,
            /usr/libexec/glusterfs/peer_eventsapi.py,
            /usr/libexec/glusterfs/events/glustereventsd.py,
            /usr/sbin/glusterfsd, /usr/sbin/glustereventsd,
            /usr/sbin/gluster-eventsapi

       glusterd_initrc_exec_t

       - Set files with the glusterd_initrc_exec_t type, if you want to
       transition an executable to the glusterd_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd

       glusterd_log_t

       - Set files with the glusterd_log_t type, if you want to treat the data
       as glusterd log data, usually stored under the /var/log directory.

       glusterd_tmp_t

       - Set files with the glusterd_tmp_t type, if you want to store glusterd
       temporary files in the /tmp directories.

       glusterd_tmpfs_t

       - Set files with the glusterd_tmpfs_t type, if you want to store
       glusterd files on a tmpfs file system.

       glusterd_var_lib_t

       - Set files with the glusterd_var_lib_t type, if you want to store the
       glusterd files under the /var/lib directory.

       glusterd_var_run_t

       - Set files with the glusterd_var_run_t type, if you want to store the
       glusterd files under the /run or /var/run directory.

       Paths:
            /var/run/gluster(/.*)?, /var/run/glusterd.*, /var/run/glusterd(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean.

       Allow glusterd servers to read the /var/glusterd directory by adding
       the public_content_t file type to the directory and by restoring the
       file type.

       semanage fcontext -a -t public_content_t "/var/glusterd(/.*)?"
       restorecon -F -R -v /var/glusterd

       Allow glusterd servers to read and write /var/glusterd/incoming by
       adding the public_content_rw_t type to the directory and by restoring
       the file type. You also need to turn on the gluster_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/glusterd/incoming(/.*)?"
       restorecon -F -R -v /var/glusterd/incoming
       setsebool -P gluster_anon_write 1

       If you want to allow glusterfsd to modify public files used for public
       file transfer services (files/directories must be labeled
       public_content_rw_t), you must turn on the gluster_anon_write boolean.

       setsebool -P gluster_anon_write 1

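       The FILE CONTEXTS and SHARING FILES sections both come down to the same
       loop: compare the type a path carries on disk (ls -Z) with the type the
       fcontext rule for that path says it should carry, and, where they
       differ, add the rule with semanage fcontext and relabel with restorecon.
       The following shell function is an added example, not part of this
       manual page or of the glusterd project, that runs that comparison over
       ls -dZ style output and prints the fix commands, adding the
       gluster_anon_write boolean whenever the expected type is
       public_content_rw_t. SAMPLE_LS and EXPECTED are constructed for the
       example; the /srv/bricks brick location is an assumption, not a path
       from the page. Like file_contexts, the last matching rule in EXPECTED
       wins, so more specific rules go after more general ones.

```shell
#!/bin/sh
# Constructed sample of `ls -dZ` output: "context path", one entry per line.
SAMPLE_LS='system_u:object_r:glusterd_brick_t:s0 /srv/bricks/vol0
unconfined_u:object_r:var_t:s0 /srv/bricks/vol1
system_u:object_r:public_content_t:s0 /var/glusterd
unconfined_u:object_r:var_t:s0 /var/glusterd/incoming'

# Assumed labeling rules (fcontext regex and the type it should carry), in the
# order file_contexts would apply them: later, more specific rules win.
EXPECTED='/srv/bricks(/.*)? glusterd_brick_t
/var/glusterd(/.*)? public_content_t
/var/glusterd/incoming(/.*)? public_content_rw_t'

# For each path whose on-disk type differs from the expected type, print the
# semanage fcontext / restorecon commands that fix it persistently, plus the
# gluster_anon_write boolean when the target type is public_content_rw_t.
# ls -dZ lines on stdin, rules in $1.
label_fixes() {
    awk -v expected="$1" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); re[i] = kv[1]; ty[i] = kv[2] }
        }
        {
            path = $2; split($1, ctx, ":"); want = ""      # ctx[3] is the file type
            for (i = 1; i <= n; i++)
                if (path ~ ("^" re[i] "$")) { want = ty[i]; want_re = re[i] }
            if (want != "" && ctx[3] != want) {
                printf "semanage fcontext -a -t %s \"%s\"\n", want, want_re
                printf "restorecon -F -R -v %s\n", path
                if (want == "public_content_rw_t") print "setsebool -P gluster_anon_write 1"
            }
        }'
}

# Stand-alone run against the constructed sample. On a live host use:
#   ls -dZ /srv/bricks/* /var/glusterd /var/glusterd/incoming | label_fixes "$EXPECTED"
printf '%s\n' "$SAMPLE_LS" | label_fixes "$EXPECTED"
```

       On the sample only /srv/bricks/vol1 (still var_t) and
       /var/glusterd/incoming (var_t instead of public_content_rw_t) produce
       commands. semanage fcontext -a refuses a rule that already exists; use
       -m in that case and still run restorecon, since the database change
       alone does not touch the labels on disk.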

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



glusterd                           19-04-25                glusterd_selinux(8)