pegasus_selinux(8)            SELinux Policy pegasus            pegasus_selinux(8)

NAME
pegasus_selinux - Security Enhanced Linux Policy for the pegasus processes

DESCRIPTION
Security-Enhanced Linux secures the pegasus processes via flexible mandatory access control.

The pegasus processes execute with the pegasus_t SELinux type. You can check whether these processes are running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep pegasus_t

ENTRYPOINTS
The pegasus_t SELinux type can be entered via the pegasus_exec_t file type.

The default entrypoint paths for the pegasus_t domain are the following:

/usr/sbin/cimserver, /usr/sbin/init_repository

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux pegasus policy is very flexible, allowing users to set up their pegasus processes in as secure a manner as possible.

The following process types are defined for pegasus:

pegasus_t, pegasus_openlmi_admin_t, pegasus_openlmi_account_t, pegasus_openlmi_logicalfile_t, pegasus_openlmi_services_t, pegasus_openlmi_storage_t, pegasus_openlmi_system_t, pegasus_openlmi_unconfined_t

Note: semanage permissive -a pegasus_t can be used to make the process type pegasus_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.

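The ps -eZ check above tells you that a pegasus process is in one of the listed types; the case an auditor actually cares about is the reverse one, a cimserver or a *-cimprovagt provider running in some other type (for example unconfined_t after being started by hand), because that process is not confined by this policy at all. The script below is an added example, not part of the sepolicy-generated page: it parses ps -eZ output and reports both cases. SAMPLE_PS is a constructed listing so it runs offline, and the function names (context_type, is_pegasus_domain, audit_pegasus_domains, count_unconfined) are the example's own; the domain list and the command-name patterns come from the PROCESS TYPES and ENTRYPOINTS sections of this page.

```shell
#!/bin/bash
# Added example, not part of the sepolicy-generated man page. It reads
# `ps -eZ` output and reports which pegasus processes are confined by one of
# the pegasus domains and which run outside them. SAMPLE_PS is constructed so
# the script runs offline; on a real host pipe in:  ps -eZ | audit_pegasus_domains

# The process types listed under PROCESS TYPES on this page.
PEGASUS_DOMAINS="pegasus_t pegasus_openlmi_admin_t pegasus_openlmi_account_t
pegasus_openlmi_logicalfile_t pegasus_openlmi_services_t pegasus_openlmi_storage_t
pegasus_openlmi_system_t pegasus_openlmi_unconfined_t"

# Constructed sample: one confined cimserver, one confined provider agent,
# one cimserver started by hand from an unconfined shell, one unrelated daemon.
SAMPLE_PS='LABEL                                           PID TTY      TIME CMD
system_u:system_r:pegasus_t:s0                 1234 ?    00:00:01 cimserver
system_u:system_r:pegasus_openlmi_storage_t:s0 1250 ?    00:00:00 pycmpiLMI_Storage-cimprovagt
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1300 pts/0 00:00:00 cimserver
system_u:system_r:sshd_t:s0-s0:c0.c1023         800 ?    00:00:00 sshd'

# context_type LABEL: the type field (user:role:TYPE:level) of a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_pegasus_domain TYPE: succeed if TYPE is one of the pegasus domains.
is_pegasus_domain() {
    local t
    for t in $PEGASUS_DOMAINS; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# audit_pegasus_domains: read ps -eZ on stdin, print one line per finding:
#   CONFINED   PID CMD TYPE   process runs in a pegasus domain
#   UNCONFINED PID CMD TYPE   a pegasus binary (the entrypoints or a *-cimprovagt
#                             provider named on this page) runs in some other
#                             type, so this policy does not confine it
audit_pegasus_domains() {
    local label pid tty cpu cmd type
    tail -n +2 | while read -r label pid tty cpu cmd; do   # drop the header row
        type=$(context_type "$label")
        if is_pegasus_domain "$type"; then
            echo "CONFINED $pid $cmd $type"
        else
            case "$cmd" in
                cimserver|init_repository|*-cimprovagt)
                    echo "UNCONFINED $pid $cmd $type" ;;
            esac
        fi
    done
}

# count_unconfined: number of UNCONFINED findings in the sample (0 is the goal).
count_unconfined() {
    printf '%s\n' "$SAMPLE_PS" | audit_pegasus_domains | grep -c '^UNCONFINED'
}
```

On a live host, an UNCONFINED line for cimserver usually means the binary was copied or started from a path that is not labeled pegasus_exec_t, so no domain transition happened; restorecon on the binary and a restart from the service manager is the usual fix.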

BOOLEANS
SELinux policy is customizable based on least access required. pegasus policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pegasus with the tightest access possible.

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

semanage port -l

Policy governs the access confined processes have to these ports. SELinux pegasus policy is very flexible, allowing users to set up their pegasus processes in as secure a manner as possible.

The following port types are defined for pegasus:

pegasus_http_port_t

Default Defined Ports:
tcp 5988

pegasus_https_port_t

Default Defined Ports:
tcp 5989

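The practical consequence of the two port types above: if cimserver is configured to listen somewhere other than 5988/5989, that port has to carry pegasus_http_port_t or pegasus_https_port_t, because a bind to a port whose type the policy does not grant to pegasus_t is denied. The script below is an added example, not part of the sepolicy-generated page: it parses a constructed excerpt of semanage port -l output, resolves which type owns a TCP port (an entry naming the port exactly wins over a range such as the unreserved_port_t ranges that merely contains it), and prints the semanage port command an administrator would run, without executing anything. SAMPLE_PORTS, port_type_for, check_pegasus_port and the OK/NEEDS_LABEL/CONFLICT labels are the example's own.

```shell
#!/bin/bash
# Added example, not part of the sepolicy-generated man page. It resolves which
# SELinux port type owns a TCP port in `semanage port -l` output and tells an
# administrator whether pegasus_t may bind it. The listing below is a
# constructed excerpt; on a real host capture it with:  semanage port -l

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
unreserved_port_t              tcp      1024-32767, 32769-60999, 61001-65535'

# port_type_for PORT LISTING: print the type owning TCP port PORT.
# An entry naming the port exactly wins over a range that merely contains it.
# Returns 1 (prints nothing) when no entry covers the port.
port_type_for() {
    local want="$1" listing="$2" type proto ports p lo hi range_hit=""
    while read -r type proto ports; do
        [ "$proto" = tcp ] || continue          # skips the header and udp rows
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            case "$p" in
                *-*)                            # low-high range
                    lo=${p%-*}; hi=${p#*-}
                    if [ -z "$range_hit" ] && [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then
                        range_hit=$type
                    fi ;;
                *)                              # single port number
                    if [ "$p" -eq "$want" ]; then
                        echo "$type"; return 0
                    fi ;;
            esac
        done
    done <<EOF
$listing
EOF
    [ -n "$range_hit" ] || return 1
    echo "$range_hit"
}

# check_pegasus_port PORT LISTING: first line is OK (already a pegasus port
# type), NEEDS_LABEL (no type or only the generic unreserved type) or
# CONFLICT:<type> (another service's type owns the port). For the last two a
# second line shows the semanage command to review; it is printed, not run.
# Moving a port away from another service's type deserves a look at that
# service first, which is why it is reported as a conflict rather than fixed.
check_pegasus_port() {
    local port="$1" listing="$2" type
    if ! type=$(port_type_for "$port" "$listing"); then
        type=""
    fi
    case "$type" in
        pegasus_http_port_t|pegasus_https_port_t)
            echo "OK" ;;
        ""|unreserved_port_t)
            echo "NEEDS_LABEL"
            echo "semanage port -a -t pegasus_http_port_t -p tcp $port" ;;
        *)
            echo "CONFLICT:$type"
            echo "semanage port -m -t pegasus_http_port_t -p tcp $port" ;;
    esac
}
```

Usage: `check_pegasus_port 5990 "$(semanage port -l)"`. Substitute pegasus_https_port_t in the printed command when the non-default port is the TLS listener.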
MANAGED FILES
The SELinux process type pegasus_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

initrc_var_run_t

/var/run/utmp
/var/run/random-seed
/var/run/runlevel.dir
/var/run/setmixer_flag

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

krb5_keytab_t

/var/kerberos/krb5(/.*)?
/etc/krb5.keytab
/etc/krb5kdc/kadm5.keytab
/var/kerberos/krb5kdc/kadm5.keytab

pegasus_cache_t

pegasus_data_t

/var/lib/Pegasus(/.*)?
/etc/Pegasus/pegasus_current.conf
/etc/Pegasus/cimserver_current.conf

pegasus_tmp_t

pegasus_var_run_t

/var/run/tog-pegasus(/.*)?

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

sysfs_t

/sys(/.*)?

virt_etc_rw_t

/etc/xen/[^/]*
/etc/xen/.*/.*
/etc/libvirt/[^/]*
/etc/libvirt/.*/.*

virt_etc_t

/etc/xen/[^/]*
/etc/libvirt/[^/]*
/etc/xen
/etc/libvirt

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux pegasus policy is very flexible, allowing users to set up their pegasus processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for pegasus. If you want to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t pegasus_openlmi_storage_var_run_t '/srv/mypegasus_content(/.*)?'
restorecon -R -v /srv/mypegasus_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

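The note above is where relabeling usually goes wrong: the spec given to semanage fcontext is a regular expression anchored at both ends, so '/srv/mypegasus_content(/.*)?' covers the directory and its whole subtree but leaves '/srv/mypegasus_content2' alone, and the [^/]* versus .*/.* specs listed under virt_etc_t and virt_etc_rw_t differ exactly in whether they reach into subdirectories. The script below is an added example, not part of the sepolicy-generated page: it evaluates a spec against a path with grep -E the same anchored way, lists which types from a constructed subset of the MANAGED FILES table match a path, and prints the semanage/restorecon pair from above as a dry run. FCONTEXT_TABLE, fcontext_matches, matching_types and relabel_plan are the example's own names; precedence between overlapping specs is left to the labeling database, this helper only shows which specs match.

```shell
#!/bin/bash
# Added example, not part of the sepolicy-generated man page. It shows how the
# anchored regular expressions in file context specs decide which files a
# type covers, using a constructed subset of this page's MANAGED FILES table.

# Constructed "TYPE SPEC" table; the specs are copied from the page, the
# selection is the example's own and is not the full policy.
FCONTEXT_TABLE='pegasus_data_t /var/lib/Pegasus(/.*)?
pegasus_var_run_t /var/run/tog-pegasus(/.*)?
cluster_var_run_t /var/run/cman_.*
virt_etc_t /etc/xen/[^/]*
virt_etc_rw_t /etc/xen/.*/.*'

# fcontext_matches SPEC PATH: succeed if PATH matches SPEC as a whole
# (the spec is an extended regex anchored at both ends, like file_contexts).
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# matching_types PATH: print every type in FCONTEXT_TABLE whose spec matches
# PATH, one per line; prints nothing when no spec covers the path.
matching_types() {
    local path="$1" type spec
    while read -r type spec; do
        [ -n "$type" ] || continue
        if fcontext_matches "$spec" "$path"; then
            echo "$type"
        fi
    done <<EOF
$FCONTEXT_TABLE
EOF
}

# relabel_plan TYPE DIR: print (never run) the two commands from the page that
# register a new spec for DIR and its subtree and apply it on disk.
relabel_plan() {
    local type="$1" dir="$2"
    echo "semanage fcontext -a -t $type '$dir(/.*)?'"
    echo "restorecon -R -v $dir"
}
```

A quick way to read the table: (/.*)? means "this path or anything below it", .* crosses directory boundaries, [^/]* stops at the next slash, so /etc/xen/foo gets virt_etc_t while /etc/xen/foo/bar gets virt_etc_rw_t, and a sibling such as /var/run/tog-pegasus2 matches nothing.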
The following file types are defined for pegasus:

pegasus_cache_t

- Set files with the pegasus_cache_t type, if you want to store the files under the /var/cache directory.

pegasus_conf_t

- Set files with the pegasus_conf_t type, if you want to treat the files as pegasus configuration data, usually stored under the /etc directory.

pegasus_data_t

- Set files with the pegasus_data_t type, if you want to treat the files as pegasus content.

Paths:
/var/lib/Pegasus(/.*)?, /etc/Pegasus/pegasus_current.conf, /etc/Pegasus/cimserver_current.conf

pegasus_exec_t

- Set files with the pegasus_exec_t type, if you want to transition an executable to the pegasus_t domain.

Paths:
/usr/sbin/cimserver, /usr/sbin/init_repository

pegasus_mof_t

- Set files with the pegasus_mof_t type, if you want to treat the files as pegasus mof data.

pegasus_openlmi_account_exec_t

- Set files with the pegasus_openlmi_account_exec_t type, if you want to transition an executable to the pegasus_openlmi_account_t domain.

pegasus_openlmi_admin_exec_t

- Set files with the pegasus_openlmi_admin_exec_t type, if you want to transition an executable to the pegasus_openlmi_admin_t domain.

Paths:
/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt, /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt

pegasus_openlmi_logicalfile_exec_t

- Set files with the pegasus_openlmi_logicalfile_exec_t type, if you want to transition an executable to the pegasus_openlmi_logicalfile_t domain.

pegasus_openlmi_services_exec_t

- Set files with the pegasus_openlmi_services_exec_t type, if you want to transition an executable to the pegasus_openlmi_services_t domain.

pegasus_openlmi_storage_exec_t

- Set files with the pegasus_openlmi_storage_exec_t type, if you want to transition an executable to the pegasus_openlmi_storage_t domain.

Paths:
/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt, /usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt

pegasus_openlmi_storage_lib_t

- Set files with the pegasus_openlmi_storage_lib_t type, if you want to treat the files as pegasus openlmi storage lib data.

pegasus_openlmi_storage_tmp_t

- Set files with the pegasus_openlmi_storage_tmp_t type, if you want to store pegasus openlmi storage temporary files in the /tmp directories.

pegasus_openlmi_storage_var_run_t

- Set files with the pegasus_openlmi_storage_var_run_t type, if you want to store the pegasus openlmi storage files under the /run or /var/run directory.

pegasus_openlmi_system_exec_t

- Set files with the pegasus_openlmi_system_exec_t type, if you want to transition an executable to the pegasus_openlmi_system_t domain.

Paths:
/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt, /usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt, /usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt

pegasus_openlmi_unconfined_exec_t

- Set files with the pegasus_openlmi_unconfined_exec_t type, if you want to transition an executable to the pegasus_openlmi_unconfined_t domain.

pegasus_tmp_t

- Set files with the pegasus_tmp_t type, if you want to store pegasus temporary files in the /tmp directories.

pegasus_var_run_t

- Set files with the pegasus_var_run_t type, if you want to store the pegasus files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.


COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), pegasus_openlmi_account_selinux(8), pegasus_openlmi_admin_selinux(8), pegasus_openlmi_logicalfile_selinux(8), pegasus_openlmi_services_selinux(8), pegasus_openlmi_storage_selinux(8), pegasus_openlmi_system_selinux(8), pegasus_openlmi_unconfined_selinux(8)

pegasus                          22-05-27                    pegasus_selinux(8)