1neutron_selinux(8) SELinux Policy neutron neutron_selinux(8)
2
3
4
6 neutron_selinux - Security Enhanced Linux Policy for the neutron pro‐
7 cesses
8
10 Security-Enhanced Linux secures the neutron processes via flexible
11 mandatory access control.
12
13 The neutron processes execute with the neutron_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep neutron_t
20
21
22
24 The neutron_t SELinux type can be entered via the neutron_exec_t file
25 type.
26
27 The default entrypoint paths for the neutron_t domain are the follow‐
28 ing:
29
30 /usr/bin/neutron-server, /usr/bin/quantum-server, /usr/bin/neutron-
31 l3-agent, /usr/bin/neutron-rootwrap, /usr/bin/quantum-l3-agent,
32 /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent, /usr/bin/neu‐
33 tron-dhcp-agent, /usr/bin/quantum-dhcp-agent, /usr/bin/neutron-lbaas-
34 agent, /usr/bin/neutron-ovs-cleanup, /usr/bin/quantum-ovs-cleanup,
35 /usr/bin/neutron-netns-cleanup, /usr/bin/neutron-metadata-agent,
36 /usr/bin/neutron-linuxbridge-agent, /usr/bin/neutron-ns-metadata-proxy,
37 /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38 /usr/bin/quantum-openvswitch-agent
39
41 SELinux defines process types (domains) for each process running on the
42 system
43
44 You can see the context of a process using the -Z option to ps
45
46 Policy governs the access confined processes have to files. SELinux
47 neutron policy is very flexible allowing users to setup their neutron
48 processes in as secure a method as possible.
49
50 The following process types are defined for neutron:
51
52 neutron_t
53
54 Note: semanage permissive -a neutron_t can be used to make the process
55 type neutron_t permissive. SELinux does not deny access to permissive
56 process types, but the AVC (SELinux denials) messages are still gener‐
57 ated.
58
59
61 SELinux policy is customizable based on least access required. neutron
62 policy is extremely flexible and has several booleans that allow you to
63 manipulate the policy and run neutron with the tightest access possi‐
64 ble.
65
66
67
68 If you want to determine whether neutron can connect to all TCP ports,
69 you must turn on the neutron_can_network boolean. Disabled by default.
70
71 setsebool -P neutron_can_network 1
72
73
74
75 If you want to allow all domains to execute in fips_mode, you must turn
76 on the fips_mode boolean. Enabled by default.
77
78 setsebool -P fips_mode 1
79
80
81
82 If you want to allow confined applications to run with kerberos, you
83 must turn on the kerberos_enabled boolean. Disabled by default.
84
85 setsebool -P kerberos_enabled 1
86
87
88
89 If you want to allow system to run with NIS, you must turn on the
90 nis_enabled boolean. Disabled by default.
91
92 setsebool -P nis_enabled 1
93
94
95
97 SELinux defines port types to represent TCP and UDP ports.
98
99 You can see the types associated with a port by using the following
100 command:
101
102 semanage port -l
103
104
105 Policy governs the access confined processes have to these ports.
106 SELinux neutron policy is very flexible allowing users to setup their
107 neutron processes in as secure a method as possible.
108
109 The following port types are defined for neutron:
110
111
112 neutron_port_t
113
114
115
116 Default Defined Ports:
117 tcp 8775,9696,9697
118
120 The SELinux process type neutron_t can manage files labeled with the
121 following file types. The paths listed are the default paths for these
122 file types. Note the processes UID still need to have DAC permissions.
123
124 cluster_conf_t
125
126 /etc/cluster(/.*)?
127
128 cluster_var_lib_t
129
130 /var/lib/pcsd(/.*)?
131 /var/lib/cluster(/.*)?
132 /var/lib/openais(/.*)?
133 /var/lib/pengine(/.*)?
134 /var/lib/corosync(/.*)?
135 /usr/lib/heartbeat(/.*)?
136 /var/lib/heartbeat(/.*)?
137 /var/lib/pacemaker(/.*)?
138
139 cluster_var_run_t
140
141 /var/run/crm(/.*)?
142 /var/run/cman_.*
143 /var/run/rsctmp(/.*)?
144 /var/run/aisexec.*
145 /var/run/heartbeat(/.*)?
146 /var/run/corosync-qnetd(/.*)?
147 /var/run/corosync-qdevice(/.*)?
148 /var/run/corosync.pid
149 /var/run/cpglockd.pid
150 /var/run/rgmanager.pid
151 /var/run/cluster/rgmanager.sk
152
153 faillog_t
154
155 /var/log/btmp.*
156 /var/log/faillog.*
157 /var/log/tallylog.*
158 /var/run/faillock(/.*)?
159
160 ifconfig_var_run_t
161
162 /var/run/netns(/.*)?
163
164 initrc_var_run_t
165
166 /var/run/utmp
167 /var/run/random-seed
168 /var/run/runlevel.dir
169 /var/run/setmixer_flag
170
171 krb5_keytab_t
172
173 /var/kerberos/krb5(/.*)?
174 /etc/krb5.keytab
175 /etc/krb5kdc/kadm5.keytab
176 /var/kerberos/krb5kdc/kadm5.keytab
177
178 lastlog_t
179
180 /var/log/lastlog.*
181
182 neutron_var_lib_t
183
184 /var/lib/neutron(/.*)?
185 /var/lib/quantum(/.*)?
186
187 neutron_var_run_t
188
189 /var/run/neutron(/.*)?
190 /var/run/quantum(/.*)?
191
192 root_t
193
194 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
195 /
196 /initrd
197
198 security_t
199
200 /selinux
201
202
204 SELinux requires files to have an extended attribute to define the file
205 type.
206
207 You can see the context of a file using the -Z option to ls
208
209 Policy governs the access confined processes have to these files.
210 SELinux neutron policy is very flexible allowing users to setup their
211 neutron processes in as secure a method as possible.
212
213 STANDARD FILE CONTEXT
214
215 SELinux defines the file context types for the neutron, if you wanted
216 to store files with these types in a diffent paths, you need to execute
217 the semanage command to sepecify alternate labeling and then use
218 restorecon to put the labels on disk.
219
220 semanage fcontext -a -t neutron_unit_file_t '/srv/myneutron_con‐
221 tent(/.*)?'
222 restorecon -R -v /srv/myneutron_content
223
224 Note: SELinux often uses regular expressions to specify labels that
225 match multiple files.
226
227 The following file types are defined for neutron:
228
229
230
231 neutron_exec_t
232
233 - Set files with the neutron_exec_t type, if you want to transition an
234 executable to the neutron_t domain.
235
236
237 Paths:
238 /usr/bin/neutron-server, /usr/bin/quantum-server, /usr/bin/neu‐
239 tron-l3-agent, /usr/bin/neutron-rootwrap, /usr/bin/quantum-
240 l3-agent, /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent,
241 /usr/bin/neutron-dhcp-agent, /usr/bin/quantum-dhcp-agent,
242 /usr/bin/neutron-lbaas-agent, /usr/bin/neutron-ovs-cleanup,
243 /usr/bin/quantum-ovs-cleanup, /usr/bin/neutron-netns-cleanup,
244 /usr/bin/neutron-metadata-agent, /usr/bin/neutron-linuxbridge-
245 agent, /usr/bin/neutron-ns-metadata-proxy, /usr/bin/neutron-open‐
246 vswitch-agent, /usr/bin/quantum-linuxbridge-agent, /usr/bin/quan‐
247 tum-openvswitch-agent
248
249
250 neutron_initrc_exec_t
251
252 - Set files with the neutron_initrc_exec_t type, if you want to transi‐
253 tion an executable to the neutron_initrc_t domain.
254
255
256 Paths:
257 /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
258
259
260 neutron_log_t
261
262 - Set files with the neutron_log_t type, if you want to treat the data
263 as neutron log data, usually stored under the /var/log directory.
264
265
266 Paths:
267 /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
268
269
270 neutron_tmp_t
271
272 - Set files with the neutron_tmp_t type, if you want to store neutron
273 temporary files in the /tmp directories.
274
275
276
277 neutron_unit_file_t
278
279 - Set files with the neutron_unit_file_t type, if you want to treat the
280 files as neutron unit content.
281
282
283 Paths:
284 /usr/lib/systemd/system/neutron.*, /usr/lib/systemd/system/quan‐
285 tum.*
286
287
288 neutron_var_lib_t
289
290 - Set files with the neutron_var_lib_t type, if you want to store the
291 neutron files under the /var/lib directory.
292
293
294 Paths:
295 /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
296
297
298 neutron_var_run_t
299
300 - Set files with the neutron_var_run_t type, if you want to store the
301 neutron files under the /run or /var/run directory.
302
303
304 Paths:
305 /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
306
307
308 Note: File context can be temporarily modified with the chcon command.
309 If you want to permanently change the file context you need to use the
310 semanage fcontext command. This will modify the SELinux labeling data‐
311 base. You will need to use restorecon to apply the labels.
312
313
315 semanage fcontext can also be used to manipulate default file context
316 mappings.
317
318 semanage permissive can also be used to manipulate whether or not a
319 process type is permissive.
320
321 semanage module can also be used to enable/disable/install/remove pol‐
322 icy modules.
323
324 semanage port can also be used to manipulate the port definitions
325
326 semanage boolean can also be used to manipulate the booleans
327
328
329 system-config-selinux is a GUI tool available to customize SELinux pol‐
330 icy settings.
331
332
334 This manual page was auto-generated using sepolicy manpage .
335
336
338 selinux(8), neutron(8), semanage(8), restorecon(8), chcon(1), sepol‐
339 icy(8), setsebool(8)
340
341
342
343neutron 20-05-05 neutron_selinux(8)