1ipa_custodia_selinux(8)   SELinux Policy ipa_custodia  ipa_custodia_selinux(8)
2
3
4

NAME

6       ipa_custodia_selinux  - Security Enhanced Linux Policy for the ipa_cus‐
7       todia processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the ipa_custodia processes via flexible
11       mandatory access control.
12
13       The  ipa_custodia  processes  execute  with  the ipa_custodia_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep ipa_custodia_t
20
21
22

ENTRYPOINTS

24       The ipa_custodia_t SELinux type can be entered via the ldconfig_exec_t,
25       ipa_custodia_exec_t file types.
26
27       The default entrypoint paths for the ipa_custodia_t domain are the fol‐
28       lowing:
29
30       /sbin/sln,     /usr/sbin/sln,    /sbin/ldconfig,    /usr/sbin/ldconfig,
31       /usr/libexec/ipa/ipa-custodia
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       ipa_custodia policy is very flexible  allowing  users  to  setup  their
41       ipa_custodia processes in as secure a method as possible.
42
43       The following process types are defined for ipa_custodia:
44
45       ipa_custodia_t
46
47       Note:  semanage  permissive  -a  ipa_custodia_t can be used to make the
48       process type ipa_custodia_t permissive. SELinux does not deny access to
49       permissive  process  types,  but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       ipa_custodia policy is extremely flexible and has several booleans that
56       allow you to manipulate the policy and run ipa_custodia with the tight‐
57       est access possible.
58
59
60
61       If you want to allow all domains to execute in fips_mode, you must turn
62       on the fips_mode boolean. Enabled by default.
63
64       setsebool -P fips_mode 1
65
66
67

MANAGED FILES

69       The SELinux process type ipa_custodia_t can manage files  labeled  with
70       the  following  file types.  The paths listed are the default paths for
71       these file types.  Note the processes UID still need to have  DAC  per‐
72       missions.
73
74       cluster_conf_t
75
76            /etc/cluster(/.*)?
77
78       cluster_var_lib_t
79
80            /var/lib/pcsd(/.*)?
81            /var/lib/cluster(/.*)?
82            /var/lib/openais(/.*)?
83            /var/lib/pengine(/.*)?
84            /var/lib/corosync(/.*)?
85            /usr/lib/heartbeat(/.*)?
86            /var/lib/heartbeat(/.*)?
87            /var/lib/pacemaker(/.*)?
88
89       cluster_var_run_t
90
91            /var/run/crm(/.*)?
92            /var/run/cman_.*
93            /var/run/rsctmp(/.*)?
94            /var/run/aisexec.*
95            /var/run/heartbeat(/.*)?
96            /var/run/pcsd-ruby.socket
97            /var/run/corosync-qnetd(/.*)?
98            /var/run/corosync-qdevice(/.*)?
99            /var/run/corosync.pid
100            /var/run/cpglockd.pid
101            /var/run/rgmanager.pid
102            /var/run/cluster/rgmanager.sk
103
104       dirsrv_var_run_t
105
106            /var/run/slapd.*
107            /var/run/dirsrv(/.*)?
108
109       httpd_var_run_t
110
111            /var/run/wsgi.*
112            /var/run/mod_.*
113            /var/run/httpd.*
114            /var/run/nginx.*
115            /var/run/apache.*
116            /var/run/php-fpm(/.*)?
117            /var/run/fcgiwrap(/.*)?
118            /var/run/lighttpd(/.*)?
119            /var/lib/php/session(/.*)?
120            /var/lib/php/wsdlcache(/.*)?
121            /var/run/dirsrv/admin-serv.*
122            /var/opt/rh/rh-nginx18/run/nginx(/.*)?
123            /var/www/openshift/broker/httpd/run(/.*)?
124            /var/www/openshift/console/httpd/run(/.*)?
125            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
126            /var/run/thttpd.pid
127            /var/run/gcache_port
128            /var/run/cherokee.pid
129
130       ipa_custodia_log_t
131
132            /var/log/ipa-custodia.audit.log(/.*)?
133
134       ipa_custodia_tmp_t
135
136
137       pki_tomcat_cert_t
138
139            /var/lib/pki-ca/alias(/.*)?
140            /etc/pki/pki-tomcat/ca(/.*)?
141            /var/lib/pki-kra/alias(/.*)?
142            /var/lib/pki-tks/alias(/.*)?
143            /var/lib/pki-ocsp/alias(/.*)?
144            /etc/pki/pki-tomcat/alias(/.*)?
145            /var/lib/ipa/pki-ca/publish(/.*)?
146
147       pki_tomcat_etc_rw_t
148
149            /etc/pki-ca(/.*)?
150            /etc/pki-kra(/.*)?
151            /etc/pki-tks(/.*)?
152            /etc/pki-ocsp(/.*)?
153            /etc/pki/pki-tomcat(/.*)?
154            /etc/sysconfig/pki/tomcat(/.*)?
155
156       root_t
157
158            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
159            /
160            /initrd
161
162       systemd_passwd_var_run_t
163
164            /var/run/systemd/ask-password(/.*)?
165            /var/run/systemd/ask-password-block(/.*)?
166
167

FILE CONTEXTS

169       SELinux requires files to have an extended attribute to define the file
170       type.
171
172       You can see the context of a file using the -Z option to ls
173
174       Policy governs the access  confined  processes  have  to  these  files.
175       SELinux  ipa_custodia  policy  is very flexible allowing users to setup
176       their ipa_custodia processes in as secure a method as possible.
177
178       STANDARD FILE CONTEXT
179
180       SELinux defines the file context types for  the  ipa_custodia,  if  you
181       wanted  to store files with these types in a diffent paths, you need to
182       execute the semanage command to sepecify alternate  labeling  and  then
183       use restorecon to put the labels on disk.
184
185       semanage  fcontext  -a  -t ipa_custodia_tmp_t '/srv/myipa_custodia_con‐
186       tent(/.*)?'
187       restorecon -R -v /srv/myipa_custodia_content
188
189       Note: SELinux often uses regular expressions  to  specify  labels  that
190       match multiple files.
191
192       The following file types are defined for ipa_custodia:
193
194
195
196       ipa_custodia_dmldap_exec_t
197
198       -  Set  files  with the ipa_custodia_dmldap_exec_t type, if you want to
199       transition an executable to the ipa_custodia_dmldap_t domain.
200
201
202
203       ipa_custodia_exec_t
204
205       - Set files with the ipa_custodia_exec_t type, if you want  to  transi‐
206       tion an executable to the ipa_custodia_t domain.
207
208
209
210       ipa_custodia_log_t
211
212       -  Set files with the ipa_custodia_log_t type, if you want to treat the
213       data as ipa custodia log data, usually stored under the /var/log direc‐
214       tory.
215
216
217
218       ipa_custodia_pki_tomcat_exec_t
219
220       -  Set  files with the ipa_custodia_pki_tomcat_exec_t type, if you want
221       to transition an executable to the ipa_custodia_pki_tomcat_t domain.
222
223
224       Paths:
225            /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat,
226            /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
227
228
229       ipa_custodia_ra_agent_exec_t
230
231       -  Set files with the ipa_custodia_ra_agent_exec_t type, if you want to
232       transition an executable to the ipa_custodia_ra_agent_t domain.
233
234
235
236       ipa_custodia_tmp_t
237
238       - Set files with the ipa_custodia_tmp_t type, if you want to store  ipa
239       custodia temporary files in the /tmp directories.
240
241
242
243       Note:  File context can be temporarily modified with the chcon command.
244       If you want to permanently change the file context you need to use  the
245       semanage fcontext command.  This will modify the SELinux labeling data‐
246       base.  You will need to use restorecon to apply the labels.
247
248

COMMANDS

250       semanage fcontext can also be used to manipulate default  file  context
251       mappings.
252
253       semanage  permissive  can  also  be used to manipulate whether or not a
254       process type is permissive.
255
256       semanage module can also be used to enable/disable/install/remove  pol‐
257       icy modules.
258
259       semanage boolean can also be used to manipulate the booleans
260
261
262       system-config-selinux is a GUI tool available to customize SELinux pol‐
263       icy settings.
264
265

AUTHOR

267       This manual page was auto-generated using sepolicy manpage .
268
269

SEE ALSO

271       selinux(8), ipa_custodia(8), semanage(8), restorecon(8), chcon(1),  se‐
272       policy(8), setsebool(8)
273
274
275
276ipa_custodia                       21-06-09            ipa_custodia_selinux(8)
Impressum