cobblerd_selinux(8)

1cobblerd_selinux(8)         SELinux Policy cobblerd        cobblerd_selinux(8)
2
3
4

NAME

6       cobblerd_selinux - Security Enhanced Linux Policy for the cobblerd pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures the  cobblerd  processes  via  flexible
11       mandatory access control.
12
13       The  cobblerd  processes  execute with the cobblerd_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep cobblerd_t
20
21
22

ENTRYPOINTS

24       The cobblerd_t SELinux type can be entered via the cobblerd_exec_t file
25       type.
26
27       The default entrypoint paths for the cobblerd_t domain are the  follow‐
28       ing:
29
30       /usr/bin/cobblerd
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       cobblerd policy is very flexible allowing users to setup their cobblerd
40       processes in as secure a method as possible.
41
42       The following process types are defined for cobblerd:
43
44       cobblerd_t
45
46       Note: semanage permissive -a cobblerd_t can be used to make the process
47       type  cobblerd_t permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy  is  customizable based on least access required.  cob‐
54       blerd policy is extremely flexible and has several booleans that  allow
55       you  to manipulate the policy and run cobblerd with the tightest access
56       possible.
57
58
59
60       If you want to determine whether Cobbler can  connect  to  the  network
61       using  TCP,  you  must turn on the cobbler_can_network_connect boolean.
62       Disabled by default.
63
64       setsebool -P cobbler_can_network_connect 1
65
66
67
68       If you want to determine whether Cobbler can access cifs file  systems,
69       you must turn on the cobbler_use_cifs boolean. Disabled by default.
70
71       setsebool -P cobbler_use_cifs 1
72
73
74
75       If  you  want to determine whether Cobbler can access nfs file systems,
76       you must turn on the cobbler_use_nfs boolean. Disabled by default.
77
78       setsebool -P cobbler_use_nfs 1
79
80
81
82       If you want to allow users to resolve user passwd entries directly from
83       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
84       gin_nsswitch_use_ldap boolean. Disabled by default.
85
86       setsebool -P authlogin_nsswitch_use_ldap 1
87
88
89
90       If you want to allow all daemons to write corefiles to /, you must turn
91       on the daemons_dump_core boolean. Disabled by default.
92
93       setsebool -P daemons_dump_core 1
94
95
96
97       If  you  want  to enable cluster mode for daemons, you must turn on the
98       daemons_enable_cluster_mode boolean. Enabled by default.
99
100       setsebool -P daemons_enable_cluster_mode 1
101
102
103
104       If you want to allow all daemons to use tcp wrappers, you must turn  on
105       the daemons_use_tcp_wrapper boolean. Disabled by default.
106
107       setsebool -P daemons_use_tcp_wrapper 1
108
109
110
111       If  you  want to allow all daemons the ability to read/write terminals,
112       you must turn on the daemons_use_tty boolean. Disabled by default.
113
114       setsebool -P daemons_use_tty 1
115
116
117
118       If you want to deny any process from ptracing or  debugging  any  other
119       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
120       default.
121
122       setsebool -P deny_ptrace 1
123
124
125
126       If you want to allow any process  to  mmap  any  file  on  system  with
127       attribute  file_type,  you must turn on the domain_can_mmap_files bool‐
128       ean. Enabled by default.
129
130       setsebool -P domain_can_mmap_files 1
131
132
133
134       If you want to allow all domains write to kmsg_device, while kernel  is
135       executed  with  systemd.log_target=kmsg parameter, you must turn on the
136       domain_can_write_kmsg boolean. Disabled by default.
137
138       setsebool -P domain_can_write_kmsg 1
139
140
141
142       If you want to allow all domains to use other domains file descriptors,
143       you must turn on the domain_fd_use boolean. Enabled by default.
144
145       setsebool -P domain_fd_use 1
146
147
148
149       If  you  want to allow all domains to have the kernel load modules, you
150       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
151       default.
152
153       setsebool -P domain_kernel_load_modules 1
154
155
156
157       If you want to allow all domains to execute in fips_mode, you must turn
158       on the fips_mode boolean. Enabled by default.
159
160       setsebool -P fips_mode 1
161
162
163
164       If you want to enable reading of urandom for all domains, you must turn
165       on the global_ssp boolean. Disabled by default.
166
167       setsebool -P global_ssp 1
168
169
170
171       If  you  want  to allow confined applications to run with kerberos, you
172       must turn on the kerberos_enabled boolean. Enabled by default.
173
174       setsebool -P kerberos_enabled 1
175
176
177
178       If you want to allow system to run with  NIS,  you  must  turn  on  the
179       nis_enabled boolean. Disabled by default.
180
181       setsebool -P nis_enabled 1
182
183
184
185       If  you  want to allow confined applications to use nscd shared memory,
186       you must turn on the nscd_use_shm boolean. Disabled by default.
187
188       setsebool -P nscd_use_shm 1
189
190
191

PORT TYPES

193       SELinux defines port types to represent TCP and UDP ports.
194
195       You can see the types associated with a port  by  using  the  following
196       command:
197
198       semanage port -l
199
200
201       Policy  governs  the  access  confined  processes  have to these ports.
202       SELinux cobblerd policy is very flexible allowing users to setup  their
203       cobblerd processes in as secure a method as possible.
204
205       The following port types are defined for cobblerd:
206
207
208       cobbler_port_t
209
210
211
212       Default Defined Ports:
213                 tcp 25151
214

MANAGED FILES

216       The  SELinux  process type cobblerd_t can manage files labeled with the
217       following file types.  The paths listed are the default paths for these
218       file types.  Note the processes UID still need to have DAC permissions.
219
220       cifs_t
221
222
223       cluster_conf_t
224
225            /etc/cluster(/.*)?
226
227       cluster_var_lib_t
228
229            /var/lib/pcsd(/.*)?
230            /var/lib/cluster(/.*)?
231            /var/lib/openais(/.*)?
232            /var/lib/pengine(/.*)?
233            /var/lib/corosync(/.*)?
234            /usr/lib/heartbeat(/.*)?
235            /var/lib/heartbeat(/.*)?
236            /var/lib/pacemaker(/.*)?
237
238       cluster_var_run_t
239
240            /var/run/crm(/.*)?
241            /var/run/cman_.*
242            /var/run/rsctmp(/.*)?
243            /var/run/aisexec.*
244            /var/run/heartbeat(/.*)?
245            /var/run/corosync-qnetd(/.*)?
246            /var/run/corosync-qdevice(/.*)?
247            /var/run/cpglockd.pid
248            /var/run/corosync.pid
249            /var/run/rgmanager.pid
250            /var/run/cluster/rgmanager.sk
251
252       cobbler_tmp_t
253
254
255       cobbler_var_lib_t
256
257            /var/lib/cobbler(/.*)?
258            /var/www/cobbler(/.*)?
259            /var/cache/cobbler(/.*)?
260            /var/lib/tftpboot/etc(/.*)?
261            /var/lib/tftpboot/ppc(/.*)?
262            /var/lib/tftpboot/boot(/.*)?
263            /var/lib/tftpboot/grub(/.*)?
264            /var/lib/tftpboot/s390x(/.*)?
265            /var/lib/tftpboot/images(/.*)?
266            /var/lib/tftpboot/aarch64(/.*)?
267            /var/lib/tftpboot/images2(/.*)?
268            /var/lib/tftpboot/pxelinux.cfg(/.*)?
269            /var/lib/tftpboot/yaboot
270            /var/lib/tftpboot/memdisk
271            /var/lib/tftpboot/menu.c32
272            /var/lib/tftpboot/pxelinux.0
273
274       dhcp_etc_t
275
276            /etc/dhcpc.*
277            /etc/dhcp3?(/.*)?
278            /etc/dhcpd(6)?.conf
279            /etc/dhcp3?/dhclient.*
280            /etc/dhclient.*conf
281            /etc/dhcp/dhcpd(6)?.conf
282            /etc/dhclient-script
283
284       dnsmasq_etc_t
285
286            /etc/dnsmasq.d(/.*)?
287            /etc/dnsmasq.conf
288
289       named_conf_t
290
291            /etc/rndc.*
292            /etc/unbound(/.*)?
293            /var/named/chroot(/.*)?
294            /etc/named.rfc1912.zones
295            /var/named/chroot/etc/named.rfc1912.zones
296            /etc/named.conf
297            /var/named/named.ca
298            /etc/named.root.hints
299            /var/named/chroot/etc/named.conf
300            /etc/named.caching-nameserver.conf
301            /var/named/chroot/var/named/named.ca
302            /var/named/chroot/etc/named.root.hints
303            /var/named/chroot/etc/named.caching-nameserver.conf
304
305       named_zone_t
306
307            /var/named(/.*)?
308            /var/named/chroot/var/named(/.*)?
309
310       net_conf_t
311
312            /etc/hosts[^/]*
313            /etc/yp.conf.*
314            /etc/denyhosts.*
315            /etc/hosts.deny.*
316            /etc/resolv.conf.*
317            /etc/.resolv.conf.*
318            /etc/resolv-secure.conf.*
319            /var/run/systemd/network(/.*)?
320            /etc/sysconfig/networking(/.*)?
321            /etc/sysconfig/network-scripts(/.*)?
322            /etc/sysconfig/network-scripts/.*resolv.conf
323            /var/run/NetworkManager/resolv.conf.*
324            /etc/ethers
325            /etc/ntp.conf
326            /var/run/systemd/resolve/resolv.conf
327
328       nfs_t
329
330
331       public_content_rw_t
332
333            /var/spool/abrt-upload(/.*)?
334
335       root_t
336
337            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
338            /
339            /initrd
340
341       rsync_etc_t
342
343            /etc/rsyncd.conf
344
345       systemd_passwd_var_run_t
346
347            /var/run/systemd/ask-password(/.*)?
348            /var/run/systemd/ask-password-block(/.*)?
349
350       tftpd_etc_t
351
352            /etc/(x)?inetd.d/tftp
353
354

FILE CONTEXTS

356       SELinux requires files to have an extended attribute to define the file
357       type.
358
359       You can see the context of a file using the -Z option to ls
360
361       Policy governs the access  confined  processes  have  to  these  files.
362       SELinux  cobblerd policy is very flexible allowing users to setup their
363       cobblerd processes in as secure a method as possible.
364
365       The following file types are defined for cobblerd:
366
367
368
369       cobblerd_exec_t
370
371       - Set files with the cobblerd_exec_t type, if you want to transition an
372       executable to the cobblerd_t domain.
373
374
375
376       cobblerd_initrc_exec_t
377
378       -  Set files with the cobblerd_initrc_exec_t type, if you want to tran‐
379       sition an executable to the cobblerd_initrc_t domain.
380
381
382
383       Note: File context can be temporarily modified with the chcon  command.
384       If  you want to permanently change the file context you need to use the
385       semanage fcontext command.  This will modify the SELinux labeling data‐
386       base.  You will need to use restorecon to apply the labels.
387
388

SHARING FILES

390       If  you  want to share files with multiple domains (Apache, FTP, rsync,
391       Samba), you can set a file context of public_content_t and  public_con‐
392       tent_rw_t.   These  context  allow any of the above domains to read the
393       content.  If you want a particular domain to write to  the  public_con‐
394       tent_rw_t domain, you must set the appropriate boolean.
395
396       Allow  cobblerd  servers  to read the /var/cobblerd directory by adding
397       the public_content_t file type to the directory and  by  restoring  the
398       file type.
399
400       semanage fcontext -a -t public_content_t "/var/cobblerd(/.*)?"
401       restorecon -F -R -v /var/cobblerd
402
403       Allow  cobblerd  servers  to  read  and write /var/cobblerd/incoming by
404       adding the public_content_rw_t type to the directory and  by  restoring
405       the  file type.  You also need to turn on the cobblerd_anon_write bool‐
406       ean.
407
408       semanage  fcontext  -a  -t  public_content_rw_t   "/var/cobblerd/incom‐
409       ing(/.*)?"
410       restorecon -F -R -v /var/cobblerd/incoming
411       setsebool -P cobblerd_anon_write 1
412
413
414       If  you  want to determine whether Cobbler can modify public files used
415       for  public  file  transfer  services.,  you  must  turn  on  the  cob‐
416       bler_anon_write boolean.
417
418       setsebool -P cobbler_anon_write 1
419
420

COMMANDS

422       semanage  fcontext  can also be used to manipulate default file context
423       mappings.
424
425       semanage permissive can also be used to manipulate  whether  or  not  a
426       process type is permissive.
427
428       semanage  module can also be used to enable/disable/install/remove pol‐
429       icy modules.
430
431       semanage port can also be used to manipulate the port definitions
432
433       semanage boolean can also be used to manipulate the booleans
434
435
436       system-config-selinux is a GUI tool available to customize SELinux pol‐
437       icy settings.
438
439

AUTHOR

441       This manual page was auto-generated using sepolicy manpage .
442
443