1neutron_selinux(8)          SELinux Policy neutron          neutron_selinux(8)
2
3
4

NAME

6       neutron_selinux  -  Security Enhanced Linux Policy for the neutron pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  neutron  processes  via  flexible
11       mandatory access control.
12
13       The  neutron processes execute with the neutron_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep neutron_t
20
21
22

ENTRYPOINTS

24       The  neutron_t  SELinux type can be entered via the neutron_exec_t file
25       type.
26
27       The default entrypoint paths for the neutron_t domain are  the  follow‐
28       ing:
29
30       /usr/bin/neutron-server,   /usr/bin/quantum-server,   /usr/bin/neutron-
31       l3-agent,     /usr/bin/neutron-rootwrap,     /usr/bin/quantum-l3-agent,
32       /usr/bin/neutron-ryu-agent,  /usr/bin/quantum-ryu-agent,  /usr/bin/neu‐
33       tron-dhcp-agent,  /usr/bin/quantum-dhcp-agent,  /usr/bin/neutron-lbaas-
34       agent,    /usr/bin/neutron-ovs-cleanup,   /usr/bin/quantum-ovs-cleanup,
35       /usr/bin/neutron-netns-cleanup,        /usr/bin/neutron-metadata-agent,
36       /usr/bin/neutron-linuxbridge-agent, /usr/bin/neutron-ns-metadata-proxy,
37       /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38       /usr/bin/quantum-openvswitch-agent
39

PROCESS TYPES

41       SELinux defines process types (domains) for each process running on the
42       system
43
44       You can see the context of a process using the -Z option to ps
45
46       Policy governs the access confined processes have  to  files.   SELinux
47       neutron  policy  is very flexible allowing users to setup their neutron
48       processes in as secure a method as possible.
49
50       The following process types are defined for neutron:
51
52       neutron_t
53
54       Note: semanage permissive -a neutron_t can be used to make the  process
55       type  neutron_t  permissive. SELinux does not deny access to permissive
56       process types, but the AVC (SELinux denials) messages are still  gener‐
57       ated.
58
59

BOOLEANS

61       SELinux policy is customizable based on least access required.  neutron
62       policy is extremely flexible and has several booleans that allow you to
63       manipulate  the  policy and run neutron with the tightest access possi‐
64       ble.
65
66
67
68       If you want to determine whether neutron can connect to all TCP  ports,
69       you must turn on the neutron_can_network boolean. Disabled by default.
70
71       setsebool -P neutron_can_network 1
72
73
74
75       If you want to allow all domains to execute in fips_mode, you must turn
76       on the fips_mode boolean. Enabled by default.
77
78       setsebool -P fips_mode 1
79
80
81
82       If you want to allow confined applications to run  with  kerberos,  you
83       must turn on the kerberos_enabled boolean. Enabled by default.
84
85       setsebool -P kerberos_enabled 1
86
87
88
89       If  you  want  to  allow  system  to run with NIS, you must turn on the
90       nis_enabled boolean. Disabled by default.
91
92       setsebool -P nis_enabled 1
93
94
95

PORT TYPES

97       SELinux defines port types to represent TCP and UDP ports.
98
99       You can see the types associated with a port  by  using  the  following
100       command:
101
102       semanage port -l
103
104
105       Policy  governs  the  access  confined  processes  have to these ports.
106       SELinux neutron policy is very flexible allowing users to  setup  their
107       neutron processes in as secure a method as possible.
108
109       The following port types are defined for neutron:
110
111
112       neutron_port_t
113
114
115
116       Default Defined Ports:
117                 tcp 8775,9696,9697
118

MANAGED FILES

120       The  SELinux  process  type neutron_t can manage files labeled with the
121       following file types.  The paths listed are the default paths for these
122       file types.  Note the processes UID still need to have DAC permissions.
123
124       cluster_conf_t
125
126            /etc/cluster(/.*)?
127
128       cluster_var_lib_t
129
130            /var/lib/pcsd(/.*)?
131            /var/lib/cluster(/.*)?
132            /var/lib/openais(/.*)?
133            /var/lib/pengine(/.*)?
134            /var/lib/corosync(/.*)?
135            /usr/lib/heartbeat(/.*)?
136            /var/lib/heartbeat(/.*)?
137            /var/lib/pacemaker(/.*)?
138
139       cluster_var_run_t
140
141            /var/run/crm(/.*)?
142            /var/run/cman_.*
143            /var/run/rsctmp(/.*)?
144            /var/run/aisexec.*
145            /var/run/heartbeat(/.*)?
146            /var/run/pcsd-ruby.socket
147            /var/run/corosync-qnetd(/.*)?
148            /var/run/corosync-qdevice(/.*)?
149            /var/run/corosync.pid
150            /var/run/cpglockd.pid
151            /var/run/rgmanager.pid
152            /var/run/cluster/rgmanager.sk
153
154       faillog_t
155
156            /var/log/btmp.*
157            /var/log/faillog.*
158            /var/log/tallylog.*
159            /var/run/faillock(/.*)?
160
161       ifconfig_var_run_t
162
163            /var/run/netns
164
165       initrc_var_run_t
166
167            /var/run/utmp
168            /var/run/random-seed
169            /var/run/runlevel.dir
170            /var/run/setmixer_flag
171
172       krb5_host_rcache_t
173
174            /var/tmp/krb5_0.rcache2
175            /var/cache/krb5rcache(/.*)?
176            /var/tmp/nfs_0
177            /var/tmp/DNS_25
178            /var/tmp/host_0
179            /var/tmp/imap_0
180            /var/tmp/HTTP_23
181            /var/tmp/HTTP_48
182            /var/tmp/ldap_55
183            /var/tmp/ldap_487
184            /var/tmp/ldapmap1_0
185
186       krb5_keytab_t
187
188            /var/kerberos/krb5(/.*)?
189            /etc/krb5.keytab
190            /etc/krb5kdc/kadm5.keytab
191            /var/kerberos/krb5kdc/kadm5.keytab
192
193       lastlog_t
194
195            /var/log/lastlog.*
196
197       neutron_tmp_t
198
199
200       neutron_var_lib_t
201
202            /var/lib/neutron(/.*)?
203            /var/lib/quantum(/.*)?
204
205       neutron_var_run_t
206
207            /var/run/neutron(/.*)?
208            /var/run/quantum(/.*)?
209
210       root_t
211
212            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
213            /
214            /initrd
215
216       security_t
217
218            /selinux
219
220

FILE CONTEXTS

222       SELinux requires files to have an extended attribute to define the file
223       type.
224
225       You can see the context of a file using the -Z option to ls
226
227       Policy governs the access  confined  processes  have  to  these  files.
228       SELinux  neutron  policy is very flexible allowing users to setup their
229       neutron processes in as secure a method as possible.
230
231       STANDARD FILE CONTEXT
232
233       SELinux defines the file context types for the neutron, if  you  wanted
234       to store files with these types in a diffent paths, you need to execute
235       the semanage command to specify alternate labeling  and  then  use  re‐
236       storecon to put the labels on disk.
237
238       semanage   fcontext   -a  -t  neutron_unit_file_t  '/srv/myneutron_con‐
239       tent(/.*)?'
240       restorecon -R -v /srv/myneutron_content
241
242       Note: SELinux often uses regular expressions  to  specify  labels  that
243       match multiple files.
244
245       The following file types are defined for neutron:
246
247
248
249       neutron_exec_t
250
251       -  Set files with the neutron_exec_t type, if you want to transition an
252       executable to the neutron_t domain.
253
254
255       Paths:
256            /usr/bin/neutron-server,  /usr/bin/quantum-server,   /usr/bin/neu‐
257            tron-l3-agent,     /usr/bin/neutron-rootwrap,    /usr/bin/quantum-
258            l3-agent, /usr/bin/neutron-ryu-agent,  /usr/bin/quantum-ryu-agent,
259            /usr/bin/neutron-dhcp-agent,          /usr/bin/quantum-dhcp-agent,
260            /usr/bin/neutron-lbaas-agent,        /usr/bin/neutron-ovs-cleanup,
261            /usr/bin/quantum-ovs-cleanup,      /usr/bin/neutron-netns-cleanup,
262            /usr/bin/neutron-metadata-agent,     /usr/bin/neutron-linuxbridge-
263            agent,  /usr/bin/neutron-ns-metadata-proxy, /usr/bin/neutron-open‐
264            vswitch-agent, /usr/bin/quantum-linuxbridge-agent,  /usr/bin/quan‐
265            tum-openvswitch-agent
266
267
268       neutron_initrc_exec_t
269
270       - Set files with the neutron_initrc_exec_t type, if you want to transi‐
271       tion an executable to the neutron_initrc_t domain.
272
273
274       Paths:
275            /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
276
277
278       neutron_log_t
279
280       - Set files with the neutron_log_t type, if you want to treat the  data
281       as neutron log data, usually stored under the /var/log directory.
282
283
284       Paths:
285            /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
286
287
288       neutron_tmp_t
289
290       -  Set  files with the neutron_tmp_t type, if you want to store neutron
291       temporary files in the /tmp directories.
292
293
294
295       neutron_unit_file_t
296
297       - Set files with the neutron_unit_file_t type, if you want to treat the
298       files as neutron unit content.
299
300
301       Paths:
302            /usr/lib/systemd/system/neutron.*,   /usr/lib/systemd/system/quan‐
303            tum.*
304
305
306       neutron_var_lib_t
307
308       - Set files with the neutron_var_lib_t type, if you want to  store  the
309       neutron files under the /var/lib directory.
310
311
312       Paths:
313            /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
314
315
316       neutron_var_run_t
317
318       -  Set  files with the neutron_var_run_t type, if you want to store the
319       neutron files under the /run or /var/run directory.
320
321
322       Paths:
323            /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
324
325
326       Note: File context can be temporarily modified with the chcon  command.
327       If  you want to permanently change the file context you need to use the
328       semanage fcontext command.  This will modify the SELinux labeling data‐
329       base.  You will need to use restorecon to apply the labels.
330
331

COMMANDS

333       semanage  fcontext  can also be used to manipulate default file context
334       mappings.
335
336       semanage permissive can also be used to manipulate  whether  or  not  a
337       process type is permissive.
338
339       semanage  module can also be used to enable/disable/install/remove pol‐
340       icy modules.
341
342       semanage port can also be used to manipulate the port definitions
343
344       semanage boolean can also be used to manipulate the booleans
345
346
347       system-config-selinux is a GUI tool available to customize SELinux pol‐
348       icy settings.
349
350

AUTHOR

352       This manual page was auto-generated using sepolicy manpage .
353
354

SEE ALSO

356       selinux(8),  neutron(8),  semanage(8),  restorecon(8), chcon(1), sepol‐
357       icy(8), setsebool(8)
358
359
360
361neutron                            22-05-27                 neutron_selinux(8)
Impressum