cluster_selinux(8)

1cluster_selinux(8)          SELinux Policy cluster          cluster_selinux(8)
2
3
4

NAME

6       cluster_selinux  -  Security Enhanced Linux Policy for the cluster pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  cluster  processes  via  flexible
11       mandatory access control.
12
13       The  cluster processes execute with the cluster_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep cluster_t
20
21
22

ENTRYPOINTS

24       The  cluster_t  SELinux type can be entered via the cluster_exec_t file
25       type.
26
27       The default entrypoint paths for the cluster_t domain are  the  follow‐
28       ing:
29
30       /usr/sbin/pcsd,          /usr/sbin/aisexec,         /usr/lib/pcsd/pcsd,
31       /usr/sbin/ccs_tool,       /usr/sbin/corosync,       /usr/sbin/cpglockd,
32       /usr/sbin/cman_tool,     /usr/sbin/rgmanager,     /usr/sbin/ldirectord,
33       /usr/sbin/pacemakerd, /usr/bin/corosync-qnetd,  /usr/sbin/corosync-cfg‐
34       tool,      /usr/sbin/corosync-notifyd,      /usr/sbin/corosync-qdevice,
35       /usr/lib/pcs/pcs_snmp_agent,               /usr/sbin/pacemaker-remoted,
36       /usr/sbin/pacemaker_remoted,              /usr/lib/heartbeat/heartbeat,
37       /usr/share/corosync/corosync, /usr/share/corosync/corosync-qdevice
38

PROCESS TYPES

40       SELinux defines process types (domains) for each process running on the
41       system
42
43       You can see the context of a process using the -Z option to ps
44
45       Policy  governs  the  access confined processes have to files.  SELinux
46       cluster policy is very flexible allowing users to setup  their  cluster
47       processes in as secure a method as possible.
48
49       The following process types are defined for cluster:
50
51       cluster_t
52
53       Note:  semanage permissive -a cluster_t can be used to make the process
54       type cluster_t permissive. SELinux does not deny access  to  permissive
55       process  types, but the AVC (SELinux denials) messages are still gener‐
56       ated.
57
58

BOOLEANS

60       SELinux policy is customizable based on least access required.  cluster
61       policy is extremely flexible and has several booleans that allow you to
62       manipulate the policy and run cluster with the tightest  access  possi‐
63       ble.
64
65
66
67       If  you  want to allow cluster administrative cluster domains memcheck-
68       amd64- to use executable memory, you must turn on  the  cluster_use_ex‐
69       ecmem boolean. Disabled by default.
70
71       setsebool -P cluster_use_execmem 1
72
73
74
75       If you want to deny user domains applications to map a memory region as
76       both executable and writable, this  is  dangerous  and  the  executable
77       should be reported in bugzilla, you must turn on the deny_execmem bool‐
78       ean. Enabled by default.
79
80       setsebool -P deny_execmem 1
81
82
83
84       If you want to control the ability to mmap a low area  of  the  address
85       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
86       the mmap_low_allowed boolean. Disabled by default.
87
88       setsebool -P mmap_low_allowed 1
89
90
91
92       If you want to disable kernel module loading, you must turn on the  se‐
93       cure_mode_insmod boolean. Enabled by default.
94
95       setsebool -P secure_mode_insmod 1
96
97
98
99       If  you  want to allow unconfined executables to make their heap memory
100       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
101       badly  coded  executable, but could indicate an attack. This executable
102       should be reported in bugzilla, you must turn  on  the  selinuxuser_ex‐
103       echeap boolean. Disabled by default.
104
105       setsebool -P selinuxuser_execheap 1
106
107
108
109       If  you  want  to allow unconfined executables to make their stack exe‐
110       cutable.  This should never, ever be necessary.  Probably  indicates  a
111       badly  coded  executable, but could indicate an attack. This executable
112       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
113       stack boolean. Enabled by default.
114
115       setsebool -P selinuxuser_execstack 1
116
117
118

NSSWITCH DOMAIN

120       If you want to allow users to resolve user passwd entries directly from
121       ldap rather then using a sssd server for the cluster_t, you  must  turn
122       on the authlogin_nsswitch_use_ldap boolean.
123
124       setsebool -P authlogin_nsswitch_use_ldap 1
125
126
127       If you want to allow confined applications to run with kerberos for the
128       cluster_t, you must turn on the kerberos_enabled boolean.
129
130       setsebool -P kerberos_enabled 1
131
132

PORT TYPES

134       SELinux defines port types to represent TCP and UDP ports.
135
136       You can see the types associated with a port  by  using  the  following
137       command:
138
139       semanage port -l
140
141
142       Policy  governs  the  access  confined  processes  have to these ports.
143       SELinux cluster policy is very flexible allowing users to  setup  their
144       cluster processes in as secure a method as possible.
145
146       The following port types are defined for cluster:
147
148
149       cluster_port_t
150
151
152
153       Default Defined Ports:
154                 tcp 5149,40040,50006-50008
155                 udp 5149,50006-50008
156

MANAGED FILES

158       The  SELinux  process  type cluster_t can manage files labeled with the
159       following file types.  The paths listed are the default paths for these
160       file types.  Note the processes UID still need to have DAC permissions.
161
162       file_type
163
164            all files on the system
165
166

FILE CONTEXTS

168       SELinux requires files to have an extended attribute to define the file
169       type.
170
171       You can see the context of a file using the -Z option to ls
172
173       Policy governs the access  confined  processes  have  to  these  files.
174       SELinux  cluster  policy is very flexible allowing users to setup their
175       cluster processes in as secure a method as possible.
176
177       EQUIVALENCE DIRECTORIES
178
179
180       cluster policy stores data with multiple different file  context  types
181       under the /var/log/pacemaker directory.  If you would like to store the
182       data in a different directory you can use the semanage command to  cre‐
183       ate an equivalence mapping.  If you wanted to store this data under the
184       /srv directory you would execute the following command:
185
186       semanage fcontext -a -e /var/log/pacemaker /srv/pacemaker
187       restorecon -R -v /srv/pacemaker
188
189       STANDARD FILE CONTEXT
190
191       SELinux defines the file context types for the cluster, if  you  wanted
192       to store files with these types in a diffent paths, you need to execute
193       the semanage command to specify alternate labeling  and  then  use  re‐
194       storecon to put the labels on disk.
195
196       semanage   fcontext   -a  -t  cluster_unit_file_t  '/srv/mycluster_con‐
197       tent(/.*)?'
198       restorecon -R -v /srv/mycluster_content
199
200       Note: SELinux often uses regular expressions  to  specify  labels  that
201       match multiple files.
202
203       The following file types are defined for cluster:
204
205
206
207       cluster_conf_t
208
209       -  Set  files  with  the  cluster_conf_t type, if you want to treat the
210       files as cluster configuration data, usually stored under the /etc  di‐
211       rectory.
212
213
214
215       cluster_exec_t
216
217       -  Set files with the cluster_exec_t type, if you want to transition an
218       executable to the cluster_t domain.
219
220
221       Paths:
222            /usr/sbin/pcsd,       /usr/sbin/aisexec,       /usr/lib/pcsd/pcsd,
223            /usr/sbin/ccs_tool,     /usr/sbin/corosync,    /usr/sbin/cpglockd,
224            /usr/sbin/cman_tool,  /usr/sbin/rgmanager,   /usr/sbin/ldirectord,
225            /usr/sbin/pacemakerd, /usr/bin/corosync-qnetd, /usr/sbin/corosync-
226            cfgtool,  /usr/sbin/corosync-notifyd,  /usr/sbin/corosync-qdevice,
227            /usr/lib/pcs/pcs_snmp_agent,          /usr/sbin/pacemaker-remoted,
228            /usr/sbin/pacemaker_remoted,         /usr/lib/heartbeat/heartbeat,
229            /usr/share/corosync/corosync, /usr/share/corosync/corosync-qdevice
230
231
232       cluster_initrc_exec_t
233
234       - Set files with the cluster_initrc_exec_t type, if you want to transi‐
235       tion an executable to the cluster_initrc_t domain.
236
237
238       Paths:
239            /etc/rc.d/init.d/openais,               /etc/rc.d/init.d/corosync,
240            /etc/rc.d/init.d/cpglockd,             /etc/rc.d/init.d/heartbeat,
241            /etc/rc.d/init.d/pacemaker, /etc/rc.d/init.d/rgmanager
242
243
244       cluster_tmp_t
245
246       - Set files with the cluster_tmp_t type, if you want to  store  cluster
247       temporary files in the /tmp directories.
248
249
250
251       cluster_tmpfs_t
252
253       - Set files with the cluster_tmpfs_t type, if you want to store cluster
254       files on a tmpfs file system.
255
256
257
258       cluster_unit_file_t
259
260       - Set files with the cluster_unit_file_t type, if you want to treat the
261       files as cluster unit content.
262
263
264       Paths:
265            /usr/lib/systemd/system/pcsd.*,              /usr/lib/systemd/sys‐
266            tem/corosync.*, /usr/lib/systemd/system/pacemaker.*, /usr/lib/sys‐
267            temd/system/corosync-qnetd.*,    /usr/lib/systemd/system/corosync-
268            qdevice.*
269
270
271       cluster_var_lib_t
272
273       - Set files with the cluster_var_lib_t type, if you want to  store  the
274       cluster files under the /var/lib directory.
275
276
277       Paths:
278            /var/lib/pcsd(/.*)?,     /var/lib/cluster(/.*)?,     /var/lib/ope‐
279            nais(/.*)?,    /var/lib/pengine(/.*)?,    /var/lib/corosync(/.*)?,
280            /usr/lib/heartbeat(/.*)?, /var/lib/heartbeat(/.*)?, /var/lib/pace‐
281            maker(/.*)?
282
283
284       cluster_var_log_t
285
286       - Set files with the cluster_var_log_t type, if you want to  treat  the
287       data  as cluster var log data, usually stored under the /var/log direc‐
288       tory.
289
290
291       Paths:
292            /var/log/ctdb(/.*)?,      /var/log/pcsd(/.*)?,      /var/log/pace‐
293            maker(/.*)?,     /var/log/pacemaker.log.*,    /var/log/cluster/ai‐
294            sexec.log.*, /var/log/cluster/corosync.log.*, /var/log/cluster/cp‐
295            glockd.log.*, /var/log/cluster/rgmanager.log.*
296
297
298       cluster_var_run_t
299
300       -  Set  files with the cluster_var_run_t type, if you want to store the
301       cluster files under the /run or /var/run directory.
302
303
304       Paths:
305            /var/run/crm(/.*)?,    /var/run/cman_.*,    /var/run/rsctmp(/.*)?,
306            /var/run/aisexec.*,    /var/run/heartbeat(/.*)?,    /var/run/pcsd-
307            ruby.socket, /var/run/corosync-qnetd(/.*)?, /var/run/corosync-qde‐
308            vice(/.*)?,      /var/run/corosync.pid,     /var/run/cpglockd.pid,
309            /var/run/rgmanager.pid, /var/run/cluster/rgmanager.sk
310
311
312       Note: File context can be temporarily modified with the chcon  command.
313       If  you want to permanently change the file context you need to use the
314       semanage fcontext command.  This will modify the SELinux labeling data‐
315       base.  You will need to use restorecon to apply the labels.
316
317

COMMANDS

319       semanage  fcontext  can also be used to manipulate default file context
320       mappings.
321
322       semanage permissive can also be used to manipulate  whether  or  not  a
323       process type is permissive.
324
325       semanage  module can also be used to enable/disable/install/remove pol‐
326       icy modules.
327
328       semanage port can also be used to manipulate the port definitions
329
330       semanage boolean can also be used to manipulate the booleans
331
332
333       system-config-selinux is a GUI tool available to customize SELinux pol‐
334       icy settings.
335
336

AUTHOR

338       This manual page was auto-generated using sepolicy manpage .
339
340