pegasus_selinux(8)          SELinux Policy pegasus          pegasus_selinux(8)

NAME
pegasus_selinux - Security Enhanced Linux Policy for the pegasus processes

DESCRIPTION
Security-Enhanced Linux secures the pegasus processes via flexible mandatory access control.

The pegasus processes execute with the pegasus_t SELinux type. You can check whether you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep pegasus_t


ENTRYPOINTS
The pegasus_t SELinux type can be entered via the pegasus_exec_t file type.

The default entrypoint paths for the pegasus_t domain are the following:

/usr/sbin/cimserver, /usr/sbin/init_repository

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux pegasus policy is very flexible, allowing users to set up their pegasus processes in as secure a manner as possible.

The following process types are defined for pegasus:

pegasus_t, pegasus_openlmi_admin_t, pegasus_openlmi_account_t, pegasus_openlmi_logicalfile_t, pegasus_openlmi_services_t, pegasus_openlmi_storage_t, pegasus_openlmi_system_t, pegasus_openlmi_unconfined_t

Note: semanage permissive -a pegasus_t can be used to make the process type pegasus_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.


BOOLEANS
SELinux policy is customizable based on the least access required. pegasus policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pegasus with the tightest access possible.

If you want to allow users to resolve user passwd entries directly from ldap rather than using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default.

setsebool -P nscd_use_shm 1

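Because each of these booleans widens what confined domains may do, it is worth checking periodically that they still match the settings you intended. The following Python check is an added illustration, not part of the generated man page: it compares the five booleans above against their documented defaults using getsebool-style "name --> on/off" lines, and emits the setsebool -P commands that would restore them. The getsebool output is a constructed sample, not captured from a real host.

```python
# Documented defaults of the booleans listed above (True = "Enabled by default").
DOCUMENTED_DEFAULTS = {
    "authlogin_nsswitch_use_ldap": False,
    "fips_mode": True,
    "kerberos_enabled": True,
    "nis_enabled": False,
    "nscd_use_shm": True,
}

def parse_getsebool(output):
    """Parse 'getsebool -a' style lines ("name --> on") into {name: bool}."""
    state = {}
    for line in output.splitlines():
        name, sep, value = line.partition("-->")
        if sep:
            state[name.strip()] = value.strip() == "on"
    return state

def boolean_drift(state, defaults=DOCUMENTED_DEFAULTS):
    """Return {name: (documented, current)} for every boolean whose current
    value differs from its documented default. A boolean missing from the
    output is reported with current=None rather than silently passing."""
    return {name: (documented, state.get(name))
            for name, documented in defaults.items()
            if state.get(name) != documented}

def restore_commands(drift):
    """setsebool -P lines that return each drifted boolean to its default.
    Booleans the running policy does not know about (current=None) get none."""
    return ["setsebool -P %s %d" % (name, documented)
            for name, (documented, current) in sorted(drift.items())
            if current is not None]

# Constructed sample of getsebool output for a host where NIS was switched
# on and nscd shared memory was switched off; not captured from a real system.
SAMPLE_OUTPUT = """\
authlogin_nsswitch_use_ldap --> off
fips_mode --> on
kerberos_enabled --> on
nis_enabled --> on
nscd_use_shm --> off
"""

def audit(output=SAMPLE_OUTPUT):
    """Convenience entry point: the drift dictionary and the commands that fix it."""
    drift = boolean_drift(parse_getsebool(output))
    return drift, restore_commands(drift)
```

On a live host, feed it the real output with `getsebool -a` (or `getsebool` with the five names) instead of SAMPLE_OUTPUT.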
PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

semanage port -l

Policy governs the access confined processes have to these ports. SELinux pegasus policy is very flexible, allowing users to set up their pegasus processes in as secure a manner as possible.

The following port types are defined for pegasus:

pegasus_http_port_t

Default Defined Ports:
tcp 5988

pegasus_https_port_t

Default Defined Ports:
tcp 5989

MANAGED FILES
The SELinux process type pegasus_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

initrc_var_run_t

/var/run/utmp
/var/run/random-seed
/var/run/runlevel.dir
/var/run/setmixer_flag

krb5_host_rcache_t

/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

krb5_keytab_t

/etc/krb5.keytab
/etc/krb5kdc/kadm5.keytab
/var/kerberos/krb5kdc/kadm5.keytab

pegasus_cache_t

pegasus_data_t

/var/lib/Pegasus(/.*)?
/etc/Pegasus/pegasus_current.conf
/etc/Pegasus/cimserver_current.conf

pegasus_tmp_t

pegasus_var_run_t

/var/run/tog-pegasus(/.*)?

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

samba_etc_t

/etc/samba(/.*)?

sysfs_t

/sys(/.*)?

virt_etc_rw_t

/etc/xen/[^/]*
/etc/xen/.*/.*
/etc/libvirt/[^/]*
/etc/libvirt/.*/.*

virt_etc_t

/etc/xen/[^/]*
/etc/libvirt/[^/]*
/etc/xen
/etc/libvirt

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux pegasus policy is very flexible, allowing users to set up their pegasus processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for pegasus. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t pegasus_openlmi_storage_var_run_t '/srv/mypegasus_content(/.*)?'
restorecon -R -v /srv/mypegasus_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.
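To make the regular-expression matching concrete, here is an added Python model of how a path is resolved against specs like those listed under MANAGED FILES and the semanage fcontext example above. It is not part of the generated man page and is a simplified model of libselinux lookup (each regex is anchored at both ends, the last matching entry wins, and entries added with semanage are consulted after the distribution ones); the spec subset and the test paths are constructed from this page.

```python
import re

# Constructed subset of the specs listed under MANAGED FILES above, in
# (anchored regex, SELinux type) form; dots are escaped as in file_contexts.
DISTRIBUTION_SPECS = [
    (r"/", "root_t"),
    (r"/sys(/.*)?", "sysfs_t"),
    (r"/etc/cluster(/.*)?", "cluster_conf_t"),
    (r"/etc/krb5\.keytab", "krb5_keytab_t"),
    (r"/var/log/faillog.*", "faillog_t"),
    (r"/var/run/faillock(/.*)?", "faillog_t"),
    (r"/var/lib/Pegasus(/.*)?", "pegasus_data_t"),
    (r"/etc/Pegasus/cimserver_current\.conf", "pegasus_data_t"),
    (r"/var/run/tog-pegasus(/.*)?", "pegasus_var_run_t"),
]

# The entry the STANDARD FILE CONTEXT example adds with 'semanage fcontext -a'.
# semanage stores it in file_contexts.local, which is consulted after the
# distribution specs, so a local entry can override them for the paths it matches.
LOCAL_SPECS = [
    (r"/srv/mypegasus_content(/.*)?", "pegasus_openlmi_storage_var_run_t"),
]

def lookup_type(path, specs=None):
    """Return the type the labeling database would assign to path, or None.

    Simplified model of libselinux selabel_lookup(): every regex is anchored
    at both ends (re.fullmatch) and the specs are scanned from last to first,
    so the last matching entry wins. Trailing slashes are dropped first.
    """
    if specs is None:
        specs = DISTRIBUTION_SPECS + LOCAL_SPECS
    path = path.rstrip("/") or "/"
    for pattern, setype in reversed(specs):
        if re.fullmatch(pattern, path):
            return setype
    return None

def relabel_plan(paths, specs=None):
    """Map each path to the type restorecon would apply; None means 'left alone'."""
    return {p: lookup_type(p, specs) for p in paths}
```

Compare the model's answer with `matchpathcon <path>` on a real host; where they differ, the host has additional or more specific specs than this constructed subset.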

The following file types are defined for pegasus:

pegasus_cache_t

- Set files with the pegasus_cache_t type if you want to store the files under the /var/cache directory.

pegasus_conf_t

- Set files with the pegasus_conf_t type if you want to treat the files as pegasus configuration data, usually stored under the /etc directory.

pegasus_data_t

- Set files with the pegasus_data_t type if you want to treat the files as pegasus content.

Paths:
/var/lib/Pegasus(/.*)?, /etc/Pegasus/pegasus_current.conf, /etc/Pegasus/cimserver_current.conf

pegasus_exec_t

- Set files with the pegasus_exec_t type if you want to transition an executable to the pegasus_t domain.

Paths:
/usr/sbin/cimserver, /usr/sbin/init_repository

pegasus_mof_t

- Set files with the pegasus_mof_t type if you want to treat the files as pegasus mof data.

pegasus_openlmi_account_exec_t

- Set files with the pegasus_openlmi_account_exec_t type if you want to transition an executable to the pegasus_openlmi_account_t domain.

pegasus_openlmi_admin_exec_t

- Set files with the pegasus_openlmi_admin_exec_t type if you want to transition an executable to the pegasus_openlmi_admin_t domain.

Paths:
/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt, /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt

pegasus_openlmi_logicalfile_exec_t

- Set files with the pegasus_openlmi_logicalfile_exec_t type if you want to transition an executable to the pegasus_openlmi_logicalfile_t domain.

pegasus_openlmi_services_exec_t

- Set files with the pegasus_openlmi_services_exec_t type if you want to transition an executable to the pegasus_openlmi_services_t domain.

pegasus_openlmi_storage_exec_t

- Set files with the pegasus_openlmi_storage_exec_t type if you want to transition an executable to the pegasus_openlmi_storage_t domain.

Paths:
/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt, /usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt

pegasus_openlmi_storage_lib_t

- Set files with the pegasus_openlmi_storage_lib_t type if you want to treat the files as pegasus openlmi storage lib data.

pegasus_openlmi_storage_tmp_t

- Set files with the pegasus_openlmi_storage_tmp_t type if you want to store pegasus openlmi storage temporary files in the /tmp directories.

pegasus_openlmi_storage_var_run_t

- Set files with the pegasus_openlmi_storage_var_run_t type if you want to store the pegasus openlmi storage files under the /run or /var/run directory.

pegasus_openlmi_system_exec_t

- Set files with the pegasus_openlmi_system_exec_t type if you want to transition an executable to the pegasus_openlmi_system_t domain.

Paths:
/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt, /usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt, /usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt

pegasus_openlmi_unconfined_exec_t

- Set files with the pegasus_openlmi_unconfined_exec_t type if you want to transition an executable to the pegasus_openlmi_unconfined_t domain.

pegasus_tmp_t

- Set files with the pegasus_tmp_t type if you want to store pegasus temporary files in the /tmp directories.

pegasus_var_run_t

- Set files with the pegasus_var_run_t type if you want to store the pegasus files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context, you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will then need to use restorecon to apply the labels.

COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), pegasus_openlmi_account_selinux(8), pegasus_openlmi_admin_selinux(8), pegasus_openlmi_logicalfile_selinux(8), pegasus_openlmi_services_selinux(8), pegasus_openlmi_storage_selinux(8), pegasus_openlmi_system_selinux(8), pegasus_openlmi_unconfined_selinux(8)

pegasus                           19-10-08                 pegasus_selinux(8)