openshift_selinux(8)       SELinux Policy openshift       openshift_selinux(8)


NAME

       openshift_selinux - Security Enhanced Linux Policy for the openshift
       processes


DESCRIPTION

       Security-Enhanced Linux secures the openshift processes via flexible
       mandatory access control.

       The openshift processes execute with the openshift_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep openshift_t


ENTRYPOINTS

       The openshift_t SELinux type can be entered via the crontab_exec_t and
       user_cron_spool_t file types.

       The default entrypoint paths for the openshift_t domain are the
       following:

       /usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup,
       /usr/libexec/fcronsighup, /var/spool/at(/.*)?, /var/spool/cron,
       /var/spool/cron/[^/]+


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openshift policy is very flexible, allowing users to set up their
       openshift processes in as secure a manner as possible.

       The following process types are defined for openshift:

       openshift_initrc_t, openshift_cgroup_read_t, openshift_net_read_t,
       openshift_cron_t, openshift_t, openshift_app_t, openshift_script_t

       Note: semanage permissive -a openshift_t can be used to make the
       process type openshift_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.

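       Because a permissive openshift_t still logs every would-be denial, the
       audit log is where the missing rules show up. The following is an added
       example, not part of the generated manual page or of the openshift
       policy: it parses AVC records for a given source domain, keeps the ones
       marked permissive=1 (actions that went ahead but would be blocked in
       enforcing mode), and tallies them by target type, class and permission.
       The audit lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample records (not from a real system): what auditd logs when
# openshift_t is permissive and a rule is missing. permissive=1 means the
# action went ahead; in enforcing mode it would have been blocked.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1675400001.123:501): avc:  denied  { write } for  pid=2201 comm="httpd" name="data" dev="dm-0" ino=918 scontext=system_u:system_r:openshift_t:s0:c1,c2 tcontext=system_u:object_r:openshift_rw_file_t:s0:c3,c4 tclass=dir permissive=1
type=AVC msg=audit(1675400002.456:502): avc:  denied  { read } for  pid=2202 comm="crond" name="shadow" dev="dm-0" ino=1200 scontext=system_u:system_r:openshift_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675400003.789:503): avc:  denied  { name_connect } for  pid=2203 comm="ruby" scontext=system_u:system_r:openshift_net_read_t:s0 tcontext=system_u:object_r:openshift_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1675400003.789:503): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src = m.group("scontext").split(":")   # user:role:type[:level]
    tgt = m.group("tcontext").split(":")
    return {
        "perms": m.group("perms").split(),
        "stype": src[2], "slevel": ":".join(src[3:]),
        "ttype": tgt[2], "tlevel": ":".join(tgt[3:]),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }

def denials_for_domain(text, domain="openshift_t", only_permissive=True):
    """Collect AVC records whose source type is the given domain; by default
    only those let through because the domain is permissive."""
    recs = [parse_avc(line) for line in text.splitlines()]
    return [r for r in recs if r and r["stype"] == domain
            and (r["permissive"] or not only_permissive)]

def summarize(records):
    """Count (target type, class, permission) triples: the shape of the allow
    rules a tool such as audit2allow would propose, for review before any of
    them is added to policy."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["ttype"], r["tclass"], perm)] += 1
    return counts
```

       A (shadow_t, file, read) entry in the summary is the kind of finding
       that should be fixed in the application rather than allowed in policy.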

MCS Constrained

       The SELinux process type openshift_t is an MCS (Multi Category
       Security) constrained type. Sometimes this separation is referred to
       as sVirt. These types are usually used for securing multi-tenant
       environments, such as virtualization, containers or separation of
       users. The tools used to launch MCS types pick out a different MCS
       label for each process group.

       For example, one process might be launched with openshift_t:s0:c1,c2,
       and another process launched with openshift_t:s0:c3,c4. The SELinux
       kernel only allows these processes to write to content with a
       matching MCS label, or an MCS label of s0. A process running with the
       MCS level of s0:c1,c2 is not allowed to write to content with the MCS
       label of s0:c3,c4.

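       The write rule above, worked through in code as an added example (not
       from the manual page or the policy sources): it parses the contexts
       shown and applies the MCS check. It generalizes the two cases the text
       gives (exact match, or plain s0) to the rule the MCS constraint
       actually expresses, namely that the content's categories must be a
       subset of the process's categories; category ranges such as c0.c3 are
       expanded. Type enforcement rules still apply on top of this check.

```python
import re

def parse_categories(level):
    """Expand an MCS level such as 's0', 's0:c1,c2' or 's0:c0.c3' into the
    set of category numbers it holds; a bare 's0' holds none."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("not an MCS level: %r" % level)
    out = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")          # 'c0.c3' is a range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return frozenset(out)

def split_context(ctx):
    """Accept 'type:level' as written above or a full 'user:role:type:level'
    context; return (type, level)."""
    fields = ctx.split(":")
    for i, field in enumerate(fields):
        if i > 0 and re.fullmatch(r"s\d+", field):
            return fields[i - 1], ":".join(fields[i:])
    raise ValueError("no MCS level in %r" % ctx)

def mcs_allows_write(process_ctx, content_ctx):
    """MCS write rule: a process may write content only if the content's
    categories are a subset of its own. Plain s0 content has no categories,
    so every process passes; content holding a category the process lacks
    fails, which is what keeps s0:c1,c2 out of s0:c3,c4 data."""
    _, plevel = split_context(process_ctx)
    _, clevel = split_context(content_ctx)
    return parse_categories(clevel) <= parse_categories(plevel)

def writable_pairs(process_ctxs, content_ctxs):
    """Return the (process, content) pairs the MCS rule lets write, so a
    launcher's label assignment can be checked for unintended overlap."""
    return [(p, c) for p in process_ctxs for c in content_ctxs
            if mcs_allows_write(p, c)]
```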

BOOLEANS

       SELinux policy is customizable based on least access required.
       openshift policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openshift with the tightest
       access possible.

       If you want to determine whether crond can execute jobs in the user
       domain as opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a manner as possible.

       The following port types are defined for openshift:

       openshift_port_t

       MANAGED FILES

              The SELinux process type openshift_t can manage files labeled
              with the following file types. The paths listed are the default
              paths for these file types. Note that the process's UID still
              needs to have DAC permissions.

              faillog_t

                   /var/log/btmp.*
                   /var/log/faillog.*
                   /var/log/tallylog.*
                   /var/run/faillock(/.*)?

              hugetlbfs_t

                   /dev/hugepages
                   /usr/lib/udev/devices/hugepages

              krb5_host_rcache_t

                   /var/tmp/krb5_0.rcache2
                   /var/cache/krb5rcache(/.*)?
                   /var/tmp/nfs_0
                   /var/tmp/DNS_25
                   /var/tmp/host_0
                   /var/tmp/imap_0
                   /var/tmp/HTTP_23
                   /var/tmp/HTTP_48
                   /var/tmp/ldap_55
                   /var/tmp/ldap_487
                   /var/tmp/ldapmap1_0

              openshift_tmpfs_t

              postfix_spool_t

                   /var/spool/postfix.*
                   /var/spool/postfix/defer(/.*)?
                   /var/spool/postfix/flush(/.*)?
                   /var/spool/postfix/deferred(/.*)?
                   /var/spool/postfix/maildrop(/.*)?

              security_t

                   /selinux


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       openshift policy stores data with multiple different file context types
       under the /var/lib/openshift directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/openshift /srv/openshift
       restorecon -R -v /srv/openshift

       openshift policy stores data with multiple different file context types
       under the /var/lib/stickshift directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/stickshift /srv/stickshift
       restorecon -R -v /srv/stickshift

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openshift. If you wanted
       to store files with these types in different paths, you need to
       execute the semanage command to specify alternate labeling and then
       use restorecon to put the labels on disk.

       semanage fcontext -a -t openshift_ra_content_t '/srv/myopenshift_content(/.*)?'
       restorecon -R -v /srv/myopenshift_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

207
       The following file types are defined for openshift:

       openshift_app_tmp_t

       - Set files with the openshift_app_tmp_t type, if you want to store
       openshift app temporary files in the /tmp directories.

       openshift_cgroup_read_exec_t

       - Set files with the openshift_cgroup_read_exec_t type, if you want to
       transition an executable to the openshift_cgroup_read_t domain.

       openshift_cgroup_read_tmp_t

       - Set files with the openshift_cgroup_read_tmp_t type, if you want to
       store openshift cgroup read temporary files in the /tmp directories.

       openshift_content_t

       - Set files with the openshift_content_t type, if you want to treat the
       files as openshift content.

       openshift_cron_exec_t

       - Set files with the openshift_cron_exec_t type, if you want to
       transition an executable to the openshift_cron_t domain.

       openshift_cron_tmp_t

       - Set files with the openshift_cron_tmp_t type, if you want to store
       openshift cron temporary files in the /tmp directories.

       openshift_htaccess_t

       - Set files with the openshift_htaccess_t type, if you want to treat
       the file as an openshift access file.

       openshift_initrc_exec_t

       - Set files with the openshift_initrc_exec_t type, if you want to
       transition an executable to the openshift_initrc_t domain.

       Paths:
            /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer,
            /usr/s?bin/oo-admin-ctl-gears, /usr/s?bin/(oo|rhc)-restorer-wrapper.sh,
            /etc/rc.d/init.d/libra, /etc/rc.d/init.d/mcollective

       openshift_initrc_tmp_t

       - Set files with the openshift_initrc_tmp_t type, if you want to store
       openshift initrc temporary files in the /tmp directories.

       openshift_log_t

       - Set files with the openshift_log_t type, if you want to treat the
       data as openshift log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/openshift(/.*)?, /var/log/mcollective.log.*

       openshift_net_read_exec_t

       - Set files with the openshift_net_read_exec_t type, if you want to
       transition an executable to the openshift_net_read_t domain.

       openshift_ra_content_t

       - Set files with the openshift_ra_content_t type, if you want to treat
       the files as openshift read/append content.

       openshift_rw_content_t

       - Set files with the openshift_rw_content_t type, if you want to treat
       the files as openshift read/write content.

       openshift_rw_file_t

       - Set files with the openshift_rw_file_t type, if you want to treat the
       files as openshift read/write content.

       Paths:
            /var/lib/openshift/.*/data(/.*)?, /var/lib/stickshift/.*/data(/.*)?

       openshift_script_exec_t

       - Set files with the openshift_script_exec_t type, if you want to
       transition an executable to the openshift_script_t domain.

       openshift_tmp_t

       - Set files with the openshift_tmp_t type, if you want to store
       openshift temporary files in the /tmp directories.

       Paths:
            /var/lib/openshift/.*/.tmp(/.*)?, /var/lib/openshift/.*/.sandbox(/.*)?,
            /var/lib/stickshift/.*/.tmp(/.*)?, /var/lib/stickshift/.*/.sandbox(/.*)?

       openshift_tmpfs_t

       - Set files with the openshift_tmpfs_t type, if you want to store
       openshift files on a tmpfs file system.

       openshift_var_lib_t

       - Set files with the openshift_var_lib_t type, if you want to store the
       openshift files under the /var/lib directory.

       Paths:
            /var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)?,
            /var/lib/containers/home(/.*)?

       openshift_var_run_t

       - Set files with the openshift_var_run_t type, if you want to store the
       openshift files under the /run or /var/run directory.

       Paths:
            /var/run/openshift(/.*)?, /var/run/stickshift(/.*)?

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

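       The lookup that restorecon performs against specifications like the
       ones above, as an added example (not from the manual page or from
       libselinux): it holds a few of the path regexes listed for openshift,
       anchors them to the whole path the way file_contexts entries are
       matched, returns the default type for a path, and reports files whose
       current label differs from that default. The tie-break between
       overlapping entries (the longest regex wins, so the .../data entry
       beats the broader /var/lib/openshift entry) is this example's own
       assumption, not something the page states.

```python
import re

# Specifications taken from the Paths listed above, as (regex, type).
# The openshift_var_lib_t entries overlap the more specific data/.tmp/.sandbox
# entries, so the lookup has to decide which one applies.
FILE_CONTEXTS = [
    (r"/var/lib/openshift(/.*)?", "openshift_var_lib_t"),
    (r"/var/lib/stickshift(/.*)?", "openshift_var_lib_t"),
    (r"/var/lib/containers/home(/.*)?", "openshift_var_lib_t"),
    (r"/var/lib/openshift/.*/data(/.*)?", "openshift_rw_file_t"),
    (r"/var/lib/stickshift/.*/data(/.*)?", "openshift_rw_file_t"),
    (r"/var/lib/openshift/.*/.tmp(/.*)?", "openshift_tmp_t"),
    (r"/var/lib/openshift/.*/.sandbox(/.*)?", "openshift_tmp_t"),
    (r"/var/log/openshift(/.*)?", "openshift_log_t"),
    (r"/var/log/mcollective.log.*", "openshift_log_t"),
    (r"/var/run/openshift(/.*)?", "openshift_var_run_t"),
    (r"/usr/s?bin/(oo|rhc)-restorer", "openshift_initrc_exec_t"),
]

def compile_specs(specs):
    """Anchor each regex to the whole path, as file_contexts entries are."""
    return [(re.compile("^" + rx + "$"), rx, ftype) for rx, ftype in specs]

COMPILED = compile_specs(FILE_CONTEXTS)

def lookup_type(path, compiled=COMPILED):
    """Return the default file type for path, or None when nothing matches.
    Tie-break assumption: among matching entries the longest regex wins."""
    best = None
    for rx, text, ftype in compiled:
        if rx.match(path) and (best is None or len(text) > len(best[0])):
            best = (text, ftype)
    return best[1] if best else None

def mislabeled(entries, compiled=COMPILED):
    """Given (path, current_type) pairs as 'ls -Z' would show them, return
    the paths whose on-disk label differs from the policy default, which is
    what 'restorecon -n -v' would report before relabeling."""
    return [p for p, cur in entries if lookup_type(p, compiled) not in (None, cur)]
```

       Paths with no matching entry are skipped rather than reported, since
       restorecon leaves files unchanged when no specification applies.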

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), openshift_app_selinux(8),
       openshift_cgroup_read_selinux(8), openshift_cron_selinux(8),
       openshift_initrc_selinux(8), openshift_net_read_selinux(8),
       openshift_script_selinux(8)

openshift                          23-02-03               openshift_selinux(8)