cluster_selinux(8)          SELinux Policy cluster          cluster_selinux(8)



NAME

       cluster_selinux - Security Enhanced Linux Policy for the cluster
       processes


DESCRIPTION

       Security-Enhanced Linux secures the cluster processes via flexible
       mandatory access control.

       The cluster processes execute with the cluster_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep cluster_t



ENTRYPOINTS

       The cluster_t SELinux type can be entered via the cluster_exec_t file
       type.

       The default entrypoint paths for the cluster_t domain are the
       following:

       /usr/sbin/pcsd, /usr/sbin/aisexec, /usr/lib/pcsd/pcsd,
       /usr/sbin/ccs_tool, /usr/sbin/corosync, /usr/sbin/cpglockd,
       /usr/sbin/cman_tool, /usr/sbin/rgmanager, /usr/sbin/ldirectord,
       /usr/sbin/pacemakerd, /usr/bin/corosync-qnetd,
       /usr/sbin/corosync-cfgtool, /usr/sbin/corosync-notifyd,
       /usr/sbin/corosync-qdevice, /usr/lib/pcs/pcs_snmp_agent,
       /usr/sbin/pacemaker-remoted, /usr/sbin/pacemaker_remoted,
       /usr/lib/heartbeat/heartbeat, /usr/share/corosync/corosync,
       /usr/share/corosync/corosync-qdevice


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       cluster policy is very flexible, allowing users to set up their cluster
       processes in as secure a manner as possible.

       The following process types are defined for cluster:

       cluster_t

       Note: semanage permissive -a cluster_t can be used to make the process
       type cluster_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated. Each such record carries permissive=1, which is how you
       tell an access that was merely logged from one that was blocked.


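       The following script is an added example; it is not part of the
       sepolicy-generated page or of the cluster policy itself. It reads
       audit-log AVC records and lists the denials raised against cluster_t,
       keeping the permissive flag so that denials merely logged under
       semanage permissive can be told apart from those that were enforced.
       The SAMPLE_AUDIT lines are constructed for the example; the field
       names it parses (comm, scontext, tcontext, tclass, permissive) are the
       kernel's standard AVC fields.

```shell
#!/bin/sh
# Added example, not from the cluster_selinux page or the policy.
# Summarise AVC denials against the cluster_t domain from audit-log lines.
# SAMPLE_AUDIT is constructed for this example. On a real host feed in:
#   ausearch -m AVC -ts recent | cluster_denials
#   grep 'avc: ' /var/log/audit/audit.log | cluster_denials

SAMPLE_AUDIT='type=AVC msg=audit(1697800000.101:301): avc:  denied  { write } for  pid=1201 comm="corosync" name="corosync.log" dev="dm-0" ino=4242 scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697800000.102:302): avc:  denied  { name_bind } for  pid=1202 comm="pacemakerd" src=9999 scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1697800000.103:303): avc:  denied  { read } for  pid=1303 comm="httpd" name="secret" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697800000.104:304): avc:  granted  { setenforce } for  pid=1404 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Read AVC lines on stdin; print one line per denial by a cluster_t process:
#   comm|permission(s)|tclass|target type|permissive
# permissive=1 means the access was only logged, not blocked (the situation
# described in the semanage permissive note above).
cluster_denials() {
    awk '
    /avc: +denied/ && /scontext=[^ ]*:cluster_t:/ {
        perm = ""; tclass = ""; ttype = ""; comm = ""; pmode = "0"
        # the requested permissions sit between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if (kv[1] == "tclass") tclass = kv[2]
            else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "permissive") pmode = kv[2]
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        printf "%s|%s|%s|%s|%s\n", comm, perm, tclass, ttype, pmode
    }'
}

# Count the cluster_t denials that were actually enforced (permissive=0);
# these are the ones that break a daemon rather than just being logged.
enforced_denials() {
    cluster_denials | awk -F'|' '$5 == "0" { n++ } END { print n + 0 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | cluster_denials
printf 'enforced denials: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | enforced_denials)"
```

       The target type (fourth column) is what you feed to the file context
       and port type sections below: a denial on var_log_t from a cluster
       daemon usually means a log directory is missing its cluster_var_log_t
       label and needs restorecon, not a policy change.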

BOOLEANS

       SELinux policy is customizable based on least access required. cluster
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run cluster with the tightest access
       possible.



       If you want to allow the cluster administrative domains to use
       executable memory (the policy names memcheck-amd64-, i.e. a cluster
       daemon run under Valgrind's memcheck tool, as the case that needs it),
       you must turn on the cluster_use_execmem boolean. Disabled by default.

       setsebool -P cluster_use_execmem 1



       If you want to dontaudit all daemons' scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1



       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       an executable that needs it should be reported in bugzilla), you must
       turn on the deny_execmem boolean. Disabled by default.

       setsebool -P deny_execmem 1



       If you want to allow processes to mmap a low area of the address space,
       below the limit configured by /proc/sys/vm/mmap_min_addr, you must turn
       on the mmap_low_allowed boolean. Disabled by default. Leave it off
       unless a specific program needs it: mmap_min_addr exists to keep the
       zero page unmapped, which blunts kernel NULL-pointer-dereference
       exploits.

       setsebool -P mmap_low_allowed 1



       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1



       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Disabled by default.

       setsebool -P secure_mode_insmod 1



       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean.
       Disabled by default. Doing this is a really bad idea: it probably
       indicates a badly coded executable, but could indicate an attack, and
       the executable should be reported in bugzilla.

       setsebool -P selinuxuser_execheap 1



       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean.
       Enabled by default. This should never, ever be necessary: it probably
       indicates a badly coded executable, but could indicate an attack, and
       the executable should be reported in bugzilla.

       setsebool -P selinuxuser_execstack 1




NSSWITCH DOMAIN

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server for the cluster_t domain, you must
       turn on the authlogin_nsswitch_use_ldap boolean.

       setsebool -P authlogin_nsswitch_use_ldap 1


       If you want to allow confined applications to run with kerberos for the
       cluster_t domain, you must turn on the kerberos_enabled boolean.

       setsebool -P kerberos_enabled 1


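       The following script is an added example, not part of the generated
       page or of the policy. It compares live getsebool -a output against
       the default states the BOOLEANS section above documents and reports
       every boolean that has drifted, so a hardening review can see at a
       glance which of the settings above were changed on a host.
       CLUSTER_BOOL_DEFAULTS is transcribed from the defaults stated above;
       SAMPLE_GETSEBOOL is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the cluster_selinux page or the policy.
# Report booleans whose live state differs from the documented default.
# On a real host:   getsebool -a | boolean_drift

# Defaults as documented in the BOOLEANS section (name default).
CLUSTER_BOOL_DEFAULTS='cluster_use_execmem off
daemons_dontaudit_scheduling on
deny_execmem off
mmap_low_allowed off
nis_enabled off
secure_mode_insmod off
selinuxuser_execheap off
selinuxuser_execstack on'

# Constructed stand-in for "getsebool -a" output with two changed values.
SAMPLE_GETSEBOOL='cluster_use_execmem --> on
daemons_dontaudit_scheduling --> on
deny_execmem --> off
httpd_can_network_connect --> off
mmap_low_allowed --> off
nis_enabled --> off
secure_mode_insmod --> off
selinuxuser_execheap --> off
selinuxuser_execstack --> off'

# Read getsebool output on stdin; print "name expected=X actual=Y" for every
# boolean in the baseline whose state differs. Booleans not in the baseline
# are ignored.
boolean_drift() {
    awk -v baseline="$CLUSTER_BOOL_DEFAULTS" '
    BEGIN {
        n = split(baseline, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], kv, " ") == 2) want[kv[1]] = kv[2]
    }
    NF == 3 && $2 == "-->" && ($1 in want) && $3 != want[$1] {
        printf "%s expected=%s actual=%s\n", $1, want[$1], $3
    }'
}

# Exit 0 only when nothing drifted, so the check can gate a compliance job.
booleans_match_defaults() {
    [ -z "$(boolean_drift)" ]
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

       A drift line is a prompt for review, not automatically a weakness:
       deny_execmem turned on or selinuxuser_execstack turned off are
       tighter than the defaults, whereas cluster_use_execmem turned on is
       looser. Change the values with setsebool -P only after checking which
       direction the deviation goes.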

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l


       Policy governs the access confined processes have to these ports.
       SELinux cluster policy is very flexible, allowing users to set up their
       cluster processes in as secure a manner as possible.

       The following port types are defined for cluster:


       cluster_port_t



       Default Defined Ports:
                 tcp 5149,40040,50006-50008
                 udp 5149,50006-50008

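       The following script is an added example, not part of the generated
       page. It answers the question a practitioner asks when a cluster
       daemon fails to bind: which port type, if any, covers this
       protocol/port in semanage port -l output, taking ranges such as
       50006-50008 into account. SAMPLE_PORTS is constructed from the
       cluster_port_t entry above plus one unrelated type.

```shell
#!/bin/sh
# Added example, not from the cluster_selinux page or the policy.
# Look up the SELinux port type covering PROTO/PORT in "semanage port -l"
# output. On a real host:   semanage port -l | port_type tcp 5149

# Constructed stand-in for "semanage port -l" output.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

cluster_port_t                 tcp      5149, 40040, 50006-50008
cluster_port_t                 udp      5149, 50006-50008
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Usage: port_type PROTO PORT   (reads semanage output on stdin)
# Prints the first matching type name, or nothing if no type claims the
# port; an unclaimed port carries one of the generic fallback port types,
# which a confined daemon such as cluster_t may be denied binding.
port_type() {
    awk -v proto="$1" -v port="$2" '
    NF >= 3 && $2 == proto {
        for (i = 3; i <= NF; i++) {
            tok = $i; gsub(/,/, "", tok)          # "5149," -> "5149"
            if (tok == "") continue
            if (split(tok, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
            else { lo = tok + 0; hi = lo }        # single port
            if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
        }
    }'
}

# Stand-alone demonstration on the constructed sample.
for spec in "tcp 40040" "udp 40040" "udp 50007" "tcp 443"; do
    set -- $spec
    printf '%s/%s -> %s\n' "$1" "$2" "$(printf '%s\n' "$SAMPLE_PORTS" | port_type "$1" "$2")"
done
```

       When the lookup prints nothing for a port a cluster daemon must
       listen on, label it rather than making the domain permissive:
       semanage port -a -t cluster_port_t -p tcp PORT adds a new port to the
       type (use -m instead of -a if the port already belongs to another
       type).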

MANAGED FILES

       The SELinux process type cluster_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.

       file_type

            all files on the system

       Because every file type carries the file_type attribute, this entry
       means cluster_t may create, read, write and delete files of any type;
       SELinux therefore adds little file-level confinement for the cluster
       daemons beyond what DAC already enforces.


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux cluster policy is very flexible, allowing users to set up their
       cluster processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES


       cluster policy stores data with multiple different file context types
       under the /var/log/pacemaker directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/log/pacemaker /srv/pacemaker
       restorecon -R -v /srv/pacemaker

       STANDARD FILE CONTEXT

       SELinux defines the file context types for the cluster; if you wanted
       to store files with these types in different paths, you need to
       execute the semanage command to specify alternate labeling and then
       use restorecon to put the labels on disk.

       semanage fcontext -a -t cluster_conf_t '/srv/cluster/content(/.*)?'
       restorecon -R -v /srv/cluster/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. The path given to restorecon must fall inside
       the pattern you registered; otherwise the files receive the default
       label for that location rather than cluster_conf_t, and the daemon is
       denied access to them.

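       The following script is an added example, not part of the generated
       page. It previews which paths a file-context specification covers
       before anything is relabeled, for both the equivalence mapping and
       the standard pattern shown above. libselinux anchors every
       specification at both ends, so the regular expression must match the
       whole path; fc_matches reproduces that with grep -E, and
       equiv_rewrite applies a semanage fcontext -e mapping the way the
       labeling code does, by rewriting the prefix before matching. The
       spec and path strings are taken from this page or constructed for the
       example.

```shell
#!/bin/sh
# Added example, not from the cluster_selinux page or the policy.
# Preview file-context matching offline; on a real host confirm with
#   matchpathcon PATH          (label the policy would assign)
#   restorecon -n -v -R PATH   (dry run: show what would change)

# Usage: fc_matches SPEC PATH  -> exit 0 if SPEC covers PATH.
# Specs are anchored at both ends, exactly as libselinux compiles them.
fc_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Usage: equiv_rewrite SOURCE TARGET PATH
# Emulate "semanage fcontext -a -e SOURCE TARGET": a path under TARGET is
# labeled as if it lived under SOURCE, so rewrite the prefix and then match
# the result against the standard specs.
equiv_rewrite() {
    case "$3" in
        "$2"|"$2"/*) printf '%s\n' "$1${3#"$2"}" ;;
        *)           printf '%s\n' "$3" ;;
    esac
}

# Usage: fc_preview SPEC PATH...  -> one "match"/"no match" line per path
fc_preview() {
    spec=$1; shift
    for p in "$@"; do
        if fc_matches "$spec" "$p"; then echo "match     $p"; else echo "no match  $p"; fi
    done
}

# Stand-alone demonstration with paths constructed for the example.
fc_preview '/srv/cluster/content(/.*)?' \
    /srv/cluster/content /srv/cluster/content/cib/cib.xml \
    /srv/cluster/content2 /srv/mycluster_content
rewritten=$(equiv_rewrite /var/log/pacemaker /srv/pacemaker /srv/pacemaker/pacemaker.log)
fc_preview '/var/log/pacemaker(/.*)?' "$rewritten"
```

       Two things the preview makes visible. First, /srv/mycluster_content
       and /srv/cluster/content2 are outside '/srv/cluster/content(/.*)?',
       so running restorecon on either would not apply cluster_conf_t.
       Second, an unescaped dot in a spec is a wildcard: written as
       /var/log/pacemaker.log.* the pattern also covers a name such as
       /var/log/pacemakerXlog, so escape literal dots (\.) in specs you add
       yourself.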
       The following file types are defined for cluster:



       cluster_conf_t

       - Set files with the cluster_conf_t type, if you want to treat the
       files as cluster configuration data, usually stored under the /etc
       directory.



       cluster_exec_t

       - Set files with the cluster_exec_t type, if you want to transition an
       executable to the cluster_t domain.


       Paths:
            /usr/sbin/pcsd, /usr/sbin/aisexec, /usr/lib/pcsd/pcsd,
            /usr/sbin/ccs_tool, /usr/sbin/corosync, /usr/sbin/cpglockd,
            /usr/sbin/cman_tool, /usr/sbin/rgmanager, /usr/sbin/ldirectord,
            /usr/sbin/pacemakerd, /usr/bin/corosync-qnetd,
            /usr/sbin/corosync-cfgtool, /usr/sbin/corosync-notifyd,
            /usr/sbin/corosync-qdevice, /usr/lib/pcs/pcs_snmp_agent,
            /usr/sbin/pacemaker-remoted, /usr/sbin/pacemaker_remoted,
            /usr/lib/heartbeat/heartbeat, /usr/share/corosync/corosync,
            /usr/share/corosync/corosync-qdevice


       cluster_initrc_exec_t

       - Set files with the cluster_initrc_exec_t type, if you want to
       transition an executable to the cluster_initrc_t domain.


       Paths:
            /etc/rc.d/init.d/openais, /etc/rc.d/init.d/corosync,
            /etc/rc.d/init.d/cpglockd, /etc/rc.d/init.d/heartbeat,
            /etc/rc.d/init.d/pacemaker, /etc/rc.d/init.d/rgmanager


       cluster_tmp_t

       - Set files with the cluster_tmp_t type, if you want to store cluster
       temporary files in the /tmp directories.



       cluster_tmpfs_t

       - Set files with the cluster_tmpfs_t type, if you want to store cluster
       files on a tmpfs file system.



       cluster_unit_file_t

       - Set files with the cluster_unit_file_t type, if you want to treat the
       files as cluster unit content.


       Paths:
            /usr/lib/systemd/system/pcsd.*,
            /usr/lib/systemd/system/corosync.*,
            /usr/lib/systemd/system/pacemaker.*,
            /usr/lib/systemd/system/corosync-qnetd.*,
            /usr/lib/systemd/system/corosync-qdevice.*


       cluster_var_lib_t

       - Set files with the cluster_var_lib_t type, if you want to store the
       cluster files under the /var/lib directory.


       Paths:
            /var/lib/pcsd(/.*)?, /var/lib/cluster(/.*)?,
            /var/lib/openais(/.*)?, /var/lib/pengine(/.*)?,
            /var/lib/corosync(/.*)?, /usr/lib/heartbeat(/.*)?,
            /var/lib/heartbeat(/.*)?, /var/lib/pacemaker(/.*)?


       cluster_var_log_t

       - Set files with the cluster_var_log_t type, if you want to treat the
       data as cluster var log data, usually stored under the /var/log
       directory.


       Paths:
            /var/log/ctdb(/.*)?, /var/log/pcsd(/.*)?,
            /var/log/pacemaker(/.*)?, /var/log/pacemaker.log.*,
            /var/log/cluster/aisexec.log.*, /var/log/cluster/corosync.log.*,
            /var/log/cluster/cpglockd.log.*, /var/log/cluster/rgmanager.log.*


       cluster_var_run_t

       - Set files with the cluster_var_run_t type, if you want to store the
       cluster files under the /run or /var/run directory.


       Paths:
            /var/run/crm(/.*)?, /var/run/cman_.*, /var/run/rsctmp(/.*)?,
            /var/run/aisexec.*, /var/run/heartbeat(/.*)?,
            /var/run/pcsd-ruby.socket, /var/run/corosync-qnetd(/.*)?,
            /var/run/corosync-qdevice(/.*)?, /var/run/corosync.pid,
            /var/run/cpglockd.pid, /var/run/rgmanager.pid,
            /var/run/cluster/rgmanager.sk


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), cluster(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



cluster                            23-10-20                 cluster_selinux(8)