1apcupsd_selinux(8) SELinux Policy apcupsd apcupsd_selinux(8)
2
6 apcupsd_selinux - Security Enhanced Linux Policy for the apcupsd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the apcupsd processes via flexible
11 mandatory access control.
12 The apcupsd processes execute with the apcupsd_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep apcupsd_t
20
24 The apcupsd_t SELinux type can be entered via the apcupsd_exec_t file
25 type.
26 The default entrypoint paths for the apcupsd_t domain are the follow‐
28 ing:
29 /sbin/apcupsd, /usr/sbin/apcupsd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 apcupsd policy is very flexible allowing users to setup their apcupsd
40 processes in as secure a method as possible.
41 The following process types are defined for apcupsd:
43 apcupsd_t, apcupsd_cgi_script_t
45 Note: semanage permissive -a apcupsd_t can be used to make the process
47 type apcupsd_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. apcupsd
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run apcupsd with the tightest access possi‐
56 ble.
57 If you want to dontaudit all daemons scheduling requests (setsched,
61 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
62 Enabled by default.
63 setsebool -P daemons_dontaudit_scheduling 1
65 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70 setsebool -P fips_mode 1
72 If you want to allow system to run with NIS, you must turn on the
76 nis_enabled boolean. Disabled by default.
77 setsebool -P nis_enabled 1
79
83 SELinux defines port types to represent TCP and UDP ports.
84 You can see the types associated with a port by using the following
86 command:
87 semanage port -l
89 Policy governs the access confined processes have to these ports.
92 SELinux apcupsd policy is very flexible allowing users to setup their
93 apcupsd processes in as secure a method as possible.
94 The following port types are defined for apcupsd:
96 apcupsd_port_t
99 Default Defined Ports:
103 tcp 3551
104 udp 3551
105
107 The SELinux process type apcupsd_t can manage files labeled with the
108 following file types. The paths listed are the default paths for these
109 file types. Note the processes UID still need to have DAC permissions.
110 apcupsd_lock_t
112 /var/lock/LCK..
114 /var/lock/subsys/apcupsd
115 apcupsd_log_t
117 /var/log/apcupsd.events.*
119 /var/log/apcupsd.status.*
120 apcupsd_power_t
122 /etc/apcupsd/powerfail
124 apcupsd_tmp_t
126 apcupsd_var_run_t
129 /var/run/apcupsd.pid
131 cluster_conf_t
133 /etc/cluster(/.*)?
135 cluster_var_lib_t
137 /var/lib/pcsd(/.*)?
139 /var/lib/cluster(/.*)?
140 /var/lib/openais(/.*)?
141 /var/lib/pengine(/.*)?
142 /var/lib/corosync(/.*)?
143 /usr/lib/heartbeat(/.*)?
144 /var/lib/heartbeat(/.*)?
145 /var/lib/pacemaker(/.*)?
146 cluster_var_run_t
148 /var/run/crm(/.*)?
150 /var/run/cman_.*
151 /var/run/rsctmp(/.*)?
152 /var/run/aisexec.*
153 /var/run/heartbeat(/.*)?
154 /var/run/pcsd-ruby.socket
155 /var/run/corosync-qnetd(/.*)?
156 /var/run/corosync-qdevice(/.*)?
157 /var/run/corosync.pid
158 /var/run/cpglockd.pid
159 /var/run/rgmanager.pid
160 /var/run/cluster/rgmanager.sk
161 initrc_var_run_t
163 /var/run/utmp
165 /var/run/random-seed
166 /var/run/runlevel.dir
167 /var/run/setmixer_flag
168 krb5_host_rcache_t
170 /var/tmp/krb5_0.rcache2
172 /var/cache/krb5rcache(/.*)?
173 /var/tmp/nfs_0
174 /var/tmp/DNS_25
175 /var/tmp/host_0
176 /var/tmp/imap_0
177 /var/tmp/HTTP_23
178 /var/tmp/HTTP_48
179 /var/tmp/ldap_55
180 /var/tmp/ldap_487
181 /var/tmp/ldapmap1_0
182 root_t
184 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
186 /
187 /initrd
188 systemd_passwd_var_run_t
190 /var/run/systemd/ask-password(/.*)?
192 /var/run/systemd/ask-password-block(/.*)?
193
196 SELinux requires files to have an extended attribute to define the file
197 type.
198 You can see the context of a file using the -Z option to ls
200 Policy governs the access confined processes have to these files.
202 SELinux apcupsd policy is very flexible allowing users to setup their
203 apcupsd processes in as secure a method as possible.
204 STANDARD FILE CONTEXT
206 SELinux defines the file context types for the apcupsd, if you wanted
208 to store files with these types in a different paths, you need to exe‐
209 cute the semanage command to specify alternate labeling and then use
210 restorecon to put the labels on disk.
211 semanage fcontext -a -t apcupsd_exec_t '/srv/apcupsd/content(/.*)?'
213 restorecon -R -v /srv/myapcupsd_content
214 Note: SELinux often uses regular expressions to specify labels that
216 match multiple files.
217 The following file types are defined for apcupsd:
219 apcupsd_cgi_content_t
223 - Set files with the apcupsd_cgi_content_t type, if you want to treat
225 the files as apcupsd cgi content.
226 apcupsd_cgi_htaccess_t
230 - Set files with the apcupsd_cgi_htaccess_t type, if you want to treat
232 the file as a apcupsd cgi access file.
233 apcupsd_cgi_ra_content_t
237 - Set files with the apcupsd_cgi_ra_content_t type, if you want to
239 treat the files as apcupsd cgi read/append content.
240 apcupsd_cgi_rw_content_t
244 - Set files with the apcupsd_cgi_rw_content_t type, if you want to
246 treat the files as apcupsd cgi read/write content.
247 apcupsd_cgi_script_exec_t
251 - Set files with the apcupsd_cgi_script_exec_t type, if you want to
253 transition an executable to the apcupsd_cgi_script_t domain.
254 Paths:
257 /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon.cgi,
258 /var/www/apcupsd/upsimage.cgi, /var/www/apcupsd/upsstats.cgi,
259 /var/www/apcupsd/upsfstats.cgi
260 apcupsd_exec_t
263 - Set files with the apcupsd_exec_t type, if you want to transition an
265 executable to the apcupsd_t domain.
266 Paths:
269 /sbin/apcupsd, /usr/sbin/apcupsd
270 apcupsd_initrc_exec_t
273 - Set files with the apcupsd_initrc_exec_t type, if you want to transi‐
275 tion an executable to the apcupsd_initrc_t domain.
276 apcupsd_lock_t
280 - Set files with the apcupsd_lock_t type, if you want to treat the
282 files as apcupsd lock data, stored under the /var/lock directory
283 Paths:
286 /var/lock/LCK.., /var/lock/subsys/apcupsd
287 apcupsd_log_t
290 - Set files with the apcupsd_log_t type, if you want to treat the data
292 as apcupsd log data, usually stored under the /var/log directory.
293 Paths:
296 /var/log/apcupsd.events.*, /var/log/apcupsd.status.*
297 apcupsd_power_t
300 - Set files with the apcupsd_power_t type, if you want to treat the
302 files as apcupsd power data.
303 apcupsd_tmp_t
307 - Set files with the apcupsd_tmp_t type, if you want to store apcupsd
309 temporary files in the /tmp directories.
310 apcupsd_unit_file_t
314 - Set files with the apcupsd_unit_file_t type, if you want to treat the
316 files as apcupsd unit content.
317 apcupsd_var_run_t
321 - Set files with the apcupsd_var_run_t type, if you want to store the
323 apcupsd files under the /run or /var/run directory.
324 Note: File context can be temporarily modified with the chcon command.
328 If you want to permanently change the file context you need to use the
329 semanage fcontext command. This will modify the SELinux labeling data‐
330 base. You will need to use restorecon to apply the labels.
331
334 semanage fcontext can also be used to manipulate default file context
335 mappings.
336 semanage permissive can also be used to manipulate whether or not a
338 process type is permissive.
339 semanage module can also be used to enable/disable/install/remove pol‐
341 icy modules.
342 semanage port can also be used to manipulate the port definitions
344 semanage boolean can also be used to manipulate the booleans
346 system-config-selinux is a GUI tool available to customize SELinux pol‐
349 icy settings.
350
353 This manual page was auto-generated using sepolicy manpage .
354
357 selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1), sepol‐
358 icy(8), setsebool(8), apcupsd_cgi_script_selinux(8)
359apcupsd 23-10-20 apcupsd_selinux(8)