1pki_ra_selinux(8)            SELinux Policy pki_ra           pki_ra_selinux(8)
2
3
4

NAME

6       pki_ra_selinux  -  Security  Enhanced  Linux Policy for the pki_ra pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  pki_ra  processes  via  flexible
11       mandatory access control.
12
13       The  pki_ra  processes  execute with the pki_ra_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep pki_ra_t
20
21
22

ENTRYPOINTS

24       The  pki_ra_t  SELinux  type  can be entered via the pki_ra_exec_t file
25       type.
26
27       The default entrypoint paths for the pki_ra_t domain are the following:
28
29       /var/lib/pki-ra/pki-ra
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       pki_ra policy is very flexible allowing users  to  setup  their  pki_ra
39       processes in as secure a method as possible.
40
41       The following process types are defined for pki_ra:
42
43       pki_ra_t
44
45       Note:  semanage  permissive -a pki_ra_t can be used to make the process
46       type pki_ra_t permissive. SELinux does not deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least access required.   pki_ra
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run pki_ra with the tightest access possible.
55
56
57
58       If you want to allow users to resolve user passwd entries directly from
59       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
60       gin_nsswitch_use_ldap boolean. Disabled by default.
61
62       setsebool -P authlogin_nsswitch_use_ldap 1
63
64
65
66       If you want to allow all domains to execute in fips_mode, you must turn
67       on the fips_mode boolean. Enabled by default.
68
69       setsebool -P fips_mode 1
70
71
72
73       If  you  want  to allow confined applications to run with kerberos, you
74       must turn on the kerberos_enabled boolean. Disabled by default.
75
76       setsebool -P kerberos_enabled 1
77
78
79
80       If you want to allow system to run with  NIS,  you  must  turn  on  the
81       nis_enabled boolean. Disabled by default.
82
83       setsebool -P nis_enabled 1
84
85
86
87       If  you  want to allow confined applications to use nscd shared memory,
88       you must turn on the nscd_use_shm boolean. Disabled by default.
89
90       setsebool -P nscd_use_shm 1
91
92
93

PORT TYPES

95       SELinux defines port types to represent TCP and UDP ports.
96
97       You can see the types associated with a port  by  using  the  following
98       command:
99
100       semanage port -l
101
102
103       Policy  governs  the  access  confined  processes  have to these ports.
104       SELinux pki_ra policy is very flexible allowing users  to  setup  their
105       pki_ra processes in as secure a method as possible.
106
107       The following port types are defined for pki_ra:
108
109
110       pki_ra_port_t
111
112
113
114       Default Defined Ports:
115                 tcp 12888-12889
116

MANAGED FILES

118       The  SELinux  process  type  pki_ra_t can manage files labeled with the
119       following file types.  The paths listed are the default paths for these
120       file types.  Note the processes UID still need to have DAC permissions.
121
122       cluster_conf_t
123
124            /etc/cluster(/.*)?
125
126       cluster_var_lib_t
127
128            /var/lib/pcsd(/.*)?
129            /var/lib/cluster(/.*)?
130            /var/lib/openais(/.*)?
131            /var/lib/pengine(/.*)?
132            /var/lib/corosync(/.*)?
133            /usr/lib/heartbeat(/.*)?
134            /var/lib/heartbeat(/.*)?
135            /var/lib/pacemaker(/.*)?
136
137       cluster_var_run_t
138
139            /var/run/crm(/.*)?
140            /var/run/cman_.*
141            /var/run/rsctmp(/.*)?
142            /var/run/aisexec.*
143            /var/run/heartbeat(/.*)?
144            /var/run/corosync-qnetd(/.*)?
145            /var/run/corosync-qdevice(/.*)?
146            /var/run/corosync.pid
147            /var/run/cpglockd.pid
148            /var/run/rgmanager.pid
149            /var/run/cluster/rgmanager.sk
150
151       mail_spool_t
152
153            /var/mail(/.*)?
154            /var/spool/imap(/.*)?
155            /var/spool/mail(/.*)?
156            /var/spool/smtpd(/.*)?
157
158       mqueue_spool_t
159
160            /var/spool/(client)?mqueue(/.*)?
161            /var/spool/mqueue.in(/.*)?
162
163       pki_common_t
164
165            /opt/nfast(/.*)?
166
167       pki_ra_etc_rw_t
168
169            /etc/pki-ra(/.*)?
170            /etc/sysconfig/pki/ra(/.*)?
171
172       pki_ra_lock_t
173
174
175       pki_ra_log_t
176
177            /var/log/pki-ra(/.*)?
178
179       pki_ra_tmp_t
180
181
182       pki_ra_var_lib_t
183
184            /var/lib/pki-ra(/.*)?
185
186       pki_ra_var_run_t
187
188            /var/run/pki/ra(/.*)?
189
190       root_t
191
192            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
193            /
194            /initrd
195
196

FILE CONTEXTS

198       SELinux requires files to have an extended attribute to define the file
199       type.
200
201       You can see the context of a file using the -Z option to ls
202
203       Policy governs the access  confined  processes  have  to  these  files.
204       SELinux  pki_ra  policy  is very flexible allowing users to setup their
205       pki_ra processes in as secure a method as possible.
206
207       EQUIVALENCE DIRECTORIES
208
209
210       pki_ra policy stores data with multiple different  file  context  types
211       under  the  /var/lib/pki-ra  directory.  If you would like to store the
212       data in a different directory you can use the semanage command to  cre‐
213       ate an equivalence mapping.  If you wanted to store this data under the
214       /srv dirctory you would execute the following command:
215
216       semanage fcontext -a -e /var/lib/pki-ra /srv/pki-ra
217       restorecon -R -v /srv/pki-ra
218
219       STANDARD FILE CONTEXT
220
221       SELinux defines the file context types for the pki_ra, if you wanted to
222       store  files  with  these types in a diffent paths, you need to execute
223       the semanage command  to  sepecify  alternate  labeling  and  then  use
224       restorecon to put the labels on disk.
225
226       semanage fcontext -a -t pki_ra_tmp_t '/srv/mypki_ra_content(/.*)?'
227       restorecon -R -v /srv/mypki_ra_content
228
229       Note:  SELinux  often  uses  regular expressions to specify labels that
230       match multiple files.
231
232       The following file types are defined for pki_ra:
233
234
235
236       pki_ra_etc_rw_t
237
238       - Set files with the pki_ra_etc_rw_t type, if you  want  to  treat  the
239       files as pki ra etc read/write content.
240
241
242       Paths:
243            /etc/pki-ra(/.*)?, /etc/sysconfig/pki/ra(/.*)?
244
245
246       pki_ra_exec_t
247
248       -  Set  files with the pki_ra_exec_t type, if you want to transition an
249       executable to the pki_ra_t domain.
250
251
252
253       pki_ra_lock_t
254
255       - Set files with the pki_ra_lock_t type, if you want to treat the files
256       as pki ra lock data, stored under the /var/lock directory
257
258
259
260       pki_ra_log_t
261
262       -  Set  files with the pki_ra_log_t type, if you want to treat the data
263       as pki ra log data, usually stored under the /var/log directory.
264
265
266
267       pki_ra_script_exec_t
268
269       - Set files with the pki_ra_script_exec_t type, if you want to  transi‐
270       tion an executable to the pki_ra_script_t domain.
271
272
273
274       pki_ra_tmp_t
275
276       -  Set  files  with  the pki_ra_tmp_t type, if you want to store pki ra
277       temporary files in the /tmp directories.
278
279
280
281       pki_ra_tomcat_exec_t
282
283       - Set files with the pki_ra_tomcat_exec_t type, if you want to  transi‐
284       tion an executable to the pki_ra_tomcat_t domain.
285
286
287
288       pki_ra_var_lib_t
289
290       -  Set  files  with the pki_ra_var_lib_t type, if you want to store the
291       pki ra files under the /var/lib directory.
292
293
294
295       pki_ra_var_run_t
296
297       - Set files with the pki_ra_var_run_t type, if you want  to  store  the
298       pki ra files under the /run or /var/run directory.
299
300
301
302       Note:  File context can be temporarily modified with the chcon command.
303       If you want to permanently change the file context you need to use  the
304       semanage fcontext command.  This will modify the SELinux labeling data‐
305       base.  You will need to use restorecon to apply the labels.
306
307

COMMANDS

309       semanage fcontext can also be used to manipulate default  file  context
310       mappings.
311
312       semanage  permissive  can  also  be used to manipulate whether or not a
313       process type is permissive.
314
315       semanage module can also be used to enable/disable/install/remove  pol‐
316       icy modules.
317
318       semanage port can also be used to manipulate the port definitions
319
320       semanage boolean can also be used to manipulate the booleans
321
322
323       system-config-selinux is a GUI tool available to customize SELinux pol‐
324       icy settings.
325
326

AUTHOR

328       This manual page was auto-generated using sepolicy manpage .
329
330

SEE ALSO

332       selinux(8), pki_ra(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
333       icy(8), setsebool(8)
334
335
336
337pki_ra                             19-12-02                  pki_ra_selinux(8)
Impressum