1shorewall_selinux(8)       SELinux Policy shorewall       shorewall_selinux(8)
2
3
4

NAME

6       shorewall_selinux  -  Security  Enhanced Linux Policy for the shorewall
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the shorewall  processes  via  flexible
11       mandatory access control.
12
13       The  shorewall processes execute with the shorewall_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep shorewall_t
20
21
22

ENTRYPOINTS

24       The  shorewall_t  SELinux type can be entered via the shorewall_exec_t,
25       shorewall_var_lib_t file types.
26
27       The default entrypoint paths for the shorewall_t domain are the follow‐
28       ing:
29
30       /sbin/shorewall6?,     /usr/sbin/shorewall6?,     /sbin/shorewall-lite,
31       /usr/sbin/shorewall-lite,   /var/lib/shorewall(/.*)?,   /var/lib/shore‐
32       wall6(/.*)?, /var/lib/shorewall-lite(/.*)?
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       shorewall  policy is very flexible allowing users to setup their shore‐
42       wall processes in as secure a method as possible.
43
44       The following process types are defined for shorewall:
45
46       shorewall_t
47
48       Note: semanage permissive -a  shorewall_t  can  be  used  to  make  the
49       process  type  shorewall_t  permissive. SELinux does not deny access to
50       permissive process types, but the AVC (SELinux  denials)  messages  are
51       still generated.
52
53

BOOLEANS

55       SELinux  policy is customizable based on least access required.  shore‐
56       wall policy is extremely flexible and has several booleans  that  allow
57       you to manipulate the policy and run shorewall with the tightest access
58       possible.
59
60
61
62       If you want to allow all domains to execute in fips_mode, you must turn
63       on the fips_mode boolean. Enabled by default.
64
65       setsebool -P fips_mode 1
66
67
68
69       If  you  want  to  allow  system  to run with NIS, you must turn on the
70       nis_enabled boolean. Disabled by default.
71
72       setsebool -P nis_enabled 1
73
74
75

MANAGED FILES

77       The SELinux process type shorewall_t can manage files labeled with  the
78       following file types.  The paths listed are the default paths for these
79       file types.  Note the processes UID still need to have DAC permissions.
80
81       cluster_conf_t
82
83            /etc/cluster(/.*)?
84
85       cluster_var_lib_t
86
87            /var/lib/pcsd(/.*)?
88            /var/lib/cluster(/.*)?
89            /var/lib/openais(/.*)?
90            /var/lib/pengine(/.*)?
91            /var/lib/corosync(/.*)?
92            /usr/lib/heartbeat(/.*)?
93            /var/lib/heartbeat(/.*)?
94            /var/lib/pacemaker(/.*)?
95
96       cluster_var_run_t
97
98            /var/run/crm(/.*)?
99            /var/run/cman_.*
100            /var/run/rsctmp(/.*)?
101            /var/run/aisexec.*
102            /var/run/heartbeat(/.*)?
103            /var/run/pcsd-ruby.socket
104            /var/run/corosync-qnetd(/.*)?
105            /var/run/corosync-qdevice(/.*)?
106            /var/run/corosync.pid
107            /var/run/cpglockd.pid
108            /var/run/rgmanager.pid
109            /var/run/cluster/rgmanager.sk
110
111       initrc_var_run_t
112
113            /var/run/utmp
114            /var/run/random-seed
115            /var/run/runlevel.dir
116            /var/run/setmixer_flag
117
118       krb5_host_rcache_t
119
120            /var/tmp/krb5_0.rcache2
121            /var/cache/krb5rcache(/.*)?
122            /var/tmp/nfs_0
123            /var/tmp/DNS_25
124            /var/tmp/host_0
125            /var/tmp/imap_0
126            /var/tmp/HTTP_23
127            /var/tmp/HTTP_48
128            /var/tmp/ldap_55
129            /var/tmp/ldap_487
130            /var/tmp/ldapmap1_0
131
132       root_t
133
134            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
135            /
136            /initrd
137
138       shorewall_lock_t
139
140            /var/lock/subsys/shorewall
141
142       shorewall_log_t
143
144            /var/log/shorewall.*
145
146       shorewall_tmp_t
147
148
149       shorewall_var_lib_t
150
151            /var/lib/shorewall(/.*)?
152            /var/lib/shorewall6(/.*)?
153            /var/lib/shorewall-lite(/.*)?
154
155

FILE CONTEXTS

157       SELinux requires files to have an extended attribute to define the file
158       type.
159
160       You can see the context of a file using the -Z option to ls
161
162       Policy  governs  the  access  confined  processes  have to these files.
163       SELinux shorewall policy is very flexible allowing users to setup their
164       shorewall processes in as secure a method as possible.
165
166       EQUIVALENCE DIRECTORIES
167
168
169       shorewall policy stores data with multiple different file context types
170       under the /var/lib/shorewall directory.  If you would like to store the
171       data  in a different directory you can use the semanage command to cre‐
172       ate an equivalence mapping.  If you wanted to store this data under the
173       /srv directory you would execute the following command:
174
175       semanage fcontext -a -e /var/lib/shorewall /srv/shorewall
176       restorecon -R -v /srv/shorewall
177
178       STANDARD FILE CONTEXT
179
180       SELinux defines the file context types for the shorewall, if you wanted
181       to store files with these types in a diffent paths, you need to execute
182       the  semanage  command  to sepecify alternate labeling and then use re‐
183       storecon to put the labels on disk.
184
185       semanage  fcontext   -a   -t   shorewall_log_t   '/srv/myshorewall_con‐
186       tent(/.*)?'
187       restorecon -R -v /srv/myshorewall_content
188
189       Note:  SELinux  often  uses  regular expressions to specify labels that
190       match multiple files.
191
192       The following file types are defined for shorewall:
193
194
195
196       shorewall_etc_t
197
198       - Set files with the shorewall_etc_t type, if you want to store  shore‐
199       wall files in the /etc directories.
200
201
202       Paths:
203            /etc/shorewall(/.*)?,    /etc/shorewall6(/.*)?,    /etc/shorewall-
204            lite(/.*)?
205
206
207       shorewall_exec_t
208
209       - Set files with the shorewall_exec_t type, if you want  to  transition
210       an executable to the shorewall_t domain.
211
212
213       Paths:
214            /sbin/shorewall6?,   /usr/sbin/shorewall6?,  /sbin/shorewall-lite,
215            /usr/sbin/shorewall-lite
216
217
218       shorewall_initrc_exec_t
219
220       - Set files with the shorewall_initrc_exec_t type, if you want to tran‐
221       sition an executable to the shorewall_initrc_t domain.
222
223
224
225       shorewall_lock_t
226
227       -  Set  files  with the shorewall_lock_t type, if you want to treat the
228       files as shorewall lock data, stored under the /var/lock directory
229
230
231
232       shorewall_log_t
233
234       - Set files with the shorewall_log_t type, if you  want  to  treat  the
235       data  as  shorewall  log data, usually stored under the /var/log direc‐
236       tory.
237
238
239
240       shorewall_tmp_t
241
242       - Set files with the shorewall_tmp_t type, if you want to store  shore‐
243       wall temporary files in the /tmp directories.
244
245
246
247       shorewall_var_lib_t
248
249       - Set files with the shorewall_var_lib_t type, if you want to store the
250       shorewall files under the /var/lib directory.
251
252
253       Paths:
254            /var/lib/shorewall(/.*)?,               /var/lib/shorewall6(/.*)?,
255            /var/lib/shorewall-lite(/.*)?
256
257
258       Note:  File context can be temporarily modified with the chcon command.
259       If you want to permanently change the file context you need to use  the
260       semanage fcontext command.  This will modify the SELinux labeling data‐
261       base.  You will need to use restorecon to apply the labels.
262
263

COMMANDS

265       semanage fcontext can also be used to manipulate default  file  context
266       mappings.
267
268       semanage  permissive  can  also  be used to manipulate whether or not a
269       process type is permissive.
270
271       semanage module can also be used to enable/disable/install/remove  pol‐
272       icy modules.
273
274       semanage boolean can also be used to manipulate the booleans
275
276
277       system-config-selinux is a GUI tool available to customize SELinux pol‐
278       icy settings.
279
280

AUTHOR

282       This manual page was auto-generated using sepolicy manpage .
283
284

SEE ALSO

286       selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1),  sepol‐
287       icy(8), setsebool(8)
288
289
290
291shorewall                          21-06-09               shorewall_selinux(8)
Impressum