glusterd_selinux(8)          SELinux Policy glusterd          glusterd_selinux(8)

NAME
glusterd_selinux - Security Enhanced Linux Policy for the glusterd processes

DESCRIPTION
Security-Enhanced Linux secures the glusterd processes via flexible mandatory access control.

The glusterd processes execute with the glusterd_t SELinux type. You can check whether these processes are running by executing the ps command with the -Z qualifier.

For example:

    ps -eZ | grep glusterd_t

ENTRYPOINTS
The glusterd_t SELinux type can be entered via the glusterd_exec_t file type.

The default entrypoint paths for the glusterd_t domain are the following:

    /opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/libexec/glusterfs/peer_eventsapi.py,
    /usr/libexec/glusterfs/events/glustereventsd.py, /usr/sbin/glusterfsd,
    /usr/sbin/glustereventsd, /usr/sbin/gluster-eventsapi
PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux glusterd policy is very flexible, allowing users to set up their glusterd processes in as secure a method as possible.

The following process types are defined for glusterd:

    glusterd_t

Note: semanage permissive -a glusterd_t can be used to make the process type glusterd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.

BOOLEANS
SELinux policy is customizable based on least access required. glusterd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run glusterd with the tightest access possible.

If you want to allow glusterfsd to share any file/directory read only, you must turn on the gluster_export_all_ro boolean. Disabled by default.

    setsebool -P gluster_export_all_ro 1

If you want to allow glusterfsd to share any file/directory read/write, you must turn on the gluster_export_all_rw boolean. Enabled by default.

    setsebool -P gluster_export_all_rw 1

If you want to allow the glusterd_t domain to use executable memory, you must turn on the gluster_use_execmem boolean. Disabled by default.

    setsebool -P gluster_use_execmem 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

    setsebool -P fips_mode 1

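The booleans above are the knobs that decide how far glusterfsd may reach beyond its own glusterd_brick_t data; gluster_export_all_rw is the widest of them and, as the page notes, is on by default. The audit script below is an added example and not part of the sepolicy-generated page: it reads getsebool-style output, lists the widening booleans that are currently on, and prints (rather than runs) the setsebool command that would tighten each one. Which four booleans count as "widening" is this example's own choice, drawn from the page's list (fips_mode is excluded because it does not widen access); the sample getsebool output is constructed to match the defaults the page states. On a live host, pipe the real getsebool output into gluster_risky_booleans instead.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated man page): list the glusterd
# booleans that widen what glusterfsd may touch. Live use:
#   getsebool gluster_export_all_ro gluster_export_all_rw \
#             gluster_use_execmem gluster_anon_write | gluster_risky_booleans

# Booleans from the man page whose "on" state widens glusterfsd's access.
# Treating exactly these four as the audit set is this example's assumption.
GLUSTER_RISKY_BOOLEANS="gluster_export_all_ro gluster_export_all_rw gluster_use_execmem gluster_anon_write"

# Read "name --> on|off" lines (the getsebool output format) from stdin and
# print each risky boolean that is on, one per line.
gluster_risky_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue   # skip anything not in getsebool format
        for risky in $GLUSTER_RISKY_BOOLEANS; do
            if [ "$name" = "$risky" ] && [ "$state" = "on" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# Constructed sample of getsebool output reflecting the defaults stated on the
# man page (gluster_export_all_rw and fips_mode on, the rest off).
SAMPLE_GETSEBOOL='gluster_export_all_ro --> off
gluster_export_all_rw --> on
gluster_use_execmem --> off
gluster_anon_write --> off
fips_mode --> on'

# Number of risky booleans that are on in SAMPLE_GETSEBOOL.
gluster_sample_risky_count() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | gluster_risky_booleans | wc -l | tr -d ' '
}

# For each risky boolean reported on, print the setsebool command that would
# turn it off. Printed, not executed, so the operator can review before
# applying (turning gluster_export_all_rw off means bricks must be labeled
# glusterd_brick_t for glusterfsd to serve them).
gluster_tighten_commands() {
    gluster_risky_booleans | while read -r name; do
        printf 'setsebool -P %s 0\n' "$name"
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | gluster_tighten_commands
```

On the sample input the only command printed is `setsebool -P gluster_export_all_rw 0`; the export_all_ro and execmem booleans are already at their tighter default.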
PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

    semanage port -l

Policy governs the access confined processes have to these ports. SELinux glusterd policy is very flexible, allowing users to set up their glusterd processes in as secure a method as possible.

The following port types are defined for glusterd:

    gluster_port_t

Default Defined Ports:
    tcp 38465-38469,24007-24027

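Policy grants glusterd_t only the ports labeled gluster_port_t, so a brick or management listener configured on a port outside the default ranges above needs that port labeled before it can be used. The script below is an added example and not the page's own code: it checks a TCP port number against the default ranges and, when the port falls outside them, prints the semanage port command that would label it. The port numbers it is run on are constructed (49152 is an assumed brick port, not a documented one), and printing the command instead of running it is this example's choice so the change can be compared against `semanage port -l` first.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated man page): check whether a
# TCP port is inside the default gluster_port_t ranges and, if not, print the
# semanage command that would label it.

# Default gluster_port_t TCP ranges, copied from the man page.
GLUSTER_PORT_RANGES="38465-38469,24007-24027"

# Return 0 if PORT lies inside one of the ranges, 1 otherwise (also 1 for
# anything that is not a plain decimal number).
in_gluster_port_range() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    for range in $(printf '%s' "$GLUSTER_PORT_RANGES" | tr ',' ' '); do
        lo=${range%-*}   # "38465-38469" -> 38465; a bare "N" gives N for both ends
        hi=${range#*-}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Print the labeling command for PORT when it is outside the ranges; print
# nothing when the port is already covered.
gluster_port_fix_hint() {
    port=$1
    if ! in_gluster_port_range "$port"; then
        printf 'semanage port -a -t gluster_port_t -p tcp %s\n' "$port"
    fi
}

# Constructed sample: a management port inside the range and a hypothetical
# brick port (49152 is an assumed value) outside it.
for p in 24007 49152; do
    gluster_port_fix_hint "$p"
done
```

Running the block prints one line, `semanage port -a -t gluster_port_t -p tcp 49152`, since 24007 is already inside the 24007-24027 range.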
MANAGED FILES
The SELinux process type glusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

    cluster_conf_t
        /etc/cluster(/.*)?

    cluster_var_lib_t
        /var/lib/pcsd(/.*)?
        /var/lib/cluster(/.*)?
        /var/lib/openais(/.*)?
        /var/lib/pengine(/.*)?
        /var/lib/corosync(/.*)?
        /usr/lib/heartbeat(/.*)?
        /var/lib/heartbeat(/.*)?
        /var/lib/pacemaker(/.*)?

    cluster_var_run_t
        /var/run/crm(/.*)?
        /var/run/cman_.*
        /var/run/rsctmp(/.*)?
        /var/run/aisexec.*
        /var/run/heartbeat(/.*)?
        /var/run/corosync-qnetd(/.*)?
        /var/run/corosync-qdevice(/.*)?
        /var/run/corosync.pid
        /var/run/cpglockd.pid
        /var/run/rgmanager.pid
        /var/run/cluster/rgmanager.sk

    glusterd_brick_t

    glusterd_conf_t
        /etc/glusterd(/.*)?
        /etc/glusterfs(/.*)?

    glusterd_log_t
        /var/log/glusterfs(/.*)?

    glusterd_tmpfs_t

    glusterd_var_lib_t
        /var/lib/glusterd(/.*)?

    glusterd_var_run_t
        /var/run/gluster(/.*)?
        /var/run/glusterd.*
        /var/run/glusterd.*
        /var/run/glusterd(/.*)?

    initrc_state_t

    non_security_file_type

    noxattrfs
        all files on file systems which do not support extended attributes

    root_t
        /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
        /
        /initrd

    systemd_passwd_var_run_t
        /var/run/systemd/ask-password(/.*)?
        /var/run/systemd/ask-password-block(/.*)?

    var_lib_nfs_t
        /var/lib/nfs(/.*)?

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux glusterd policy is very flexible, allowing users to set up their glusterd processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

glusterd policy stores data with multiple different file context types under the /var/run/gluster directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

    semanage fcontext -a -e /var/run/gluster /srv/gluster
    restorecon -R -v /srv/gluster

STANDARD FILE CONTEXT

SELinux defines the file context types for glusterd. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

    semanage fcontext -a -t glusterd_brick_t '/srv/myglusterd_content(/.*)?'
    restorecon -R -v /srv/myglusterd_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for glusterd:

    glusterd_brick_t

    - Set files with the glusterd_brick_t type, if you want to treat the files as glusterd brick data.

    glusterd_conf_t

    - Set files with the glusterd_conf_t type, if you want to treat the files as glusterd configuration data, usually stored under the /etc directory.

    Paths:
        /etc/glusterd(/.*)?, /etc/glusterfs(/.*)?

    glusterd_exec_t

    - Set files with the glusterd_exec_t type, if you want to transition an executable to the glusterd_t domain.

    Paths:
        /opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/libexec/glusterfs/peer_eventsapi.py,
        /usr/libexec/glusterfs/events/glustereventsd.py, /usr/sbin/glusterfsd,
        /usr/sbin/glustereventsd, /usr/sbin/gluster-eventsapi

    glusterd_initrc_exec_t

    - Set files with the glusterd_initrc_exec_t type, if you want to transition an executable to the glusterd_initrc_t domain.

    Paths:
        /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd

    glusterd_log_t

    - Set files with the glusterd_log_t type, if you want to treat the data as glusterd log data, usually stored under the /var/log directory.

    glusterd_tmp_t

    - Set files with the glusterd_tmp_t type, if you want to store glusterd temporary files in the /tmp directories.

    glusterd_tmpfs_t

    - Set files with the glusterd_tmpfs_t type, if you want to store glusterd files on a tmpfs file system.

    glusterd_var_lib_t

    - Set files with the glusterd_var_lib_t type, if you want to store the glusterd files under the /var/lib directory.

    glusterd_var_run_t

    - Set files with the glusterd_var_run_t type, if you want to store the glusterd files under the /run or /var/run directory.

    Paths:
        /var/run/gluster(/.*)?, /var/run/glusterd.*, /var/run/glusterd.*, /var/run/glusterd(/.*)?

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

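glusterd_brick_t is the one glusterd type above with no default path, so a brick directory placed under, say, /srv keeps whatever label the rest of the policy assigns it until an administrator adds a file context rule and runs restorecon as shown under STANDARD FILE CONTEXT. The script below is an added example, not the page's own code: it predicts which glusterd type a path would receive from the default rules listed on this page and, for a brick path that is not already expected to be glusterd_brick_t, prints the two labeling commands from the page. The rule table is constructed from this page's paths only and uses first-match, and gluster_add_rule only updates that table (it stands in for what `semanage fcontext -a` does to the real database); on a live host the authoritative answer is matchpathcon(8), which applies the full file_contexts database with its own precedence rules. The brick path /srv/brick1 is a constructed example.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated man page): predict the
# glusterd file type a path gets from the default rules on the page, and
# print the brick-labeling commands when a brick is not yet glusterd_brick_t.

# Constructed table of "regex type" pairs, copied from the man page. The
# entries do not overlap, so first match is enough here; the real
# file_contexts database has more entries and its own precedence rules.
GLUSTER_FCONTEXTS='/etc/glusterd(/.*)? glusterd_conf_t
/etc/glusterfs(/.*)? glusterd_conf_t
/var/log/glusterfs(/.*)? glusterd_log_t
/var/lib/glusterd(/.*)? glusterd_var_lib_t
/var/run/gluster(/.*)? glusterd_var_run_t
/var/run/glusterd(/.*)? glusterd_var_run_t
/usr/sbin/glusterfsd glusterd_exec_t
/usr/sbin/glustereventsd glusterd_exec_t
/usr/sbin/gluster-eventsapi glusterd_exec_t
/opt/glusterfs/[^/]+/sbin/glusterfsd glusterd_exec_t
/usr/sbin/glusterd glusterd_initrc_exec_t
/etc/rc.d/init.d/gluster.* glusterd_initrc_exec_t'

# Append a rule to the local table. This mirrors `semanage fcontext -a -t TYPE
# REGEX` in effect on this script only; it changes nothing on the host.
gluster_add_rule() {
    GLUSTER_FCONTEXTS="$GLUSTER_FCONTEXTS
$1 $2"
}

# Print the type of the first rule whose anchored regex matches PATH, or
# "<<none>>" when no glusterd rule applies (the path then keeps whatever the
# rest of the policy gives it; ask matchpathcon(8) on a real host).
gluster_expected_type() {
    path=$1
    result=$(printf '%s\n' "$GLUSTER_FCONTEXTS" | while read -r regex type; do
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            printf '%s\n' "$type"
            break
        fi
    done)
    printf '%s\n' "${result:-<<none>>}"
}

# Print the two commands from the man page that label BRICK as
# glusterd_brick_t, unless the table already predicts that type for it.
# Printed, not executed, so the rule can be reviewed first.
gluster_brick_label_plan() {
    brick=$1
    if [ "$(gluster_expected_type "$brick")" != "glusterd_brick_t" ]; then
        printf "semanage fcontext -a -t glusterd_brick_t '%s(/.*)?'\n" "$brick"
        printf 'restorecon -R -v %s\n' "$brick"
    fi
}

# Demo: a policy-managed path and a constructed brick path.
for p in /var/lib/glusterd/vols/vol0/info /srv/brick1/data; do
    printf '%s -> %s\n' "$p" "$(gluster_expected_type "$p")"
done
gluster_brick_label_plan /srv/brick1
```

Running the block shows /var/lib/glusterd/vols/vol0/info resolving to glusterd_var_lib_t and /srv/brick1/data to `<<none>>`, followed by the semanage fcontext and restorecon lines for /srv/brick1; after gluster_add_rule records the brick rule, the plan for that brick is empty.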
SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to files labeled public_content_rw_t, you must set the appropriate boolean.

Allow glusterd servers to read the /var/glusterd directory by adding the public_content_t file type to the directory and by restoring the file type.

    semanage fcontext -a -t public_content_t "/var/glusterd(/.*)?"
    restorecon -F -R -v /var/glusterd

Allow glusterd servers to read and write /var/glusterd/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. You also need to turn on the gluster_anon_write boolean (the boolean this page defines for glusterfsd; the template's glusterd_anon_write name does not exist).

    semanage fcontext -a -t public_content_rw_t "/var/glusterd/incoming(/.*)?"
    restorecon -F -R -v /var/glusterd/incoming
    setsebool -P gluster_anon_write 1

If you want to allow glusterfsd to modify public files used for public file transfer services (files and directories must be labeled public_content_rw_t), you must turn on the gluster_anon_write boolean.

    setsebool -P gluster_anon_write 1

COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

glusterd                             21-03-26                 glusterd_selinux(8)