openshift_selinux(8)       SELinux Policy openshift       openshift_selinux(8)


NAME

       openshift_selinux - Security Enhanced Linux Policy for the openshift
       processes


DESCRIPTION

       Security-Enhanced Linux secures the openshift processes via flexible
       mandatory access control.

       The openshift processes execute with the openshift_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep openshift_t



PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openshift policy is very flexible, allowing users to set up their
       openshift processes in as secure a method as possible.

       The following process types are defined for openshift:

       openshift_initrc_t, openshift_cgroup_read_t, openshift_net_read_t,
       openshift_cron_t, openshift_t, openshift_app_t, openshift_script_t,
       openshift_domain_t

       Note: semanage permissive -a openshift_t can be used to make the
       process type openshift_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.


MCS Constrained

       The SELinux process type openshift_t is an MCS (Multi Category
       Security) constrained type. Sometimes this separation is referred to as
       sVirt. These types are usually used for securing multi-tenant
       environments, such as virtualization, containers or separation of
       users. The tools used to launch MCS types pick out a different MCS
       label for each process group.

       For example, one process might be launched with openshift_t:s0:c1,c2,
       and another process launched with openshift_t:s0:c3,c4. The SELinux
       kernel only allows these processes to write to content with a
       matching MCS label, or an MCS label of s0. A process running with the
       MCS level of s0:c1,c2 is not allowed to write to content with the MCS
       label of s0:c3,c4.

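       The following Python script is an added illustration, not part of the
       generated manual page. It parses a constructed sample of ps -eZ output
       (the rows, PIDs and commands are made up for the example), picks out
       the processes whose type field is exactly openshift_t, and applies the
       MCS write rule described above. The rule is implemented as level
       dominance (the process's category set must contain the file's), of
       which the page's two permitted cases, an identical label and a plain
       s0 label, are instances; the Process record and the function names are
       this example's own.

```python
from typing import NamedTuple

# Constructed sample of `ps -eZ` output (not captured from a real host): two
# confined gears with different MCS categories, an initrc process and a shell.
SAMPLE_PS_EZ = """\
LABEL                                         PID TTY          TIME CMD
system_u:system_r:openshift_t:s0:c1,c2       2231 ?        00:00:03 ruby
system_u:system_r:openshift_t:s0:c3,c4       2278 ?        00:00:01 node
system_u:system_r:openshift_initrc_t:s0      1980 ?        00:00:00 mcollectived
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3011 pts/0 00:00:00 bash
"""


class Process(NamedTuple):
    pid: int
    user: str
    role: str
    type: str
    level: str
    cmd: str


def parse_ps_line(line: str) -> Process:
    """Parse one `ps -eZ` row. The MCS level may itself contain ':' (as in
    s0-s0:c0.c1023), so the label is split into at most four fields."""
    label, pid, _tty, _time, cmd = line.split(None, 4)
    user, role, type_, level = label.split(":", 3)
    return Process(int(pid), user, role, type_, level, cmd.strip())


def parse_ps(output: str) -> list[Process]:
    rows = output.splitlines()[1:]  # drop the LABEL/PID header row
    return [parse_ps_line(row) for row in rows if row.strip()]


def processes_of_type(output: str, type_name: str) -> list[Process]:
    """The `ps -eZ | grep openshift_t` check from the page, but comparing the
    type field exactly instead of as a substring, so command-line arguments
    that happen to contain the string do not produce false hits."""
    return [p for p in parse_ps(output) if p.type == type_name]


def parse_level(level: str) -> tuple[int, frozenset[int]]:
    """Return (sensitivity number, category set) for the high end of a level:
    "s0" -> (0, {}), "s0:c1,c2" -> (0, {1, 2}),
    "s0-s0:c0.c1023" -> high part "s0:c0.c1023" -> (0, {0..1023})."""
    high = level.split("-")[-1]
    sens, _, cats = high.partition(":")
    categories = set()
    for item in cats.split(",") if cats else []:
        if "." in item:  # a range such as c0.c1023
            lo, hi = item.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(item[1:]))
    return int(sens[1:]), frozenset(categories)


def mcs_may_write(process_level: str, file_level: str) -> bool:
    """MCS write rule: the process level must dominate the file level, i.e.
    its sensitivity is at least the file's and its category set is a superset
    of the file's. An identical label (equal sets) and a plain s0 label
    (empty set) are both dominated; s0:c3,c4 is not dominated by s0:c1,c2."""
    p_sens, p_cats = parse_level(process_level)
    f_sens, f_cats = parse_level(file_level)
    return p_sens >= f_sens and p_cats >= f_cats


def cross_write_pairs(output: str, type_name: str = "openshift_t") -> list[tuple[int, int]]:
    """Pairs (writer_pid, victim_pid) of same-type processes where the writer's
    level dominates the victim's, i.e. where the sVirt separation is not in
    effect. An empty list means every process group is isolated from the others."""
    procs = processes_of_type(output, type_name)
    return [(a.pid, b.pid) for a in procs for b in procs
            if a.pid != b.pid and mcs_may_write(a.level, b.level)]


if __name__ == "__main__":
    for p in processes_of_type(SAMPLE_PS_EZ, "openshift_t"):
        print(p.pid, p.level, p.cmd)
    print("cross-write pairs:", cross_write_pairs(SAMPLE_PS_EZ))
```

       Feeding real ps -eZ output into cross_write_pairs is a quick way to
       confirm that the launcher really did hand out distinct category sets:
       two openshift_t processes that share a level, or one running at plain
       s0, show up as a pair.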

BOOLEANS

       SELinux policy is customizable based on least access required.
       openshift policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openshift with the tightest
       access possible.



       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1



       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1



       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1



       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1


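       The following Python script is an added example, not part of the
       generated manual page. It records the booleans and defaults listed
       above, parses a constructed sample of getsebool -a output (two values
       have been changed on purpose), reports the booleans that have drifted
       from the documented defaults and produces the setsebool -P commands
       that would restore them. The defaults table is taken from this page;
       whether it matches the policy installed on a given host is an
       assumption, and getsebool -a is the authoritative source there.

```python
# Booleans and defaults as documented in this manual page (assumed to match
# the installed policy; `getsebool -a` is authoritative on a given host).
DOCUMENTED_DEFAULTS = {
    "authlogin_nsswitch_use_ldap": False,
    "deny_ptrace": True,
    "fips_mode": True,
    "kerberos_enabled": True,
    "nis_enabled": False,
    "nscd_use_shm": False,
}

# Constructed sample of `getsebool -a` output, trimmed to the booleans above,
# with deny_ptrace and nis_enabled deliberately changed from the defaults.
SAMPLE_GETSEBOOL = """\
authlogin_nsswitch_use_ldap --> off
deny_ptrace --> off
fips_mode --> on
kerberos_enabled --> on
nis_enabled --> on
nscd_use_shm --> off
"""


def parse_getsebool(output: str) -> dict[str, bool]:
    """Turn `getsebool -a` lines ("name --> on|off") into a name -> bool map."""
    state = {}
    for line in output.splitlines():
        name, sep, value = line.partition(" --> ")
        if sep:
            state[name.strip()] = value.strip() == "on"
    return state


def drift(current: dict[str, bool], expected: dict[str, bool]) -> list[tuple[str, bool, bool]]:
    """(name, current, expected) for every expected boolean whose value differs;
    a boolean missing from the host is reported with current=None."""
    return [(name, current.get(name), want)
            for name, want in sorted(expected.items())
            if current.get(name) is not want]


def remediation_commands(current: dict[str, bool], expected: dict[str, bool]) -> list[str]:
    """The setsebool invocations that restore the expected state. -P writes the
    value to the policy store so it survives a reboot; without it the change is
    lost at the next policy reload."""
    return [f"setsebool -P {name} {'1' if want else '0'}"
            for name, _have, want in drift(current, expected)]


if __name__ == "__main__":
    state = parse_getsebool(SAMPLE_GETSEBOOL)
    for name, have, want in drift(state, DOCUMENTED_DEFAULTS):
        print(f"{name}: is {have}, documented default {want}")
    print("\n".join(remediation_commands(state, DOCUMENTED_DEFAULTS)))
```

       On a real host, replace SAMPLE_GETSEBOOL with the output of getsebool
       -a and review the printed commands before running any of them; a
       boolean that was switched on deliberately (for example nis_enabled on
       a NIS client) is not drift.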

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l


       Policy governs the access confined processes have to these ports.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a method as possible.

       The following port types are defined for openshift:


       openshift_port_t



MANAGED FILES

       The SELinux process type openshift_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       anon_inodefs_t


       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       nfs_t


       openshift_file_type


       openshift_rw_file_t

            /var/lib/openshift/.*/data(/.*)?
            /var/lib/stickshift/.*/data(/.*)?

       openshift_tmp_t

            /var/lib/openshift/.*/.tmp(/.*)?
            /var/lib/openshift/.*/.sandbox(/.*)?
            /var/lib/stickshift/.*/.tmp(/.*)?
            /var/lib/stickshift/.*/.sandbox(/.*)?

       openshift_tmpfs_t


       postfix_spool_t

            /var/spool/postfix.*
            /var/spool/postfix/defer(/.*)?
            /var/spool/postfix/flush(/.*)?
            /var/spool/postfix/deferred(/.*)?
            /var/spool/postfix/maildrop(/.*)?

       security_t

            /selinux



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES


       openshift policy stores data with multiple different file context types
       under the /var/lib/openshift directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/openshift /srv/openshift
       restorecon -R -v /srv/openshift

       openshift policy stores data with multiple different file context types
       under the /var/lib/stickshift directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/stickshift /srv/stickshift
       restorecon -R -v /srv/stickshift

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openshift. If you want to
       store files with these types in a different path, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t openshift_domain_tmp_t '/srv/myopenshift_content(/.*)?'
       restorecon -R -v /srv/myopenshift_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

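       The following Python script is an added example, not part of the
       generated manual page. It collects the openshift file context regexes
       from the "Paths:" lists further down this page together with the two
       equivalence mappings above, and resolves the type a path would receive
       from restorecon: the path is first rewritten through any equivalence
       (so /srv/openshift/... is labeled as /var/lib/openshift/...), then
       every spec is matched as an anchored regex and the one with the longest
       literal prefix wins, later entries winning ties. That ordering is an
       approximation of how libselinux sorts file_contexts and is an
       assumption of this example, as are the function names; only openshift's
       own specs are included, so paths outside them resolve to None here
       although the full policy would give them some other type. The page's
       own semanage fcontext -a -t example is shown as a spec appended to the
       list.

```python
import re

# File context specs taken from the "Paths:" lists on this page (regex -> type).
# Only openshift's own specs are included, so paths outside them resolve to
# None here even though the real policy would label them with another type.
PAGE_FILE_CONTEXTS = [
    (r"/var/lib/openshift(/.*)?", "openshift_var_lib_t"),
    (r"/var/lib/stickshift(/.*)?", "openshift_var_lib_t"),
    (r"/var/lib/containers/home(/.*)?", "openshift_var_lib_t"),
    (r"/var/lib/openshift/.*/data(/.*)?", "openshift_rw_file_t"),
    (r"/var/lib/stickshift/.*/data(/.*)?", "openshift_rw_file_t"),
    (r"/var/lib/openshift/.*/.tmp(/.*)?", "openshift_tmp_t"),
    (r"/var/lib/openshift/.*/.sandbox(/.*)?", "openshift_tmp_t"),
    (r"/var/lib/stickshift/.*/.tmp(/.*)?", "openshift_tmp_t"),
    (r"/var/lib/stickshift/.*/.sandbox(/.*)?", "openshift_tmp_t"),
    (r"/var/log/openshift(/.*)?", "openshift_log_t"),
    (r"/var/log/mcollective.log.*", "openshift_log_t"),
    (r"/var/run/openshift(/.*)?", "openshift_var_run_t"),
    (r"/var/run/stickshift(/.*)?", "openshift_var_run_t"),
]

# Equivalence mappings as created by the page's
# `semanage fcontext -a -e /var/lib/openshift /srv/openshift`: a path under the
# substitute directory is labeled as if it lived under the target directory.
PAGE_EQUIVALENCES = {
    "/srv/openshift": "/var/lib/openshift",
    "/srv/stickshift": "/var/lib/stickshift",
}

_REGEX_META = re.compile(r"[.^$?*+|()\[\]{}\\]")


def literal_prefix(regex: str) -> str:
    """Characters before the first regex metacharacter; the length of this
    prefix decides which of several matching specs is the most specific."""
    m = _REGEX_META.search(regex)
    return regex if m is None else regex[: m.start()]


def apply_equivalence(path: str, equivalences: dict[str, str]) -> str:
    """Rewrite a path under an equivalence substitute to its target, matching
    on a whole directory component so that /srv/openshift2 is left alone."""
    for substitute, target in equivalences.items():
        if path == substitute or path.startswith(substitute + "/"):
            return target + path[len(substitute):]
    return path


def resolve_type(path: str, specs=PAGE_FILE_CONTEXTS, equivalences=PAGE_EQUIVALENCES):
    """Label a path the way restorecon would (assumption: longest literal
    prefix wins, later entries win ties, approximating libselinux's ordering
    of file_contexts). Returns the type, or None when no spec matches."""
    path = apply_equivalence(path, equivalences)
    best = None
    for index, (regex, ftype) in enumerate(specs):
        if re.fullmatch(regex, path):
            key = (len(literal_prefix(regex)), index)
            if best is None or key > best[0]:
                best = (key, ftype)
    return None if best is None else best[1]


def label_report(paths, specs=PAGE_FILE_CONTEXTS, equivalences=PAGE_EQUIVALENCES):
    """Map each path to its resolved type; diffing this against `ls -Z` on the
    host is one way to spot files that restorecon would relabel."""
    return {p: resolve_type(p, specs, equivalences) for p in paths}


if __name__ == "__main__":
    # The page's own custom spec, appended to the policy's list.
    custom = PAGE_FILE_CONTEXTS + [(r"/srv/myopenshift_content(/.*)?", "openshift_domain_tmp_t")]
    sample_paths = ["/srv/openshift/app1/data/db.sqlite",
                    "/var/lib/openshift/app1/.sandbox/x",
                    "/var/log/mcollective.log.1",
                    "/srv/myopenshift_content/a",
                    "/etc/passwd"]
    for path, ftype in label_report(sample_paths, custom).items():
        print(f"{ftype or '<no openshift spec>'}\t{path}")
```

       Note that the page writes these specs with an unescaped dot in .tmp
       and .sandbox; as regexes, that dot matches any single character, which
       is how the policy itself behaves, so the example keeps the specs
       verbatim rather than escaping them.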
       The following file types are defined for openshift:


       openshift_cgroup_read_exec_t

       - Set files with the openshift_cgroup_read_exec_t type, if you want to
       transition an executable to the openshift_cgroup_read_t domain.


       openshift_cgroup_read_tmp_t

       - Set files with the openshift_cgroup_read_tmp_t type, if you want to
       store openshift cgroup read temporary files in the /tmp directories.


       openshift_content_t

       - Set files with the openshift_content_t type, if you want to treat the
       files as openshift content.


       openshift_cron_exec_t

       - Set files with the openshift_cron_exec_t type, if you want to
       transition an executable to the openshift_cron_t domain.


       openshift_cron_tmp_t

       - Set files with the openshift_cron_tmp_t type, if you want to store
       openshift cron temporary files in the /tmp directories.


       openshift_domain_tmp_t

       - Set files with the openshift_domain_tmp_t type, if you want to store
       openshift domain temporary files in the /tmp directories.


       openshift_htaccess_t

       - Set files with the openshift_htaccess_t type, if you want to treat
       the file as an openshift access file.


       openshift_initrc_exec_t

       - Set files with the openshift_initrc_exec_t type, if you want to
       transition an executable to the openshift_initrc_t domain.

       Paths:
            /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer,
            /usr/s?bin/oo-admin-ctl-gears, /usr/s?bin/(oo|rhc)-restorer-wrapper.sh,
            /etc/rc.d/init.d/libra, /etc/rc.d/init.d/mcollective


       openshift_initrc_tmp_t

       - Set files with the openshift_initrc_tmp_t type, if you want to store
       openshift initrc temporary files in the /tmp directories.


       openshift_log_t

       - Set files with the openshift_log_t type, if you want to treat the
       data as openshift log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/openshift(/.*)?, /var/log/mcollective.log.*


       openshift_net_read_exec_t

       - Set files with the openshift_net_read_exec_t type, if you want to
       transition an executable to the openshift_net_read_t domain.


       openshift_ra_content_t

       - Set files with the openshift_ra_content_t type, if you want to treat
       the files as openshift read/append content.


       openshift_rw_content_t

       - Set files with the openshift_rw_content_t type, if you want to treat
       the files as openshift read/write content.


       openshift_rw_file_t

       - Set files with the openshift_rw_file_t type, if you want to treat the
       files as openshift rw content.

       Paths:
            /var/lib/openshift/.*/data(/.*)?, /var/lib/stickshift/.*/data(/.*)?


       openshift_script_exec_t

       - Set files with the openshift_script_exec_t type, if you want to
       transition an executable to the openshift_script_t domain.


       openshift_tmp_t

       - Set files with the openshift_tmp_t type, if you want to store
       openshift temporary files in the /tmp directories.

       Paths:
            /var/lib/openshift/.*/.tmp(/.*)?, /var/lib/openshift/.*/.sandbox(/.*)?,
            /var/lib/stickshift/.*/.tmp(/.*)?, /var/lib/stickshift/.*/.sandbox(/.*)?


       openshift_tmpfs_t

       - Set files with the openshift_tmpfs_t type, if you want to store
       openshift files on a tmpfs file system.


       openshift_var_lib_t

       - Set files with the openshift_var_lib_t type, if you want to store the
       openshift files under the /var/lib directory.

       Paths:
            /var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)?,
            /var/lib/containers/home(/.*)?


       openshift_var_run_t

       - Set files with the openshift_var_run_t type, if you want to store the
       openshift files under the /run or /var/run directory.

       Paths:
            /var/run/openshift(/.*)?, /var/run/stickshift(/.*)?


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), openshift_app_selinux(8),
       openshift_cgroup_read_selinux(8), openshift_cron_selinux(8),
       openshift_domain_selinux(8), openshift_initrc_selinux(8),
       openshift_net_read_selinux(8), openshift_script_selinux(8)



openshift                          19-05-30               openshift_selinux(8)