innd_selinux(8) SELinux Policy innd innd_selinux(8)

NAME
innd_selinux - Security Enhanced Linux Policy for the innd processes

DESCRIPTION
Security-Enhanced Linux secures the innd processes via flexible mandatory access control.

The innd processes execute with the innd_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep innd_t

ENTRYPOINTS
The innd_t SELinux type can be entered via the innd_exec_t file type.

The default entrypoint paths for the innd_t domain are the following:

/usr/sbin/innd.*, /usr/libexec/news/rc.news, /usr/bin/suck, /etc/news/boot,
/usr/bin/inews, /usr/bin/rnews, /usr/bin/rpost, /usr/sbin/in.nnrpd,
/usr/libexec/news/sm, /usr/libexec/news/innd, /usr/libexec/news/inews,
/usr/libexec/news/inndf, /usr/libexec/news/nnrpd, /usr/libexec/news/rnews,
/usr/libexec/news/expire, /usr/libexec/news/fastrm, /usr/libexec/news/shlock,
/usr/libexec/news/actsync, /usr/libexec/news/archive, /usr/libexec/news/batcher,
/usr/libexec/news/ctlinnd, /usr/libexec/news/getlist, /usr/libexec/news/innfeed,
/usr/libexec/news/innxmit, /usr/libexec/news/makedbz, /usr/libexec/news/nntpget,
/usr/libexec/news/buffchan, /usr/libexec/news/convdate, /usr/libexec/news/cvtbatch,
/usr/libexec/news/filechan, /usr/libexec/news/overchan, /usr/libexec/news/inndstart,
/usr/libexec/news/innxbatch, /usr/libexec/newsinnconfval, /usr/libexec/news/expireover,
/usr/libexec/news/shrinkfile, /usr/libexec/news/grephistory, /usr/libexec/news/makehistory,
/usr/libexec/news/newsrequeue, /usr/libexec/news/ovdb_recover, /usr/libexec/news/prunehistory,
/usr/libexec/news/startinnfeed

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux innd policy is very flexible, allowing users to set up their innd processes in as secure a method as possible.

The following process types are defined for innd:

innd_t

Note: semanage permissive -a innd_t can be used to make the process type innd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.
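The AVC records that a permissive innd_t still produces carry a permissive=1 field, which is how you tell "would have been denied" from a real denial when reviewing the audit log. The following is an added example, not part of this generated manual page: it parses constructed audit.log lines (not taken from any real system), keeps only denials whose source domain is innd_t, and groups them by target type and class so each labelling or port-type fix shows up once.

```python
import re

# Constructed sample records in the kernel AVC format found in
# /var/log/audit/audit.log; not taken from a real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1675382400.101:201): avc:  denied  { write } for  pid=1234 comm="innd" name="history" dev="dm-0" ino=5678 scontext=system_u:system_r:innd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675382400.102:202): avc:  denied  { name_bind } for  pid=1234 comm="innd" src=1190 scontext=system_u:system_r:innd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1675382400.103:203): avc:  denied  { read } for  pid=4321 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\w+:\w+:(?P<sdomain>\w+):\S+ "
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+ "
    r"tclass=(?P<tclass>\w+)(?: permissive=(?P<permissive>[01]))?"
)


def parse_avc_denials(log_text, domain="innd_t"):
    """One dict per AVC denial whose source domain is DOMAIN."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("sdomain") != domain:
            continue
        findings.append({
            "perms": m.group("perms").split(),
            "ttype": m.group("ttype"),
            "tclass": m.group("tclass"),
            # permissive=1: the domain is permissive, so the access went
            # ahead, but the denial was still logged (as the page notes).
            "permissive": m.group("permissive") == "1",
        })
    return findings


def summarize(findings):
    """Group denied permissions by (target type, class) so that each
    labelling or port-type fix appears once."""
    grouped = {}
    for f in findings:
        grouped.setdefault((f["ttype"], f["tclass"]), set()).update(f["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}
```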

BOOLEANS
SELinux policy is customizable based on least access required. innd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run innd with the tightest access possible.

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

semanage port -l

Policy governs the access confined processes have to these ports. SELinux innd policy is very flexible, allowing users to set up their innd processes in as secure a method as possible.

The following port types are defined for innd:

innd_port_t

Default Defined Ports:
tcp 119

MANAGED FILES
The SELinux process type innd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

innd_log_t

/var/log/news(/.*)?

innd_var_lib_t

/var/lib/news(/.*)?

innd_var_run_t

/var/run/innd(/.*)?
/var/run/news(/.*)?
/var/run/innd.pid
/var/run/news.pid

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

news_spool_t

/var/spool/news(/.*)?

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux innd policy is very flexible, allowing users to set up their innd processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

innd policy stores data with multiple different file context types under the /var/run/innd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/innd /srv/innd
restorecon -R -v /srv/innd

innd policy stores data with multiple different file context types under the /var/run/news directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:

semanage fcontext -a -e /var/run/news /srv/news
restorecon -R -v /srv/news

STANDARD FILE CONTEXT

SELinux defines the file context types for innd. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t innd_var_run_t '/srv/myinnd_content(/.*)?'
restorecon -R -v /srv/myinnd_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.
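The two mechanisms above (an equivalence mapping that relabels /srv/innd and /srv/news as if they lived under /var/run, and a plain fcontext rule for /srv/myinnd_content) combine with the default regexes listed on this page to decide what label a path should carry. The following is an added example, not part of this generated manual page or of the SELinux tooling: it models that resolution in Python and performs a dry-run check in the spirit of restorecon -n -v against a constructed set of on-disk labels. It assumes, as a simplification, that among several matching rules the one with the longest literal prefix wins; libselinux's real precedence ordering is more involved.

```python
import re

# Default file-context rules from this page (SELinux anchors each regex at
# both ends when matching a path); the last one is the local rule added in
# STANDARD FILE CONTEXT with `semanage fcontext -a -t`.
INND_FILE_CONTEXTS = [
    (r"/var/run/innd(/.*)?", "innd_var_run_t"),
    (r"/var/run/news(/.*)?", "innd_var_run_t"),
    (r"/var/run/innd\.pid", "innd_var_run_t"),
    (r"/var/run/news\.pid", "innd_var_run_t"),
    (r"/var/log/news(/.*)?", "innd_log_t"),
    (r"/var/lib/news(/.*)?", "innd_var_lib_t"),
    (r"/var/spool/news(/.*)?", "news_spool_t"),
    (r"/srv/myinnd_content(/.*)?", "innd_var_run_t"),
]
# Equivalences from EQUIVALENCE DIRECTORIES (`semanage fcontext -a -e TARGET
# SUBSTITUTE`): a path under SUBSTITUTE is labelled as if under TARGET.
INND_EQUIVALENCES = {"/srv/innd": "/var/run/innd", "/srv/news": "/var/run/news"}
_LITERAL_PREFIX = re.compile(r"[^\\.^$*+?()\[\]{}|]*")


def apply_equivalence(path, equivalences=INND_EQUIVALENCES):
    """Rewrite PATH through the longest equivalence whose substitute prefixes it."""
    for substitute in sorted(equivalences, key=len, reverse=True):
        if path == substitute or path.startswith(substitute + "/"):
            return equivalences[substitute] + path[len(substitute):]
    return path


def expected_type(path, rules=INND_FILE_CONTEXTS, equivalences=INND_EQUIVALENCES):
    """Type PATH should carry, or None. Simplification (assumption): among
    matching rules the longest literal prefix wins; libselinux's real
    precedence rules are more involved."""
    canonical = apply_equivalence(path, equivalences)
    best, best_len = None, -1
    for pattern, ftype in rules:
        if re.fullmatch(pattern, canonical):
            plen = len(_LITERAL_PREFIX.match(pattern).group(0))
            if plen > best_len:
                best, best_len = ftype, plen
    return best


def mislabelled(observed, rules=INND_FILE_CONTEXTS, equivalences=INND_EQUIVALENCES):
    """Dry run in the spirit of `restorecon -n -v`: OBSERVED maps path -> type
    currently on disk (e.g. parsed from `ls -Z`); returns (path, current,
    expected) for each file whose label disagrees with policy."""
    return [(p, cur, exp) for p, cur in sorted(observed.items())
            for exp in [expected_type(p, rules, equivalences)]
            if exp is not None and exp != cur]
```

A directory created under /srv before the equivalence rule was added keeps whatever label it got at creation time, which is exactly the case this check surfaces and restorecon -R -v /srv/innd repairs.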

The following file types are defined for innd:

innd_etc_t

- Set files with the innd_etc_t type, if you want to store innd files in the /etc directories.

innd_exec_t

- Set files with the innd_exec_t type, if you want to transition an executable to the innd_t domain.

Paths:
/usr/sbin/innd.*, /usr/libexec/news/rc.news, /usr/bin/suck, /etc/news/boot,
/usr/bin/inews, /usr/bin/rnews, /usr/bin/rpost, /usr/sbin/in.nnrpd,
/usr/libexec/news/sm, /usr/libexec/news/innd, /usr/libexec/news/inews,
/usr/libexec/news/inndf, /usr/libexec/news/nnrpd, /usr/libexec/news/rnews,
/usr/libexec/news/expire, /usr/libexec/news/fastrm, /usr/libexec/news/shlock,
/usr/libexec/news/actsync, /usr/libexec/news/archive, /usr/libexec/news/batcher,
/usr/libexec/news/ctlinnd, /usr/libexec/news/getlist, /usr/libexec/news/innfeed,
/usr/libexec/news/innxmit, /usr/libexec/news/makedbz, /usr/libexec/news/nntpget,
/usr/libexec/news/buffchan, /usr/libexec/news/convdate, /usr/libexec/news/cvtbatch,
/usr/libexec/news/filechan, /usr/libexec/news/overchan, /usr/libexec/news/inndstart,
/usr/libexec/news/innxbatch, /usr/libexec/newsinnconfval, /usr/libexec/news/expireover,
/usr/libexec/news/shrinkfile, /usr/libexec/news/grephistory, /usr/libexec/news/makehistory,
/usr/libexec/news/newsrequeue, /usr/libexec/news/ovdb_recover, /usr/libexec/news/prunehistory,
/usr/libexec/news/startinnfeed

innd_initrc_exec_t

- Set files with the innd_initrc_exec_t type, if you want to transition an executable to the innd_initrc_t domain.

innd_log_t

- Set files with the innd_log_t type, if you want to treat the data as innd log data, usually stored under the /var/log directory.

innd_unit_file_t

- Set files with the innd_unit_file_t type, if you want to treat the files as innd unit content.

innd_var_lib_t

- Set files with the innd_var_lib_t type, if you want to store the innd files under the /var/lib directory.

innd_var_run_t

- Set files with the innd_var_run_t type, if you want to store the innd files under the /run or /var/run directory.

Paths:
/var/run/innd(/.*)?, /var/run/news(/.*)?, /var/run/innd.pid, /var/run/news.pid

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), innd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

innd 23-02-03 innd_selinux(8)