1certmaster_selinux(8)      SELinux Policy certmaster     certmaster_selinux(8)
2
3
4

NAME

6       certmaster_selinux  - Security Enhanced Linux Policy for the certmaster
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the certmaster processes  via  flexible
11       mandatory access control.
12
13       The  certmaster  processes  execute with the certmaster_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep certmaster_t
20
21
22

ENTRYPOINTS

24       The  certmaster_t SELinux type can be entered via the certmaster_exec_t
25       file type.
26
27       The default entrypoint paths for the certmaster_t domain are  the  fol‐
28       lowing:
29
30       /usr/bin/certmaster
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       certmaster  policy is very flexible allowing users to setup their cert‐
40       master processes in as secure a method as possible.
41
42       The following process types are defined for certmaster:
43
44       certmaster_t
45
46       Note: semanage permissive -a certmaster_t  can  be  used  to  make  the
47       process  type  certmaster_t permissive. SELinux does not deny access to
48       permissive process types, but the AVC (SELinux  denials)  messages  are
49       still generated.
50
51

BOOLEANS

53       SELinux  policy  is customizable based on least access required.  cert‐
54       master policy is extremely flexible and has several booleans that allow
55       you  to  manipulate  the  policy  and  run certmaster with the tightest
56       access possible.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the kerberos_enabled boolean. Enabled by default.
77
78       setsebool -P kerberos_enabled 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       nis_enabled boolean. Disabled by default.
84
85       setsebool -P nis_enabled 1
86
87
88
89       If  you  want to allow confined applications to use nscd shared memory,
90       you must turn on the nscd_use_shm boolean. Enabled by default.
91
92       setsebool -P nscd_use_shm 1
93
94
95

PORT TYPES

97       SELinux defines port types to represent TCP and UDP ports.
98
99       You can see the types associated with a port  by  using  the  following
100       command:
101
102       semanage port -l
103
104
105       Policy  governs  the  access  confined  processes  have to these ports.
106       SELinux certmaster policy is very  flexible  allowing  users  to  setup
107       their certmaster processes in as secure a method as possible.
108
109       The following port types are defined for certmaster:
110
111
112       certmaster_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 51235
118

MANAGED FILES

120       The SELinux process type certmaster_t can manage files labeled with the
121       following file types.  The paths listed are the default paths for these
122       file types.  Note the processes UID still need to have DAC permissions.
123
124       cert_t
125
126            /etc/(letsencrypt|certbot)/(live|archive)(/.*)?
127            /etc/pki(/.*)?
128            /etc/ssl(/.*)?
129            /etc/ipa/nssdb(/.*)?
130            /etc/httpd/alias(/.*)?
131            /etc/docker/certs.d(/.*)?
132            /usr/share/ssl/certs(/.*)?
133            /var/lib/letsencrypt(/.*)?
134            /usr/share/ssl/private(/.*)?
135            /var/named/chroot/etc/pki(/.*)?
136            /usr/share/ca-certificates(/.*)?
137            /usr/share/pki/ca-certificates(/.*)?
138            /usr/share/pki/ca-trust-source(/.*)?
139
140       certmaster_etc_rw_t
141
142            /etc/certmaster(/.*)?
143
144       certmaster_var_lib_t
145
146            /var/lib/certmaster(/.*)?
147
148       certmaster_var_run_t
149
150            /var/run/certmaster.*
151
152       cluster_conf_t
153
154            /etc/cluster(/.*)?
155
156       cluster_var_lib_t
157
158            /var/lib/pcsd(/.*)?
159            /var/lib/cluster(/.*)?
160            /var/lib/openais(/.*)?
161            /var/lib/pengine(/.*)?
162            /var/lib/corosync(/.*)?
163            /usr/lib/heartbeat(/.*)?
164            /var/lib/heartbeat(/.*)?
165            /var/lib/pacemaker(/.*)?
166
167       cluster_var_run_t
168
169            /var/run/crm(/.*)?
170            /var/run/cman_.*
171            /var/run/rsctmp(/.*)?
172            /var/run/aisexec.*
173            /var/run/heartbeat(/.*)?
174            /var/run/corosync-qnetd(/.*)?
175            /var/run/corosync-qdevice(/.*)?
176            /var/run/corosync.pid
177            /var/run/cpglockd.pid
178            /var/run/rgmanager.pid
179            /var/run/cluster/rgmanager.sk
180
181       root_t
182
183            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
184            /
185            /initrd
186
187

FILE CONTEXTS

189       SELinux requires files to have an extended attribute to define the file
190       type.
191
192       You can see the context of a file using the -Z option to ls
193
194       Policy governs the access  confined  processes  have  to  these  files.
195       SELinux  certmaster  policy  is  very  flexible allowing users to setup
196       their certmaster processes in as secure a method as possible.
197
198       STANDARD FILE CONTEXT
199
200       SELinux defines the file context  types  for  the  certmaster,  if  you
201       wanted  to store files with these types in a diffent paths, you need to
202       execute the semanage command to sepecify alternate  labeling  and  then
203       use restorecon to put the labels on disk.
204
205       semanage  fcontext  -a  -t certmaster_var_run_t '/srv/mycertmaster_con‐
206       tent(/.*)?'
207       restorecon -R -v /srv/mycertmaster_content
208
209       Note: SELinux often uses regular expressions  to  specify  labels  that
210       match multiple files.
211
212       The following file types are defined for certmaster:
213
214
215
216       certmaster_etc_rw_t
217
218       - Set files with the certmaster_etc_rw_t type, if you want to treat the
219       files as certmaster etc read/write content.
220
221
222
223       certmaster_exec_t
224
225       - Set files with the certmaster_exec_t type, if you want to  transition
226       an executable to the certmaster_t domain.
227
228
229
230       certmaster_initrc_exec_t
231
232       -  Set  files  with  the  certmaster_initrc_exec_t type, if you want to
233       transition an executable to the certmaster_initrc_t domain.
234
235
236
237       certmaster_var_lib_t
238
239       - Set files with the certmaster_var_lib_t type, if you  want  to  store
240       the certmaster files under the /var/lib directory.
241
242
243
244       certmaster_var_log_t
245
246       -  Set  files  with the certmaster_var_log_t type, if you want to treat
247       the data as certmaster var log data, usually stored under the  /var/log
248       directory.
249
250
251
252       certmaster_var_run_t
253
254       -  Set  files  with the certmaster_var_run_t type, if you want to store
255       the certmaster files under the /run or /var/run directory.
256
257
258
259       Note: File context can be temporarily modified with the chcon  command.
260       If  you want to permanently change the file context you need to use the
261       semanage fcontext command.  This will modify the SELinux labeling data‐
262       base.  You will need to use restorecon to apply the labels.
263
264

COMMANDS

266       semanage  fcontext  can also be used to manipulate default file context
267       mappings.
268
269       semanage permissive can also be used to manipulate  whether  or  not  a
270       process type is permissive.
271
272       semanage  module can also be used to enable/disable/install/remove pol‐
273       icy modules.
274
275       semanage port can also be used to manipulate the port definitions
276
277       semanage boolean can also be used to manipulate the booleans
278
279
280       system-config-selinux is a GUI tool available to customize SELinux pol‐
281       icy settings.
282
283

AUTHOR

285       This manual page was auto-generated using sepolicy manpage .
286
287

SEE ALSO

289       selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1), sepol‐
290       icy(8), setsebool(8)
291
292
293
294certmaster                         19-10-08              certmaster_selinux(8)
Impressum