xenstored_selinux(8)       SELinux Policy xenstored       xenstored_selinux(8)

NAME

       xenstored_selinux - Security Enhanced Linux Policy for the xenstored
       processes

DESCRIPTION

       Security-Enhanced Linux secures the xenstored processes via flexible
       mandatory access control.

       The xenstored processes execute with the xenstored_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep xenstored_t

ENTRYPOINTS

       The xenstored_t SELinux type can be entered via the xenstored_exec_t
       file type.

       The default entrypoint paths for the xenstored_t domain are the
       following:

       /usr/sbin/xenstored, /usr/sbin/oxenstored, /etc/xen/scripts/launch-xenstore

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       xenstored policy is very flexible, allowing users to set up their
       xenstored processes in as secure a manner as possible.

       The following process types are defined for xenstored:

       xenstored_t

       Note: semanage permissive -a xenstored_t can be used to make the
       process type xenstored_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.
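
       Because denials for a permissive domain are still logged, they can be
       triaged from the audit log. The following Python script is an added
       example, not part of this man page or of the sepolicy tooling: it
       parses constructed AVC records, keeps those whose source domain is
       xenstored_t, and flags denials on a generic file type where the
       MANAGED FILES section below defines a xenstored-specific type. The
       generic-to-specific mapping is an assumption used only as a heuristic.

```python
import re

# Constructed sample records in auditd AVC format (not from a real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1675420800.101:311): avc:  denied  { write } for  pid=2101 comm="xenstored" name="xenstored" dev="tmpfs" ino=4711 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1675420800.102:312): avc:  denied  { read open } for  pid=2101 comm="xenstored" name="xenstored.log" dev="dm-0" ino=9001 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1675420800.103:313): avc:  denied  { getattr } for  pid=77 comm="sshd" path="/etc/shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
# Heuristic (an assumption, not policy data): a denial on a generic type where
# MANAGED FILES defines a xenstored-specific type points to a mislabeled object.
GENERIC_TO_XENSTORED = {
    "var_run_t": "xenstored_var_run_t",
    "var_log_t": "xenstored_var_log_t",
    "var_lib_t": "xenstored_var_lib_t",
    "tmp_t": "xenstored_tmp_t",
}

def parse_avc(line):
    """Parse one AVC denial record; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],  # source (process) type
        "ttype": m.group("tcontext").split(":")[2],  # target (object) type
        "tclass": m.group("tclass"),
        # permissive=1: access was granted anyway, but the denial was logged
        "permissive": m.group("permissive") == "1",
    }

def xenstored_denials(audit_text):
    """Keep only denials whose source domain is xenstored_t."""
    recs = (parse_avc(line) for line in audit_text.splitlines())
    return [r for r in recs if r and r["stype"] == "xenstored_t"]

def triage(rec):
    """One-line analyst hint: probable mislabeling vs. access the policy lacks."""
    mode = "logged only (permissive)" if rec["permissive"] else "blocked"
    expected = GENERIC_TO_XENSTORED.get(rec["ttype"])
    if expected:
        return f"{mode}: {rec['tclass']} labeled {rec['ttype']}, expected {expected}; run restorecon"
    return f"{mode}: {rec['tclass']} {rec['ttype']} is not allowed by xenstored policy; review"
```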

BOOLEANS

       SELinux policy is customizable based on least access required.
       xenstored policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run xenstored with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

MANAGED FILES

       The SELinux process type xenstored_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       xenfs_t

       xenstored_tmp_t

       xenstored_var_lib_t

            /var/lib/xenstored(/.*)?

       xenstored_var_log_t

            /var/log/xenstored.*

       xenstored_var_run_t

            /var/run/xenstored(/.*)?
            /var/run/xenstore.pid

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux xenstored policy is very flexible, allowing users to set up
       their xenstored processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for xenstored. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t xenstored_var_run_t '/srv/myxenstored_content(/.*)?'
       restorecon -R -v /srv/myxenstored_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for xenstored:

       xenstored_exec_t

       - Set files with the xenstored_exec_t type, if you want to transition
       an executable to the xenstored_t domain.

       Paths:
            /usr/sbin/xenstored, /usr/sbin/oxenstored,
            /etc/xen/scripts/launch-xenstore

       xenstored_tmp_t

       - Set files with the xenstored_tmp_t type, if you want to store
       xenstored temporary files in the /tmp directories.

       xenstored_var_lib_t

       - Set files with the xenstored_var_lib_t type, if you want to store the
       xenstored files under the /var/lib directory.

       xenstored_var_log_t

       - Set files with the xenstored_var_log_t type, if you want to treat the
       data as xenstored var log data, usually stored under the /var/log
       directory.

       xenstored_var_run_t

       - Set files with the xenstored_var_run_t type, if you want to store the
       xenstored files under the /run or /var/run directory.

       Paths:
            /var/run/xenstored(/.*)?, /var/run/xenstore.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
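
       The labeling rules above can be checked offline before touching a
       system. The following Python script is an added example, not from this
       man page or the sepolicy tooling: it loads the default regexes listed
       on this page, models semanage fcontext -a as appending a local entry,
       and reports which entries of an ls -Z style listing restorecon would
       relabel. It assumes matching anchored at both ends with the last
       matching entry winning, which is how libselinux consults file_contexts.

```python
import re

# Default mappings quoted from this man page (regex -> file type). SELinux
# file_contexts regexes are matched anchored at both ends of the path.
FILE_CONTEXTS = [
    (r"/var/lib/xenstored(/.*)?", "xenstored_var_lib_t"),
    (r"/var/log/xenstored.*", "xenstored_var_log_t"),
    (r"/var/run/xenstored(/.*)?", "xenstored_var_run_t"),
    (r"/var/run/xenstore.pid", "xenstored_var_run_t"),
    (r"/usr/sbin/xenstored", "xenstored_exec_t"),
    (r"/usr/sbin/oxenstored", "xenstored_exec_t"),
    (r"/etc/xen/scripts/launch-xenstore", "xenstored_exec_t"),
]


def add_fcontext(table, regex, ftype):
    """Model of `semanage fcontext -a -t FTYPE REGEX`: the local entry is
    appended, so it is consulted after the defaults and wins on overlap."""
    return table + [(regex, ftype)]


def expected_type(table, path):
    """Type restorecon would apply to PATH, or None when nothing matches.
    Assumption: last matching entry wins, as in file_contexts ordering."""
    label = None
    for regex, ftype in table:
        if re.fullmatch(regex, path):
            label = ftype
    return label


def mislabeled(table, listing):
    """From (path, current_type) pairs such as `ls -Z` output, return the
    (path, current, expected) triples that restorecon would relabel."""
    out = []
    for path, current in listing:
        exp = expected_type(table, path)
        if exp is not None and exp != current:
            out.append((path, current, exp))
    return out
```

A constructed listing with a file created before the semanage rule was
added shows up in the result; paths no entry matches are left alone,
as restorecon leaves them.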

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), xenstored(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

xenstored                          23-02-03               xenstored_selinux(8)