keystone_selinux(8)         SELinux Policy keystone        keystone_selinux(8)




NAME

       keystone_selinux - Security Enhanced Linux Policy for the keystone
       processes


DESCRIPTION

       Security-Enhanced Linux secures the keystone processes via flexible
       mandatory access control.

       The keystone processes execute with the keystone_t SELinux type. You
       can check whether these processes are running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep keystone_t



ENTRYPOINTS

       The keystone_t SELinux type can be entered via the keystone_exec_t file
       type.

       The default entrypoint paths for the keystone_t domain are the
       following:

       /usr/bin/keystone-all


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       keystone policy is very flexible, allowing users to set up their
       keystone processes in as secure a manner as possible.

       The following process types are defined for keystone:

       keystone_t, keystone_cgi_script_t

       Note: semanage permissive -a keystone_t can be used to make the process
       type keystone_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated, so a permissive domain is useful for collecting denials
       while building a local policy module, not as a long-term setting.
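       The ps -eZ check above only tells you what is running; the question a
       reviewer actually asks is whether every keystone process is in
       keystone_t at all. A keystone-all started by hand from an admin shell
       never passes through the keystone_exec_t entrypoint and runs
       unconfined, so none of this policy applies to it. The following script
       is an added example, not part of this page or of the keystone or
       SELinux projects: it parses ps -eZ output and reports the domain of
       each matching process. The ps listing inside it is constructed, and
       the function names are the editor's own.

```shell
#!/bin/sh
# Audit the domain keystone processes actually run in, from `ps -eZ` output.
# A keystone process outside keystone_t means the domain transition did not
# happen (binary not labelled keystone_exec_t, or started by hand from an
# unconfined shell), so none of the confinement described here applies to it.

# Constructed sample of `ps -eZ` output; not captured from a real host. The
# second keystone-all was launched from an admin shell and stayed unconfined.
SAMPLE_PS='LABEL                                     PID TTY      TIME     CMD
system_u:system_r:keystone_t:s0           1421 ?        00:00:03 keystone-all
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1950 pts/0 00:00:00 keystone-all
system_u:system_r:httpd_t:s0              1102 ?        00:00:01 httpd'

# keystone_domains [PATTERN]: read ps -eZ text on stdin and print "PID type"
# for every process whose command matches PATTERN (default "keystone").
# The type is the third field of the user:role:type:level context.
keystone_domains() {
    awk -v pat="${1:-keystone}" '
        NR > 1 && $NF ~ pat {
            split($1, ctx, ":")
            print $2, ctx[3]
        }'
}

# count_unconfined [PATTERN]: number of matching processes not in keystone_t.
count_unconfined() {
    keystone_domains "$@" | awk '$2 != "keystone_t" { n++ } END { print n + 0 }'
}

# Run against the constructed sample; on a live host use: ps -eZ | keystone_domains
printf '%s\n' "$SAMPLE_PS" | keystone_domains
```

       On a live system pipe the real listing in with ps -eZ | keystone_domains.
       A non-zero count_unconfined means a process bypassed the entrypoint:
       check the binary's label with ls -Z /usr/bin/keystone-all and restart
       the service through its unit or init script rather than from a shell.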



BOOLEANS

       SELinux policy is customizable based on the least access required.
       keystone policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run keystone with the tightest
       access possible.



       If you want to dontaudit all daemons' scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to allow confined applications to run with Kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1



       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1
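       Booleans are persistent (-P) but nothing stops a later administrator
       from flipping one, so a hardened host should compare live values
       against an agreed baseline. The script below is an added example,
       not part of this page or of the SELinux tooling: it reads getsebool
       output and prints the setsebool command for every boolean that has
       drifted. The baseline values (Kerberos on, NIS off, fips_mode on) are
       the editor's assumptions for a keystone host, not values from the
       page, and the getsebool output it parses is constructed.

```shell
#!/bin/sh
# Compare live boolean values against a hardened baseline and print the
# setsebool -P commands needed to converge.

# Assumed baseline (editor's choice, not from the page): the booleans this
# policy exposes, for a host that uses Kerberos but has no NIS.
BASELINE='daemons_dontaudit_scheduling=on,fips_mode=on,kerberos_enabled=on,nis_enabled=off'

# Constructed `getsebool -a` excerpt ("name --> on|off"), not from a real host.
SAMPLE_GETSEBOOL='daemons_dontaudit_scheduling --> on
fips_mode --> off
kerberos_enabled --> on
nis_enabled --> on'

# boolean_drift: read getsebool output on stdin; for every boolean named in
# BASELINE whose live value differs, print the setsebool -P line that fixes it.
boolean_drift() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, pairs, ",")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] {
            print "setsebool -P " $1 " " (want[$1] == "on" ? 1 : 0)
        }'
}

# Run against the constructed sample; on a live host: getsebool -a | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

       The output is a ready-to-run remediation list; review it before
       applying, since a boolean such as nis_enabled widens access for every
       confined domain on the host, not only keystone_t.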




PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l


       Policy governs the access confined processes have to these ports.
       SELinux keystone policy is very flexible, allowing users to set up their
       keystone processes in as secure a manner as possible.

       The following port types are defined for keystone:


       keystone_port_t



       Default Defined Ports:
                 tcp 35357
                 udp 35357
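       If keystone is configured to listen on a port that is not labelled
       keystone_port_t, the bind is denied and the fix is a semanage port
       change, but whether that change is -a (add) or -m (modify) depends on
       whether the port already has an explicit definition for another type.
       The script below is an added example, not part of this page or of
       the semanage tool: it parses semanage port -l output, finds the type
       covering a given port (including lo-hi ranges), and prints the right
       command. The semanage listing it parses is constructed, and the
       function names are the editor's own.

```shell
#!/bin/sh
# Check which SELinux port type owns a port, and print the semanage command
# needed to hand it to keystone_port_t when it is not already labelled.

# Constructed excerpt of `semanage port -l` output (type, proto, then a
# comma-separated list of ports and lo-hi ranges); not from a real host.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
keystone_port_t                tcp      35357
keystone_port_t                udp      35357
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_owner PROTO PORT: read semanage output on stdin and print
# "type lo hi" for the first entry covering PORT/PROTO (nothing if none).
port_owner() {
    awk -v proto="$1" -v port="$2" '
        NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = p; hi = p }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1, lo, hi; exit }
            }
        }'
}

# port_type PROTO PORT: just the owning type.
port_type() {
    port_owner "$1" "$2" | awk '{ print $1 }'
}

# ensure_keystone_port PROTO PORT: print nothing if the port is already
# keystone_port_t. Otherwise print the semanage command: -a adds a new
# definition, but semanage refuses -a when the port already has an explicit
# (single-port) definition, so that case needs -m to change the type.
ensure_keystone_port() {
    set -- "$1" "$2" $(port_owner "$1" "$2")
    if [ "$3" = keystone_port_t ]; then
        return 0
    elif [ -n "$3" ] && [ "$4" = "$5" ]; then
        echo "semanage port -m -t keystone_port_t -p $1 $2   # $2/$1 is currently $3"
    else
        echo "semanage port -a -t keystone_port_t -p $1 $2"
    fi
}

# Run against the constructed sample; on a live host pipe in `semanage port -l`.
printf '%s\n' "$SAMPLE_PORTS" | ensure_keystone_port tcp 5000
```

       A port inside a range such as unreserved_port_t has no explicit entry
       of its own, so -a succeeds there; moving a port that another service
       explicitly owns with -m is a policy decision, since that service then
       loses the right to bind it.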

MANAGED FILES

       The SELinux process type keystone_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       keystone_tmp_t


       keystone_var_lib_t

            /var/lib/keystone(/.*)?

       keystone_var_run_t

            /var/run/keystone(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux keystone policy is very flexible, allowing users to set up their
       keystone processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for keystone. If you want to
       store files with these types under different paths, you need to
       execute the semanage command to record the alternate labeling and then
       use restorecon to put the labels on disk. For example, to keep the
       keystone state directory under /srv/keystone/data instead of
       /var/lib/keystone:

       semanage fcontext -a -t keystone_var_lib_t '/srv/keystone/data(/.*)?'
       restorecon -R -v /srv/keystone/data

       Pick the type that matches the role of the files. keystone_exec_t is
       reserved for the entrypoint binary: every file carrying that label can
       be used to enter the keystone_t domain, so it is not a label for data
       or content directories.

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for keystone:



       keystone_cgi_content_t

       - Set files with the keystone_cgi_content_t type, if you want to treat
       the files as keystone cgi content.



       keystone_cgi_htaccess_t

       - Set files with the keystone_cgi_htaccess_t type, if you want to treat
       the file as a keystone cgi access file.



       keystone_cgi_ra_content_t

       - Set files with the keystone_cgi_ra_content_t type, if you want to
       treat the files as keystone cgi read/append content.



       keystone_cgi_rw_content_t

       - Set files with the keystone_cgi_rw_content_t type, if you want to
       treat the files as keystone cgi read/write content.



       keystone_cgi_script_exec_t

       - Set files with the keystone_cgi_script_exec_t type, if you want to
       transition an executable to the keystone_cgi_script_t domain.



       keystone_exec_t

       - Set files with the keystone_exec_t type, if you want to transition an
       executable to the keystone_t domain.



       keystone_initrc_exec_t

       - Set files with the keystone_initrc_exec_t type, if you want to
       transition an executable to the keystone_initrc_t domain.



       keystone_log_t

       - Set files with the keystone_log_t type, if you want to treat the data
       as keystone log data, usually stored under the /var/log directory.



       keystone_tmp_t

       - Set files with the keystone_tmp_t type, if you want to store keystone
       temporary files in the /tmp directories.



       keystone_unit_file_t

       - Set files with the keystone_unit_file_t type, if you want to treat
       the files as keystone unit content.



       keystone_var_lib_t

       - Set files with the keystone_var_lib_t type, if you want to store the
       keystone files under the /var/lib directory.



       keystone_var_run_t

       - Set files with the keystone_var_run_t type, if you want to store the
       keystone files under the /run or /var/run directory.



       Note: File context can be temporarily modified with the chcon command;
       the next relabel (restorecon, or a filesystem relabel at boot) reverts
       it. If you want to permanently change the file context you need to use
       the semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
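       The two notes above describe the mechanism without showing it: the
       label a file should carry is resolved by matching the whole path
       against the regular expressions in the file context table, and
       restorecon only fixes files whose on-disk label differs from that
       answer. The script below is an added example, not part of this page
       or of libselinux: it resolves the expected type for a path from a
       small table built from the keystone paths on this page and then lists
       mislabelled files from an ls -Z style listing. Two table entries are
       assumptions (a /var/log/keystone path for keystone_log_t, which the
       page names without a path, and the policy's catch-all /.* default_t
       entry), the listing is constructed, and "most specific stem wins" is
       a simplification of how fc_sort orders file_contexts.

```shell
#!/bin/sh
# Resolve the label a path should carry from an fcontext table, then find
# files whose on-disk label differs (the situation restorecon fixes).

# fcontext table built from the keystone paths on this page, plus two
# assumed entries: a /var/log/keystone path for keystone_log_t (the page
# names the type but no path) and the policy's catch-all "/.*  default_t".
FCONTEXT='/usr/bin/keystone-all keystone_exec_t
/var/lib/keystone(/.*)? keystone_var_lib_t
/var/run/keystone(/.*)? keystone_var_run_t
/var/log/keystone(/.*)? keystone_log_t
/.* default_t'

# Constructed `ls -Z`-style listing ("context path"), not from a real host.
# The fernet-keys file was copied in by hand and kept a generic var_lib_t label.
SAMPLE_LS='system_u:object_r:keystone_exec_t:s0 /usr/bin/keystone-all
system_u:object_r:keystone_var_lib_t:s0 /var/lib/keystone/keystone.db
unconfined_u:object_r:var_lib_t:s0 /var/lib/keystone/fernet-keys/0
system_u:object_r:keystone_var_run_t:s0 /var/run/keystone/keystone.pid'

# expected_type PATH: print the type FCONTEXT assigns to PATH. As with
# matchpathcon, the whole path must match the anchored regex; among several
# matches the most specific entry (longest literal stem before the first
# regex metacharacter) wins, with a later entry winning ties.
expected_type() {
    printf '%s\n' "$FCONTEXT" | awk -v path="$1" '
        {
            re = $1; type = $2
            stem = re
            sub(/[][.*?+(){}|^$].*$/, "", stem)
            if (path ~ ("^" re "$") && length(stem) >= best) {
                best = length(stem); want = type
            }
        }
        END { if (want != "") print want }'
}

# mislabelled: read "context path" lines on stdin and print
# "path actual expected" for each file whose type is not the expected one.
mislabelled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual="$(printf '%s\n' "$ctx" | cut -d: -f3)"
        expected="$(expected_type "$path")"
        [ "$actual" = "$expected" ] || echo "$path $actual $expected"
    done
}

# Run against the constructed listing. On a live host the equivalent check
# is: find /var/lib/keystone -exec ls -dZ {} + | mislabelled
printf '%s\n' "$SAMPLE_LS" | mislabelled
```

       The mislabelled fernet key is exactly the case where keystone_t is
       denied access to its own data: the file sits under the right path but
       was created without the path's label. On a real host restorecon -n -v
       on the directory reports the same files, and restorecon without -n
       fixes them.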



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), keystone_cgi_script_selinux(8)



keystone                           23-10-20                keystone_selinux(8)