1haproxy_selinux(8) SELinux Policy haproxy haproxy_selinux(8)
2
6 haproxy_selinux - Security Enhanced Linux Policy for the haproxy pro‐
7 cesses
8
10 Security-Enhanced Linux secures the haproxy processes via flexible
11 mandatory access control.
12 The haproxy processes execute with the haproxy_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep haproxy_t
20
24 The haproxy_t SELinux type can be entered via the haproxy_exec_t file
25 type.
26 The default entrypoint paths for the haproxy_t domain are the follow‐
28 ing:
29 /usr/sbin/haproxy, /usr/sbin/haproxy-systemd-wrapper
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 haproxy policy is very flexible allowing users to setup their haproxy
40 processes in as secure a method as possible.
41 The following process types are defined for haproxy:
43 haproxy_t
45 Note: semanage permissive -a haproxy_t can be used to make the process
47 type haproxy_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. haproxy
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run haproxy with the tightest access possi‐
56 ble.
57 If you want to determine whether haproxy can connect to all TCP ports,
61 you must turn on the haproxy_connect_any boolean. Disabled by default.
62 setsebool -P haproxy_connect_any 1
64 If you want to allow users to resolve user passwd entries directly from
68 ldap rather then using a sssd server, you must turn on the authlo‐
69 gin_nsswitch_use_ldap boolean. Disabled by default.
70 setsebool -P authlogin_nsswitch_use_ldap 1
72 If you want to allow cluster administrative cluster domains memcheck-
76 amd64- to use executable memory, you must turn on the clus‐
77 ter_use_execmem boolean. Disabled by default.
78 setsebool -P cluster_use_execmem 1
80 If you want to allow all daemons to write corefiles to /, you must turn
84 on the daemons_dump_core boolean. Disabled by default.
85 setsebool -P daemons_dump_core 1
87 If you want to enable cluster mode for daemons, you must turn on the
91 daemons_enable_cluster_mode boolean. Enabled by default.
92 setsebool -P daemons_enable_cluster_mode 1
94 If you want to allow all daemons to use tcp wrappers, you must turn on
98 the daemons_use_tcp_wrapper boolean. Disabled by default.
99 setsebool -P daemons_use_tcp_wrapper 1
101 If you want to allow all daemons the ability to read/write terminals,
105 you must turn on the daemons_use_tty boolean. Disabled by default.
106 setsebool -P daemons_use_tty 1
108 If you want to deny any process from ptracing or debugging any other
112 processes, you must turn on the deny_ptrace boolean. Enabled by
113 default.
114 setsebool -P deny_ptrace 1
116 If you want to allow any process to mmap any file on system with
120 attribute file_type, you must turn on the domain_can_mmap_files bool‐
121 ean. Enabled by default.
122 setsebool -P domain_can_mmap_files 1
124 If you want to allow all domains write to kmsg_device, while kernel is
128 executed with systemd.log_target=kmsg parameter, you must turn on the
129 domain_can_write_kmsg boolean. Disabled by default.
130 setsebool -P domain_can_write_kmsg 1
132 If you want to allow all domains to use other domains file descriptors,
136 you must turn on the domain_fd_use boolean. Enabled by default.
137 setsebool -P domain_fd_use 1
139 If you want to allow all domains to have the kernel load modules, you
143 must turn on the domain_kernel_load_modules boolean. Disabled by
144 default.
145 setsebool -P domain_kernel_load_modules 1
147 If you want to allow all domains to execute in fips_mode, you must turn
151 on the fips_mode boolean. Enabled by default.
152 setsebool -P fips_mode 1
154 If you want to enable reading of urandom for all domains, you must turn
158 on the global_ssp boolean. Disabled by default.
159 setsebool -P global_ssp 1
161 If you want to allow confined applications to run with kerberos, you
165 must turn on the kerberos_enabled boolean. Enabled by default.
166 setsebool -P kerberos_enabled 1
168 If you want to allow system to run with NIS, you must turn on the
172 nis_enabled boolean. Disabled by default.
173 setsebool -P nis_enabled 1
175 If you want to allow confined applications to use nscd shared memory,
179 you must turn on the nscd_use_shm boolean. Disabled by default.
180 setsebool -P nscd_use_shm 1
182
186 The SELinux process type haproxy_t can manage files labeled with the
187 following file types. The paths listed are the default paths for these
188 file types. Note the processes UID still need to have DAC permissions.
189 cluster_conf_t
191 /etc/cluster(/.*)?
193 cluster_log
195 cluster_var_lib_t
198 /var/lib/pcsd(/.*)?
200 /var/lib/cluster(/.*)?
201 /var/lib/openais(/.*)?
202 /var/lib/pengine(/.*)?
203 /var/lib/corosync(/.*)?
204 /usr/lib/heartbeat(/.*)?
205 /var/lib/heartbeat(/.*)?
206 /var/lib/pacemaker(/.*)?
207 cluster_var_run_t
209 /var/run/crm(/.*)?
211 /var/run/cman_.*
212 /var/run/rsctmp(/.*)?
213 /var/run/aisexec.*
214 /var/run/heartbeat(/.*)?
215 /var/run/corosync-qnetd(/.*)?
216 /var/run/corosync-qdevice(/.*)?
217 /var/run/cpglockd.pid
218 /var/run/corosync.pid
219 /var/run/rgmanager.pid
220 /var/run/cluster/rgmanager.sk
221 haproxy_tmpfs_t
223 haproxy_var_lib_t
226 /var/lib/haproxy(/.*)?
228 haproxy_var_run_t
230 /var/run/haproxy.stat.*
232 /var/run/haproxy.sock.*
233 /var/run/haproxy.pid
234 root_t
236 /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
238 /
239 /initrd
240
243 SELinux requires files to have an extended attribute to define the file
244 type.
245 You can see the context of a file using the -Z option to ls
247 Policy governs the access confined processes have to these files.
249 SELinux haproxy policy is very flexible allowing users to setup their
250 haproxy processes in as secure a method as possible.
251 STANDARD FILE CONTEXT
253 SELinux defines the file context types for the haproxy, if you wanted
255 to store files with these types in a diffent paths, you need to execute
256 the semanage command to sepecify alternate labeling and then use
257 restorecon to put the labels on disk.
258 semanage fcontext -a -t haproxy_var_run_t '/srv/myhaproxy_con‐
260 tent(/.*)?'
261 restorecon -R -v /srv/myhaproxy_content
262 Note: SELinux often uses regular expressions to specify labels that
264 match multiple files.
265 The following file types are defined for haproxy:
267 haproxy_exec_t
271 - Set files with the haproxy_exec_t type, if you want to transition an
273 executable to the haproxy_t domain.
274 Paths:
277 /usr/sbin/haproxy, /usr/sbin/haproxy-systemd-wrapper
278 haproxy_tmpfs_t
281 - Set files with the haproxy_tmpfs_t type, if you want to store haproxy
283 files on a tmpfs file system.
284 haproxy_unit_file_t
288 - Set files with the haproxy_unit_file_t type, if you want to treat the
290 files as haproxy unit content.
291 haproxy_var_lib_t
295 - Set files with the haproxy_var_lib_t type, if you want to store the
297 haproxy files under the /var/lib directory.
298 haproxy_var_log_t
302 - Set files with the haproxy_var_log_t type, if you want to treat the
304 data as haproxy var log data, usually stored under the /var/log direc‐
305 tory.
306 haproxy_var_run_t
310 - Set files with the haproxy_var_run_t type, if you want to store the
312 haproxy files under the /run or /var/run directory.
313 Paths:
316 /var/run/haproxy.stat.*, /var/run/haproxy.sock.*,
317 /var/run/haproxy.pid
318 Note: File context can be temporarily modified with the chcon command.
321 If you want to permanently change the file context you need to use the
322 semanage fcontext command. This will modify the SELinux labeling data‐
323 base. You will need to use restorecon to apply the labels.
324
327 semanage fcontext can also be used to manipulate default file context
328 mappings.
329 semanage permissive can also be used to manipulate whether or not a
331 process type is permissive.
332 semanage module can also be used to enable/disable/install/remove pol‐
334 icy modules.
335 semanage boolean can also be used to manipulate the booleans
337 system-config-selinux is a GUI tool available to customize SELinux pol‐
340 icy settings.
341
344 This manual page was auto-generated using sepolicy manpage .
345
348 selinux(8), haproxy(8), semanage(8), restorecon(8), chcon(1), sepol‐
349 icy(8) , setsebool(8)
350haproxy 19-04-25 haproxy_selinux(8)