1ccs_selinux(8) SELinux Policy ccs ccs_selinux(8)
2
6 ccs_selinux - Security Enhanced Linux Policy for the ccs processes
7
9 Security-Enhanced Linux secures the ccs processes via flexible manda‐
10 tory access control.
11 The ccs processes execute with the ccs_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15 For example:
17 ps -eZ | grep ccs_t
19
23 The ccs_t SELinux type can be entered via the ccs_exec_t file type.
24 The default entrypoint paths for the ccs_t domain are the following:
26 /sbin/ccsd, /usr/sbin/ccsd
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 ccs policy is very flexible allowing users to setup their ccs processes
37 in as secure a method as possible.
38 The following process types are defined for ccs:
40 ccs_t
42 Note: semanage permissive -a ccs_t can be used to make the process type
44 ccs_t permissive. SELinux does not deny access to permissive process
45 types, but the AVC (SELinux denials) messages are still generated.
46
49 SELinux policy is customizable based on least access required. ccs
50 policy is extremely flexible and has several booleans that allow you to
51 manipulate the policy and run ccs with the tightest access possible.
52 If you want to allow all domains to execute in fips_mode, you must turn
56 on the fips_mode boolean. Enabled by default.
57 setsebool -P fips_mode 1
59 If you want to allow confined applications to use nscd shared memory,
63 you must turn on the nscd_use_shm boolean. Disabled by default.
64 setsebool -P nscd_use_shm 1
66
70 The SELinux process type ccs_t can manage files labeled with the fol‐
71 lowing file types. The paths listed are the default paths for these
72 file types. Note the processes UID still need to have DAC permissions.
73 ccs_tmpfs_t
75 ccs_var_lib_t
78 /var/lib/cluster/((ccs)|(ccsd)).*
80 ccs_var_run_t
82 /var/run/cluster/((ccs)|(ccsd)).pid
84 /var/run/cluster/((ccs)|(ccsd)).sock
85 cluster_conf_t
87 /etc/cluster(/.*)?
89 cluster_var_lib_t
91 /var/lib/pcsd(/.*)?
93 /var/lib/cluster(/.*)?
94 /var/lib/openais(/.*)?
95 /var/lib/pengine(/.*)?
96 /var/lib/corosync(/.*)?
97 /usr/lib/heartbeat(/.*)?
98 /var/lib/heartbeat(/.*)?
99 /var/lib/pacemaker(/.*)?
100 cluster_var_run_t
102 /var/run/crm(/.*)?
104 /var/run/cman_.*
105 /var/run/rsctmp(/.*)?
106 /var/run/aisexec.*
107 /var/run/heartbeat(/.*)?
108 /var/run/corosync-qnetd(/.*)?
109 /var/run/corosync-qdevice(/.*)?
110 /var/run/corosync.pid
111 /var/run/cpglockd.pid
112 /var/run/rgmanager.pid
113 /var/run/cluster/rgmanager.sk
114 qpidd_tmpfs_t
116 root_t
119 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
121 /
122 /initrd
123 unlabeled_t
125
129 SELinux requires files to have an extended attribute to define the file
130 type.
131 You can see the context of a file using the -Z option to ls
133 Policy governs the access confined processes have to these files.
135 SELinux ccs policy is very flexible allowing users to setup their ccs
136 processes in as secure a method as possible.
137 STANDARD FILE CONTEXT
139 SELinux defines the file context types for the ccs, if you wanted to
141 store files with these types in a diffent paths, you need to execute
142 the semanage command to sepecify alternate labeling and then use
143 restorecon to put the labels on disk.
144 semanage fcontext -a -t ccs_var_run_t '/srv/myccs_content(/.*)?'
146 restorecon -R -v /srv/myccs_content
147 Note: SELinux often uses regular expressions to specify labels that
149 match multiple files.
150 The following file types are defined for ccs:
152 ccs_exec_t
156 - Set files with the ccs_exec_t type, if you want to transition an exe‐
158 cutable to the ccs_t domain.
159 Paths:
162 /sbin/ccsd, /usr/sbin/ccsd
163 ccs_initrc_exec_t
166 - Set files with the ccs_initrc_exec_t type, if you want to transition
168 an executable to the ccs_initrc_t domain.
169 ccs_tmp_t
173 - Set files with the ccs_tmp_t type, if you want to store ccs temporary
175 files in the /tmp directories.
176 ccs_tmpfs_t
180 - Set files with the ccs_tmpfs_t type, if you want to store ccs files
182 on a tmpfs file system.
183 ccs_var_lib_t
187 - Set files with the ccs_var_lib_t type, if you want to store the ccs
189 files under the /var/lib directory.
190 ccs_var_log_t
194 - Set files with the ccs_var_log_t type, if you want to treat the data
196 as ccs var log data, usually stored under the /var/log directory.
197 ccs_var_run_t
201 - Set files with the ccs_var_run_t type, if you want to store the ccs
203 files under the /run or /var/run directory.
204 Paths:
207 /var/run/cluster/((ccs)|(ccsd)).pid, /var/run/clus‐
208 ter/((ccs)|(ccsd)).sock
209 Note: File context can be temporarily modified with the chcon command.
212 If you want to permanently change the file context you need to use the
213 semanage fcontext command. This will modify the SELinux labeling data‐
214 base. You will need to use restorecon to apply the labels.
215
218 semanage fcontext can also be used to manipulate default file context
219 mappings.
220 semanage permissive can also be used to manipulate whether or not a
222 process type is permissive.
223 semanage module can also be used to enable/disable/install/remove pol‐
225 icy modules.
226 semanage boolean can also be used to manipulate the booleans
228 system-config-selinux is a GUI tool available to customize SELinux pol‐
231 icy settings.
232
235 This manual page was auto-generated using sepolicy manpage .
236
239 selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
240 setsebool(8)
241ccs 20-05-05 ccs_selinux(8)