1FIREWALLD.LOCKDOWN(5)    firewalld.lockdown-whitelist    FIREWALLD.LOCKDOWN(5)
2
3
4

NAME

6       firewalld.lockdown-whitelist - firewalld lockdown whitelist
7       configuration file
8

SYNOPSIS

10       /etc/firewalld/lockdown-whitelists.xml
11
12
13

DESCRIPTION

15       The firewalld lockdown-whitelist configuration file contains the
16       selinux contexts, commands, users and user ids that are white-listed
17       when firewalld lockdown feature is enabled (see firewalld.conf(5) and
18       firewall-cmd(1)).
19
20       This example configuration file shows the structure of an
21       lockdown-whitelist file:
22
23           <?xml version="1.0" encoding="utf-8"?>
24           <whitelist>
25             <selinux context="selinuxcontext"/>
26             <command name="commandline[*]"/>
27             <user {name="username|id="userid"}/>
28           </whitelist>
29
30
31

OPTIONS

33       The config can contain these tags and attributes. Some of them are
34       mandatory, others optional.
35
36   whitelist
37       The mandatory whitelist start and end tag defines the
38       lockdown-whitelist. This tag can only be used once in a
39       lockdown-whitelist configuration file. There are no attributes for
40       this.
41
42   selinux
43       Is an optional empty-element tag and can be used several times to have
44       more than one selinux contexts entries. A selinux entry has exactly one
45       attribute:
46
47       context="string"
48           The context is the security (SELinux) context of a running
49           application or service.
50
51           To get the context of a running application use ps -e --context and
52           search for the application that should be white-listed.
53
54           Warning: If the context of an application is unconfined, then this
55           will open access for more than the desired application.
56
57   command
58       Is an optional empty-element tag and can be used several times to have
59       more than one command entry. A command entry has exactly one attribute:
60
61       name="string"
62           The command string is a complete command line including path and
63           also attributes.
64
65           If a command entry ends with an asterisk '*', then all command
66           lines starting with the command will match. If the '*' is not there
67           the absolute command inclusive arguments must match.
68
69           Commands for user root and others is not always the same, the used
70           path depends on the use of the PATH environment variable.
71
72   user
73       Is an optional empty-element tag and can be used several times to
74       white-list more than one user. A user entry has exactly one attribute
75       of these:
76
77       name="string"
78           The user with the name string will be white-listed.
79
80       id="integer"
81           The user with the id userid will be white-listed.
82

SEE ALSO

84       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
85       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
86       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
87       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
88       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
89       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
90

NOTES

92       firewalld home page:
93           http://firewalld.org
94
95       More documentation with examples:
96           http://fedoraproject.org/wiki/FirewallD
97

AUTHORS

99       Thomas Woerner <twoerner@redhat.com>
100           Developer
101
102       Jiri Popelka <jpopelka@redhat.com>
103           Developer
104
105       Eric Garver <eric@garver.life>
106           Developer
107
108
109
110firewalld 0.9.3                                          FIREWALLD.LOCKDOWN(5)
Impressum