1openshift_app_selinux(8) SELinux Policy openshift_app openshift_app_selinux(8)
2
3
4

NAME

6       openshift_app_selinux  -  Security  Enhanced Linux Policy for the open‐
7       shift_app processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the openshift_app processes via  flexi‐
11       ble mandatory access control.
12
13       The  openshift_app  processes  execute with the openshift_app_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep openshift_app_t
20
21
22

PROCESS TYPES

24       SELinux defines process types (domains) for each process running on the
25       system
26
27       You can see the context of a process using the -Z option to ps
28
29       Policy governs the access confined processes have  to  files.   SELinux
30       openshift_app  policy  is  very  flexible allowing users to setup their
31       openshift_app processes in as secure a method as possible.
32
33       The following process types are defined for openshift_app:
34
35       openshift_app_t
36
37       Note: semanage permissive -a openshift_app_t can be used  to  make  the
38       process  type  openshift_app_t permissive. SELinux does not deny access
39       to permissive process types, but the AVC (SELinux denials) messages are
40       still generated.
41
42

MCS Constrained

44       The  SELinux  process  type  openshift_app_t  is an MCS (Multi Category
45       Security) constrained type.  Sometimes this separation is  referred  to
46       as  sVirt. These types are usually used for securing multi-tenant envi‐
47       ronments, such as virtualization, containers or  separation  of  users.
48       The  tools used to launch MCS types, pick out a different MCS label for
49       each process group.
50
51       For   example   one   process   might   be    launched    with    open‐
52       shift_app_t:s0:c1,c2,   and   another   process   launched  with  open‐
53       shift_app_t:s0:c3,c4. The SELinux kernel only  allows  these  processes
54       can  only write to content with a matching MCS label, or a MCS Label of
55       s0. A process running with the MCS level of s0:c1,c2 is not allowed  to
56       write to content with the MCS label of s0:c3,c4
57
58

BOOLEANS

60       SELinux  policy  is customizable based on least access required.  open‐
61       shift_app policy is extremely flexible and has  several  booleans  that
62       allow  you  to  manipulate  the  policy  and run openshift_app with the
63       tightest access possible.
64
65
66
67       If you want to allow users to resolve user passwd entries directly from
68       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
69       gin_nsswitch_use_ldap boolean. Disabled by default.
70
71       setsebool -P authlogin_nsswitch_use_ldap 1
72
73
74
75       If you want to deny any process from ptracing or  debugging  any  other
76       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
77       default.
78
79       setsebool -P deny_ptrace 1
80
81
82
83       If you want to allow all domains to execute in fips_mode, you must turn
84       on the fips_mode boolean. Enabled by default.
85
86       setsebool -P fips_mode 1
87
88
89
90       If  you  want  to allow confined applications to run with kerberos, you
91       must turn on the kerberos_enabled boolean. Enabled by default.
92
93       setsebool -P kerberos_enabled 1
94
95
96
97       If you want to allow system to run with  NIS,  you  must  turn  on  the
98       nis_enabled boolean. Disabled by default.
99
100       setsebool -P nis_enabled 1
101
102
103
104       If  you  want to allow confined applications to use nscd shared memory,
105       you must turn on the nscd_use_shm boolean. Disabled by default.
106
107       setsebool -P nscd_use_shm 1
108
109
110

MANAGED FILES

112       The SELinux process type openshift_app_t can manage files labeled  with
113       the  following  file types.  The paths listed are the default paths for
114       these file types.  Note the processes UID still need to have  DAC  per‐
115       missions.
116
117       anon_inodefs_t
118
119
120       hugetlbfs_t
121
122            /dev/hugepages
123            /usr/lib/udev/devices/hugepages
124
125       nfs_t
126
127
128       openshift_rw_file_t
129
130            /var/lib/openshift/.*/data(/.*)?
131            /var/lib/stickshift/.*/data(/.*)?
132
133       openshift_tmp_t
134
135            /var/lib/openshift/.*/.tmp(/.*)?
136            /var/lib/openshift/.*/.sandbox(/.*)?
137            /var/lib/stickshift/.*/.tmp(/.*)?
138            /var/lib/stickshift/.*/.sandbox(/.*)?
139
140       openshift_tmpfs_t
141
142
143       security_t
144
145            /selinux
146
147

COMMANDS

149       semanage  fcontext  can also be used to manipulate default file context
150       mappings.
151
152       semanage permissive can also be used to manipulate  whether  or  not  a
153       process type is permissive.
154
155       semanage  module can also be used to enable/disable/install/remove pol‐
156       icy modules.
157
158       semanage boolean can also be used to manipulate the booleans
159
160
161       system-config-selinux is a GUI tool available to customize SELinux pol‐
162       icy settings.
163
164

AUTHOR

166       This manual page was auto-generated using sepolicy manpage .
167
168

SEE ALSO

170       selinux(8),  openshift_app(8),  semanage(8),  restorecon(8),  chcon(1),
171       sepolicy(8), setsebool(8)
172
173
174
175openshift_app                      19-06-18           openshift_app_selinux(8)
Impressum