1pki_tomcat_selinux(8) SELinux Policy pki_tomcat pki_tomcat_selinux(8)
2
3
4
6 pki_tomcat_selinux - Security Enhanced Linux Policy for the pki_tomcat
7 processes
8
10 Security-Enhanced Linux secures the pki_tomcat processes via flexible
11 mandatory access control.
12
13 The pki_tomcat processes execute with the pki_tomcat_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep pki_tomcat_t
20
21
22
24 The pki_tomcat_t SELinux type can be entered via the pki_tomcat_exec_t
25 file type.
26
27 The default entrypoint paths for the pki_tomcat_t domain are the fol‐
28 lowing:
29
30 /usr/bin/pkidaemon
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 pki_tomcat policy is very flexible allowing users to setup their
40 pki_tomcat processes in as secure a method as possible.
41
42 The following process types are defined for pki_tomcat:
43
44 pki_tomcat_t, pki_tomcat_script_t
45
46 Note: semanage permissive -a pki_tomcat_t can be used to make the
47 process type pki_tomcat_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required.
54 pki_tomcat policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run pki_tomcat with the tightest
56 access possible.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Enabled by default.
77
78 setsebool -P kerberos_enabled 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84
85 setsebool -P nis_enabled 1
86
87
88
89 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Enabled by default.
91
92 setsebool -P nscd_use_shm 1
93
94
95
96 If you want to allow tomcat to use executable memory and executable
97 stack, you must turn on the tomcat_use_execmem boolean. Disabled by
98 default.
99
100 setsebool -P tomcat_use_execmem 1
101
102
103
105 The SELinux process type pki_tomcat_t can manage files labeled with the
106 following file types. The paths listed are the default paths for these
107 file types. Note the processes UID still need to have DAC permissions.
108
109 cluster_conf_t
110
111 /etc/cluster(/.*)?
112
113 cluster_var_lib_t
114
115 /var/lib/pcsd(/.*)?
116 /var/lib/cluster(/.*)?
117 /var/lib/openais(/.*)?
118 /var/lib/pengine(/.*)?
119 /var/lib/corosync(/.*)?
120 /usr/lib/heartbeat(/.*)?
121 /var/lib/heartbeat(/.*)?
122 /var/lib/pacemaker(/.*)?
123
124 cluster_var_run_t
125
126 /var/run/crm(/.*)?
127 /var/run/cman_.*
128 /var/run/rsctmp(/.*)?
129 /var/run/aisexec.*
130 /var/run/heartbeat(/.*)?
131 /var/run/corosync-qnetd(/.*)?
132 /var/run/corosync-qdevice(/.*)?
133 /var/run/corosync.pid
134 /var/run/cpglockd.pid
135 /var/run/rgmanager.pid
136 /var/run/cluster/rgmanager.sk
137
138 dirsrv_var_lib_t
139
140 /var/lib/dirsrv(/.*)?
141
142 pki_common_t
143
144 /opt/nfast(/.*)?
145
146 pki_tomcat_cache_t
147
148
149 pki_tomcat_cert_t
150
151 /var/lib/pki-ca/alias(/.*)?
152 /etc/pki/pki-tomcat/ca(/.*)?
153 /var/lib/pki-kra/alias(/.*)?
154 /var/lib/pki-tks/alias(/.*)?
155 /var/lib/pki-ocsp/alias(/.*)?
156 /etc/pki/pki-tomcat/alias(/.*)?
157 /var/lib/ipa/pki-ca/publish(/.*)?
158
159 pki_tomcat_etc_rw_t
160
161 /etc/pki-ca(/.*)?
162 /etc/pki-kra(/.*)?
163 /etc/pki-tks(/.*)?
164 /etc/pki-ocsp(/.*)?
165 /etc/pki/pki-tomcat(/.*)?
166 /etc/sysconfig/pki/tomcat(/.*)?
167
168 pki_tomcat_lock_t
169
170 /var/lock/subsys/pkidaemon
171
172 pki_tomcat_log_t
173
174 /var/log/pki-ca(/.*)?
175 /var/log/pki-kra(/.*)?
176 /var/log/pki-tks(/.*)?
177 /var/log/pki-ocsp(/.*)?
178 /var/log/pki/pki-tomcat(/.*)?
179
180 pki_tomcat_tmp_t
181
182
183 pki_tomcat_var_lib_t
184
185 /var/lib/pki-ca(/.*)?
186 /var/lib/pki-kra(/.*)?
187 /var/lib/pki-tks(/.*)?
188 /var/lib/pki-ocsp(/.*)?
189 /var/lib/pki/pki-tomcat(/.*)?
190
191 pki_tomcat_var_run_t
192
193 /var/run/pki-ca.pid
194 /var/run/pki-kra.pid
195 /var/run/pki-tks.pid
196 /var/run/pki-ocsp.pid
197 /var/run/pki/tomcat(/.*)?
198
199 root_t
200
201 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
202 /
203 /initrd
204
205 user_tmp_t
206
207 /dev/shm/mono.*
208 /var/run/user(/.*)?
209 /tmp/.ICE-unix(/.*)?
210 /tmp/.X11-unix(/.*)?
211 /dev/shm/pulse-shm.*
212 /tmp/.X0-lock
213 /tmp/hsperfdata_root
214 /var/tmp/hsperfdata_root
215 /home/[^/]+/tmp
216 /home/[^/]+/.tmp
217 /tmp/gconfd-[^/]+
218
219 usr_t
220
221 /opt/.*
222 /usr/.*
223 /emul/.*
224 /export(/.*)?
225 /ostree(/.*)?
226 /usr/doc(/.*)?/lib(/.*)?
227 /usr/inclu.e(/.*)?
228 /usr/share/rpm(/.*)?
229 /usr/share/doc(/.*)?/README.*
230 /usr/lib/modules(/.*)/vmlinuz
231 /usr/lib/modules(/.*)/initramfs.img
232 /usr/lib/sysimage(/.*)?
233 /usr/lib/ostree-boot(/.*)?
234 /opt
235 /usr
236 /emul
237
238
240 SELinux requires files to have an extended attribute to define the file
241 type.
242
243 You can see the context of a file using the -Z option to ls
244
245 Policy governs the access confined processes have to these files.
246 SELinux pki_tomcat policy is very flexible allowing users to setup
247 their pki_tomcat processes in as secure a method as possible.
248
249 EQUIVALENCE DIRECTORIES
250
251
252 pki_tomcat policy stores data with multiple different file context
253 types under the /var/lib/pki-ca directory. If you would like to store
254 the data in a different directory you can use the semanage command to
255 create an equivalence mapping. If you wanted to store this data under
256 the /srv dirctory you would execute the following command:
257
258 semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca
259 restorecon -R -v /srv/pki-ca
260
261 pki_tomcat policy stores data with multiple different file context
262 types under the /var/lib/pki-kra directory. If you would like to store
263 the data in a different directory you can use the semanage command to
264 create an equivalence mapping. If you wanted to store this data under
265 the /srv dirctory you would execute the following command:
266
267 semanage fcontext -a -e /var/lib/pki-kra /srv/pki-kra
268 restorecon -R -v /srv/pki-kra
269
270 pki_tomcat policy stores data with multiple different file context
271 types under the /var/lib/pki-ocsp directory. If you would like to
272 store the data in a different directory you can use the semanage com‐
273 mand to create an equivalence mapping. If you wanted to store this
274 data under the /srv dirctory you would execute the following command:
275
276 semanage fcontext -a -e /var/lib/pki-ocsp /srv/pki-ocsp
277 restorecon -R -v /srv/pki-ocsp
278
279 pki_tomcat policy stores data with multiple different file context
280 types under the /var/lib/pki-tks directory. If you would like to store
281 the data in a different directory you can use the semanage command to
282 create an equivalence mapping. If you wanted to store this data under
283 the /srv dirctory you would execute the following command:
284
285 semanage fcontext -a -e /var/lib/pki-tks /srv/pki-tks
286 restorecon -R -v /srv/pki-tks
287
288 STANDARD FILE CONTEXT
289
290 SELinux defines the file context types for the pki_tomcat, if you
291 wanted to store files with these types in a diffent paths, you need to
292 execute the semanage command to sepecify alternate labeling and then
293 use restorecon to put the labels on disk.
294
295 semanage fcontext -a -t pki_tomcat_lock_t '/srv/mypki_tomcat_con‐
296 tent(/.*)?'
297 restorecon -R -v /srv/mypki_tomcat_content
298
299 Note: SELinux often uses regular expressions to specify labels that
300 match multiple files.
301
302 The following file types are defined for pki_tomcat:
303
304
305
306 pki_tomcat_cache_t
307
308 - Set files with the pki_tomcat_cache_t type, if you want to store the
309 files under the /var/cache directory.
310
311
312
313 pki_tomcat_cert_t
314
315 - Set files with the pki_tomcat_cert_t type, if you want to treat the
316 files as pki tomcat certificate data.
317
318
319 Paths:
320 /var/lib/pki-ca/alias(/.*)?, /etc/pki/pki-tomcat/ca(/.*)?,
321 /var/lib/pki-kra/alias(/.*)?, /var/lib/pki-tks/alias(/.*)?,
322 /var/lib/pki-ocsp/alias(/.*)?, /etc/pki/pki-tomcat/alias(/.*)?,
323 /var/lib/ipa/pki-ca/publish(/.*)?
324
325
326 pki_tomcat_etc_rw_t
327
328 - Set files with the pki_tomcat_etc_rw_t type, if you want to treat the
329 files as pki tomcat etc read/write content.
330
331
332 Paths:
333 /etc/pki-ca(/.*)?, /etc/pki-kra(/.*)?, /etc/pki-tks(/.*)?,
334 /etc/pki-ocsp(/.*)?, /etc/pki/pki-tomcat(/.*)?, /etc/syscon‐
335 fig/pki/tomcat(/.*)?
336
337
338 pki_tomcat_exec_t
339
340 - Set files with the pki_tomcat_exec_t type, if you want to transition
341 an executable to the pki_tomcat_t domain.
342
343
344
345 pki_tomcat_lock_t
346
347 - Set files with the pki_tomcat_lock_t type, if you want to treat the
348 files as pki tomcat lock data, stored under the /var/lock directory
349
350
351
352 pki_tomcat_log_t
353
354 - Set files with the pki_tomcat_log_t type, if you want to treat the
355 data as pki tomcat log data, usually stored under the /var/log direc‐
356 tory.
357
358
359 Paths:
360 /var/log/pki-ca(/.*)?, /var/log/pki-kra(/.*)?, /var/log/pki-
361 tks(/.*)?, /var/log/pki-ocsp(/.*)?, /var/log/pki/pki-tomcat(/.*)?
362
363
364 pki_tomcat_tmp_t
365
366 - Set files with the pki_tomcat_tmp_t type, if you want to store pki
367 tomcat temporary files in the /tmp directories.
368
369
370
371 pki_tomcat_unit_file_t
372
373 - Set files with the pki_tomcat_unit_file_t type, if you want to treat
374 the files as pki tomcat unit content.
375
376
377
378 pki_tomcat_var_lib_t
379
380 - Set files with the pki_tomcat_var_lib_t type, if you want to store
381 the pki tomcat files under the /var/lib directory.
382
383
384 Paths:
385 /var/lib/pki-ca(/.*)?, /var/lib/pki-kra(/.*)?, /var/lib/pki-
386 tks(/.*)?, /var/lib/pki-ocsp(/.*)?, /var/lib/pki/pki-tomcat(/.*)?
387
388
389 pki_tomcat_var_run_t
390
391 - Set files with the pki_tomcat_var_run_t type, if you want to store
392 the pki tomcat files under the /run or /var/run directory.
393
394
395 Paths:
396 /var/run/pki-ca.pid, /var/run/pki-kra.pid, /var/run/pki-tks.pid,
397 /var/run/pki-ocsp.pid, /var/run/pki/tomcat(/.*)?
398
399
400 Note: File context can be temporarily modified with the chcon command.
401 If you want to permanently change the file context you need to use the
402 semanage fcontext command. This will modify the SELinux labeling data‐
403 base. You will need to use restorecon to apply the labels.
404
405
407 semanage fcontext can also be used to manipulate default file context
408 mappings.
409
410 semanage permissive can also be used to manipulate whether or not a
411 process type is permissive.
412
413 semanage module can also be used to enable/disable/install/remove pol‐
414 icy modules.
415
416 semanage boolean can also be used to manipulate the booleans
417
418
419 system-config-selinux is a GUI tool available to customize SELinux pol‐
420 icy settings.
421
422
424 This manual page was auto-generated using sepolicy manpage .
425
426
428 selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1), sepol‐
429 icy(8), setsebool(8), pki_tomcat_script_selinux(8), pki_tom‐
430 cat_script_selinux(8)
431
432
433
434pki_tomcat 19-10-08 pki_tomcat_selinux(8)