1dlm_controld_selinux(8) SELinux Policy dlm_controld dlm_controld_selinux(8)
2
6 dlm_controld_selinux - Security Enhanced Linux Policy for the dlm_con‐
7 trold processes
8
10 Security-Enhanced Linux secures the dlm_controld processes via flexible
11 mandatory access control.
12 The dlm_controld processes execute with the dlm_controld_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16 For example:
18 ps -eZ | grep dlm_controld_t
20
24 The dlm_controld_t SELinux type can be entered via the dlm_con‐
25 trold_exec_t file type.
26 The default entrypoint paths for the dlm_controld_t domain are the fol‐
28 lowing:
29 /usr/sbin/dlm_controld
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 dlm_controld policy is very flexible allowing users to setup their
40 dlm_controld processes in as secure a method as possible.
41 The following process types are defined for dlm_controld:
43 dlm_controld_t
45 Note: semanage permissive -a dlm_controld_t can be used to make the
47 process type dlm_controld_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
53 SELinux policy is customizable based on least access required.
54 dlm_controld policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run dlm_controld with the tight‐
56 est access possible.
57 If you want to allow cluster administrative cluster domains memcheck-
61 amd64- to use executable memory, you must turn on the cluster_use_ex‐
62 ecmem boolean. Disabled by default.
63 setsebool -P cluster_use_execmem 1
65 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70 setsebool -P fips_mode 1
72 If you want to allow system to run with NIS, you must turn on the
76 nis_enabled boolean. Disabled by default.
77 setsebool -P nis_enabled 1
79
83 The SELinux process type dlm_controld_t can manage files labeled with
84 the following file types. The paths listed are the default paths for
85 these file types. Note the processes UID still need to have DAC per‐
86 missions.
87 cluster_conf_t
89 /etc/cluster(/.*)?
91 cluster_log
93 cluster_tmpfs_t
96 cluster_var_lib_t
99 /var/lib/pcsd(/.*)?
101 /var/lib/cluster(/.*)?
102 /var/lib/openais(/.*)?
103 /var/lib/pengine(/.*)?
104 /var/lib/corosync(/.*)?
105 /usr/lib/heartbeat(/.*)?
106 /var/lib/heartbeat(/.*)?
107 /var/lib/pacemaker(/.*)?
108 cluster_var_run_t
110 /var/run/crm(/.*)?
112 /var/run/cman_.*
113 /var/run/rsctmp(/.*)?
114 /var/run/aisexec.*
115 /var/run/heartbeat(/.*)?
116 /var/run/pcsd-ruby.socket
117 /var/run/corosync-qnetd(/.*)?
118 /var/run/corosync-qdevice(/.*)?
119 /var/run/corosync.pid
120 /var/run/cpglockd.pid
121 /var/run/rgmanager.pid
122 /var/run/cluster/rgmanager.sk
123 configfs_t
125 dlm_controld_tmpfs_t
128 dlm_controld_var_run_t
131 /var/run/dlm_controld(/.*)?
133 /var/run/dlm_controld.pid
134 krb5_host_rcache_t
136 /var/tmp/krb5_0.rcache2
138 /var/cache/krb5rcache(/.*)?
139 /var/tmp/nfs_0
140 /var/tmp/DNS_25
141 /var/tmp/host_0
142 /var/tmp/imap_0
143 /var/tmp/HTTP_23
144 /var/tmp/HTTP_48
145 /var/tmp/ldap_55
146 /var/tmp/ldap_487
147 /var/tmp/ldapmap1_0
148 root_t
150 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
152 /
153 /initrd
154 sysfs_t
156 /sys(/.*)?
158
161 SELinux requires files to have an extended attribute to define the file
162 type.
163 You can see the context of a file using the -Z option to ls
165 Policy governs the access confined processes have to these files.
167 SELinux dlm_controld policy is very flexible allowing users to setup
168 their dlm_controld processes in as secure a method as possible.
169 EQUIVALENCE DIRECTORIES
171 dlm_controld policy stores data with multiple different file context
174 types under the /var/run/dlm_controld directory. If you would like to
175 store the data in a different directory you can use the semanage com‐
176 mand to create an equivalence mapping. If you wanted to store this
177 data under the /srv directory you would execute the following command:
178 semanage fcontext -a -e /var/run/dlm_controld /srv/dlm_controld
180 restorecon -R -v /srv/dlm_controld
181 STANDARD FILE CONTEXT
183 SELinux defines the file context types for the dlm_controld, if you
185 wanted to store files with these types in a diffent paths, you need to
186 execute the semanage command to specify alternate labeling and then use
187 restorecon to put the labels on disk.
188 semanage fcontext -a -t dlm_controld_var_run_t '/srv/mydlm_con‐
190 trold_content(/.*)?'
191 restorecon -R -v /srv/mydlm_controld_content
192 Note: SELinux often uses regular expressions to specify labels that
194 match multiple files.
195 The following file types are defined for dlm_controld:
197 dlm_controld_exec_t
201 - Set files with the dlm_controld_exec_t type, if you want to transi‐
203 tion an executable to the dlm_controld_t domain.
204 dlm_controld_initrc_exec_t
208 - Set files with the dlm_controld_initrc_exec_t type, if you want to
210 transition an executable to the dlm_controld_initrc_t domain.
211 dlm_controld_tmpfs_t
215 - Set files with the dlm_controld_tmpfs_t type, if you want to store
217 dlm controld files on a tmpfs file system.
218 dlm_controld_var_log_t
222 - Set files with the dlm_controld_var_log_t type, if you want to treat
224 the data as dlm controld var log data, usually stored under the
225 /var/log directory.
226 Paths:
229 /var/log/dlm_controld(/.*)?, /var/log/cluster/dlm_controld.log.*
230 dlm_controld_var_run_t
233 - Set files with the dlm_controld_var_run_t type, if you want to store
235 the dlm controld files under the /run or /var/run directory.
236 Paths:
239 /var/run/dlm_controld(/.*)?, /var/run/dlm_controld.pid
240 Note: File context can be temporarily modified with the chcon command.
243 If you want to permanently change the file context you need to use the
244 semanage fcontext command. This will modify the SELinux labeling data‐
245 base. You will need to use restorecon to apply the labels.
246
249 semanage fcontext can also be used to manipulate default file context
250 mappings.
251 semanage permissive can also be used to manipulate whether or not a
253 process type is permissive.
254 semanage module can also be used to enable/disable/install/remove pol‐
256 icy modules.
257 semanage boolean can also be used to manipulate the booleans
259 system-config-selinux is a GUI tool available to customize SELinux pol‐
262 icy settings.
263
266 This manual page was auto-generated using sepolicy manpage .
267
270 selinux(8), dlm_controld(8), semanage(8), restorecon(8), chcon(1), se‐
271 policy(8), setsebool(8)
272dlm_controld 22-05-27 dlm_controld_selinux(8)