1openvswitch_selinux(8) SELinux Policy openvswitch openvswitch_selinux(8)
2
3
4
6 openvswitch_selinux - Security Enhanced Linux Policy for the open‐
7 vswitch processes
8
10 Security-Enhanced Linux secures the openvswitch processes via flexible
11 mandatory access control.
12
13 The openvswitch processes execute with the openvswitch_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep openvswitch_t
20
21
22
24 The openvswitch_t SELinux type can be entered via the open‐
25 vswitch_exec_t file type.
26
27 The default entrypoint paths for the openvswitch_t domain are the fol‐
28 lowing:
29
30 /usr/bin/ovs-vsctl, /usr/bin/ovs-appctl, /usr/sbin/ovsdb-ctl,
31 /usr/sbin/ovs-vswitchd, /usr/sbin/ovsdb-server, /usr/share/open‐
32 vswitch/scripts/ovs-ctl
33
35 SELinux defines process types (domains) for each process running on the
36 system
37
38 You can see the context of a process using the -Z option to ps
39
40 Policy governs the access confined processes have to files. SELinux
41 openvswitch policy is very flexible allowing users to setup their open‐
42 vswitch processes in as secure a method as possible.
43
44 The following process types are defined for openvswitch:
45
46 openvswitch_t
47
48 Note: semanage permissive -a openvswitch_t can be used to make the
49 process type openvswitch_t permissive. SELinux does not deny access to
50 permissive process types, but the AVC (SELinux denials) messages are
51 still generated.
52
53
55 SELinux policy is customizable based on least access required. open‐
56 vswitch policy is extremely flexible and has several booleans that al‐
57 low you to manipulate the policy and run openvswitch with the tightest
58 access possible.
59
60
61
62 If you want to allow all domains to execute in fips_mode, you must turn
63 on the fips_mode boolean. Enabled by default.
64
65 setsebool -P fips_mode 1
66
67
68
70 SELinux defines port types to represent TCP and UDP ports.
71
72 You can see the types associated with a port by using the following
73 command:
74
75 semanage port -l
76
77
78 Policy governs the access confined processes have to these ports.
79 SELinux openvswitch policy is very flexible allowing users to setup
80 their openvswitch processes in as secure a method as possible.
81
82 The following port types are defined for openvswitch:
83
84
85 openvswitch_port_t
86
87
88
89 Default Defined Ports:
90 tcp 6634
91
93 The SELinux process type openvswitch_t can manage files labeled with
94 the following file types. The paths listed are the default paths for
95 these file types. Note the processes UID still need to have DAC per‐
96 missions.
97
98 cluster_conf_t
99
100 /etc/cluster(/.*)?
101
102 cluster_var_lib_t
103
104 /var/lib/pcsd(/.*)?
105 /var/lib/cluster(/.*)?
106 /var/lib/openais(/.*)?
107 /var/lib/pengine(/.*)?
108 /var/lib/corosync(/.*)?
109 /usr/lib/heartbeat(/.*)?
110 /var/lib/heartbeat(/.*)?
111 /var/lib/pacemaker(/.*)?
112
113 cluster_var_run_t
114
115 /var/run/crm(/.*)?
116 /var/run/cman_.*
117 /var/run/rsctmp(/.*)?
118 /var/run/aisexec.*
119 /var/run/heartbeat(/.*)?
120 /var/run/pcsd-ruby.socket
121 /var/run/corosync-qnetd(/.*)?
122 /var/run/corosync-qdevice(/.*)?
123 /var/run/corosync.pid
124 /var/run/cpglockd.pid
125 /var/run/rgmanager.pid
126 /var/run/cluster/rgmanager.sk
127
128 hugetlbfs_t
129
130 /dev/hugepages
131 /usr/lib/udev/devices/hugepages
132
133 krb5_host_rcache_t
134
135 /var/tmp/krb5_0.rcache2
136 /var/cache/krb5rcache(/.*)?
137 /var/tmp/nfs_0
138 /var/tmp/DNS_25
139 /var/tmp/host_0
140 /var/tmp/imap_0
141 /var/tmp/HTTP_23
142 /var/tmp/HTTP_48
143 /var/tmp/ldap_55
144 /var/tmp/ldap_487
145 /var/tmp/ldapmap1_0
146
147 openvswitch_log_t
148
149 /var/log/openvswitch(/.*)?
150
151 openvswitch_rw_t
152
153 /etc/openvswitch(/.*)?
154
155 openvswitch_tmp_t
156
157
158 openvswitch_var_lib_t
159
160 /var/lib/openvswitch(/.*)?
161
162 openvswitch_var_run_t
163
164 /var/run/openvswitch(/.*)?
165
166 root_t
167
168 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
169 /
170 /initrd
171
172 svirt_image_t
173
174
175 svirt_tmp_t
176
177
178 sysfs_t
179
180 /sys(/.*)?
181
182
184 SELinux requires files to have an extended attribute to define the file
185 type.
186
187 You can see the context of a file using the -Z option to ls
188
189 Policy governs the access confined processes have to these files.
190 SELinux openvswitch policy is very flexible allowing users to setup
191 their openvswitch processes in as secure a method as possible.
192
193 STANDARD FILE CONTEXT
194
195 SELinux defines the file context types for the openvswitch, if you
196 wanted to store files with these types in a diffent paths, you need to
197 execute the semanage command to specify alternate labeling and then use
198 restorecon to put the labels on disk.
199
200 semanage fcontext -a -t openvswitch_unit_file_t '/srv/myopen‐
201 vswitch_content(/.*)?'
202 restorecon -R -v /srv/myopenvswitch_content
203
204 Note: SELinux often uses regular expressions to specify labels that
205 match multiple files.
206
207 The following file types are defined for openvswitch:
208
209
210
211 openvswitch_exec_t
212
213 - Set files with the openvswitch_exec_t type, if you want to transition
214 an executable to the openvswitch_t domain.
215
216
217 Paths:
218 /usr/bin/ovs-vsctl, /usr/bin/ovs-appctl, /usr/sbin/ovsdb-ctl,
219 /usr/sbin/ovs-vswitchd, /usr/sbin/ovsdb-server, /usr/share/open‐
220 vswitch/scripts/ovs-ctl
221
222
223 openvswitch_log_t
224
225 - Set files with the openvswitch_log_t type, if you want to treat the
226 data as openvswitch log data, usually stored under the /var/log direc‐
227 tory.
228
229
230
231 openvswitch_rw_t
232
233 - Set files with the openvswitch_rw_t type, if you want to treat the
234 files as openvswitch read/write content.
235
236
237
238 openvswitch_tmp_t
239
240 - Set files with the openvswitch_tmp_t type, if you want to store open‐
241 vswitch temporary files in the /tmp directories.
242
243
244
245 openvswitch_tmpfs_t
246
247 - Set files with the openvswitch_tmpfs_t type, if you want to store
248 openvswitch files on a tmpfs file system.
249
250
251
252 openvswitch_unit_file_t
253
254 - Set files with the openvswitch_unit_file_t type, if you want to treat
255 the files as openvswitch unit content.
256
257
258
259 openvswitch_var_lib_t
260
261 - Set files with the openvswitch_var_lib_t type, if you want to store
262 the openvswitch files under the /var/lib directory.
263
264
265
266 openvswitch_var_run_t
267
268 - Set files with the openvswitch_var_run_t type, if you want to store
269 the openvswitch files under the /run or /var/run directory.
270
271
272
273 Note: File context can be temporarily modified with the chcon command.
274 If you want to permanently change the file context you need to use the
275 semanage fcontext command. This will modify the SELinux labeling data‐
276 base. You will need to use restorecon to apply the labels.
277
278
280 semanage fcontext can also be used to manipulate default file context
281 mappings.
282
283 semanage permissive can also be used to manipulate whether or not a
284 process type is permissive.
285
286 semanage module can also be used to enable/disable/install/remove pol‐
287 icy modules.
288
289 semanage port can also be used to manipulate the port definitions
290
291 semanage boolean can also be used to manipulate the booleans
292
293
294 system-config-selinux is a GUI tool available to customize SELinux pol‐
295 icy settings.
296
297
299 This manual page was auto-generated using sepolicy manpage .
300
301
303 selinux(8), openvswitch(8), semanage(8), restorecon(8), chcon(1), se‐
304 policy(8), setsebool(8)
305
306
307
308openvswitch 23-02-03 openvswitch_selinux(8)