ricci_selinux(8)              SELinux Policy ricci              ricci_selinux(8)


NAME
ricci_selinux - Security Enhanced Linux Policy for the ricci processes

DESCRIPTION
Security-Enhanced Linux secures the ricci processes via flexible mandatory
access control.

The ricci processes execute with the ricci_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.

For example:

ps -eZ | grep ricci_t


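The grep above only finds processes that already run as ricci_t. A ricci process that ended up in some other domain (for example unconfined_t, when the daemon is started by hand from an administrator's shell rather than through its init script) is not confined by this policy at all, and the grep will not list it. The following POSIX shell function is an added example, not part of the generated page or of ricci itself: it checks ps -eZ output against the process types this page defines and flags any ricci or modcluster process running outside them. The ps output, the function name and the EXPECTED_DOMAINS list are this example's own; the sample is constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page or of ricci itself.
# Checks `ps -eZ` output against the ricci domains listed on this page and
# flags any ricci/modcluster process running outside them. Such a process
# is not confined by the ricci policy and `grep ricci_t` will not show it.
# SAMPLE_PS is CONSTRUCTED for offline use; on a real host run:
#     check_ricci_domains "$(ps -eZ)"

EXPECTED_DOMAINS="ricci_t ricci_modcluster_t ricci_modclusterd_t ricci_modlog_t \
ricci_modrpm_t ricci_modservice_t ricci_modstorage_t"

SAMPLE_PS='LABEL                                     PID TTY      TIME     CMD
system_u:system_r:ricci_t:s0             1234 ?        00:00:01 ricci
system_u:system_r:ricci_modclusterd_t:s0 1240 ?        00:00:00 modclusterd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1300 pts/0 00:00:00 ricci
system_u:system_r:sshd_t:s0               900 ?        00:00:00 sshd'

# check_ricci_domains "<ps -eZ output>"
# Prints one line per ricci or modcluster process:
#   OK  <type> <pid> <cmd>   type is one of the expected ricci_* domains
#   BAD <type> <pid> <cmd>   anything else (not confined by this policy)
# Returns 0 when every such process is confined, 1 otherwise.
check_ricci_domains() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_DOMAINS" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    NR == 1 { next }                       # column header
    $NF ~ /^(ricci|modcluster)/ {          # CMD is the last column
        split($1, ctx, ":")                # user:role:type:level
        type = ctx[3]
        status = (type in ok) ? "OK" : "BAD"
        if (status == "BAD") bad = 1
        print status, type, $2, $NF
    }
    END { if (bad) exit 1; exit 0 }'
}

check_ricci_domains "$SAMPLE_PS" || echo "WARNING: unconfined ricci process found"
```

On the constructed sample the function reports the two confined daemons as OK and the ricci process running as unconfined_t as BAD, and returns 1. The usual fix for a BAD line is to stop the hand-started copy and start the service through the init script, which transitions into ricci_t via ricci_exec_t; if the binary itself carries the wrong label, restorecon on it is the first thing to check.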
ENTRYPOINTS
The ricci_t SELinux type can be entered via the usr_t, ricci_exec_t,
bin_t file types.

The default entrypoint paths for the ricci_t domain are the following:

All executables with the default executable label, usually stored in
/usr/bin and /usr/sbin. /opt/.*, /usr/.*, /emul/.*, /export(/.*)?,
/ostree(/.*)?, /usr/doc(/.*)?/lib(/.*)?, /usr/inclu.e(/.*)?,
/usr/share/rpm(/.*)?, /usr/share/doc(/.*)?/README.*,
/usr/lib/modules(/.*)/vmlinuz, /usr/lib/modules(/.*)/initramfs.img,
/usr/lib/sysimage(/.*)?, /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul,
/usr/sbin/ricci

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
ricci policy is very flexible, allowing users to set up their ricci
processes in as secure a manner as possible.

The following process types are defined for ricci:

ricci_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_modlog_t,
ricci_modrpm_t, ricci_modservice_t, ricci_modstorage_t

Note: semanage permissive -a ricci_t can be used to make the process
type ricci_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denial) messages are still
generated.


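Because a permissive domain is still audited, the AVC records written while ricci_t is permissive are a list of every access the domain actually needed, and each one carries permissive=1 to say the access went through. Records with permissive=0 are real denials from an enforcing domain. The following shell function is an added example, not part of the generated page or of ricci itself: it summarises AVC records for the ricci_* domains and separates the logged-only accesses from the blocked ones. The audit lines are constructed for offline use, and the function name is this example's own; on a real host the records come from ausearch -m AVC -ts recent.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page or of ricci itself.
# Summarises kernel AVC records for the ricci_* domains. When ricci_t has
# been made permissive (semanage permissive -a ricci_t) the kernel still
# logs each would-be denial but tags it permissive=1 and lets the access
# go through, so the log is a list of what the domain actually needs.
# SAMPLE_AVC is CONSTRUCTED; on a real host run:
#     summarize_ricci_avc "$(ausearch -m AVC -ts recent)"

SAMPLE_AVC='type=AVC msg=audit(1588694400.101:201): avc:  denied  { write } for  pid=1234 comm="ricci" name="cluster.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:ricci_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1588694400.102:202): avc:  denied  { name_connect } for  pid=1240 comm="modclusterd" dest=8080 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1588694400.103:203): avc:  denied  { read } for  pid=900 comm="sshd" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# summarize_ricci_avc "<audit records>"
# Prints one line per AVC record whose source domain is a ricci_* type:
#   LOGGED-ONLY <source type> <permissions> <class> <target type>   permissive=1
#   BLOCKED     <source type> <permissions> <class> <target type>   permissive=0
# Records from other domains are ignored. Returns 1 if anything was
# BLOCKED, 0 otherwise. A record asking for several permissions prints
# them space separated, e.g. "read write".
summarize_ricci_avc() {
    printf '%s\n' "$1" | awk '
    /^type=AVC / {
        perm = ""; sdom = ""; ttype = ""; tclass = ""; mode = ""
        # the requested permissions sit between the first { and }
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)        { split(substr($i, 10), c, ":"); sdom = c[3] }
            else if ($i ~ /^tcontext=/)   { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)     tclass = substr($i, 8)
            else if ($i ~ /^permissive=/) mode = substr($i, 12)
        }
        if (sdom !~ /^ricci_/) next
        status = (mode == "1") ? "LOGGED-ONLY" : "BLOCKED"
        if (status == "BLOCKED") blocked = 1
        print status, sdom, perm, tclass, ttype
    }
    END { if (blocked) exit 1; exit 0 }'
}

summarize_ricci_avc "$SAMPLE_AVC" || echo "NOTE: at least one ricci access was actually denied"
```

On the constructed sample the ricci_t write to an etc_t file is reported as LOGGED-ONLY (the write succeeded, which is exactly why a permissive domain is a diagnostic state and not a hardening one), the modclusterd connect to http_port_t is reported as BLOCKED, and the sshd record is ignored. Once the LOGGED-ONLY lines look like what the daemon legitimately needs, the same records can be fed to audit2allow to build a local policy module and ricci_t can be taken back out of permissive mode with semanage permissive -d ricci_t.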
BOOLEANS
SELinux policy is customizable based on least access required. ricci
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run ricci with the tightest access possible.


If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1


PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following
command:

semanage port -l

Policy governs the access confined processes have to these ports.
SELinux ricci policy is very flexible, allowing users to set up their
ricci processes in as secure a manner as possible.

The following port types are defined for ricci:

ricci_modcluster_port_t

Default Defined Ports:
tcp 16851
udp 16851

ricci_port_t

Default Defined Ports:
tcp 11111
udp 11111

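If ricci is moved off its default port, the new port has to carry ricci_port_t before the confined daemon can bind it; a port that already belongs to another type (http_port_t, say) cannot simply be added on top. The following shell functions are an added example, not part of the generated page or of ricci itself: they resolve which port type covers a port/protocol pair in semanage port -l output, including low-high ranges, and print the semanage port command that would relabel it. The listing is a constructed subset of a real one, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page or of ricci itself.
# Resolves which SELinux port type covers a given port/protocol in
# `semanage port -l` output and works out the semanage command needed
# before ricci can use a port other than the defaults above.
# SAMPLE_PORTS is a CONSTRUCTED subset of a real listing; on a real host run:
#     ricci_port_fix 11111 tcp "$(semanage port -l)"

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-60999
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ricci_modcluster_port_t        tcp      16851
ricci_modcluster_port_t        udp      16851
ricci_port_t                   tcp      11111
ricci_port_t                   udp      11111'

# port_type <port> <tcp|udp> "<semanage port -l output>"
# Prints "<type> exact" when the port is listed on its own, "<type> range"
# when it only falls inside a low-high range, or "unlabeled none".
port_type() {
    printf '%s\n' "$3" | awk -v want="$1" -v proto="$2" '
    NF >= 3 && $2 == proto {
        list = ""
        for (i = 3; i <= NF; i++) list = list $i     # "80, 81, 443" -> "80,81,443"
        n = split(list, ports, ",")
        for (i = 1; i <= n; i++) {
            if (split(ports[i], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
            else { lo = ports[i] + 0; hi = lo }
            if (want + 0 >= lo && want + 0 <= hi) {
                print $1, (lo == hi ? "exact" : "range"); found = 1; exit
            }
        }
    }
    END { if (!found) print "unlabeled none" }'
}

# ricci_port_fix <port> <tcp|udp> "<semanage port -l output>"
# Prints "ok" if the port is already ricci_port_t, otherwise the semanage
# command that relabels it: -m modifies a port defined on its own (and
# takes it away from its current type, e.g. http_port_t), -a adds a
# definition for a port that is unlabeled or only covered by a range.
ricci_port_fix() {
    t=$(port_type "$1" "$2" "$3")
    type=${t%% *}
    kind=${t#* }
    if [ "$type" = ricci_port_t ]; then
        echo ok
    elif [ "$kind" = exact ]; then
        echo "semanage port -m -t ricci_port_t -p $2 $1"
    else
        echo "semanage port -a -t ricci_port_t -p $2 $1"
    fi
}

ricci_port_fix 11111 tcp "$SAMPLE_PORTS"
ricci_port_fix 8443 tcp "$SAMPLE_PORTS"
```

Relabelling a port that another type already owns changes what every domain allowed that type may do with it, so the -m case deserves a deliberate decision rather than a copy-paste; keeping ricci on the reserved 11111 and 16851 defaults avoids the question entirely.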
MANAGED FILES
The SELinux process type ricci_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

ricci_var_lib_t

/var/lib/ricci(/.*)?

ricci_var_run_t

/var/run/ricci.pid

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?


FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux ricci policy is very flexible, allowing users to set up their
ricci processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for ricci. If you want to store
files with these types in different paths, you need to execute the
semanage command to specify alternate labeling and then use restorecon
to put the labels on disk.

semanage fcontext -a -t ricci_modstorage_lock_t '/srv/myricci_content(/.*)?'
restorecon -R -v /srv/myricci_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for ricci:


ricci_exec_t

- Set files with the ricci_exec_t type, if you want to transition an
executable to the ricci_t domain.


ricci_initrc_exec_t

- Set files with the ricci_initrc_exec_t type, if you want to transition
an executable to the ricci_initrc_t domain.


ricci_modcluster_exec_t

- Set files with the ricci_modcluster_exec_t type, if you want to
transition an executable to the ricci_modcluster_t domain.


ricci_modcluster_var_lib_t

- Set files with the ricci_modcluster_var_lib_t type, if you want to
store the ricci modcluster files under the /var/lib directory.


ricci_modcluster_var_log_t

- Set files with the ricci_modcluster_var_log_t type, if you want to
treat the data as ricci modcluster var log data, usually stored under
the /var/log directory.


ricci_modcluster_var_run_t

- Set files with the ricci_modcluster_var_run_t type, if you want to
store the ricci modcluster files under the /run or /var/run directory.

Paths:
/var/run/clumond.sock, /var/run/modclusterd.pid


ricci_modclusterd_exec_t

- Set files with the ricci_modclusterd_exec_t type, if you want to
transition an executable to the ricci_modclusterd_t domain.


ricci_modclusterd_tmpfs_t

- Set files with the ricci_modclusterd_tmpfs_t type, if you want to
store ricci modclusterd files on a tmpfs file system.


ricci_modlog_exec_t

- Set files with the ricci_modlog_exec_t type, if you want to transition
an executable to the ricci_modlog_t domain.


ricci_modrpm_exec_t

- Set files with the ricci_modrpm_exec_t type, if you want to transition
an executable to the ricci_modrpm_t domain.


ricci_modservice_exec_t

- Set files with the ricci_modservice_exec_t type, if you want to
transition an executable to the ricci_modservice_t domain.


ricci_modstorage_exec_t

- Set files with the ricci_modstorage_exec_t type, if you want to
transition an executable to the ricci_modstorage_t domain.


ricci_modstorage_lock_t

- Set files with the ricci_modstorage_lock_t type, if you want to treat
the files as ricci modstorage lock data, stored under the /var/lock
directory.


ricci_tmp_t

- Set files with the ricci_tmp_t type, if you want to store ricci
temporary files in the /tmp directories.


ricci_var_lib_t

- Set files with the ricci_var_lib_t type, if you want to store the
ricci files under the /var/lib directory.


ricci_var_log_t

- Set files with the ricci_var_log_t type, if you want to treat the
data as ricci var log data, usually stored under the /var/log directory.


ricci_var_run_t

- Set files with the ricci_var_run_t type, if you want to store the
ricci files under the /run or /var/run directory.


Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.


COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove policy
modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux
policy settings.


AUTHOR
This manual page was auto-generated using sepolicy manpage.


SEE ALSO
selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8),
ricci_modlog_selinux(8), ricci_modrpm_selinux(8),
ricci_modservice_selinux(8), ricci_modstorage_selinux(8)



ricci                              20-05-05                  ricci_selinux(8)