pki_tomcat_selinux(8)      SELinux Policy pki_tomcat     pki_tomcat_selinux(8)

NAME

       pki_tomcat_selinux - Security Enhanced Linux Policy for the pki_tomcat
       processes


DESCRIPTION

       Security-Enhanced Linux secures the pki_tomcat processes via flexible
       mandatory access control.

       The pki_tomcat processes execute with the pki_tomcat_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep pki_tomcat_t


ENTRYPOINTS

       The pki_tomcat_t SELinux type can be entered via the pki_tomcat_exec_t
       file type.

       The default entrypoint paths for the pki_tomcat_t domain are the
       following:

       /usr/bin/pkidaemon


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files.  SELinux
       pki_tomcat policy is very flexible, allowing users to set up their
       pki_tomcat processes in as secure a manner as possible.

       The following process types are defined for pki_tomcat:

       pki_tomcat_t, pki_tomcat_script_t

       Note: semanage permissive -a pki_tomcat_t can be used to make the
       process type pki_tomcat_t permissive.  SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.

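       The following is an added example, not part of the sepolicy-generated
       page, showing how to triage the AVC messages mentioned above for the
       pki_tomcat_t domain from audit.log or ausearch output; the sample audit
       lines inside it are constructed.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: summarise
# AVC denials raised by the pki_tomcat_t domain. Input is audit.log or
# `ausearch -m avc` text on stdin; the sample below is constructed.

# Print one line per distinct (permissive flag, target type, permission
# set) seen for source type pki_tomcat_t, prefixed with a hit count.
# permissive=1 lines show what the domain would have been denied had it
# not been made permissive with `semanage permissive -a pki_tomcat_t`.
pki_avc_summary() {
    awk '
    /type=AVC/ && /scontext=[^ ]*:pki_tomcat_t:/ {
        perm = ""; ttype = ""; permissive = "?"
        # permission set, e.g. "{ read write }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        # third field of tcontext is the target SELinux type
        if (match($0, /tcontext=[^ ]*/)) {
            split(substr($0, RSTART + 9, RLENGTH - 9), f, ":")
            ttype = f[3]
        }
        if (match($0, /permissive=[01]/))
            permissive = substr($0, RSTART + 11, 1)
        key = "permissive=" permissive " tcontext_type=" ttype " perm={" perm "}"
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Constructed sample: two denials on a mislabelled log file (var_log_t
# instead of pki_tomcat_log_t), one execmem denial logged while the
# domain was permissive, and one unrelated httpd_t denial.
SAMPLE_AVC='type=AVC msg=audit(1570500001.123:456): avc:  denied  { write } for  pid=1234 comm="java" name="catalina.out" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1570500002.456:457): avc:  denied  { write } for  pid=1234 comm="java" name="catalina.out" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1570500003.789:458): avc:  denied  { execmem } for  pid=1234 comm="java" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process permissive=1
type=AVC msg=audit(1570500004.000:459): avc:  denied  { read } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_AVC" | pki_avc_summary
```

       A var_log_t target for a file under the pki_tomcat log directory points
       at a labeling problem (see restorecon below) rather than a policy gap.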

BOOLEANS

       SELinux policy is customizable based on least access required.
       pki_tomcat policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run pki_tomcat with the tightest
       access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow tomcat to use executable memory and executable
       stack, you must turn on the tomcat_use_execmem boolean. Disabled by
       default.

       setsebool -P tomcat_use_execmem 1

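       An added example (not from this generated page) that checks the six
       booleans above against the defaults documented here, reading
       getsebool -a output; the sample getsebool output it contains is
       constructed.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: compare the
# booleans documented above against their documented defaults. Input is
# `getsebool -a` style text on stdin ("name --> on|off"); the sample
# below is constructed.

# Documented defaults from this man page: "<boolean> <default>".
PKI_TOMCAT_BOOLEAN_DEFAULTS='authlogin_nsswitch_use_ldap off
fips_mode on
kerberos_enabled on
nis_enabled off
nscd_use_shm on
tomcat_use_execmem off'

# One line per boolean whose value differs from the documented default:
# "<boolean> current=<on|off|absent> default=<on|off>". "absent" means
# the loaded policy does not define the boolean at all.
pki_boolean_drift() {
    input=$(cat)
    printf '%s\n' "$PKI_TOMCAT_BOOLEAN_DEFAULTS" | while read -r name dflt; do
        cur=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$cur" ]; then
            echo "$name current=absent default=$dflt"
        elif [ "$cur" != "$dflt" ]; then
            echo "$name current=$cur default=$dflt"
        fi
    done
}

# Turn a drift report into the setsebool -P commands that restore the
# documented defaults. They are printed for review, not executed.
pki_boolean_restore_cmds() {
    awk '$2 != "current=absent" { sub(/^default=/, "", $3); print "setsebool -P", $1, $3 }'
}

# Constructed sample: kerberos_enabled turned off, tomcat_use_execmem on.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
fips_mode --> on
httpd_can_network_connect --> off
kerberos_enabled --> off
nis_enabled --> off
nscd_use_shm --> on
tomcat_use_execmem --> on'

printf '%s\n' "$SAMPLE_GETSEBOOL" | pki_boolean_drift | pki_boolean_restore_cmds
```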

MANAGED FILES

       The SELinux process type pki_tomcat_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       pki_common_t

            /opt/nfast(/.*)?

       pki_tomcat_cache_t

       pki_tomcat_cert_t

            /var/lib/pki-ca/alias(/.*)?
            /etc/pki/pki-tomcat/ca(/.*)?
            /var/lib/pki-kra/alias(/.*)?
            /var/lib/pki-tks/alias(/.*)?
            /var/lib/pki-ocsp/alias(/.*)?
            /etc/pki/pki-tomcat/alias(/.*)?
            /var/lib/ipa/pki-ca/publish(/.*)?

       pki_tomcat_etc_rw_t

            /etc/pki-ca(/.*)?
            /etc/pki-kra(/.*)?
            /etc/pki-tks(/.*)?
            /etc/pki-ocsp(/.*)?
            /etc/pki/pki-tomcat(/.*)?
            /etc/sysconfig/pki/tomcat(/.*)?

       pki_tomcat_lock_t

            /var/lock/subsys/pkidaemon

       pki_tomcat_log_t

            /var/log/pki-ca(/.*)?
            /var/log/pki-kra(/.*)?
            /var/log/pki-tks(/.*)?
            /var/log/pki-ocsp(/.*)?
            /var/log/pki/pki-tomcat(/.*)?

       pki_tomcat_tmp_t

       pki_tomcat_var_lib_t

            /var/lib/pki-ca(/.*)?
            /var/lib/pki-kra(/.*)?
            /var/lib/pki-tks(/.*)?
            /var/lib/pki-ocsp(/.*)?
            /var/lib/pki/pki-tomcat(/.*)?

       pki_tomcat_var_run_t

            /var/run/pki-ca.pid
            /var/run/pki-kra.pid
            /var/run/pki-tks.pid
            /var/run/pki-ocsp.pid
            /var/run/pki/tomcat(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       usr_t

            /opt/.*
            /usr/.*
            /emul/.*
            /export(/.*)?
            /ostree(/.*)?
            /usr/doc(/.*)?/lib(/.*)?
            /usr/inclu.e(/.*)?
            /usr/share/rpm(/.*)?
            /usr/share/doc(/.*)?/README.*
            /usr/lib/modules(/.*)/vmlinuz
            /usr/lib/modules(/.*)/initramfs.img
            /usr/lib/sysimage(/.*)?
            /usr/lib/ostree-boot(/.*)?
            /opt
            /usr
            /emul


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pki_tomcat policy is very flexible, allowing users to set up
       their pki_tomcat processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-ca directory.  If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca
       restorecon -R -v /srv/pki-ca

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-kra directory.  If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-kra /srv/pki-kra
       restorecon -R -v /srv/pki-kra

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-ocsp directory.  If you would like to
       store the data in a different directory you can use the semanage
       command to create an equivalence mapping.  If you wanted to store this
       data under the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-ocsp /srv/pki-ocsp
       restorecon -R -v /srv/pki-ocsp

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-tks directory.  If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-tks /srv/pki-tks
       restorecon -R -v /srv/pki-tks

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pki_tomcat.  If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t pki_tomcat_lock_t '/srv/mypki_tomcat_content(/.*)?'
       restorecon -R -v /srv/mypki_tomcat_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for pki_tomcat:

       pki_tomcat_cache_t

       - Set files with the pki_tomcat_cache_t type, if you want to store the
       files under the /var/cache directory.

       pki_tomcat_cert_t

       - Set files with the pki_tomcat_cert_t type, if you want to treat the
       files as pki tomcat certificate data.

       Paths:
            /var/lib/pki-ca/alias(/.*)?, /etc/pki/pki-tomcat/ca(/.*)?,
            /var/lib/pki-kra/alias(/.*)?, /var/lib/pki-tks/alias(/.*)?,
            /var/lib/pki-ocsp/alias(/.*)?, /etc/pki/pki-tomcat/alias(/.*)?,
            /var/lib/ipa/pki-ca/publish(/.*)?

       pki_tomcat_etc_rw_t

       - Set files with the pki_tomcat_etc_rw_t type, if you want to treat the
       files as pki tomcat etc read/write content.

       Paths:
            /etc/pki-ca(/.*)?, /etc/pki-kra(/.*)?, /etc/pki-tks(/.*)?,
            /etc/pki-ocsp(/.*)?, /etc/pki/pki-tomcat(/.*)?,
            /etc/sysconfig/pki/tomcat(/.*)?

       pki_tomcat_exec_t

       - Set files with the pki_tomcat_exec_t type, if you want to transition
       an executable to the pki_tomcat_t domain.

       pki_tomcat_lock_t

       - Set files with the pki_tomcat_lock_t type, if you want to treat the
       files as pki tomcat lock data, stored under the /var/lock directory.

       pki_tomcat_log_t

       - Set files with the pki_tomcat_log_t type, if you want to treat the
       data as pki tomcat log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/pki-ca(/.*)?, /var/log/pki-kra(/.*)?,
            /var/log/pki-tks(/.*)?, /var/log/pki-ocsp(/.*)?,
            /var/log/pki/pki-tomcat(/.*)?

       pki_tomcat_tmp_t

       - Set files with the pki_tomcat_tmp_t type, if you want to store pki
       tomcat temporary files in the /tmp directories.

       pki_tomcat_unit_file_t

       - Set files with the pki_tomcat_unit_file_t type, if you want to treat
       the files as pki tomcat unit content.

       pki_tomcat_var_lib_t

       - Set files with the pki_tomcat_var_lib_t type, if you want to store
       the pki tomcat files under the /var/lib directory.

       Paths:
            /var/lib/pki-ca(/.*)?, /var/lib/pki-kra(/.*)?,
            /var/lib/pki-tks(/.*)?, /var/lib/pki-ocsp(/.*)?,
            /var/lib/pki/pki-tomcat(/.*)?

       pki_tomcat_var_run_t

       - Set files with the pki_tomcat_var_run_t type, if you want to store
       the pki tomcat files under the /run or /var/run directory.

       Paths:
            /var/run/pki-ca.pid, /var/run/pki-kra.pid, /var/run/pki-tks.pid,
            /var/run/pki-ocsp.pid, /var/run/pki/tomcat(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling
       database.  You will need to use restorecon to apply the labels.

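       An added example (not part of the generated page) that applies the
       pki-tomcat instance patterns from the MANAGED FILES list to paths and
       flags labels that restorecon would change; the ls -Z style sample
       inside is constructed.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page: predict the
# type the pki_tomcat policy gives a path under the pki-tomcat instance
# directories, using the regular expressions listed in this page, and flag
# files whose observed label differs (the cases restorecon would fix).
# Only the pki-tomcat instance patterns are covered here; on a live system
# `matchpathcon` and `restorecon -nv` are authoritative.

# Pattern/type pairs from the page, anchored, most specific first so that,
# as in the real policy, /etc/pki/pki-tomcat/alias wins over
# /etc/pki/pki-tomcat.
PKI_TOMCAT_FC='^/etc/pki/pki-tomcat/alias(/.*)?$ pki_tomcat_cert_t
^/etc/pki/pki-tomcat/ca(/.*)?$ pki_tomcat_cert_t
^/etc/pki/pki-tomcat(/.*)?$ pki_tomcat_etc_rw_t
^/var/log/pki/pki-tomcat(/.*)?$ pki_tomcat_log_t
^/var/lib/pki/pki-tomcat(/.*)?$ pki_tomcat_var_lib_t
^/var/run/pki/tomcat(/.*)?$ pki_tomcat_var_run_t
^/var/lock/subsys/pkidaemon$ pki_tomcat_lock_t'

# Print the expected type for the path in $1, or "unknown".
pki_expected_type() {
    printf '%s\n' "$PKI_TOMCAT_FC" | awk -v p="$1" '
        p ~ $1 { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Read "context path" lines (as printed by `ls -Zd`) on stdin and report
# every covered path whose type differs from the expected one.
pki_label_drift() {
    while read -r ctx path; do
        observed=$(printf '%s\n' "$ctx" | cut -d: -f3)
        expected=$(pki_expected_type "$path")
        if [ "$expected" != unknown ] && [ "$observed" != "$expected" ]; then
            echo "$path observed=$observed expected=$expected"
        fi
    done
}

# Constructed sample: an NSS database copied into alias/ with the parent's
# type, and a log file created before the log directory was relabelled.
SAMPLE_LS_Z='system_u:object_r:pki_tomcat_etc_rw_t:s0 /etc/pki/pki-tomcat/server.xml
system_u:object_r:pki_tomcat_etc_rw_t:s0 /etc/pki/pki-tomcat/alias/cert9.db
system_u:object_r:var_log_t:s0 /var/log/pki/pki-tomcat/catalina.out
system_u:object_r:pki_tomcat_var_lib_t:s0 /var/lib/pki/pki-tomcat/webapps
system_u:object_r:usr_t:s0 /usr/share/pki/server/lib/example.jar'

printf '%s\n' "$SAMPLE_LS_Z" | pki_label_drift
```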

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), pki_tomcat_script_selinux(8)

pki_tomcat                         19-10-08              pki_tomcat_selinux(8)