1ricci_selinux(8) SELinux Policy ricci ricci_selinux(8)
2
6 ricci_selinux - Security Enhanced Linux Policy for the ricci processes
7
9 Security-Enhanced Linux secures the ricci processes via flexible manda‐
10 tory access control.
11 The ricci processes execute with the ricci_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep ricci_t
19
23 The ricci_t SELinux type can be entered via the ricci_exec_t, usr_t,
24 bin_t file types.
25 The default entrypoint paths for the ricci_t domain are the following:
27 All executeables with the default executable label, usually stored in
29 /usr/bin and /usr/sbin. /usr/sbin/ricci, /usr/.*, /opt/.*, /emul/.*,
30 /ostree(/.*)?, /export(/.*)?, /usr/doc(/.*)?/lib(/.*)?,
31 /usr/inclu.e(/.*)?, /usr/share/doc(/.*)?/README.*, /usr, /opt, /emul
32
34 SELinux defines process types (domains) for each process running on the
35 system
36 You can see the context of a process using the -Z option to ps
38 Policy governs the access confined processes have to files. SELinux
40 ricci policy is very flexible allowing users to setup their ricci pro‐
41 cesses in as secure a method as possible.
42 The following process types are defined for ricci:
44 ricci_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_modlog_t, ricci_modrpm_t, ricci_modservice_t, ricci_modstorage_t
46 Note: semanage permissive -a ricci_t can be used to make the process
48 type ricci_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
54 SELinux policy is customizable based on least access required. ricci
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run ricci with the tightest access possible.
57 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63 setsebool -P authlogin_nsswitch_use_ldap 1
65 If you want to allow all daemons to write corefiles to /, you must turn
69 on the daemons_dump_core boolean. Disabled by default.
70 setsebool -P daemons_dump_core 1
72 If you want to enable cluster mode for daemons, you must turn on the
76 daemons_enable_cluster_mode boolean. Enabled by default.
77 setsebool -P daemons_enable_cluster_mode 1
79 If you want to allow all daemons to use tcp wrappers, you must turn on
83 the daemons_use_tcp_wrapper boolean. Disabled by default.
84 setsebool -P daemons_use_tcp_wrapper 1
86 If you want to allow all daemons the ability to read/write terminals,
90 you must turn on the daemons_use_tty boolean. Disabled by default.
91 setsebool -P daemons_use_tty 1
93 If you want to deny any process from ptracing or debugging any other
97 processes, you must turn on the deny_ptrace boolean. Enabled by
98 default.
99 setsebool -P deny_ptrace 1
101 If you want to allow any process to mmap any file on system with
105 attribute file_type, you must turn on the domain_can_mmap_files bool‐
106 ean. Enabled by default.
107 setsebool -P domain_can_mmap_files 1
109 If you want to allow all domains write to kmsg_device, while kernel is
113 executed with systemd.log_target=kmsg parameter, you must turn on the
114 domain_can_write_kmsg boolean. Disabled by default.
115 setsebool -P domain_can_write_kmsg 1
117 If you want to allow all domains to use other domains file descriptors,
121 you must turn on the domain_fd_use boolean. Enabled by default.
122 setsebool -P domain_fd_use 1
124 If you want to allow all domains to have the kernel load modules, you
128 must turn on the domain_kernel_load_modules boolean. Disabled by
129 default.
130 setsebool -P domain_kernel_load_modules 1
132 If you want to allow all domains to execute in fips_mode, you must turn
136 on the fips_mode boolean. Enabled by default.
137 setsebool -P fips_mode 1
139 If you want to enable reading of urandom for all domains, you must turn
143 on the global_ssp boolean. Disabled by default.
144 setsebool -P global_ssp 1
146 If you want to allow confined applications to run with kerberos, you
150 must turn on the kerberos_enabled boolean. Enabled by default.
151 setsebool -P kerberos_enabled 1
153 If you want to allow system to run with NIS, you must turn on the
157 nis_enabled boolean. Disabled by default.
158 setsebool -P nis_enabled 1
160 If you want to allow confined applications to use nscd shared memory,
164 you must turn on the nscd_use_shm boolean. Disabled by default.
165 setsebool -P nscd_use_shm 1
167
171 SELinux defines port types to represent TCP and UDP ports.
172 You can see the types associated with a port by using the following
174 command:
175 semanage port -l
177 Policy governs the access confined processes have to these ports.
180 SELinux ricci policy is very flexible allowing users to setup their
181 ricci processes in as secure a method as possible.
182 The following port types are defined for ricci:
184 ricci_modcluster_port_t
187 Default Defined Ports:
191 tcp 16851
192 udp 16851
193 ricci_port_t
196 Default Defined Ports:
200 tcp 11111
201 udp 11111
202
204 The SELinux process type ricci_t can manage files labeled with the fol‐
205 lowing file types. The paths listed are the default paths for these
206 file types. Note the processes UID still need to have DAC permissions.
207 cluster_conf_t
209 /etc/cluster(/.*)?
211 cluster_var_lib_t
213 /var/lib/pcsd(/.*)?
215 /var/lib/cluster(/.*)?
216 /var/lib/openais(/.*)?
217 /var/lib/pengine(/.*)?
218 /var/lib/corosync(/.*)?
219 /usr/lib/heartbeat(/.*)?
220 /var/lib/heartbeat(/.*)?
221 /var/lib/pacemaker(/.*)?
222 cluster_var_run_t
224 /var/run/crm(/.*)?
226 /var/run/cman_.*
227 /var/run/rsctmp(/.*)?
228 /var/run/aisexec.*
229 /var/run/heartbeat(/.*)?
230 /var/run/corosync-qnetd(/.*)?
231 /var/run/corosync-qdevice(/.*)?
232 /var/run/cpglockd.pid
233 /var/run/corosync.pid
234 /var/run/rgmanager.pid
235 /var/run/cluster/rgmanager.sk
236 etc_runtime_t
238 /[^/]+
240 /etc/mtab.*
241 /etc/blkid(/.*)?
242 /etc/nologin.*
243 /etc/.fstab.hal..+
244 /halt
245 /fastboot
246 /poweroff
247 /etc/cmtab
248 /forcefsck
249 /.autofsck
250 /.suspended
251 /fsckoptions
252 /var/.updated
253 /etc/.updated
254 /.autorelabel
255 /etc/securetty
256 /etc/nohotplug
257 /etc/killpower
258 /etc/ioctl.save
259 /etc/fstab.REVOKE
260 /etc/network/ifstate
261 /etc/sysconfig/hwconf
262 /etc/ptal/ptal-printd-like
263 /etc/sysconfig/iptables.save
264 /etc/xorg.conf.d/00-system-setup-keyboard.conf
265 /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
266 faillog_t
268 /var/log/btmp.*
270 /var/log/faillog.*
271 /var/log/tallylog.*
272 /var/run/faillock(/.*)?
273 ricci_tmp_t
275 ricci_var_lib_t
278 /var/lib/ricci(/.*)?
280 ricci_var_run_t
282 /var/run/ricci.pid
284 root_t
286 /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
288 /
289 /initrd
290 systemd_passwd_var_run_t
292 /var/run/systemd/ask-password(/.*)?
294 /var/run/systemd/ask-password-block(/.*)?
295
298 SELinux requires files to have an extended attribute to define the file
299 type.
300 You can see the context of a file using the -Z option to ls
302 Policy governs the access confined processes have to these files.
304 SELinux ricci policy is very flexible allowing users to setup their
305 ricci processes in as secure a method as possible.
306 STANDARD FILE CONTEXT
308 SELinux defines the file context types for the ricci, if you wanted to
310 store files with these types in a diffent paths, you need to execute
311 the semanage command to sepecify alternate labeling and then use
312 restorecon to put the labels on disk.
313 semanage fcontext -a -t ricci_var_run_t '/srv/myricci_content(/.*)?'
315 restorecon -R -v /srv/myricci_content
316 Note: SELinux often uses regular expressions to specify labels that
318 match multiple files.
319 The following file types are defined for ricci:
321 ricci_exec_t
325 - Set files with the ricci_exec_t type, if you want to transition an
327 executable to the ricci_t domain.
328 ricci_initrc_exec_t
332 - Set files with the ricci_initrc_exec_t type, if you want to transi‐
334 tion an executable to the ricci_initrc_t domain.
335 ricci_modcluster_exec_t
339 - Set files with the ricci_modcluster_exec_t type, if you want to tran‐
341 sition an executable to the ricci_modcluster_t domain.
342 ricci_modcluster_var_lib_t
346 - Set files with the ricci_modcluster_var_lib_t type, if you want to
348 store the ricci modcluster files under the /var/lib directory.
349 ricci_modcluster_var_log_t
353 - Set files with the ricci_modcluster_var_log_t type, if you want to
355 treat the data as ricci modcluster var log data, usually stored under
356 the /var/log directory.
357 ricci_modcluster_var_run_t
361 - Set files with the ricci_modcluster_var_run_t type, if you want to
363 store the ricci modcluster files under the /run or /var/run directory.
364 Paths:
367 /var/run/clumond.sock, /var/run/modclusterd.pid
368 ricci_modclusterd_exec_t
371 - Set files with the ricci_modclusterd_exec_t type, if you want to
373 transition an executable to the ricci_modclusterd_t domain.
374 ricci_modclusterd_tmpfs_t
378 - Set files with the ricci_modclusterd_tmpfs_t type, if you want to
380 store ricci modclusterd files on a tmpfs file system.
381 ricci_modlog_exec_t
385 - Set files with the ricci_modlog_exec_t type, if you want to transi‐
387 tion an executable to the ricci_modlog_t domain.
388 ricci_modrpm_exec_t
392 - Set files with the ricci_modrpm_exec_t type, if you want to transi‐
394 tion an executable to the ricci_modrpm_t domain.
395 ricci_modservice_exec_t
399 - Set files with the ricci_modservice_exec_t type, if you want to tran‐
401 sition an executable to the ricci_modservice_t domain.
402 ricci_modstorage_exec_t
406 - Set files with the ricci_modstorage_exec_t type, if you want to tran‐
408 sition an executable to the ricci_modstorage_t domain.
409 ricci_modstorage_lock_t
413 - Set files with the ricci_modstorage_lock_t type, if you want to treat
415 the files as ricci modstorage lock data, stored under the /var/lock
416 directory
417 ricci_tmp_t
421 - Set files with the ricci_tmp_t type, if you want to store ricci tem‐
423 porary files in the /tmp directories.
424 ricci_var_lib_t
428 - Set files with the ricci_var_lib_t type, if you want to store the
430 ricci files under the /var/lib directory.
431 ricci_var_log_t
435 - Set files with the ricci_var_log_t type, if you want to treat the
437 data as ricci var log data, usually stored under the /var/log direc‐
438 tory.
439 ricci_var_run_t
443 - Set files with the ricci_var_run_t type, if you want to store the
445 ricci files under the /run or /var/run directory.
446 Note: File context can be temporarily modified with the chcon command.
450 If you want to permanently change the file context you need to use the
451 semanage fcontext command. This will modify the SELinux labeling data‐
452 base. You will need to use restorecon to apply the labels.
453
456 semanage fcontext can also be used to manipulate default file context
457 mappings.
458 semanage permissive can also be used to manipulate whether or not a
460 process type is permissive.
461 semanage module can also be used to enable/disable/install/remove pol‐
463 icy modules.
464 semanage port can also be used to manipulate the port definitions
466 semanage boolean can also be used to manipulate the booleans
468 system-config-selinux is a GUI tool available to customize SELinux pol‐
471 icy settings.
472
475 This manual page was auto-generated using sepolicy manpage .
476
479 selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
480 , setsebool(8), ricci_modcluster_selinux(8), ricci_modclus‐
481 ter_selinux(8), ricci_modclusterd_selinux(8), ricci_modclus‐
482 terd_selinux(8), ricci_modlog_selinux(8), ricci_modlog_selinux(8),
483 ricci_modrpm_selinux(8), ricci_modrpm_selinux(8), ricci_modser‐
484 vice_selinux(8), ricci_modservice_selinux(8), ricci_modstor‐
485 age_selinux(8), ricci_modstorage_selinux(8)
486ricci 19-04-25 ricci_selinux(8)