dirsrv_selinux(8)            SELinux Policy dirsrv           dirsrv_selinux(8)


NAME

       dirsrv_selinux - Security Enhanced Linux Policy for the dirsrv processes


DESCRIPTION

       Security-Enhanced Linux secures the dirsrv processes via flexible
       mandatory access control.

       The dirsrv processes execute with the dirsrv_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep dirsrv_t


ENTRYPOINTS

       The dirsrv_t SELinux type can be entered via the dirsrv_exec_t file
       type.

       The default entrypoint paths for the dirsrv_t domain are the following:

       /usr/sbin/ns-slapd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       dirsrv policy is very flexible, allowing users to set up their dirsrv
       processes in as secure a manner as possible.

       The following process types are defined for dirsrv:

       dirsrv_t, dirsrv_snmp_t, dirsrvadmin_t, dirsrvadmin_unconfined_script_t,
       dirsrvadmin_script_t

       Note: semanage permissive -a dirsrv_t can be used to make the process
       type dirsrv_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

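       The script below is an added example and is not part of this
       auto-generated manual page. It reads AVC records in the line format
       auditd writes (the SAMPLE_AVC records are constructed for the demo, not
       taken from a real host) and summarises those whose source domain is
       dirsrv_t, marking records that carry permissive=1: those were allowed
       through because the domain was permissive, but each one is a policy gap
       that will become a real denial once the domain is enforcing again. No
       SELinux tools are needed to run it.

```shell
# Added example (not part of the sepolicy-generated man page): summarise the
# AVC records a dirsrv_t process generates, separating real denials from
# those that were only logged because the domain was permissive. SAMPLE_AVC
# is CONSTRUCTED in the standard auditd AVC line format; it is not a real log.
SAMPLE_AVC='type=AVC msg=audit(1575264000.101:201): avc:  denied  { write } for  pid=1201 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=4242 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575264000.102:202): avc:  denied  { name_connect } for  pid=1201 comm="ns-slapd" dest=389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1575264000.103:203): avc:  denied  { read } for  pid=1333 comm="httpd" name="index.html" dev="dm-0" ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Extract the type (third field) from a full SELinux context, e.g.
# system_u:system_r:dirsrv_t:s0 -> dirsrv_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC lines on stdin and print one summary line per record whose
# source domain is $1:  <enforced|permissive> <permission> <tclass> <target type> <comm>
avc_summary() {
    domain=$1
    awk -v want="$domain" '
        /^type=AVC/ {
            perm = ""; cls = ""; src = ""; tgt = ""; comm = ""; mode = "enforced"
            # the requested permission sits between "{" and "}"
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass")   cls = kv[2]
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
            }
            if (src == want)
                print mode, perm, cls, tgt, comm
        }'
}

# Count the records for domain $1 that were actually blocked (permissive=0).
enforced_denials() {
    avc_summary "$1" | grep -c '^enforced ' || true
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AVC" | avc_summary dirsrv_t
    printf 'blocked: %s\n' "$(printf '%s\n' "$SAMPLE_AVC" | enforced_denials dirsrv_t)"
fi
```

       On a real host the input would be the AVC lines from the audit log
       (for example the output of ausearch -m avc), piped into avc_summary
       dirsrv_t.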

BOOLEANS

       SELinux policy is customizable based on least access required. dirsrv
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run dirsrv with the tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

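       The script below is an added example, not part of this auto-generated
       manual page. It takes text in the shape of getsebool -a output
       (SAMPLE_GETSEBOOL is constructed for the demo, not captured from a host)
       and reports every boolean listed above whose current state differs from
       the default documented here, which is the quick way to find where the
       dirsrv policy has been loosened on a system. Only the five booleans this
       page documents are in its table; any other boolean is ignored.

```shell
# Added example (not part of the sepolicy-generated man page): report
# dirsrv-related booleans whose current state differs from the defaults this
# page documents. Input is text in the shape of "getsebool -a" output;
# SAMPLE_GETSEBOOL is a CONSTRUCTED sample, not output captured from any host.

# boolean:documented default (the five booleans this page lists)
DIRSRV_BOOLEAN_DEFAULTS='authlogin_nsswitch_use_ldap:off
fips_mode:on
kerberos_enabled:off
nis_enabled:off
nscd_use_shm:off'

SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
fips_mode --> on
kerberos_enabled --> on
nis_enabled --> on
nscd_use_shm --> off
httpd_can_network_connect --> off'

# Print the documented default for boolean $1; fails if it is not listed.
documented_default() {
    d=$(printf '%s\n' "$DIRSRV_BOOLEAN_DEFAULTS" | awk -F: -v n="$1" '$1 == n { print $2 }')
    [ -n "$d" ] || return 1
    printf '%s\n' "$d"
}

# Read getsebool-style lines on stdin and print "name current default" for
# every documented boolean that has been changed from its default. Booleans
# this page does not document (e.g. httpd_*) are skipped.
boolean_drift() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        dflt=$(documented_default "$name") || continue
        [ "$state" = "$dflt" ] || printf '%s %s %s\n' "$name" "$state" "$dflt"
    done
}

# Emit (not run) the setsebool command that returns boolean $1 to its
# documented default, so the change can be reviewed before it is applied.
restore_command() {
    dflt=$(documented_default "$1") || return 1
    printf 'setsebool -P %s %s\n' "$1" "$dflt"
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
fi
```

       On a live system the input is simply getsebool -a | boolean_drift; a
       boolean that legitimately differs from the default (for instance
       kerberos_enabled on a Kerberos-authenticated directory) should be
       recorded as an intended exception rather than silently reset.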

MANAGED FILES

       The SELinux process type dirsrv_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_tmp_t


       dirsrv_tmpfs_t

            /dev/shm/dirsrv(/.*)?

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       dirsrv_var_lock_t

            /var/lock/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux dirsrv policy is very flexible, allowing users to set up their
       dirsrv processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       dirsrv policy stores data with multiple different file context types
       under the /var/log/dirsrv directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following commands:

       semanage fcontext -a -e /var/log/dirsrv /srv/dirsrv
       restorecon -R -v /srv/dirsrv

       STANDARD FILE CONTEXT

       SELinux defines the file context types for dirsrv. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t dirsrvadmin_ra_content_t '/srv/mydirsrv_content(/.*)?'
       restorecon -R -v /srv/mydirsrv_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

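       The script below is an added example, not part of this auto-generated
       manual page, covering both the equivalence mapping and the standard
       file-context patterns above. It predicts, offline, which dirsrv type a
       path should carry by applying the page's own file-context regular
       expressions (implicitly anchored at both ends, last matching entry
       wins, the way libselinux resolves overlapping file_contexts entries),
       after first rewriting the path through the /srv/dirsrv equivalence
       entry, and then compares that prediction with observed labels. Its
       table is limited to the dirsrv types listed on this page, the only
       equivalence entry is the /srv/dirsrv mapping shown above, and the
       SAMPLE_LS_Z lines are constructed for the demo. On a live system the
       same prediction is available from matchpathcon(8) or the -n option of
       restorecon.

```shell
# Added example (not part of the sepolicy-generated man page): predict the
# dirsrv file type a path should carry, offline, from the file-context
# patterns this page lists, and compare that against observed labels.
# Assumptions: only the dirsrv types from this page are in the table, and
# the single equivalence entry is the /srv/dirsrv mapping from the
# EQUIVALENCE DIRECTORIES section. SAMPLE_LS_Z is CONSTRUCTED, not captured.

# kind|pattern-or-substitute|type-or-target. Equivalence lines come first so
# a path is rewritten before the patterns are tried; among patterns the LAST
# match wins, which is how libselinux resolves overlapping file_contexts
# entries (the more specific entries are listed later).
DIRSRV_LABELING='equiv|/srv/dirsrv|/var/log/dirsrv
fcontext|/etc/dirsrv(/.*)?|dirsrv_config_t
fcontext|/etc/dirsrv/dsgw(/.*)?|dirsrvadmin_config_t
fcontext|/etc/dirsrv/admin-serv(/.*)?|dirsrvadmin_config_t
fcontext|/var/lib/dirsrv(/.*)?|dirsrv_var_lib_t
fcontext|/var/lock/dirsrv(/.*)?|dirsrv_var_lock_t
fcontext|/var/log/dirsrv(/.*)?|dirsrv_var_log_t
fcontext|/var/run/dirsrv(/.*)?|dirsrv_var_run_t
fcontext|/var/run/slapd.*|dirsrv_var_run_t
fcontext|/dev/shm/dirsrv(/.*)?|dirsrv_tmpfs_t
fcontext|/usr/sbin/ns-slapd|dirsrv_exec_t
fcontext|/usr/lib/dirsrv/cgi-bin(/.*)?|dirsrvadmin_script_exec_t
fcontext|/usr/lib/dirsrv/cgi-bin/ds_create|dirsrvadmin_unconfined_script_exec_t
fcontext|/usr/lib/dirsrv/cgi-bin/ds_remove|dirsrvadmin_unconfined_script_exec_t'

# Print the expected dirsrv type for path $1, or "none" when no pattern in
# the table matches it.
expected_type() {
    printf '%s\n' "$DIRSRV_LABELING" | awk -F '|' -v path="$1" '
        # equivalence: /srv/dirsrv/x is labelled as if it were /var/log/dirsrv/x
        $1 == "equiv" && (path == $2 || index(path, $2 "/") == 1) {
            path = $3 substr(path, length($2) + 1)
        }
        # file-context patterns are implicitly anchored at both ends
        $1 == "fcontext" && path ~ ("^" $2 "$") { type = $3 }
        END { print (type == "" ? "none" : type) }'
}

# Constructed lines in the shape of "ls -Z" output: context, then path.
SAMPLE_LS_Z='system_u:object_r:dirsrv_config_t:s0 /etc/dirsrv/slapd-example/dse.ldif
system_u:object_r:dirsrv_config_t:s0 /etc/dirsrv/admin-serv/console.conf
unconfined_u:object_r:var_t:s0 /srv/dirsrv/access
system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 /usr/lib/dirsrv/cgi-bin/ds_create'

# Read "context path" lines on stdin; print "path actual expected" for every
# path whose on-disk type differs from expected_type. This is the check to
# run before and after restorecon -R -v on a relocated or relabeled tree.
find_mislabelled() {
    while read -r ctx p; do
        [ -n "$p" ] || continue
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
        expected=$(expected_type "$p")
        if [ "$expected" != none ] && [ "$expected" != "$actual" ]; then
            printf '%s %s %s\n' "$p" "$actual" "$expected"
        fi
    done
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled
fi
```

       In the constructed sample, /srv/dirsrv/access still carries var_t
       because restorecon has not yet been run after the equivalence was
       added, and the admin-serv file shows why entry order matters: the
       generic /etc/dirsrv(/.*)? pattern matches it too, but the more specific
       dirsrvadmin_config_t entry listed later wins.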
       The following file types are defined for dirsrv:

       dirsrv_config_t

       - Set files with the dirsrv_config_t type, if you want to treat the
       files as dirsrv configuration data, usually stored under the /etc
       directory.

       dirsrv_exec_t

       - Set files with the dirsrv_exec_t type, if you want to transition an
       executable to the dirsrv_t domain.

       dirsrv_share_t

       - Set files with the dirsrv_share_t type, if you want to treat the
       files as dirsrv share data.

       dirsrv_snmp_exec_t

       - Set files with the dirsrv_snmp_exec_t type, if you want to transition
       an executable to the dirsrv_snmp_t domain.

       Paths:
            /usr/sbin/ldap-agent, /usr/sbin/ldap-agent-bin

       dirsrv_snmp_var_log_t

       - Set files with the dirsrv_snmp_var_log_t type, if you want to treat
       the data as dirsrv snmp var log data, usually stored under the /var/log
       directory.

       dirsrv_snmp_var_run_t

       - Set files with the dirsrv_snmp_var_run_t type, if you want to store
       the dirsrv snmp files under the /run or /var/run directory.

       dirsrv_tmp_t

       - Set files with the dirsrv_tmp_t type, if you want to store dirsrv
       temporary files in the /tmp directories.

       dirsrv_tmpfs_t

       - Set files with the dirsrv_tmpfs_t type, if you want to store dirsrv
       files on a tmpfs file system.

       dirsrv_var_lib_t

       - Set files with the dirsrv_var_lib_t type, if you want to store the
       dirsrv files under the /var/lib directory.

       dirsrv_var_lock_t

       - Set files with the dirsrv_var_lock_t type, if you want to treat the
       files as dirsrv var lock data, stored under the /var/lock directory.

       dirsrv_var_log_t

       - Set files with the dirsrv_var_log_t type, if you want to treat the
       data as dirsrv var log data, usually stored under the /var/log
       directory.

       dirsrv_var_run_t

       - Set files with the dirsrv_var_run_t type, if you want to store the
       dirsrv files under the /run or /var/run directory.

       Paths:
            /var/run/slapd.*, /var/run/dirsrv(/.*)?

       dirsrvadmin_config_t

       - Set files with the dirsrvadmin_config_t type, if you want to treat
       the files as dirsrvadmin configuration data, usually stored under the
       /etc directory.

       Paths:
            /etc/dirsrv/dsgw(/.*)?, /etc/dirsrv/admin-serv(/.*)?

       dirsrvadmin_content_t

       - Set files with the dirsrvadmin_content_t type, if you want to treat
       the files as dirsrvadmin content.

       dirsrvadmin_exec_t

       - Set files with the dirsrvadmin_exec_t type, if you want to transition
       an executable to the dirsrvadmin_t domain.

       Paths:
            /usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin,
            /usr/sbin/restart-ds-admin

       dirsrvadmin_htaccess_t

       - Set files with the dirsrvadmin_htaccess_t type, if you want to treat
       the file as a dirsrvadmin access file.

       dirsrvadmin_lock_t

       - Set files with the dirsrvadmin_lock_t type, if you want to treat the
       files as dirsrvadmin lock data, stored under the /var/lock directory.

       dirsrvadmin_ra_content_t

       - Set files with the dirsrvadmin_ra_content_t type, if you want to
       treat the files as dirsrvadmin read/append content.

       dirsrvadmin_rw_content_t

       - Set files with the dirsrvadmin_rw_content_t type, if you want to
       treat the files as dirsrvadmin read/write content.

       dirsrvadmin_script_exec_t

       - Set files with the dirsrvadmin_script_exec_t type, if you want to
       transition an executable to the dirsrvadmin_script_t domain.

       Paths:
            /usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?

       dirsrvadmin_tmp_t

       - Set files with the dirsrvadmin_tmp_t type, if you want to store
       dirsrvadmin temporary files in the /tmp directories.

       dirsrvadmin_unconfined_script_exec_t

       - Set files with the dirsrvadmin_unconfined_script_exec_t type, if you
       want to transition an executable to the dirsrvadmin_unconfined_script_t
       domain.

       Paths:
            /usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove

       dirsrvadmin_unit_file_t

       - Set files with the dirsrvadmin_unit_file_t type, if you want to treat
       the files as dirsrvadmin unit content.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

444

AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), dirsrv_snmp_selinux(8)

dirsrv                             19-12-02                  dirsrv_selinux(8)