pki_tomcat_selinux(8)      SELinux Policy pki_tomcat     pki_tomcat_selinux(8)


NAME

       pki_tomcat_selinux - Security Enhanced Linux Policy for the pki_tomcat
       processes


DESCRIPTION

       Security-Enhanced Linux secures the pki_tomcat processes via flexible
       mandatory access control.

       The pki_tomcat processes execute with the pki_tomcat_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep pki_tomcat_t


ENTRYPOINTS

       The pki_tomcat_t SELinux type can be entered via the pki_tomcat_exec_t
       file type.

       The default entrypoint paths for the pki_tomcat_t domain are the
       following:

       /usr/bin/pkidaemon


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files.  SELinux
       pki_tomcat policy is very flexible, allowing users to set up their
       pki_tomcat processes in as secure a manner as possible.

       The following process types are defined for pki_tomcat:

       pki_tomcat_t, pki_tomcat_script_t

       Note: semanage permissive -a pki_tomcat_t can be used to make the
       process type pki_tomcat_t permissive.  SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.

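       To act on those AVC messages, the following added example (not part of
       the sepolicy-generated page) summarises audit log records for the
       pki_tomcat_t domain.  It keeps only denials whose source context type is
       pki_tomcat_t, prints the denied permission, the target class, the target
       type and the permissive flag, and runs here on constructed sample records
       written to a temporary file; the function and file names are this
       example's own.

```shell
#!/bin/sh
# Added example: summarise AVC denials for the pki_tomcat_t domain.
# Prints one line per matching record:
#     <permission> <tclass> <target type> permissive=<0|1>
# permissive=1 means the domain was permissive, so the access went ahead and
# was only logged.  Usage: pki_tomcat_avc_summary /var/log/audit/audit.log
pki_tomcat_avc_summary() {
    awk '
        # keep AVC denials whose source type (third field of scontext) is pki_tomcat_t
        /^type=AVC/ && /denied/ && /scontext=[^ ]*:pki_tomcat_t:/ {
            perm = ""; tclass = ""; ttype = ""; permissive = "0"
            # the denied permission list sits between braces: "denied  { write }"
            s = index($0, "{"); e = index($0, "}")
            if (s > 0 && e > s) perm = substr($0, s + 1, e - s - 1)
            sub(/^ +/, "", perm); sub(/ +$/, "", perm)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "tclass") tclass = kv[2]
                else if (kv[1] == "permissive") permissive = kv[2]
                else if (kv[1] == "tcontext") { split(kv[2], ctx, ":"); ttype = ctx[3] }
            }
            printf "%s %s %s permissive=%s\n", perm, tclass, ttype, permissive
        }
    ' "$@"
}

# Constructed sample records (not real log data) in audit.log format: one denial
# from pki_tomcat_t in enforcing mode, one from another domain (ignored) and one
# execmem denial recorded while pki_tomcat_t was permissive.
write_sample_avc_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="java" name="hsperfdata_root" dev="tmpfs" ino=77 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.200:457): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.500:458): avc:  denied  { execmem } for  pid=1234 comm="java" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process permissive=1
EOF
}

# stand-alone run: write the sample, summarise it, clean up
sample=$(mktemp)
write_sample_avc_log "$sample"
pki_tomcat_avc_summary "$sample"
rm -f "$sample"
```

       The execmem line in the sample is the kind of denial the
       tomcat_use_execmem boolean below is meant for; seeing it with
       permissive=1 tells you the access already happened and will be denied
       once the domain is enforcing again.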

BOOLEANS

       SELinux policy is customizable based on least access required.
       pki_tomcat policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run pki_tomcat with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean.  Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow tomcat to use executable memory and executable
       stack, you must turn on the tomcat_use_execmem boolean.  Disabled by
       default.

       setsebool -P tomcat_use_execmem 1

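       As an added example (not part of the sepolicy-generated page), the
       following check compares the two booleans documented above against the
       defaults the policy ships with, reading getsebool(8)-style output from a
       file so it can be run on a saved snapshot.  The function names and the
       sample snapshots are this example's own.

```shell
#!/bin/sh
# Added example: compare the two booleans this page documents against the
# values the policy ships with.  Input is getsebool(8)-style output
# ("name --> on|off"), read from a file:
#     getsebool -a > booleans.txt && check_pki_tomcat_booleans booleans.txt
# Returns 0 when both booleans are at their shipped defaults, 1 otherwise,
# printing one deviation per line together with the setsebool command that
# restores the tighter default.
check_pki_tomcat_booleans() {
    awk '
        BEGIN {
            want["fips_mode"] = "on"            # enabled by default
            want["tomcat_use_execmem"] = "off"  # disabled by default: allows writable+executable memory and stack
            bad = 0
        }
        ($1 in want) && $2 == "-->" {
            seen[$1] = 1
            if ($3 != want[$1]) {
                printf "%s is %s, expected %s; fix: setsebool -P %s %s\n", $1, $3, want[$1], $1, want[$1]
                bad = 1
            }
        }
        END {
            for (b in want) if (!(b in seen)) { printf "%s not present in input\n", b; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample snapshots (not captured from a real host).
write_sample_booleans() {   # $1 = file, $2 = "loose" or "tight"
    if [ "$2" = loose ]; then
        cat > "$1" <<'EOF'
fips_mode --> on
httpd_can_network_connect --> off
tomcat_use_execmem --> on
EOF
    else
        cat > "$1" <<'EOF'
fips_mode --> on
httpd_can_network_connect --> off
tomcat_use_execmem --> off
EOF
    fi
}

# stand-alone run against the loose snapshot
snap=$(mktemp)
write_sample_booleans "$snap" loose
check_pki_tomcat_booleans "$snap" || echo "booleans deviate from the shipped defaults (exit $?)"
rm -f "$snap"
```

       The check is deliberately strict about tomcat_use_execmem: enabling it
       removes the policy's refusal of writable-and-executable mappings for the
       whole domain, so it should stay off unless a specific denial shows the
       application cannot run without it.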

MANAGED FILES

       The SELinux process type pki_tomcat_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs DAC permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       dirsrv_var_lib_t

            /var/lib/dirsrv(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       pki_common_t

            /opt/nfast(/.*)?

       pki_tomcat_cache_t

       pki_tomcat_cert_t

            /var/lib/pki-ca/alias(/.*)?
            /etc/pki/pki-tomcat/ca(/.*)?
            /var/lib/pki-kra/alias(/.*)?
            /var/lib/pki-tks/alias(/.*)?
            /var/lib/pki-ocsp/alias(/.*)?
            /etc/pki/pki-tomcat/alias(/.*)?
            /var/lib/ipa/pki-ca/publish(/.*)?

       pki_tomcat_etc_rw_t

            /etc/pki-ca(/.*)?
            /etc/pki-kra(/.*)?
            /etc/pki-tks(/.*)?
            /etc/pki-ocsp(/.*)?
            /etc/pki/pki-tomcat(/.*)?
            /etc/sysconfig/pki/tomcat(/.*)?

       pki_tomcat_lock_t

            /var/lock/subsys/pkidaemon

       pki_tomcat_log_t

            /var/log/pki-ca(/.*)?
            /var/log/pki-kra(/.*)?
            /var/log/pki-tks(/.*)?
            /var/log/pki-ocsp(/.*)?
            /var/log/pki/pki-tomcat(/.*)?

       pki_tomcat_tmp_t

       pki_tomcat_var_lib_t

            /var/lib/pki-ca(/.*)?
            /var/lib/pki-kra(/.*)?
            /var/lib/pki-tks(/.*)?
            /var/lib/pki-ocsp(/.*)?
            /var/lib/pki/pki-tomcat(/.*)?

       pki_tomcat_var_run_t

            /var/run/pki-ca.pid
            /var/run/pki-kra.pid
            /var/run/pki-tks.pid
            /var/run/pki-ocsp.pid
            /var/run/pki/tomcat(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user/[^/]+
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /var/run/user
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /var/run/user/[0-9]+
            /tmp/gconfd-[^/]+


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux pki_tomcat policy is very flexible, allowing users to set up
       their pki_tomcat processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-ca directory.  If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca
       restorecon -R -v /srv/pki-ca

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-kra directory.  If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-kra /srv/pki-kra
       restorecon -R -v /srv/pki-kra

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-ocsp directory.  If you would like to
       store the data in a different directory you can use the semanage
       command to create an equivalence mapping.  If you wanted to store this
       data under the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-ocsp /srv/pki-ocsp
       restorecon -R -v /srv/pki-ocsp

       pki_tomcat policy stores data with multiple different file context
       types under the /var/lib/pki-tks directory.  If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pki-tks /srv/pki-tks
       restorecon -R -v /srv/pki-tks

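       The four relocations above follow one pattern, so as an added example
       (not part of the sepolicy-generated page) the following helper performs
       any of them after the checks a practitioner wants first: the source must
       be one of the four data directories this policy knows, the target must be
       an absolute path that is not inside the source, and nothing is applied
       unless "apply" is given as the third argument.  Function and variable
       names are this example's own.

```shell
#!/bin/sh
# Added example: relocate one of the pki_tomcat data directories with an
# equivalence mapping, as the page describes, after validating the request.
#   pki_tomcat_relocate SRC DST [apply]
# Without "apply" the commands are only printed; with it they are run and the
# label now computed for DST is shown with matchpathcon so the mapping can be
# confirmed before any data is moved.
PKI_TOMCAT_DATA_DIRS="/var/lib/pki-ca /var/lib/pki-kra /var/lib/pki-ocsp /var/lib/pki-tks"

pki_tomcat_known_dir() {
    for d in $PKI_TOMCAT_DATA_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

pki_tomcat_relocate() {
    src=$1; dst=$2; mode=${3:-dry-run}
    if ! pki_tomcat_known_dir "$src"; then
        echo "error: $src is not a pki_tomcat data directory" >&2; return 2
    fi
    case $dst in
        /*) ;;
        *)  echo "error: target must be an absolute path" >&2; return 2 ;;
    esac
    # an equivalence pointing inside its own source would make the mapping recursive
    case $dst in
        "$src"|"$src"/*) echo "error: target must not be inside $src" >&2; return 2 ;;
    esac
    if [ "$mode" = apply ]; then
        # -e records DST as equivalent to SRC: every path under DST is labeled as the
        # corresponding path under SRC would be; restorecon then writes those labels
        semanage fcontext -a -e "$src" "$dst" && restorecon -R -v "$dst" && matchpathcon "$dst"
    else
        printf 'semanage fcontext -a -e %s %s\nrestorecon -R -v %s\n' "$src" "$dst" "$dst"
    fi
}

# stand-alone run: dry-run output for the /srv example from the page, then a rejected request
pki_tomcat_relocate /var/lib/pki-ca /srv/pki-ca
pki_tomcat_relocate /var/lib/pki-ca /var/lib/pki-ca/archive || echo "rejected (exit $?)"
```

       Run it with apply as root on the target host; because the equivalence
       is stored in the SELinux labeling database, the mapping survives a
       relabel of the filesystem, unlike a chcon.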
       STANDARD FILE CONTEXT

       SELinux defines the file context types for pki_tomcat.  If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t pki_tomcat_lock_t '/srv/mypki_tomcat_content(/.*)?'
       restorecon -R -v /srv/mypki_tomcat_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for pki_tomcat:

       pki_tomcat_cache_t

       - Set files with the pki_tomcat_cache_t type, if you want to store the
       files under the /var/cache directory.

       pki_tomcat_cert_t

       - Set files with the pki_tomcat_cert_t type, if you want to treat the
       files as pki tomcat certificate data.

       Paths:
            /var/lib/pki-ca/alias(/.*)?, /etc/pki/pki-tomcat/ca(/.*)?,
            /var/lib/pki-kra/alias(/.*)?, /var/lib/pki-tks/alias(/.*)?,
            /var/lib/pki-ocsp/alias(/.*)?, /etc/pki/pki-tomcat/alias(/.*)?,
            /var/lib/ipa/pki-ca/publish(/.*)?

       pki_tomcat_etc_rw_t

       - Set files with the pki_tomcat_etc_rw_t type, if you want to treat the
       files as pki tomcat etc read/write content.

       Paths:
            /etc/pki-ca(/.*)?, /etc/pki-kra(/.*)?, /etc/pki-tks(/.*)?,
            /etc/pki-ocsp(/.*)?, /etc/pki/pki-tomcat(/.*)?,
            /etc/sysconfig/pki/tomcat(/.*)?

       pki_tomcat_exec_t

       - Set files with the pki_tomcat_exec_t type, if you want to transition
       an executable to the pki_tomcat_t domain.

       pki_tomcat_lock_t

       - Set files with the pki_tomcat_lock_t type, if you want to treat the
       files as pki tomcat lock data, stored under the /var/lock directory.

       pki_tomcat_log_t

       - Set files with the pki_tomcat_log_t type, if you want to treat the
       data as pki tomcat log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/pki-ca(/.*)?, /var/log/pki-kra(/.*)?,
            /var/log/pki-tks(/.*)?, /var/log/pki-ocsp(/.*)?,
            /var/log/pki/pki-tomcat(/.*)?

       pki_tomcat_tmp_t

       - Set files with the pki_tomcat_tmp_t type, if you want to store pki
       tomcat temporary files in the /tmp directories.

       pki_tomcat_unit_file_t

       - Set files with the pki_tomcat_unit_file_t type, if you want to treat
       the files as pki tomcat unit content.

       pki_tomcat_var_lib_t

       - Set files with the pki_tomcat_var_lib_t type, if you want to store
       the pki tomcat files under the /var/lib directory.

       Paths:
            /var/lib/pki-ca(/.*)?, /var/lib/pki-kra(/.*)?,
            /var/lib/pki-tks(/.*)?, /var/lib/pki-ocsp(/.*)?,
            /var/lib/pki/pki-tomcat(/.*)?

       pki_tomcat_var_run_t

       - Set files with the pki_tomcat_var_run_t type, if you want to store
       the pki tomcat files under the /run or /var/run directory.

       Paths:
            /var/run/pki-ca.pid, /var/run/pki-kra.pid, /var/run/pki-tks.pid,
            /var/run/pki-ocsp.pid, /var/run/pki/tomcat(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling
       database.  You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), pki_tomcat_script_selinux(8)

pki_tomcat                         22-05-27              pki_tomcat_selinux(8)