1pcp_pmlogger_selinux(8)   SELinux Policy pcp_pmlogger  pcp_pmlogger_selinux(8)
2
3
4

NAME

6       pcp_pmlogger_selinux  -  Security Enhanced Linux Policy for the pcp_pm‐
7       logger processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the pcp_pmlogger processes via flexible
11       mandatory access control.
12
13       The  pcp_pmlogger  processes  execute  with  the pcp_pmlogger_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep pcp_pmlogger_t
20
21
22

ENTRYPOINTS

24       The  pcp_pmlogger_t  SELinux  type  can  be  entered via the pcp_pmlog‐
25       ger_exec_t file type.
26
27       The default entrypoint paths for the pcp_pmlogger_t domain are the fol‐
28       lowing:
29
30       /usr/bin/pmlogger,                         /usr/share/pcp/lib/pmlogger,
31       /usr/libexec/pcp/bin/pmlogger
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       pcp_pmlogger policy is very flexible  allowing  users  to  setup  their
41       pcp_pmlogger processes in as secure a method as possible.
42
43       The following process types are defined for pcp_pmlogger:
44
45       pcp_pmlogger_t
46
47       Note:  semanage  permissive  -a  pcp_pmlogger_t can be used to make the
48       process type pcp_pmlogger_t permissive. SELinux does not deny access to
49       permissive  process  types,  but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux policy is customizable based on least access required.  pcp_pm‐
55       logger policy is extremely flexible and has several booleans that allow
56       you to manipulate the policy and run pcp_pmlogger with the tightest ac‐
57       cess possible.
58
59
60
61       If  you  want  to  dontaudit all daemons scheduling requests (setsched,
62       sys_nice), you must turn on the  daemons_dontaudit_scheduling  boolean.
63       Enabled by default.
64
65       setsebool -P daemons_dontaudit_scheduling 1
66
67
68
69       If you want to allow all domains to execute in fips_mode, you must turn
70       on the fips_mode boolean. Enabled by default.
71
72       setsebool -P fips_mode 1
73
74
75
76       If you want to allow system to run with  NIS,  you  must  turn  on  the
77       nis_enabled boolean. Disabled by default.
78
79       setsebool -P nis_enabled 1
80
81
82
83       If you want to allow pcp to bind to all unreserved_ports, you must turn
84       on the pcp_bind_all_unreserved_ports boolean. Disabled by default.
85
86       setsebool -P pcp_bind_all_unreserved_ports 1
87
88
89

MANAGED FILES

91       The SELinux process type pcp_pmlogger_t can manage files  labeled  with
92       the  following  file types.  The paths listed are the default paths for
93       these file types.  Note the processes UID still need to have  DAC  per‐
94       missions.
95
96       cluster_conf_t
97
98            /etc/cluster(/.*)?
99
100       cluster_var_lib_t
101
102            /var/lib/pcsd(/.*)?
103            /var/lib/cluster(/.*)?
104            /var/lib/openais(/.*)?
105            /var/lib/pengine(/.*)?
106            /var/lib/corosync(/.*)?
107            /usr/lib/heartbeat(/.*)?
108            /var/lib/heartbeat(/.*)?
109            /var/lib/pacemaker(/.*)?
110
111       cluster_var_run_t
112
113            /var/run/crm(/.*)?
114            /var/run/cman_.*
115            /var/run/rsctmp(/.*)?
116            /var/run/aisexec.*
117            /var/run/heartbeat(/.*)?
118            /var/run/pcsd-ruby.socket
119            /var/run/corosync-qnetd(/.*)?
120            /var/run/corosync-qdevice(/.*)?
121            /var/run/corosync.pid
122            /var/run/cpglockd.pid
123            /var/run/rgmanager.pid
124            /var/run/cluster/rgmanager.sk
125
126       krb5_host_rcache_t
127
128            /var/tmp/krb5_0.rcache2
129            /var/cache/krb5rcache(/.*)?
130            /var/tmp/nfs_0
131            /var/tmp/DNS_25
132            /var/tmp/host_0
133            /var/tmp/imap_0
134            /var/tmp/HTTP_23
135            /var/tmp/HTTP_48
136            /var/tmp/ldap_55
137            /var/tmp/ldap_487
138            /var/tmp/ldapmap1_0
139
140       pcp_log_t
141
142            /var/log/pcp(/.*)?
143
144       pcp_tmp_t
145
146
147       pcp_tmpfs_t
148
149
150       pcp_var_lib_t
151
152            /var/lib/pcp(/.*)?
153
154       pcp_var_run_t
155
156            /var/run/pcp(/.*)?
157            /var/run/pmcd.socket
158            /var/run/pmlogger.primary.socket
159
160       root_t
161
162            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
163            /
164            /initrd
165
166       systemd_passwd_var_run_t
167
168            /var/run/systemd/ask-password(/.*)?
169            /var/run/systemd/ask-password-block(/.*)?
170
171

FILE CONTEXTS

173       SELinux requires files to have an extended attribute to define the file
174       type.
175
176       You can see the context of a file using the -Z option to ls
177
178       Policy governs the access  confined  processes  have  to  these  files.
179       SELinux  pcp_pmlogger  policy  is very flexible allowing users to setup
180       their pcp_pmlogger processes in as secure a method as possible.
181
182       STANDARD FILE CONTEXT
183
184       SELinux defines the file context types for  the  pcp_pmlogger,  if  you
185       wanted  to  store files with these types in a different paths, you need
186       to execute the semanage command to specify alternate labeling and  then
187       use restorecon to put the labels on disk.
188
189       semanage  fcontext  -a  -t  pcp_pmlogger_exec_t '/srv/pcp_pmlogger/con‐
190       tent(/.*)?'
191       restorecon -R -v /srv/mypcp_pmlogger_content
192
193       Note: SELinux often uses regular expressions  to  specify  labels  that
194       match multiple files.
195
196       The following file types are defined for pcp_pmlogger:
197
198
199
200       pcp_pmlogger_exec_t
201
202       -  Set  files with the pcp_pmlogger_exec_t type, if you want to transi‐
203       tion an executable to the pcp_pmlogger_t domain.
204
205
206       Paths:
207            /usr/bin/pmlogger,                    /usr/share/pcp/lib/pmlogger,
208            /usr/libexec/pcp/bin/pmlogger
209
210
211       pcp_pmlogger_initrc_exec_t
212
213       -  Set  files  with the pcp_pmlogger_initrc_exec_t type, if you want to
214       transition an executable to the pcp_pmlogger_initrc_t domain.
215
216
217       Paths:
218            /etc/rc.d/init.d/pmlogger, /usr/libexec/pcp/lib/pmlogger
219
220
221       Note: File context can be temporarily modified with the chcon  command.
222       If  you want to permanently change the file context you need to use the
223       semanage fcontext command.  This will modify the SELinux labeling data‐
224       base.  You will need to use restorecon to apply the labels.
225
226

COMMANDS

228       semanage  fcontext  can also be used to manipulate default file context
229       mappings.
230
231       semanage permissive can also be used to manipulate  whether  or  not  a
232       process type is permissive.
233
234       semanage  module can also be used to enable/disable/install/remove pol‐
235       icy modules.
236
237       semanage boolean can also be used to manipulate the booleans
238
239
240       system-config-selinux is a GUI tool available to customize SELinux pol‐
241       icy settings.
242
243

AUTHOR

245       This manual page was auto-generated using sepolicy manpage .
246
247

SEE ALSO

249       selinux(8),  pcp_pmlogger(8), semanage(8), restorecon(8), chcon(1), se‐
250       policy(8), setsebool(8)
251
252
253
254pcp_pmlogger                       23-10-20            pcp_pmlogger_selinux(8)
Impressum