cyrus_selinux(8)

1cyrus_selinux(8)             SELinux Policy cyrus             cyrus_selinux(8)
2
3
4

NAME

6       cyrus_selinux - Security Enhanced Linux Policy for the cyrus processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the cyrus processes via flexible manda‐
10       tory access control.
11
12       The cyrus processes execute with the  cyrus_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep cyrus_t
19
20
21

ENTRYPOINTS

23       The cyrus_t SELinux type can be entered via the cyrus_exec_t file type.
24
25       The default entrypoint paths for the cyrus_t domain are the following:
26
27       /usr/lib/cyrus/master, /usr/libexec/cyrus-imapd/master, /usr/lib/cyrus-
28       imapd/cyrus-master, /usr/libexec/cyrus-imapd/cyrus-master
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       cyrus  policy is very flexible allowing users to setup their cyrus pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for cyrus:
41
42       cyrus_t
43
44       Note: semanage permissive -a cyrus_t can be used to  make  the  process
45       type  cyrus_t  permissive.  SELinux  does not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is customizable based on least access required.  cyrus
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run cyrus with the tightest access possible.
54
55
56
57       If  you  want  to  dontaudit all daemons scheduling requests (setsched,
58       sys_nice), you must turn on the  daemons_dontaudit_scheduling  boolean.
59       Enabled by default.
60
61       setsebool -P daemons_dontaudit_scheduling 1
62
63
64
65       If you want to allow all domains to execute in fips_mode, you must turn
66       on the fips_mode boolean. Enabled by default.
67
68       setsebool -P fips_mode 1
69
70
71
72       If you want to allow system to run with  NIS,  you  must  turn  on  the
73       nis_enabled boolean. Disabled by default.
74
75       setsebool -P nis_enabled 1
76
77
78

PORT TYPES

80       SELinux defines port types to represent TCP and UDP ports.
81
82       You  can  see  the  types associated with a port by using the following
83       command:
84
85       semanage port -l
86
87
88       Policy governs the access  confined  processes  have  to  these  ports.
89       SELinux  cyrus  policy  is  very flexible allowing users to setup their
90       cyrus processes in as secure a method as possible.
91
92       The following port types are defined for cyrus:
93
94
95       cyrus_imapd_port_t
96
97
98
99       Default Defined Ports:
100                 tcp 2005
101

MANAGED FILES

103       The SELinux process type cyrus_t can manage files labeled with the fol‐
104       lowing  file  types.   The paths listed are the default paths for these
105       file types.  Note the processes UID still need to have DAC permissions.
106
107       cluster_conf_t
108
109            /etc/cluster(/.*)?
110
111       cluster_var_lib_t
112
113            /var/lib/pcsd(/.*)?
114            /var/lib/cluster(/.*)?
115            /var/lib/openais(/.*)?
116            /var/lib/pengine(/.*)?
117            /var/lib/corosync(/.*)?
118            /usr/lib/heartbeat(/.*)?
119            /var/lib/heartbeat(/.*)?
120            /var/lib/pacemaker(/.*)?
121
122       cluster_var_run_t
123
124            /var/run/crm(/.*)?
125            /var/run/cman_.*
126            /var/run/rsctmp(/.*)?
127            /var/run/aisexec.*
128            /var/run/heartbeat(/.*)?
129            /var/run/pcsd-ruby.socket
130            /var/run/corosync-qnetd(/.*)?
131            /var/run/corosync-qdevice(/.*)?
132            /var/run/corosync.pid
133            /var/run/cpglockd.pid
134            /var/run/rgmanager.pid
135            /var/run/cluster/rgmanager.sk
136
137       cyrus_tmp_t
138
139
140       cyrus_var_lib_t
141
142            /var/imap(/.*)?
143            /var/lib/imap(/.*)?
144
145       cyrus_var_run_t
146
147            /var/run/cyrus.*
148
149       krb5_host_rcache_t
150
151            /var/tmp/krb5_0.rcache2
152            /var/cache/krb5rcache(/.*)?
153            /var/tmp/nfs_0
154            /var/tmp/DNS_25
155            /var/tmp/host_0
156            /var/tmp/imap_0
157            /var/tmp/HTTP_23
158            /var/tmp/HTTP_48
159            /var/tmp/ldap_55
160            /var/tmp/ldap_487
161            /var/tmp/ldapmap1_0
162
163       mail_spool_t
164
165            /var/mail(/.*)?
166            /var/spool/imap(/.*)?
167            /var/spool/mail(/.*)?
168            /var/spool/smtpd(/.*)?
169
170       root_t
171
172            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
173            /
174            /initrd
175
176       snmpd_var_lib_t
177
178            /var/agentx(/.*)?
179            /var/net-snmp(/.*)
180            /var/lib/snmp(/.*)?
181            /var/net-snmp(/.*)?
182            /var/lib/net-snmp(/.*)?
183            /var/spool/snmptt(/.*)?
184            /usr/share/snmp/mibs/.index
185
186

FILE CONTEXTS

188       SELinux requires files to have an extended attribute to define the file
189       type.
190
191       You can see the context of a file using the -Z option to ls
192
193       Policy  governs  the  access  confined  processes  have to these files.
194       SELinux cyrus policy is very flexible allowing  users  to  setup  their
195       cyrus processes in as secure a method as possible.
196
197       STANDARD FILE CONTEXT
198
199       SELinux  defines the file context types for the cyrus, if you wanted to
200       store files with these types in a different paths, you need to  execute
201       the  semanage  command  to  specify alternate labeling and then use re‐
202       storecon to put the labels on disk.
203
204       semanage fcontext -a -t cyrus_exec_t '/srv/cyrus/content(/.*)?'
205       restorecon -R -v /srv/mycyrus_content
206
207       Note: SELinux often uses regular expressions  to  specify  labels  that
208       match multiple files.
209
210       The following file types are defined for cyrus:
211
212
213
214       cyrus_exec_t
215
216       -  Set  files  with the cyrus_exec_t type, if you want to transition an
217       executable to the cyrus_t domain.
218
219
220       Paths:
221            /usr/lib/cyrus/master,            /usr/libexec/cyrus-imapd/master,
222            /usr/lib/cyrus-imapd/cyrus-master, /usr/libexec/cyrus-imapd/cyrus-
223            master
224
225
226       cyrus_initrc_exec_t
227
228       - Set files with the cyrus_initrc_exec_t type, if you want  to  transi‐
229       tion an executable to the cyrus_initrc_t domain.
230
231
232
233       cyrus_keytab_t
234
235       -  Set  files  with  the  cyrus_keytab_t type, if you want to treat the
236       files as kerberos keytab files.
237
238
239
240       cyrus_tmp_t
241
242       - Set files with the cyrus_tmp_t type, if you want to store cyrus  tem‐
243       porary files in the /tmp directories.
244
245
246
247       cyrus_var_lib_t
248
249       -  Set  files  with  the cyrus_var_lib_t type, if you want to store the
250       cyrus files under the /var/lib directory.
251
252
253       Paths:
254            /var/imap(/.*)?, /var/lib/imap(/.*)?
255
256
257       cyrus_var_run_t
258
259       - Set files with the cyrus_var_run_t type, if you  want  to  store  the
260       cyrus files under the /run or /var/run directory.
261
262
263
264       Note:  File context can be temporarily modified with the chcon command.
265       If you want to permanently change the file context you need to use  the
266       semanage fcontext command.  This will modify the SELinux labeling data‐
267       base.  You will need to use restorecon to apply the labels.
268
269

COMMANDS

271       semanage fcontext can also be used to manipulate default  file  context
272       mappings.
273
274       semanage  permissive  can  also  be used to manipulate whether or not a
275       process type is permissive.
276
277       semanage module can also be used to enable/disable/install/remove  pol‐
278       icy modules.
279
280       semanage port can also be used to manipulate the port definitions
281
282       semanage boolean can also be used to manipulate the booleans
283
284
285       system-config-selinux is a GUI tool available to customize SELinux pol‐
286       icy settings.
287
288

AUTHOR

290       This manual page was auto-generated using sepolicy manpage .
291
292