icecast_selinux(8)          SELinux Policy icecast          icecast_selinux(8)

NAME

       icecast_selinux - Security Enhanced Linux Policy for the icecast
       processes

DESCRIPTION

       Security-Enhanced Linux secures the icecast processes via flexible
       mandatory access control.

       The icecast processes execute with the icecast_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep icecast_t

ENTRYPOINTS

       The icecast_t SELinux type can be entered via the icecast_exec_t file
       type.

       The default entrypoint paths for the icecast_t domain are the
       following:

       /usr/bin/icecast

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       icecast policy is very flexible, allowing users to set up their icecast
       processes in as secure a method as possible.

       The following process types are defined for icecast:

       icecast_t

       Note: semanage permissive -a icecast_t can be used to make the process
       type icecast_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. icecast
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run icecast with the tightest access
       possible.

       To allow icecast to listen on and connect to any TCP port, turn on the
       icecast_use_any_tcp_ports boolean. Disabled by default.

       setsebool -P icecast_use_any_tcp_ports 1

       To allow all domains to execute in fips_mode, turn on the fips_mode
       boolean. Enabled by default.

       setsebool -P fips_mode 1
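       The checks described under PROCESS TYPES and BOOLEANS can be combined
       into one audit. The script below is an added example, not part of the
       generated manual page: it reports icecast processes running outside
       icecast_t, the icecast_use_any_tcp_ports boolean being on, and
       icecast_t being permissive. The function names and all SAMPLE_* data
       are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate captured command output for icecast confinement gaps.
# All SAMPLE_* values are constructed for illustration, not from a real host.

SAMPLE_PS='LABEL                                PID TTY      TIME     CMD
system_u:system_r:icecast_t:s0      1201 ?        00:00:03 icecast
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4410 pts/0 00:00:00 icecast
system_u:system_r:sshd_t:s0-s0:c0.c1023 987 ?     00:00:00 sshd'
SAMPLE_BOOLS='fips_mode --> on
icecast_use_any_tcp_ports --> off'
SAMPLE_PERMISSIVE='Customized Permissive Types

icecast_t'

# stdin: `ps -eZ` output. Prints "PID CONTEXT" for every icecast process
# whose type (third context field) is not icecast_t.
icecast_outside_domain() {
    awk '$NF == "icecast" { split($1, c, ":"); if (c[3] != "icecast_t") print $2, $1 }'
}

# stdin: `getsebool -a` output ("name --> on|off"). Succeeds if $1 is on.
boolean_is_on() {
    awk -v b="$1" '$1 == b && $2 == "-->" { on = ($3 == "on") } END { exit !on }'
}

# stdin: `semanage permissive -l` output. Succeeds if icecast_t is listed.
icecast_is_permissive() {
    awk 'NF == 1 && $1 == "icecast_t" { hit = 1 } END { exit !hit }'
}

# Args: ps text, boolean text, permissive text. Prints one finding per line.
audit_icecast() {
    printf '%s\n' "$1" | icecast_outside_domain | sed 's/^/UNCONFINED /'
    if printf '%s\n' "$2" | boolean_is_on icecast_use_any_tcp_ports; then
        echo 'BOOLEAN icecast_use_any_tcp_ports is on'
    fi
    if printf '%s\n' "$3" | icecast_is_permissive; then
        echo 'PERMISSIVE icecast_t'
    fi
}

audit_icecast "$SAMPLE_PS" "$SAMPLE_BOOLS" "$SAMPLE_PERMISSIVE"
```

       On a live host, pass "$(ps -eZ)", "$(getsebool -a)" and
       "$(semanage permissive -l)" as the three arguments instead of the
       samples.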

MANAGED FILES

       The SELinux process type icecast_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       icecast_var_run_t

            /var/run/icecast(/.*)?
            /var/run/icecast.pid

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux icecast policy is very flexible, allowing users to set up their
       icecast processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       icecast policy stores data with multiple different file context types
       under the /var/run/icecast directory. If you would like to store the
       data in a different directory, you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory, you would execute the following commands:

       semanage fcontext -a -e /var/run/icecast /srv/icecast
       restorecon -R -v /srv/icecast
       STANDARD FILE CONTEXT

       SELinux defines the file context types for icecast. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t icecast_var_run_t '/srv/myicecast_content(/.*)?'
       restorecon -R -v /srv/myicecast_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
       The following file types are defined for icecast:

       icecast_exec_t

       - Set files with the icecast_exec_t type, if you want to transition an
       executable to the icecast_t domain.

       icecast_initrc_exec_t

       - Set files with the icecast_initrc_exec_t type, if you want to
       transition an executable to the icecast_initrc_t domain.

       icecast_log_t

       - Set files with the icecast_log_t type, if you want to treat the data
       as icecast log data, usually stored under the /var/log directory.

       icecast_var_run_t

       - Set files with the icecast_var_run_t type, if you want to store the
       icecast files under the /run or /var/run directory.

       Paths:
            /var/run/icecast(/.*)?, /var/run/icecast.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
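       The pattern and equivalence rules above decide which type a path
       receives before restorecon is run. The script below is an added
       example, not part of the generated manual page: it predicts the icecast
       type for a path using only the patterns and the /srv/icecast
       equivalence shown on this page. The function name and the sample paths
       are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict the icecast file type for a path from the patterns
# on this page. File-context patterns are anchored, so the whole path must
# match; grep -x reproduces that.

# Prints the type for path $1, or "no_icecast_match".
icecast_type_for() {
    path=$1
    # Equivalence from the page (semanage fcontext -a -e /var/run/icecast
    # /srv/icecast): rewrite the prefix only at a path-component boundary.
    case $path in
        /srv/icecast|/srv/icecast/*) path="/var/run/icecast${path#/srv/icecast}" ;;
    esac
    while read -r regex type; do
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            echo "$type"
            return 0
        fi
    done <<'EOF'
/var/run/icecast(/.*)? icecast_var_run_t
/var/run/icecast.pid icecast_var_run_t
/usr/bin/icecast icecast_exec_t
EOF
    echo no_icecast_match
}

# Constructed sample paths.
for p in /var/run/icecast/stats.sock /srv/icecast/stats.sock \
         /var/run/icecast2/x /srv/icecast-old/x /usr/bin/icecast; do
    printf '%-30s %s\n' "$p" "$(icecast_type_for "$p")"
done
```

       The script knows only the icecast patterns listed here; on a live
       system matchpathcon consults the full labeling database and gives the
       authoritative answer for a path.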

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), icecast(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

icecast                            22-05-27                 icecast_selinux(8)