abrt_selinux(8)

1abrt_selinux(8)               SELinux Policy abrt              abrt_selinux(8)
2
3
4

NAME

6       abrt_selinux - Security Enhanced Linux Policy for the abrt processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the abrt processes via flexible manda‐
10       tory access control.
11
12       The abrt processes execute with the abrt_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep abrt_t
19
20
21

ENTRYPOINTS

23       The abrt_t SELinux type can be entered via the abrt_exec_t file type.
24
25       The default entrypoint paths for the abrt_t domain are the following:
26
27       /usr/sbin/abrt-harvest.*,     /usr/sbin/abrtd,     /usr/sbin/abrt-dbus,
28       /usr/sbin/abrt-install-ccpp-hook
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       abrt  policy  is  very flexible allowing users to setup their abrt pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for abrt:
41
42       abrt_t, abrt_dump_oops_t, abrt_handle_event_t, abrt_helper_t, abrt_retrace_worker_t, abrt_retrace_coredump_t, abrt_watch_log_t, abrt_upload_watch_t
43
44       Note: semanage permissive -a abrt_t can be used  to  make  the  process
45       type  abrt_t  permissive.  SELinux  does  not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is  customizable based on least access required.  abrt
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run abrt with the tightest access possible.
54
55
56
57       If  you  want  to  determine  whether  ABRT  can  run  in the abrt_han‐
58       dle_event_t domain to handle ABRT event scripts, you must turn  on  the
59       abrt_handle_event boolean. Disabled by default.
60
61       setsebool -P abrt_handle_event 1
62
63
64
65       If you want to deny user domains applications to map a memory region as
66       both executable and writable, this  is  dangerous  and  the  executable
67       should be reported in bugzilla, you must turn on the deny_execmem bool‐
68       ean. Enabled by default.
69
70       setsebool -P deny_execmem 1
71
72
73
74       If you want to allow all domains to execute in fips_mode, you must turn
75       on the fips_mode boolean. Enabled by default.
76
77       setsebool -P fips_mode 1
78
79
80

MANAGED FILES

82       The  SELinux process type abrt_t can manage files labeled with the fol‐
83       lowing file types.  The paths listed are the default  paths  for  these
84       file types.  Note the processes UID still need to have DAC permissions.
85
86       abrt_tmp_t
87
88
89       abrt_upload_watch_tmp_t
90
91
92       abrt_var_cache_t
93
94            /var/tmp/abrt(/.*)?
95            /var/cache/abrt(/.*)?
96            /var/spool/abrt(/.*)?
97            /var/spool/debug(/.*)?
98            /var/cache/abrt-di(/.*)?
99            /var/spool/rhsm/debug(/.*)?
100
101       abrt_var_log_t
102
103            /var/log/abrt-logger.*
104
105       cluster_conf_t
106
107            /etc/cluster(/.*)?
108
109       cluster_var_lib_t
110
111            /var/lib/pcsd(/.*)?
112            /var/lib/cluster(/.*)?
113            /var/lib/openais(/.*)?
114            /var/lib/pengine(/.*)?
115            /var/lib/corosync(/.*)?
116            /usr/lib/heartbeat(/.*)?
117            /var/lib/heartbeat(/.*)?
118            /var/lib/pacemaker(/.*)?
119
120       cluster_var_run_t
121
122            /var/run/crm(/.*)?
123            /var/run/cman_.*
124            /var/run/rsctmp(/.*)?
125            /var/run/aisexec.*
126            /var/run/heartbeat(/.*)?
127            /var/run/pcsd-ruby.socket
128            /var/run/corosync-qnetd(/.*)?
129            /var/run/corosync-qdevice(/.*)?
130            /var/run/corosync.pid
131            /var/run/cpglockd.pid
132            /var/run/rgmanager.pid
133            /var/run/cluster/rgmanager.sk
134
135       kdump_crash_t
136
137            /var/crash(/.*)?
138
139       krb5_host_rcache_t
140
141            /var/tmp/krb5_0.rcache2
142            /var/cache/krb5rcache(/.*)?
143            /var/tmp/nfs_0
144            /var/tmp/DNS_25
145            /var/tmp/host_0
146            /var/tmp/imap_0
147            /var/tmp/HTTP_23
148            /var/tmp/HTTP_48
149            /var/tmp/ldap_55
150            /var/tmp/ldap_487
151            /var/tmp/ldapmap1_0
152
153       mail_home_rw_t
154
155            /root/Maildir(/.*)?
156            /root/.esmtp_queue(/.*)?
157            /var/lib/arpwatch/.esmtp_queue(/.*)?
158            /home/[^/]+/.maildir(/.*)?
159            /home/[^/]+/Maildir(/.*)?
160            /home/[^/]+/.esmtp_queue(/.*)?
161
162       rhsmcertd_var_run_t
163
164            /var/run/rhsm(/.*)?
165
166       root_t
167
168            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
169            /
170            /initrd
171
172       rpm_log_t
173
174            /var/log/dnf.log.*
175            /var/log/dnf.rpm.log.*
176            /var/log/dnf.librepo.log.*
177            /var/log/hawkey.*
178            /var/log/up2date.*
179            /var/log/yum.log.*
180
181       rpm_var_cache_t
182
183            /var/cache/dnf(/.*)?
184            /var/cache/yum(/.*)?
185            /var/spool/up2date(/.*)?
186            /var/cache/PackageKit(/.*)?
187
188       rpm_var_run_t
189
190            /var/run/yum.*
191            /var/run/PackageKit(/.*)?
192
193       sysfs_t
194
195            /sys(/.*)?
196
197

FILE CONTEXTS

199       SELinux requires files to have an extended attribute to define the file
200       type.
201
202       You can see the context of a file using the -Z option to ls
203
204       Policy governs the access  confined  processes  have  to  these  files.
205       SELinux abrt policy is very flexible allowing users to setup their abrt
206       processes in as secure a method as possible.
207
208       EQUIVALENCE DIRECTORIES
209
210
211       abrt policy stores data with multiple different file context types  un‐
212       der the /var/cache/abrt directory.  If you would like to store the data
213       in a different directory you can use the semanage command to create  an
214       equivalence  mapping.   If you wanted to store this data under the /srv
215       directory you would execute the following command:
216
217       semanage fcontext -a -e /var/cache/abrt /srv/abrt
218       restorecon -R -v /srv/abrt
219
220       abrt policy stores data with multiple different file context types  un‐
221       der  the  /var/run/abrt directory.  If you would like to store the data
222       in a different directory you can use the semanage command to create  an
223       equivalence  mapping.   If you wanted to store this data under the /srv
224       directory you would execute the following command:
225
226       semanage fcontext -a -e /var/run/abrt /srv/abrt
227       restorecon -R -v /srv/abrt
228
229       abrt policy stores data with multiple different file context types  un‐
230       der the /var/spool/abrt directory.  If you would like to store the data
231       in a different directory you can use the semanage command to create  an
232       equivalence  mapping.   If you wanted to store this data under the /srv
233       directory you would execute the following command:
234
235       semanage fcontext -a -e /var/spool/abrt /srv/abrt
236       restorecon -R -v /srv/abrt
237
238       STANDARD FILE CONTEXT
239
240       SELinux defines the file context types for the abrt, if you  wanted  to
241       store  files  with  these types in a diffent paths, you need to execute
242       the semanage command to specify alternate labeling  and  then  use  re‐
243       storecon to put the labels on disk.
244
245       semanage   fcontext  -a  -t  abrt_upload_watch_tmp_t  '/srv/myabrt_con‐
246       tent(/.*)?'
247       restorecon -R -v /srv/myabrt_content
248
249       Note: SELinux often uses regular expressions  to  specify  labels  that
250       match multiple files.
251
252       The following file types are defined for abrt:
253
254
255
256       abrt_dump_oops_exec_t
257
258       - Set files with the abrt_dump_oops_exec_t type, if you want to transi‐
259       tion an executable to the abrt_dump_oops_t domain.
260
261
262       Paths:
263            /usr/bin/abrt-dump-.*,                /usr/bin/abrt-uefioops-oops,
264            /usr/libexec/abrt-hook-ccpp
265
266
267       abrt_etc_t
268
269       -  Set  files with the abrt_etc_t type, if you want to store abrt files
270       in the /etc directories.
271
272
273
274       abrt_exec_t
275
276       - Set files with the abrt_exec_t type, if you want to transition an ex‐
277       ecutable to the abrt_t domain.
278
279
280       Paths:
281            /usr/sbin/abrt-harvest.*,   /usr/sbin/abrtd,  /usr/sbin/abrt-dbus,
282            /usr/sbin/abrt-install-ccpp-hook
283
284
285       abrt_handle_event_exec_t
286
287       - Set files with the abrt_handle_event_exec_t  type,  if  you  want  to
288       transition an executable to the abrt_handle_event_t domain.
289
290
291
292       abrt_helper_exec_t
293
294       - Set files with the abrt_helper_exec_t type, if you want to transition
295       an executable to the abrt_helper_t domain.
296
297
298
299       abrt_initrc_exec_t
300
301       - Set files with the abrt_initrc_exec_t type, if you want to transition
302       an executable to the abrt_initrc_t domain.
303
304
305
306       abrt_retrace_cache_t
307
308       -  Set  files  with the abrt_retrace_cache_t type, if you want to store
309       the files under the /var/cache directory.
310
311
312       Paths:
313            /var/cache/abrt-retrace(/.*)?, /var/cache/retrace-server(/.*)?
314
315
316       abrt_retrace_coredump_exec_t
317
318       - Set files with the abrt_retrace_coredump_exec_t type, if you want  to
319       transition an executable to the abrt_retrace_coredump_t domain.
320
321
322
323       abrt_retrace_spool_t
324
325       -  Set  files  with the abrt_retrace_spool_t type, if you want to store
326       the abrt retrace files under the /var/spool directory.
327
328
329       Paths:
330            /var/spool/faf(/.*)?,               /var/spool/abrt-retrace(/.*)?,
331            /var/spool/retrace-server(/.*)?
332
333
334       abrt_retrace_worker_exec_t
335
336       -  Set  files  with the abrt_retrace_worker_exec_t type, if you want to
337       transition an executable to the abrt_retrace_worker_t domain.
338
339
340       Paths:
341            /usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker
342
343
344       abrt_tmp_t
345
346       - Set files with the abrt_tmp_t type, if you want to store abrt  tempo‐
347       rary files in the /tmp directories.
348
349
350
351       abrt_unit_file_t
352
353       -  Set  files  with the abrt_unit_file_t type, if you want to treat the
354       files as abrt unit content.
355
356
357
358       abrt_upload_watch_exec_t
359
360       - Set files with the abrt_upload_watch_exec_t  type,  if  you  want  to
361       transition an executable to the abrt_upload_watch_t domain.
362
363
364
365       abrt_upload_watch_tmp_t
366
367       - Set files with the abrt_upload_watch_tmp_t type, if you want to store
368       abrt upload watch temporary files in the /tmp directories.
369
370
371
372       abrt_var_cache_t
373
374       - Set files with the abrt_var_cache_t type, if you want  to  store  the
375       files under the /var/cache directory.
376
377
378       Paths:
379            /var/tmp/abrt(/.*)?, /var/cache/abrt(/.*)?, /var/spool/abrt(/.*)?,
380            /var/spool/debug(/.*)?,                  /var/cache/abrt-di(/.*)?,
381            /var/spool/rhsm/debug(/.*)?
382
383
384       abrt_var_lib_t
385
386       - Set files with the abrt_var_lib_t type, if you want to store the abrt
387       files under the /var/lib directory.
388
389
390
391       abrt_var_log_t
392
393       - Set files with the abrt_var_log_t type, if you want to treat the data
394       as abrt var log data, usually stored under the /var/log directory.
395
396
397
398       abrt_var_run_t
399
400       - Set files with the abrt_var_run_t type, if you want to store the abrt
401       files under the /run or /var/run directory.
402
403
404       Paths:
405            /var/run/abrt(/.*)?, /var/run/abrtd?.lock, /var/run/abrtd?.socket,
406            /var/run/abrt.pid
407
408
409       abrt_watch_log_exec_t
410
411       - Set files with the abrt_watch_log_exec_t type, if you want to transi‐
412       tion an executable to the abrt_watch_log_t domain.
413
414
415
416       Note: File context can be temporarily modified with the chcon  command.
417       If  you want to permanently change the file context you need to use the
418       semanage fcontext command.  This will modify the SELinux labeling data‐
419       base.  You will need to use restorecon to apply the labels.
420
421

SHARING FILES

423       If  you  want to share files with multiple domains (Apache, FTP, rsync,
424       Samba), you can set a file context of public_content_t and  public_con‐
425       tent_rw_t.   These  context  allow any of the above domains to read the
426       content.  If you want a particular domain to write to  the  public_con‐
427       tent_rw_t domain, you must set the appropriate boolean.
428
429       Allow  abrt  servers to read the /var/abrt directory by adding the pub‐
430       lic_content_t file type to the directory  and  by  restoring  the  file
431       type.
432
433       semanage fcontext -a -t public_content_t "/var/abrt(/.*)?"
434       restorecon -F -R -v /var/abrt
435
436       Allow  abrt  servers to read and write /var/abrt/incoming by adding the
437       public_content_rw_t type to the directory and  by  restoring  the  file
438       type.  You also need to turn on the abrt_anon_write boolean.
439
440       semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?"
441       restorecon -F -R -v /var/abrt/incoming
442       setsebool -P abrt_anon_write 1
443
444
445       If  you  want to allow ABRT to modify public files used for public file
446       transfer services., you must turn on the abrt_anon_write boolean.
447
448       setsebool -P abrt_anon_write 1
449
450

COMMANDS

452       semanage fcontext can also be used to manipulate default  file  context
453       mappings.
454
455       semanage  permissive  can  also  be used to manipulate whether or not a
456       process type is permissive.
457
458       semanage module can also be used to enable/disable/install/remove  pol‐
459       icy modules.
460
461       semanage boolean can also be used to manipulate the booleans
462
463
464       system-config-selinux is a GUI tool available to customize SELinux pol‐
465       icy settings.
466
467

AUTHOR

469       This manual page was auto-generated using sepolicy manpage .
470
471