1keystone_selinux(8) SELinux Policy keystone keystone_selinux(8)
2
3
4
6 keystone_selinux - Security Enhanced Linux Policy for the keystone pro‐
7 cesses
8
10 Security-Enhanced Linux secures the keystone processes via flexible
11 mandatory access control.
12
13 The keystone processes execute with the keystone_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep keystone_t
20
21
22
24 The keystone_t SELinux type can be entered via the keystone_exec_t file
25 type.
26
27 The default entrypoint paths for the keystone_t domain are the follow‐
28 ing:
29
30 /usr/bin/keystone-all
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 keystone policy is very flexible allowing users to setup their keystone
40 processes in as secure a method as possible.
41
42 The following process types are defined for keystone:
43
44 keystone_t, keystone_cgi_script_t
45
46 Note: semanage permissive -a keystone_t can be used to make the process
47 type keystone_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. key‐
54 stone policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run keystone with the tightest access
56 possible.
57
58
59
60 If you want to allow all domains to execute in fips_mode, you must turn
61 on the fips_mode boolean. Enabled by default.
62
63 setsebool -P fips_mode 1
64
65
66
67 If you want to allow confined applications to run with kerberos, you
68 must turn on the kerberos_enabled boolean. Disabled by default.
69
70 setsebool -P kerberos_enabled 1
71
72
73
74 If you want to allow system to run with NIS, you must turn on the
75 nis_enabled boolean. Disabled by default.
76
77 setsebool -P nis_enabled 1
78
79
80
82 SELinux defines port types to represent TCP and UDP ports.
83
84 You can see the types associated with a port by using the following
85 command:
86
87 semanage port -l
88
89
90 Policy governs the access confined processes have to these ports.
91 SELinux keystone policy is very flexible allowing users to setup their
92 keystone processes in as secure a method as possible.
93
94 The following port types are defined for keystone:
95
96
97 keystone_port_t
98
99
100
101 Default Defined Ports:
102 tcp 35357
103 udp 35357
104
106 The SELinux process type keystone_t can manage files labeled with the
107 following file types. The paths listed are the default paths for these
108 file types. Note the processes UID still need to have DAC permissions.
109
110 cluster_conf_t
111
112 /etc/cluster(/.*)?
113
114 cluster_var_lib_t
115
116 /var/lib/pcsd(/.*)?
117 /var/lib/cluster(/.*)?
118 /var/lib/openais(/.*)?
119 /var/lib/pengine(/.*)?
120 /var/lib/corosync(/.*)?
121 /usr/lib/heartbeat(/.*)?
122 /var/lib/heartbeat(/.*)?
123 /var/lib/pacemaker(/.*)?
124
125 cluster_var_run_t
126
127 /var/run/crm(/.*)?
128 /var/run/cman_.*
129 /var/run/rsctmp(/.*)?
130 /var/run/aisexec.*
131 /var/run/heartbeat(/.*)?
132 /var/run/corosync-qnetd(/.*)?
133 /var/run/corosync-qdevice(/.*)?
134 /var/run/corosync.pid
135 /var/run/cpglockd.pid
136 /var/run/rgmanager.pid
137 /var/run/cluster/rgmanager.sk
138
139 faillog_t
140
141 /var/log/btmp.*
142 /var/log/faillog.*
143 /var/log/tallylog.*
144 /var/run/faillock(/.*)?
145
146 keystone_var_lib_t
147
148 /var/lib/keystone(/.*)?
149
150 keystone_var_run_t
151
152 /var/run/keystone(/.*)?
153
154 lastlog_t
155
156 /var/log/lastlog.*
157
158 root_t
159
160 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
161 /
162 /initrd
163
164 security_t
165
166 /selinux
167
168
170 SELinux requires files to have an extended attribute to define the file
171 type.
172
173 You can see the context of a file using the -Z option to ls
174
175 Policy governs the access confined processes have to these files.
176 SELinux keystone policy is very flexible allowing users to setup their
177 keystone processes in as secure a method as possible.
178
179 STANDARD FILE CONTEXT
180
181 SELinux defines the file context types for the keystone, if you wanted
182 to store files with these types in a diffent paths, you need to execute
183 the semanage command to sepecify alternate labeling and then use
184 restorecon to put the labels on disk.
185
186 semanage fcontext -a -t keystone_cgi_ra_content_t '/srv/mykeystone_con‐
187 tent(/.*)?'
188 restorecon -R -v /srv/mykeystone_content
189
190 Note: SELinux often uses regular expressions to specify labels that
191 match multiple files.
192
193 The following file types are defined for keystone:
194
195
196
197 keystone_cgi_content_t
198
199 - Set files with the keystone_cgi_content_t type, if you want to treat
200 the files as keystone cgi content.
201
202
203
204 keystone_cgi_htaccess_t
205
206 - Set files with the keystone_cgi_htaccess_t type, if you want to treat
207 the file as a keystone cgi access file.
208
209
210
211 keystone_cgi_ra_content_t
212
213 - Set files with the keystone_cgi_ra_content_t type, if you want to
214 treat the files as keystone cgi read/append content.
215
216
217
218 keystone_cgi_rw_content_t
219
220 - Set files with the keystone_cgi_rw_content_t type, if you want to
221 treat the files as keystone cgi read/write content.
222
223
224
225 keystone_cgi_script_exec_t
226
227 - Set files with the keystone_cgi_script_exec_t type, if you want to
228 transition an executable to the keystone_cgi_script_t domain.
229
230
231
232 keystone_exec_t
233
234 - Set files with the keystone_exec_t type, if you want to transition an
235 executable to the keystone_t domain.
236
237
238
239 keystone_initrc_exec_t
240
241 - Set files with the keystone_initrc_exec_t type, if you want to tran‐
242 sition an executable to the keystone_initrc_t domain.
243
244
245
246 keystone_log_t
247
248 - Set files with the keystone_log_t type, if you want to treat the data
249 as keystone log data, usually stored under the /var/log directory.
250
251
252
253 keystone_tmp_t
254
255 - Set files with the keystone_tmp_t type, if you want to store keystone
256 temporary files in the /tmp directories.
257
258
259
260 keystone_unit_file_t
261
262 - Set files with the keystone_unit_file_t type, if you want to treat
263 the files as keystone unit content.
264
265
266
267 keystone_var_lib_t
268
269 - Set files with the keystone_var_lib_t type, if you want to store the
270 keystone files under the /var/lib directory.
271
272
273
274 keystone_var_run_t
275
276 - Set files with the keystone_var_run_t type, if you want to store the
277 keystone files under the /run or /var/run directory.
278
279
280
281 Note: File context can be temporarily modified with the chcon command.
282 If you want to permanently change the file context you need to use the
283 semanage fcontext command. This will modify the SELinux labeling data‐
284 base. You will need to use restorecon to apply the labels.
285
286
288 semanage fcontext can also be used to manipulate default file context
289 mappings.
290
291 semanage permissive can also be used to manipulate whether or not a
292 process type is permissive.
293
294 semanage module can also be used to enable/disable/install/remove pol‐
295 icy modules.
296
297 semanage port can also be used to manipulate the port definitions
298
299 semanage boolean can also be used to manipulate the booleans
300
301
302 system-config-selinux is a GUI tool available to customize SELinux pol‐
303 icy settings.
304
305
307 This manual page was auto-generated using sepolicy manpage .
308
309
311 selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1), sepol‐
312 icy(8), setsebool(8), keystone_cgi_script_selinux(8), key‐
313 stone_cgi_script_selinux(8)
314
315
316
317keystone 21-03-26 keystone_selinux(8)