1keystone_selinux(8) SELinux Policy keystone keystone_selinux(8)
2
3
4
6 keystone_selinux - Security Enhanced Linux Policy for the keystone pro‐
7 cesses
8
10 Security-Enhanced Linux secures the keystone processes via flexible
11 mandatory access control.
12
13 The keystone processes execute with the keystone_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep keystone_t
20
21
22
24 The keystone_t SELinux type can be entered via the keystone_exec_t file
25 type.
26
27 The default entrypoint paths for the keystone_t domain are the follow‐
28 ing:
29
30 /usr/bin/keystone-all
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 keystone policy is very flexible allowing users to setup their keystone
40 processes in as secure a method as possible.
41
42 The following process types are defined for keystone:
43
44 keystone_t, keystone_cgi_script_t
45
46 Note: semanage permissive -a keystone_t can be used to make the process
47 type keystone_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. key‐
54 stone policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run keystone with the tightest access
56 possible.
57
58
59
60 If you want to allow all domains to execute in fips_mode, you must turn
61 on the fips_mode boolean. Enabled by default.
62
63 setsebool -P fips_mode 1
64
65
66
67 If you want to allow confined applications to run with kerberos, you
68 must turn on the kerberos_enabled boolean. Enabled by default.
69
70 setsebool -P kerberos_enabled 1
71
72
73
74 If you want to allow system to run with NIS, you must turn on the
75 nis_enabled boolean. Disabled by default.
76
77 setsebool -P nis_enabled 1
78
79
80
82 SELinux defines port types to represent TCP and UDP ports.
83
84 You can see the types associated with a port by using the following
85 command:
86
87 semanage port -l
88
89
90 Policy governs the access confined processes have to these ports.
91 SELinux keystone policy is very flexible allowing users to setup their
92 keystone processes in as secure a method as possible.
93
94 The following port types are defined for keystone:
95
96
97 keystone_port_t
98
99
100
101 Default Defined Ports:
102 tcp 35357
103 udp 35357
104
106 The SELinux process type keystone_t can manage files labeled with the
107 following file types. The paths listed are the default paths for these
108 file types. Note the processes UID still need to have DAC permissions.
109
110 cluster_conf_t
111
112 /etc/cluster(/.*)?
113
114 cluster_var_lib_t
115
116 /var/lib/pcsd(/.*)?
117 /var/lib/cluster(/.*)?
118 /var/lib/openais(/.*)?
119 /var/lib/pengine(/.*)?
120 /var/lib/corosync(/.*)?
121 /usr/lib/heartbeat(/.*)?
122 /var/lib/heartbeat(/.*)?
123 /var/lib/pacemaker(/.*)?
124
125 cluster_var_run_t
126
127 /var/run/crm(/.*)?
128 /var/run/cman_.*
129 /var/run/rsctmp(/.*)?
130 /var/run/aisexec.*
131 /var/run/heartbeat(/.*)?
132 /var/run/pcsd-ruby.socket
133 /var/run/corosync-qnetd(/.*)?
134 /var/run/corosync-qdevice(/.*)?
135 /var/run/corosync.pid
136 /var/run/cpglockd.pid
137 /var/run/rgmanager.pid
138 /var/run/cluster/rgmanager.sk
139
140 faillog_t
141
142 /var/log/btmp.*
143 /var/log/faillog.*
144 /var/log/tallylog.*
145 /var/run/faillock(/.*)?
146
147 keystone_tmp_t
148
149
150 keystone_var_lib_t
151
152 /var/lib/keystone(/.*)?
153
154 keystone_var_run_t
155
156 /var/run/keystone(/.*)?
157
158 krb5_host_rcache_t
159
160 /var/tmp/krb5_0.rcache2
161 /var/cache/krb5rcache(/.*)?
162 /var/tmp/nfs_0
163 /var/tmp/DNS_25
164 /var/tmp/host_0
165 /var/tmp/imap_0
166 /var/tmp/HTTP_23
167 /var/tmp/HTTP_48
168 /var/tmp/ldap_55
169 /var/tmp/ldap_487
170 /var/tmp/ldapmap1_0
171
172 lastlog_t
173
174 /var/log/lastlog.*
175
176 root_t
177
178 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
179 /
180 /initrd
181
182 security_t
183
184 /selinux
185
186
188 SELinux requires files to have an extended attribute to define the file
189 type.
190
191 You can see the context of a file using the -Z option to ls
192
193 Policy governs the access confined processes have to these files.
194 SELinux keystone policy is very flexible allowing users to setup their
195 keystone processes in as secure a method as possible.
196
197 STANDARD FILE CONTEXT
198
199 SELinux defines the file context types for the keystone, if you wanted
200 to store files with these types in a diffent paths, you need to execute
201 the semanage command to sepecify alternate labeling and then use re‐
202 storecon to put the labels on disk.
203
204 semanage fcontext -a -t keystone_cgi_ra_content_t '/srv/mykeystone_con‐
205 tent(/.*)?'
206 restorecon -R -v /srv/mykeystone_content
207
208 Note: SELinux often uses regular expressions to specify labels that
209 match multiple files.
210
211 The following file types are defined for keystone:
212
213
214
215 keystone_cgi_content_t
216
217 - Set files with the keystone_cgi_content_t type, if you want to treat
218 the files as keystone cgi content.
219
220
221
222 keystone_cgi_htaccess_t
223
224 - Set files with the keystone_cgi_htaccess_t type, if you want to treat
225 the file as a keystone cgi access file.
226
227
228
229 keystone_cgi_ra_content_t
230
231 - Set files with the keystone_cgi_ra_content_t type, if you want to
232 treat the files as keystone cgi read/append content.
233
234
235
236 keystone_cgi_rw_content_t
237
238 - Set files with the keystone_cgi_rw_content_t type, if you want to
239 treat the files as keystone cgi read/write content.
240
241
242
243 keystone_cgi_script_exec_t
244
245 - Set files with the keystone_cgi_script_exec_t type, if you want to
246 transition an executable to the keystone_cgi_script_t domain.
247
248
249
250 keystone_exec_t
251
252 - Set files with the keystone_exec_t type, if you want to transition an
253 executable to the keystone_t domain.
254
255
256
257 keystone_initrc_exec_t
258
259 - Set files with the keystone_initrc_exec_t type, if you want to tran‐
260 sition an executable to the keystone_initrc_t domain.
261
262
263
264 keystone_log_t
265
266 - Set files with the keystone_log_t type, if you want to treat the data
267 as keystone log data, usually stored under the /var/log directory.
268
269
270
271 keystone_tmp_t
272
273 - Set files with the keystone_tmp_t type, if you want to store keystone
274 temporary files in the /tmp directories.
275
276
277
278 keystone_unit_file_t
279
280 - Set files with the keystone_unit_file_t type, if you want to treat
281 the files as keystone unit content.
282
283
284
285 keystone_var_lib_t
286
287 - Set files with the keystone_var_lib_t type, if you want to store the
288 keystone files under the /var/lib directory.
289
290
291
292 keystone_var_run_t
293
294 - Set files with the keystone_var_run_t type, if you want to store the
295 keystone files under the /run or /var/run directory.
296
297
298
299 Note: File context can be temporarily modified with the chcon command.
300 If you want to permanently change the file context you need to use the
301 semanage fcontext command. This will modify the SELinux labeling data‐
302 base. You will need to use restorecon to apply the labels.
303
304
306 semanage fcontext can also be used to manipulate default file context
307 mappings.
308
309 semanage permissive can also be used to manipulate whether or not a
310 process type is permissive.
311
312 semanage module can also be used to enable/disable/install/remove pol‐
313 icy modules.
314
315 semanage port can also be used to manipulate the port definitions
316
317 semanage boolean can also be used to manipulate the booleans
318
319
320 system-config-selinux is a GUI tool available to customize SELinux pol‐
321 icy settings.
322
323
325 This manual page was auto-generated using sepolicy manpage .
326
327
329 selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1), sepol‐
330 icy(8), setsebool(8), keystone_cgi_script_selinux(8), key‐
331 stone_cgi_script_selinux(8)
332
333
334
335keystone 21-06-09 keystone_selinux(8)