abrt_upload_watch_selinux(8)

1abrt_upload_watch_selinuSxE(L8i)nux Policy abrt_upload_waabtrcth_upload_watch_selinux(8)
2
3
4

NAME

6       abrt_upload_watch_selinux  -  Security  Enhanced  Linux  Policy for the
7       abrt_upload_watch processes
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  abrt_upload_watch  processes  via
11       flexible mandatory access control.
12
13       The  abrt_upload_watch  processes  execute with the abrt_upload_watch_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep abrt_upload_watch_t
20
21
22

ENTRYPOINTS

24       The   abrt_upload_watch_t   SELinux   type   can  be  entered  via  the
25       abrt_upload_watch_exec_t file type.
26
27       The default entrypoint paths for the abrt_upload_watch_t domain are the
28       following:
29
30       /usr/sbin/abrt-upload-watch
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       abrt_upload_watch policy is very flexible allowing users to setup their
40       abrt_upload_watch processes in as secure a method as possible.
41
42       The following process types are defined for abrt_upload_watch:
43
44       abrt_upload_watch_t
45
46       Note: semanage permissive -a abrt_upload_watch_t can be  used  to  make
47       the  process type abrt_upload_watch_t permissive. SELinux does not deny
48       access to permissive process types, but the AVC (SELinux denials)  mes‐
49       sages are still generated.
50
51

BOOLEANS

53       SELinux   policy  is  customizable  based  on  least  access  required.
54       abrt_upload_watch policy is extremely flexible and has several booleans
55       that  allow you to manipulate the policy and run abrt_upload_watch with
56       the tightest access possible.
57
58
59
60       If you want to allow all domains to execute in fips_mode, you must turn
61       on the fips_mode boolean. Enabled by default.
62
63       setsebool -P fips_mode 1
64
65
66

MANAGED FILES

68       The  SELinux  process type abrt_upload_watch_t can manage files labeled
69       with the following file types.  The paths listed are the default  paths
70       for  these  file  types.  Note the processes UID still need to have DAC
71       permissions.
72
73       cluster_conf_t
74
75            /etc/cluster(/.*)?
76
77       cluster_var_lib_t
78
79            /var/lib/pcsd(/.*)?
80            /var/lib/cluster(/.*)?
81            /var/lib/openais(/.*)?
82            /var/lib/pengine(/.*)?
83            /var/lib/corosync(/.*)?
84            /usr/lib/heartbeat(/.*)?
85            /var/lib/heartbeat(/.*)?
86            /var/lib/pacemaker(/.*)?
87
88       cluster_var_run_t
89
90            /var/run/crm(/.*)?
91            /var/run/cman_.*
92            /var/run/rsctmp(/.*)?
93            /var/run/aisexec.*
94            /var/run/heartbeat(/.*)?
95            /var/run/corosync-qnetd(/.*)?
96            /var/run/corosync-qdevice(/.*)?
97            /var/run/corosync.pid
98            /var/run/cpglockd.pid
99            /var/run/rgmanager.pid
100            /var/run/cluster/rgmanager.sk
101
102       public_content_rw_t
103
104            /var/spool/abrt-upload(/.*)?
105
106       root_t
107
108            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
109            /
110            /initrd
111
112

FILE CONTEXTS

114       SELinux requires files to have an extended attribute to define the file
115       type.
116
117       You can see the context of a file using the -Z option to ls
118
119       Policy  governs  the  access  confined  processes  have to these files.
120       SELinux abrt_upload_watch policy is very  flexible  allowing  users  to
121       setup their abrt_upload_watch processes in as secure a method as possi‐
122       ble.
123
124       STANDARD FILE CONTEXT
125
126       SELinux defines the file context types for  the  abrt_upload_watch,  if
127       you wanted to store files with these types in a diffent paths, you need
128       to execute the semanage command to sepecify alternate labeling and then
129       use restorecon to put the labels on disk.
130
131       semanage       fcontext       -a       -t       abrt_upload_watch_tmp_t
132       '/srv/myabrt_upload_watch_content(/.*)?'
133       restorecon -R -v /srv/myabrt_upload_watch_content
134
135       Note: SELinux often uses regular expressions  to  specify  labels  that
136       match multiple files.
137
138       The following file types are defined for abrt_upload_watch:
139
140
141
142       abrt_upload_watch_exec_t
143
144       -  Set  files  with  the  abrt_upload_watch_exec_t type, if you want to
145       transition an executable to the abrt_upload_watch_t domain.
146
147
148
149       abrt_upload_watch_tmp_t
150
151       - Set files with the abrt_upload_watch_tmp_t type, if you want to store
152       abrt upload watch temporary files in the /tmp directories.
153
154
155
156       Note:  File context can be temporarily modified with the chcon command.
157       If you want to permanently change the file context you need to use  the
158       semanage fcontext command.  This will modify the SELinux labeling data‐
159       base.  You will need to use restorecon to apply the labels.
160
161

SHARING FILES

163       If you want to share files with multiple domains (Apache,  FTP,  rsync,
164       Samba),  you can set a file context of public_content_t and public_con‐
165       tent_rw_t.  These context allow any of the above domains  to  read  the
166       content.   If  you want a particular domain to write to the public_con‐
167       tent_rw_t domain, you must set the appropriate boolean.
168
169       Allow abrt_upload_watch  servers  to  read  the  /var/abrt_upload_watch
170       directory by adding the public_content_t file type to the directory and
171       by restoring the file type.
172
173       semanage fcontext -a -t public_content_t "/var/abrt_upload_watch(/.*)?"
174       restorecon -F -R -v /var/abrt_upload_watch
175
176       Allow    abrt_upload_watch    servers     to     read     and     write
177       /var/abrt_upload_watch/incoming  by adding the public_content_rw_t type
178       to the directory and by restoring the file type.  You also need to turn
179       on the abrt_upload_watch_anon_write boolean.
180
181       semanage        fcontext        -a        -t        public_content_rw_t
182       "/var/abrt_upload_watch/incoming(/.*)?"
183       restorecon -F -R -v /var/abrt_upload_watch/incoming
184       setsebool -P abrt_upload_watch_anon_write 1
185
186
187       If you want to determine whether abrt-handle-upload can  modify  public
188       files  used  for  public  file  transfer  services  in /var/spool/abrt-
189       upload/., you must turn on the abrt_upload_watch_anon_write boolean.
190
191       setsebool -P abrt_upload_watch_anon_write 1
192
193

COMMANDS

195       semanage fcontext can also be used to manipulate default  file  context
196       mappings.
197
198       semanage  permissive  can  also  be used to manipulate whether or not a
199       process type is permissive.
200
201       semanage module can also be used to enable/disable/install/remove  pol‐
202       icy modules.
203
204       semanage boolean can also be used to manipulate the booleans
205
206
207       system-config-selinux is a GUI tool available to customize SELinux pol‐
208       icy settings.
209
210

AUTHOR

212       This manual page was auto-generated using sepolicy manpage .
213
214