firewalld_selinux(8) SELinux Policy firewalld firewalld_selinux(8)

NAME

firewalld_selinux - Security Enhanced Linux Policy for the firewalld
processes

DESCRIPTION

Security-Enhanced Linux secures the firewalld processes via flexible
mandatory access control.

The firewalld processes execute with the firewalld_t SELinux type. You
can check whether these processes are running by executing the ps
command with the -Z qualifier.

For example:

ps -eZ | grep firewalld_t

ENTRYPOINTS

The firewalld_t SELinux type can be entered via the firewalld_exec_t
file type.

The default entrypoint paths for the firewalld_t domain are the
following:

/usr/sbin/firewalld

PROCESS TYPES

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
firewalld policy is very flexible, allowing users to set up their
firewalld processes in as secure a manner as possible.

The following process types are defined for firewalld:

firewalld_t

Note: semanage permissive -a firewalld_t can be used to make the
process type firewalld_t permissive. SELinux does not deny access to
permissive process types, but the AVC (SELinux denial) messages are
still generated.

BOOLEANS

SELinux policy is customizable based on the least access required.
firewalld policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run firewalld with the tightest
access possible.

If you want to allow users to resolve user passwd entries directly from
ldap rather than using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1

MANAGED FILES

The SELinux process type firewalld_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs DAC permissions on
those files.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

firewalld_etc_rw_t

/etc/firewalld(/.*)?

firewalld_tmp_t


firewalld_tmpfs_t


firewalld_var_run_t

/var/run/firewalld(/.*)?
/var/run/firewalld.pid

net_conf_t

/etc/hosts[^/]*
/etc/yp.conf.*
/etc/denyhosts.*
/etc/hosts.deny.*
/etc/resolv.conf.*
/etc/.resolv.conf.*
/etc/resolv-secure.conf.*
/var/run/cloud-init(/.*)?
/var/run/systemd/network(/.*)?
/etc/sysconfig/networking(/.*)?
/etc/sysconfig/network-scripts(/.*)?
/etc/sysconfig/network-scripts/.*resolv.conf
/var/run/NetworkManager/resolv.conf.*
/etc/ethers
/etc/ntp.conf
/var/run/systemd/resolve/resolv.conf
/var/run/systemd/resolve/stub-resolv.conf

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux firewalld policy is very flexible, allowing users to set up
their firewalld processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES

firewalld policy stores data with multiple different file context types
under the /var/run/firewalld directory. If you would like to store the
data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following commands:

semanage fcontext -a -e /var/run/firewalld /srv/firewalld
restorecon -R -v /srv/firewalld

STANDARD FILE CONTEXT

SELinux defines the file context types for firewalld. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t firewalld_unit_file_t '/srv/myfirewalld_content(/.*)?'
restorecon -R -v /srv/myfirewalld_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for firewalld:

firewalld_etc_rw_t

- Set files with the firewalld_etc_rw_t type, if you want to treat the
files as firewalld etc read/write content.

firewalld_exec_t

- Set files with the firewalld_exec_t type, if you want to transition
an executable to the firewalld_t domain.

firewalld_initrc_exec_t

- Set files with the firewalld_initrc_exec_t type, if you want to
transition an executable to the firewalld_initrc_t domain.

firewalld_tmp_t

- Set files with the firewalld_tmp_t type, if you want to store
firewalld temporary files in the /tmp directories.

firewalld_tmpfs_t

- Set files with the firewalld_tmpfs_t type, if you want to store
firewalld files on a tmpfs file system.

firewalld_unit_file_t

- Set files with the firewalld_unit_file_t type, if you want to treat
the files as firewalld unit content.

firewalld_var_log_t

- Set files with the firewalld_var_log_t type, if you want to treat the
data as firewalld var log data, usually stored under the /var/log
directory.

firewalld_var_run_t

- Set files with the firewalld_var_run_t type, if you want to store the
firewalld files under the /run or /var/run directory.

Paths:
/var/run/firewalld(/.*)?, /var/run/firewalld.pid

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will then need to use restorecon to apply the labels.

COMMANDS

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)

firewalld 19-06-18 firewalld_selinux(8)