1cluster_selinux(8) SELinux Policy cluster cluster_selinux(8)
2
3
4
6 cluster_selinux - Security Enhanced Linux Policy for the cluster pro‐
7 cesses
8
10 Security-Enhanced Linux secures the cluster processes via flexible
11 mandatory access control.
12
13 The cluster processes execute with the cluster_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep cluster_t
20
21
22
24 The cluster_t SELinux type can be entered via the cluster_exec_t file
25 type.
26
27 The default entrypoint paths for the cluster_t domain are the follow‐
28 ing:
29
30 /usr/sbin/pcsd, /usr/sbin/aisexec, /usr/lib/pcsd/pcsd,
31 /usr/sbin/ccs_tool, /usr/sbin/corosync, /usr/sbin/cpglockd,
32 /usr/sbin/cman_tool, /usr/sbin/rgmanager, /usr/sbin/ldirectord,
33 /usr/sbin/pacemakerd, /usr/bin/corosync-qnetd, /usr/sbin/corosync-cfg‐
34 tool, /usr/sbin/corosync-notifyd, /usr/sbin/corosync-qdevice,
35 /usr/lib/pcs/pcs_snmp_agent, /usr/sbin/pacemaker-remoted,
36 /usr/sbin/pacemaker_remoted, /usr/lib/heartbeat/heartbeat,
37 /usr/share/corosync/corosync, /usr/share/corosync/corosync-qdevice
38
40 SELinux defines process types (domains) for each process running on the
41 system
42
43 You can see the context of a process using the -Z option to ps
44
45 Policy governs the access confined processes have to files. SELinux
46 cluster policy is very flexible allowing users to setup their cluster
47 processes in as secure a method as possible.
48
49 The following process types are defined for cluster:
50
51 cluster_t
52
53 Note: semanage permissive -a cluster_t can be used to make the process
54 type cluster_t permissive. SELinux does not deny access to permissive
55 process types, but the AVC (SELinux denials) messages are still gener‐
56 ated.
57
58
60 SELinux policy is customizable based on least access required. cluster
61 policy is extremely flexible and has several booleans that allow you to
62 manipulate the policy and run cluster with the tightest access possi‐
63 ble.
64
65
66
67 If you want to allow cluster administrative cluster domains memcheck-
68 amd64- to use executable memory, you must turn on the cluster_use_ex‐
69 ecmem boolean. Disabled by default.
70
71 setsebool -P cluster_use_execmem 1
72
73
74
75 If you want to deny user domains applications to map a memory region as
76 both executable and writable, this is dangerous and the executable
77 should be reported in bugzilla, you must turn on the deny_execmem bool‐
78 ean. Enabled by default.
79
80 setsebool -P deny_execmem 1
81
82
83
84 If you want to control the ability to mmap a low area of the address
85 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
86 the mmap_low_allowed boolean. Disabled by default.
87
88 setsebool -P mmap_low_allowed 1
89
90
91
92 If you want to disable kernel module loading, you must turn on the se‐
93 cure_mode_insmod boolean. Enabled by default.
94
95 setsebool -P secure_mode_insmod 1
96
97
98
99 If you want to allow unconfined executables to make their heap memory
100 executable. Doing this is a really bad idea. Probably indicates a
101 badly coded executable, but could indicate an attack. This executable
102 should be reported in bugzilla, you must turn on the selinuxuser_ex‐
103 echeap boolean. Disabled by default.
104
105 setsebool -P selinuxuser_execheap 1
106
107
108
109 If you want to allow unconfined executables to make their stack exe‐
110 cutable. This should never, ever be necessary. Probably indicates a
111 badly coded executable, but could indicate an attack. This executable
112 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
113 stack boolean. Enabled by default.
114
115 setsebool -P selinuxuser_execstack 1
116
117
118
120 If you want to allow users to resolve user passwd entries directly from
121 ldap rather then using a sssd server for the cluster_t, you must turn
122 on the authlogin_nsswitch_use_ldap boolean.
123
124 setsebool -P authlogin_nsswitch_use_ldap 1
125
126
127 If you want to allow confined applications to run with kerberos for the
128 cluster_t, you must turn on the kerberos_enabled boolean.
129
130 setsebool -P kerberos_enabled 1
131
132
134 SELinux defines port types to represent TCP and UDP ports.
135
136 You can see the types associated with a port by using the following
137 command:
138
139 semanage port -l
140
141
142 Policy governs the access confined processes have to these ports.
143 SELinux cluster policy is very flexible allowing users to setup their
144 cluster processes in as secure a method as possible.
145
146 The following port types are defined for cluster:
147
148
149 cluster_port_t
150
151
152
153 Default Defined Ports:
154 tcp 5149,40040,50006-50008
155 udp 5149,50006-50008
156
158 The SELinux process type cluster_t can manage files labeled with the
159 following file types. The paths listed are the default paths for these
160 file types. Note the processes UID still need to have DAC permissions.
161
162 file_type
163
164 all files on the system
165
166
168 SELinux requires files to have an extended attribute to define the file
169 type.
170
171 You can see the context of a file using the -Z option to ls
172
173 Policy governs the access confined processes have to these files.
174 SELinux cluster policy is very flexible allowing users to setup their
175 cluster processes in as secure a method as possible.
176
177 EQUIVALENCE DIRECTORIES
178
179
180 cluster policy stores data with multiple different file context types
181 under the /var/log/pacemaker directory. If you would like to store the
182 data in a different directory you can use the semanage command to cre‐
183 ate an equivalence mapping. If you wanted to store this data under the
184 /srv directory you would execute the following command:
185
186 semanage fcontext -a -e /var/log/pacemaker /srv/pacemaker
187 restorecon -R -v /srv/pacemaker
188
189 STANDARD FILE CONTEXT
190
191 SELinux defines the file context types for the cluster, if you wanted
192 to store files with these types in a diffent paths, you need to execute
193 the semanage command to specify alternate labeling and then use re‐
194 storecon to put the labels on disk.
195
196 semanage fcontext -a -t cluster_unit_file_t '/srv/mycluster_con‐
197 tent(/.*)?'
198 restorecon -R -v /srv/mycluster_content
199
200 Note: SELinux often uses regular expressions to specify labels that
201 match multiple files.
202
203 The following file types are defined for cluster:
204
205
206
207 cluster_conf_t
208
209 - Set files with the cluster_conf_t type, if you want to treat the
210 files as cluster configuration data, usually stored under the /etc di‐
211 rectory.
212
213
214
215 cluster_exec_t
216
217 - Set files with the cluster_exec_t type, if you want to transition an
218 executable to the cluster_t domain.
219
220
221 Paths:
222 /usr/sbin/pcsd, /usr/sbin/aisexec, /usr/lib/pcsd/pcsd,
223 /usr/sbin/ccs_tool, /usr/sbin/corosync, /usr/sbin/cpglockd,
224 /usr/sbin/cman_tool, /usr/sbin/rgmanager, /usr/sbin/ldirectord,
225 /usr/sbin/pacemakerd, /usr/bin/corosync-qnetd, /usr/sbin/corosync-
226 cfgtool, /usr/sbin/corosync-notifyd, /usr/sbin/corosync-qdevice,
227 /usr/lib/pcs/pcs_snmp_agent, /usr/sbin/pacemaker-remoted,
228 /usr/sbin/pacemaker_remoted, /usr/lib/heartbeat/heartbeat,
229 /usr/share/corosync/corosync, /usr/share/corosync/corosync-qdevice
230
231
232 cluster_initrc_exec_t
233
234 - Set files with the cluster_initrc_exec_t type, if you want to transi‐
235 tion an executable to the cluster_initrc_t domain.
236
237
238 Paths:
239 /etc/rc.d/init.d/openais, /etc/rc.d/init.d/corosync,
240 /etc/rc.d/init.d/cpglockd, /etc/rc.d/init.d/heartbeat,
241 /etc/rc.d/init.d/pacemaker, /etc/rc.d/init.d/rgmanager
242
243
244 cluster_tmp_t
245
246 - Set files with the cluster_tmp_t type, if you want to store cluster
247 temporary files in the /tmp directories.
248
249
250
251 cluster_tmpfs_t
252
253 - Set files with the cluster_tmpfs_t type, if you want to store cluster
254 files on a tmpfs file system.
255
256
257
258 cluster_unit_file_t
259
260 - Set files with the cluster_unit_file_t type, if you want to treat the
261 files as cluster unit content.
262
263
264 Paths:
265 /usr/lib/systemd/system/pcsd.*, /usr/lib/systemd/sys‐
266 tem/corosync.*, /usr/lib/systemd/system/pacemaker.*, /usr/lib/sys‐
267 temd/system/corosync-qnetd.*, /usr/lib/systemd/system/corosync-
268 qdevice.*
269
270
271 cluster_var_lib_t
272
273 - Set files with the cluster_var_lib_t type, if you want to store the
274 cluster files under the /var/lib directory.
275
276
277 Paths:
278 /var/lib/pcsd(/.*)?, /var/lib/cluster(/.*)?, /var/lib/ope‐
279 nais(/.*)?, /var/lib/pengine(/.*)?, /var/lib/corosync(/.*)?,
280 /usr/lib/heartbeat(/.*)?, /var/lib/heartbeat(/.*)?, /var/lib/pace‐
281 maker(/.*)?
282
283
284 cluster_var_log_t
285
286 - Set files with the cluster_var_log_t type, if you want to treat the
287 data as cluster var log data, usually stored under the /var/log direc‐
288 tory.
289
290
291 Paths:
292 /var/log/ctdb(/.*)?, /var/log/pcsd(/.*)?, /var/log/pace‐
293 maker(/.*)?, /var/log/pacemaker.log.*, /var/log/cluster/ai‐
294 sexec.log.*, /var/log/cluster/corosync.log.*, /var/log/cluster/cp‐
295 glockd.log.*, /var/log/cluster/rgmanager.log.*
296
297
298 cluster_var_run_t
299
300 - Set files with the cluster_var_run_t type, if you want to store the
301 cluster files under the /run or /var/run directory.
302
303
304 Paths:
305 /var/run/crm(/.*)?, /var/run/cman_.*, /var/run/rsctmp(/.*)?,
306 /var/run/aisexec.*, /var/run/heartbeat(/.*)?, /var/run/pcsd-
307 ruby.socket, /var/run/corosync-qnetd(/.*)?, /var/run/corosync-qde‐
308 vice(/.*)?, /var/run/corosync.pid, /var/run/cpglockd.pid,
309 /var/run/rgmanager.pid, /var/run/cluster/rgmanager.sk
310
311
312 Note: File context can be temporarily modified with the chcon command.
313 If you want to permanently change the file context you need to use the
314 semanage fcontext command. This will modify the SELinux labeling data‐
315 base. You will need to use restorecon to apply the labels.
316
317
319 semanage fcontext can also be used to manipulate default file context
320 mappings.
321
322 semanage permissive can also be used to manipulate whether or not a
323 process type is permissive.
324
325 semanage module can also be used to enable/disable/install/remove pol‐
326 icy modules.
327
328 semanage port can also be used to manipulate the port definitions
329
330 semanage boolean can also be used to manipulate the booleans
331
332
333 system-config-selinux is a GUI tool available to customize SELinux pol‐
334 icy settings.
335
336
338 This manual page was auto-generated using sepolicy manpage .
339
340
342 selinux(8), cluster(8), semanage(8), restorecon(8), chcon(1), sepol‐
343 icy(8), setsebool(8)
344
345
346
347cluster 23-02-03 cluster_selinux(8)