prelude_selinux(8)          SELinux Policy prelude          prelude_selinux(8)

NAME

       prelude_selinux - Security Enhanced Linux Policy for the prelude processes

DESCRIPTION

       Security-Enhanced Linux secures the prelude processes via flexible
       mandatory access control.

       The prelude processes execute with the prelude_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep prelude_t

ENTRYPOINTS

       The prelude_t SELinux type can be entered via the prelude_exec_t file
       type.

       The default entrypoint paths for the prelude_t domain are the following:

       /usr/bin/prelude-manager

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       prelude policy is very flexible, allowing users to set up their prelude
       processes in as secure a manner as possible.

       The following process types are defined for prelude:

       prelude_t, prelude_audisp_t, prelude_correlator_t, prelude_lml_t

       Note: semanage permissive -a prelude_t can be used to make the process
       type prelude_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. prelude
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run prelude with the tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1
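       Each boolean above has a documented default, and booleans such as
       deny_ptrace or daemons_dump_core that drift from it widen what every
       daemon, prelude included, may do. The POSIX shell helper below is an
       added example, not part of the sepolicy-generated page: it compares
       getsebool -a output (assumed format: name --> on|off) against the
       defaults listed in this section and reports any drift. The sample
       output is constructed.

```shell
#!/bin/sh
# Added audit helper (not part of the prelude policy or sepolicy output).
# Documented defaults for the booleans listed in this man page, as name=default.
PRELUDE_BOOLEAN_DEFAULTS='authlogin_nsswitch_use_ldap=off daemons_dump_core=off
daemons_enable_cluster_mode=on daemons_use_tcp_wrapper=off daemons_use_tty=off
deny_ptrace=on domain_can_mmap_files=on domain_can_write_kmsg=off domain_fd_use=on
domain_kernel_load_modules=off fips_mode=on global_ssp=off kerberos_enabled=on
nis_enabled=off nscd_use_shm=off'

# Constructed sample in the "name --> value" format that getsebool -a prints;
# two values were deliberately flipped away from their documented defaults.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
daemons_dump_core --> on
daemons_enable_cluster_mode --> on
daemons_use_tcp_wrapper --> off
daemons_use_tty --> off
deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> off
fips_mode --> on
global_ssp --> off
kerberos_enabled --> on
nis_enabled --> off
nscd_use_shm --> off'

# audit_prelude_booleans TEXT: compare getsebool -a output (passed as one string)
# against the documented defaults. Prints one line per boolean that is missing or
# differs from its default; prints nothing when everything matches. Always returns 0.
audit_prelude_booleans() {
    for entry in $PRELUDE_BOOLEAN_DEFAULTS; do
        name=${entry%=*}
        default=${entry#*=}
        current=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$current" ]; then
            printf '%s: not defined in the loaded policy\n' "$name"
        elif [ "$current" != "$default" ]; then
            printf '%s: currently %s, documented default %s\n' "$name" "$current" "$default"
        fi
    done
    return 0
}

# Usage against a live system: audit_prelude_booleans "$(getsebool -a)"
audit_prelude_booleans "$SAMPLE_GETSEBOOL"
```

       A reported difference is not necessarily wrong, but each one should be
       traceable to a deliberate setsebool -P change rather than to drift.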

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux prelude policy is very flexible, allowing users to set up their
       prelude processes in as secure a manner as possible.

       The following port types are defined for prelude:

       prelude_port_t

       Default Defined Ports:
                 tcp 4690
                 udp 4690

MANAGED FILES

       The SELinux process type prelude_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       prelude_spool_t

            /var/spool/prelude(/.*)?
            /var/spool/prelude-manager(/.*)?

       prelude_var_lib_t

            /var/lib/prelude-lml(/.*)?

       prelude_var_run_t

            /var/run/prelude-manager(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux prelude policy is very flexible, allowing users to set up their
       prelude processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       prelude policy stores data with multiple different file context types
       under the /var/spool/prelude directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/spool/prelude /srv/prelude
       restorecon -R -v /srv/prelude

       STANDARD FILE CONTEXT

       SELinux defines the file context types for prelude. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t prelude_var_run_t '/srv/myprelude_content(/.*)?'
       restorecon -R -v /srv/myprelude_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for prelude:

       prelude_audisp_exec_t

       - Set files with the prelude_audisp_exec_t type, if you want to
       transition an executable to the prelude_audisp_t domain.

       Paths:
            /sbin/audisp-prelude, /usr/sbin/audisp-prelude

       prelude_audisp_var_run_t

       - Set files with the prelude_audisp_var_run_t type, if you want to
       store the prelude audisp files under the /run or /var/run directory.

       prelude_correlator_config_t

       - Set files with the prelude_correlator_config_t type, if you want to
       treat the files as prelude correlator configuration data, usually
       stored under the /etc directory.

       prelude_correlator_exec_t

       - Set files with the prelude_correlator_exec_t type, if you want to
       transition an executable to the prelude_correlator_t domain.

       prelude_exec_t

       - Set files with the prelude_exec_t type, if you want to transition an
       executable to the prelude_t domain.

       prelude_initrc_exec_t

       - Set files with the prelude_initrc_exec_t type, if you want to
       transition an executable to the prelude_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/prelude-lml, /etc/rc.d/init.d/prelude-manager,
            /etc/rc.d/init.d/prelude-correlator

       prelude_lml_exec_t

       - Set files with the prelude_lml_exec_t type, if you want to transition
       an executable to the prelude_lml_t domain.

       prelude_lml_tmp_t

       - Set files with the prelude_lml_tmp_t type, if you want to store
       prelude lml temporary files in the /tmp directories.

       prelude_lml_var_run_t

       - Set files with the prelude_lml_var_run_t type, if you want to store
       the prelude lml files under the /run or /var/run directory.

       prelude_log_t

       - Set files with the prelude_log_t type, if you want to treat the data
       as prelude log data, usually stored under the /var/log directory.

       prelude_spool_t

       - Set files with the prelude_spool_t type, if you want to store the
       prelude files under the /var/spool directory.

       Paths:
            /var/spool/prelude(/.*)?, /var/spool/prelude-manager(/.*)?

       prelude_var_lib_t

       - Set files with the prelude_var_lib_t type, if you want to store the
       prelude files under the /var/lib directory.

       prelude_var_run_t

       - Set files with the prelude_var_run_t type, if you want to store the
       prelude files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
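       A prelude directory restored from backup or copied with tools that drop
       extended attributes loses its label, and the confined prelude_t domain
       then gets AVC denials on its own spool or state files. The helper below
       is an added example, not part of the sepolicy-generated page: it reads
       ls -Z style output (assumed format: context followed by path), compares
       each known prelude path against the default types listed above, and
       names the paths that need restorecon. The sample listing is
       constructed.

```shell
#!/bin/sh
# Added example, not part of the prelude policy or the sepolicy-generated page.
# Default labels for the prelude paths listed in this man page, as path=type.
# A site that relabels under /srv with semanage fcontext -e would add its paths.
PRELUDE_EXPECTED_LABELS='/var/spool/prelude=prelude_spool_t
/var/spool/prelude-manager=prelude_spool_t
/var/lib/prelude-lml=prelude_var_lib_t
/var/run/prelude-manager=prelude_var_run_t
/usr/bin/prelude-manager=prelude_exec_t'

# Constructed sample of "ls -dZ" output (security context, then path). The
# spool directory carries the generic var_spool_t label instead of its default.
SAMPLE_LS_Z='system_u:object_r:var_spool_t:s0 /var/spool/prelude
system_u:object_r:prelude_spool_t:s0 /var/spool/prelude-manager
system_u:object_r:prelude_var_lib_t:s0 /var/lib/prelude-lml
system_u:object_r:prelude_var_run_t:s0 /var/run/prelude-manager
system_u:object_r:prelude_exec_t:s0 /usr/bin/prelude-manager'

# type_of CONTEXT: the type field of a user:role:type:level context string.
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# find_mislabeled TEXT: for every known prelude path in ls -Z style output,
# print "path current_type expected_type" when the type is not the expected
# one. Paths the table does not know are skipped. Fix with restorecon -R -v.
find_mislabeled() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$path" ] || continue
        expected=$(printf '%s\n' "$PRELUDE_EXPECTED_LABELS" |
            awk -F= -v p="$path" '$1 == p { print $2 }')
        [ -n "$expected" ] || continue
        current=$(type_of "$ctx")
        if [ "$current" != "$expected" ]; then
            printf '%s %s %s\n' "$path" "$current" "$expected"
        fi
    done
    return 0
}

# On a live host: find_mislabeled "$(ls -dZ /var/spool/prelude /var/lib/prelude-lml)"
find_mislabeled "$SAMPLE_LS_Z"
```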

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), prelude_audisp_selinux(8),
       prelude_correlator_selinux(8), prelude_lml_selinux(8)



prelude                            19-04-25                 prelude_selinux(8)