ricci_selinux(8)             SELinux Policy ricci             ricci_selinux(8)



NAME

       ricci_selinux - Security Enhanced Linux Policy for the ricci processes


DESCRIPTION

       Security-Enhanced Linux secures the ricci processes via flexible
       mandatory access control.

       The ricci processes execute with the ricci_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep ricci_t


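       The grep above only lists what is already in ricci_t. The script below,
       added here as an example and not part of the ricci_selinux man page or
       of ricci itself, reads ps -eZ output and also flags any ricci-related
       process that is running outside a ricci_* domain, which is the case a
       confinement audit actually cares about. The ps output embedded in it is
       constructed (process names ricci and modclusterd, pids and contexts are
       made up), so it runs without SELinux or root; on a live host pipe
       ps -eZ into ricci_confinement_report instead.

```shell
#!/bin/sh
# Added example, not from the ricci_selinux man page or the ricci project.
# Reads `ps -eZ` output (LABEL PID TTY TIME CMD) and reports every process
# that is either labeled with a ricci_* domain or whose command looks like a
# ricci component, marking the ones that run outside a ricci_* domain.

ricci_confinement_report() {
    awk '
        NR == 1 { next }                         # skip the column header
        {
            ctx = $1; pid = $2; cmd = $NF
            n = split(ctx, f, ":")               # user:role:type[:level]
            type = (n >= 3) ? f[3] : ctx
            if (type ~ /^ricci_/ || cmd ~ /^(ricci|modcluster|modclusterd)$/) {
                status = (type ~ /^ricci_/) ? "confined" : "UNCONFINED"
                printf "%s %s %s %s\n", pid, type, cmd, status
            }
        }'
}

# Constructed sample of `ps -eZ` output; not captured from a real host.
SAMPLE_PS='LABEL                                      PID TTY      TIME CMD
system_u:system_r:init_t:s0                  1 ?    00:00:01 systemd
system_u:system_r:ricci_t:s0              1234 ?    00:00:00 ricci
system_u:system_r:ricci_modclusterd_t:s0  1240 ?    00:00:00 modclusterd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 ricci
system_u:system_r:sshd_t:s0-s0:c0.c1023    900 ?    00:00:00 sshd'

# Number of ricci-related processes outside any ricci_* domain; 0 is the
# healthy answer.
count_unconfined() {
    printf '%s\n' "$SAMPLE_PS" | ricci_confinement_report \
        | awk '/UNCONFINED$/ { n++ } END { print n + 0 }'
}

# Distinct ricci_* domains currently in use, one per line.
ricci_domains_in_use() {
    printf '%s\n' "$SAMPLE_PS" | ricci_confinement_report \
        | awk '$2 ~ /^ricci_/ { print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_PS" | ricci_confinement_report
```

       A ricci binary reported UNCONFINED is executing without the policy's
       restrictions on ricci_t; find out how it was started before trusting
       anything else this page says about its access.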

ENTRYPOINTS

       The ricci_t SELinux type can be entered via the bin_t, ricci_exec_t,
       usr_t file types.

       The default entrypoint paths for the ricci_t domain are the following:

       All executables with the default executable label, usually stored in
       /usr/bin and /usr/sbin.  /usr/sbin/ricci, /opt/.*, /usr/.*, /emul/.*,
       /export(/.*)?, /ostree(/.*)?, /usr/doc(/.*)?/lib(/.*)?,
       /usr/inclu.e(/.*)?, /usr/share/rpm(/.*)?, /usr/share/doc(/.*)?/README.*,
       /usr/lib/modules(/.*)/vmlinuz, /usr/lib/modules(/.*)/initramfs.img,
       /usr/lib/sysimage(/.*)?, /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul

       Note that bin_t and usr_t cover ordinary executables under /usr, so the
       ricci_t domain is not tied to /usr/sbin/ricci alone; the ps -eZ check in
       DESCRIPTION shows what is actually running in it.


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       ricci policy is very flexible allowing users to set up their ricci
       processes in as secure a method as possible.

       The following process types are defined for ricci:

       ricci_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_modlog_t,
       ricci_modrpm_t, ricci_modservice_t, ricci_modstorage_t

       Note: semanage permissive -a ricci_t can be used to make the process
       type ricci_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated. This affects only ricci_t; the rest of the system stays
       enforcing. Use semanage permissive -d ricci_t to return it to enforcing
       once the denials have been reviewed.

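       Once ricci_t is permissive, the AVC records in /var/log/audit/audit.log
       are the material for deciding whether a boolean, a relabel or a local
       policy module is the right fix. The script below is an added example,
       not from this man page or from ricci, and not a replacement for
       audit2allow(1): it groups the denials whose source domain is a ricci_*
       type by object class, permission set and target type, and shows whether
       each was recorded under permissive mode. The audit lines are
       constructed (timestamps, pids, inodes and the dest=5000 port are made
       up); on a real host feed the audit log or ausearch -m AVC output into
       summarize_ricci_avcs.

```shell
#!/bin/sh
# Added example, not from the ricci_selinux man page or the ricci project.
# Summarize AVC denials originating from ricci_* domains so they can be
# reviewed before any policy change is made.

# Reads audit records on stdin and prints one line per distinct denial:
#   COUNT SOURCE_DOMAIN TCLASS { PERMS } TARGET_TYPE permissive=N
# sorted by count, highest first. Only "denied" records from ricci_* domains
# are kept; granted records and other domains are ignored.
summarize_ricci_avcs() {
    awk '
        /type=AVC/ && /avc: +denied/ {
            perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
            s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sf, ":")
            t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, tf, ":")
            cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
            if (sf[3] !~ /^ricci_/) next
            # Older kernels omit the permissive= field; report "?" in that case.
            mode = ($0 ~ /permissive=1/) ? "1" : (($0 ~ /permissive=0/) ? "0" : "?")
            key = sf[3] " " cls " { " perms " } " tf[3] " permissive=" mode
            count[key]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed audit records; nothing here was captured from a real host.
SAMPLE_AUDIT='type=AVC msg=audit(1653661234.101:301): avc:  denied  { write } for  pid=1234 comm="ricci" name="cluster.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:ricci_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1653661235.102:302): avc:  denied  { write } for  pid=1234 comm="ricci" name="cluster.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:ricci_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1653661236.103:303): avc:  denied  { name_connect } for  pid=1240 comm="modclusterd" dest=5000 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1653661237.104:304): avc:  denied  { read } for  pid=900 comm="sshd" name="shadow" dev="dm-0" ino=17 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1653661238.105:305): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Number of distinct ricci denials in the sample.
distinct_ricci_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_ricci_avcs | awk 'END { print NR }'
}

# The most frequent denial line.
top_ricci_denial() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_ricci_avcs | head -n 1
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_ricci_avcs
```

       Read the target type before reaching for a policy change: a ricci_t
       write denied on etc_t usually means a file under /etc/cluster is
       mislabeled (it should be cluster_conf_t, see MANAGED FILES) and wants
       restorecon, not an allow rule.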

BOOLEANS

       SELinux policy is customizable based on least access required. ricci
       policy is extremely flexible and has booleans that allow you to
       manipulate the policy and run ricci with the tightest access possible.



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       The -P flag makes the change persistent across reboots; without it the
       setting is lost at the next reboot. Check the current value with
       getsebool fips_mode.



PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l


       Policy governs the access confined processes have to these ports.
       SELinux ricci policy is very flexible allowing users to set up their
       ricci processes in as secure a method as possible.

       The following port types are defined for ricci:


       ricci_modcluster_port_t



       Default Defined Ports:
                 tcp 16851
                 udp 16851


       ricci_port_t



       Default Defined Ports:
                 tcp 11111
                 udp 11111

       If ricci is configured to listen on a port other than 11111, that port
       must be added to ricci_port_t with semanage port (see COMMANDS), or the
       bind is denied.

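       Rather than reading semanage port -l by eye, the following added
       example (not from this man page or from ricci) answers the question a
       ricci deployment raises when it is moved off 11111: which type covers
       that port now, and whether semanage port -a or semanage port -m is the
       right call. The semanage output embedded in SAMPLE_PORTS is constructed;
       on a live host replace it with real semanage port -l output.

```shell
#!/bin/sh
# Added example, not from the ricci_selinux man page or the ricci project.
# Decide how a non-default ricci port has to be labeled, working from
# `semanage port -l` output.

# Constructed excerpt of `semanage port -l` output (not from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ricci_modcluster_port_t        tcp      16851
ricci_modcluster_port_t        udp      16851
ricci_port_t                   tcp      11111
ricci_port_t                   udp      11111
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767
unreserved_port_t              udp      1024-32767'

# port_label PROTO PORT -> "exact TYPE" | "range TYPE" | "none"
# A single-port definition beats a range that also covers the port, which is
# why 443 resolves to http_port_t even though 1024-32767 is unreserved_port_t.
port_label() {
    printf '%s\n' "$SAMPLE_PORTS" | awk -v proto="$1" -v port="$2" '
        NR > 1 && NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i; gsub(/,/, "", item)
                if (split(item, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = item + 0; hi = lo }
                if (port + 0 >= lo && port + 0 <= hi) {
                    if (lo == hi) exact = $1
                    else if (range == "") range = $1
                }
            }
        }
        END {
            if (exact != "") print "exact", exact
            else if (range != "") print "range", range
            else print "none"
        }'
}

# ricci_port_fix PROTO PORT -> the semanage command (if any) that makes PORT
# usable by ricci_t as ricci_port_t. A port already owned by another single
# port definition needs -m (modify), and taking it away breaks that service.
ricci_port_fix() {
    set -- "$1" "$2" $(port_label "$1" "$2")   # $3 = kind, $4 = type
    case "$3 $4" in
        "exact ricci_port_t")
            echo "ok: $1/$2 is already ricci_port_t" ;;
        exact*)
            echo "warning: $1/$2 belongs to $4; relabeling takes it away from that service"
            echo "semanage port -m -t ricci_port_t -p $1 $2" ;;
        *)
            echo "semanage port -a -t ricci_port_t -p $1 $2" ;;
    esac
}

ricci_port_fix tcp 11111
ricci_port_fix tcp 5000
ricci_port_fix tcp 443
```

       The same check applies to ricci_modcluster_port_t (16851) if modcluster
       is moved; only the type name in ricci_port_fix changes.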

MANAGED FILES

       The SELinux process type ricci_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions. Because cluster_conf_t and root_t are in this list, the
       policy itself does not stop a ricci_t process from writing under
       /etc/cluster or / ; only DAC does.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       ricci_tmp_t


       ricci_var_lib_t

            /var/lib/ricci(/.*)?

       ricci_var_run_t

            /var/run/ricci.pid

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux ricci policy is very flexible allowing users to set up their
       ricci processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for ricci. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t ricci_modstorage_lock_t '/srv/myricci_content(/.*)?'
       restorecon -R -v /srv/myricci_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. The expression is matched against the whole path,
       so '/srv/myricci_content(/.*)?' covers the directory itself and
       everything below it; quote it so the shell does not expand it.

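       semanage fcontext and restorecon do the real work, but it is easy to
       write a rule that never matches the files you meant, or that loses to a
       more specific rule elsewhere. The script below is an added example (not
       from this man page and not from ricci) that mirrors what restorecon -n
       -v would report for a relocated ricci state directory: it evaluates a
       constructed rule set in the order libselinux consults file contexts,
       where the last matching rule wins, and lists each file whose current
       label differs from the rule's. Rules, paths and labels are all
       constructed; the hypothetical /srv/ricci relocation uses
       ricci_var_lib_t, the type this page assigns to /var/lib/ricci.

```shell
#!/bin/sh
# Added example, not from the ricci_selinux man page or the ricci project.
# Predict what `restorecon -n -v` would relabel, given a rule set in
# semanage fcontext form and the labels files carry today.

# Constructed rule set: "REGEX TYPE" per line, in the order libselinux
# consults them; the LAST matching rule wins, which is why a rule added with
# semanage fcontext overrides the distribution's rule for the same path.
# The /srv/ricci rule is the hypothetical relocation; the others stand in
# for distribution rules.
RULES='/var/lib(/.*)? var_lib_t
/var/lib/ricci(/.*)? ricci_var_lib_t
/var/run/ricci\.pid ricci_var_run_t
/srv/ricci(/.*)? ricci_var_lib_t'

# expected_type PATH -> the type the rules assign, or "none" when no rule
# matches. fcontext regexes are anchored at both ends, as restorecon does.
expected_type() {
    printf '%s\n' "$RULES" | awk -v path="$1" '
        path ~ ("^" $1 "$") { t = $2 }          # later matches override earlier ones
        END { print (t == "") ? "none" : t }'
}

# relabel_plan reads "PATH CURRENT_TYPE" lines on stdin (what ls -Z gives
# once the context is trimmed to its type field) and prints one line per file
# whose label disagrees with the rules. Files no rule covers are left alone,
# exactly as restorecon leaves them.
relabel_plan() {
    while read -r path cur; do
        want=$(expected_type "$path")
        [ "$want" = "none" ] && continue
        [ "$want" = "$cur" ] || printf 'relabel %s from %s to %s\n' "$path" "$cur" "$want"
    done
}

# Constructed current labels (not captured from a real host).
SAMPLE_FILES='/var/lib/ricci/cache.db ricci_var_lib_t
/var/lib/other/state var_lib_t
/srv/ricci var_t
/srv/ricci/cache.db var_t
/var/run/ricci.pid var_run_t
/etc/passwd etc_t'

# Number of files the rules would relabel.
planned_relabels() {
    printf '%s\n' "$SAMPLE_FILES" | relabel_plan | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_FILES" | relabel_plan
```

       A path that comes back "none" for a directory you expected to relabel
       is the usual sign of an unanchored or mistyped expression; fix the rule
       before running restorecon -R on the tree.
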
       The following file types are defined for ricci:


       ricci_exec_t

       - Set files with the ricci_exec_t type, if you want to transition an
       executable to the ricci_t domain.


       ricci_initrc_exec_t

       - Set files with the ricci_initrc_exec_t type, if you want to
       transition an executable to the ricci_initrc_t domain.


       ricci_modcluster_exec_t

       - Set files with the ricci_modcluster_exec_t type, if you want to
       transition an executable to the ricci_modcluster_t domain.


       ricci_modcluster_var_lib_t

       - Set files with the ricci_modcluster_var_lib_t type, if you want to
       store the ricci modcluster files under the /var/lib directory.


       ricci_modcluster_var_log_t

       - Set files with the ricci_modcluster_var_log_t type, if you want to
       treat the data as ricci modcluster var log data, usually stored under
       the /var/log directory.


       ricci_modcluster_var_run_t

       - Set files with the ricci_modcluster_var_run_t type, if you want to
       store the ricci modcluster files under the /run or /var/run directory.


       Paths:
            /var/run/clumond.sock, /var/run/modclusterd.pid


       ricci_modclusterd_exec_t

       - Set files with the ricci_modclusterd_exec_t type, if you want to
       transition an executable to the ricci_modclusterd_t domain.


       ricci_modclusterd_tmpfs_t

       - Set files with the ricci_modclusterd_tmpfs_t type, if you want to
       store ricci modclusterd files on a tmpfs file system.


       ricci_modlog_exec_t

       - Set files with the ricci_modlog_exec_t type, if you want to
       transition an executable to the ricci_modlog_t domain.


       ricci_modrpm_exec_t

       - Set files with the ricci_modrpm_exec_t type, if you want to
       transition an executable to the ricci_modrpm_t domain.


       ricci_modservice_exec_t

       - Set files with the ricci_modservice_exec_t type, if you want to
       transition an executable to the ricci_modservice_t domain.


       ricci_modstorage_exec_t

       - Set files with the ricci_modstorage_exec_t type, if you want to
       transition an executable to the ricci_modstorage_t domain.


       ricci_modstorage_lock_t

       - Set files with the ricci_modstorage_lock_t type, if you want to treat
       the files as ricci modstorage lock data, stored under the /var/lock
       directory.


       ricci_tmp_t

       - Set files with the ricci_tmp_t type, if you want to store ricci
       temporary files in the /tmp directories.


       ricci_var_lib_t

       - Set files with the ricci_var_lib_t type, if you want to store the
       ricci files under the /var/lib directory.


       ricci_var_log_t

       - Set files with the ricci_var_log_t type, if you want to treat the
       data as ricci var log data, usually stored under the /var/log
       directory.


       ricci_var_run_t

       - Set files with the ricci_var_run_t type, if you want to store the
       ricci files under the /run or /var/run directory.


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8),
       ricci_modlog_selinux(8), ricci_modrpm_selinux(8),
       ricci_modservice_selinux(8), ricci_modstorage_selinux(8)



ricci                              22-05-27                   ricci_selinux(8)