1iscsid_selinux(8) SELinux Policy iscsid iscsid_selinux(8)
2
3
4
6 iscsid_selinux - Security Enhanced Linux Policy for the iscsid pro‐
7 cesses
8
10 Security-Enhanced Linux secures the iscsid processes via flexible
11 mandatory access control.
12
13 The iscsid processes execute with the iscsid_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep iscsid_t
20
21
22
24 The iscsid_t SELinux type can be entered via the iscsid_exec_t file
25 type.
26
27 The default entrypoint paths for the iscsid_t domain are the following:
28
29 /sbin/iscsid, /sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/iscsiadm,
30 /usr/sbin/iscsiuio
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 iscsid policy is very flexible allowing users to setup their iscsid
40 processes in as secure a method as possible.
41
42 The following process types are defined for iscsid:
43
44 iscsid_t
45
46 Note: semanage permissive -a iscsid_t can be used to make the process
47 type iscsid_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. iscsid
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run iscsid with the tightest access possible.
56
57
58
59 If you want to allow users to resolve user passwd entries directly from
60 ldap rather then using a sssd server, you must turn on the authlo‐
61 gin_nsswitch_use_ldap boolean. Disabled by default.
62
63 setsebool -P authlogin_nsswitch_use_ldap 1
64
65
66
67 If you want to allow all domains to execute in fips_mode, you must turn
68 on the fips_mode boolean. Enabled by default.
69
70 setsebool -P fips_mode 1
71
72
73
74 If you want to allow confined applications to run with kerberos, you
75 must turn on the kerberos_enabled boolean. Enabled by default.
76
77 setsebool -P kerberos_enabled 1
78
79
80
81 If you want to allow system to run with NIS, you must turn on the
82 nis_enabled boolean. Disabled by default.
83
84 setsebool -P nis_enabled 1
85
86
87
88 If you want to allow confined applications to use nscd shared memory,
89 you must turn on the nscd_use_shm boolean. Disabled by default.
90
91 setsebool -P nscd_use_shm 1
92
93
94
95 If you want to disable kernel module loading, you must turn on the
96 secure_mode_insmod boolean. Enabled by default.
97
98 setsebool -P secure_mode_insmod 1
99
100
101
103 SELinux defines port types to represent TCP and UDP ports.
104
105 You can see the types associated with a port by using the following
106 command:
107
108 semanage port -l
109
110
111 Policy governs the access confined processes have to these ports.
112 SELinux iscsid policy is very flexible allowing users to setup their
113 iscsid processes in as secure a method as possible.
114
115 The following port types are defined for iscsid:
116
117
118 iscsi_port_t
119
120
121
122 Default Defined Ports:
123 tcp 3260
124
126 The SELinux process type iscsid_t can manage files labeled with the
127 following file types. The paths listed are the default paths for these
128 file types. Note the processes UID still need to have DAC permissions.
129
130 cluster_conf_t
131
132 /etc/cluster(/.*)?
133
134 cluster_var_lib_t
135
136 /var/lib/pcsd(/.*)?
137 /var/lib/cluster(/.*)?
138 /var/lib/openais(/.*)?
139 /var/lib/pengine(/.*)?
140 /var/lib/corosync(/.*)?
141 /usr/lib/heartbeat(/.*)?
142 /var/lib/heartbeat(/.*)?
143 /var/lib/pacemaker(/.*)?
144
145 cluster_var_run_t
146
147 /var/run/crm(/.*)?
148 /var/run/cman_.*
149 /var/run/rsctmp(/.*)?
150 /var/run/aisexec.*
151 /var/run/heartbeat(/.*)?
152 /var/run/corosync-qnetd(/.*)?
153 /var/run/corosync-qdevice(/.*)?
154 /var/run/corosync.pid
155 /var/run/cpglockd.pid
156 /var/run/rgmanager.pid
157 /var/run/cluster/rgmanager.sk
158
159 iscsi_lock_t
160
161 /var/lock/iscsi(/.*)?
162
163 iscsi_tmp_t
164
165
166 iscsi_var_lib_t
167
168 /var/lib/iscsi(/.*)?
169
170 iscsi_var_run_t
171
172 /var/run/iscsid.pid
173 /var/run/iscsiuio.pid
174
175 root_t
176
177 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
178 /
179 /initrd
180
181 sysfs_t
182
183 /sys(/.*)?
184
185 systemd_passwd_var_run_t
186
187 /var/run/systemd/ask-password(/.*)?
188 /var/run/systemd/ask-password-block(/.*)?
189
190
192 SELinux requires files to have an extended attribute to define the file
193 type.
194
195 You can see the context of a file using the -Z option to ls
196
197 Policy governs the access confined processes have to these files.
198 SELinux iscsid policy is very flexible allowing users to setup their
199 iscsid processes in as secure a method as possible.
200
201 The following file types are defined for iscsid:
202
203
204
205 iscsid_exec_t
206
207 - Set files with the iscsid_exec_t type, if you want to transition an
208 executable to the iscsid_t domain.
209
210
211 Paths:
212 /sbin/iscsid, /sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/iscsi‐
213 adm, /usr/sbin/iscsiuio
214
215
216 Note: File context can be temporarily modified with the chcon command.
217 If you want to permanently change the file context you need to use the
218 semanage fcontext command. This will modify the SELinux labeling data‐
219 base. You will need to use restorecon to apply the labels.
220
221
223 semanage fcontext can also be used to manipulate default file context
224 mappings.
225
226 semanage permissive can also be used to manipulate whether or not a
227 process type is permissive.
228
229 semanage module can also be used to enable/disable/install/remove pol‐
230 icy modules.
231
232 semanage port can also be used to manipulate the port definitions
233
234 semanage boolean can also be used to manipulate the booleans
235
236
237 system-config-selinux is a GUI tool available to customize SELinux pol‐
238 icy settings.
239
240
242 This manual page was auto-generated using sepolicy manpage .
243
244
246 selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1), sepol‐
247 icy(8), setsebool(8)
248
249
250
251iscsid 19-06-18 iscsid_selinux(8)