insights_client_selinux(8)

1insights_client_selinux(8S)ELinux Policy insights_clienitnsights_client_selinux(8)
2
3
4

NAME

6       insights_client_selinux  -  Security  Enhanced Linux Policy for the in‐
7       sights_client processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the insights_client processes via flex‐
11       ible mandatory access control.
12
13       The   insights_client  processes  execute  with  the  insights_client_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep insights_client_t
20
21
22

ENTRYPOINTS

24       The   insights_client_t  SELinux  type  can  be  entered  via  the  in‐
25       sights_client_exec_t file type.
26
27       The default entrypoint paths for the insights_client_t domain  are  the
28       following:
29
30       /usr/bin/insights-client, /usr/bin/redhat-access-insights
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       insights_client  policy  is very flexible allowing users to setup their
40       insights_client processes in as secure a method as possible.
41
42       The following process types are defined for insights_client:
43
44       insights_client_t
45
46       Note: semanage permissive -a insights_client_t can be used to make  the
47       process type insights_client_t permissive. SELinux does not deny access
48       to permissive process types, but the AVC (SELinux denials) messages are
49       still generated.
50
51

BOOLEANS

53       SELinux  policy  is  customizable  based on least access required.  in‐
54       sights_client policy is extremely flexible  and  has  several  booleans
55       that  allow  you  to manipulate the policy and run insights_client with
56       the tightest access possible.
57
58
59
60       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
61       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
62       Enabled by default.
63
64       setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68       If you want to deny user domains applications to map a memory region as
69       both  executable  and  writable,  this  is dangerous and the executable
70       should be reported in bugzilla, you must turn on the deny_execmem bool‐
71       ean. Disabled by default.
72
73       setsebool -P deny_execmem 1
74
75
76
77       If  you  want  to control the ability to mmap a low area of the address
78       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
79       the mmap_low_allowed boolean. Disabled by default.
80
81       setsebool -P mmap_low_allowed 1
82
83
84
85       If  you  want  to  allow  system  to run with NIS, you must turn on the
86       nis_enabled boolean. Disabled by default.
87
88       setsebool -P nis_enabled 1
89
90
91
92       If you want to disable kernel module loading, you must turn on the  se‐
93       cure_mode_insmod boolean. Disabled by default.
94
95       setsebool -P secure_mode_insmod 1
96
97
98
99       If  you  want to allow unconfined executables to make their heap memory
100       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
101       badly  coded  executable, but could indicate an attack. This executable
102       should be reported in bugzilla, you must turn  on  the  selinuxuser_ex‐
103       echeap boolean. Disabled by default.
104
105       setsebool -P selinuxuser_execheap 1
106
107
108
109       If  you  want  to allow unconfined executables to make their stack exe‐
110       cutable.  This should never, ever be necessary.  Probably  indicates  a
111       badly  coded  executable, but could indicate an attack. This executable
112       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
113       stack boolean. Enabled by default.
114
115       setsebool -P selinuxuser_execstack 1
116
117
118

MANAGED FILES

120       The  SELinux  process  type  insights_client_t can manage files labeled
121       with the following file types.  The paths listed are the default  paths
122       for  these  file  types.  Note the processes UID still need to have DAC
123       permissions.
124
125       file_type
126
127            all files on the system
128
129

FILE CONTEXTS

131       SELinux requires files to have an extended attribute to define the file
132       type.
133
134       You can see the context of a file using the -Z option to ls
135
136       Policy  governs  the  access  confined  processes  have to these files.
137       SELinux insights_client policy is very flexible allowing users to setup
138       their insights_client processes in as secure a method as possible.
139
140       EQUIVALENCE DIRECTORIES
141
142
143       insights_client policy stores data with multiple different file context
144       types under the /var/cache/insights directory.  If you  would  like  to
145       store  the  data in a different directory you can use the semanage com‐
146       mand to create an equivalence mapping.  If you  wanted  to  store  this
147       data under the /srv directory you would execute the following command:
148
149       semanage fcontext -a -e /var/cache/insights /srv/insights
150       restorecon -R -v /srv/insights
151
152       insights_client policy stores data with multiple different file context
153       types under the /var/tmp/insights-client directory.  If you would  like
154       to  store  the  data  in a different directory you can use the semanage
155       command to create an equivalence mapping.  If you wanted to store  this
156       data under the /srv directory you would execute the following command:
157
158       semanage fcontext -a -e /var/tmp/insights-client /srv/insights-client
159       restorecon -R -v /srv/insights-client
160
161       STANDARD FILE CONTEXT
162
163       SELinux  defines the file context types for the insights_client, if you
164       wanted to store files with these types in a different paths,  you  need
165       to  execute the semanage command to specify alternate labeling and then
166       use restorecon to put the labels on disk.
167
168       semanage    fcontext    -a    -t    insights_client_exec_t    '/srv/in‐
169       sights_client/content(/.*)?'
170       restorecon -R -v /srv/myinsights_client_content
171
172       Note:  SELinux  often  uses  regular expressions to specify labels that
173       match multiple files.
174
175       The following file types are defined for insights_client:
176
177
178
179       insights_client_cache_t
180
181       - Set files with the insights_client_cache_t type, if you want to store
182       the files under the /var/cache directory.
183
184
185       Paths:
186            /var/cache/insights(/.*)?, /var/cache/insights-client(/.*)?
187
188
189       insights_client_etc_rw_t
190
191       -  Set  files  with  the  insights_client_etc_rw_t type, if you want to
192       treat the files as insights client etc read/write content.
193
194
195       Paths:
196            /etc/insights-client/machine-id, /etc/insights-client/.cache.json,
197            /etc/insights-client/.lastupload,     /etc/insights-client/.regis‐
198            tered,     /etc/insights-client/.unregistered,      /etc/insights-
199            client/.cache.json.asc,  /etc/insights-client/.insights-core.etag,
200            /etc/insights-client/.last-upload.results,          /etc/insights-
201            client/.insights-core-gpg-sig.etag, /etc/insights-client/insights-
202            client-egg-release
203
204
205       insights_client_etc_t
206
207       - Set files with the insights_client_etc_t type, if you want  to  store
208       insights client files in the /etc directories.
209
210
211       Paths:
212            /etc/insights-client/[^/]+, /etc/insights-client
213
214
215       insights_client_exec_t
216
217       -  Set files with the insights_client_exec_t type, if you want to tran‐
218       sition an executable to the insights_client_t domain.
219
220
221       Paths:
222            /usr/bin/insights-client, /usr/bin/redhat-access-insights
223
224
225       insights_client_tmp_t
226
227       - Set files with the insights_client_tmp_t type, if you want  to  store
228       insights client temporary files in the /tmp directories.
229
230
231       Paths:
232            /var/tmp/insights-client(/.*)?,         /tmp/insights-client.ppid,
233            /var/tmp/insights-client.ppid
234
235
236       insights_client_tmpfs_t
237
238       - Set files with the insights_client_tmpfs_t type, if you want to store
239       insights client files on a tmpfs file system.
240
241
242
243       insights_client_unit_file_t
244
245       -  Set  files with the insights_client_unit_file_t type, if you want to
246       treat the files as insights client unit content.
247
248
249
250       insights_client_var_lib_t
251
252       - Set files with the insights_client_var_lib_t type,  if  you  want  to
253       store the insights client files under the /var/lib directory.
254
255
256
257       insights_client_var_lock_t
258
259       -  Set  files  with the insights_client_var_lock_t type, if you want to
260       treat the files as insights client var  lock  data,  stored  under  the
261       /var/lock directory
262
263
264
265       insights_client_var_log_t
266
267       -  Set  files  with  the insights_client_var_log_t type, if you want to
268       treat the data as insights client var log data,  usually  stored  under
269       the /var/log directory.
270
271
272
273       insights_client_var_run_t
274
275       -  Set  files  with  the insights_client_var_run_t type, if you want to
276       store the insights client files under the /run or /var/run directory.
277
278
279
280       Note: File context can be temporarily modified with the chcon  command.
281       If  you want to permanently change the file context you need to use the
282       semanage fcontext command.  This will modify the SELinux labeling data‐
283       base.  You will need to use restorecon to apply the labels.
284
285

COMMANDS

287       semanage  fcontext  can also be used to manipulate default file context
288       mappings.
289
290       semanage permissive can also be used to manipulate  whether  or  not  a
291       process type is permissive.
292
293       semanage  module can also be used to enable/disable/install/remove pol‐
294       icy modules.
295
296       semanage boolean can also be used to manipulate the booleans
297
298
299       system-config-selinux is a GUI tool available to customize SELinux pol‐
300       icy settings.
301
302

AUTHOR

304       This manual page was auto-generated using sepolicy manpage .
305
306