1openshift_selinux(8) SELinux Policy openshift openshift_selinux(8)
2
3
4
6 openshift_selinux - Security Enhanced Linux Policy for the openshift
7 processes
8
10 Security-Enhanced Linux secures the openshift processes via flexible
11 mandatory access control.
12
13 The openshift processes execute with the openshift_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep openshift_t
20
21
22
24 The openshift_t SELinux type can be entered via the crontab_exec_t,
25 user_cron_spool_t file types.
26
27 The default entrypoint paths for the openshift_t domain are the follow‐
28 ing:
29
30 /usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup,
31 /usr/libexec/fcronsighup, /var/spool/at(/.*)?, /var/spool/cron,
32 /var/spool/cron/[^/]+
33
35 SELinux defines process types (domains) for each process running on the
36 system
37
38 You can see the context of a process using the -Z option to ps
39
40 Policy governs the access confined processes have to files. SELinux
41 openshift policy is very flexible allowing users to setup their open‐
42 shift processes in as secure a method as possible.
43
44 The following process types are defined for openshift:
45
46 openshift_initrc_t, openshift_cgroup_read_t, openshift_net_read_t, openshift_cron_t, openshift_t, openshift_app_t, openshift_script_t
47
48 Note: semanage permissive -a openshift_t can be used to make the
49 process type openshift_t permissive. SELinux does not deny access to
50 permissive process types, but the AVC (SELinux denials) messages are
51 still generated.
52
53
55 The SELinux process type openshift_t is an MCS (Multi Category Secu‐
56 rity) constrained type. Sometimes this separation is referred to as
57 sVirt. These types are usually used for securing multi-tenant environ‐
58 ments, such as virtualization, containers or separation of users. The
59 tools used to launch MCS types, pick out a different MCS label for each
60 process group.
61
62 For example one process might be launched with openshift_t:s0:c1,c2,
63 and another process launched with openshift_t:s0:c3,c4. The SELinux
64 kernel only allows these processes can only write to content with a
65 matching MCS label, or a MCS Label of s0. A process running with the
66 MCS level of s0:c1,c2 is not allowed to write to content with the MCS
67 label of s0:c3,c4
68
69
71 SELinux policy is customizable based on least access required. open‐
72 shift policy is extremely flexible and has several booleans that allow
73 you to manipulate the policy and run openshift with the tightest access
74 possible.
75
76
77
78 If you want to determine whether crond can execute jobs in the user do‐
79 main as opposed to the the generic cronjob domain, you must turn on the
80 cron_userdomain_transition boolean. Enabled by default.
81
82 setsebool -P cron_userdomain_transition 1
83
84
85
86 If you want to deny any process from ptracing or debugging any other
87 processes, you must turn on the deny_ptrace boolean. Enabled by de‐
88 fault.
89
90 setsebool -P deny_ptrace 1
91
92
93
95 SELinux defines port types to represent TCP and UDP ports.
96
97 You can see the types associated with a port by using the following
98 command:
99
100 semanage port -l
101
102
103 Policy governs the access confined processes have to these ports.
104 SELinux openshift policy is very flexible allowing users to setup their
105 openshift processes in as secure a method as possible.
106
107 The following port types are defined for openshift:
108
109
110 openshift_port_t
111
112
113
114 MANAGED FILES
115
116 The SELinux process type openshift_t can manage files labeled
117 with the following file types. The paths listed are the default
118 paths for these file types. Note the processes UID still need
119 to have DAC permissions.
120
121 faillog_t
122
123 /var/log/btmp.*
124 /var/log/faillog.*
125 /var/log/tallylog.*
126 /var/run/faillock(/.*)?
127
128 hugetlbfs_t
129
130 /dev/hugepages
131 /usr/lib/udev/devices/hugepages
132
133 krb5_host_rcache_t
134
135 /var/tmp/krb5_0.rcache2
136 /var/cache/krb5rcache(/.*)?
137 /var/tmp/nfs_0
138 /var/tmp/DNS_25
139 /var/tmp/host_0
140 /var/tmp/imap_0
141 /var/tmp/HTTP_23
142 /var/tmp/HTTP_48
143 /var/tmp/ldap_55
144 /var/tmp/ldap_487
145 /var/tmp/ldapmap1_0
146
147 openshift_tmpfs_t
148
149
150 postfix_spool_t
151
152 /var/spool/postfix.*
153 /var/spool/postfix/defer(/.*)?
154 /var/spool/postfix/flush(/.*)?
155 /var/spool/postfix/deferred(/.*)?
156 /var/spool/postfix/maildrop(/.*)?
157
158 security_t
159
160 /selinux
161
162
164 SELinux requires files to have an extended attribute to define the file
165 type.
166
167 You can see the context of a file using the -Z option to ls
168
169 Policy governs the access confined processes have to these files.
170 SELinux openshift policy is very flexible allowing users to setup their
171 openshift processes in as secure a method as possible.
172
173 EQUIVALENCE DIRECTORIES
174
175
176 openshift policy stores data with multiple different file context types
177 under the /var/lib/openshift directory. If you would like to store the
178 data in a different directory you can use the semanage command to cre‐
179 ate an equivalence mapping. If you wanted to store this data under the
180 /srv directory you would execute the following command:
181
182 semanage fcontext -a -e /var/lib/openshift /srv/openshift
183 restorecon -R -v /srv/openshift
184
185 openshift policy stores data with multiple different file context types
186 under the /var/lib/stickshift directory. If you would like to store
187 the data in a different directory you can use the semanage command to
188 create an equivalence mapping. If you wanted to store this data under
189 the /srv directory you would execute the following command:
190
191 semanage fcontext -a -e /var/lib/stickshift /srv/stickshift
192 restorecon -R -v /srv/stickshift
193
194 STANDARD FILE CONTEXT
195
196 SELinux defines the file context types for the openshift, if you wanted
197 to store files with these types in a diffent paths, you need to execute
198 the semanage command to specify alternate labeling and then use re‐
199 storecon to put the labels on disk.
200
201 semanage fcontext -a -t openshift_ra_content_t '/srv/myopenshift_con‐
202 tent(/.*)?'
203 restorecon -R -v /srv/myopenshift_content
204
205 Note: SELinux often uses regular expressions to specify labels that
206 match multiple files.
207
208 The following file types are defined for openshift:
209
210
211
212 openshift_app_tmp_t
213
214 - Set files with the openshift_app_tmp_t type, if you want to store
215 openshift app temporary files in the /tmp directories.
216
217
218
219 openshift_cgroup_read_exec_t
220
221 - Set files with the openshift_cgroup_read_exec_t type, if you want to
222 transition an executable to the openshift_cgroup_read_t domain.
223
224
225
226 openshift_cgroup_read_tmp_t
227
228 - Set files with the openshift_cgroup_read_tmp_t type, if you want to
229 store openshift cgroup read temporary files in the /tmp directories.
230
231
232
233 openshift_content_t
234
235 - Set files with the openshift_content_t type, if you want to treat the
236 files as openshift content.
237
238
239
240 openshift_cron_exec_t
241
242 - Set files with the openshift_cron_exec_t type, if you want to transi‐
243 tion an executable to the openshift_cron_t domain.
244
245
246
247 openshift_cron_tmp_t
248
249 - Set files with the openshift_cron_tmp_t type, if you want to store
250 openshift cron temporary files in the /tmp directories.
251
252
253
254 openshift_htaccess_t
255
256 - Set files with the openshift_htaccess_t type, if you want to treat
257 the file as a openshift access file.
258
259
260
261 openshift_initrc_exec_t
262
263 - Set files with the openshift_initrc_exec_t type, if you want to tran‐
264 sition an executable to the openshift_initrc_t domain.
265
266
267 Paths:
268 /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer,
269 /usr/s?bin/oo-admin-ctl-gears, /usr/s?bin/(oo|rhc)-restorer-wrap‐
270 per.sh, /etc/rc.d/init.d/libra, /etc/rc.d/init.d/mcollective
271
272
273 openshift_initrc_tmp_t
274
275 - Set files with the openshift_initrc_tmp_t type, if you want to store
276 openshift initrc temporary files in the /tmp directories.
277
278
279
280 openshift_log_t
281
282 - Set files with the openshift_log_t type, if you want to treat the
283 data as openshift log data, usually stored under the /var/log direc‐
284 tory.
285
286
287 Paths:
288 /var/log/openshift(/.*)?, /var/log/mcollective.log.*
289
290
291 openshift_net_read_exec_t
292
293 - Set files with the openshift_net_read_exec_t type, if you want to
294 transition an executable to the openshift_net_read_t domain.
295
296
297
298 openshift_ra_content_t
299
300 - Set files with the openshift_ra_content_t type, if you want to treat
301 the files as openshift read/append content.
302
303
304
305 openshift_rw_content_t
306
307 - Set files with the openshift_rw_content_t type, if you want to treat
308 the files as openshift read/write content.
309
310
311
312 openshift_rw_file_t
313
314 - Set files with the openshift_rw_file_t type, if you want to treat the
315 files as openshift rw content.
316
317
318 Paths:
319 /var/lib/openshift/.*/data(/.*)?, /var/lib/stick‐
320 shift/.*/data(/.*)?
321
322
323 openshift_script_exec_t
324
325 - Set files with the openshift_script_exec_t type, if you want to tran‐
326 sition an executable to the openshift_script_t domain.
327
328
329
330 openshift_tmp_t
331
332 - Set files with the openshift_tmp_t type, if you want to store open‐
333 shift temporary files in the /tmp directories.
334
335
336 Paths:
337 /var/lib/openshift/.*/.tmp(/.*)?, /var/lib/openshift/.*/.sand‐
338 box(/.*)?, /var/lib/stickshift/.*/.tmp(/.*)?, /var/lib/stick‐
339 shift/.*/.sandbox(/.*)?
340
341
342 openshift_tmpfs_t
343
344 - Set files with the openshift_tmpfs_t type, if you want to store open‐
345 shift files on a tmpfs file system.
346
347
348
349 openshift_var_lib_t
350
351 - Set files with the openshift_var_lib_t type, if you want to store the
352 openshift files under the /var/lib directory.
353
354
355 Paths:
356 /var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)?, /var/lib/con‐
357 tainers/home(/.*)?
358
359
360 openshift_var_run_t
361
362 - Set files with the openshift_var_run_t type, if you want to store the
363 openshift files under the /run or /var/run directory.
364
365
366 Paths:
367 /var/run/openshift(/.*)?, /var/run/stickshift(/.*)?
368
369
370 Note: File context can be temporarily modified with the chcon command.
371 If you want to permanently change the file context you need to use the
372 semanage fcontext command. This will modify the SELinux labeling data‐
373 base. You will need to use restorecon to apply the labels.
374
375
377 semanage fcontext can also be used to manipulate default file context
378 mappings.
379
380 semanage permissive can also be used to manipulate whether or not a
381 process type is permissive.
382
383 semanage module can also be used to enable/disable/install/remove pol‐
384 icy modules.
385
386 semanage port can also be used to manipulate the port definitions
387
388 semanage boolean can also be used to manipulate the booleans
389
390
391 system-config-selinux is a GUI tool available to customize SELinux pol‐
392 icy settings.
393
394
396 This manual page was auto-generated using sepolicy manpage .
397
398
400 selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1), sepol‐
401 icy(8), setsebool(8), openshift_app_selinux(8), open‐
402 shift_app_selinux(8), openshift_cgroup_read_selinux(8), open‐
403 shift_cgroup_read_selinux(8), openshift_cron_selinux(8), open‐
404 shift_cron_selinux(8), openshift_initrc_selinux(8), openshift_ini‐
405 trc_selinux(8), openshift_net_read_selinux(8), open‐
406 shift_net_read_selinux(8), openshift_script_selinux(8), open‐
407 shift_script_selinux(8)
408
409
410
411openshift 23-02-03 openshift_selinux(8)