1FIREWALLD.LOCKDOWN(5) firewalld.lockdown-whitelist FIREWALLD.LOCKDOWN(5)
2
3
4
6 firewalld.lockdown-whitelist - firewalld lockdown whitelist
7 configuration file
8
10 /etc/firewalld/lockdown-whitelists.xml
11
12
13
15 The firewalld lockdown-whitelist configuration file contains the
16 selinux contexts, commands, users and user ids that are white-listed
17 when firewalld lockdown feature is enabled (see firewalld.conf(5) and
18 firewall-cmd(1)).
19
20 This example configuration file shows the structure of an
21 lockdown-whitelist file:
22
23 <?xml version="1.0" encoding="utf-8"?>
24 <whitelist>
25 <selinux context="selinuxcontext"/>
26 <command name="commandline[*]"/>
27 <user {name="username|id="userid"}/>
28 </whitelist>
29
30
31
33 The config can contain these tags and attributes. Some of them are
34 mandatory, others optional.
35
36 whitelist
37 The mandatory whitelist start and end tag defines the
38 lockdown-whitelist. This tag can only be used once in a
39 lockdown-whitelist configuration file. There are no attributes for
40 this.
41
42 selinux
43 Is an optional empty-element tag and can be used several times to have
44 more than one selinux contexts entries. A selinux entry has exactly one
45 attribute:
46
47 context="string"
48 The context is the security (SELinux) context of a running
49 application or service.
50
51 To get the context of a running application use ps -e --context and
52 search for the application that should be white-listed.
53
54 Warning: If the context of an application is unconfined, then this
55 will open access for more than the desired application.
56
57 command
58 Is an optional empty-element tag and can be used several times to have
59 more than one command entry. A command entry has exactly one attribute:
60
61 name="string"
62 The command string is a complete command line including path and
63 also attributes.
64
65 If a command entry ends with an asterisk '*', then all command
66 lines starting with the command will match. If the '*' is not there
67 the absolute command inclusive arguments must match.
68
69 Commands for user root and others is not always the same, the used
70 path depends on the use of the PATH environment variable.
71
72 user
73 Is an optional empty-element tag and can be used several times to
74 white-list more than one user. A user entry has exactly one attribute
75 of these:
76
77 name="string"
78 The user with the name string will be white-listed.
79
80 id="integer"
81 The user with the id userid will be white-listed.
82
84 firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
85 firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
86 firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
87 offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
88 firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
89 firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
90
92 firewalld home page:
93 http://firewalld.org
94
95 More documentation with examples:
96 http://fedoraproject.org/wiki/FirewallD
97
99 Thomas Woerner <twoerner@redhat.com>
100 Developer
101
102 Jiri Popelka <jpopelka@redhat.com>
103 Developer
104
105 Eric Garver <eric@garver.life>
106 Developer
107
108
109
110firewalld 1.0.1 FIREWALLD.LOCKDOWN(5)