1neutron_selinux(8) SELinux Policy neutron neutron_selinux(8)
2
3
4
6 neutron_selinux - Security Enhanced Linux Policy for the neutron pro‐
7 cesses
8
10 Security-Enhanced Linux secures the neutron processes via flexible
11 mandatory access control.
12
13 The neutron processes execute with the neutron_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep neutron_t
20
21
22
24 The neutron_t SELinux type can be entered via the neutron_exec_t file
25 type.
26
27 The default entrypoint paths for the neutron_t domain are the follow‐
28 ing:
29
30 /usr/bin/neutron-server, /usr/bin/quantum-server, /usr/bin/neutron-
31 l3-agent, /usr/bin/neutron-rootwrap, /usr/bin/quantum-l3-agent,
32 /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent, /usr/bin/neu‐
33 tron-dhcp-agent, /usr/bin/quantum-dhcp-agent, /usr/bin/neutron-lbaas-
34 agent, /usr/bin/neutron-ovs-cleanup, /usr/bin/quantum-ovs-cleanup,
35 /usr/bin/neutron-netns-cleanup, /usr/bin/neutron-metadata-agent,
36 /usr/bin/neutron-linuxbridge-agent, /usr/bin/neutron-ns-metadata-proxy,
37 /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38 /usr/bin/quantum-openvswitch-agent
39
41 SELinux defines process types (domains) for each process running on the
42 system
43
44 You can see the context of a process using the -Z option to ps
45
46 Policy governs the access confined processes have to files. SELinux
47 neutron policy is very flexible allowing users to setup their neutron
48 processes in as secure a method as possible.
49
50 The following process types are defined for neutron:
51
52 neutron_t
53
54 Note: semanage permissive -a neutron_t can be used to make the process
55 type neutron_t permissive. SELinux does not deny access to permissive
56 process types, but the AVC (SELinux denials) messages are still gener‐
57 ated.
58
59
61 SELinux policy is customizable based on least access required. neutron
62 policy is extremely flexible and has several booleans that allow you to
63 manipulate the policy and run neutron with the tightest access possi‐
64 ble.
65
66
67
68 If you want to determine whether neutron can connect to all TCP ports,
69 you must turn on the neutron_can_network boolean. Disabled by default.
70
71 setsebool -P neutron_can_network 1
72
73
74
75 If you want to allow users to resolve user passwd entries directly from
76 ldap rather then using a sssd server, you must turn on the authlo‐
77 gin_nsswitch_use_ldap boolean. Disabled by default.
78
79 setsebool -P authlogin_nsswitch_use_ldap 1
80
81
82
83 If you want to allow all domains to execute in fips_mode, you must turn
84 on the fips_mode boolean. Enabled by default.
85
86 setsebool -P fips_mode 1
87
88
89
90 If you want to allow confined applications to run with kerberos, you
91 must turn on the kerberos_enabled boolean. Enabled by default.
92
93 setsebool -P kerberos_enabled 1
94
95
96
97 If you want to allow system to run with NIS, you must turn on the
98 nis_enabled boolean. Disabled by default.
99
100 setsebool -P nis_enabled 1
101
102
103
104 If you want to allow confined applications to use nscd shared memory,
105 you must turn on the nscd_use_shm boolean. Disabled by default.
106
107 setsebool -P nscd_use_shm 1
108
109
110
112 SELinux defines port types to represent TCP and UDP ports.
113
114 You can see the types associated with a port by using the following
115 command:
116
117 semanage port -l
118
119
120 Policy governs the access confined processes have to these ports.
121 SELinux neutron policy is very flexible allowing users to setup their
122 neutron processes in as secure a method as possible.
123
124 The following port types are defined for neutron:
125
126
127 neutron_port_t
128
129
130
131 Default Defined Ports:
132 tcp 8775,9696,9697
133
135 The SELinux process type neutron_t can manage files labeled with the
136 following file types. The paths listed are the default paths for these
137 file types. Note the processes UID still need to have DAC permissions.
138
139 cluster_conf_t
140
141 /etc/cluster(/.*)?
142
143 cluster_var_lib_t
144
145 /var/lib/pcsd(/.*)?
146 /var/lib/cluster(/.*)?
147 /var/lib/openais(/.*)?
148 /var/lib/pengine(/.*)?
149 /var/lib/corosync(/.*)?
150 /usr/lib/heartbeat(/.*)?
151 /var/lib/heartbeat(/.*)?
152 /var/lib/pacemaker(/.*)?
153
154 cluster_var_run_t
155
156 /var/run/crm(/.*)?
157 /var/run/cman_.*
158 /var/run/rsctmp(/.*)?
159 /var/run/aisexec.*
160 /var/run/heartbeat(/.*)?
161 /var/run/corosync-qnetd(/.*)?
162 /var/run/corosync-qdevice(/.*)?
163 /var/run/corosync.pid
164 /var/run/cpglockd.pid
165 /var/run/rgmanager.pid
166 /var/run/cluster/rgmanager.sk
167
168 faillog_t
169
170 /var/log/btmp.*
171 /var/log/faillog.*
172 /var/log/tallylog.*
173 /var/run/faillock(/.*)?
174
175 ifconfig_var_run_t
176
177 /var/run/netns(/.*)?
178
179 initrc_var_run_t
180
181 /var/run/utmp
182 /var/run/random-seed
183 /var/run/runlevel.dir
184 /var/run/setmixer_flag
185
186 krb5_host_rcache_t
187
188 /var/cache/krb5rcache(/.*)?
189 /var/tmp/nfs_0
190 /var/tmp/DNS_25
191 /var/tmp/host_0
192 /var/tmp/imap_0
193 /var/tmp/HTTP_23
194 /var/tmp/HTTP_48
195 /var/tmp/ldap_55
196 /var/tmp/ldap_487
197 /var/tmp/ldapmap1_0
198
199 krb5_keytab_t
200
201 /etc/krb5.keytab
202 /etc/krb5kdc/kadm5.keytab
203 /var/kerberos/krb5kdc/kadm5.keytab
204
205 lastlog_t
206
207 /var/log/lastlog.*
208
209 neutron_tmp_t
210
211
212 neutron_var_lib_t
213
214 /var/lib/neutron(/.*)?
215 /var/lib/quantum(/.*)?
216
217 neutron_var_run_t
218
219 /var/run/neutron(/.*)?
220 /var/run/quantum(/.*)?
221
222 root_t
223
224 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
225 /
226 /initrd
227
228 security_t
229
230 /selinux
231
232
234 SELinux requires files to have an extended attribute to define the file
235 type.
236
237 You can see the context of a file using the -Z option to ls
238
239 Policy governs the access confined processes have to these files.
240 SELinux neutron policy is very flexible allowing users to setup their
241 neutron processes in as secure a method as possible.
242
243 STANDARD FILE CONTEXT
244
245 SELinux defines the file context types for the neutron, if you wanted
246 to store files with these types in a diffent paths, you need to execute
247 the semanage command to sepecify alternate labeling and then use
248 restorecon to put the labels on disk.
249
250 semanage fcontext -a -t neutron_unit_file_t '/srv/myneutron_con‐
251 tent(/.*)?'
252 restorecon -R -v /srv/myneutron_content
253
254 Note: SELinux often uses regular expressions to specify labels that
255 match multiple files.
256
257 The following file types are defined for neutron:
258
259
260
261 neutron_exec_t
262
263 - Set files with the neutron_exec_t type, if you want to transition an
264 executable to the neutron_t domain.
265
266
267 Paths:
268 /usr/bin/neutron-server, /usr/bin/quantum-server, /usr/bin/neu‐
269 tron-l3-agent, /usr/bin/neutron-rootwrap, /usr/bin/quantum-
270 l3-agent, /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent,
271 /usr/bin/neutron-dhcp-agent, /usr/bin/quantum-dhcp-agent,
272 /usr/bin/neutron-lbaas-agent, /usr/bin/neutron-ovs-cleanup,
273 /usr/bin/quantum-ovs-cleanup, /usr/bin/neutron-netns-cleanup,
274 /usr/bin/neutron-metadata-agent, /usr/bin/neutron-linuxbridge-
275 agent, /usr/bin/neutron-ns-metadata-proxy, /usr/bin/neutron-open‐
276 vswitch-agent, /usr/bin/quantum-linuxbridge-agent, /usr/bin/quan‐
277 tum-openvswitch-agent
278
279
280 neutron_initrc_exec_t
281
282 - Set files with the neutron_initrc_exec_t type, if you want to transi‐
283 tion an executable to the neutron_initrc_t domain.
284
285
286 Paths:
287 /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
288
289
290 neutron_log_t
291
292 - Set files with the neutron_log_t type, if you want to treat the data
293 as neutron log data, usually stored under the /var/log directory.
294
295
296 Paths:
297 /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
298
299
300 neutron_tmp_t
301
302 - Set files with the neutron_tmp_t type, if you want to store neutron
303 temporary files in the /tmp directories.
304
305
306
307 neutron_unit_file_t
308
309 - Set files with the neutron_unit_file_t type, if you want to treat the
310 files as neutron unit content.
311
312
313 Paths:
314 /usr/lib/systemd/system/neutron.*, /usr/lib/systemd/system/quan‐
315 tum.*
316
317
318 neutron_var_lib_t
319
320 - Set files with the neutron_var_lib_t type, if you want to store the
321 neutron files under the /var/lib directory.
322
323
324 Paths:
325 /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
326
327
328 neutron_var_run_t
329
330 - Set files with the neutron_var_run_t type, if you want to store the
331 neutron files under the /run or /var/run directory.
332
333
334 Paths:
335 /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
336
337
338 Note: File context can be temporarily modified with the chcon command.
339 If you want to permanently change the file context you need to use the
340 semanage fcontext command. This will modify the SELinux labeling data‐
341 base. You will need to use restorecon to apply the labels.
342
343
345 semanage fcontext can also be used to manipulate default file context
346 mappings.
347
348 semanage permissive can also be used to manipulate whether or not a
349 process type is permissive.
350
351 semanage module can also be used to enable/disable/install/remove pol‐
352 icy modules.
353
354 semanage port can also be used to manipulate the port definitions
355
356 semanage boolean can also be used to manipulate the booleans
357
358
359 system-config-selinux is a GUI tool available to customize SELinux pol‐
360 icy settings.
361
362
364 This manual page was auto-generated using sepolicy manpage .
365
366
368 selinux(8), neutron(8), semanage(8), restorecon(8), chcon(1), sepol‐
369 icy(8), setsebool(8)
370
371
372
373neutron 19-05-30 neutron_selinux(8)