abrt_selinux(8)               SELinux Policy abrt              abrt_selinux(8)


NAME

       abrt_selinux - Security Enhanced Linux Policy for the abrt processes


DESCRIPTION

       Security-Enhanced Linux confines the abrt processes with flexible
       mandatory access control.

       The abrt processes execute with the abrt_t SELinux type. You can check
       whether any of these processes are running by executing the ps command
       with the -Z qualifier, which prints the security context
       (user:role:type:level) of each process.

       For example:

       ps -eZ | grep abrt_t

       Note that grep matches the string anywhere in the line, including the
       grep process itself and any command whose arguments contain it. To
       select on the domain alone, compare the type field of the context (the
       third colon-separated field) rather than the whole line.


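       The check described above, carried out on parsed contexts instead of a
       substring grep, as an added example. This is not code from abrt or from
       sepolicy; the ps output it parses is constructed for the example, and
       the function names are the example's own.

```python
"""List the processes running in a given SELinux domain from `ps -eZ` output.

Added example for this page; it is not part of abrt, sepolicy or the abrt
policy. The sample ps output below is constructed, not captured.

`ps -eZ | grep abrt_t` is a substring match: it also reports the grep itself
and any command whose arguments happen to contain "abrt_t". Parsing the
security context and comparing its type field is exact.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `ps -eZ` output. The last two rows are the kind of
# false positive a plain grep for "abrt_t" produces.
SAMPLE_PS_EZ = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:03 systemd
system_u:system_r:abrt_t:s0         812 ?        00:00:00 abrtd
system_u:system_r:abrt_t:s0         815 ?        00:00:00 abrt-dbus
system_u:system_r:abrt_watch_log_t:s0 820 ?      00:00:00 abrt-watch-log
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2310 pts/0 00:00:00 grep abrt_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2311 pts/0 00:00:00 vim abrt_t.te
"""


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # may contain ':' itself in an MLS/MCS range such as s0-s0:c0.c1023


def parse_context(label: str) -> Context:
    """Split user:role:type:level. The level is everything after the third
    colon, because MLS/MCS ranges contain colons of their own."""
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a user:role:type:level context: {label!r}")
    return Context(*parts)


def parse_ps_ez(output: str) -> List[Tuple[Context, int, str]]:
    """Return (context, pid, cmd) for each data row of `ps -eZ` output.
    The CMD column may contain spaces, so the line is split into at most
    five fields."""
    rows = []
    for line in output.splitlines()[1:]:  # skip the header row
        label, pid, _tty, _time, cmd = line.split(None, 4)
        rows.append((parse_context(label), int(pid), cmd))
    return rows


def processes_in_domain(output: str, domain: str) -> List[Tuple[int, str]]:
    """Exact match on the type field: only processes actually running in
    `domain`, regardless of what their command lines contain."""
    return [(pid, cmd) for ctx, pid, cmd in parse_ps_ez(output)
            if ctx.type == domain]


def grep_lines(output: str, needle: str) -> List[int]:
    """The PIDs `ps -eZ | grep needle` would print, for comparison."""
    pids = []
    for line in output.splitlines()[1:]:
        if needle in line:
            pids.append(int(line.split(None, 4)[1]))
    return pids


def domains_with_prefix(output: str, prefix: str) -> List[str]:
    """Sorted distinct process types starting with `prefix`, e.g. "abrt_"
    to see which of the abrt domains currently have a running process."""
    return sorted({ctx.type for ctx, _, _ in parse_ps_ez(output)
                   if ctx.type.startswith(prefix)})


if __name__ == "__main__":
    print("in abrt_t:        ", processes_in_domain(SAMPLE_PS_EZ, "abrt_t"))
    print("grep hits:        ", grep_lines(SAMPLE_PS_EZ, "abrt_t"))
    print("abrt domains seen:", domains_with_prefix(SAMPLE_PS_EZ, "abrt_"))
```

       On a live system, feed the real output in with something like
       parse_ps_ez(subprocess.check_output(["ps", "-eZ"], text=True)); the
       parser is the same.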

ENTRYPOINTS

       The abrt_t SELinux type can be entered via the abrt_exec_t file type.

       The default entrypoint paths for the abrt_t domain are the following:

       /usr/sbin/abrt-harvest.*, /usr/sbin/abrtd, /usr/sbin/abrt-dbus,
       /usr/sbin/abrt-install-ccpp-hook


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       abrt policy is very flexible, allowing users to set up their abrt
       processes in as secure a manner as possible.

       The following process types are defined for abrt:

       abrt_t, abrt_dump_oops_t, abrt_handle_event_t, abrt_helper_t,
       abrt_retrace_worker_t, abrt_retrace_coredump_t, abrt_watch_log_t,
       abrt_upload_watch_t

       Note: semanage permissive -a abrt_t can be used to make the process
       type abrt_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated. A permissive domain is effectively unconfined, so use this
       only to diagnose a denial, and revert it afterwards with semanage
       permissive -d abrt_t.



BOOLEANS

       SELinux policy is customizable based on least access required. abrt
       policy is extremely flexible and has several booleans that allow you
       to manipulate the policy and run abrt with the tightest access
       possible. The -P option of setsebool makes the change persistent
       across reboots; without it the boolean reverts at the next policy
       load.



       If you want ABRT to handle its event scripts in the abrt_handle_event_t
       domain, you must turn on the abrt_handle_event boolean. Disabled by
       default.

       setsebool -P abrt_handle_event 1



       If you want to deny user-domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       any executable that needs it should be reported in bugzilla), you must
       turn on the deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1



       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1




MANAGED FILES

       The SELinux process type abrt_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions; SELinux is checked in addition to, not instead of, the
       ordinary file permissions.

       Several of these types (root_t, sysfs_t, kdump_crash_t,
       mail_home_rw_t, the cluster_* and rpm_* types) are not abrt-specific,
       so a compromised abrt_t process can reach well beyond abrt's own spool.
       Keep this list in mind before making the domain permissive.

       abrt_tmp_t


       abrt_upload_watch_tmp_t


       abrt_var_cache_t

            /var/tmp/abrt(/.*)?
            /var/cache/abrt(/.*)?
            /var/spool/abrt(/.*)?
            /var/spool/debug(/.*)?
            /var/cache/abrt-di(/.*)?
            /var/spool/rhsm/debug(/.*)?

       abrt_var_log_t

            /var/log/abrt-logger.*

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       kdump_crash_t

            /var/crash(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       mail_home_rw_t

            /root/Maildir(/.*)?
            /root/.esmtp_queue(/.*)?
            /var/lib/arpwatch/.esmtp_queue(/.*)?
            /home/[^/]+/.maildir(/.*)?
            /home/[^/]+/Maildir(/.*)?
            /home/[^/]+/.esmtp_queue(/.*)?

       rhsmcertd_var_run_t

            /var/run/rhsm(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       rpm_log_t

            /var/log/dnf.log.*
            /var/log/dnf.rpm.log.*
            /var/log/dnf.librepo.log.*
            /var/log/hawkey.*
            /var/log/up2date.*
            /var/log/yum.log.*

       rpm_var_cache_t

            /var/cache/dnf(/.*)?
            /var/cache/yum(/.*)?
            /var/spool/up2date(/.*)?
            /var/cache/PackageKit(/.*)?

       rpm_var_run_t

            /var/run/yum.*
            /var/run/PackageKit(/.*)?

       sysfs_t

            /sys(/.*)?



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux abrt policy is very flexible, allowing users to set up their
       abrt processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES


       abrt policy stores data with multiple different file context types
       under the /var/cache/abrt, /var/run/abrt and /var/spool/abrt
       directories. If you would like to store the data in a different
       directory you can use the semanage command to create an equivalence
       mapping, so that the new directory is labeled exactly as the original
       one would be. If you wanted to store the /var/cache/abrt data under
       the /srv directory you would execute the following commands:

       semanage fcontext -a -e /var/cache/abrt /srv/abrt
       restorecon -R -v /srv/abrt

       To relocate /var/run/abrt or /var/spool/abrt instead, run the same two
       commands with that directory as the first path argument. Each
       relocated directory needs its own target path, since a target can be
       equivalent to only one source; semanage rejects a second equivalence
       for a target that already has one.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for abrt. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t abrt_upload_watch_tmp_t '/srv/myabrt_content(/.*)?'
       restorecon -R -v /srv/myabrt_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. The expressions are anchored at both ends, so
       '/srv/myabrt_content(/.*)?' labels that directory and its subtree, but
       not, for example, /srv/myabrt_content2.

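       The labeling rules described above, as an added example that is not
       code from abrt, sepolicy or libselinux: a small resolver that applies
       this page's own file-context entries to a path the way restorecon
       would, including an equivalence mapping and a local semanage fcontext
       -t override. The (regex, type) entries are copied from this page; the
       sample paths, the function names and the assumption that the last
       matching entry wins (the order in which libselinux consults
       file_contexts, with local customizations appended last) are the
       example's own.

```python
"""Resolve the SELinux file type that abrt's file contexts assign to a path.

Added example for this page; it is not part of abrt, sepolicy or libselinux.
It models the three things the labeling commands above depend on:

  * file-context regexes are anchored at both ends, so "/var/cache/abrt(/.*)?"
    matches the directory and its subtree and nothing else;
  * an equivalence (semanage fcontext -a -e SRC TARGET) rewrites the TARGET
    prefix to SRC before the regexes are consulted;
  * entries added with semanage fcontext -a -t land in file_contexts.local,
    which is consulted after the distribution's entries, and the last
    matching entry wins (assumption of this example).

The (regex, type) entries are taken from this page; the sample paths and the
function names are constructed for the example.
"""
import re
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[str, str]          # (file-context regex, SELinux type)
Equivalence = Tuple[str, str]    # (target path, path it is labeled like)

# A subset of the abrt file-context specifications listed on this page.
ABRT_FILE_CONTEXTS: List[Entry] = [
    (r"/usr/sbin/abrt-harvest.*", "abrt_exec_t"),
    (r"/usr/sbin/abrtd", "abrt_exec_t"),
    (r"/usr/bin/abrt-dump-.*", "abrt_dump_oops_exec_t"),
    (r"/var/cache/abrt(/.*)?", "abrt_var_cache_t"),
    (r"/var/spool/abrt(/.*)?", "abrt_var_cache_t"),
    (r"/var/spool/abrt-retrace(/.*)?", "abrt_retrace_spool_t"),
    (r"/var/run/abrt(/.*)?", "abrt_var_run_t"),
    (r"/var/run/abrtd?.socket", "abrt_var_run_t"),
    (r"/var/log/abrt-logger.*", "abrt_var_log_t"),
]


def apply_equivalence(path: str, equivalences: Iterable[Equivalence]) -> str:
    """Rewrite `path` through equivalences. ("/srv/abrt", "/var/cache/abrt")
    is what `semanage fcontext -a -e /var/cache/abrt /srv/abrt` records.
    Only whole path components match: /srv/abrt rewrites /srv/abrt/x but
    leaves /srv/abrt2 alone."""
    for target, source in equivalences:
        target = target.rstrip("/")
        if path == target or path.startswith(target + "/"):
            return source.rstrip("/") + path[len(target):]
    return path


def resolve_type(path: str,
                 equivalences: Iterable[Equivalence] = (),
                 local_rules: Iterable[Entry] = ()) -> Optional[str]:
    """Return the type `path` would be labeled with, or None when no entry
    matches (restorecon then leaves the file's current label unchanged).
    `local_rules` stand for file_contexts.local and therefore take
    precedence: the combined list is searched from its end."""
    path = apply_equivalence(path, equivalences)
    entries = list(ABRT_FILE_CONTEXTS) + list(local_rules)
    for regex, ftype in reversed(entries):
        # fullmatch() gives the ^...$ anchoring that libselinux applies.
        if re.fullmatch(regex, path):
            return ftype
    return None


if __name__ == "__main__":
    srv = [("/srv/abrt", "/var/cache/abrt")]
    for p in ["/var/spool/abrt/ccpp-2024-01-01/coredump",
              "/var/spool/abrt-retrace/job1",
              "/var/spool/abrtfoo",
              "/srv/abrt/ccpp-2024-01-01/coredump",
              "/srv/abrt2/coredump"]:
        print(f"{p:45} -> {resolve_type(p, srv)}")
```

       On a real system the equivalent query is matchpathcon(8), which reads
       the installed file_contexts, file_contexts.local and the subs files;
       this resolver only reproduces the matching logic for the entries on
       this page.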
       The following file types are defined for abrt:



       abrt_dump_oops_exec_t

       - Set files with the abrt_dump_oops_exec_t type, if you want to
       transition an executable to the abrt_dump_oops_t domain.


       Paths:
            /usr/bin/abrt-dump-.*, /usr/bin/abrt-uefioops-oops,
            /usr/libexec/abrt-hook-ccpp


       abrt_etc_t

       - Set files with the abrt_etc_t type, if you want to store abrt files
       in the /etc directories.



       abrt_exec_t

       - Set files with the abrt_exec_t type, if you want to transition an
       executable to the abrt_t domain.


       Paths:
            /usr/sbin/abrt-harvest.*, /usr/sbin/abrtd, /usr/sbin/abrt-dbus,
            /usr/sbin/abrt-install-ccpp-hook


       abrt_handle_event_exec_t

       - Set files with the abrt_handle_event_exec_t type, if you want to
       transition an executable to the abrt_handle_event_t domain.


       Paths:
            /usr/libexec/abrt-handle-event,
            /usr/bin/abrt-action-generate-backtrace


       abrt_helper_exec_t

       - Set files with the abrt_helper_exec_t type, if you want to
       transition an executable to the abrt_helper_t domain.



       abrt_initrc_exec_t

       - Set files with the abrt_initrc_exec_t type, if you want to
       transition an executable to the abrt_initrc_t domain.



       abrt_retrace_cache_t

       - Set files with the abrt_retrace_cache_t type, if you want to store
       the files under the /var/cache directory.


       Paths:
            /var/cache/abrt-retrace(/.*)?, /var/cache/retrace-server(/.*)?


       abrt_retrace_coredump_exec_t

       - Set files with the abrt_retrace_coredump_exec_t type, if you want to
       transition an executable to the abrt_retrace_coredump_t domain.



       abrt_retrace_spool_t

       - Set files with the abrt_retrace_spool_t type, if you want to store
       the abrt retrace files under the /var/spool directory.


       Paths:
            /var/spool/faf(/.*)?, /var/spool/abrt-retrace(/.*)?,
            /var/spool/retrace-server(/.*)?


       abrt_retrace_worker_exec_t

       - Set files with the abrt_retrace_worker_exec_t type, if you want to
       transition an executable to the abrt_retrace_worker_t domain.


       Paths:
            /usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker


       abrt_tmp_t

       - Set files with the abrt_tmp_t type, if you want to store abrt
       temporary files in the /tmp directories.



       abrt_unit_file_t

       - Set files with the abrt_unit_file_t type, if you want to treat the
       files as abrt unit content.



       abrt_upload_watch_exec_t

       - Set files with the abrt_upload_watch_exec_t type, if you want to
       transition an executable to the abrt_upload_watch_t domain.



       abrt_upload_watch_tmp_t

       - Set files with the abrt_upload_watch_tmp_t type, if you want to store
       abrt upload watch temporary files in the /tmp directories.



       abrt_var_cache_t

       - Set files with the abrt_var_cache_t type, if you want to store the
       files under the /var/cache directory.


       Paths:
            /var/tmp/abrt(/.*)?, /var/cache/abrt(/.*)?, /var/spool/abrt(/.*)?,
            /var/spool/debug(/.*)?, /var/cache/abrt-di(/.*)?,
            /var/spool/rhsm/debug(/.*)?


       abrt_var_lib_t

       - Set files with the abrt_var_lib_t type, if you want to store the abrt
       files under the /var/lib directory.



       abrt_var_log_t

       - Set files with the abrt_var_log_t type, if you want to treat the data
       as abrt var log data, usually stored under the /var/log directory.



       abrt_var_run_t

       - Set files with the abrt_var_run_t type, if you want to store the abrt
       files under the /run or /var/run directory.


       Paths:
            /var/run/abrt(/.*)?, /var/run/abrtd?.lock, /var/run/abrtd?.socket,
            /var/run/abrt.pid


       abrt_watch_log_exec_t

       - Set files with the abrt_watch_log_exec_t type, if you want to
       transition an executable to the abrt_watch_log_t domain.



       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels. A label
       set with chcon is lost the next time the file is relabeled from the
       database (restorecon, or a full relabel), whereas a semanage fcontext
       entry survives relabeling.



SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files of
       the public_content_rw_t type, you must set the appropriate boolean.

       Allow abrt servers to read the /var/abrt directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/abrt(/.*)?"
       restorecon -F -R -v /var/abrt

       Allow abrt servers to read and write /var/abrt/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the abrt_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?"
       restorecon -F -R -v /var/abrt/incoming
       setsebool -P abrt_anon_write 1


       If you want to allow ABRT to modify public files used for public file
       transfer services, you must turn on the abrt_anon_write boolean.

       setsebool -P abrt_anon_write 1



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), abrt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8),
       abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8),
       abrt_retrace_worker_selinux(8), abrt_upload_watch_selinux(8),
       abrt_watch_log_selinux(8)



abrt                               23-02-03                    abrt_selinux(8)