1pki_ra_selinux(8)            SELinux Policy pki_ra           pki_ra_selinux(8)
2
3
4

NAME

6       pki_ra_selinux  -  Security  Enhanced  Linux Policy for the pki_ra pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  pki_ra  processes  via  flexible
11       mandatory access control.
12
13       The  pki_ra  processes  execute with the pki_ra_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep pki_ra_t
20
21
22

ENTRYPOINTS

24       The  pki_ra_t  SELinux  type  can be entered via the pki_ra_exec_t file
25       type.
26
27       The default entrypoint paths for the pki_ra_t domain are the following:
28
29       /var/lib/pki-ra/pki-ra
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       pki_ra policy is very flexible allowing users  to  setup  their  pki_ra
39       processes in as secure a method as possible.
40
41       The following process types are defined for pki_ra:
42
43       pki_ra_t
44
45       Note:  semanage  permissive -a pki_ra_t can be used to make the process
46       type pki_ra_t permissive. SELinux does not deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least access required.   pki_ra
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run pki_ra with the tightest access possible.
55
56
57
58       If you want to allow all domains to execute in fips_mode, you must turn
59       on the fips_mode boolean. Enabled by default.
60
61       setsebool -P fips_mode 1
62
63
64

PORT TYPES

66       SELinux defines port types to represent TCP and UDP ports.
67
68       You  can  see  the  types associated with a port by using the following
69       command:
70
71       semanage port -l
72
73
74       Policy governs the access  confined  processes  have  to  these  ports.
75       SELinux  pki_ra  policy  is very flexible allowing users to setup their
76       pki_ra processes in as secure a method as possible.
77
78       The following port types are defined for pki_ra:
79
80
81       pki_ra_port_t
82
83
84
85       Default Defined Ports:
86                 tcp 12888-12889
87

MANAGED FILES

89       The SELinux process type pki_ra_t can manage  files  labeled  with  the
90       following file types.  The paths listed are the default paths for these
91       file types.  Note the processes UID still need to have DAC permissions.
92
93       cluster_conf_t
94
95            /etc/cluster(/.*)?
96
97       cluster_var_lib_t
98
99            /var/lib/pcsd(/.*)?
100            /var/lib/cluster(/.*)?
101            /var/lib/openais(/.*)?
102            /var/lib/pengine(/.*)?
103            /var/lib/corosync(/.*)?
104            /usr/lib/heartbeat(/.*)?
105            /var/lib/heartbeat(/.*)?
106            /var/lib/pacemaker(/.*)?
107
108       cluster_var_run_t
109
110            /var/run/crm(/.*)?
111            /var/run/cman_.*
112            /var/run/rsctmp(/.*)?
113            /var/run/aisexec.*
114            /var/run/heartbeat(/.*)?
115            /var/run/pcsd-ruby.socket
116            /var/run/corosync-qnetd(/.*)?
117            /var/run/corosync-qdevice(/.*)?
118            /var/run/corosync.pid
119            /var/run/cpglockd.pid
120            /var/run/rgmanager.pid
121            /var/run/cluster/rgmanager.sk
122
123       krb5_host_rcache_t
124
125            /var/tmp/krb5_0.rcache2
126            /var/cache/krb5rcache(/.*)?
127            /var/tmp/nfs_0
128            /var/tmp/DNS_25
129            /var/tmp/host_0
130            /var/tmp/imap_0
131            /var/tmp/HTTP_23
132            /var/tmp/HTTP_48
133            /var/tmp/ldap_55
134            /var/tmp/ldap_487
135            /var/tmp/ldapmap1_0
136
137       mail_spool_t
138
139            /var/mail(/.*)?
140            /var/spool/imap(/.*)?
141            /var/spool/mail(/.*)?
142            /var/spool/smtpd(/.*)?
143
144       mqueue_spool_t
145
146            /var/spool/(client)?mqueue(/.*)?
147            /var/spool/mqueue.in(/.*)?
148
149       pki_common_t
150
151            /opt/nfast(/.*)?
152
153       pki_ra_etc_rw_t
154
155            /etc/pki-ra(/.*)?
156            /etc/sysconfig/pki/ra(/.*)?
157
158       pki_ra_lock_t
159
160
161       pki_ra_log_t
162
163            /var/log/pki-ra(/.*)?
164
165       pki_ra_tmp_t
166
167
168       pki_ra_var_lib_t
169
170            /var/lib/pki-ra(/.*)?
171
172       pki_ra_var_run_t
173
174            /var/run/pki/ra(/.*)?
175
176       root_t
177
178            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
179            /
180            /initrd
181
182

FILE CONTEXTS

184       SELinux requires files to have an extended attribute to define the file
185       type.
186
187       You can see the context of a file using the -Z option to ls
188
189       Policy  governs  the  access  confined  processes  have to these files.
190       SELinux pki_ra policy is very flexible allowing users  to  setup  their
191       pki_ra processes in as secure a method as possible.
192
193       EQUIVALENCE DIRECTORIES
194
195
196       pki_ra  policy  stores  data with multiple different file context types
197       under the /var/lib/pki-ra directory.  If you would like  to  store  the
198       data  in a different directory you can use the semanage command to cre‐
199       ate an equivalence mapping.  If you wanted to store this data under the
200       /srv directory you would execute the following command:
201
202       semanage fcontext -a -e /var/lib/pki-ra /srv/pki-ra
203       restorecon -R -v /srv/pki-ra
204
205       STANDARD FILE CONTEXT
206
207       SELinux defines the file context types for the pki_ra, if you wanted to
208       store files with these types in a diffent paths, you  need  to  execute
209       the  semanage  command  to sepecify alternate labeling and then use re‐
210       storecon to put the labels on disk.
211
212       semanage fcontext -a -t pki_ra_tmp_t '/srv/mypki_ra_content(/.*)?'
213       restorecon -R -v /srv/mypki_ra_content
214
215       Note: SELinux often uses regular expressions  to  specify  labels  that
216       match multiple files.
217
218       The following file types are defined for pki_ra:
219
220
221
222       pki_ra_etc_rw_t
223
224       -  Set  files  with  the pki_ra_etc_rw_t type, if you want to treat the
225       files as pki ra etc read/write content.
226
227
228       Paths:
229            /etc/pki-ra(/.*)?, /etc/sysconfig/pki/ra(/.*)?
230
231
232       pki_ra_exec_t
233
234       - Set files with the pki_ra_exec_t type, if you want to  transition  an
235       executable to the pki_ra_t domain.
236
237
238
239       pki_ra_lock_t
240
241       - Set files with the pki_ra_lock_t type, if you want to treat the files
242       as pki ra lock data, stored under the /var/lock directory
243
244
245
246       pki_ra_log_t
247
248       - Set files with the pki_ra_log_t type, if you want to treat  the  data
249       as pki ra log data, usually stored under the /var/log directory.
250
251
252
253       pki_ra_script_exec_t
254
255       -  Set files with the pki_ra_script_exec_t type, if you want to transi‐
256       tion an executable to the pki_ra_script_t domain.
257
258
259
260       pki_ra_tmp_t
261
262       - Set files with the pki_ra_tmp_t type, if you want  to  store  pki  ra
263       temporary files in the /tmp directories.
264
265
266
267       pki_ra_tomcat_exec_t
268
269       -  Set files with the pki_ra_tomcat_exec_t type, if you want to transi‐
270       tion an executable to the pki_ra_tomcat_t domain.
271
272
273
274       pki_ra_var_lib_t
275
276       - Set files with the pki_ra_var_lib_t type, if you want  to  store  the
277       pki ra files under the /var/lib directory.
278
279
280
281       pki_ra_var_run_t
282
283       -  Set  files  with the pki_ra_var_run_t type, if you want to store the
284       pki ra files under the /run or /var/run directory.
285
286
287
288       Note: File context can be temporarily modified with the chcon  command.
289       If  you want to permanently change the file context you need to use the
290       semanage fcontext command.  This will modify the SELinux labeling data‐
291       base.  You will need to use restorecon to apply the labels.
292
293

COMMANDS

295       semanage  fcontext  can also be used to manipulate default file context
296       mappings.
297
298       semanage permissive can also be used to manipulate  whether  or  not  a
299       process type is permissive.
300
301       semanage  module can also be used to enable/disable/install/remove pol‐
302       icy modules.
303
304       semanage port can also be used to manipulate the port definitions
305
306       semanage boolean can also be used to manipulate the booleans
307
308
309       system-config-selinux is a GUI tool available to customize SELinux pol‐
310       icy settings.
311
312

AUTHOR

314       This manual page was auto-generated using sepolicy manpage .
315
316

SEE ALSO

318       selinux(8),  pki_ra(8),  semanage(8),  restorecon(8),  chcon(1), sepol‐
319       icy(8), setsebool(8)
320
321
322
323pki_ra                             21-06-09                  pki_ra_selinux(8)
Impressum