1passenger_selinux(8)       SELinux Policy passenger       passenger_selinux(8)
2
3
4

NAME

6       passenger_selinux  -  Security  Enhanced Linux Policy for the passenger
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the passenger  processes  via  flexible
11       mandatory access control.
12
13       The  passenger processes execute with the passenger_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep passenger_t
20
21
22

ENTRYPOINTS

24       The  passenger_t  SELinux  type can be entered via the passenger_exec_t
25       file type.
26
27       The default entrypoint paths for the passenger_t domain are the follow‐
28       ing:
29
30       /usr/share/.*/gems/.*/helper-scripts/prespawn, /usr/lib/gems/.*/Passen‐
31       ger.*,                /usr/lib/gems/.*/ApplicationPoolServerExecutable,
32       /usr/share/gems/.*/Passenger.*,         /usr/share/gems/.*/Application‐
33       PoolServerExecutable
34

PROCESS TYPES

36       SELinux defines process types (domains) for each process running on the
37       system
38
39       You can see the context of a process using the -Z option to ps
40
41       Policy  governs  the  access confined processes have to files.  SELinux
42       passenger policy is very flexible allowing users to setup their passen‐
43       ger processes in as secure a method as possible.
44
45       The following process types are defined for passenger:
46
47       passenger_t
48
49       Note:  semanage  permissive  -a  passenger_t  can  be  used to make the
50       process type passenger_t permissive. SELinux does not  deny  access  to
51       permissive  process  types,  but the AVC (SELinux denials) messages are
52       still generated.
53
54

BOOLEANS

56       SELinux policy is customizable based on least access required.  passen‐
57       ger  policy  is  extremely flexible and has several booleans that allow
58       you to manipulate the policy and run passenger with the tightest access
59       possible.
60
61
62
63       If you want to allow all domains to execute in fips_mode, you must turn
64       on the fips_mode boolean. Enabled by default.
65
66       setsebool -P fips_mode 1
67
68
69
70       If you want to allow Apache to run in stickshift mode,  not  transition
71       to  passenger,  you  must  turn  on  the  httpd_run_stickshift boolean.
72       Enabled by default.
73
74       setsebool -P httpd_run_stickshift 1
75
76
77

MANAGED FILES

79       The SELinux process type passenger_t can manage files labeled with  the
80       following file types.  The paths listed are the default paths for these
81       file types.  Note the processes UID still need to have DAC permissions.
82
83       passenger_log_t
84
85            /var/log/passenger.*
86
87       passenger_var_lib_t
88
89            /var/lib/passenger(/.*)?
90
91       passenger_var_run_t
92
93            /var/run/passenger(/.*)?
94
95       puppet_var_lib_t
96
97            /var/lib/puppet(/.*)?
98
99

FILE CONTEXTS

101       SELinux requires files to have an extended attribute to define the file
102       type.
103
104       You can see the context of a file using the -Z option to ls
105
106       Policy  governs  the  access  confined  processes  have to these files.
107       SELinux passenger policy is very flexible allowing users to setup their
108       passenger processes in as secure a method as possible.
109
110       STANDARD FILE CONTEXT
111
112       SELinux defines the file context types for the passenger, if you wanted
113       to store files with these types in a diffent paths, you need to execute
114       the  semanage  command  to  sepecify  alternate  labeling  and then use
115       restorecon to put the labels on disk.
116
117       semanage  fcontext  -a  -t  passenger_var_run_t  '/srv/mypassenger_con‐
118       tent(/.*)?'
119       restorecon -R -v /srv/mypassenger_content
120
121       Note:  SELinux  often  uses  regular expressions to specify labels that
122       match multiple files.
123
124       The following file types are defined for passenger:
125
126
127
128       passenger_exec_t
129
130       - Set files with the passenger_exec_t type, if you want  to  transition
131       an executable to the passenger_t domain.
132
133
134       Paths:
135            /usr/share/.*/gems/.*/helper-scripts/prespawn,
136            /usr/lib/gems/.*/Passenger.*,        /usr/lib/gems/.*/Application‐
137            PoolServerExecutable,              /usr/share/gems/.*/Passenger.*,
138            /usr/share/gems/.*/ApplicationPoolServerExecutable
139
140
141       passenger_log_t
142
143       - Set files with the passenger_log_t type, if you  want  to  treat  the
144       data  as  passenger  log data, usually stored under the /var/log direc‐
145       tory.
146
147
148
149       passenger_tmp_t
150
151       - Set files with the passenger_tmp_t type, if you want to store passen‐
152       ger temporary files in the /tmp directories.
153
154
155
156       passenger_var_lib_t
157
158       - Set files with the passenger_var_lib_t type, if you want to store the
159       passenger files under the /var/lib directory.
160
161
162
163       passenger_var_run_t
164
165       - Set files with the passenger_var_run_t type, if you want to store the
166       passenger files under the /run or /var/run directory.
167
168
169
170       Note:  File context can be temporarily modified with the chcon command.
171       If you want to permanently change the file context you need to use  the
172       semanage fcontext command.  This will modify the SELinux labeling data‐
173       base.  You will need to use restorecon to apply the labels.
174
175

COMMANDS

177       semanage fcontext can also be used to manipulate default  file  context
178       mappings.
179
180       semanage  permissive  can  also  be used to manipulate whether or not a
181       process type is permissive.
182
183       semanage module can also be used to enable/disable/install/remove  pol‐
184       icy modules.
185
186       semanage boolean can also be used to manipulate the booleans
187
188
189       system-config-selinux is a GUI tool available to customize SELinux pol‐
190       icy settings.
191
192

AUTHOR

194       This manual page was auto-generated using sepolicy manpage .
195
196

SEE ALSO

198       selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1),  sepol‐
199       icy(8), setsebool(8)
200
201
202
203passenger                          20-05-05               passenger_selinux(8)
Impressum