neutron_selinux(8)

1neutron_selinux(8)          SELinux Policy neutron          neutron_selinux(8)
2
3
4

NAME

6       neutron_selinux  -  Security Enhanced Linux Policy for the neutron pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  neutron  processes  via  flexible
11       mandatory access control.
12
13       The  neutron processes execute with the neutron_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep neutron_t
20
21
22

ENTRYPOINTS

24       The  neutron_t  SELinux type can be entered via the neutron_exec_t file
25       type.
26
27       The default entrypoint paths for the neutron_t domain are  the  follow‐
28       ing:
29
30       /usr/bin/neutron-server,   /usr/bin/quantum-server,   /usr/bin/neutron-
31       l3-agent,     /usr/bin/neutron-rootwrap,     /usr/bin/quantum-l3-agent,
32       /usr/bin/neutron-ryu-agent,  /usr/bin/quantum-ryu-agent,  /usr/bin/neu‐
33       tron-dhcp-agent,  /usr/bin/quantum-dhcp-agent,  /usr/bin/neutron-lbaas-
34       agent,    /usr/bin/neutron-ovs-cleanup,   /usr/bin/quantum-ovs-cleanup,
35       /usr/bin/neutron-netns-cleanup,        /usr/bin/neutron-metadata-agent,
36       /usr/bin/neutron-linuxbridge-agent, /usr/bin/neutron-ns-metadata-proxy,
37       /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38       /usr/bin/quantum-openvswitch-agent
39

PROCESS TYPES

41       SELinux defines process types (domains) for each process running on the
42       system
43
44       You can see the context of a process using the -Z option to ps
45
46       Policy governs the access confined processes have  to  files.   SELinux
47       neutron  policy  is very flexible allowing users to setup their neutron
48       processes in as secure a method as possible.
49
50       The following process types are defined for neutron:
51
52       neutron_t
53
54       Note: semanage permissive -a neutron_t can be used to make the  process
55       type  neutron_t  permissive. SELinux does not deny access to permissive
56       process types, but the AVC (SELinux denials) messages are still  gener‐
57       ated.
58
59

BOOLEANS

61       SELinux policy is customizable based on least access required.  neutron
62       policy is extremely flexible and has several booleans that allow you to
63       manipulate  the  policy and run neutron with the tightest access possi‐
64       ble.
65
66
67
68       If you want to determine whether neutron can connect to all TCP  ports,
69       you must turn on the neutron_can_network boolean. Disabled by default.
70
71       setsebool -P neutron_can_network 1
72
73
74
75       If you want to allow users to resolve user passwd entries directly from
76       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
77       gin_nsswitch_use_ldap boolean. Disabled by default.
78
79       setsebool -P authlogin_nsswitch_use_ldap 1
80
81
82
83       If you want to allow all domains to execute in fips_mode, you must turn
84       on the fips_mode boolean. Enabled by default.
85
86       setsebool -P fips_mode 1
87
88
89
90       If you want to allow confined applications to run  with  kerberos,  you
91       must turn on the kerberos_enabled boolean. Disabled by default.
92
93       setsebool -P kerberos_enabled 1
94
95
96
97       If  you  want  to  allow  system  to run with NIS, you must turn on the
98       nis_enabled boolean. Disabled by default.
99
100       setsebool -P nis_enabled 1
101
102
103
104       If you want to allow confined applications to use nscd  shared  memory,
105       you must turn on the nscd_use_shm boolean. Disabled by default.
106
107       setsebool -P nscd_use_shm 1
108
109
110

PORT TYPES

112       SELinux defines port types to represent TCP and UDP ports.
113
114       You  can  see  the  types associated with a port by using the following
115       command:
116
117       semanage port -l
118
119
120       Policy governs the access  confined  processes  have  to  these  ports.
121       SELinux  neutron  policy is very flexible allowing users to setup their
122       neutron processes in as secure a method as possible.
123
124       The following port types are defined for neutron:
125
126
127       neutron_port_t
128
129
130
131       Default Defined Ports:
132                 tcp 8775,9696,9697
133

MANAGED FILES

135       The SELinux process type neutron_t can manage files  labeled  with  the
136       following file types.  The paths listed are the default paths for these
137       file types.  Note the processes UID still need to have DAC permissions.
138
139       cluster_conf_t
140
141            /etc/cluster(/.*)?
142
143       cluster_var_lib_t
144
145            /var/lib/pcsd(/.*)?
146            /var/lib/cluster(/.*)?
147            /var/lib/openais(/.*)?
148            /var/lib/pengine(/.*)?
149            /var/lib/corosync(/.*)?
150            /usr/lib/heartbeat(/.*)?
151            /var/lib/heartbeat(/.*)?
152            /var/lib/pacemaker(/.*)?
153
154       cluster_var_run_t
155
156            /var/run/crm(/.*)?
157            /var/run/cman_.*
158            /var/run/rsctmp(/.*)?
159            /var/run/aisexec.*
160            /var/run/heartbeat(/.*)?
161            /var/run/corosync-qnetd(/.*)?
162            /var/run/corosync-qdevice(/.*)?
163            /var/run/corosync.pid
164            /var/run/cpglockd.pid
165            /var/run/rgmanager.pid
166            /var/run/cluster/rgmanager.sk
167
168       faillog_t
169
170            /var/log/btmp.*
171            /var/log/faillog.*
172            /var/log/tallylog.*
173            /var/run/faillock(/.*)?
174
175       ifconfig_var_run_t
176
177            /var/run/netns(/.*)?
178
179       initrc_var_run_t
180
181            /var/run/utmp
182            /var/run/random-seed
183            /var/run/runlevel.dir
184            /var/run/setmixer_flag
185
186       krb5_host_rcache_t
187
188            /var/cache/krb5rcache(/.*)?
189            /var/tmp/nfs_0
190            /var/tmp/DNS_25
191            /var/tmp/host_0
192            /var/tmp/imap_0
193            /var/tmp/HTTP_23
194            /var/tmp/HTTP_48
195            /var/tmp/ldap_55
196            /var/tmp/ldap_487
197            /var/tmp/ldapmap1_0
198
199       krb5_keytab_t
200
201            /var/kerberos/krb5(/.*)?
202            /etc/krb5.keytab
203            /etc/krb5kdc/kadm5.keytab
204            /var/kerberos/krb5kdc/kadm5.keytab
205
206       lastlog_t
207
208            /var/log/lastlog.*
209
210       neutron_tmp_t
211
212
213       neutron_var_lib_t
214
215            /var/lib/neutron(/.*)?
216            /var/lib/quantum(/.*)?
217
218       neutron_var_run_t
219
220            /var/run/neutron(/.*)?
221            /var/run/quantum(/.*)?
222
223       root_t
224
225            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
226            /
227            /initrd
228
229       security_t
230
231            /selinux
232
233

FILE CONTEXTS

235       SELinux requires files to have an extended attribute to define the file
236       type.
237
238       You can see the context of a file using the -Z option to ls
239
240       Policy  governs  the  access  confined  processes  have to these files.
241       SELinux neutron policy is very flexible allowing users to  setup  their
242       neutron processes in as secure a method as possible.
243
244       STANDARD FILE CONTEXT
245
246       SELinux  defines  the file context types for the neutron, if you wanted
247       to store files with these types in a diffent paths, you need to execute
248       the  semanage  command  to  sepecify  alternate  labeling  and then use
249       restorecon to put the labels on disk.
250
251       semanage  fcontext  -a  -t   neutron_unit_file_t   '/srv/myneutron_con‐
252       tent(/.*)?'
253       restorecon -R -v /srv/myneutron_content
254
255       Note:  SELinux  often  uses  regular expressions to specify labels that
256       match multiple files.
257
258       The following file types are defined for neutron:
259
260
261
262       neutron_exec_t
263
264       - Set files with the neutron_exec_t type, if you want to transition  an
265       executable to the neutron_t domain.
266
267
268       Paths:
269            /usr/bin/neutron-server,   /usr/bin/quantum-server,  /usr/bin/neu‐
270            tron-l3-agent,    /usr/bin/neutron-rootwrap,     /usr/bin/quantum-
271            l3-agent,  /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent,
272            /usr/bin/neutron-dhcp-agent,          /usr/bin/quantum-dhcp-agent,
273            /usr/bin/neutron-lbaas-agent,        /usr/bin/neutron-ovs-cleanup,
274            /usr/bin/quantum-ovs-cleanup,      /usr/bin/neutron-netns-cleanup,
275            /usr/bin/neutron-metadata-agent,     /usr/bin/neutron-linuxbridge-
276            agent, /usr/bin/neutron-ns-metadata-proxy,  /usr/bin/neutron-open‐
277            vswitch-agent,  /usr/bin/quantum-linuxbridge-agent, /usr/bin/quan‐
278            tum-openvswitch-agent
279
280
281       neutron_initrc_exec_t
282
283       - Set files with the neutron_initrc_exec_t type, if you want to transi‐
284       tion an executable to the neutron_initrc_t domain.
285
286
287       Paths:
288            /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
289
290
291       neutron_log_t
292
293       -  Set files with the neutron_log_t type, if you want to treat the data
294       as neutron log data, usually stored under the /var/log directory.
295
296
297       Paths:
298            /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
299
300
301       neutron_tmp_t
302
303       - Set files with the neutron_tmp_t type, if you want to  store  neutron
304       temporary files in the /tmp directories.
305
306
307
308       neutron_unit_file_t
309
310       - Set files with the neutron_unit_file_t type, if you want to treat the
311       files as neutron unit content.
312
313
314       Paths:
315            /usr/lib/systemd/system/neutron.*,   /usr/lib/systemd/system/quan‐
316            tum.*
317
318
319       neutron_var_lib_t
320
321       -  Set  files with the neutron_var_lib_t type, if you want to store the
322       neutron files under the /var/lib directory.
323
324
325       Paths:
326            /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
327
328
329       neutron_var_run_t
330
331       - Set files with the neutron_var_run_t type, if you want to  store  the
332       neutron files under the /run or /var/run directory.
333
334
335       Paths:
336            /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
337
338
339       Note:  File context can be temporarily modified with the chcon command.
340       If you want to permanently change the file context you need to use  the
341       semanage fcontext command.  This will modify the SELinux labeling data‐
342       base.  You will need to use restorecon to apply the labels.
343
344

COMMANDS

346       semanage fcontext can also be used to manipulate default  file  context
347       mappings.
348
349       semanage  permissive  can  also  be used to manipulate whether or not a
350       process type is permissive.
351
352       semanage module can also be used to enable/disable/install/remove  pol‐
353       icy modules.
354
355       semanage port can also be used to manipulate the port definitions
356
357       semanage boolean can also be used to manipulate the booleans
358
359
360       system-config-selinux is a GUI tool available to customize SELinux pol‐
361       icy settings.
362
363

AUTHOR

365       This manual page was auto-generated using sepolicy manpage .
366
367