1shorewall_selinux(8)       SELinux Policy shorewall       shorewall_selinux(8)
2
3
4

NAME

6       shorewall_selinux  -  Security  Enhanced Linux Policy for the shorewall
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the shorewall  processes  via  flexible
11       mandatory access control.
12
13       The  shorewall processes execute with the shorewall_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep shorewall_t
20
21
22

ENTRYPOINTS

24       The  shorewall_t  SELinux type can be entered via the shorewall_exec_t,
25       shorewall_var_lib_t file types.
26
27       The default entrypoint paths for the shorewall_t domain are the follow‐
28       ing:
29
30       /sbin/shorewall6?,     /usr/sbin/shorewall6?,     /sbin/shorewall-lite,
31       /usr/sbin/shorewall-lite,   /var/lib/shorewall(/.*)?,   /var/lib/shore‐
32       wall6(/.*)?,       /var/lib/shorewall-lite(/.*)?,       /var/lib/shore‐
33       wall6-lite(/.*)?
34

PROCESS TYPES

36       SELinux defines process types (domains) for each process running on the
37       system
38
39       You can see the context of a process using the -Z option to ps
40
41       Policy  governs  the  access confined processes have to files.  SELinux
42       shorewall policy is very flexible allowing users to setup their  shore‐
43       wall processes in as secure a method as possible.
44
45       The following process types are defined for shorewall:
46
47       shorewall_t
48
49       Note:  semanage  permissive  -a  shorewall_t  can  be  used to make the
50       process type shorewall_t permissive. SELinux does not  deny  access  to
51       permissive  process  types,  but the AVC (SELinux denials) messages are
52       still generated.
53
54

BOOLEANS

56       SELinux policy is customizable based on least access required.   shore‐
57       wall  policy  is extremely flexible and has several booleans that allow
58       you to manipulate the policy and run shorewall with the tightest access
59       possible.
60
61
62
63       If you want to allow all domains to execute in fips_mode, you must turn
64       on the fips_mode boolean. Enabled by default.
65
66       setsebool -P fips_mode 1
67
68
69
70       If you want to allow system to run with  NIS,  you  must  turn  on  the
71       nis_enabled boolean. Disabled by default.
72
73       setsebool -P nis_enabled 1
74
75
76

MANAGED FILES

78       The  SELinux process type shorewall_t can manage files labeled with the
79       following file types.  The paths listed are the default paths for these
80       file types.  Note the processes UID still need to have DAC permissions.
81
82       cluster_conf_t
83
84            /etc/cluster(/.*)?
85
86       cluster_var_lib_t
87
88            /var/lib/pcsd(/.*)?
89            /var/lib/cluster(/.*)?
90            /var/lib/openais(/.*)?
91            /var/lib/pengine(/.*)?
92            /var/lib/corosync(/.*)?
93            /usr/lib/heartbeat(/.*)?
94            /var/lib/heartbeat(/.*)?
95            /var/lib/pacemaker(/.*)?
96
97       cluster_var_run_t
98
99            /var/run/crm(/.*)?
100            /var/run/cman_.*
101            /var/run/rsctmp(/.*)?
102            /var/run/aisexec.*
103            /var/run/heartbeat(/.*)?
104            /var/run/pcsd-ruby.socket
105            /var/run/corosync-qnetd(/.*)?
106            /var/run/corosync-qdevice(/.*)?
107            /var/run/corosync.pid
108            /var/run/cpglockd.pid
109            /var/run/rgmanager.pid
110            /var/run/cluster/rgmanager.sk
111
112       initrc_var_run_t
113
114            /var/run/utmp
115            /var/run/random-seed
116            /var/run/runlevel.dir
117            /var/run/setmixer_flag
118
119       krb5_host_rcache_t
120
121            /var/tmp/krb5_0.rcache2
122            /var/cache/krb5rcache(/.*)?
123            /var/tmp/nfs_0
124            /var/tmp/DNS_25
125            /var/tmp/host_0
126            /var/tmp/imap_0
127            /var/tmp/HTTP_23
128            /var/tmp/HTTP_48
129            /var/tmp/ldap_55
130            /var/tmp/ldap_487
131            /var/tmp/ldapmap1_0
132
133       root_t
134
135            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
136            /
137            /initrd
138
139       shorewall_lock_t
140
141            /var/lock/subsys/shorewall
142
143       shorewall_log_t
144
145            /var/log/shorewall.*
146
147       shorewall_tmp_t
148
149
150       shorewall_var_lib_t
151
152            /var/lib/shorewall(/.*)?
153            /var/lib/shorewall6(/.*)?
154            /var/lib/shorewall-lite(/.*)?
155            /var/lib/shorewall6-lite(/.*)?
156
157

FILE CONTEXTS

159       SELinux requires files to have an extended attribute to define the file
160       type.
161
162       You can see the context of a file using the -Z option to ls
163
164       Policy governs the access  confined  processes  have  to  these  files.
165       SELinux shorewall policy is very flexible allowing users to setup their
166       shorewall processes in as secure a method as possible.
167
168       EQUIVALENCE DIRECTORIES
169
170
171       shorewall policy stores data with multiple different file context types
172       under the /var/lib/shorewall directory.  If you would like to store the
173       data in a different directory you can use the semanage command to  cre‐
174       ate an equivalence mapping.  If you wanted to store this data under the
175       /srv directory you would execute the following command:
176
177       semanage fcontext -a -e /var/lib/shorewall /srv/shorewall
178       restorecon -R -v /srv/shorewall
179
180       STANDARD FILE CONTEXT
181
182       SELinux defines the file context types for the shorewall, if you wanted
183       to store files with these types in a diffent paths, you need to execute
184       the semanage command to specify alternate labeling  and  then  use  re‐
185       storecon to put the labels on disk.
186
187       semanage   fcontext   -a   -t   shorewall_log_t  '/srv/myshorewall_con‐
188       tent(/.*)?'
189       restorecon -R -v /srv/myshorewall_content
190
191       Note: SELinux often uses regular expressions  to  specify  labels  that
192       match multiple files.
193
194       The following file types are defined for shorewall:
195
196
197
198       shorewall_etc_t
199
200       -  Set files with the shorewall_etc_t type, if you want to store shore‐
201       wall files in the /etc directories.
202
203
204       Paths:
205            /etc/shorewall(/.*)?,    /etc/shorewall6(/.*)?,    /etc/shorewall-
206            lite(/.*)?
207
208
209       shorewall_exec_t
210
211       -  Set  files with the shorewall_exec_t type, if you want to transition
212       an executable to the shorewall_t domain.
213
214
215       Paths:
216            /sbin/shorewall6?,  /usr/sbin/shorewall6?,   /sbin/shorewall-lite,
217            /usr/sbin/shorewall-lite
218
219
220       shorewall_initrc_exec_t
221
222       - Set files with the shorewall_initrc_exec_t type, if you want to tran‐
223       sition an executable to the shorewall_initrc_t domain.
224
225
226
227       shorewall_lock_t
228
229       - Set files with the shorewall_lock_t type, if you want  to  treat  the
230       files as shorewall lock data, stored under the /var/lock directory
231
232
233
234       shorewall_log_t
235
236       -  Set  files  with  the shorewall_log_t type, if you want to treat the
237       data as shorewall log data, usually stored under  the  /var/log  direc‐
238       tory.
239
240
241
242       shorewall_tmp_t
243
244       -  Set files with the shorewall_tmp_t type, if you want to store shore‐
245       wall temporary files in the /tmp directories.
246
247
248
249       shorewall_var_lib_t
250
251       - Set files with the shorewall_var_lib_t type, if you want to store the
252       shorewall files under the /var/lib directory.
253
254
255       Paths:
256            /var/lib/shorewall(/.*)?,               /var/lib/shorewall6(/.*)?,
257            /var/lib/shorewall-lite(/.*)?, /var/lib/shorewall6-lite(/.*)?
258
259
260       Note: File context can be temporarily modified with the chcon  command.
261       If  you want to permanently change the file context you need to use the
262       semanage fcontext command.  This will modify the SELinux labeling data‐
263       base.  You will need to use restorecon to apply the labels.
264
265

COMMANDS

267       semanage  fcontext  can also be used to manipulate default file context
268       mappings.
269
270       semanage permissive can also be used to manipulate  whether  or  not  a
271       process type is permissive.
272
273       semanage  module can also be used to enable/disable/install/remove pol‐
274       icy modules.
275
276       semanage boolean can also be used to manipulate the booleans
277
278
279       system-config-selinux is a GUI tool available to customize SELinux pol‐
280       icy settings.
281
282

AUTHOR

284       This manual page was auto-generated using sepolicy manpage .
285
286

SEE ALSO

288       selinux(8),  shorewall(8), semanage(8), restorecon(8), chcon(1), sepol‐
289       icy(8), setsebool(8)
290
291
292
293shorewall                          22-05-27               shorewall_selinux(8)
Impressum