openshift_selinux(8)       SELinux Policy openshift       openshift_selinux(8)

NAME

       openshift_selinux - Security Enhanced Linux Policy for the openshift
       processes

DESCRIPTION

       Security-Enhanced Linux secures the openshift processes via flexible
       mandatory access control.

       The openshift processes execute with the openshift_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep openshift_t


ENTRYPOINTS

       The openshift_t SELinux type can be entered via the crontab_exec_t,
       user_cron_spool_t file types.

       The default entrypoint paths for the openshift_t domain are the
       following:

       /usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup,
       /usr/libexec/fcronsighup, /var/spool/at(/.*)?, /var/spool/cron,
       /var/spool/cron/[^/]+


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openshift policy is very flexible, allowing users to set up their
       openshift processes in as secure a method as possible.

       The following process types are defined for openshift:

       openshift_initrc_t, openshift_cgroup_read_t, openshift_net_read_t,
       openshift_cron_t, openshift_t, openshift_app_t, openshift_script_t

       Note: semanage permissive -a openshift_t can be used to make the
       process type openshift_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.


MCS Constrained

       The SELinux process type openshift_t is an MCS (Multi Category
       Security) constrained type. Sometimes this separation is referred to as
       sVirt. These types are usually used for securing multi-tenant
       environments, such as virtualization, containers or separation of
       users. The tools used to launch MCS types pick out a different MCS
       label for each process group.

       For example, one process might be launched with openshift_t:s0:c1,c2,
       and another process launched with openshift_t:s0:c3,c4. The SELinux
       kernel only allows these processes to write to content with a matching
       MCS label, or an MCS label of s0. A process running with the MCS level
       of s0:c1,c2 is not allowed to write to content with the MCS label of
       s0:c3,c4.

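       The write rule described above, modelled as an added example (not code
       from the man page or from the openshift policy). It parses contexts of
       the form shown by ps -eZ, decides whether one MCS level may write
       content at another, and scans constructed ps -eZ output for
       openshift_t processes whose categories cover another gear's; the ps
       column layout and the PIDs in the sample are assumptions.

```python
import re

# Added example, not part of the man page: models the MCS write rule the
# section above describes. A process may write content only when every
# category in the content's level is also in the process's level, so plain
# s0 is writable by all and s0:c1,c2 cannot write s0:c3,c4. Low-high ranges
# such as s0-s0:c0.c1023 are not handled.

CTX_RE = re.compile(r"^(?:[^:]+:[^:]+:)?(?P<type>\w+):(?P<level>s\d+(?::c[\dc.,]+)?)$")

def parse_level(level):
    """'s0:c1,c2' -> ('s0', {1, 2}); a range such as 'c1.c3' expands to {1, 2, 3}."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        categories.update(range(lo_n, (int(hi[1:]) if hi else lo_n) + 1))
    return sens, categories

def mcs_write_allowed(proc_ctx, file_ctx):
    """True when a process labelled proc_ctx may write content labelled file_ctx."""
    p, f = CTX_RE.match(proc_ctx), CTX_RE.match(file_ctx)
    if not (p and f):
        raise ValueError("unparseable SELinux context")
    p_sens, p_cats = parse_level(p.group("level"))
    f_sens, f_cats = parse_level(f.group("level"))
    return p_sens == f_sens and f_cats <= p_cats

def dominating_pairs(ps_output):
    """From 'ps -eZ' output, (writer_pid, victim_pid) pairs of openshift_t processes
    where the writer's categories cover the victim's, so MCS does not separate them."""
    gears = []
    for line in ps_output.strip().splitlines()[1:]:  # first line is the column header
        label, pid = line.split()[:2]
        m = CTX_RE.match(label)
        if m and m.group("type") == "openshift_t":
            gears.append((int(pid), parse_level(m.group("level"))[1]))
    return [(a, b) for a, ca in gears for b, cb in gears if a != b and cb <= ca]

# Constructed 'ps -eZ' sample (column layout and PIDs assumed): the c1,c2
# gear can write the c1 gear's content; the c3,c4 gear is isolated from both.
SAMPLE_PS = """LABEL                                  PID TTY          TIME CMD
system_u:system_r:init_t:s0              1 ?        00:00:02 systemd
system_u:system_r:openshift_t:s0:c1,c2 2101 ?        00:00:01 httpd
system_u:system_r:openshift_t:s0:c3,c4 2102 ?        00:00:00 node
system_u:system_r:openshift_t:s0:c1    2103 ?        00:00:00 ruby
"""
```
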

BOOLEANS

       SELinux policy is customizable based on least access required.
       openshift policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openshift with the tightest
       access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

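       A drift check for the booleans listed above, as an added example (not
       code from the man page or from the openshift policy): it parses
       getsebool -a output, compares each documented boolean with the default
       stated above, and classifies a deviation as widening or narrowing
       access. The 'name --> on' line shape is getsebool's; the sample output
       is constructed.

```python
import re

# Added example, not part of the man page: compares a host's booleans (parsed
# from 'getsebool -a' output such as 'deny_ptrace --> on') with the defaults
# documented above and says whether each deviation widens or narrows access.

# Documented default, and whether switching the boolean on grants access
# (the "allow ..." booleans) rather than removing it (deny_ptrace).
DOCUMENTED = {
    "authlogin_nsswitch_use_ldap": ("off", True),
    "cron_userdomain_transition": ("on", True),
    "deny_ptrace": ("on", False),
    "fips_mode": ("on", True),
    "kerberos_enabled": ("off", True),
    "nis_enabled": ("off", True),
    "nscd_use_shm": ("off", True),
}

GETSEBOOL_LINE = re.compile(r"^(\S+)\s+-->\s+(on|off)$")

def parse_getsebool(output):
    """Map boolean name -> 'on'/'off'; lines in any other shape are ignored."""
    result = {}
    for line in output.splitlines():
        m = GETSEBOOL_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def audit_booleans(output):
    """{name: 'widens' | 'narrows' | 'missing'} for each documented boolean
    that is absent from the host or differs from its documented default."""
    findings = {}
    current = parse_getsebool(output)
    for name, (default, on_grants) in DOCUMENTED.items():
        value = current.get(name)
        if value is None:
            findings[name] = "missing"
        elif value != default:
            # A value that grants access where the default did not widens policy.
            findings[name] = "widens" if (value == "on") == on_grants else "narrows"
    return findings

# Constructed sample: ptrace denial off, direct LDAP lookups on, FIPS off,
# and the remaining documented booleans absent from the output.
SAMPLE_GETSEBOOL = """authlogin_nsswitch_use_ldap --> on
cron_userdomain_transition --> on
deny_ptrace --> off
fips_mode --> off
"""
```
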

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a method as possible.

       The following port types are defined for openshift:

       openshift_port_t

       MANAGED FILES

              The SELinux process type openshift_t can manage files labeled
              with the following file types. The paths listed are the default
              paths for these file types. Note that the process's UID still
              needs to have DAC permissions.

              anon_inodefs_t

              cgroup_t

                   /sys/fs/cgroup

              faillog_t

                   /var/log/btmp.*
                   /var/log/faillog.*
                   /var/log/tallylog.*
                   /var/run/faillock(/.*)?

              hugetlbfs_t

                   /dev/hugepages
                   /usr/lib/udev/devices/hugepages

              nfs_t

              openshift_file_type

              openshift_rw_file_t

                   /var/lib/openshift/.*/data(/.*)?
                   /var/lib/stickshift/.*/data(/.*)?

              openshift_tmp_t

                   /var/lib/openshift/.*/.tmp(/.*)?
                   /var/lib/openshift/.*/.sandbox(/.*)?
                   /var/lib/stickshift/.*/.tmp(/.*)?
                   /var/lib/stickshift/.*/.sandbox(/.*)?

              openshift_tmpfs_t

              postfix_spool_t

                   /var/spool/postfix.*
                   /var/spool/postfix/defer(/.*)?
                   /var/spool/postfix/flush(/.*)?
                   /var/spool/postfix/deferred(/.*)?
                   /var/spool/postfix/maildrop(/.*)?

              security_t

                   /selinux

              user_cron_spool_t

                   /var/spool/at(/.*)?
                   /var/spool/cron
                   /var/spool/cron/[^/]+

              user_tmp_t

                   /dev/shm/mono.*
                   /var/run/user(/.*)?
                   /tmp/.ICE-unix(/.*)?
                   /tmp/.X11-unix(/.*)?
                   /dev/shm/pulse-shm.*
                   /tmp/.X0-lock
                   /tmp/hsperfdata_root
                   /var/tmp/hsperfdata_root
                   /home/[^/]+/tmp
                   /home/[^/]+/.tmp
                   /tmp/gconfd-[^/]+

              var_auth_t

                   /var/ace(/.*)?
                   /var/rsa(/.*)?
                   /var/lib/abl(/.*)?
                   /var/lib/rsa(/.*)?
                   /var/lib/pam_ssh(/.*)?
                   /var/run/pam_ssh(/.*)?
                   /var/lib/pam_shield(/.*)?
                   /var/opt/quest/vas/vasd(/.*)?
                   /var/lib/google-authenticator(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       openshift policy stores data with multiple different file context types
       under the /var/lib/openshift directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/openshift /srv/openshift
       restorecon -R -v /srv/openshift

       openshift policy stores data with multiple different file context types
       under the /var/lib/stickshift directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/stickshift /srv/stickshift
       restorecon -R -v /srv/stickshift

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openshift. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t openshift_ra_content_t '/srv/myopenshift_content(/.*)?'
       restorecon -R -v /srv/myopenshift_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

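       The equivalence mapping and regular-expression labeling described
       above, modelled as an added example (not code from the man page, the
       openshift policy or libselinux). It rewrites a path under the
       equivalence alias to the original directory, then matches it against
       file context patterns quoted from this page; the tie-break between
       overlapping patterns is a simplification, and restorecon is not
       modelled.

```python
import re

# Added example, not part of the man page: a small model of how the rules
# above label a path. An equivalence (semanage fcontext -a -e ORIGINAL ALIAS)
# is applied by rewriting the path prefix, then the matching regex with the
# longest literal prefix wins, later rules winning ties. That tie-break is a
# simplification of libselinux's ordering, not a copy of it.

# Patterns quoted from this page, most general first.
FILE_CONTEXTS = [
    (r"/var/lib/openshift(/.*)?", "openshift_var_lib_t"),
    (r"/var/lib/openshift/.*/data(/.*)?", "openshift_rw_file_t"),
    (r"/var/lib/openshift/.*/.tmp(/.*)?", "openshift_tmp_t"),
    (r"/var/lib/openshift/.*/.sandbox(/.*)?", "openshift_tmp_t"),
    (r"/var/run/openshift(/.*)?", "openshift_var_run_t"),
]

# (original, alias) pairs, as for 'semanage fcontext -a -e /var/lib/openshift /srv/openshift'.
EQUIVALENCES = [("/var/lib/openshift", "/srv/openshift")]

REGEX_META = re.compile(r"[.^$*+?()\[\]{}|\\]")

def apply_equivalence(path, equivalences=EQUIVALENCES):
    """Rewrite a path below an alias so it is matched as if it were below the original."""
    for original, alias in equivalences:
        if path == alias or path.startswith(alias + "/"):
            return original + path[len(alias):]
    return path

def literal_prefix(pattern):
    """The text before the first regex metacharacter."""
    m = REGEX_META.search(pattern)
    return pattern if m is None else pattern[:m.start()]

def label_for(path, rules=FILE_CONTEXTS, equivalences=EQUIVALENCES):
    """File type the rules assign to path after equivalence rewriting, or None."""
    canonical = apply_equivalence(path, equivalences)
    best = None
    for index, (pattern, ftype) in enumerate(rules):
        if re.fullmatch(pattern, canonical):
            key = (len(literal_prefix(pattern)), index)
            if best is None or key > best[0]:
                best = (key, ftype)
    return best[1] if best else None
```

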
       The following file types are defined for openshift:

       openshift_app_tmp_t

       - Set files with the openshift_app_tmp_t type, if you want to store
       openshift app temporary files in the /tmp directories.

       openshift_cgroup_read_exec_t

       - Set files with the openshift_cgroup_read_exec_t type, if you want to
       transition an executable to the openshift_cgroup_read_t domain.

       openshift_cgroup_read_tmp_t

       - Set files with the openshift_cgroup_read_tmp_t type, if you want to
       store openshift cgroup read temporary files in the /tmp directories.

       openshift_content_t

       - Set files with the openshift_content_t type, if you want to treat the
       files as openshift content.

       openshift_cron_exec_t

       - Set files with the openshift_cron_exec_t type, if you want to
       transition an executable to the openshift_cron_t domain.

       openshift_cron_tmp_t

       - Set files with the openshift_cron_tmp_t type, if you want to store
       openshift cron temporary files in the /tmp directories.

       openshift_htaccess_t

       - Set files with the openshift_htaccess_t type, if you want to treat
       the file as an openshift access file.

       openshift_initrc_exec_t

       - Set files with the openshift_initrc_exec_t type, if you want to
       transition an executable to the openshift_initrc_t domain.

       Paths:
            /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer,
            /usr/s?bin/oo-admin-ctl-gears, /usr/s?bin/(oo|rhc)-restorer-wrapper.sh,
            /etc/rc.d/init.d/libra, /etc/rc.d/init.d/mcollective

       openshift_initrc_tmp_t

       - Set files with the openshift_initrc_tmp_t type, if you want to store
       openshift initrc temporary files in the /tmp directories.

       openshift_log_t

       - Set files with the openshift_log_t type, if you want to treat the
       data as openshift log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/openshift(/.*)?, /var/log/mcollective.log.*

       openshift_net_read_exec_t

       - Set files with the openshift_net_read_exec_t type, if you want to
       transition an executable to the openshift_net_read_t domain.

       openshift_ra_content_t

       - Set files with the openshift_ra_content_t type, if you want to treat
       the files as openshift read/append content.

       openshift_rw_content_t

       - Set files with the openshift_rw_content_t type, if you want to treat
       the files as openshift read/write content.

       openshift_rw_file_t

       - Set files with the openshift_rw_file_t type, if you want to treat the
       files as openshift rw content.

       Paths:
            /var/lib/openshift/.*/data(/.*)?, /var/lib/stickshift/.*/data(/.*)?

       openshift_script_exec_t

       - Set files with the openshift_script_exec_t type, if you want to
       transition an executable to the openshift_script_t domain.

       openshift_tmp_t

       - Set files with the openshift_tmp_t type, if you want to store
       openshift temporary files in the /tmp directories.

       Paths:
            /var/lib/openshift/.*/.tmp(/.*)?, /var/lib/openshift/.*/.sandbox(/.*)?,
            /var/lib/stickshift/.*/.tmp(/.*)?, /var/lib/stickshift/.*/.sandbox(/.*)?

       openshift_tmpfs_t

       - Set files with the openshift_tmpfs_t type, if you want to store
       openshift files on a tmpfs file system.

       openshift_var_lib_t

       - Set files with the openshift_var_lib_t type, if you want to store the
       openshift files under the /var/lib directory.

       Paths:
            /var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)?,
            /var/lib/containers/home(/.*)?

       openshift_var_run_t

       - Set files with the openshift_var_run_t type, if you want to store the
       openshift files under the /run or /var/run directory.

       Paths:
            /var/run/openshift(/.*)?, /var/run/stickshift(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), openshift_app_selinux(8),
       openshift_cgroup_read_selinux(8), openshift_cron_selinux(8),
       openshift_initrc_selinux(8), openshift_net_read_selinux(8),
       openshift_script_selinux(8)

openshift                          19-12-02               openshift_selinux(8)