1abrt_selinux(8) SELinux Policy abrt abrt_selinux(8)
2
6 abrt_selinux - Security Enhanced Linux Policy for the abrt processes
7
9 Security-Enhanced Linux secures the abrt processes via flexible manda‐
10 tory access control.
11 The abrt processes execute with the abrt_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep abrt_t
19
23 The abrt_t SELinux type can be entered via the abrt_exec_t file type.
24 The default entrypoint paths for the abrt_t domain are the following:
26 /usr/sbin/abrt-harvest.*, /usr/sbin/abrtd, /usr/sbin/abrt-dbus,
28 /usr/sbin/abrt-install-ccpp-hook
29
31 SELinux defines process types (domains) for each process running on the
32 system
33 You can see the context of a process using the -Z option to ps
35 Policy governs the access confined processes have to files. SELinux
37 abrt policy is very flexible allowing users to setup their abrt pro‐
38 cesses in as secure a method as possible.
39 The following process types are defined for abrt:
41 abrt_t, abrt_dump_oops_t, abrt_handle_event_t, abrt_helper_t, abrt_retrace_worker_t, abrt_retrace_coredump_t, abrt_watch_log_t, abrt_upload_watch_t
43 Note: semanage permissive -a abrt_t can be used to make the process
45 type abrt_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
51 SELinux policy is customizable based on least access required. abrt
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run abrt with the tightest access possible.
54 If you want to determine whether ABRT can run in the abrt_han‐
58 dle_event_t domain to handle ABRT event scripts, you must turn on the
59 abrt_handle_event boolean. Disabled by default.
60 setsebool -P abrt_handle_event 1
62 If you want to deny user domains applications to map a memory region as
66 both executable and writable, this is dangerous and the executable
67 should be reported in bugzilla, you must turn on the deny_execmem bool‐
68 ean. Enabled by default.
69 setsebool -P deny_execmem 1
71 If you want to allow all domains to execute in fips_mode, you must turn
75 on the fips_mode boolean. Enabled by default.
76 setsebool -P fips_mode 1
78
82 The SELinux process type abrt_t can manage files labeled with the fol‐
83 lowing file types. The paths listed are the default paths for these
84 file types. Note the processes UID still need to have DAC permissions.
85 abrt_var_log_t
87 /var/log/abrt-logger.*
89 cluster_conf_t
91 /etc/cluster(/.*)?
93 cluster_var_lib_t
95 /var/lib/pcsd(/.*)?
97 /var/lib/cluster(/.*)?
98 /var/lib/openais(/.*)?
99 /var/lib/pengine(/.*)?
100 /var/lib/corosync(/.*)?
101 /usr/lib/heartbeat(/.*)?
102 /var/lib/heartbeat(/.*)?
103 /var/lib/pacemaker(/.*)?
104 cluster_var_run_t
106 /var/run/crm(/.*)?
108 /var/run/cman_.*
109 /var/run/rsctmp(/.*)?
110 /var/run/aisexec.*
111 /var/run/heartbeat(/.*)?
112 /var/run/corosync-qnetd(/.*)?
113 /var/run/corosync-qdevice(/.*)?
114 /var/run/corosync.pid
115 /var/run/cpglockd.pid
116 /var/run/rgmanager.pid
117 /var/run/cluster/rgmanager.sk
118 kdump_crash_t
120 /var/crash(/.*)?
122 mail_home_rw_t
124 /root/Maildir(/.*)?
126 /root/.esmtp_queue(/.*)?
127 /var/lib/arpwatch/.esmtp_queue(/.*)?
128 /home/[^/]+/.maildir(/.*)?
129 /home/[^/]+/Maildir(/.*)?
130 /home/[^/]+/.esmtp_queue(/.*)?
131 rhsmcertd_var_run_t
133 /var/run/rhsm(/.*)?
135 root_t
137 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
139 /
140 /initrd
141 rpm_log_t
143 /var/log/hawkey.*
145 /var/log/up2date.*
146 /var/log/yum.log.*
147 rpm_var_cache_t
149 /var/cache/dnf(/.*)?
151 /var/cache/yum(/.*)?
152 /var/spool/up2date(/.*)?
153 /var/cache/PackageKit(/.*)?
154 rpm_var_run_t
156 /var/run/yum.*
158 /var/run/PackageKit(/.*)?
159 sysfs_t
161 /sys(/.*)?
163
166 SELinux requires files to have an extended attribute to define the file
167 type.
168 You can see the context of a file using the -Z option to ls
170 Policy governs the access confined processes have to these files.
172 SELinux abrt policy is very flexible allowing users to setup their abrt
173 processes in as secure a method as possible.
174 EQUIVALENCE DIRECTORIES
176 abrt policy stores data with multiple different file context types
179 under the /var/cache/abrt directory. If you would like to store the
180 data in a different directory you can use the semanage command to cre‐
181 ate an equivalence mapping. If you wanted to store this data under the
182 /srv directory you would execute the following command:
183 semanage fcontext -a -e /var/cache/abrt /srv/abrt
185 restorecon -R -v /srv/abrt
186 abrt policy stores data with multiple different file context types
188 under the /var/run/abrt directory. If you would like to store the data
189 in a different directory you can use the semanage command to create an
190 equivalence mapping. If you wanted to store this data under the /srv
191 directory you would execute the following command:
192 semanage fcontext -a -e /var/run/abrt /srv/abrt
194 restorecon -R -v /srv/abrt
195 abrt policy stores data with multiple different file context types
197 under the /var/spool/abrt directory. If you would like to store the
198 data in a different directory you can use the semanage command to cre‐
199 ate an equivalence mapping. If you wanted to store this data under the
200 /srv directory you would execute the following command:
201 semanage fcontext -a -e /var/spool/abrt /srv/abrt
203 restorecon -R -v /srv/abrt
204 STANDARD FILE CONTEXT
206 SELinux defines the file context types for the abrt, if you wanted to
208 store files with these types in a diffent paths, you need to execute
209 the semanage command to sepecify alternate labeling and then use
210 restorecon to put the labels on disk.
211 semanage fcontext -a -t abrt_upload_watch_tmp_t '/srv/myabrt_con‐
213 tent(/.*)?'
214 restorecon -R -v /srv/myabrt_content
215 Note: SELinux often uses regular expressions to specify labels that
217 match multiple files.
218 The following file types are defined for abrt:
220 abrt_dump_oops_exec_t
224 - Set files with the abrt_dump_oops_exec_t type, if you want to transi‐
226 tion an executable to the abrt_dump_oops_t domain.
227 Paths:
230 /usr/bin/abrt-dump-.*, /usr/bin/abrt-uefioops-oops,
231 /usr/libexec/abrt-hook-ccpp
232 abrt_etc_t
235 - Set files with the abrt_etc_t type, if you want to store abrt files
237 in the /etc directories.
238 abrt_exec_t
242 - Set files with the abrt_exec_t type, if you want to transition an
244 executable to the abrt_t domain.
245 Paths:
248 /usr/sbin/abrt-harvest.*, /usr/sbin/abrtd, /usr/sbin/abrt-dbus,
249 /usr/sbin/abrt-install-ccpp-hook
250 abrt_handle_event_exec_t
253 - Set files with the abrt_handle_event_exec_t type, if you want to
255 transition an executable to the abrt_handle_event_t domain.
256 abrt_helper_exec_t
260 - Set files with the abrt_helper_exec_t type, if you want to transition
262 an executable to the abrt_helper_t domain.
263 abrt_initrc_exec_t
267 - Set files with the abrt_initrc_exec_t type, if you want to transition
269 an executable to the abrt_initrc_t domain.
270 abrt_retrace_cache_t
274 - Set files with the abrt_retrace_cache_t type, if you want to store
276 the files under the /var/cache directory.
277 Paths:
280 /var/cache/abrt-retrace(/.*)?, /var/cache/retrace-server(/.*)?
281 abrt_retrace_coredump_exec_t
284 - Set files with the abrt_retrace_coredump_exec_t type, if you want to
286 transition an executable to the abrt_retrace_coredump_t domain.
287 abrt_retrace_spool_t
291 - Set files with the abrt_retrace_spool_t type, if you want to store
293 the abrt retrace files under the /var/spool directory.
294 Paths:
297 /var/spool/faf(/.*)?, /var/spool/abrt-retrace(/.*)?,
298 /var/spool/retrace-server(/.*)?
299 abrt_retrace_worker_exec_t
302 - Set files with the abrt_retrace_worker_exec_t type, if you want to
304 transition an executable to the abrt_retrace_worker_t domain.
305 Paths:
308 /usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker
309 abrt_tmp_t
312 - Set files with the abrt_tmp_t type, if you want to store abrt tempo‐
314 rary files in the /tmp directories.
315 abrt_unit_file_t
319 - Set files with the abrt_unit_file_t type, if you want to treat the
321 files as abrt unit content.
322 abrt_upload_watch_exec_t
326 - Set files with the abrt_upload_watch_exec_t type, if you want to
328 transition an executable to the abrt_upload_watch_t domain.
329 abrt_upload_watch_tmp_t
333 - Set files with the abrt_upload_watch_tmp_t type, if you want to store
335 abrt upload watch temporary files in the /tmp directories.
336 abrt_var_cache_t
340 - Set files with the abrt_var_cache_t type, if you want to store the
342 files under the /var/cache directory.
343 Paths:
346 /var/tmp/abrt(/.*)?, /var/cache/abrt(/.*)?, /var/spool/abrt(/.*)?,
347 /var/spool/debug(/.*)?, /var/cache/abrt-di(/.*)?,
348 /var/spool/rhsm/debug(/.*)?
349 abrt_var_lib_t
352 - Set files with the abrt_var_lib_t type, if you want to store the abrt
354 files under the /var/lib directory.
355 abrt_var_log_t
359 - Set files with the abrt_var_log_t type, if you want to treat the data
361 as abrt var log data, usually stored under the /var/log directory.
362 abrt_var_run_t
366 - Set files with the abrt_var_run_t type, if you want to store the abrt
368 files under the /run or /var/run directory.
369 Paths:
372 /var/run/abrt(/.*)?, /var/run/abrtd?.lock, /var/run/abrtd?.socket,
373 /var/run/abrt.pid
374 abrt_watch_log_exec_t
377 - Set files with the abrt_watch_log_exec_t type, if you want to transi‐
379 tion an executable to the abrt_watch_log_t domain.
380 Note: File context can be temporarily modified with the chcon command.
384 If you want to permanently change the file context you need to use the
385 semanage fcontext command. This will modify the SELinux labeling data‐
386 base. You will need to use restorecon to apply the labels.
387
390 If you want to share files with multiple domains (Apache, FTP, rsync,
391 Samba), you can set a file context of public_content_t and public_con‐
392 tent_rw_t. These context allow any of the above domains to read the
393 content. If you want a particular domain to write to the public_con‐
394 tent_rw_t domain, you must set the appropriate boolean.
395 Allow abrt servers to read the /var/abrt directory by adding the pub‐
397 lic_content_t file type to the directory and by restoring the file
398 type.
399 semanage fcontext -a -t public_content_t "/var/abrt(/.*)?"
401 restorecon -F -R -v /var/abrt
402 Allow abrt servers to read and write /var/abrt/incoming by adding the
404 public_content_rw_t type to the directory and by restoring the file
405 type. You also need to turn on the abrt_anon_write boolean.
406 semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?"
408 restorecon -F -R -v /var/abrt/incoming
409 setsebool -P abrt_anon_write 1
410 If you want to allow ABRT to modify public files used for public file
413 transfer services., you must turn on the abrt_anon_write boolean.
414 setsebool -P abrt_anon_write 1
416
419 semanage fcontext can also be used to manipulate default file context
420 mappings.
421 semanage permissive can also be used to manipulate whether or not a
423 process type is permissive.
424 semanage module can also be used to enable/disable/install/remove pol‐
426 icy modules.
427 semanage boolean can also be used to manipulate the booleans
429 system-config-selinux is a GUI tool available to customize SELinux pol‐
432 icy settings.
433
436 This manual page was auto-generated using sepolicy manpage .
437
440 selinux(8), abrt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
441 setsebool(8), abrt_dump_oops_selinux(8), abrt_dump_oops_selinux(8),
442 abrt_handle_event_selinux(8), abrt_handle_event_selinux(8),
443 abrt_helper_selinux(8), abrt_helper_selinux(8), abrt_retrace_core‐
444 dump_selinux(8), abrt_retrace_coredump_selinux(8),
445 abrt_retrace_worker_selinux(8), abrt_retrace_worker_selinux(8),
446 abrt_upload_watch_selinux(8), abrt_upload_watch_selinux(8),
447 abrt_watch_log_selinux(8), abrt_watch_log_selinux(8)
448abrt 20-05-05 abrt_selinux(8)