openvswitch_selinux(8)    SELinux Policy openvswitch    openvswitch_selinux(8)

NAME

       openvswitch_selinux - Security Enhanced Linux Policy for the openvswitch
       processes

DESCRIPTION

       Security-Enhanced Linux secures the openvswitch processes via flexible
       mandatory access control.

       The openvswitch processes execute with the openvswitch_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep openvswitch_t


ENTRYPOINTS

       The openvswitch_t SELinux type can be entered via the
       openvswitch_exec_t file type.

       The default entrypoint paths for the openvswitch_t domain are the
       following:

       /usr/bin/ovs-vsctl, /usr/bin/ovs-appctl, /usr/sbin/ovsdb-ctl,
       /usr/sbin/ovs-vswitchd, /usr/sbin/ovsdb-server,
       /usr/share/openvswitch/scripts/ovs-ctl


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openvswitch policy is very flexible, allowing users to set up their
       openvswitch processes in as secure a manner as possible.

       The following process types are defined for openvswitch:

       openvswitch_t

       Note: semanage permissive -a openvswitch_t can be used to make the
       process type openvswitch_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.


BOOLEANS

       SELinux policy is customizable based on least access required.
       openvswitch policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openvswitch with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openvswitch policy is very flexible, allowing users to set up
       their openvswitch processes in as secure a manner as possible.

       The following port types are defined for openvswitch:

       openvswitch_port_t

       Default Defined Ports:
                 tcp 6634


MANAGED FILES

       The SELinux process type openvswitch_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       openvswitch_log_t

            /var/log/openvswitch(/.*)?

       openvswitch_rw_t

            /etc/openvswitch(/.*)?

       openvswitch_tmp_t

       openvswitch_var_lib_t

            /var/lib/openvswitch(/.*)?

       openvswitch_var_run_t

            /var/run/openvswitch(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       svirt_image_t

       svirt_tmp_t

       sysfs_t

            /sys(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openvswitch policy is very flexible, allowing users to set up
       their openvswitch processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openvswitch. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t openvswitch_unit_file_t '/srv/myopenvswitch_content(/.*)?'
       restorecon -R -v /srv/myopenvswitch_content

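       The following POSIX shell script is an added example, not part of this
       generated manual page. It applies the check implied by the semanage and
       restorecon commands above: it parses the "context path" lines that
       ls -Zd prints and reports any file whose type is not the one the
       policy expects (type names come from this page; the ls -Zd sample
       output is constructed so the script runs offline).

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: verify that files carry
# the SELinux type the openvswitch policy expects, so a stale label (for instance
# after copying a binary into place without running restorecon) is caught before
# it surfaces as an AVC denial. Expected type names are taken from this page;
# the ls -Zd sample output below is constructed for offline use.

# Return the type field of a full security context, e.g.
# system_u:object_r:openvswitch_exec_t:s0 -> openvswitch_exec_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines (the format `ls -Zd <paths>` prints) from $2 and
# report every path whose type is not $1. Returns 1 if any mismatch was found.
check_labels() {
    expected="$1"
    input="$2"
    rc=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        actual=$(context_type "$ctx")
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s: %s (expected %s)\n' "$path" "$actual" "$expected"
            rc=1
        fi
    done <<EOF
$input
EOF
    return "$rc"
}

# Constructed sample: two entrypoints, the second mislabeled bin_t, as it would
# be after a plain cp of a rebuilt ovs-vsctl into /usr/bin.
SAMPLE_LS_Z='system_u:object_r:openvswitch_exec_t:s0 /usr/sbin/ovs-vswitchd
system_u:object_r:bin_t:s0 /usr/bin/ovs-vsctl'

# On a live host, feed real output instead and repair with restorecon -v <path>:
#   check_labels openvswitch_exec_t "$(ls -Zd /usr/sbin/ovs-vswitchd /usr/bin/ovs-vsctl)"
```

       The same context_type helper works on the context column of ps -eZ
       output, so the process check from the DESCRIPTION section can be
       scripted the same way.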
       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for openvswitch:

       openvswitch_exec_t

       - Set files with the openvswitch_exec_t type, if you want to transition
       an executable to the openvswitch_t domain.

       Paths:
            /usr/bin/ovs-vsctl, /usr/bin/ovs-appctl, /usr/sbin/ovsdb-ctl,
            /usr/sbin/ovs-vswitchd, /usr/sbin/ovsdb-server,
            /usr/share/openvswitch/scripts/ovs-ctl

       openvswitch_log_t

       - Set files with the openvswitch_log_t type, if you want to treat the
       data as openvswitch log data, usually stored under the /var/log
       directory.

       openvswitch_rw_t

       - Set files with the openvswitch_rw_t type, if you want to treat the
       files as openvswitch read/write content.

       openvswitch_tmp_t

       - Set files with the openvswitch_tmp_t type, if you want to store
       openvswitch temporary files in the /tmp directories.

       openvswitch_tmpfs_t

       - Set files with the openvswitch_tmpfs_t type, if you want to store
       openvswitch files on a tmpfs file system.

       openvswitch_unit_file_t

       - Set files with the openvswitch_unit_file_t type, if you want to treat
       the files as openvswitch unit content.

       openvswitch_var_lib_t

       - Set files with the openvswitch_var_lib_t type, if you want to store
       the openvswitch files under the /var/lib directory.

       openvswitch_var_run_t

       - Set files with the openvswitch_var_run_t type, if you want to store
       the openvswitch files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), openvswitch(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



openvswitch                        23-02-03             openvswitch_selinux(8)