glusterd_selinux(8) SELinux Policy glusterd glusterd_selinux(8)

NAME

glusterd_selinux - Security Enhanced Linux Policy for the glusterd processes

DESCRIPTION

Security-Enhanced Linux secures the glusterd processes via flexible mandatory access control.

The glusterd processes execute with the glusterd_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep glusterd_t

ENTRYPOINTS

The glusterd_t SELinux type can be entered via the glusterd_exec_t file type.

The default entrypoint paths for the glusterd_t domain are the following:

/opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/libexec/glusterfs/peer_eventsapi.py, /usr/libexec/glusterfs/events/glustereventsd.py, /usr/sbin/glusterfsd, /usr/sbin/glustereventsd, /usr/sbin/gluster-eventsapi
PROCESS TYPES

SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux glusterd policy is very flexible, allowing users to set up their glusterd processes in as secure a method as possible.

The following process types are defined for glusterd:

glusterd_t

Note: semanage permissive -a glusterd_t can be used to make the process type glusterd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.

BOOLEANS

SELinux policy is customizable based on least access required. glusterd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run glusterd with the tightest access possible.

If you want to allow glusterfsd to share any file/directory read only, you must turn on the gluster_export_all_ro boolean. Disabled by default.

setsebool -P gluster_export_all_ro 1

If you want to allow glusterfsd to share any file/directory read/write, you must turn on the gluster_export_all_rw boolean. Enabled by default.

setsebool -P gluster_export_all_rw 1

If you want to allow the glusterd_t domain to use executable memory, you must turn on the gluster_use_execmem boolean. Disabled by default.

setsebool -P gluster_use_execmem 1

If you want to allow users to resolve user passwd entries directly from ldap rather than using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default.

setsebool -P nscd_use_shm 1

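Added example (not part of this manual page): a shell audit that compares the getsebool(8) state of the booleans listed above with the defaults documented here and reports drift. It assumes getsebool's "name --> on|off" output format; the function names are chosen here, and it runs against a constructed sample.

```shell
#!/bin/sh
# Added example: audit the booleans this page documents against their stated
# defaults, so a change that widens glusterd_t's access (for instance
# gluster_use_execmem turned on) is visible. Offline, on constructed input.

# Documented defaults from this page, one "name default" pair per line.
GLUSTER_BOOL_DEFAULTS='gluster_export_all_ro off
gluster_export_all_rw on
gluster_use_execmem off
authlogin_nsswitch_use_ldap off
fips_mode on
kerberos_enabled on
nis_enabled off
nscd_use_shm on'

# Constructed sample of "getsebool -a" output: execmem has been enabled and
# nis_enabled is absent, to exercise the DRIFT and MISSING verdicts.
SAMPLE_GETSEBOOL='gluster_export_all_ro --> off
gluster_export_all_rw --> on
gluster_use_execmem --> on
authlogin_nsswitch_use_ldap --> off
fips_mode --> on
kerberos_enabled --> on
nscd_use_shm --> on'

# Reads getsebool output on stdin; prints "<name> <current> <default> <verdict>"
# per documented boolean. Verdict is OK, DRIFT or MISSING (not in the input).
audit_gluster_booleans() {
    observed=$(cat)
    printf '%s\n' "$GLUSTER_BOOL_DEFAULTS" | while read -r name default; do
        current=$(printf '%s\n' "$observed" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$current" ]; then
            printf '%s - %s MISSING\n' "$name" "$default"
        elif [ "$current" = "$default" ]; then
            printf '%s %s %s OK\n' "$name" "$current" "$default"
        else
            printf '%s %s %s DRIFT\n' "$name" "$current" "$default"
        fi
    done
}

# Number of booleans whose state differs from the documented default.
count_drift() {
    audit_gluster_booleans | awk '$4 == "DRIFT" { n++ } END { print n + 0 }'
}

# Live use: getsebool -a | audit_gluster_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_gluster_booleans
```

The two gluster_export_all_* booleans are what let glusterfsd serve files that are not labeled glusterd_brick_t, so a report of OK for gluster_export_all_rw still means the broad default is in force; the tightest setup labels the bricks and turns both off.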
PORT TYPES

SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

semanage port -l

Policy governs the access confined processes have to these ports. SELinux glusterd policy is very flexible, allowing users to set up their glusterd processes in as secure a method as possible.

The following port types are defined for glusterd:

gluster_port_t

Default Defined Ports:
tcp 38465-38469,24007-24027

MANAGED FILES

The SELinux process type glusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t
/etc/cluster(/.*)?

cluster_var_lib_t
/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t
/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

glusterd_brick_t

glusterd_conf_t
/etc/glusterd(/.*)?
/etc/glusterfs(/.*)?

glusterd_log_t
/var/log/glusterfs(/.*)?

glusterd_tmp_t

glusterd_tmpfs_t

glusterd_var_lib_t
/var/lib/glusterd(/.*)?

glusterd_var_run_t
/var/run/gluster(/.*)?
/var/run/glusterd.*
/var/run/glusterd(/.*)?

initrc_state_t

initrc_tmp_t

non_security_file_type

noxattrfs
all files on file systems which do not support extended attributes

public_content_rw_t
/var/spool/abrt-upload(/.*)?

root_t
/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

samba_etc_t
/etc/samba(/.*)?

systemd_passwd_var_run_t
/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?

user_tmp_t
/dev/shm/mono.*
/var/run/user(/.*)?
/tmp/.ICE-unix(/.*)?
/tmp/.X11-unix(/.*)?
/dev/shm/pulse-shm.*
/tmp/.X0-lock
/tmp/hsperfdata_root
/var/tmp/hsperfdata_root
/home/[^/]+/tmp
/home/[^/]+/.tmp
/tmp/gconfd-[^/]+

var_lib_nfs_t
/var/lib/nfs(/.*)?

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux glusterd policy is very flexible, allowing users to set up their glusterd processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

glusterd policy stores data with multiple different file context types under the /var/run/gluster directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/gluster /srv/gluster
restorecon -R -v /srv/gluster

STANDARD FILE CONTEXT

SELinux defines the file context types for glusterd. If you wanted to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t glusterd_brick_t '/srv/myglusterd_content(/.*)?'
restorecon -R -v /srv/myglusterd_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.
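Added example (not part of this manual page): a small shell emulation of how the fcontext regexes in the two sections above are applied, covering both the anchored regex match and the equivalence mapping, so a candidate path such as a new brick directory can be checked before restorecon is run. The entries and the equivalence table are a constructed subset of this page's; apply_equivalence and fcontext_type are names chosen here, and matchpathcon(8) is the real tool.

```shell
#!/bin/sh
# Added example: emulate the fcontext lookup this page relies on. Two rules
# are reproduced: libselinux anchors each regex at both ends, so
# '/etc/glusterfs(/.*)?' covers /etc/glusterfs and everything below it but
# not /etc/glusterfs-old; and an equivalence created with
# "semanage fcontext -a -e /var/run/gluster /srv/gluster" rewrites the
# /srv/gluster prefix to /var/run/gluster before the lookup.

# "regex type" pairs, a constructed subset of this page's file contexts.
# As in file_contexts, the last matching entry wins.
FCONTEXTS='/etc/glusterd(/.*)? glusterd_conf_t
/etc/glusterfs(/.*)? glusterd_conf_t
/var/log/glusterfs(/.*)? glusterd_log_t
/var/run/gluster(/.*)? glusterd_var_run_t
/var/run/glusterd.* glusterd_var_run_t
/usr/sbin/glusterfsd glusterd_exec_t
/srv/myglusterd_content(/.*)? glusterd_brick_t'

# "new-path existing-path" pairs: paths under the first are labeled as if
# they were under the second (the mapping from the EQUIVALENCE section).
EQUIVALENCES='/srv/gluster /var/run/gluster'

# Rewrite the path prefix when it falls under an equivalence directory.
apply_equivalence() {
    printf '%s\n' "$EQUIVALENCES" | awk -v p="$1" '
        BEGIN { out = p }
        p == $1 || index(p, $1 "/") == 1 { out = $2 substr(p, length($1) + 1) }
        END { print out }'
}

# Print the type assigned by the last matching entry, or "unlabeled".
fcontext_type() {
    lookup=$(apply_equivalence "$1")
    printf '%s\n' "$FCONTEXTS" | awk -v p="$lookup" '
        p ~ ("^" $1 "$") { last = $2 }
        END { print (last == "" ? "unlabeled" : last) }'
}

for p in /etc/glusterfs/glusterd.vol /etc/glusterfs-old \
         /srv/gluster/glusterd.socket /srv/myglusterd_content/brick1/data; do
    printf '%-40s %s\n' "$p" "$(fcontext_type "$p")"
done
```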

The following file types are defined for glusterd:

glusterd_brick_t

- Set files with the glusterd_brick_t type, if you want to treat the files as glusterd brick data.

glusterd_conf_t

- Set files with the glusterd_conf_t type, if you want to treat the files as glusterd configuration data, usually stored under the /etc directory.

Paths:
/etc/glusterd(/.*)?, /etc/glusterfs(/.*)?

glusterd_exec_t

- Set files with the glusterd_exec_t type, if you want to transition an executable to the glusterd_t domain.

Paths:
/opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/libexec/glusterfs/peer_eventsapi.py, /usr/libexec/glusterfs/events/glustereventsd.py, /usr/sbin/glusterfsd, /usr/sbin/glustereventsd, /usr/sbin/gluster-eventsapi

glusterd_initrc_exec_t

- Set files with the glusterd_initrc_exec_t type, if you want to transition an executable to the glusterd_initrc_t domain.

Paths:
/etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd

glusterd_log_t

- Set files with the glusterd_log_t type, if you want to treat the data as glusterd log data, usually stored under the /var/log directory.

glusterd_tmp_t

- Set files with the glusterd_tmp_t type, if you want to store glusterd temporary files in the /tmp directories.

glusterd_tmpfs_t

- Set files with the glusterd_tmpfs_t type, if you want to store glusterd files on a tmpfs file system.

glusterd_var_lib_t

- Set files with the glusterd_var_lib_t type, if you want to store the glusterd files under the /var/lib directory.

glusterd_var_run_t

- Set files with the glusterd_var_run_t type, if you want to store the glusterd files under the /run or /var/run directory.

Paths:
/var/run/gluster(/.*)?, /var/run/glusterd.*, /var/run/glusterd(/.*)?

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

SHARING FILES

If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to files labeled public_content_rw_t, you must set the appropriate boolean.

Allow glusterd servers to read the /var/glusterd directory by adding the public_content_t file type to the directory and by restoring the file type.

semanage fcontext -a -t public_content_t "/var/glusterd(/.*)?"
restorecon -F -R -v /var/glusterd

Allow glusterd servers to read and write /var/glusterd/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. You also need to turn on the gluster_anon_write boolean.

semanage fcontext -a -t public_content_rw_t "/var/glusterd/incoming(/.*)?"
restorecon -F -R -v /var/glusterd/incoming
setsebool -P gluster_anon_write 1

If you want to allow glusterfsd to modify public files used for public file transfer services (files and directories must be labeled public_content_rw_t), you must turn on the gluster_anon_write boolean.

setsebool -P gluster_anon_write 1

COMMANDS

semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

glusterd 19-10-08 glusterd_selinux(8)