1webalizer_selinux(8) SELinux Policy webalizer webalizer_selinux(8)
2
3
4
6 webalizer_selinux - Security Enhanced Linux Policy for the webalizer
7 processes
8
10 Security-Enhanced Linux secures the webalizer processes via flexible
11 mandatory access control.
12
13 The webalizer processes execute with the webalizer_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep webalizer_t
20
21
22
24 The webalizer_t SELinux type can be entered via the webalizer_exec_t
25 file type.
26
27 The default entrypoint paths for the webalizer_t domain are the follow‐
28 ing:
29
30 /usr/bin/awffull, /usr/bin/webalizer, /usr/bin/webazolver
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 webalizer policy is very flexible allowing users to setup their webal‐
40 izer processes in as secure a method as possible.
41
42 The following process types are defined for webalizer:
43
44 webalizer_t, webalizer_script_t
45
46 Note: semanage permissive -a webalizer_t can be used to make the
47 process type webalizer_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required. webal‐
54 izer policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run webalizer with the tightest access
56 possible.
57
58
59
60 If you want to allow all domains to execute in fips_mode, you must turn
61 on the fips_mode boolean. Enabled by default.
62
63 setsebool -P fips_mode 1
64
65
66
68 The SELinux process type webalizer_t can manage files labeled with the
69 following file types. The paths listed are the default paths for these
70 file types. Note the processes UID still need to have DAC permissions.
71
72 anon_inodefs_t
73
74
75 httpd_sys_content_t
76
77 /srv/([^/]*/)?www(/.*)?
78 /var/www(/.*)?
79 /etc/htdig(/.*)?
80 /srv/gallery2(/.*)?
81 /var/lib/trac(/.*)?
82 /var/lib/htdig(/.*)?
83 /var/www/icons(/.*)?
84 /usr/share/glpi(/.*)?
85 /usr/share/htdig(/.*)?
86 /usr/share/drupal.*
87 /usr/share/z-push(/.*)?
88 /var/www/svn/conf(/.*)?
89 /usr/share/icecast(/.*)?
90 /var/lib/cacti/rra(/.*)?
91 /usr/share/ntop/html(/.*)?
92 /usr/share/nginx/html(/.*)?
93 /usr/share/doc/ghc/html(/.*)?
94 /usr/share/openca/htdocs(/.*)?
95 /usr/share/selinux-policy[^/]*/html(/.*)?
96
97 webalizer_rw_content_t
98
99 /var/www/usage(/.*)?
100
101 webalizer_var_lib_t
102
103 /var/lib/webalizer(/.*)?
104
105
107 SELinux requires files to have an extended attribute to define the file
108 type.
109
110 You can see the context of a file using the -Z option to ls
111
112 Policy governs the access confined processes have to these files.
113 SELinux webalizer policy is very flexible allowing users to setup their
114 webalizer processes in as secure a method as possible.
115
116 STANDARD FILE CONTEXT
117
118 SELinux defines the file context types for the webalizer, if you wanted
119 to store files with these types in a diffent paths, you need to execute
120 the semanage command to sepecify alternate labeling and then use
121 restorecon to put the labels on disk.
122
123 semanage fcontext -a -t webalizer_ra_content_t '/srv/mywebalizer_con‐
124 tent(/.*)?'
125 restorecon -R -v /srv/mywebalizer_content
126
127 Note: SELinux often uses regular expressions to specify labels that
128 match multiple files.
129
130 The following file types are defined for webalizer:
131
132
133
134 webalizer_content_t
135
136 - Set files with the webalizer_content_t type, if you want to treat the
137 files as webalizer content.
138
139
140
141 webalizer_etc_t
142
143 - Set files with the webalizer_etc_t type, if you want to store webal‐
144 izer files in the /etc directories.
145
146
147
148 webalizer_exec_t
149
150 - Set files with the webalizer_exec_t type, if you want to transition
151 an executable to the webalizer_t domain.
152
153
154 Paths:
155 /usr/bin/awffull, /usr/bin/webalizer, /usr/bin/webazolver
156
157
158 webalizer_htaccess_t
159
160 - Set files with the webalizer_htaccess_t type, if you want to treat
161 the file as a webalizer access file.
162
163
164
165 webalizer_ra_content_t
166
167 - Set files with the webalizer_ra_content_t type, if you want to treat
168 the files as webalizer read/append content.
169
170
171
172 webalizer_rw_content_t
173
174 - Set files with the webalizer_rw_content_t type, if you want to treat
175 the files as webalizer read/write content.
176
177
178
179 webalizer_script_exec_t
180
181 - Set files with the webalizer_script_exec_t type, if you want to tran‐
182 sition an executable to the webalizer_script_t domain.
183
184
185
186 webalizer_tmp_t
187
188 - Set files with the webalizer_tmp_t type, if you want to store webal‐
189 izer temporary files in the /tmp directories.
190
191
192
193 webalizer_usage_t
194
195 - Set files with the webalizer_usage_t type, if you want to treat the
196 files as webalizer usage data.
197
198
199
200 webalizer_var_lib_t
201
202 - Set files with the webalizer_var_lib_t type, if you want to store the
203 webalizer files under the /var/lib directory.
204
205
206
207 webalizer_write_t
208
209 - Set files with the webalizer_write_t type, if you want to treat the
210 files as webalizer read/write content.
211
212
213
214 Note: File context can be temporarily modified with the chcon command.
215 If you want to permanently change the file context you need to use the
216 semanage fcontext command. This will modify the SELinux labeling data‐
217 base. You will need to use restorecon to apply the labels.
218
219
221 semanage fcontext can also be used to manipulate default file context
222 mappings.
223
224 semanage permissive can also be used to manipulate whether or not a
225 process type is permissive.
226
227 semanage module can also be used to enable/disable/install/remove pol‐
228 icy modules.
229
230 semanage boolean can also be used to manipulate the booleans
231
232
233 system-config-selinux is a GUI tool available to customize SELinux pol‐
234 icy settings.
235
236
238 This manual page was auto-generated using sepolicy manpage .
239
240
242 selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1), sepol‐
243 icy(8), setsebool(8), webalizer_script_selinux(8), webal‐
244 izer_script_selinux(8)
245
246
247
248webalizer 21-03-26 webalizer_selinux(8)