1glusterd_selinux(8) SELinux Policy glusterd glusterd_selinux(8)
2
6 glusterd_selinux - Security Enhanced Linux Policy for the glusterd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the glusterd processes via flexible
11 mandatory access control.
12 The glusterd processes execute with the glusterd_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16 For example:
18 ps -eZ | grep glusterd_t
20
24 The glusterd_t SELinux type can be entered via the glusterd_exec_t file
25 type.
26 The default entrypoint paths for the glusterd_t domain are the follow‐
28 ing:
29 /opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/libexec/glus‐
31 terfs/peer_eventsapi.py, /usr/libexec/glusterfs/events/glus‐
32 tereventsd.py, /usr/sbin/glusterfsd, /usr/sbin/glustereventsd,
33 /usr/sbin/gluster-eventsapi
34
36 SELinux defines process types (domains) for each process running on the
37 system
38 You can see the context of a process using the -Z option to ps
40 Policy governs the access confined processes have to files. SELinux
42 glusterd policy is very flexible allowing users to setup their glusterd
43 processes in as secure a method as possible.
44 The following process types are defined for glusterd:
46 glusterd_t
48 Note: semanage permissive -a glusterd_t can be used to make the process
50 type glusterd_t permissive. SELinux does not deny access to permissive
51 process types, but the AVC (SELinux denials) messages are still gener‐
52 ated.
53
56 SELinux policy is customizable based on least access required. glus‐
57 terd policy is extremely flexible and has several booleans that allow
58 you to manipulate the policy and run glusterd with the tightest access
59 possible.
60 If you want to allow glusterfsd to share any file/directory read only,
64 you must turn on the gluster_export_all_ro boolean. Disabled by
65 default.
66 setsebool -P gluster_export_all_ro 1
68 If you want to allow glusterfsd to share any file/directory read/write,
72 you must turn on the gluster_export_all_rw boolean. Enabled by default.
73 setsebool -P gluster_export_all_rw 1
75 If you want to allow glusterd_t domain to use executable memory, you
79 must turn on the gluster_use_execmem boolean. Disabled by default.
80 setsebool -P gluster_use_execmem 1
82 If you want to allow users to resolve user passwd entries directly from
86 ldap rather then using a sssd server, you must turn on the authlo‐
87 gin_nsswitch_use_ldap boolean. Disabled by default.
88 setsebool -P authlogin_nsswitch_use_ldap 1
90 If you want to allow all domains to execute in fips_mode, you must turn
94 on the fips_mode boolean. Enabled by default.
95 setsebool -P fips_mode 1
97 If you want to allow confined applications to run with kerberos, you
101 must turn on the kerberos_enabled boolean. Enabled by default.
102 setsebool -P kerberos_enabled 1
104 If you want to allow system to run with NIS, you must turn on the
108 nis_enabled boolean. Disabled by default.
109 setsebool -P nis_enabled 1
111 If you want to allow confined applications to use nscd shared memory,
115 you must turn on the nscd_use_shm boolean. Disabled by default.
116 setsebool -P nscd_use_shm 1
118
122 SELinux defines port types to represent TCP and UDP ports.
123 You can see the types associated with a port by using the following
125 command:
126 semanage port -l
128 Policy governs the access confined processes have to these ports.
131 SELinux glusterd policy is very flexible allowing users to setup their
132 glusterd processes in as secure a method as possible.
133 The following port types are defined for glusterd:
135 gluster_port_t
138 Default Defined Ports:
142 tcp 38465-38469,24007-24027
143
145 The SELinux process type glusterd_t can manage files labeled with the
146 following file types. The paths listed are the default paths for these
147 file types. Note the processes UID still need to have DAC permissions.
148 cluster_conf_t
150 /etc/cluster(/.*)?
152 cluster_var_lib_t
154 /var/lib/pcsd(/.*)?
156 /var/lib/cluster(/.*)?
157 /var/lib/openais(/.*)?
158 /var/lib/pengine(/.*)?
159 /var/lib/corosync(/.*)?
160 /usr/lib/heartbeat(/.*)?
161 /var/lib/heartbeat(/.*)?
162 /var/lib/pacemaker(/.*)?
163 cluster_var_run_t
165 /var/run/crm(/.*)?
167 /var/run/cman_.*
168 /var/run/rsctmp(/.*)?
169 /var/run/aisexec.*
170 /var/run/heartbeat(/.*)?
171 /var/run/corosync-qnetd(/.*)?
172 /var/run/corosync-qdevice(/.*)?
173 /var/run/corosync.pid
174 /var/run/cpglockd.pid
175 /var/run/rgmanager.pid
176 /var/run/cluster/rgmanager.sk
177 glusterd_brick_t
179 glusterd_conf_t
182 /etc/glusterd(/.*)?
184 /etc/glusterfs(/.*)?
185 glusterd_log_t
187 /var/log/ganesha.log
189 /var/log/ganesha(/.*)?
190 /var/log/glusterfs(/.*)?
191 /var/log/ganesha-gfapi.log
192 glusterd_tmp_t
194 glusterd_tmpfs_t
197 glusterd_var_lib_t
200 /var/lib/glusterd(/.*)?
202 glusterd_var_run_t
204 /var/run/gluster(/.*)?
206 /var/run/glusterd.*
207 /var/run/glusterd.*
208 /var/run/glusterd(/.*)?
209 initrc_state_t
211 initrc_tmp_t
214 non_security_file_type
217 noxattrfs
220 all files on file systems which do not support extended attributes
222 public_content_rw_t
224 /var/spool/abrt-upload(/.*)?
226 root_t
228 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
230 /
231 /initrd
232 samba_etc_t
234 /etc/samba(/.*)?
236 systemd_passwd_var_run_t
238 /var/run/systemd/ask-password(/.*)?
240 /var/run/systemd/ask-password-block(/.*)?
241 user_tmp_t
243 /dev/shm/mono.*
245 /var/run/user(/.*)?
246 /tmp/.ICE-unix(/.*)?
247 /tmp/.X11-unix(/.*)?
248 /dev/shm/pulse-shm.*
249 /tmp/.X0-lock
250 /tmp/hsperfdata_root
251 /var/tmp/hsperfdata_root
252 /home/[^/]+/tmp
253 /home/[^/]+/.tmp
254 /tmp/gconfd-[^/]+
255 var_lib_nfs_t
257 /var/lib/nfs(/.*)?
259
262 SELinux requires files to have an extended attribute to define the file
263 type.
264 You can see the context of a file using the -Z option to ls
266 Policy governs the access confined processes have to these files.
268 SELinux glusterd policy is very flexible allowing users to setup their
269 glusterd processes in as secure a method as possible.
270 EQUIVALENCE DIRECTORIES
272 glusterd policy stores data with multiple different file context types
275 under the /var/log/ganesha directory. If you would like to store the
276 data in a different directory you can use the semanage command to cre‐
277 ate an equivalence mapping. If you wanted to store this data under the
278 /srv dirctory you would execute the following command:
279 semanage fcontext -a -e /var/log/ganesha /srv/ganesha
281 restorecon -R -v /srv/ganesha
282 glusterd policy stores data with multiple different file context types
284 under the /var/run/gluster directory. If you would like to store the
285 data in a different directory you can use the semanage command to cre‐
286 ate an equivalence mapping. If you wanted to store this data under the
287 /srv dirctory you would execute the following command:
288 semanage fcontext -a -e /var/run/gluster /srv/gluster
290 restorecon -R -v /srv/gluster
291 STANDARD FILE CONTEXT
293 SELinux defines the file context types for the glusterd, if you wanted
295 to store files with these types in a diffent paths, you need to execute
296 the semanage command to sepecify alternate labeling and then use
297 restorecon to put the labels on disk.
298 semanage fcontext -a -t glusterd_brick_t '/srv/myglusterd_con‐
300 tent(/.*)?'
301 restorecon -R -v /srv/myglusterd_content
302 Note: SELinux often uses regular expressions to specify labels that
304 match multiple files.
305 The following file types are defined for glusterd:
307 glusterd_brick_t
311 - Set files with the glusterd_brick_t type, if you want to treat the
313 files as glusterd brick data.
314 glusterd_conf_t
318 - Set files with the glusterd_conf_t type, if you want to treat the
320 files as glusterd configuration data, usually stored under the /etc
321 directory.
322 Paths:
325 /etc/glusterd(/.*)?, /etc/glusterfs(/.*)?
326 glusterd_exec_t
329 - Set files with the glusterd_exec_t type, if you want to transition an
331 executable to the glusterd_t domain.
332 Paths:
335 /opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/libexec/glus‐
336 terfs/peer_eventsapi.py, /usr/libexec/glusterfs/events/glus‐
337 tereventsd.py, /usr/sbin/glusterfsd, /usr/sbin/glustereventsd,
338 /usr/sbin/gluster-eventsapi
339 glusterd_initrc_exec_t
342 - Set files with the glusterd_initrc_exec_t type, if you want to tran‐
344 sition an executable to the glusterd_initrc_t domain.
345 Paths:
348 /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd
349 glusterd_log_t
352 - Set files with the glusterd_log_t type, if you want to treat the data
354 as glusterd log data, usually stored under the /var/log directory.
355 Paths:
358 /var/log/ganesha.log, /var/log/ganesha(/.*)?, /var/log/glus‐
359 terfs(/.*)?, /var/log/ganesha-gfapi.log
360 glusterd_tmp_t
363 - Set files with the glusterd_tmp_t type, if you want to store glusterd
365 temporary files in the /tmp directories.
366 glusterd_tmpfs_t
370 - Set files with the glusterd_tmpfs_t type, if you want to store glus‐
372 terd files on a tmpfs file system.
373 glusterd_var_lib_t
377 - Set files with the glusterd_var_lib_t type, if you want to store the
379 glusterd files under the /var/lib directory.
380 glusterd_var_run_t
384 - Set files with the glusterd_var_run_t type, if you want to store the
386 glusterd files under the /run or /var/run directory.
387 Paths:
390 /var/run/gluster(/.*)?, /var/run/glusterd.*, /var/run/glusterd.*,
391 /var/run/glusterd(/.*)?
392 Note: File context can be temporarily modified with the chcon command.
395 If you want to permanently change the file context you need to use the
396 semanage fcontext command. This will modify the SELinux labeling data‐
397 base. You will need to use restorecon to apply the labels.
398
401 If you want to share files with multiple domains (Apache, FTP, rsync,
402 Samba), you can set a file context of public_content_t and public_con‐
403 tent_rw_t. These context allow any of the above domains to read the
404 content. If you want a particular domain to write to the public_con‐
405 tent_rw_t domain, you must set the appropriate boolean.
406 Allow glusterd servers to read the /var/glusterd directory by adding
408 the public_content_t file type to the directory and by restoring the
409 file type.
410 semanage fcontext -a -t public_content_t "/var/glusterd(/.*)?"
412 restorecon -F -R -v /var/glusterd
413 Allow glusterd servers to read and write /var/glusterd/incoming by
415 adding the public_content_rw_t type to the directory and by restoring
416 the file type. You also need to turn on the glusterd_anon_write bool‐
417 ean.
418 semanage fcontext -a -t public_content_rw_t "/var/glusterd/incom‐
420 ing(/.*)?"
421 restorecon -F -R -v /var/glusterd/incoming
422 setsebool -P glusterd_anon_write 1
423 If you want to allow glusterfsd to modify public files used for public
426 file transfer services. Files/Directories must be labeled public_con‐
427 tent_rw_t., you must turn on the gluster_anon_write boolean.
428 setsebool -P gluster_anon_write 1
430
433 semanage fcontext can also be used to manipulate default file context
434 mappings.
435 semanage permissive can also be used to manipulate whether or not a
437 process type is permissive.
438 semanage module can also be used to enable/disable/install/remove pol‐
440 icy modules.
441 semanage port can also be used to manipulate the port definitions
443 semanage boolean can also be used to manipulate the booleans
445 system-config-selinux is a GUI tool available to customize SELinux pol‐
448 icy settings.
449
452 This manual page was auto-generated using sepolicy manpage .
453
456 selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1), sepol‐
457 icy(8), setsebool(8)
458glusterd 19-05-30 glusterd_selinux(8)