1cobblerd_selinux(8) SELinux Policy cobblerd cobblerd_selinux(8)
2
3
4
6 cobblerd_selinux - Security Enhanced Linux Policy for the cobblerd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the cobblerd processes via flexible
11 mandatory access control.
12
13 The cobblerd processes execute with the cobblerd_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep cobblerd_t
20
21
22
24 The cobblerd_t SELinux type can be entered via the cobblerd_exec_t file
25 type.
26
27 The default entrypoint paths for the cobblerd_t domain are the follow‐
28 ing:
29
30 /usr/bin/cobblerd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 cobblerd policy is very flexible allowing users to setup their cobblerd
40 processes in as secure a method as possible.
41
42 The following process types are defined for cobblerd:
43
44 cobblerd_t
45
46 Note: semanage permissive -a cobblerd_t can be used to make the process
47 type cobblerd_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. cob‐
54 blerd policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run cobblerd with the tightest access
56 possible.
57
58
59
60 If you want to determine whether Cobbler can connect to the network
61 using TCP, you must turn on the cobbler_can_network_connect boolean.
62 Disabled by default.
63
64 setsebool -P cobbler_can_network_connect 1
65
66
67
68 If you want to determine whether Cobbler can access cifs file systems,
69 you must turn on the cobbler_use_cifs boolean. Disabled by default.
70
71 setsebool -P cobbler_use_cifs 1
72
73
74
75 If you want to determine whether Cobbler can access nfs file systems,
76 you must turn on the cobbler_use_nfs boolean. Disabled by default.
77
78 setsebool -P cobbler_use_nfs 1
79
80
81
82 If you want to allow users to resolve user passwd entries directly from
83 ldap rather then using a sssd server, you must turn on the authlo‐
84 gin_nsswitch_use_ldap boolean. Disabled by default.
85
86 setsebool -P authlogin_nsswitch_use_ldap 1
87
88
89
90 If you want to allow all domains to execute in fips_mode, you must turn
91 on the fips_mode boolean. Enabled by default.
92
93 setsebool -P fips_mode 1
94
95
96
97 If you want to allow confined applications to run with kerberos, you
98 must turn on the kerberos_enabled boolean. Enabled by default.
99
100 setsebool -P kerberos_enabled 1
101
102
103
104 If you want to allow system to run with NIS, you must turn on the
105 nis_enabled boolean. Disabled by default.
106
107 setsebool -P nis_enabled 1
108
109
110
111 If you want to allow confined applications to use nscd shared memory,
112 you must turn on the nscd_use_shm boolean. Disabled by default.
113
114 setsebool -P nscd_use_shm 1
115
116
117
119 SELinux defines port types to represent TCP and UDP ports.
120
121 You can see the types associated with a port by using the following
122 command:
123
124 semanage port -l
125
126
127 Policy governs the access confined processes have to these ports.
128 SELinux cobblerd policy is very flexible allowing users to setup their
129 cobblerd processes in as secure a method as possible.
130
131 The following port types are defined for cobblerd:
132
133
134 cobbler_port_t
135
136
137
138 Default Defined Ports:
139 tcp 25151
140
142 The SELinux process type cobblerd_t can manage files labeled with the
143 following file types. The paths listed are the default paths for these
144 file types. Note the processes UID still need to have DAC permissions.
145
146 cifs_t
147
148
149 cluster_conf_t
150
151 /etc/cluster(/.*)?
152
153 cluster_var_lib_t
154
155 /var/lib/pcsd(/.*)?
156 /var/lib/cluster(/.*)?
157 /var/lib/openais(/.*)?
158 /var/lib/pengine(/.*)?
159 /var/lib/corosync(/.*)?
160 /usr/lib/heartbeat(/.*)?
161 /var/lib/heartbeat(/.*)?
162 /var/lib/pacemaker(/.*)?
163
164 cluster_var_run_t
165
166 /var/run/crm(/.*)?
167 /var/run/cman_.*
168 /var/run/rsctmp(/.*)?
169 /var/run/aisexec.*
170 /var/run/heartbeat(/.*)?
171 /var/run/corosync-qnetd(/.*)?
172 /var/run/corosync-qdevice(/.*)?
173 /var/run/corosync.pid
174 /var/run/cpglockd.pid
175 /var/run/rgmanager.pid
176 /var/run/cluster/rgmanager.sk
177
178 cobbler_tmp_t
179
180
181 cobbler_var_lib_t
182
183 /var/lib/cobbler(/.*)?
184 /var/www/cobbler(/.*)?
185 /var/cache/cobbler(/.*)?
186 /var/lib/tftpboot/etc(/.*)?
187 /var/lib/tftpboot/ppc(/.*)?
188 /var/lib/tftpboot/boot(/.*)?
189 /var/lib/tftpboot/grub(/.*)?
190 /var/lib/tftpboot/s390x(/.*)?
191 /var/lib/tftpboot/images(/.*)?
192 /var/lib/tftpboot/aarch64(/.*)?
193 /var/lib/tftpboot/images2(/.*)?
194 /var/lib/tftpboot/pxelinux.cfg(/.*)?
195 /var/lib/tftpboot/yaboot
196 /var/lib/tftpboot/memdisk
197 /var/lib/tftpboot/menu.c32
198 /var/lib/tftpboot/pxelinux.0
199
200 dhcp_etc_t
201
202 /etc/dhcpc.*
203 /etc/dhcp3?(/.*)?
204 /etc/dhcpd(6)?.conf
205 /etc/dhcp3?/dhclient.*
206 /etc/dhclient.*conf
207 /etc/dhcp/dhcpd(6)?.conf
208 /etc/dhclient-script
209
210 dnsmasq_etc_t
211
212 /etc/dnsmasq.d(/.*)?
213 /etc/dnsmasq.conf
214
215 named_conf_t
216
217 /etc/rndc.*
218 /etc/unbound(/.*)?
219 /var/named/chroot(/.*)?
220 /etc/named.rfc1912.zones
221 /var/named/chroot/etc/named.rfc1912.zones
222 /etc/named.conf
223 /var/named/named.ca
224 /etc/named.root.hints
225 /var/named/chroot/etc/named.conf
226 /etc/named.caching-nameserver.conf
227 /var/named/chroot/var/named/named.ca
228 /var/named/chroot/etc/named.root.hints
229 /var/named/chroot/etc/named.caching-nameserver.conf
230
231 named_zone_t
232
233 /var/named(/.*)?
234 /var/named/chroot/var/named(/.*)?
235
236 net_conf_t
237
238 /etc/hosts[^/]*
239 /etc/yp.conf.*
240 /etc/denyhosts.*
241 /etc/hosts.deny.*
242 /etc/resolv.conf.*
243 /etc/.resolv.conf.*
244 /etc/resolv-secure.conf.*
245 /var/run/cloud-init(/.*)?
246 /var/run/systemd/network(/.*)?
247 /etc/sysconfig/networking(/.*)?
248 /etc/sysconfig/network-scripts(/.*)?
249 /etc/sysconfig/network-scripts/.*resolv.conf
250 /var/run/NetworkManager/resolv.conf.*
251 /etc/ethers
252 /etc/ntp.conf
253 /var/run/systemd/resolve/resolv.conf
254 /var/run/systemd/resolve/stub-resolv.conf
255
256 nfs_t
257
258
259 public_content_rw_t
260
261 /var/spool/abrt-upload(/.*)?
262
263 root_t
264
265 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
266 /
267 /initrd
268
269 rsync_etc_t
270
271 /etc/rsyncd.conf
272
273 systemd_passwd_var_run_t
274
275 /var/run/systemd/ask-password(/.*)?
276 /var/run/systemd/ask-password-block(/.*)?
277
278 tftpd_etc_t
279
280 /etc/(x)?inetd.d/tftp
281
282
284 SELinux requires files to have an extended attribute to define the file
285 type.
286
287 You can see the context of a file using the -Z option to ls
288
289 Policy governs the access confined processes have to these files.
290 SELinux cobblerd policy is very flexible allowing users to setup their
291 cobblerd processes in as secure a method as possible.
292
293 The following file types are defined for cobblerd:
294
295
296
297 cobblerd_exec_t
298
299 - Set files with the cobblerd_exec_t type, if you want to transition an
300 executable to the cobblerd_t domain.
301
302
303
304 cobblerd_initrc_exec_t
305
306 - Set files with the cobblerd_initrc_exec_t type, if you want to tran‐
307 sition an executable to the cobblerd_initrc_t domain.
308
309
310
311 Note: File context can be temporarily modified with the chcon command.
312 If you want to permanently change the file context you need to use the
313 semanage fcontext command. This will modify the SELinux labeling data‐
314 base. You will need to use restorecon to apply the labels.
315
316
318 If you want to share files with multiple domains (Apache, FTP, rsync,
319 Samba), you can set a file context of public_content_t and public_con‐
320 tent_rw_t. These context allow any of the above domains to read the
321 content. If you want a particular domain to write to the public_con‐
322 tent_rw_t domain, you must set the appropriate boolean.
323
324 Allow cobblerd servers to read the /var/cobblerd directory by adding
325 the public_content_t file type to the directory and by restoring the
326 file type.
327
328 semanage fcontext -a -t public_content_t "/var/cobblerd(/.*)?"
329 restorecon -F -R -v /var/cobblerd
330
331 Allow cobblerd servers to read and write /var/cobblerd/incoming by
332 adding the public_content_rw_t type to the directory and by restoring
333 the file type. You also need to turn on the cobblerd_anon_write bool‐
334 ean.
335
336 semanage fcontext -a -t public_content_rw_t "/var/cobblerd/incom‐
337 ing(/.*)?"
338 restorecon -F -R -v /var/cobblerd/incoming
339 setsebool -P cobblerd_anon_write 1
340
341
342 If you want to determine whether Cobbler can modify public files used
343 for public file transfer services., you must turn on the cob‐
344 bler_anon_write boolean.
345
346 setsebool -P cobbler_anon_write 1
347
348
350 semanage fcontext can also be used to manipulate default file context
351 mappings.
352
353 semanage permissive can also be used to manipulate whether or not a
354 process type is permissive.
355
356 semanage module can also be used to enable/disable/install/remove pol‐
357 icy modules.
358
359 semanage port can also be used to manipulate the port definitions
360
361 semanage boolean can also be used to manipulate the booleans
362
363
364 system-config-selinux is a GUI tool available to customize SELinux pol‐
365 icy settings.
366
367
369 This manual page was auto-generated using sepolicy manpage .
370
371
373 selinux(8), cobblerd(8), semanage(8), restorecon(8), chcon(1), sepol‐
374 icy(8), setsebool(8)
375
376
377
378cobblerd 19-06-18 cobblerd_selinux(8)