1abrt_selinux(8) SELinux Policy abrt abrt_selinux(8)
2
3
4
6 abrt_selinux - Security Enhanced Linux Policy for the abrt processes
7
9 Security-Enhanced Linux secures the abrt processes via flexible manda‐
10 tory access control.
11
12 The abrt processes execute with the abrt_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep abrt_t
19
20
21
23 The abrt_t SELinux type can be entered via the abrt_exec_t file type.
24
25 The default entrypoint paths for the abrt_t domain are the following:
26
27 /usr/sbin/abrt-harvest.*, /usr/sbin/abrtd, /usr/sbin/abrt-dbus,
28 /usr/sbin/abrt-install-ccpp-hook
29
31 SELinux defines process types (domains) for each process running on the
32 system
33
34 You can see the context of a process using the -Z option to ps
35
36 Policy governs the access confined processes have to files. SELinux
37 abrt policy is very flexible allowing users to setup their abrt pro‐
38 cesses in as secure a method as possible.
39
40 The following process types are defined for abrt:
41
42 abrt_t, abrt_dump_oops_t, abrt_handle_event_t, abrt_helper_t, abrt_retrace_worker_t, abrt_retrace_coredump_t, abrt_watch_log_t, abrt_upload_watch_t
43
44 Note: semanage permissive -a abrt_t can be used to make the process
45 type abrt_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
49
51 SELinux policy is customizable based on least access required. abrt
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run abrt with the tightest access possible.
54
55
56
57 If you want to determine whether ABRT can run in the abrt_han‐
58 dle_event_t domain to handle ABRT event scripts, you must turn on the
59 abrt_handle_event boolean. Disabled by default.
60
61 setsebool -P abrt_handle_event 1
62
63
64
65 If you want to deny user domains applications to map a memory region as
66 both executable and writable, this is dangerous and the executable
67 should be reported in bugzilla, you must turn on the deny_execmem bool‐
68 ean. Enabled by default.
69
70 setsebool -P deny_execmem 1
71
72
73
74 If you want to allow all domains to execute in fips_mode, you must turn
75 on the fips_mode boolean. Enabled by default.
76
77 setsebool -P fips_mode 1
78
79
80
82 The SELinux process type abrt_t can manage files labeled with the fol‐
83 lowing file types. The paths listed are the default paths for these
84 file types. Note the processes UID still need to have DAC permissions.
85
86 abrt_tmp_t
87
88
89 abrt_upload_watch_tmp_t
90
91
92 abrt_var_cache_t
93
94 /var/tmp/abrt(/.*)?
95 /var/cache/abrt(/.*)?
96 /var/spool/abrt(/.*)?
97 /var/spool/debug(/.*)?
98 /var/cache/abrt-di(/.*)?
99 /var/spool/rhsm/debug(/.*)?
100
101 abrt_var_log_t
102
103 /var/log/abrt-logger.*
104
105 cluster_conf_t
106
107 /etc/cluster(/.*)?
108
109 cluster_var_lib_t
110
111 /var/lib/pcsd(/.*)?
112 /var/lib/cluster(/.*)?
113 /var/lib/openais(/.*)?
114 /var/lib/pengine(/.*)?
115 /var/lib/corosync(/.*)?
116 /usr/lib/heartbeat(/.*)?
117 /var/lib/heartbeat(/.*)?
118 /var/lib/pacemaker(/.*)?
119
120 cluster_var_run_t
121
122 /var/run/crm(/.*)?
123 /var/run/cman_.*
124 /var/run/rsctmp(/.*)?
125 /var/run/aisexec.*
126 /var/run/heartbeat(/.*)?
127 /var/run/pcsd-ruby.socket
128 /var/run/corosync-qnetd(/.*)?
129 /var/run/corosync-qdevice(/.*)?
130 /var/run/corosync.pid
131 /var/run/cpglockd.pid
132 /var/run/rgmanager.pid
133 /var/run/cluster/rgmanager.sk
134
135 kdump_crash_t
136
137 /var/crash(/.*)?
138
139 krb5_host_rcache_t
140
141 /var/tmp/krb5_0.rcache2
142 /var/cache/krb5rcache(/.*)?
143 /var/tmp/nfs_0
144 /var/tmp/DNS_25
145 /var/tmp/host_0
146 /var/tmp/imap_0
147 /var/tmp/HTTP_23
148 /var/tmp/HTTP_48
149 /var/tmp/ldap_55
150 /var/tmp/ldap_487
151 /var/tmp/ldapmap1_0
152
153 mail_home_rw_t
154
155 /root/Maildir(/.*)?
156 /root/.esmtp_queue(/.*)?
157 /var/lib/arpwatch/.esmtp_queue(/.*)?
158 /home/[^/]+/.maildir(/.*)?
159 /home/[^/]+/Maildir(/.*)?
160 /home/[^/]+/.esmtp_queue(/.*)?
161
162 rhsmcertd_var_run_t
163
164 /var/run/rhsm(/.*)?
165
166 root_t
167
168 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
169 /
170 /initrd
171
172 rpm_log_t
173
174 /var/log/dnf.log.*
175 /var/log/dnf.rpm.log.*
176 /var/log/dnf.librepo.log.*
177 /var/log/hawkey.*
178 /var/log/up2date.*
179 /var/log/yum.log.*
180
181 rpm_var_cache_t
182
183 /var/cache/dnf(/.*)?
184 /var/cache/yum(/.*)?
185 /var/spool/up2date(/.*)?
186 /var/cache/PackageKit(/.*)?
187
188 rpm_var_run_t
189
190 /var/run/yum.*
191 /var/run/PackageKit(/.*)?
192
193 sysfs_t
194
195 /sys(/.*)?
196
197
199 SELinux requires files to have an extended attribute to define the file
200 type.
201
202 You can see the context of a file using the -Z option to ls
203
204 Policy governs the access confined processes have to these files.
205 SELinux abrt policy is very flexible allowing users to setup their abrt
206 processes in as secure a method as possible.
207
208 EQUIVALENCE DIRECTORIES
209
210
211 abrt policy stores data with multiple different file context types un‐
212 der the /var/cache/abrt directory. If you would like to store the data
213 in a different directory you can use the semanage command to create an
214 equivalence mapping. If you wanted to store this data under the /srv
215 directory you would execute the following command:
216
217 semanage fcontext -a -e /var/cache/abrt /srv/abrt
218 restorecon -R -v /srv/abrt
219
220 abrt policy stores data with multiple different file context types un‐
221 der the /var/run/abrt directory. If you would like to store the data
222 in a different directory you can use the semanage command to create an
223 equivalence mapping. If you wanted to store this data under the /srv
224 directory you would execute the following command:
225
226 semanage fcontext -a -e /var/run/abrt /srv/abrt
227 restorecon -R -v /srv/abrt
228
229 abrt policy stores data with multiple different file context types un‐
230 der the /var/spool/abrt directory. If you would like to store the data
231 in a different directory you can use the semanage command to create an
232 equivalence mapping. If you wanted to store this data under the /srv
233 directory you would execute the following command:
234
235 semanage fcontext -a -e /var/spool/abrt /srv/abrt
236 restorecon -R -v /srv/abrt
237
238 STANDARD FILE CONTEXT
239
240 SELinux defines the file context types for the abrt, if you wanted to
241 store files with these types in a diffent paths, you need to execute
242 the semanage command to sepecify alternate labeling and then use re‐
243 storecon to put the labels on disk.
244
245 semanage fcontext -a -t abrt_upload_watch_tmp_t '/srv/myabrt_con‐
246 tent(/.*)?'
247 restorecon -R -v /srv/myabrt_content
248
249 Note: SELinux often uses regular expressions to specify labels that
250 match multiple files.
251
252 The following file types are defined for abrt:
253
254
255
256 abrt_dump_oops_exec_t
257
258 - Set files with the abrt_dump_oops_exec_t type, if you want to transi‐
259 tion an executable to the abrt_dump_oops_t domain.
260
261
262 Paths:
263 /usr/bin/abrt-dump-.*, /usr/bin/abrt-uefioops-oops,
264 /usr/libexec/abrt-hook-ccpp
265
266
267 abrt_etc_t
268
269 - Set files with the abrt_etc_t type, if you want to store abrt files
270 in the /etc directories.
271
272
273
274 abrt_exec_t
275
276 - Set files with the abrt_exec_t type, if you want to transition an ex‐
277 ecutable to the abrt_t domain.
278
279
280 Paths:
281 /usr/sbin/abrt-harvest.*, /usr/sbin/abrtd, /usr/sbin/abrt-dbus,
282 /usr/sbin/abrt-install-ccpp-hook
283
284
285 abrt_handle_event_exec_t
286
287 - Set files with the abrt_handle_event_exec_t type, if you want to
288 transition an executable to the abrt_handle_event_t domain.
289
290
291
292 abrt_helper_exec_t
293
294 - Set files with the abrt_helper_exec_t type, if you want to transition
295 an executable to the abrt_helper_t domain.
296
297
298
299 abrt_initrc_exec_t
300
301 - Set files with the abrt_initrc_exec_t type, if you want to transition
302 an executable to the abrt_initrc_t domain.
303
304
305
306 abrt_retrace_cache_t
307
308 - Set files with the abrt_retrace_cache_t type, if you want to store
309 the files under the /var/cache directory.
310
311
312 Paths:
313 /var/cache/abrt-retrace(/.*)?, /var/cache/retrace-server(/.*)?
314
315
316 abrt_retrace_coredump_exec_t
317
318 - Set files with the abrt_retrace_coredump_exec_t type, if you want to
319 transition an executable to the abrt_retrace_coredump_t domain.
320
321
322
323 abrt_retrace_spool_t
324
325 - Set files with the abrt_retrace_spool_t type, if you want to store
326 the abrt retrace files under the /var/spool directory.
327
328
329 Paths:
330 /var/spool/faf(/.*)?, /var/spool/abrt-retrace(/.*)?,
331 /var/spool/retrace-server(/.*)?
332
333
334 abrt_retrace_worker_exec_t
335
336 - Set files with the abrt_retrace_worker_exec_t type, if you want to
337 transition an executable to the abrt_retrace_worker_t domain.
338
339
340 Paths:
341 /usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker
342
343
344 abrt_tmp_t
345
346 - Set files with the abrt_tmp_t type, if you want to store abrt tempo‐
347 rary files in the /tmp directories.
348
349
350
351 abrt_unit_file_t
352
353 - Set files with the abrt_unit_file_t type, if you want to treat the
354 files as abrt unit content.
355
356
357
358 abrt_upload_watch_exec_t
359
360 - Set files with the abrt_upload_watch_exec_t type, if you want to
361 transition an executable to the abrt_upload_watch_t domain.
362
363
364
365 abrt_upload_watch_tmp_t
366
367 - Set files with the abrt_upload_watch_tmp_t type, if you want to store
368 abrt upload watch temporary files in the /tmp directories.
369
370
371
372 abrt_var_cache_t
373
374 - Set files with the abrt_var_cache_t type, if you want to store the
375 files under the /var/cache directory.
376
377
378 Paths:
379 /var/tmp/abrt(/.*)?, /var/cache/abrt(/.*)?, /var/spool/abrt(/.*)?,
380 /var/spool/debug(/.*)?, /var/cache/abrt-di(/.*)?,
381 /var/spool/rhsm/debug(/.*)?
382
383
384 abrt_var_lib_t
385
386 - Set files with the abrt_var_lib_t type, if you want to store the abrt
387 files under the /var/lib directory.
388
389
390
391 abrt_var_log_t
392
393 - Set files with the abrt_var_log_t type, if you want to treat the data
394 as abrt var log data, usually stored under the /var/log directory.
395
396
397
398 abrt_var_run_t
399
400 - Set files with the abrt_var_run_t type, if you want to store the abrt
401 files under the /run or /var/run directory.
402
403
404 Paths:
405 /var/run/abrt(/.*)?, /var/run/abrtd?.lock, /var/run/abrtd?.socket,
406 /var/run/abrt.pid
407
408
409 abrt_watch_log_exec_t
410
411 - Set files with the abrt_watch_log_exec_t type, if you want to transi‐
412 tion an executable to the abrt_watch_log_t domain.
413
414
415
416 Note: File context can be temporarily modified with the chcon command.
417 If you want to permanently change the file context you need to use the
418 semanage fcontext command. This will modify the SELinux labeling data‐
419 base. You will need to use restorecon to apply the labels.
420
421
423 If you want to share files with multiple domains (Apache, FTP, rsync,
424 Samba), you can set a file context of public_content_t and public_con‐
425 tent_rw_t. These context allow any of the above domains to read the
426 content. If you want a particular domain to write to the public_con‐
427 tent_rw_t domain, you must set the appropriate boolean.
428
429 Allow abrt servers to read the /var/abrt directory by adding the pub‐
430 lic_content_t file type to the directory and by restoring the file
431 type.
432
433 semanage fcontext -a -t public_content_t "/var/abrt(/.*)?"
434 restorecon -F -R -v /var/abrt
435
436 Allow abrt servers to read and write /var/abrt/incoming by adding the
437 public_content_rw_t type to the directory and by restoring the file
438 type. You also need to turn on the abrt_anon_write boolean.
439
440 semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?"
441 restorecon -F -R -v /var/abrt/incoming
442 setsebool -P abrt_anon_write 1
443
444
445 If you want to allow ABRT to modify public files used for public file
446 transfer services., you must turn on the abrt_anon_write boolean.
447
448 setsebool -P abrt_anon_write 1
449
450
452 semanage fcontext can also be used to manipulate default file context
453 mappings.
454
455 semanage permissive can also be used to manipulate whether or not a
456 process type is permissive.
457
458 semanage module can also be used to enable/disable/install/remove pol‐
459 icy modules.
460
461 semanage boolean can also be used to manipulate the booleans
462
463
464 system-config-selinux is a GUI tool available to customize SELinux pol‐
465 icy settings.
466
467
469 This manual page was auto-generated using sepolicy manpage .
470
471
473 selinux(8), abrt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
474 setsebool(8), abrt_dump_oops_selinux(8), abrt_dump_oops_selinux(8),
475 abrt_handle_event_selinux(8), abrt_handle_event_selinux(8),
476 abrt_helper_selinux(8), abrt_helper_selinux(8), abrt_retrace_core‐
477 dump_selinux(8), abrt_retrace_coredump_selinux(8), abrt_re‐
478 trace_worker_selinux(8), abrt_retrace_worker_selinux(8), abrt_up‐
479 load_watch_selinux(8), abrt_upload_watch_selinux(8),
480 abrt_watch_log_selinux(8), abrt_watch_log_selinux(8)
481
482
483
484abrt 21-06-09 abrt_selinux(8)