1fenced_selinux(8)            SELinux Policy fenced           fenced_selinux(8)
2
3
4

NAME

6       fenced_selinux  -  Security  Enhanced  Linux Policy for the fenced pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  fenced  processes  via  flexible
11       mandatory access control.
12
13       The  fenced  processes  execute with the fenced_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep fenced_t
20
21
22

ENTRYPOINTS

24       The  fenced_t  SELinux  type  can be entered via the fenced_exec_t file
25       type.
26
27       The default entrypoint paths for the fenced_t domain are the following:
28
29       /usr/sbin/fenced,      /usr/sbin/fence_node,      /usr/sbin/fence_tool,
30       /usr/sbin/fence_virtd,    /usr/sbin/fence_sanlockd,    /usr/share/clus‐
31       ter/fence_scsi_check,             /usr/share/cluster/fence_mpath_check,
32       /usr/share/cluster/fence_scsi_check.pl,       /usr/lib/systemd/systemd-
33       fence_sanlockd,         /usr/share/cluster/fence_scsi_check_hardreboot,
34       /usr/share/cluster/fence_mpath_check_hardreboot
35

PROCESS TYPES

37       SELinux defines process types (domains) for each process running on the
38       system
39
40       You can see the context of a process using the -Z option to ps
41
42       Policy governs the access confined processes have  to  files.   SELinux
43       fenced  policy  is  very  flexible allowing users to setup their fenced
44       processes in as secure a method as possible.
45
46       The following process types are defined for fenced:
47
48       fenced_t
49
50       Note: semanage permissive -a fenced_t can be used to make  the  process
51       type  fenced_t  permissive.  SELinux does not deny access to permissive
52       process types, but the AVC (SELinux denials) messages are still  gener‐
53       ated.
54
55

BOOLEANS

57       SELinux  policy is customizable based on least access required.  fenced
58       policy is extremely flexible and has several booleans that allow you to
59       manipulate the policy and run fenced with the tightest access possible.
60
61
62
63       If you want to determine whether fenced can connect to the TCP network,
64       you must turn on the fenced_can_network_connect  boolean.  Disabled  by
65       default.
66
67       setsebool -P fenced_can_network_connect 1
68
69
70
71       If  you  want to determine whether fenced can use ssh, you must turn on
72       the fenced_can_ssh boolean. Disabled by default.
73
74       setsebool -P fenced_can_ssh 1
75
76
77
78       If you want to allow users to resolve user passwd entries directly from
79       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
80       gin_nsswitch_use_ldap boolean. Disabled by default.
81
82       setsebool -P authlogin_nsswitch_use_ldap 1
83
84
85
86       If you want to allow cluster administrative cluster  domains  memcheck-
87       amd64-   to   use  executable  memory,  you  must  turn  on  the  clus‐
88       ter_use_execmem boolean. Disabled by default.
89
90       setsebool -P cluster_use_execmem 1
91
92
93
94       If you want to allow all domains to execute in fips_mode, you must turn
95       on the fips_mode boolean. Enabled by default.
96
97       setsebool -P fips_mode 1
98
99
100
101       If  you  want  to allow confined applications to run with kerberos, you
102       must turn on the kerberos_enabled boolean. Disabled by default.
103
104       setsebool -P kerberos_enabled 1
105
106
107
108       If you want to allow system to run with  NIS,  you  must  turn  on  the
109       nis_enabled boolean. Disabled by default.
110
111       setsebool -P nis_enabled 1
112
113
114
115       If  you  want to allow confined applications to use nscd shared memory,
116       you must turn on the nscd_use_shm boolean. Disabled by default.
117
118       setsebool -P nscd_use_shm 1
119
120
121

MANAGED FILES

123       The SELinux process type fenced_t can manage  files  labeled  with  the
124       following file types.  The paths listed are the default paths for these
125       file types.  Note the processes UID still need to have DAC permissions.
126
127       cluster_conf_t
128
129            /etc/cluster(/.*)?
130
131       cluster_log
132
133
134       cluster_tmpfs_t
135
136
137       cluster_var_lib_t
138
139            /var/lib/pcsd(/.*)?
140            /var/lib/cluster(/.*)?
141            /var/lib/openais(/.*)?
142            /var/lib/pengine(/.*)?
143            /var/lib/corosync(/.*)?
144            /usr/lib/heartbeat(/.*)?
145            /var/lib/heartbeat(/.*)?
146            /var/lib/pacemaker(/.*)?
147
148       cluster_var_run_t
149
150            /var/run/crm(/.*)?
151            /var/run/cman_.*
152            /var/run/rsctmp(/.*)?
153            /var/run/aisexec.*
154            /var/run/heartbeat(/.*)?
155            /var/run/corosync-qnetd(/.*)?
156            /var/run/corosync-qdevice(/.*)?
157            /var/run/corosync.pid
158            /var/run/cpglockd.pid
159            /var/run/rgmanager.pid
160            /var/run/cluster/rgmanager.sk
161
162       fenced_lock_t
163
164            /var/lock/fence_manual.lock
165
166       fenced_tmp_t
167
168
169       fenced_tmpfs_t
170
171
172       fenced_var_run_t
173
174            /var/run/fence.*
175            /var/run/cluster/fence_scsi.*
176            /var/run/cluster/mpath.devices
177            /var/run/cluster/fenced_override
178
179       root_t
180
181            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
182            /
183            /initrd
184
185       snmpd_var_lib_t
186
187            /var/agentx(/.*)?
188            /var/net-snmp(/.*)
189            /var/lib/snmp(/.*)?
190            /var/net-snmp(/.*)?
191            /var/lib/net-snmp(/.*)?
192            /var/spool/snmptt(/.*)?
193            /usr/share/snmp/mibs/.index
194
195

FILE CONTEXTS

197       SELinux requires files to have an extended attribute to define the file
198       type.
199
200       You can see the context of a file using the -Z option to ls
201
202       Policy  governs  the  access  confined  processes  have to these files.
203       SELinux fenced policy is very flexible allowing users  to  setup  their
204       fenced processes in as secure a method as possible.
205
206       STANDARD FILE CONTEXT
207
208       SELinux defines the file context types for the fenced, if you wanted to
209       store files with these types in a diffent paths, you  need  to  execute
210       the  semanage  command  to  sepecify  alternate  labeling  and then use
211       restorecon to put the labels on disk.
212
213       semanage fcontext -a -t fenced_tmp_t '/srv/myfenced_content(/.*)?'
214       restorecon -R -v /srv/myfenced_content
215
216       Note: SELinux often uses regular expressions  to  specify  labels  that
217       match multiple files.
218
219       The following file types are defined for fenced:
220
221
222
223       fenced_exec_t
224
225       -  Set  files with the fenced_exec_t type, if you want to transition an
226       executable to the fenced_t domain.
227
228
229       Paths:
230            /usr/sbin/fenced,   /usr/sbin/fence_node,    /usr/sbin/fence_tool,
231            /usr/sbin/fence_virtd,  /usr/sbin/fence_sanlockd, /usr/share/clus‐
232            ter/fence_scsi_check,        /usr/share/cluster/fence_mpath_check,
233            /usr/share/cluster/fence_scsi_check.pl,  /usr/lib/systemd/systemd-
234            fence_sanlockd,    /usr/share/cluster/fence_scsi_check_hardreboot,
235            /usr/share/cluster/fence_mpath_check_hardreboot
236
237
238       fenced_lock_t
239
240       - Set files with the fenced_lock_t type, if you want to treat the files
241       as fenced lock data, stored under the /var/lock directory
242
243
244
245       fenced_tmp_t
246
247       - Set files with the fenced_tmp_t type, if you  want  to  store  fenced
248       temporary files in the /tmp directories.
249
250
251
252       fenced_tmpfs_t
253
254       -  Set  files with the fenced_tmpfs_t type, if you want to store fenced
255       files on a tmpfs file system.
256
257
258
259       fenced_var_log_t
260
261       - Set files with the fenced_var_log_t type, if you want  to  treat  the
262       data  as  fenced var log data, usually stored under the /var/log direc‐
263       tory.
264
265
266
267       fenced_var_run_t
268
269       - Set files with the fenced_var_run_t type, if you want  to  store  the
270       fenced files under the /run or /var/run directory.
271
272
273       Paths:
274            /var/run/fence.*,   /var/run/cluster/fence_scsi.*,  /var/run/clus‐
275            ter/mpath.devices, /var/run/cluster/fenced_override
276
277
278       Note: File context can be temporarily modified with the chcon  command.
279       If  you want to permanently change the file context you need to use the
280       semanage fcontext command.  This will modify the SELinux labeling data‐
281       base.  You will need to use restorecon to apply the labels.
282
283

COMMANDS

285       semanage  fcontext  can also be used to manipulate default file context
286       mappings.
287
288       semanage permissive can also be used to manipulate  whether  or  not  a
289       process type is permissive.
290
291       semanage  module can also be used to enable/disable/install/remove pol‐
292       icy modules.
293
294       semanage boolean can also be used to manipulate the booleans
295
296
297       system-config-selinux is a GUI tool available to customize SELinux pol‐
298       icy settings.
299
300

AUTHOR

302       This manual page was auto-generated using sepolicy manpage .
303
304

SEE ALSO

306       selinux(8),  fenced(8),  semanage(8),  restorecon(8),  chcon(1), sepol‐
307       icy(8), setsebool(8)
308
309
310
311fenced                             19-12-02                  fenced_selinux(8)
Impressum