1webalizer_selinux(8) SELinux Policy webalizer webalizer_selinux(8)
2
3
4
6 webalizer_selinux - Security Enhanced Linux Policy for the webalizer
7 processes
8
10 Security-Enhanced Linux secures the webalizer processes via flexible
11 mandatory access control.
12
13 The webalizer processes execute with the webalizer_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep webalizer_t
20
21
22
24 The webalizer_t SELinux type can be entered via the webalizer_exec_t
25 file type.
26
27 The default entrypoint paths for the webalizer_t domain are the follow‐
28 ing:
29
30 /usr/bin/awffull, /usr/bin/webalizer, /usr/bin/webazolver
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 webalizer policy is very flexible allowing users to setup their webal‐
40 izer processes in as secure a method as possible.
41
42 The following process types are defined for webalizer:
43
44 webalizer_t, webalizer_script_t
45
46 Note: semanage permissive -a webalizer_t can be used to make the
47 process type webalizer_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required. webal‐
54 izer policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run webalizer with the tightest access
56 possible.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Enabled by default.
77
78 setsebool -P kerberos_enabled 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84
85 setsebool -P nis_enabled 1
86
87
88
89 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Enabled by default.
91
92 setsebool -P nscd_use_shm 1
93
94
95
97 The SELinux process type webalizer_t can manage files labeled with the
98 following file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100
101 anon_inodefs_t
102
103
104 httpd_sys_content_t
105
106 /srv/([^/]*/)?www(/.*)?
107 /var/www(/.*)?
108 /etc/htdig(/.*)?
109 /srv/gallery2(/.*)?
110 /var/lib/trac(/.*)?
111 /var/lib/htdig(/.*)?
112 /var/www/icons(/.*)?
113 /usr/share/glpi(/.*)?
114 /usr/share/htdig(/.*)?
115 /usr/share/drupal.*
116 /usr/share/z-push(/.*)?
117 /var/www/svn/conf(/.*)?
118 /usr/share/icecast(/.*)?
119 /var/lib/cacti/rra(/.*)?
120 /usr/share/ntop/html(/.*)?
121 /usr/share/nginx/html(/.*)?
122 /usr/share/doc/ghc/html(/.*)?
123 /usr/share/openca/htdocs(/.*)?
124 /usr/share/selinux-policy[^/]*/html(/.*)?
125
126 webalizer_tmp_t
127
128
129 webalizer_var_lib_t
130
131 /var/lib/webalizer(/.*)?
132
133
135 SELinux requires files to have an extended attribute to define the file
136 type.
137
138 You can see the context of a file using the -Z option to ls
139
140 Policy governs the access confined processes have to these files.
141 SELinux webalizer policy is very flexible allowing users to setup their
142 webalizer processes in as secure a method as possible.
143
144 STANDARD FILE CONTEXT
145
146 SELinux defines the file context types for the webalizer, if you wanted
147 to store files with these types in a diffent paths, you need to execute
148 the semanage command to sepecify alternate labeling and then use
149 restorecon to put the labels on disk.
150
151 semanage fcontext -a -t webalizer_ra_content_t '/srv/mywebalizer_con‐
152 tent(/.*)?'
153 restorecon -R -v /srv/mywebalizer_content
154
155 Note: SELinux often uses regular expressions to specify labels that
156 match multiple files.
157
158 The following file types are defined for webalizer:
159
160
161
162 webalizer_content_t
163
164 - Set files with the webalizer_content_t type, if you want to treat the
165 files as webalizer content.
166
167
168
169 webalizer_etc_t
170
171 - Set files with the webalizer_etc_t type, if you want to store webal‐
172 izer files in the /etc directories.
173
174
175
176 webalizer_exec_t
177
178 - Set files with the webalizer_exec_t type, if you want to transition
179 an executable to the webalizer_t domain.
180
181
182 Paths:
183 /usr/bin/awffull, /usr/bin/webalizer, /usr/bin/webazolver
184
185
186 webalizer_htaccess_t
187
188 - Set files with the webalizer_htaccess_t type, if you want to treat
189 the file as a webalizer access file.
190
191
192
193 webalizer_ra_content_t
194
195 - Set files with the webalizer_ra_content_t type, if you want to treat
196 the files as webalizer read/append content.
197
198
199
200 webalizer_rw_content_t
201
202 - Set files with the webalizer_rw_content_t type, if you want to treat
203 the files as webalizer read/write content.
204
205
206
207 webalizer_script_exec_t
208
209 - Set files with the webalizer_script_exec_t type, if you want to tran‐
210 sition an executable to the webalizer_script_t domain.
211
212
213
214 webalizer_tmp_t
215
216 - Set files with the webalizer_tmp_t type, if you want to store webal‐
217 izer temporary files in the /tmp directories.
218
219
220
221 webalizer_usage_t
222
223 - Set files with the webalizer_usage_t type, if you want to treat the
224 files as webalizer usage data.
225
226
227
228 webalizer_var_lib_t
229
230 - Set files with the webalizer_var_lib_t type, if you want to store the
231 webalizer files under the /var/lib directory.
232
233
234
235 webalizer_write_t
236
237 - Set files with the webalizer_write_t type, if you want to treat the
238 files as webalizer read/write content.
239
240
241
242 Note: File context can be temporarily modified with the chcon command.
243 If you want to permanently change the file context you need to use the
244 semanage fcontext command. This will modify the SELinux labeling data‐
245 base. You will need to use restorecon to apply the labels.
246
247
249 semanage fcontext can also be used to manipulate default file context
250 mappings.
251
252 semanage permissive can also be used to manipulate whether or not a
253 process type is permissive.
254
255 semanage module can also be used to enable/disable/install/remove pol‐
256 icy modules.
257
258 semanage boolean can also be used to manipulate the booleans
259
260
261 system-config-selinux is a GUI tool available to customize SELinux pol‐
262 icy settings.
263
264
266 This manual page was auto-generated using sepolicy manpage .
267
268
270 selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1), sepol‐
271 icy(8), setsebool(8), webalizer_script_selinux(8), webal‐
272 izer_script_selinux(8)
273
274
275
276webalizer 19-10-08 webalizer_selinux(8)