1ipa_custodia_selinux(8)   SELinux Policy ipa_custodia  ipa_custodia_selinux(8)
2
3
4

NAME

6       ipa_custodia_selinux  - Security Enhanced Linux Policy for the ipa_cus‐
7       todia processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the ipa_custodia processes via flexible
11       mandatory access control.
12
13       The  ipa_custodia  processes  execute  with  the ipa_custodia_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep ipa_custodia_t
20
21
22

ENTRYPOINTS

24       The ipa_custodia_t SELinux type can be entered via the ldconfig_exec_t,
25       ipa_custodia_exec_t file types.
26
27       The default entrypoint paths for the ipa_custodia_t domain are the fol‐
28       lowing:
29
30       /sbin/sln,     /usr/sbin/sln,    /sbin/ldconfig,    /usr/sbin/ldconfig,
31       /usr/libexec/ipa/ipa-custodia
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       ipa_custodia policy is very flexible  allowing  users  to  setup  their
41       ipa_custodia processes in as secure a method as possible.
42
43       The following process types are defined for ipa_custodia:
44
45       ipa_custodia_t
46
47       Note:  semanage  permissive  -a  ipa_custodia_t can be used to make the
48       process type ipa_custodia_t permissive. SELinux does not deny access to
49       permissive  process  types,  but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       ipa_custodia policy is extremely flexible and has several booleans that
56       allow you to manipulate the policy and run ipa_custodia with the tight‐
57       est access possible.
58
59
60
61       If you want to allow all domains to execute in fips_mode, you must turn
62       on the fips_mode boolean. Enabled by default.
63
64       setsebool -P fips_mode 1
65
66
67

MANAGED FILES

69       The SELinux process type ipa_custodia_t can manage files  labeled  with
70       the  following  file types.  The paths listed are the default paths for
71       these file types.  Note the processes UID still need to have  DAC  per‐
72       missions.
73
74       cluster_conf_t
75
76            /etc/cluster(/.*)?
77
78       cluster_var_lib_t
79
80            /var/lib/pcsd(/.*)?
81            /var/lib/cluster(/.*)?
82            /var/lib/openais(/.*)?
83            /var/lib/pengine(/.*)?
84            /var/lib/corosync(/.*)?
85            /usr/lib/heartbeat(/.*)?
86            /var/lib/heartbeat(/.*)?
87            /var/lib/pacemaker(/.*)?
88
89       cluster_var_run_t
90
91            /var/run/crm(/.*)?
92            /var/run/cman_.*
93            /var/run/rsctmp(/.*)?
94            /var/run/aisexec.*
95            /var/run/heartbeat(/.*)?
96            /var/run/corosync-qnetd(/.*)?
97            /var/run/corosync-qdevice(/.*)?
98            /var/run/corosync.pid
99            /var/run/cpglockd.pid
100            /var/run/rgmanager.pid
101            /var/run/cluster/rgmanager.sk
102
103       dirsrv_var_run_t
104
105            /var/run/slapd.*
106            /var/run/dirsrv(/.*)?
107
108       httpd_var_run_t
109
110            /var/run/wsgi.*
111            /var/run/mod_.*
112            /var/run/httpd.*
113            /var/run/nginx.*
114            /var/run/apache.*
115            /var/run/php-fpm(/.*)?
116            /var/run/fcgiwrap(/.*)?
117            /var/run/lighttpd(/.*)?
118            /var/lib/php/session(/.*)?
119            /var/lib/php/wsdlcache(/.*)?
120            /var/run/dirsrv/admin-serv.*
121            /var/opt/rh/rh-nginx18/run/nginx(/.*)?
122            /var/www/openshift/broker/httpd/run(/.*)?
123            /var/www/openshift/console/httpd/run(/.*)?
124            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
125            /var/run/thttpd.pid
126            /var/run/gcache_port
127            /var/run/cherokee.pid
128
129       ipa_custodia_log_t
130
131            /var/log/ipa-custodia.audit.log(/.*)?
132
133       pki_tomcat_cert_t
134
135            /var/lib/pki-ca/alias(/.*)?
136            /etc/pki/pki-tomcat/ca(/.*)?
137            /var/lib/pki-kra/alias(/.*)?
138            /var/lib/pki-tks/alias(/.*)?
139            /var/lib/pki-ocsp/alias(/.*)?
140            /etc/pki/pki-tomcat/alias(/.*)?
141            /var/lib/ipa/pki-ca/publish(/.*)?
142
143       pki_tomcat_etc_rw_t
144
145            /etc/pki-ca(/.*)?
146            /etc/pki-kra(/.*)?
147            /etc/pki-tks(/.*)?
148            /etc/pki-ocsp(/.*)?
149            /etc/pki/pki-tomcat(/.*)?
150            /etc/sysconfig/pki/tomcat(/.*)?
151
152       root_t
153
154            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
155            /
156            /initrd
157
158       systemd_passwd_var_run_t
159
160            /var/run/systemd/ask-password(/.*)?
161            /var/run/systemd/ask-password-block(/.*)?
162
163

FILE CONTEXTS

165       SELinux requires files to have an extended attribute to define the file
166       type.
167
168       You can see the context of a file using the -Z option to ls
169
170       Policy governs the access  confined  processes  have  to  these  files.
171       SELinux  ipa_custodia  policy  is very flexible allowing users to setup
172       their ipa_custodia processes in as secure a method as possible.
173
174       STANDARD FILE CONTEXT
175
176       SELinux defines the file context types for  the  ipa_custodia,  if  you
177       wanted  to store files with these types in a diffent paths, you need to
178       execute the semanage command to sepecify alternate  labeling  and  then
179       use restorecon to put the labels on disk.
180
181       semanage  fcontext  -a  -t ipa_custodia_tmp_t '/srv/myipa_custodia_con‐
182       tent(/.*)?'
183       restorecon -R -v /srv/myipa_custodia_content
184
185       Note: SELinux often uses regular expressions  to  specify  labels  that
186       match multiple files.
187
188       The following file types are defined for ipa_custodia:
189
190
191
192       ipa_custodia_dmldap_exec_t
193
194       -  Set  files  with the ipa_custodia_dmldap_exec_t type, if you want to
195       transition an executable to the ipa_custodia_dmldap_t domain.
196
197
198
199       ipa_custodia_exec_t
200
201       - Set files with the ipa_custodia_exec_t type, if you want  to  transi‐
202       tion an executable to the ipa_custodia_t domain.
203
204
205
206       ipa_custodia_log_t
207
208       -  Set files with the ipa_custodia_log_t type, if you want to treat the
209       data as ipa custodia log data, usually stored under the /var/log direc‐
210       tory.
211
212
213
214       ipa_custodia_pki_tomcat_exec_t
215
216       -  Set  files with the ipa_custodia_pki_tomcat_exec_t type, if you want
217       to transition an executable to the ipa_custodia_pki_tomcat_t domain.
218
219
220       Paths:
221            /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat,
222            /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
223
224
225       ipa_custodia_ra_agent_exec_t
226
227       -  Set files with the ipa_custodia_ra_agent_exec_t type, if you want to
228       transition an executable to the ipa_custodia_ra_agent_t domain.
229
230
231
232       ipa_custodia_tmp_t
233
234       - Set files with the ipa_custodia_tmp_t type, if you want to store  ipa
235       custodia temporary files in the /tmp directories.
236
237
238
239       Note:  File context can be temporarily modified with the chcon command.
240       If you want to permanently change the file context you need to use  the
241       semanage fcontext command.  This will modify the SELinux labeling data‐
242       base.  You will need to use restorecon to apply the labels.
243
244

COMMANDS

246       semanage fcontext can also be used to manipulate default  file  context
247       mappings.
248
249       semanage  permissive  can  also  be used to manipulate whether or not a
250       process type is permissive.
251
252       semanage module can also be used to enable/disable/install/remove  pol‐
253       icy modules.
254
255       semanage boolean can also be used to manipulate the booleans
256
257
258       system-config-selinux is a GUI tool available to customize SELinux pol‐
259       icy settings.
260
261

AUTHOR

263       This manual page was auto-generated using sepolicy manpage .
264
265

SEE ALSO

267       selinux(8),  ipa_custodia(8),  semanage(8),  restorecon(8),   chcon(1),
268       sepolicy(8), setsebool(8)
269
270
271
272ipa_custodia                       20-05-05            ipa_custodia_selinux(8)
Impressum