glusterd_selinux(8)         SELinux Policy glusterd        glusterd_selinux(8)

NAME

       glusterd_selinux - Security Enhanced Linux Policy for the glusterd processes


DESCRIPTION

       Security-Enhanced Linux secures the glusterd processes via flexible
       mandatory access control.

       The glusterd processes execute with the glusterd_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep glusterd_t


ENTRYPOINTS

       The glusterd_t SELinux type can be entered via the glusterd_exec_t file
       type.

       The default entrypoint paths for the glusterd_t domain are the
       following:

       /opt/glusterfs/[^/]+/sbin/glusterfsd,
       /usr/libexec/glusterfs/peer_eventsapi.py,
       /usr/libexec/glusterfs/events/glustereventsd.py,
       /usr/sbin/glusterfsd, /usr/sbin/glustereventsd,
       /usr/sbin/gluster-eventsapi


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       glusterd policy is very flexible, allowing users to set up their glusterd
       processes in as secure a manner as possible.

       The following process types are defined for glusterd:

       glusterd_t

       Note: semanage permissive -a glusterd_t can be used to make the process
       type glusterd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

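       The note above matters in practice because a permissive glusterd_t still
       produces AVC records, and each record says whether the access was
       actually blocked. The following script is an added example (not part of
       the generated man page): it reads audit.log lines, keeps only AVC
       denials whose source context type is glusterd_t, and summarizes them by
       permission, command, object class, target type and whether the record
       was logged under enforcing (permissive=0) or permissive (permissive=1)
       mode. The audit lines in SAMPLE_AUDIT are constructed for the example.

```shell
# Added example, not from the man page: triage AVC records for the glusterd_t
# domain. The permissive= field of each record tells whether the denial was
# enforced or only logged, which is what the "permissive" note above is about.

# Constructed audit.log excerpt (not a real capture): two enforced write
# denials on a brick directory, one permissive read denial, one SYSCALL record
# and one AVC from another domain that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1570521600.101:201): avc:  denied  { write } for  pid=2345 comm="glusterfsd" name="brick1" dev="dm-3" ino=131 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1570521600.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="glusterfsd" exe="/usr/sbin/glusterfsd"
type=AVC msg=audit(1570521600.202:202): avc:  denied  { write } for  pid=2345 comm="glusterfsd" name="brick1" dev="dm-3" ino=131 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1570521660.303:203): avc:  denied  { read } for  pid=2345 comm="glusterfsd" name="info" dev="dm-3" ino=140 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570521661.404:204): avc:  denied  { name_connect } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket permissive=0'

# summarize_glusterd_avc: stdin = audit.log lines; stdout = one line per
# distinct "<perm> <comm> <tclass> <target type> <enforced|permissive>",
# prefixed with how often it occurred, sorted for stable output.
summarize_glusterd_avc() {
    awk '
    /type=AVC/ && /denied/ {
        split("", f)                      # clear the key=value map per record
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        }
        split(f["scontext"], sc, ":")     # user:role:type:level
        if (sc[3] != "glusterd_t") next   # only the glusterd domain
        split(f["tcontext"], tc, ":")
        comm = f["comm"]; gsub(/"/, "", comm)
        # the requested permissions sit between braces: { write }
        perm = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        mode = (f["permissive"] == "1") ? "permissive" : "enforced"
        key = perm " " comm " " f["tclass"] " " tc[3] " " mode
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort
}

# Demo on the constructed excerpt.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_glusterd_avc
```

       On a live host the same function takes real records, for example
       grep type=AVC /var/log/audit/audit.log | summarize_glusterd_avc. Lines
       marked "permissive" are accesses the domain would lose once it is made
       enforcing again, so they are the ones to label or allow before running
       semanage permissive -d glusterd_t.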

BOOLEANS

       SELinux policy is customizable based on least access required. glusterd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run glusterd with the tightest access
       possible.

       If you want to allow glusterfsd to share any file/directory read only,
       you must turn on the gluster_export_all_ro boolean. Disabled by
       default.

       setsebool -P gluster_export_all_ro 1

       If you want to allow glusterfsd to share any file/directory read/write,
       you must turn on the gluster_export_all_rw boolean. Enabled by default.

       setsebool -P gluster_export_all_rw 1

       If you want to allow the glusterd_t domain to use executable memory, you
       must turn on the gluster_use_execmem boolean. Disabled by default.

       setsebool -P gluster_use_execmem 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

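       Every boolean above widens what glusterd_t may do, so the least-access
       position is the documented default unless a deployment needs more. The
       following script is an added example (not part of the generated man
       page): it compares getsebool -a output against the defaults listed in
       this section and reports each boolean that has drifted, plus any that
       is missing from the output. The getsebool lines in SAMPLE_GETSEBOOL are
       constructed for the example.

```shell
# Added example, not from the man page: report glusterd-related booleans whose
# current value differs from the default documented in the BOOLEANS section.

# name=default pairs, copied from the BOOLEANS section of this page
GLUSTER_BOOLEAN_DEFAULTS="gluster_export_all_ro=off gluster_export_all_rw=on \
gluster_use_execmem=off authlogin_nsswitch_use_ldap=off fips_mode=on \
kerberos_enabled=on nis_enabled=off nscd_use_shm=on"

# Constructed "getsebool -a" excerpt (not a real capture): two booleans have
# been switched on beyond their defaults.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
fips_mode --> on
gluster_anon_write --> off
gluster_export_all_ro --> on
gluster_export_all_rw --> on
gluster_use_execmem --> on
kerberos_enabled --> on
nis_enabled --> off
nscd_use_shm --> on'

# audit_gluster_booleans: stdin lines "<name> --> <on|off>"; prints
# "<name> current=<value> default=<value>" for every deviation and
# "<name> current=missing default=<value>" for a boolean absent from the input.
audit_gluster_booleans() {
    awk -v defaults="$GLUSTER_BOOLEAN_DEFAULTS" '
    BEGIN {
        n = split(defaults, pair, " ")
        for (i = 1; i <= n; i++) {
            split(pair[i], kv, "=")
            def[kv[1]] = kv[2]
        }
    }
    $2 == "-->" && ($1 in def) {
        seen[$1] = 1
        if ($3 != def[$1]) printf "%s current=%s default=%s\n", $1, $3, def[$1]
    }
    END {
        for (b in def) if (!(b in seen)) printf "%s current=missing default=%s\n", b, def[b]
    }' | sort
}

# Demo on the constructed excerpt.
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_gluster_booleans
```

       On a live host run getsebool -a | audit_gluster_booleans. Each reported
       deviation is a conscious decision to document, or a setting to revert
       with setsebool -P <name> <default>.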

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux glusterd policy is very flexible, allowing users to set up their
       glusterd processes in as secure a manner as possible.

       The following port types are defined for glusterd:

       gluster_port_t

       Default Defined Ports:
                 tcp 38465-38469,24007-24027

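       A brick or management port outside the gluster_port_t ranges will be
       denied to the confined domain, so it is worth checking a port against
       the live definition before using it. The following script is an added
       example (not part of the generated man page): one function extracts the
       tcp ranges of gluster_port_t from semanage port -l output, the other
       tests a port number against a comma-separated range list in that
       format. The semanage output in SAMPLE_SEMANAGE_PORT is constructed.

```shell
# Added example, not from the man page: check whether a TCP port is covered by
# the gluster_port_t ranges, using the list format "semanage port -l" prints.

# Constructed "semanage port -l" excerpt (not a real capture).
SAMPLE_SEMANAGE_PORT='SELinux Port Type              Proto    Port Number

gluster_port_t                 tcp      38465-38469, 24007-24027
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# gluster_ranges_from_semanage: stdin = "semanage port -l" output,
# stdout = the tcp range list of gluster_port_t (empty if the type is absent)
gluster_ranges_from_semanage() {
    awk '$1 == "gluster_port_t" && $2 == "tcp" { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# port_in_ranges PORT "N-M, N, ..." -> exit 0 if PORT lies in some entry,
# 1 if it does not, 2 if PORT is not a number
port_in_ranges() {
    port=$1
    range_list=$2
    case $port in
        '' | *[!0-9]*) return 2 ;;
    esac
    # split the list on commas and blanks without needing arrays
    old_ifs=$IFS
    IFS=', '
    set -- $range_list
    IFS=$old_ifs
    for entry in "$@"; do
        lo=${entry%-*}     # "N" for a single port, "N" for "N-M"
        hi=${entry#*-}     # "N" for a single port, "M" for "N-M"
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Demo on the constructed excerpt.
ranges=$(printf '%s\n' "$SAMPLE_SEMANAGE_PORT" | gluster_ranges_from_semanage)
for p in 24007 24028 38465; do
    if port_in_ranges "$p" "$ranges"; then
        echo "tcp/$p is labeled gluster_port_t"
    else
        echo "tcp/$p is NOT labeled gluster_port_t"
    fi
done
```

       On a live host replace the sample with semanage port -l |
       gluster_ranges_from_semanage. A port that falls outside the list is the
       case the "semanage port" entry under COMMANDS exists for: label it with
       semanage port rather than switching the domain to permissive.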

MANAGED FILES

       The SELinux process type glusterd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       glusterd_brick_t


       glusterd_conf_t

            /etc/glusterd(/.*)?
            /etc/glusterfs(/.*)?

       glusterd_log_t

            /var/log/glusterfs(/.*)?

       glusterd_tmp_t


       glusterd_tmpfs_t


       glusterd_var_lib_t

            /var/lib/glusterd(/.*)?

       glusterd_var_run_t

            /var/run/gluster(/.*)?
            /var/run/glusterd.*
            /var/run/glusterd(/.*)?

       initrc_state_t


       initrc_tmp_t


       non_security_file_type


       noxattrfs

            all files on file systems which do not support extended attributes

       public_content_rw_t

            /var/spool/abrt-upload(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       samba_etc_t

            /etc/samba(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       var_lib_nfs_t

            /var/lib/nfs(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux glusterd policy is very flexible, allowing users to set up their
       glusterd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       glusterd policy stores data with multiple different file context types
       under the /var/run/gluster directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/gluster /srv/gluster
       restorecon -R -v /srv/gluster

       STANDARD FILE CONTEXT

       SELinux defines the file context types for glusterd. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t glusterd_brick_t '/srv/myglusterd_content(/.*)?'
       restorecon -R -v /srv/myglusterd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for glusterd:

       glusterd_brick_t

       - Set files with the glusterd_brick_t type, if you want to treat the
       files as glusterd brick data.

       glusterd_conf_t

       - Set files with the glusterd_conf_t type, if you want to treat the
       files as glusterd configuration data, usually stored under the /etc
       directory.

       Paths:
            /etc/glusterd(/.*)?, /etc/glusterfs(/.*)?

       glusterd_exec_t

       - Set files with the glusterd_exec_t type, if you want to transition an
       executable to the glusterd_t domain.

       Paths:
            /opt/glusterfs/[^/]+/sbin/glusterfsd,
            /usr/libexec/glusterfs/peer_eventsapi.py,
            /usr/libexec/glusterfs/events/glustereventsd.py,
            /usr/sbin/glusterfsd, /usr/sbin/glustereventsd,
            /usr/sbin/gluster-eventsapi

       glusterd_initrc_exec_t

       - Set files with the glusterd_initrc_exec_t type, if you want to
       transition an executable to the glusterd_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd

       glusterd_log_t

       - Set files with the glusterd_log_t type, if you want to treat the data
       as glusterd log data, usually stored under the /var/log directory.

       glusterd_tmp_t

       - Set files with the glusterd_tmp_t type, if you want to store glusterd
       temporary files in the /tmp directories.

       glusterd_tmpfs_t

       - Set files with the glusterd_tmpfs_t type, if you want to store
       glusterd files on a tmpfs file system.

       glusterd_var_lib_t

       - Set files with the glusterd_var_lib_t type, if you want to store the
       glusterd files under the /var/lib directory.

       glusterd_var_run_t

       - Set files with the glusterd_var_run_t type, if you want to store the
       glusterd files under the /run or /var/run directory.

       Paths:
            /var/run/gluster(/.*)?, /var/run/glusterd.*, /var/run/glusterd(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

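       Files copied or restored into a labeled tree after restorecon has run
       can silently carry the wrong type, and the confined domain then fails
       on them. The following script is an added example (not part of the
       generated man page): it encodes the fcontext patterns listed in this
       section, plus the /srv/myglusterd_content brick rule from the semanage
       example above (assumed to have been applied), and reports every path
       whose actual type differs from the type its pattern prescribes. Input
       is "<context> <path>" per line, the shape stat -c '%C %n' prints; the
       lines in SAMPLE_STAT are constructed for the example.

```shell
# Added example, not from the man page: compare the label each path carries
# with the type the FILE CONTEXTS rules say it should have.

# Constructed "stat -c '%C %n'" output (not a real capture): two paths inside
# labeled trees have picked up default_t and var_lib_t instead of the
# glusterd types; one path matches no rule and is left alone.
SAMPLE_STAT='system_u:object_r:glusterd_brick_t:s0 /srv/myglusterd_content
system_u:object_r:glusterd_brick_t:s0 /srv/myglusterd_content/vol1
unconfined_u:object_r:default_t:s0 /srv/myglusterd_content/vol1/.glusterfs
system_u:object_r:glusterd_var_lib_t:s0 /var/lib/glusterd/glusterd.info
system_u:object_r:var_lib_t:s0 /var/lib/glusterd/vols/vol1/info
system_u:object_r:glusterd_conf_t:s0 /etc/glusterfs/glusterd.vol
system_u:object_r:var_t:s0 /var/lib/unrelated/file'

# find_mislabeled: stdin lines "<context> <path>"; stdout lines
# "<path> <actual type> <expected type>" for each path whose type differs from
# the rule it matches. Paths matching no rule are not reported.
find_mislabeled() {
    awk '
    BEGIN {
        # anchored ERE -> type, copied from the FILE CONTEXTS section
        rule["^/etc/glusterd(/.*)?$"]           = "glusterd_conf_t"
        rule["^/etc/glusterfs(/.*)?$"]          = "glusterd_conf_t"
        rule["^/var/log/glusterfs(/.*)?$"]      = "glusterd_log_t"
        rule["^/var/lib/glusterd(/.*)?$"]       = "glusterd_var_lib_t"
        rule["^/var/run/gluster(/.*)?$"]        = "glusterd_var_run_t"
        rule["^/usr/sbin/glusterfsd$"]          = "glusterd_exec_t"
        # assumed local rule from the semanage fcontext example on this page
        rule["^/srv/myglusterd_content(/.*)?$"] = "glusterd_brick_t"
    }
    NF >= 2 {
        ctx = $1
        path = substr($0, length(ctx) + 2)    # keep paths containing blanks
        split(ctx, c, ":")                    # user:role:type:level
        actual = c[3]
        # the patterns above are disjoint, so the first match is the match
        for (r in rule) {
            if (path ~ r) {
                if (actual != rule[r]) printf "%s %s %s\n", path, actual, rule[r]
                break
            }
        }
    }' | sort
}

# Demo on the constructed listing.
printf '%s\n' "$SAMPLE_STAT" | find_mislabeled
```

       On a live host feed it a real listing, for example
       find /srv/myglusterd_content -exec stat -c '%C %n' {} + | find_mislabeled
       (GNU stat prints the SELinux context for %C). Any reported path is fixed
       with the restorecon -R -v command already shown above, not with chcon,
       so the correction survives the next relabel.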

SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean.

       Allow glusterd servers to read the /var/glusterd directory by adding
       the public_content_t file type to the directory and by restoring the
       file type.

       semanage fcontext -a -t public_content_t "/var/glusterd(/.*)?"
       restorecon -F -R -v /var/glusterd

       Allow glusterd servers to read and write /var/glusterd/incoming by
       adding the public_content_rw_t type to the directory and by restoring
       the file type. You also need to turn on the gluster_anon_write
       boolean.

       semanage fcontext -a -t public_content_rw_t "/var/glusterd/incoming(/.*)?"
       restorecon -F -R -v /var/glusterd/incoming
       setsebool -P gluster_anon_write 1

       If you want to allow glusterfsd to modify public files used for public
       file transfer services (files and directories must be labeled
       public_content_rw_t), you must turn on the gluster_anon_write boolean.

       setsebool -P gluster_anon_write 1


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)


glusterd                           19-10-08                glusterd_selinux(8)