openvswitch_selinux(8)    SELinux Policy openvswitch    openvswitch_selinux(8)


NAME

       openvswitch_selinux - Security Enhanced Linux Policy for the
       openvswitch processes


DESCRIPTION

       Security-Enhanced Linux confines the openvswitch processes via
       flexible mandatory access control.

       The openvswitch processes execute with the openvswitch_t SELinux type.
       You can check whether these processes are running, and in which
       domain, by executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep openvswitch_t




ENTRYPOINTS

       The openvswitch_t SELinux type can be entered via the
       openvswitch_exec_t file type.

       The default entrypoint paths for the openvswitch_t domain are the
       following:

       /usr/bin/ovs-vsctl, /usr/bin/ovs-appctl, /usr/sbin/ovsdb-ctl,
       /usr/sbin/ovs-vswitchd, /usr/sbin/ovsdb-server,
       /usr/share/openvswitch/scripts/ovs-ctl


PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openvswitch policy is very flexible, allowing users to set up their
       openvswitch processes in as secure a manner as possible.

       The following process types are defined for openvswitch:

       openvswitch_t

       Note: semanage permissive -a openvswitch_t can be used to make the
       process type openvswitch_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denial) messages
       are still generated, so the accesses the policy would have blocked
       can still be collected from the audit log while troubleshooting.
       Use semanage permissive -d openvswitch_t to return the domain to
       enforcing mode afterwards.


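       The two checks this section implies, confirming that the OVS daemons
       actually run in openvswitch_t and reading the AVC records that a
       permissive or enforcing domain leaves in the audit log, as an added
       Python example that is not part of this man page or of the Open
       vSwitch project. The ps -eZ and audit.log lines are constructed
       samples, not captured from a real host: the second ovs-vswitchd
       started from a root shell and the mislabeled conf.db are hypothetical
       scenarios used only to exercise the code.

```python
import re

# Constructed sample of `ps -eZ` output (not captured from a real host).
# Two copies of ovs-vswitchd: one started by the unit file and confined,
# one started by hand from a root shell and so left in the shell's
# unconfined_t domain. This is a hypothetical scenario for the example.
PS_EZ_SAMPLE = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:openvswitch_t:s0  812 ?        00:00:03 ovsdb-server
system_u:system_r:openvswitch_t:s0  845 ?        00:01:10 ovs-vswitchd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2310 pts/0 00:00:00 ovs-vswitchd
system_u:system_r:kernel_t:s0         2 ?        00:00:00 kthreadd
"""

# Constructed audit.log AVC records in the kernel's format; not real denials.
# The conf.db write is a hypothetical mislabel (a file restored with mv from
# /root keeps admin_home_t); the name_bind is logged with permissive=1, so
# it was allowed but still audited.
AVC_SAMPLE = """\
type=AVC msg=audit(1653648000.101:201): avc:  denied  { write } for  pid=845 comm="ovs-vswitchd" name="conf.db" dev="dm-0" ino=1311 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1653648000.102:202): avc:  denied  { write } for  pid=845 comm="ovs-vswitchd" name="conf.db" dev="dm-0" ino=1311 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1653648000.200:203): avc:  denied  { name_bind } for  pid=812 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1653648000.300:204): avc:  denied  { read } for  pid=1200 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

OVS_DAEMONS = {"ovs-vswitchd", "ovsdb-server"}
EXPECTED_DOMAIN = "openvswitch_t"


def parse_ps_ez(text):
    """Yield (pid, type, command) from `ps -eZ` output, skipping the header.
    The first column is the full context user:role:type:level; the type
    (domain) is its third field."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        context, pid, cmd = parts[0], int(parts[1]), parts[-1]
        yield pid, context.split(":")[2], cmd


def unconfined_ovs(text):
    """Return [(pid, command, type)] for OVS daemons running outside
    openvswitch_t; an empty list means every daemon is confined."""
    return [(pid, cmd, dom) for pid, dom, cmd in parse_ps_ez(text)
            if cmd in OVS_DAEMONS and dom != EXPECTED_DOMAIN]


AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=[^:\s]+:[^:\s]+:(?P<sdom>[^:\s]+):\S+'
    r'\s+tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+'
    r'\s+tclass=(?P<tclass>\w+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')


def summarize_avc(lines, domain=EXPECTED_DOMAIN):
    """Group AVC denials whose source domain is `domain` by
    (permission, target type, object class). Returns
    {key: (count, any_permissive)}: any_permissive is True when at least one
    grouped record carried permissive=1, i.e. the access was allowed but
    still audited, as happens after `semanage permissive -a`."""
    summary = {}
    for line in lines.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("sdom") != domain:
            continue
        key = (m.group("perms").strip(), m.group("ttype"), m.group("tclass"))
        count, perm = summary.get(key, (0, False))
        summary[key] = (count + 1, perm or m.group("permissive") == "1")
    return summary


if __name__ == "__main__":
    for pid, cmd, dom in unconfined_ovs(PS_EZ_SAMPLE):
        print(f"pid {pid} {cmd} runs as {dom}, expected {EXPECTED_DOMAIN}")
    for (perms, ttype, tclass), (n, perm) in summarize_avc(AVC_SAMPLE).items():
        mode = "permissive: allowed but audited" if perm else "enforcing: denied"
        print(f"{n}x {EXPECTED_DOMAIN} {perms} -> {ttype} ({tclass}) [{mode}]")
```

       On a real host, feed it the output of ps -eZ and the AVC lines from
       ausearch -m AVC; a daemon reported outside openvswitch_t is not
       covered by this policy at all, and a permissive=1 record is the
       access that would have been denied once the domain is enforcing
       again.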

BOOLEANS

       SELinux policy is customizable based on the least access required.
       openvswitch policy is extremely flexible and has booleans that allow
       you to manipulate the policy and run openvswitch with the tightest
       access possible. The boolean that affects the openvswitch domain is
       listed below.



       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       The -P flag makes the change persistent across reboots; getsebool
       fips_mode shows the current value.



PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openvswitch policy is very flexible, allowing users to set up
       their openvswitch processes in as secure a manner as possible.

       The following port types are defined for openvswitch:

       openvswitch_port_t

       Default Defined Ports:
                 tcp 6634

       Note: only tcp 6634 carries the openvswitch_port_t label by default.
       If you configure ovsdb-server or ovs-vswitchd to listen on another
       TCP port and see AVC denials for that port, label it with
       semanage port -a -t openvswitch_port_t -p tcp <port> (or semanage
       port -m ... if the port already has an explicit definition of a
       different type).

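       A check for the port labeling caveat above, as an added Python
       example that is not part of this man page or of the openvswitch
       policy: it parses semanage port -l output, resolves the type a port
       falls under (narrowest matching range wins, a modelling assumption
       standing in for the kernel's own lookup), and prints the semanage
       port command for any listener port not labeled openvswitch_port_t.
       The semanage port -l excerpt is constructed, and tcp 6640 is an
       assumed extra OVSDB listener port, not something the policy defines.

```python
# Constructed excerpt of `semanage port -l` output (not from a real host);
# the real listing is much longer, but the shape is the same: type, protocol,
# then a comma-separated list of single ports and lo-hi ranges.
SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
openvswitch_port_t             tcp      6634
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535
"""

# Ports this (hypothetical) deployment wants its OVS daemons to listen on:
# the policy's default 6634 plus an assumed extra OVSDB listener on 6640.
WANTED = [("tcp", 6634), ("tcp", 6640)]

OVS_PORT_TYPE = "openvswitch_port_t"


def parse_semanage_ports(text):
    """Return [(type, proto, lo, hi)] from `semanage port -l` output; a
    single port becomes a (p, p) range. The header and blank line are
    skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        ptype, proto, ports = parts
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")
            entries.append((ptype, proto, int(lo), int(hi or lo)))
    return entries


def label_for(entries, proto, port):
    """Type that (proto, port) resolves to: the narrowest matching range
    wins, which is how a single-port definition such as tcp 6634 overrides
    the wide unreserved_port_t range it also falls inside. This models the
    precedence rule rather than querying the kernel; returns None when no
    definition covers the port."""
    hits = [(hi - lo, ptype) for ptype, p, lo, hi in entries
            if p == proto and lo <= port <= hi]
    return min(hits)[1] if hits else None


def missing_labels(entries, wanted, ptype=OVS_PORT_TYPE):
    """For each (proto, port) a daemon should bind, return
    (proto, port, current_type, fix_command) when it is not labeled `ptype`.
    `semanage port -a` adds a new definition; `-m` is needed instead when
    an explicit single-port definition of another type already exists."""
    fixes = []
    for proto, port in wanted:
        current = label_for(entries, proto, port)
        if current == ptype:
            continue
        explicit = any(p == proto and lo == hi == port
                       for _, p, lo, hi in entries)
        op = "-m" if explicit else "-a"
        fixes.append((proto, port, current,
                      f"semanage port {op} -t {ptype} -p {proto} {port}"))
    return fixes


if __name__ == "__main__":
    table = parse_semanage_ports(SEMANAGE_PORT_L)
    for proto, port, current, cmd in missing_labels(table, WANTED):
        print(f"{proto}/{port} is {current or 'unlabeled'}, run: {cmd}")
```

       Run it against the real semanage port -l output and the ports from
       your ovsdb-server and ovs-vswitchd command lines; only the ports it
       reports need a semanage port change, and after applying one,
       rerunning the check should report nothing.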

MANAGED FILES

       The SELinux process type openvswitch_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs DAC
       permissions; SELinux policy is checked in addition to, not instead
       of, the ordinary permission bits.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       openvswitch_log_t

            /var/log/openvswitch(/.*)?

       openvswitch_rw_t

            /etc/openvswitch(/.*)?

       openvswitch_tmp_t


       openvswitch_var_lib_t

            /var/lib/openvswitch(/.*)?

       openvswitch_var_run_t

            /var/run/openvswitch(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       svirt_image_t


       svirt_tmp_t


       sysfs_t

            /sys(/.*)?



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openvswitch policy is very flexible, allowing users to set up
       their openvswitch processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openvswitch. If you want
       to store files with these types at different paths, you need to
       execute the semanage command to specify the alternate labeling and
       then use restorecon to put the labels on disk.

       semanage fcontext -a -t openvswitch_unit_file_t '/srv/myopenvswitch_content(/.*)?'
       restorecon -R -v /srv/myopenvswitch_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for openvswitch:

       openvswitch_exec_t

       - Set files with the openvswitch_exec_t type, if you want to
       transition an executable to the openvswitch_t domain.

       Paths:
            /usr/bin/ovs-vsctl, /usr/bin/ovs-appctl, /usr/sbin/ovsdb-ctl,
            /usr/sbin/ovs-vswitchd, /usr/sbin/ovsdb-server,
            /usr/share/openvswitch/scripts/ovs-ctl

       openvswitch_log_t

       - Set files with the openvswitch_log_t type, if you want to treat the
       data as openvswitch log data, usually stored under the /var/log
       directory.

       openvswitch_rw_t

       - Set files with the openvswitch_rw_t type, if you want to treat the
       files as openvswitch read/write content.

       openvswitch_tmp_t

       - Set files with the openvswitch_tmp_t type, if you want to store
       openvswitch temporary files in the /tmp directories.

       openvswitch_unit_file_t

       - Set files with the openvswitch_unit_file_t type, if you want to
       treat the files as openvswitch systemd unit content.

       openvswitch_var_lib_t

       - Set files with the openvswitch_var_lib_t type, if you want to store
       the openvswitch files under the /var/lib directory.

       openvswitch_var_run_t

       - Set files with the openvswitch_var_run_t type, if you want to store
       the openvswitch files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon
       command; a later restorecon (or a filesystem relabel) reverts it to
       the policy default. If you want to permanently change the file
       context you need to use the semanage fcontext command, which
       modifies the SELinux labeling database. You will then need to use
       restorecon to apply the labels.

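       How the regex-based file context entries above resolve to a type, and
       a check of on-disk labels against them, as an added Python example
       that is not from this man page or the openvswitch policy. The
       file_contexts subset (including a generic /etc entry), the ls -lZ
       output, and the /srv/ovs relocation are constructed; the selection
       rule (longest literal stem, last entry on a tie) approximates the
       ordering libselinux applies, and matchpathcon(8) remains the
       authoritative query on a real system.

```python
import re

# A subset of file_contexts entries, constructed for this example: the
# openvswitch defaults listed on this page plus a generic /etc entry so a
# stray file under /etc has somewhere to fall back to. Entries are
# (regex, type); libselinux anchors each regex to the whole path.
FILE_CONTEXTS = [
    (r"/etc(/.*)?",                 "etc_t"),
    (r"/etc/openvswitch(/.*)?",     "openvswitch_rw_t"),
    (r"/var/log/openvswitch(/.*)?", "openvswitch_log_t"),
    (r"/var/lib/openvswitch(/.*)?", "openvswitch_var_lib_t"),
    (r"/var/run/openvswitch(/.*)?", "openvswitch_var_run_t"),
    (r"/usr/sbin/ovs-vswitchd",     "openvswitch_exec_t"),
    (r"/usr/sbin/ovsdb-server",     "openvswitch_exec_t"),
]

# Constructed `ls -lZ <paths>` output (not from a real host). conf.db was
# restored with mv from /root, so it kept admin_home_t; the log file was
# created before the openvswitch policy module was loaded, so it carries
# the generic var_log_t. Both are hypothetical mislabels.
LS_LZ_SAMPLE = """\
-rw-r-----. 1 openvswitch openvswitch unconfined_u:object_r:admin_home_t:s0 9432 May 27 10:01 /etc/openvswitch/conf.db
-rw-r--r--. 1 root root system_u:object_r:openvswitch_rw_t:s0 37 May 27 09:58 /etc/openvswitch/system-id.conf
-rwxr-xr-x. 1 root root system_u:object_r:openvswitch_exec_t:s0 4194304 May 20 08:00 /usr/sbin/ovs-vswitchd
-rw-r--r--. 1 root root system_u:object_r:var_log_t:s0 1200 May 27 10:10 /var/log/openvswitch/ovs-vswitchd.log
"""


def stem(regex):
    """Literal prefix of a file_contexts regex up to its first metacharacter;
    a longer stem means a more specific entry."""
    return re.split(r"[.^$*+?()\[\]{}|\\]", regex, maxsplit=1)[0]


def expected_type(path, contexts=FILE_CONTEXTS):
    """Type `path` should carry under `contexts`. Every regex is matched
    against the whole path; among matching entries the one with the longest
    literal stem wins and, on a tie, the one defined last. This approximates
    libselinux's selection order (matchpathcon(8) is authoritative); returns
    None when nothing matches."""
    best = None
    for idx, (regex, ftype) in enumerate(contexts):
        if re.fullmatch(regex, path):
            key = (len(stem(regex)), idx)
            if best is None or key > best[0]:
                best = (key, ftype)
    return best[1] if best else None


def audit_labels(ls_output, contexts=FILE_CONTEXTS):
    """Compare on-disk types from `ls -lZ <paths>` (context is the fifth
    column, path the last) with the expected type and return
    [(path, actual, expected)] for every mismatch, roughly what
    `restorecon -n -v` would report before relabeling."""
    mismatches = []
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 10:
            continue
        actual, path = parts[4].split(":")[2], parts[-1]
        expected = expected_type(path, contexts)
        if expected and expected != actual:
            mismatches.append((path, actual, expected))
    return mismatches


def with_custom_path(contexts, regex, ftype):
    """Equivalent of `semanage fcontext -a -t <ftype> '<regex>'`: append a
    local entry, which then takes part in the same selection as the
    defaults."""
    return contexts + [(regex, ftype)]


if __name__ == "__main__":
    for path, actual, expected in audit_labels(LS_LZ_SAMPLE):
        print(f"{path}: {actual} -> should be {expected} (restorecon -v {path})")
    # Relocating the OVS database to /srv/ovs (assumed path): unlabeled
    # until the equivalent of `semanage fcontext -a` is applied.
    custom = with_custom_path(FILE_CONTEXTS, r"/srv/ovs(/.*)?", "openvswitch_rw_t")
    print("/srv/ovs/conf.db:", expected_type("/srv/ovs/conf.db"),
          "->", expected_type("/srv/ovs/conf.db", custom))
```

       The /etc example is the point of the stem rule: both /etc(/.*)? and
       /etc/openvswitch(/.*)? match conf.db, and the longer stem wins, so a
       file under /etc/openvswitch gets openvswitch_rw_t rather than the
       generic etc_t. A mismatch reported by audit_labels is fixed on a
       real host with restorecon on that path; a path outside every entry
       stays unlabeled until semanage fcontext -a adds it.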

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), openvswitch(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



openvswitch                        22-05-27             openvswitch_selinux(8)