pki_tomcat_selinux(8)      SELinux Policy pki_tomcat     pki_tomcat_selinux(8)




NAME

       pki_tomcat_selinux  - Security Enhanced Linux Policy for the pki_tomcat
       processes


DESCRIPTION

       Security-Enhanced Linux secures the pki_tomcat processes  via  flexible
       mandatory access control.

       The  pki_tomcat  processes  execute with the pki_tomcat_t SELinux type.
       You can check if you have these processes running by executing  the  ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep pki_tomcat_t



ENTRYPOINTS

       The  pki_tomcat_t SELinux type can be entered via the pki_tomcat_exec_t
       file type.

       The default entrypoint paths for the pki_tomcat_t domain are the
       following:

       /usr/bin/pkidaemon


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have  to  files.   SELinux
       pki_tomcat  policy  is  very  flexible  allowing  users  to setup their
       pki_tomcat processes in as secure a method as possible.

       The following process types are defined for pki_tomcat:

       pki_tomcat_t, pki_tomcat_script_t

       Note: semanage permissive -a pki_tomcat_t  can  be  used  to  make  the
       process  type  pki_tomcat_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux  denials)  messages  are
       still generated, so the domain can be left permissive while you collect
       the denials it would otherwise suffer.  Return it to enforcing with
       semanage permissive -d pki_tomcat_t once the labeling or booleans  have
       been corrected.


BOOLEANS

       SELinux   policy  is  customizable  based  on  least  access  required.
       pki_tomcat policy is extremely flexible and has the  following  booleans
       that allow you to manipulate the policy and run pki_tomcat with the
       tightest access possible.  Check their current values with getsebool
       fips_mode tomcat_use_execmem; the -P flag to setsebool makes a  change
       persistent across reboots.



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If  you  want  to  allow tomcat to use executable memory and executable
       stack, you must turn on the tomcat_use_execmem boolean. Disabled by
       default.

       setsebool -P tomcat_use_execmem 1

       Enabling this boolean grants the tomcat domains, pki_tomcat_t included,
       the execmem and execstack permissions, which removes the  W^X  guarantee
       SELinux otherwise enforces on the process.  Turn it on only after  AVC
       messages show execmem or execstack denials with a pki_tomcat_t  source
       context, not as a general fix for unrelated denials.


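       The permissive-mode note and the tomcat_use_execmem boolean are only
       useful if the AVC records a confined pki_tomcat_t actually raises are
       read carefully.  The script below is an added example, not code from
       this man page or from the pki project: it parses audit-log style AVC
       records, keeps the ones whose source type is pki_tomcat_t, and
       separates the execmem/execstack denials the boolean covers from
       denials that point at a mislabeled file instead.  The sample records
       are constructed for the example, and the regex handles only the common
       "avc: denied { perms } for ... scontext= tcontext= tclass=" shape.

```python
"""Triage SELinux AVC denials raised by the pki_tomcat_t domain.

Added example: not code from the man page or from the pki project.  It
parses audit-log style AVC records (the constructed samples below, not
captured from a real host), keeps those whose source type is pki_tomcat_t,
and separates denials that the tomcat_use_execmem boolean described on
this page would cover from denials that need a label fix or a local
policy module instead.  Only the common
'avc: denied { perms } for ... scontext=... tcontext=... tclass=...'
record shape is handled; other audit record types are skipped.
"""
import re
from collections import Counter

AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# (tclass, permission) pairs that tomcat_use_execmem toggles, per this page:
# "allow tomcat to use executable memory and executable stack".
EXECMEM_PERMS = {("process", "execmem"), ("process", "execstack")}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:type[:range]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec["permissive"] == "1"
    # key=value fields between "for" and "scontext=", quotes stripped
    rec["fields"] = dict(re.findall(r'(\w+)="?([^"\s]+)"?', rec["fields"]))
    return rec


def triage(lines, domain="pki_tomcat_t"):
    """Bucket the denials raised by `domain`.

    Returns {"boolean": Counter, "other": Counter, "permissive": n, "parsed": n};
    Counter keys are (tclass, permission) pairs.
    """
    out = {"boolean": Counter(), "other": Counter(), "permissive": 0, "parsed": 0}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied" or rec["stype"] != domain:
            continue
        out["parsed"] += 1
        if rec["permissive"]:  # logged but not enforced (semanage permissive)
            out["permissive"] += 1
        for perm in rec["perms"]:
            key = (rec["tclass"], perm)
            out["boolean" if key in EXECMEM_PERMS else "other"][key] += 1
    return out


def suggest(result):
    """Map a triage result onto the commands this man page documents."""
    advice = []
    if result["boolean"]:
        covered = ", ".join(f"{c}:{p}" for c, p in sorted(result["boolean"]))
        advice.append(f"setsebool -P tomcat_use_execmem 1   # covers {covered}")
    for (tclass, perm), n in sorted(result["other"].items()):
        advice.append(f"# {n}x {tclass}:{perm} is not covered by a pki_tomcat boolean; "
                      "check labels with ls -Z / restorecon before writing a local module")
    return advice


# Constructed sample records in audit.log format; not from a real system.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1623225600.101:217): avc:  denied  { execmem } for  pid=2104 comm="java" '
    'scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 '
    'tclass=process permissive=0',
    'type=AVC msg=audit(1623225600.102:218): avc:  denied  { execstack } for  pid=2104 comm="java" '
    'scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 '
    'tclass=process permissive=0',
    'type=AVC msg=audit(1623225601.004:219): avc:  denied  { write } for  pid=2104 comm="java" '
    'name="cert9.db" dev="dm-0" ino=131 scontext=system_u:system_r:pki_tomcat_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1623225602.000:220): avc:  denied  { read } for  pid=999 comm="httpd" '
    'name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1623225600.101:217): arch=c000003e syscall=10 success=no exit=-13',
]

if __name__ == "__main__":
    for line in suggest(triage(SAMPLE_AUDIT)):
        print(line)
```

       On a real host, feed it the output of ausearch -m AVC -ts recent
       instead of SAMPLE_AUDIT.  The third sample shows the case the boolean
       does not help with: a write to a var_lib_t file that the policy expects
       to carry pki_tomcat_var_lib_t or pki_tomcat_cert_t, which is a labeling
       problem to fix with restorecon.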

MANAGED FILES

       The SELinux process type pki_tomcat_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs DAC  permissions:
       SELinux adds a check on top of the ordinary file mode bits, it does not
       replace them.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       pki_common_t

            /opt/nfast(/.*)?

       pki_tomcat_cache_t

            (no default path is listed for this type)

       pki_tomcat_cert_t

            /var/lib/pki-ca/alias(/.*)?
            /etc/pki/pki-tomcat/ca(/.*)?
            /var/lib/pki-kra/alias(/.*)?
            /var/lib/pki-tks/alias(/.*)?
            /var/lib/pki-ocsp/alias(/.*)?
            /etc/pki/pki-tomcat/alias(/.*)?
            /var/lib/ipa/pki-ca/publish(/.*)?

       pki_tomcat_etc_rw_t

            /etc/pki-ca(/.*)?
            /etc/pki-kra(/.*)?
            /etc/pki-tks(/.*)?
            /etc/pki-ocsp(/.*)?
            /etc/pki/pki-tomcat(/.*)?
            /etc/sysconfig/pki/tomcat(/.*)?

       pki_tomcat_lock_t

            /var/lock/subsys/pkidaemon

       pki_tomcat_log_t

            /var/log/pki-ca(/.*)?
            /var/log/pki-kra(/.*)?
            /var/log/pki-tks(/.*)?
            /var/log/pki-ocsp(/.*)?
            /var/log/pki/pki-tomcat(/.*)?

       pki_tomcat_tmp_t

            (no default path is listed for this type)

       pki_tomcat_var_lib_t

            /var/lib/pki-ca(/.*)?
            /var/lib/pki-kra(/.*)?
            /var/lib/pki-tks(/.*)?
            /var/lib/pki-ocsp(/.*)?
            /var/lib/pki/pki-tomcat(/.*)?

       pki_tomcat_var_run_t

            /var/run/pki-ca.pid
            /var/run/pki-kra.pid
            /var/run/pki-tks.pid
            /var/run/pki-ocsp.pid
            /var/run/pki/tomcat(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access  confined  processes  have  to  these  files.
       SELinux  pki_tomcat  policy  is  very  flexible allowing users to setup
       their pki_tomcat processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES


       pki_tomcat policy stores data  with  multiple  different  file  context
       types  under the /var/lib/pki-ca directory.  If you would like to store
       the data in a different directory you can use the semanage  command  to
       create  an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca
       restorecon -R -v /srv/pki-ca

       An equivalence maps the whole tree, so  /srv/pki-ca  itself  receives
       pki_tomcat_var_lib_t and /srv/pki-ca/alias receives pki_tomcat_cert_t,
       exactly as the original paths would.  The same holds for the  mappings
       below.

       pki_tomcat policy stores data  with  multiple  different  file  context
       types under the /var/lib/pki-kra directory.  If you would like to store
       the data in a different directory you can use the semanage  command  to
       create  an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-kra /srv/pki-kra
       restorecon -R -v /srv/pki-kra

       pki_tomcat policy stores data  with  multiple  different  file  context
       types  under  the  /var/lib/pki-ocsp  directory.   If you would like to
       store the data in a different directory you can use the  semanage  com‐
       mand  to  create  an  equivalence mapping.  If you wanted to store this
       data under the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-ocsp /srv/pki-ocsp
       restorecon -R -v /srv/pki-ocsp

       pki_tomcat policy stores data  with  multiple  different  file  context
       types under the /var/lib/pki-tks directory.  If you would like to store
       the data in a different directory you can use the semanage  command  to
       create  an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-tks /srv/pki-tks
       restorecon -R -v /srv/pki-tks

       STANDARD FILE CONTEXT

       SELinux defines the file context types for pki_tomcat.  If you  want
       to store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t pki_tomcat_lock_t '/srv/mypki_tomcat_content(/.*)?'
       restorecon -R -v /srv/mypki_tomcat_content

       Note: SELinux often uses regular expressions  to  specify  labels  that
       match multiple files.  Quote the pattern, as above, so the shell does
       not expand it before semanage sees it.

       The following file types are defined for pki_tomcat:



       pki_tomcat_cache_t

       -  Set files with the pki_tomcat_cache_t type, if you want to store the
       files under the /var/cache directory.



       pki_tomcat_cert_t

       - Set files with the pki_tomcat_cert_t type, if you want to  treat  the
       files as pki tomcat certificate data.


       Paths:
            /var/lib/pki-ca/alias(/.*)?,         /etc/pki/pki-tomcat/ca(/.*)?,
            /var/lib/pki-kra/alias(/.*)?,        /var/lib/pki-tks/alias(/.*)?,
            /var/lib/pki-ocsp/alias(/.*)?,    /etc/pki/pki-tomcat/alias(/.*)?,
            /var/lib/ipa/pki-ca/publish(/.*)?


       pki_tomcat_etc_rw_t

       - Set files with the pki_tomcat_etc_rw_t type, if you want to treat the
       files as pki tomcat etc read/write content.


       Paths:
            /etc/pki-ca(/.*)?,     /etc/pki-kra(/.*)?,     /etc/pki-tks(/.*)?,
            /etc/pki-ocsp(/.*)?,    /etc/pki/pki-tomcat(/.*)?,
            /etc/sysconfig/pki/tomcat(/.*)?


       pki_tomcat_exec_t

       -  Set files with the pki_tomcat_exec_t type, if you want to transition
       an executable to the pki_tomcat_t domain.



       pki_tomcat_lock_t

       - Set files with the pki_tomcat_lock_t type, if you want to  treat  the
       files as pki tomcat lock data, stored under the /var/lock directory.



       pki_tomcat_log_t

       -  Set  files  with the pki_tomcat_log_t type, if you want to treat the
       data as pki tomcat log data, usually stored under the /var/log
       directory.


       Paths:
            /var/log/pki-ca(/.*)?,    /var/log/pki-kra(/.*)?,
            /var/log/pki-tks(/.*)?, /var/log/pki-ocsp(/.*)?,
            /var/log/pki/pki-tomcat(/.*)?


       pki_tomcat_tmp_t

       - Set files with the pki_tomcat_tmp_t type, if you want  to  store  pki
       tomcat temporary files in the /tmp directories.



       pki_tomcat_unit_file_t

       -  Set files with the pki_tomcat_unit_file_t type, if you want to treat
       the files as pki tomcat systemd unit content.



       pki_tomcat_var_lib_t

       - Set files with the pki_tomcat_var_lib_t type, if you  want  to  store
       the pki tomcat files under the /var/lib directory.


       Paths:
            /var/lib/pki-ca(/.*)?,    /var/lib/pki-kra(/.*)?,
            /var/lib/pki-tks(/.*)?, /var/lib/pki-ocsp(/.*)?,
            /var/lib/pki/pki-tomcat(/.*)?


       pki_tomcat_var_run_t

       - Set files with the pki_tomcat_var_run_t type, if you  want  to  store
       the pki tomcat files under the /run or /var/run directory.


       Paths:
            /var/run/pki-ca.pid,  /var/run/pki-kra.pid,  /var/run/pki-tks.pid,
            /var/run/pki-ocsp.pid, /var/run/pki/tomcat(/.*)?


       Note: File context can be temporarily modified with the chcon  command;
       such a change lasts only until the file is next relabeled by restorecon
       or a full relabel.  If you want to permanently change the file  context
       you need to use the semanage fcontext command.  This will  modify  the
       SELinux labeling database.  You will need to use restorecon  to  apply
       the labels.


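       Several of the patterns above overlap: /etc/pki/pki-tomcat/alias/cert9.db
       matches both /etc/pki/pki-tomcat(/.*)? (pki_tomcat_etc_rw_t) and
       /etc/pki/pki-tomcat/alias(/.*)? (pki_tomcat_cert_t), and a tree moved
       with an equivalence mapping matches nothing until the mapping is in
       place.  The script below is an added example, not code from this man
       page or from the pki project: it encodes the patterns from this section,
       predicts the type a path should carry, mimics the semanage fcontext -e
       and -a -t forms shown above, and flags files whose current label differs
       from the prediction.  The most-specific-match rule it applies (longest
       literal stem, later entry on a tie) approximates how fc_sort and
       libselinux order file_contexts and is an assumption of the example, as
       are the /run to /var/run equivalence and the ls -Z style sample lines,
       which are constructed.

```python
"""Predict pki_tomcat file labels and spot mislabeled paths.

Added example: not code from the man page or from the pki project.
FILE_CONTEXTS holds the path patterns listed under FILE CONTEXTS on this
page.  expected_type() picks the most specific matching entry (longest
literal stem, later entry on a tie); that rule approximates how fc_sort
and libselinux order file_contexts and is an assumption of this example,
not a re-implementation of libselinux.  add_equivalence() and
add_fcontext() mimic the two semanage fcontext forms shown on the page,
and check_labels() compares predictions with constructed "context path"
lines of the kind ls -Z prints.
"""
import re

# Directory trees from the FILE CONTEXTS section; each becomes TREE(/.*)?
_TREES = {
    "pki_tomcat_etc_rw_t": ["/etc/pki-ca", "/etc/pki-kra", "/etc/pki-tks", "/etc/pki-ocsp",
                            "/etc/pki/pki-tomcat", "/etc/sysconfig/pki/tomcat"],
    "pki_tomcat_cert_t": ["/var/lib/pki-ca/alias", "/var/lib/pki-kra/alias",
                          "/var/lib/pki-tks/alias", "/var/lib/pki-ocsp/alias",
                          "/etc/pki/pki-tomcat/ca", "/etc/pki/pki-tomcat/alias",
                          "/var/lib/ipa/pki-ca/publish"],
    "pki_tomcat_var_lib_t": ["/var/lib/pki-ca", "/var/lib/pki-kra", "/var/lib/pki-tks",
                             "/var/lib/pki-ocsp", "/var/lib/pki/pki-tomcat"],
    "pki_tomcat_log_t": ["/var/log/pki-ca", "/var/log/pki-kra", "/var/log/pki-tks",
                         "/var/log/pki-ocsp", "/var/log/pki/pki-tomcat"],
    "pki_tomcat_var_run_t": ["/var/run/pki/tomcat"],
}
FILE_CONTEXTS = [(tree + r"(/.*)?", t) for t, trees in _TREES.items() for tree in trees]
FILE_CONTEXTS += [(f"/var/run/pki-{s}.pid", "pki_tomcat_var_run_t") for s in ("ca", "kra", "tks", "ocsp")]
FILE_CONTEXTS += [("/var/lock/subsys/pkidaemon", "pki_tomcat_lock_t"),
                  ("/usr/bin/pkidaemon", "pki_tomcat_exec_t")]

# Prefix rewrites applied before matching, DST -> SRC, as `semanage fcontext
# -a -e SRC DST` does.  The /run entry stands in for the distribution's
# file_contexts.subs_dist mapping (assumed here, not taken from this page).
EQUIVALENCES = {"/run": "/var/run"}

_META = set(".^$?*+|[(\\")


def _stem(pattern):
    """Literal prefix of a pattern, up to the first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in _META:
            return pattern[:i]
    return pattern


def add_fcontext(pattern, setype):
    """Mirror `semanage fcontext -a -t SETYPE 'PATTERN'` for this table."""
    FILE_CONTEXTS.append((pattern, setype))


def add_equivalence(src, dst):
    """Mirror `semanage fcontext -a -e SRC DST`: label DST as if it were SRC."""
    EQUIVALENCES[dst.rstrip("/")] = src.rstrip("/")


def canonical(path):
    """Apply the longest matching equivalence prefix to `path`."""
    for dst in sorted(EQUIVALENCES, key=len, reverse=True):
        if path == dst or path.startswith(dst + "/"):
            return EQUIVALENCES[dst] + path[len(dst):]
    return path


def expected_type(path):
    """Type the pki_tomcat contexts assign to `path`, or None if nothing matches."""
    path = canonical(path)
    best = None
    for idx, (pattern, setype) in enumerate(FILE_CONTEXTS):
        if re.fullmatch(pattern, path):
            rank = (len(_stem(pattern)), idx)  # longest stem wins, then later entry
            if best is None or rank > best[0]:
                best = (rank, setype)
    return best[1] if best else None


def check_labels(ls_z_lines):
    """Return (path, current_type, expected_type) for every mislabeled line."""
    bad = []
    for line in ls_z_lines:
        context, path = line.split(None, 1)
        current = context.split(":")[2]  # user:role:type:range
        want = expected_type(path)
        if want is not None and want != current:
            bad.append((path, current, want))
    return bad


# Constructed `ls -Z`-style sample, not captured from a real host.
SAMPLE_LS_Z = [
    "system_u:object_r:pki_tomcat_cert_t:s0 /etc/pki/pki-tomcat/alias/cert9.db",
    "system_u:object_r:pki_tomcat_etc_rw_t:s0 /etc/pki/pki-tomcat/server.xml",
    "unconfined_u:object_r:var_lib_t:s0 /srv/pki-ca/alias/key4.db",
    "system_u:object_r:pki_tomcat_var_lib_t:s0 /var/lib/pki/pki-tomcat/conf",
    "system_u:object_r:pki_tomcat_var_run_t:s0 /run/pki-ca.pid",
    "system_u:object_r:var_t:s0 /srv/unrelated/data",
]

if __name__ == "__main__":
    add_equivalence("/var/lib/pki-ca", "/srv/pki-ca")
    for path, current, want in check_labels(SAMPLE_LS_Z):
        print(f"{path}: labeled {current}, policy expects {want}; run: restorecon -v {path}")
```

       On a real host, feed it ls -Z output for the directories you care
       about; the authoritative answer for any single path comes from the
       installed policy via matchpathcon, and a mismatch is fixed with
       restorecon -v on that path.  The third sample line is the typical
       failure after a tree is moved without an equivalence mapping: the NSS
       database keeps var_lib_t, and pki_tomcat_t cannot open it.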

COMMANDS

       semanage  fcontext  can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate  whether  or  not  a
       process type is permissive.

       semanage  module can also be used to enable/disable/install/remove pol‐
       icy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux pol‐
       icy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), pki_tomcat_script_selinux(8)



pki_tomcat                         21-06-09              pki_tomcat_selinux(8)