openshift_selinux(8)          SELinux Policy openshift          openshift_selinux(8)


NAME
       openshift_selinux - Security Enhanced Linux Policy for the openshift
       processes

DESCRIPTION
       Security-Enhanced Linux secures the openshift processes via flexible
       mandatory access control.

       The openshift processes execute with the openshift_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

              ps -eZ | grep openshift_t


ENTRYPOINTS
       The openshift_t SELinux type can be entered via the crontab_exec_t and
       user_cron_spool_t file types.

       The default entrypoint paths for the openshift_t domain are the
       following:

              /usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup,
              /usr/libexec/fcronsighup, /var/spool/at(/.*)?, /var/spool/cron,
              /var/spool/cron/[^/]+

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openshift policy is very flexible, allowing users to set up their
       openshift processes in as secure a method as possible.

       The following process types are defined for openshift:

              openshift_initrc_t, openshift_cgroup_read_t, openshift_net_read_t,
              openshift_cron_t, openshift_t, openshift_app_t, openshift_script_t

       Note: semanage permissive -a openshift_t can be used to make the
       process type openshift_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.


MCS Constrained
       The SELinux process type openshift_t is an MCS (Multi Category
       Security) constrained type. Sometimes this separation is referred to as
       sVirt. These types are usually used for securing multi-tenant
       environments, such as virtualization, containers or separation of
       users. The tools used to launch MCS types pick out a different MCS
       label for each process group.

       For example, one process might be launched with openshift_t:s0:c1,c2,
       and another process launched with openshift_t:s0:c3,c4. The SELinux
       kernel only allows these processes to write to content with a matching
       MCS label, or an MCS label of s0. A process running with the MCS level
       of s0:c1,c2 is not allowed to write to content with the MCS label of
       s0:c3,c4.

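       The MCS write rule described above, as an added example that is not
       part of this man page or of the openshift policy: it models the check
       as category-set dominance (the process's categories must be a superset
       of the content's), which is the general rule of which the two cases in
       the text (identical label, or plain s0) are instances. The context
       strings are constructed samples.

```python
import re

# Added example, not part of the openshift_selinux man page: a model of the
# MCS write rule described above. A context is user:role:type:level; the
# level is a sensitivity (s0) optionally followed by categories written
# "c1,c2" or as a range "c0.c3". The MCS constraint lets a process write
# content only when the process's category set dominates (is a superset
# of) the content's set, which yields both cases in the text: an identical
# label, and a plain s0 label that carries no categories.
CATEGORY_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(context):
    """Return the set of MCS category numbers carried by a context string.

    Accepts a full context ("system_u:system_r:openshift_t:s0:c1,c2") or
    the short type:level form used on this page ("openshift_t:s0:c1,c2").
    Level ranges such as "s0-s0:c0.c1023" are not modelled and are rejected.
    """
    fields = context.split(":")
    for i, field in enumerate(fields):
        if re.fullmatch(r"s\d+", field):  # first field that is a sensitivity
            break
    else:
        raise ValueError("no single MCS level in %r" % context)
    categories = set()
    if i + 1 < len(fields):
        for item in fields[i + 1].split(","):
            m = CATEGORY_RE.match(item)
            if m is None:
                raise ValueError("bad category %r in %r" % (item, context))
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            categories.update(range(low, high + 1))
    return categories


def mcs_write_allowed(process_context, content_context):
    """True when the process's categories dominate the content's categories."""
    return parse_categories(content_context) <= parse_categories(process_context)


if __name__ == "__main__":
    gear = "system_u:system_r:openshift_t:s0:c1,c2"  # constructed sample
    for target in ("openshift_rw_file_t:s0:c1,c2",
                   "openshift_rw_file_t:s0",
                   "openshift_rw_file_t:s0:c3,c4"):
        verdict = "allowed" if mcs_write_allowed(gear, target) else "denied"
        print("%s -> write %s" % (target, verdict))
```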

BOOLEANS
       SELinux policy is customizable based on least access required.
       openshift policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openshift with the tightest
       access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

              setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

              setsebool -P cron_userdomain_transition 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

              setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

              setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

              setsebool -P nscd_use_shm 1

PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

              semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a method as possible.

       The following port types are defined for openshift:

              openshift_port_t


MANAGED FILES
       The SELinux process type openshift_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t


       cgroup_t

              /sys/fs/cgroup

       faillog_t

              /var/log/btmp.*
              /var/log/faillog.*
              /var/log/tallylog.*
              /var/run/faillock(/.*)?

       hugetlbfs_t

              /dev/hugepages
              /usr/lib/udev/devices/hugepages

       nfs_t


       openshift_file_type


       openshift_rw_file_t

              /var/lib/openshift/.*/data(/.*)?
              /var/lib/stickshift/.*/data(/.*)?

       openshift_tmp_t

              /var/lib/openshift/.*/.tmp(/.*)?
              /var/lib/openshift/.*/.sandbox(/.*)?
              /var/lib/stickshift/.*/.tmp(/.*)?
              /var/lib/stickshift/.*/.sandbox(/.*)?

       openshift_tmpfs_t


       postfix_spool_t

              /var/spool/postfix.*
              /var/spool/postfix/defer(/.*)?
              /var/spool/postfix/flush(/.*)?
              /var/spool/postfix/deferred(/.*)?
              /var/spool/postfix/maildrop(/.*)?

       security_t

              /selinux

       user_cron_spool_t

              /var/spool/at(/.*)?
              /var/spool/cron
              /var/spool/cron/[^/]+

       user_tmp_t

              /dev/shm/mono.*
              /var/run/user(/.*)?
              /tmp/.ICE-unix(/.*)?
              /tmp/.X11-unix(/.*)?
              /dev/shm/pulse-shm.*
              /tmp/.X0-lock
              /tmp/hsperfdata_root
              /var/tmp/hsperfdata_root
              /home/[^/]+/tmp
              /home/[^/]+/.tmp
              /tmp/gconfd-[^/]+

       var_auth_t

              /var/ace(/.*)?
              /var/rsa(/.*)?
              /var/lib/abl(/.*)?
              /var/lib/rsa(/.*)?
              /var/lib/pam_ssh(/.*)?
              /var/run/pam_ssh(/.*)?
              /var/lib/pam_shield(/.*)?
              /var/opt/quest/vas/vasd(/.*)?
              /var/lib/google-authenticator(/.*)?

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

       openshift policy stores data with multiple different file context types
       under the /var/lib/openshift directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

              semanage fcontext -a -e /var/lib/openshift /srv/openshift
              restorecon -R -v /srv/openshift

       openshift policy stores data with multiple different file context types
       under the /var/lib/stickshift directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

              semanage fcontext -a -e /var/lib/stickshift /srv/stickshift
              restorecon -R -v /srv/stickshift

STANDARD FILE CONTEXT

       SELinux defines the file context types for openshift. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

              semanage fcontext -a -t openshift_ra_content_t '/srv/myopenshift_content(/.*)?'
              restorecon -R -v /srv/myopenshift_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

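       As an added example (not code from this man page or from the openshift
       policy), the following models how the equivalence mapping and the
       regular-expression labels above combine when restorecon labels a path:
       the equivalent directory is rewritten to its canonical prefix, every
       pattern is matched against the whole path, and among the matches the
       pattern with the longest literal prefix before any regex metacharacter
       wins. The pattern table is an abridged, constructed subset of the
       openshift file contexts listed on this page; the literal-versus-regex
       tie-break that libselinux also applies is left out.

```python
import re

# Added example, not from the man page or the openshift policy sources: a
# model of how libselinux chooses a label for a path, using the openshift
# file-context patterns listed on this page plus the two semanage commands
# shown above. Patterns are anchored to the whole path; when several match,
# the one with the longest literal prefix before any regex metacharacter
# (its "stem") wins. Constructed, abridged table.
FILE_CONTEXTS = [
    (r"/var/lib/openshift(/.*)?", "openshift_var_lib_t"),
    (r"/var/lib/openshift/.*/data(/.*)?", "openshift_rw_file_t"),
    (r"/var/lib/openshift/.*/.tmp(/.*)?", "openshift_tmp_t"),
    (r"/var/lib/openshift/.*/.sandbox(/.*)?", "openshift_tmp_t"),
    (r"/var/log/openshift(/.*)?", "openshift_log_t"),
    # semanage fcontext -a -t openshift_ra_content_t '/srv/myopenshift_content(/.*)?'
    (r"/srv/myopenshift_content(/.*)?", "openshift_ra_content_t"),
]
# semanage fcontext -a -e /var/lib/openshift /srv/openshift
EQUIVALENCES = {"/srv/openshift": "/var/lib/openshift"}

META_CHAR = re.compile(r"[.^$?*+|\[\](){}\\]")


def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    m = META_CHAR.search(pattern)
    return len(pattern) if m is None else m.start()


def apply_equivalence(path):
    """Map a path under an equivalent directory onto the canonical prefix."""
    for alias, canonical in EQUIVALENCES.items():
        if path == alias or path.startswith(alias + "/"):
            return canonical + path[len(alias):]
    return path


def label_for(path):
    """Return the file type restorecon would apply to path, or None."""
    path = apply_equivalence(path.rstrip("/") or "/")
    best = None  # (stem length, type) of the most specific match so far
    for pattern, ftype in FILE_CONTEXTS:
        if not re.fullmatch(pattern, path):
            continue
        if best is None or stem_len(pattern) > best[0]:
            best = (stem_len(pattern), ftype)
    return None if best is None else best[1]
```

       Calling label_for("/srv/openshift/gear1/data/app.db") returns
       openshift_rw_file_t rather than openshift_var_lib_t, because the data
       pattern has the longer stem.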
       The following file types are defined for openshift:


       openshift_app_tmp_t

       - Set files with the openshift_app_tmp_t type, if you want to store
       openshift app temporary files in the /tmp directories.


       openshift_cgroup_read_exec_t

       - Set files with the openshift_cgroup_read_exec_t type, if you want to
       transition an executable to the openshift_cgroup_read_t domain.


       openshift_cgroup_read_tmp_t

       - Set files with the openshift_cgroup_read_tmp_t type, if you want to
       store openshift cgroup read temporary files in the /tmp directories.


       openshift_content_t

       - Set files with the openshift_content_t type, if you want to treat the
       files as openshift content.


       openshift_cron_exec_t

       - Set files with the openshift_cron_exec_t type, if you want to
       transition an executable to the openshift_cron_t domain.


       openshift_cron_tmp_t

       - Set files with the openshift_cron_tmp_t type, if you want to store
       openshift cron temporary files in the /tmp directories.


       openshift_htaccess_t

       - Set files with the openshift_htaccess_t type, if you want to treat
       the file as an openshift access file.

       openshift_initrc_exec_t

       - Set files with the openshift_initrc_exec_t type, if you want to
       transition an executable to the openshift_initrc_t domain.

       Paths:
              /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer,
              /usr/s?bin/oo-admin-ctl-gears,
              /usr/s?bin/(oo|rhc)-restorer-wrapper.sh, /etc/rc.d/init.d/libra,
              /etc/rc.d/init.d/mcollective


       openshift_initrc_tmp_t

       - Set files with the openshift_initrc_tmp_t type, if you want to store
       openshift initrc temporary files in the /tmp directories.


       openshift_log_t

       - Set files with the openshift_log_t type, if you want to treat the
       data as openshift log data, usually stored under the /var/log
       directory.

       Paths:
              /var/log/openshift(/.*)?, /var/log/mcollective.log.*


       openshift_net_read_exec_t

       - Set files with the openshift_net_read_exec_t type, if you want to
       transition an executable to the openshift_net_read_t domain.


       openshift_ra_content_t

       - Set files with the openshift_ra_content_t type, if you want to treat
       the files as openshift read/append content.


       openshift_rw_content_t

       - Set files with the openshift_rw_content_t type, if you want to treat
       the files as openshift read/write content.


       openshift_rw_file_t

       - Set files with the openshift_rw_file_t type, if you want to treat the
       files as openshift rw content.

       Paths:
              /var/lib/openshift/.*/data(/.*)?, /var/lib/stickshift/.*/data(/.*)?

       openshift_script_exec_t

       - Set files with the openshift_script_exec_t type, if you want to
       transition an executable to the openshift_script_t domain.


       openshift_tmp_t

       - Set files with the openshift_tmp_t type, if you want to store
       openshift temporary files in the /tmp directories.

       Paths:
              /var/lib/openshift/.*/.tmp(/.*)?, /var/lib/openshift/.*/.sandbox(/.*)?,
              /var/lib/stickshift/.*/.tmp(/.*)?, /var/lib/stickshift/.*/.sandbox(/.*)?


       openshift_tmpfs_t

       - Set files with the openshift_tmpfs_t type, if you want to store
       openshift files on a tmpfs file system.


       openshift_var_lib_t

       - Set files with the openshift_var_lib_t type, if you want to store the
       openshift files under the /var/lib directory.

       Paths:
              /var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)?,
              /var/lib/containers/home(/.*)?


       openshift_var_run_t

       - Set files with the openshift_var_run_t type, if you want to store the
       openshift files under the /run or /var/run directory.

       Paths:
              /var/run/openshift(/.*)?, /var/run/stickshift(/.*)?


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR
       This manual page was auto-generated using sepolicy manpage.


SEE ALSO
       selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), openshift_app_selinux(8),
       openshift_cgroup_read_selinux(8), openshift_cron_selinux(8),
       openshift_initrc_selinux(8), openshift_net_read_selinux(8),
       openshift_script_selinux(8)



openshift                          19-12-02                openshift_selinux(8)