neutron_selinux(8)

1neutron_selinux(8)          SELinux Policy neutron          neutron_selinux(8)
2
3
4

NAME

6       neutron_selinux  -  Security Enhanced Linux Policy for the neutron pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  neutron  processes  via  flexible
11       mandatory access control.
12
13       The  neutron processes execute with the neutron_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep neutron_t
20
21
22

ENTRYPOINTS

24       The  neutron_t  SELinux type can be entered via the neutron_exec_t file
25       type.
26
27       The default entrypoint paths for the neutron_t domain are  the  follow‐
28       ing:
29
30       /usr/bin/neutron-server,   /usr/bin/quantum-server,   /usr/bin/neutron-
31       l3-agent,     /usr/bin/neutron-rootwrap,     /usr/bin/quantum-l3-agent,
32       /usr/bin/neutron-ryu-agent,  /usr/bin/quantum-ryu-agent,  /usr/bin/neu‐
33       tron-dhcp-agent,  /usr/bin/quantum-dhcp-agent,  /usr/bin/neutron-lbaas-
34       agent,    /usr/bin/neutron-ovs-cleanup,   /usr/bin/quantum-ovs-cleanup,
35       /usr/bin/neutron-netns-cleanup,        /usr/bin/neutron-metadata-agent,
36       /usr/bin/neutron-linuxbridge-agent, /usr/bin/neutron-ns-metadata-proxy,
37       /usr/bin/neutron-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent,
38       /usr/bin/quantum-openvswitch-agent
39

PROCESS TYPES

41       SELinux defines process types (domains) for each process running on the
42       system
43
44       You can see the context of a process using the -Z option to ps
45
46       Policy governs the access confined processes have  to  files.   SELinux
47       neutron  policy  is very flexible allowing users to setup their neutron
48       processes in as secure a method as possible.
49
50       The following process types are defined for neutron:
51
52       neutron_t
53
54       Note: semanage permissive -a neutron_t can be used to make the  process
55       type  neutron_t  permissive. SELinux does not deny access to permissive
56       process types, but the AVC (SELinux denials) messages are still  gener‐
57       ated.
58
59

BOOLEANS

61       SELinux policy is customizable based on least access required.  neutron
62       policy is extremely flexible and has several booleans that allow you to
63       manipulate  the  policy and run neutron with the tightest access possi‐
64       ble.
65
66
67
68       If you want to determine whether neutron can connect to all TCP  ports,
69       you must turn on the neutron_can_network boolean. Disabled by default.
70
71       setsebool -P neutron_can_network 1
72
73
74
75       If  you  want  to  dontaudit all daemons scheduling requests (setsched,
76       sys_nice), you must turn on the  daemons_dontaudit_scheduling  boolean.
77       Enabled by default.
78
79       setsebool -P daemons_dontaudit_scheduling 1
80
81
82
83       If you want to allow all domains to execute in fips_mode, you must turn
84       on the fips_mode boolean. Enabled by default.
85
86       setsebool -P fips_mode 1
87
88
89
90       If you want to allow confined applications to run  with  kerberos,  you
91       must turn on the kerberos_enabled boolean. Enabled by default.
92
93       setsebool -P kerberos_enabled 1
94
95
96
97       If  you  want  to  allow  system  to run with NIS, you must turn on the
98       nis_enabled boolean. Disabled by default.
99
100       setsebool -P nis_enabled 1
101
102
103

PORT TYPES

105       SELinux defines port types to represent TCP and UDP ports.
106
107       You can see the types associated with a port  by  using  the  following
108       command:
109
110       semanage port -l
111
112
113       Policy  governs  the  access  confined  processes  have to these ports.
114       SELinux neutron policy is very flexible allowing users to  setup  their
115       neutron processes in as secure a method as possible.
116
117       The following port types are defined for neutron:
118
119
120       neutron_port_t
121
122
123
124       Default Defined Ports:
125                 tcp 8775,9696,9697
126

MANAGED FILES

128       The  SELinux  process  type neutron_t can manage files labeled with the
129       following file types.  The paths listed are the default paths for these
130       file types.  Note the processes UID still need to have DAC permissions.
131
132       cluster_conf_t
133
134            /etc/cluster(/.*)?
135
136       cluster_var_lib_t
137
138            /var/lib/pcsd(/.*)?
139            /var/lib/cluster(/.*)?
140            /var/lib/openais(/.*)?
141            /var/lib/pengine(/.*)?
142            /var/lib/corosync(/.*)?
143            /usr/lib/heartbeat(/.*)?
144            /var/lib/heartbeat(/.*)?
145            /var/lib/pacemaker(/.*)?
146
147       cluster_var_run_t
148
149            /var/run/crm(/.*)?
150            /var/run/cman_.*
151            /var/run/rsctmp(/.*)?
152            /var/run/aisexec.*
153            /var/run/heartbeat(/.*)?
154            /var/run/pcsd-ruby.socket
155            /var/run/corosync-qnetd(/.*)?
156            /var/run/corosync-qdevice(/.*)?
157            /var/run/corosync.pid
158            /var/run/cpglockd.pid
159            /var/run/rgmanager.pid
160            /var/run/cluster/rgmanager.sk
161
162       faillog_t
163
164            /var/log/btmp.*
165            /var/log/faillog.*
166            /var/log/tallylog.*
167            /var/run/faillock(/.*)?
168
169       ifconfig_var_run_t
170
171            /var/run/netns
172
173       initrc_var_run_t
174
175            /var/run/utmp
176            /var/run/random-seed
177            /var/run/runlevel.dir
178            /var/run/setmixer_flag
179
180       krb5_host_rcache_t
181
182            /var/tmp/krb5_0.rcache2
183            /var/cache/krb5rcache(/.*)?
184            /var/tmp/nfs_0
185            /var/tmp/DNS_25
186            /var/tmp/host_0
187            /var/tmp/imap_0
188            /var/tmp/HTTP_23
189            /var/tmp/HTTP_48
190            /var/tmp/ldap_55
191            /var/tmp/ldap_487
192            /var/tmp/ldapmap1_0
193
194       krb5_keytab_t
195
196            /var/kerberos/krb5(/.*)?
197            /etc/krb5.keytab
198            /etc/krb5kdc/kadm5.keytab
199            /var/kerberos/krb5kdc/kadm5.keytab
200
201       lastlog_t
202
203            /var/log/lastlog.*
204
205       neutron_tmp_t
206
207
208       neutron_var_lib_t
209
210            /var/lib/neutron(/.*)?
211            /var/lib/quantum(/.*)?
212
213       neutron_var_run_t
214
215            /var/run/neutron(/.*)?
216            /var/run/quantum(/.*)?
217
218       root_t
219
220            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
221            /
222            /initrd
223
224       security_t
225
226            /selinux
227
228

FILE CONTEXTS

230       SELinux requires files to have an extended attribute to define the file
231       type.
232
233       You can see the context of a file using the -Z option to ls
234
235       Policy governs the access  confined  processes  have  to  these  files.
236       SELinux  neutron  policy is very flexible allowing users to setup their
237       neutron processes in as secure a method as possible.
238
239       STANDARD FILE CONTEXT
240
241       SELinux defines the file context types for the neutron, if  you  wanted
242       to  store files with these types in a different paths, you need to exe‐
243       cute the semanage command to specify alternate labeling  and  then  use
244       restorecon to put the labels on disk.
245
246       semanage fcontext -a -t neutron_exec_t '/srv/neutron/content(/.*)?'
247       restorecon -R -v /srv/myneutron_content
248
249       Note:  SELinux  often  uses  regular expressions to specify labels that
250       match multiple files.
251
252       The following file types are defined for neutron:
253
254
255
256       neutron_exec_t
257
258       - Set files with the neutron_exec_t type, if you want to transition  an
259       executable to the neutron_t domain.
260
261
262       Paths:
263            /usr/bin/neutron-server,   /usr/bin/quantum-server,  /usr/bin/neu‐
264            tron-l3-agent,    /usr/bin/neutron-rootwrap,     /usr/bin/quantum-
265            l3-agent,  /usr/bin/neutron-ryu-agent, /usr/bin/quantum-ryu-agent,
266            /usr/bin/neutron-dhcp-agent,          /usr/bin/quantum-dhcp-agent,
267            /usr/bin/neutron-lbaas-agent,        /usr/bin/neutron-ovs-cleanup,
268            /usr/bin/quantum-ovs-cleanup,      /usr/bin/neutron-netns-cleanup,
269            /usr/bin/neutron-metadata-agent,     /usr/bin/neutron-linuxbridge-
270            agent, /usr/bin/neutron-ns-metadata-proxy,  /usr/bin/neutron-open‐
271            vswitch-agent,  /usr/bin/quantum-linuxbridge-agent, /usr/bin/quan‐
272            tum-openvswitch-agent
273
274
275       neutron_initrc_exec_t
276
277       - Set files with the neutron_initrc_exec_t type, if you want to transi‐
278       tion an executable to the neutron_initrc_t domain.
279
280
281       Paths:
282            /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*
283
284
285       neutron_log_t
286
287       -  Set files with the neutron_log_t type, if you want to treat the data
288       as neutron log data, usually stored under the /var/log directory.
289
290
291       Paths:
292            /var/log/neutron(/.*)?, /var/log/quantum(/.*)?
293
294
295       neutron_tmp_t
296
297       - Set files with the neutron_tmp_t type, if you want to  store  neutron
298       temporary files in the /tmp directories.
299
300
301
302       neutron_unit_file_t
303
304       - Set files with the neutron_unit_file_t type, if you want to treat the
305       files as neutron unit content.
306
307
308       Paths:
309            /usr/lib/systemd/system/neutron.*,   /usr/lib/systemd/system/quan‐
310            tum.*
311
312
313       neutron_var_lib_t
314
315       -  Set  files with the neutron_var_lib_t type, if you want to store the
316       neutron files under the /var/lib directory.
317
318
319       Paths:
320            /var/lib/neutron(/.*)?, /var/lib/quantum(/.*)?
321
322
323       neutron_var_run_t
324
325       - Set files with the neutron_var_run_t type, if you want to  store  the
326       neutron files under the /run or /var/run directory.
327
328
329       Paths:
330            /var/run/neutron(/.*)?, /var/run/quantum(/.*)?
331
332
333       Note:  File context can be temporarily modified with the chcon command.
334       If you want to permanently change the file context you need to use  the
335       semanage fcontext command.  This will modify the SELinux labeling data‐
336       base.  You will need to use restorecon to apply the labels.
337
338

COMMANDS

340       semanage fcontext can also be used to manipulate default  file  context
341       mappings.
342
343       semanage  permissive  can  also  be used to manipulate whether or not a
344       process type is permissive.
345
346       semanage module can also be used to enable/disable/install/remove  pol‐
347       icy modules.
348
349       semanage port can also be used to manipulate the port definitions
350
351       semanage boolean can also be used to manipulate the booleans
352
353
354       system-config-selinux is a GUI tool available to customize SELinux pol‐
355       icy settings.
356
357

AUTHOR

359       This manual page was auto-generated using sepolicy manpage .
360
361