1ricci_modcluster_selinux(S8E)Linux Policy ricci_modclusrtiecrci_modcluster_selinux(8)
2
3
4

NAME

6       ricci_modcluster_selinux  -  Security  Enhanced  Linux  Policy  for the
7       ricci_modcluster processes
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  ricci_modcluster  processes  via
11       flexible mandatory access control.
12
13       The  ricci_modcluster  processes  execute  with  the ricci_modcluster_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep ricci_modcluster_t
20
21
22

ENTRYPOINTS

24       The  ricci_modcluster_t  SELinux type can be entered via the ricci_mod‐
25       cluster_exec_t file type.
26
27       The default entrypoint paths for the ricci_modcluster_t domain are  the
28       following:
29
30       /usr/libexec/modcluster
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       ricci_modcluster  policy is very flexible allowing users to setup their
40       ricci_modcluster processes in as secure a method as possible.
41
42       The following process types are defined for ricci_modcluster:
43
44       ricci_modcluster_t, ricci_modclusterd_t
45
46       Note: semanage permissive -a ricci_modcluster_t can be used to make the
47       process  type  ricci_modcluster_t  permissive.  SELinux  does  not deny
48       access to permissive process types, but the AVC (SELinux denials)  mes‐
49       sages are still generated.
50
51

BOOLEANS

53       SELinux   policy  is  customizable  based  on  least  access  required.
54       ricci_modcluster policy is extremely flexible and has several  booleans
55       that  allow  you to manipulate the policy and run ricci_modcluster with
56       the tightest access possible.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the kerberos_enabled boolean. Enabled by default.
77
78       setsebool -P kerberos_enabled 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       nis_enabled boolean. Disabled by default.
84
85       setsebool -P nis_enabled 1
86
87
88
89       If  you  want to allow confined applications to use nscd shared memory,
90       you must turn on the nscd_use_shm boolean. Disabled by default.
91
92       setsebool -P nscd_use_shm 1
93
94
95

PORT TYPES

97       SELinux defines port types to represent TCP and UDP ports.
98
99       You can see the types associated with a port  by  using  the  following
100       command:
101
102       semanage port -l
103
104
105       Policy  governs  the  access  confined  processes  have to these ports.
106       SELinux ricci_modcluster policy is very flexible allowing users to set‐
107       up their ricci_modcluster processes in as secure a method as possible.
108
109       The following port types are defined for ricci_modcluster:
110
111
112       ricci_modcluster_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 16851
118                 udp 16851
119

MANAGED FILES

121       The  SELinux  process  type ricci_modcluster_t can manage files labeled
122       with the following file types.  The paths listed are the default  paths
123       for  these  file  types.  Note the processes UID still need to have DAC
124       permissions.
125
126       cluster_conf_t
127
128            /etc/cluster(/.*)?
129
130       systemd_passwd_var_run_t
131
132            /var/run/systemd/ask-password(/.*)?
133            /var/run/systemd/ask-password-block(/.*)?
134
135

FILE CONTEXTS

137       SELinux requires files to have an extended attribute to define the file
138       type.
139
140       You can see the context of a file using the -Z option to ls
141
142       Policy  governs  the  access  confined  processes  have to these files.
143       SELinux ricci_modcluster policy is very flexible allowing users to set‐
144       up their ricci_modcluster processes in as secure a method as possible.
145
146       STANDARD FILE CONTEXT
147
148       SELinux defines the file context types for the ricci_modcluster, if you
149       wanted to store files with these types in a diffent paths, you need  to
150       execute  the  semanage  command to sepecify alternate labeling and then
151       use restorecon to put the labels on disk.
152
153       semanage fcontext -a  -t  ricci_modclusterd_tmpfs_t  '/srv/myricci_mod‐
154       cluster_content(/.*)?'
155       restorecon -R -v /srv/myricci_modcluster_content
156
157       Note:  SELinux  often  uses  regular expressions to specify labels that
158       match multiple files.
159
160       The following file types are defined for ricci_modcluster:
161
162
163
164       ricci_modcluster_exec_t
165
166       - Set files with the ricci_modcluster_exec_t type, if you want to tran‐
167       sition an executable to the ricci_modcluster_t domain.
168
169
170
171       ricci_modcluster_var_lib_t
172
173       -  Set  files  with the ricci_modcluster_var_lib_t type, if you want to
174       store the ricci modcluster files under the /var/lib directory.
175
176
177
178       ricci_modcluster_var_log_t
179
180       - Set files with the ricci_modcluster_var_log_t type, if  you  want  to
181       treat  the  data as ricci modcluster var log data, usually stored under
182       the /var/log directory.
183
184
185
186       ricci_modcluster_var_run_t
187
188       - Set files with the ricci_modcluster_var_run_t type, if  you  want  to
189       store the ricci modcluster files under the /run or /var/run directory.
190
191
192       Paths:
193            /var/run/clumond.sock, /var/run/modclusterd.pid
194
195
196       ricci_modclusterd_exec_t
197
198       -  Set  files  with  the  ricci_modclusterd_exec_t type, if you want to
199       transition an executable to the ricci_modclusterd_t domain.
200
201
202
203       ricci_modclusterd_tmpfs_t
204
205       - Set files with the ricci_modclusterd_tmpfs_t type,  if  you  want  to
206       store ricci modclusterd files on a tmpfs file system.
207
208
209
210       Note:  File context can be temporarily modified with the chcon command.
211       If you want to permanently change the file context you need to use  the
212       semanage fcontext command.  This will modify the SELinux labeling data‐
213       base.  You will need to use restorecon to apply the labels.
214
215

COMMANDS

217       semanage fcontext can also be used to manipulate default  file  context
218       mappings.
219
220       semanage  permissive  can  also  be used to manipulate whether or not a
221       process type is permissive.
222
223       semanage module can also be used to enable/disable/install/remove  pol‐
224       icy modules.
225
226       semanage port can also be used to manipulate the port definitions
227
228       semanage boolean can also be used to manipulate the booleans
229
230
231       system-config-selinux is a GUI tool available to customize SELinux pol‐
232       icy settings.
233
234

AUTHOR

236       This manual page was auto-generated using sepolicy manpage .
237
238

SEE ALSO

240       selinux(8), ricci_modcluster(8), semanage(8), restorecon(8),  chcon(1),
241       sepolicy(8), setsebool(8)
242
243
244
245ricci_modcluster                   19-06-18        ricci_modcluster_selinux(8)
Impressum