1smokeping_selinux(8) SELinux Policy smokeping smokeping_selinux(8)
2
3
4
6 smokeping_selinux - Security Enhanced Linux Policy for the smokeping
7 processes
8
10 Security-Enhanced Linux secures the smokeping processes via flexible
11 mandatory access control.
12
13 The smokeping processes execute with the smokeping_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep smokeping_t
20
21
22
24 The smokeping_t SELinux type can be entered via the smokeping_exec_t
25 file type.
26
27 The default entrypoint paths for the smokeping_t domain are the follow‐
28 ing:
29
30 /usr/sbin/smokeping
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 smokeping policy is very flexible allowing users to setup their
40 smokeping processes in as secure a method as possible.
41
42 The following process types are defined for smokeping:
43
44 smokeping_t, smokeping_cgi_script_t
45
46 Note: semanage permissive -a smokeping_t can be used to make the
47 process type smokeping_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required.
54 smokeping policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run smokeping with the tightest
56 access possible.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Enabled by default.
77
78 setsebool -P kerberos_enabled 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84
85 setsebool -P nis_enabled 1
86
87
88
89 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Enabled by default.
91
92 setsebool -P nscd_use_shm 1
93
94
95
97 The SELinux process type smokeping_t can manage files labeled with the
98 following file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100
101 cluster_conf_t
102
103 /etc/cluster(/.*)?
104
105 cluster_var_lib_t
106
107 /var/lib/pcsd(/.*)?
108 /var/lib/cluster(/.*)?
109 /var/lib/openais(/.*)?
110 /var/lib/pengine(/.*)?
111 /var/lib/corosync(/.*)?
112 /usr/lib/heartbeat(/.*)?
113 /var/lib/heartbeat(/.*)?
114 /var/lib/pacemaker(/.*)?
115
116 cluster_var_run_t
117
118 /var/run/crm(/.*)?
119 /var/run/cman_.*
120 /var/run/rsctmp(/.*)?
121 /var/run/aisexec.*
122 /var/run/heartbeat(/.*)?
123 /var/run/corosync-qnetd(/.*)?
124 /var/run/corosync-qdevice(/.*)?
125 /var/run/corosync.pid
126 /var/run/cpglockd.pid
127 /var/run/rgmanager.pid
128 /var/run/cluster/rgmanager.sk
129
130 root_t
131
132 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
133 /
134 /initrd
135
136 smokeping_var_lib_t
137
138 /var/lib/smokeping(/.*)?
139
140 smokeping_var_run_t
141
142 /var/run/smokeping(/.*)?
143
144
146 SELinux requires files to have an extended attribute to define the file
147 type.
148
149 You can see the context of a file using the -Z option to ls
150
151 Policy governs the access confined processes have to these files.
152 SELinux smokeping policy is very flexible allowing users to setup their
153 smokeping processes in as secure a method as possible.
154
155 STANDARD FILE CONTEXT
156
157 SELinux defines the file context types for the smokeping, if you wanted
158 to store files with these types in a diffent paths, you need to execute
159 the semanage command to sepecify alternate labeling and then use
160 restorecon to put the labels on disk.
161
162 semanage fcontext -a -t smokeping_cgi_ra_content_t
163 '/srv/mysmokeping_content(/.*)?'
164 restorecon -R -v /srv/mysmokeping_content
165
166 Note: SELinux often uses regular expressions to specify labels that
167 match multiple files.
168
169 The following file types are defined for smokeping:
170
171
172
173 smokeping_cgi_content_t
174
175 - Set files with the smokeping_cgi_content_t type, if you want to treat
176 the files as smokeping cgi content.
177
178
179
180 smokeping_cgi_htaccess_t
181
182 - Set files with the smokeping_cgi_htaccess_t type, if you want to
183 treat the file as a smokeping cgi access file.
184
185
186
187 smokeping_cgi_ra_content_t
188
189 - Set files with the smokeping_cgi_ra_content_t type, if you want to
190 treat the files as smokeping cgi read/append content.
191
192
193
194 smokeping_cgi_rw_content_t
195
196 - Set files with the smokeping_cgi_rw_content_t type, if you want to
197 treat the files as smokeping cgi read/write content.
198
199
200
201 smokeping_cgi_script_exec_t
202
203 - Set files with the smokeping_cgi_script_exec_t type, if you want to
204 transition an executable to the smokeping_cgi_script_t domain.
205
206
207
208 smokeping_exec_t
209
210 - Set files with the smokeping_exec_t type, if you want to transition
211 an executable to the smokeping_t domain.
212
213
214
215 smokeping_initrc_exec_t
216
217 - Set files with the smokeping_initrc_exec_t type, if you want to tran‐
218 sition an executable to the smokeping_initrc_t domain.
219
220
221
222 smokeping_var_lib_t
223
224 - Set files with the smokeping_var_lib_t type, if you want to store the
225 smokeping files under the /var/lib directory.
226
227
228
229 smokeping_var_run_t
230
231 - Set files with the smokeping_var_run_t type, if you want to store the
232 smokeping files under the /run or /var/run directory.
233
234
235
236 Note: File context can be temporarily modified with the chcon command.
237 If you want to permanently change the file context you need to use the
238 semanage fcontext command. This will modify the SELinux labeling data‐
239 base. You will need to use restorecon to apply the labels.
240
241
243 semanage fcontext can also be used to manipulate default file context
244 mappings.
245
246 semanage permissive can also be used to manipulate whether or not a
247 process type is permissive.
248
249 semanage module can also be used to enable/disable/install/remove pol‐
250 icy modules.
251
252 semanage boolean can also be used to manipulate the booleans
253
254
255 system-config-selinux is a GUI tool available to customize SELinux pol‐
256 icy settings.
257
258
260 This manual page was auto-generated using sepolicy manpage .
261
262
264 selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1), sepol‐
265 icy(8), setsebool(8), smokeping_cgi_script_selinux(8),
266 smokeping_cgi_script_selinux(8)
267
268
269
270smokeping 19-10-08 smokeping_selinux(8)