neutron_selinux(8)

1neutron_selinux(8)          SELinux Policy neutron          neutron_selinux(8)
2
3
4

NAME

6       neutron_selinux  -  Security Enhanced Linux Policy for the neutron pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  neutron  processes  via  flexible
11       mandatory access control.
12
13       The  neutron processes execute with the neutron_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep neutron_t
20
21
22

ENTRYPOINTS

24       The  neutron_t  SELinux type can be entered via the neutron_exec_t file
25       type.
26
27       The default entrypoint paths for the neutron_t domain are  the  follow‐
28       ing:
29
30       /usr/bin/neutron-server,   /usr/bin/quantum-server,   /usr/bin/neutron-
31       l3-agent,     /usr/bin/neutron-rootwrap,     /usr/bin/quantum-l3-agent,
32       /usr/bin/neutron-ryu-agent,  /usr/bin/quantum-ryu-agent,  /usr/bin/neu‐
33       tron-dhcp-agent,  /usr/bin/quantum-dhcp-agent,  /usr/bin/neutron-lbaas-
34       agent,    /usr/bin/neutron-ovs-cleanup,   /usr/bin/quantum-ovs-cleanup,
35       /usr/bin/neutron-netns-cleanup,        /usr/bin/neutron-metadata-agent,
36       /usr/bin/neutron-linuxbridge-agent, /usr/bin/neutron-ns-metadata-proxy,
37       /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38       /usr/bin/quantum-openvswitch-agent
39

PROCESS TYPES

41       SELinux defines process types (domains) for each process running on the
42       system
43
44       You can see the context of a process using the -Z option to ps
45
46       Policy governs the access confined processes have  to  files.   SELinux
47       neutron  policy  is very flexible allowing users to setup their neutron
48       processes in as secure a method as possible.
49
50       The following process types are defined for neutron:
51
52       neutron_t
53
54       Note: semanage permissive -a neutron_t can be used to make the  process
55       type  neutron_t  permissive. SELinux does not deny access to permissive
56       process types, but the AVC (SELinux denials) messages are still  gener‐
57       ated.
58
59

BOOLEANS

61       SELinux policy is customizable based on least access required.  neutron
62       policy is extremely flexible and has several booleans that allow you to
63       manipulate  the  policy and run neutron with the tightest access possi‐
64       ble.
65
66
67
68       If you want to determine whether neutron can connect to all TCP  ports,
69       you must turn on the neutron_can_network boolean. Disabled by default.
70
71       setsebool -P neutron_can_network 1
72
73
74
75       If you want to allow users to resolve user passwd entries directly from
76       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
77       gin_nsswitch_use_ldap boolean. Disabled by default.
78
79       setsebool -P authlogin_nsswitch_use_ldap 1
80
81
82
83       If you want to allow all domains to execute in fips_mode, you must turn
84       on the fips_mode boolean. Enabled by default.
85
86       setsebool -P fips_mode 1
87
88
89
90       If you want to allow confined applications to run  with  kerberos,  you
91       must turn on the kerberos_enabled boolean. Enabled by default.
92
93       setsebool -P kerberos_enabled 1
94
95
96
97       If  you  want  to  allow  system  to run with NIS, you must turn on the
98       nis_enabled boolean. Disabled by default.
99
100       setsebool -P nis_enabled 1
101
102
103
104       If you want to allow confined applications to use nscd  shared  memory,
105       you must turn on the nscd_use_shm boolean. Enabled by default.
106
107       setsebool -P nscd_use_shm 1
108
109
110

PORT TYPES

112       SELinux defines port types to represent TCP and UDP ports.
113
114       You  can  see  the  types associated with a port by using the following
115       command:
116
117       semanage port -l
118
119
120       Policy governs the access  confined  processes  have  to  these  ports.
121       SELinux  neutron  policy is very flexible allowing users to setup their
122       neutron processes in as secure a method as possible.
123
124       The following port types are defined for neutron:
125
126
127       neutron_port_t
128
129
130
131       Default Defined Ports:
132                 tcp 8775,9696,9697
133

MANAGED FILES

135       The SELinux process type neutron_t can manage files  labeled  with  the
136       following file types.  The paths listed are the default paths for these
137       file types.  Note the processes UID still need to have DAC permissions.
138
139       cluster_conf_t
140
141            /etc/cluster(/.*)?
142
143       cluster_var_lib_t
144
145            /var/lib/pcsd(/.*)?
146            /var/lib/cluster(/.*)?
147            /var/lib/openais(/.*)?
148            /var/lib/pengine(/.*)?
149            /var/lib/corosync(/.*)?
150            /usr/lib/heartbeat(/.*)?
151            /var/lib/heartbeat(/.*)?
152            /var/lib/pacemaker(/.*)?
153
154       cluster_var_run_t
155
156            /var/run/crm(/.*)?
157            /var/run/cman_.*
158            /var/run/rsctmp(/.*)?
159            /var/run/aisexec.*
160            /var/run/heartbeat(/.*)?
161            /var/run/corosync-qnetd(/.*)?
162            /var/run/corosync-qdevice(/.*)?
163            /var/run/corosync.pid
164            /var/run/cpglockd.pid
165            /var/run/rgmanager.pid
166            /var/run/cluster/rgmanager.sk
167
168       faillog_t
169
170            /var/log/btmp.*
171            /var/log/faillog.*
172            /var/log/tallylog.*
173            /var/run/faillock(/.*)?
174
175       ifconfig_var_run_t
176
177            /var/run/netns(/.*)?
178
179       initrc_var_run_t
180
181            /var/run/utmp
182            /var/run/random-seed
183            /var/run/runlevel.dir
184            /var/run/setmixer_flag
185
186       krb5_host_rcache_t
187
188            /var/cache/krb5rcache(/.*)?
189            /var/tmp/nfs_0
190            /var/tmp/DNS_25
191            /var/tmp/host_0
192            /var/tmp/imap_0
193            /var/tmp/HTTP_23
194            /var/tmp/HTTP_48
195            /var/tmp/ldap_55
196            /var/tmp/ldap_487
197            /var/tmp/ldapmap1_0
198
199       krb5_keytab_t
200
201            /etc/krb5.keytab
202            /etc/krb5kdc/kadm5.keytab
203            /var/kerberos/krb5kdc/kadm5.keytab
204
205       lastlog_t
206
207            /var/log/lastlog.*
208
209       neutron_tmp_t
210
211
212       neutron_var_lib_t
213
214            /var/lib/neutron(/.*)?
215            /var/lib/quantum(/.*)?
216
217       neutron_var_run_t
218
219            /var/run/neutron(/.*)?
220            /var/run/quantum(/.*)?
221
222       root_t
223
224            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
225            /
226            /initrd
227
228       security_t
229
230            /selinux
231
232

FILE CONTEXTS

234       SELinux requires files to have an extended attribute to define the file
235       type.
236
237       You can see the context of a file using the -Z option to ls
238
239       Policy  governs  the  access  confined  processes  have to these files.
240       SELinux neutron policy is very flexible allowing users to  setup  their
241       neutron processes in as secure a method as possible.
242
243       STANDARD FILE CONTEXT
244
245       SELinux  defines  the file context types for the neutron, if you wanted
246       to store files with these types in a diffent paths, you need to execute
247       the  semanage  command  to  sepecify  alternate  labeling  and then use
248       restorecon to put the labels on disk.
249
250       semanage  fcontext  -a  -t   neutron_unit_file_t   '/srv/myneutron_con‐
251       tent(/.*)?'
252       restorecon -R -v /srv/myneutron_content
253
254       Note:  SELinux  often  uses  regular expressions to specify labels that
255       match multiple files.
256
257       The following file types are defined for neutron:
258
259
260
261       neutron_exec_t
262
263       - Set files with the neutron_exec_t type, if you want to transition  an
264       executable to the neutron_t domain.
265
266
267       Paths:
268            /usr/bin/neutron-server,   /usr/bin/quantum-server,  /usr/bin/neu‐
269            tron-l3-agent,    /usr/bin/neutron-rootwrap,     /usr/bin/quantum-
270            l3-agent,  /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent,
271            /usr/bin/neutron-dhcp-agent,          /usr/bin/quantum-dhcp-agent,
272            /usr/bin/neutron-lbaas-agent,        /usr/bin/neutron-ovs-cleanup,
273            /usr/bin/quantum-ovs-cleanup,      /usr/bin/neutron-netns-cleanup,
274            /usr/bin/neutron-metadata-agent,     /usr/bin/neutron-linuxbridge-
275            agent, /usr/bin/neutron-ns-metadata-proxy,  /usr/bin/neutron-open‐
276            vswitch-agent,  /usr/bin/quantum-linuxbridge-agent, /usr/bin/quan‐
277            tum-openvswitch-agent
278
279
280       neutron_initrc_exec_t
281
282       - Set files with the neutron_initrc_exec_t type, if you want to transi‐
283       tion an executable to the neutron_initrc_t domain.
284
285
286       Paths:
287            /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
288
289
290       neutron_log_t
291
292       -  Set files with the neutron_log_t type, if you want to treat the data
293       as neutron log data, usually stored under the /var/log directory.
294
295
296       Paths:
297            /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
298
299
300       neutron_tmp_t
301
302       - Set files with the neutron_tmp_t type, if you want to  store  neutron
303       temporary files in the /tmp directories.
304
305
306
307       neutron_unit_file_t
308
309       - Set files with the neutron_unit_file_t type, if you want to treat the
310       files as neutron unit content.
311
312
313       Paths:
314            /usr/lib/systemd/system/neutron.*,   /usr/lib/systemd/system/quan‐
315            tum.*
316
317
318       neutron_var_lib_t
319
320       -  Set  files with the neutron_var_lib_t type, if you want to store the
321       neutron files under the /var/lib directory.
322
323
324       Paths:
325            /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
326
327
328       neutron_var_run_t
329
330       - Set files with the neutron_var_run_t type, if you want to  store  the
331       neutron files under the /run or /var/run directory.
332
333
334       Paths:
335            /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
336
337
338       Note:  File context can be temporarily modified with the chcon command.
339       If you want to permanently change the file context you need to use  the
340       semanage fcontext command.  This will modify the SELinux labeling data‐
341       base.  You will need to use restorecon to apply the labels.
342
343

COMMANDS

345       semanage fcontext can also be used to manipulate default  file  context
346       mappings.
347
348       semanage  permissive  can  also  be used to manipulate whether or not a
349       process type is permissive.
350
351       semanage module can also be used to enable/disable/install/remove  pol‐
352       icy modules.
353
354       semanage port can also be used to manipulate the port definitions
355
356       semanage boolean can also be used to manipulate the booleans
357
358
359       system-config-selinux is a GUI tool available to customize SELinux pol‐
360       icy settings.
361
362

AUTHOR

364       This manual page was auto-generated using sepolicy manpage .
365
366