1neutron_selinux(8) SELinux Policy neutron neutron_selinux(8)
2
3
4
6 neutron_selinux - Security Enhanced Linux Policy for the neutron pro‐
7 cesses
8
10 Security-Enhanced Linux secures the neutron processes via flexible
11 mandatory access control.
12
13 The neutron processes execute with the neutron_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep neutron_t
20
21
22
24 The neutron_t SELinux type can be entered via the neutron_exec_t file
25 type.
26
27 The default entrypoint paths for the neutron_t domain are the follow‐
28 ing:
29
30 /usr/bin/neutron-server, /usr/bin/quantum-server, /usr/bin/neutron-
31 l3-agent, /usr/bin/neutron-rootwrap, /usr/bin/quantum-l3-agent,
32 /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent, /usr/bin/neu‐
33 tron-dhcp-agent, /usr/bin/quantum-dhcp-agent, /usr/bin/neutron-lbaas-
34 agent, /usr/bin/neutron-ovs-cleanup, /usr/bin/quantum-ovs-cleanup,
35 /usr/bin/neutron-netns-cleanup, /usr/bin/neutron-metadata-agent,
36 /usr/bin/neutron-linuxbridge-agent, /usr/bin/neutron-ns-metadata-proxy,
37 /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38 /usr/bin/quantum-openvswitch-agent
39
41 SELinux defines process types (domains) for each process running on the
42 system
43
44 You can see the context of a process using the -Z option to ps
45
46 Policy governs the access confined processes have to files. SELinux
47 neutron policy is very flexible allowing users to setup their neutron
48 processes in as secure a method as possible.
49
50 The following process types are defined for neutron:
51
52 neutron_t
53
54 Note: semanage permissive -a neutron_t can be used to make the process
55 type neutron_t permissive. SELinux does not deny access to permissive
56 process types, but the AVC (SELinux denials) messages are still gener‐
57 ated.
58
59
61 SELinux policy is customizable based on least access required. neutron
62 policy is extremely flexible and has several booleans that allow you to
63 manipulate the policy and run neutron with the tightest access possi‐
64 ble.
65
66
67
68 If you want to determine whether neutron can connect to all TCP ports,
69 you must turn on the neutron_can_network boolean. Disabled by default.
70
71 setsebool -P neutron_can_network 1
72
73
74
75 If you want to allow all domains to execute in fips_mode, you must turn
76 on the fips_mode boolean. Enabled by default.
77
78 setsebool -P fips_mode 1
79
80
81
82 If you want to allow confined applications to run with kerberos, you
83 must turn on the kerberos_enabled boolean. Enabled by default.
84
85 setsebool -P kerberos_enabled 1
86
87
88
89 If you want to allow system to run with NIS, you must turn on the
90 nis_enabled boolean. Disabled by default.
91
92 setsebool -P nis_enabled 1
93
94
95
97 SELinux defines port types to represent TCP and UDP ports.
98
99 You can see the types associated with a port by using the following
100 command:
101
102 semanage port -l
103
104
105 Policy governs the access confined processes have to these ports.
106 SELinux neutron policy is very flexible allowing users to setup their
107 neutron processes in as secure a method as possible.
108
109 The following port types are defined for neutron:
110
111
112 neutron_port_t
113
114
115
116 Default Defined Ports:
117 tcp 8775,9696,9697
118
120 The SELinux process type neutron_t can manage files labeled with the
121 following file types. The paths listed are the default paths for these
122 file types. Note the processes UID still need to have DAC permissions.
123
124 cluster_conf_t
125
126 /etc/cluster(/.*)?
127
128 cluster_var_lib_t
129
130 /var/lib/pcsd(/.*)?
131 /var/lib/cluster(/.*)?
132 /var/lib/openais(/.*)?
133 /var/lib/pengine(/.*)?
134 /var/lib/corosync(/.*)?
135 /usr/lib/heartbeat(/.*)?
136 /var/lib/heartbeat(/.*)?
137 /var/lib/pacemaker(/.*)?
138
139 cluster_var_run_t
140
141 /var/run/crm(/.*)?
142 /var/run/cman_.*
143 /var/run/rsctmp(/.*)?
144 /var/run/aisexec.*
145 /var/run/heartbeat(/.*)?
146 /var/run/pcsd-ruby.socket
147 /var/run/corosync-qnetd(/.*)?
148 /var/run/corosync-qdevice(/.*)?
149 /var/run/corosync.pid
150 /var/run/cpglockd.pid
151 /var/run/rgmanager.pid
152 /var/run/cluster/rgmanager.sk
153
154 faillog_t
155
156 /var/log/btmp.*
157 /var/log/faillog.*
158 /var/log/tallylog.*
159 /var/run/faillock(/.*)?
160
161 ifconfig_var_run_t
162
163 /var/run/netns
164
165 initrc_var_run_t
166
167 /var/run/utmp
168 /var/run/random-seed
169 /var/run/runlevel.dir
170 /var/run/setmixer_flag
171
172 krb5_host_rcache_t
173
174 /var/tmp/krb5_0.rcache2
175 /var/cache/krb5rcache(/.*)?
176 /var/tmp/nfs_0
177 /var/tmp/DNS_25
178 /var/tmp/host_0
179 /var/tmp/imap_0
180 /var/tmp/HTTP_23
181 /var/tmp/HTTP_48
182 /var/tmp/ldap_55
183 /var/tmp/ldap_487
184 /var/tmp/ldapmap1_0
185
186 krb5_keytab_t
187
188 /var/kerberos/krb5(/.*)?
189 /etc/krb5.keytab
190 /etc/krb5kdc/kadm5.keytab
191 /var/kerberos/krb5kdc/kadm5.keytab
192
193 lastlog_t
194
195 /var/log/lastlog.*
196
197 neutron_tmp_t
198
199
200 neutron_var_lib_t
201
202 /var/lib/neutron(/.*)?
203 /var/lib/quantum(/.*)?
204
205 neutron_var_run_t
206
207 /var/run/neutron(/.*)?
208 /var/run/quantum(/.*)?
209
210 root_t
211
212 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
213 /
214 /initrd
215
216 security_t
217
218 /selinux
219
220
222 SELinux requires files to have an extended attribute to define the file
223 type.
224
225 You can see the context of a file using the -Z option to ls
226
227 Policy governs the access confined processes have to these files.
228 SELinux neutron policy is very flexible allowing users to setup their
229 neutron processes in as secure a method as possible.
230
231 STANDARD FILE CONTEXT
232
233 SELinux defines the file context types for the neutron, if you wanted
234 to store files with these types in a diffent paths, you need to execute
235 the semanage command to sepecify alternate labeling and then use re‐
236 storecon to put the labels on disk.
237
238 semanage fcontext -a -t neutron_unit_file_t '/srv/myneutron_con‐
239 tent(/.*)?'
240 restorecon -R -v /srv/myneutron_content
241
242 Note: SELinux often uses regular expressions to specify labels that
243 match multiple files.
244
245 The following file types are defined for neutron:
246
247
248
249 neutron_exec_t
250
251 - Set files with the neutron_exec_t type, if you want to transition an
252 executable to the neutron_t domain.
253
254
255 Paths:
256 /usr/bin/neutron-server, /usr/bin/quantum-server, /usr/bin/neu‐
257 tron-l3-agent, /usr/bin/neutron-rootwrap, /usr/bin/quantum-
258 l3-agent, /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent,
259 /usr/bin/neutron-dhcp-agent, /usr/bin/quantum-dhcp-agent,
260 /usr/bin/neutron-lbaas-agent, /usr/bin/neutron-ovs-cleanup,
261 /usr/bin/quantum-ovs-cleanup, /usr/bin/neutron-netns-cleanup,
262 /usr/bin/neutron-metadata-agent, /usr/bin/neutron-linuxbridge-
263 agent, /usr/bin/neutron-ns-metadata-proxy, /usr/bin/neutron-open‐
264 vswitch-agent, /usr/bin/quantum-linuxbridge-agent, /usr/bin/quan‐
265 tum-openvswitch-agent
266
267
268 neutron_initrc_exec_t
269
270 - Set files with the neutron_initrc_exec_t type, if you want to transi‐
271 tion an executable to the neutron_initrc_t domain.
272
273
274 Paths:
275 /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
276
277
278 neutron_log_t
279
280 - Set files with the neutron_log_t type, if you want to treat the data
281 as neutron log data, usually stored under the /var/log directory.
282
283
284 Paths:
285 /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
286
287
288 neutron_tmp_t
289
290 - Set files with the neutron_tmp_t type, if you want to store neutron
291 temporary files in the /tmp directories.
292
293
294
295 neutron_unit_file_t
296
297 - Set files with the neutron_unit_file_t type, if you want to treat the
298 files as neutron unit content.
299
300
301 Paths:
302 /usr/lib/systemd/system/neutron.*, /usr/lib/systemd/system/quan‐
303 tum.*
304
305
306 neutron_var_lib_t
307
308 - Set files with the neutron_var_lib_t type, if you want to store the
309 neutron files under the /var/lib directory.
310
311
312 Paths:
313 /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
314
315
316 neutron_var_run_t
317
318 - Set files with the neutron_var_run_t type, if you want to store the
319 neutron files under the /run or /var/run directory.
320
321
322 Paths:
323 /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
324
325
326 Note: File context can be temporarily modified with the chcon command.
327 If you want to permanently change the file context you need to use the
328 semanage fcontext command. This will modify the SELinux labeling data‐
329 base. You will need to use restorecon to apply the labels.
330
331
333 semanage fcontext can also be used to manipulate default file context
334 mappings.
335
336 semanage permissive can also be used to manipulate whether or not a
337 process type is permissive.
338
339 semanage module can also be used to enable/disable/install/remove pol‐
340 icy modules.
341
342 semanage port can also be used to manipulate the port definitions
343
344 semanage boolean can also be used to manipulate the booleans
345
346
347 system-config-selinux is a GUI tool available to customize SELinux pol‐
348 icy settings.
349
350
352 This manual page was auto-generated using sepolicy manpage .
353
354
356 selinux(8), neutron(8), semanage(8), restorecon(8), chcon(1), sepol‐
357 icy(8), setsebool(8)
358
359
360
361neutron 21-06-09 neutron_selinux(8)