memcached_selinux(8)       SELinux Policy memcached       memcached_selinux(8)

NAME

       memcached_selinux - Security Enhanced Linux Policy for the memcached
       processes

DESCRIPTION

       Security-Enhanced Linux secures the memcached processes via flexible
       mandatory access control.

       The memcached processes execute with the memcached_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep memcached_t
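
       The grep above lists only processes that are already confined as
       memcached_t. The following added example (not part of the original
       manual page) reports memcached processes running in any other domain;
       the function name and the sample ps output are constructed for
       illustration.

```shell
#!/bin/sh
# Added example: flag memcached processes that are NOT running in memcached_t.
# Input : `ps -eZ` output (LABEL PID TTY TIME CMD) on stdin.
# Output: one line per offending process: "<pid> <type> <cmd>".
memcached_domain_audit() {
    awk '
        NR == 1 && $1 == "LABEL" { next }      # skip the ps header line
        $NF == "memcached" {
            # A context is user:role:type:level; the level may contain ":" too,
            # so only the third field is taken as the type.
            n = split($1, ctx, ":")
            type = (n >= 3) ? ctx[3] : "unlabeled"
            if (type != "memcached_t") print $2, type, $NF
        }
    '
}

# Constructed sample of `ps -eZ` output (not captured from a real host).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:03 systemd
system_u:system_r:memcached_t:s0  912 ?        00:00:01 memcached
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4410 pts/0 00:00:00 memcached
system_u:system_r:sshd_t:s0-s0:c0.c1023 1021 ? 00:00:00 sshd'

# Run the audit over the sample; PID 4410 is reported as unconfined_t.
printf '%s\n' "$SAMPLE_PS" | memcached_domain_audit
```

       On a live system, pipe ps -eZ into memcached_domain_audit; empty
       output means every memcached process is in the memcached_t domain.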

ENTRYPOINTS

       The memcached_t SELinux type can be entered via the memcached_exec_t
       file type.

       The default entrypoint paths for the memcached_t domain are the
       following:

       /usr/bin/memcached

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       memcached policy is very flexible, allowing users to set up their
       memcached processes in as secure a method as possible.

       The following process types are defined for memcached:

       memcached_t

       Note: semanage permissive -a memcached_t can be used to make the
       process type memcached_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.
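
       AVC records show what memcached_t was denied, or would have been
       denied while the type is permissive. The following added example (not
       part of the original manual page) summarizes such records per
       permission, class and target type; the function name and the sample
       audit lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize AVC records whose source domain is memcached_t.
# Input : audit log lines on stdin.
# Output: "<count> <enforced|permissive> <perms> <tclass> <target type>".
memcached_avc_summary() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:memcached_t:/ {
            perms = ""; tclass = "?"; ttype = "?"; mode = "enforced"
            # Requested permissions sit between the first pair of braces.
            b = index($0, "{"); e = index($0, "}")
            if (b && e > b) {
                perms = substr($0, b + 1, e - b - 1)
                gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/) tclass = substr($i, 8)
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
                # permissive=1 means the access was logged but not blocked.
                if ($i == "permissive=1") mode = "permissive"
            }
            seen[mode " " perms " " tclass " " ttype]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort
}

# Constructed sample audit records (not taken from a real system).
SAMPLE_AVC='type=AVC msg=audit(1675400001.101:310): avc:  denied  { name_bind } for  pid=912 comm="memcached" src=11311 scontext=system_u:system_r:memcached_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1675400005.202:311): avc:  denied  { name_bind } for  pid=930 comm="memcached" src=11311 scontext=system_u:system_r:memcached_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1675400090.007:340): avc:  denied  { read open } for  pid=912 comm="memcached" path="/srv/cache/state" dev="dm-0" ino=7 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675400100.001:350): avc:  denied  { read } for  pid=77 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# Run the summary over the sample; the httpd_t record is ignored.
printf '%s\n' "$SAMPLE_AVC" | memcached_avc_summary
```

       Lines marked permissive are accesses that would be blocked once
       memcached_t is enforcing again, so they are the ones to resolve with
       labeling or port definitions before removing the permissive setting.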

BOOLEANS

       SELinux policy is customizable based on least access required.
       memcached policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run memcached with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux memcached policy is very flexible, allowing users to set up
       their memcached processes in as secure a method as possible.

       The following port types are defined for memcached:

       memcache_port_t

       Default Defined Ports:
                 tcp 11211
                 udp 11211

MANAGED FILES

       The SELinux process type memcached_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       memcached_var_run_t

            /var/run/memcached(/.*)?
            /var/run/ipa_memcached(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux memcached policy is very flexible, allowing users to set up
       their memcached processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for memcached. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t memcached_var_run_t '/srv/mymemcached_content(/.*)?'
       restorecon -R -v /srv/mymemcached_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for memcached:

       memcached_exec_t

       - Set files with the memcached_exec_t type, if you want to transition
       an executable to the memcached_t domain.

       memcached_initrc_exec_t

       - Set files with the memcached_initrc_exec_t type, if you want to
       transition an executable to the memcached_initrc_t domain.

       memcached_var_run_t

       - Set files with the memcached_var_run_t type, if you want to store the
       memcached files under the /run or /var/run directory.

       Paths:
            /var/run/memcached(/.*)?, /var/run/ipa_memcached(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), memcached(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

memcached                          23-02-03               memcached_selinux(8)