1pegasus_selinux(8)          SELinux Policy pegasus          pegasus_selinux(8)
2
3
4

NAME

6       pegasus_selinux  -  Security Enhanced Linux Policy for the pegasus pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  pegasus  processes  via  flexible
11       mandatory access control.
12
13       The  pegasus processes execute with the pegasus_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep pegasus_t
20
21
22

ENTRYPOINTS

24       The  pegasus_t  SELinux type can be entered via the pegasus_exec_t file
25       type.
26
27       The default entrypoint paths for the pegasus_t domain are  the  follow‐
28       ing:
29
30       /usr/sbin/cimserver, /usr/sbin/init_repository
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       pegasus  policy  is very flexible allowing users to setup their pegasus
40       processes in as secure a method as possible.
41
42       The following process types are defined for pegasus:
43
44       pegasus_t, pegasus_openlmi_admin_t, pegasus_openlmi_account_t, pegasus_openlmi_logicalfile_t, pegasus_openlmi_services_t, pegasus_openlmi_storage_t, pegasus_openlmi_system_t, pegasus_openlmi_unconfined_t
45
46       Note: semanage permissive -a pegasus_t can be used to make the  process
47       type  pegasus_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  pegasus
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run pegasus with the tightest access possi‐
56       ble.
57
58
59
60       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
61       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
62       Enabled by default.
63
64       setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to  allow  system  to run with NIS, you must turn on the
76       nis_enabled boolean. Disabled by default.
77
78       setsebool -P nis_enabled 1
79
80
81

PORT TYPES

83       SELinux defines port types to represent TCP and UDP ports.
84
85       You can see the types associated with a port  by  using  the  following
86       command:
87
88       semanage port -l
89
90
91       Policy  governs  the  access  confined  processes  have to these ports.
92       SELinux pegasus policy is very flexible allowing users to  setup  their
93       pegasus processes in as secure a method as possible.
94
95       The following port types are defined for pegasus:
96
97
98       pegasus_http_port_t
99
100
101
102       Default Defined Ports:
103                 tcp 5988
104
105
106       pegasus_https_port_t
107
108
109
110       Default Defined Ports:
111                 tcp 5989
112

MANAGED FILES

114       The  SELinux  process  type pegasus_t can manage files labeled with the
115       following file types.  The paths listed are the default paths for these
116       file types.  Note the processes UID still need to have DAC permissions.
117
118       cluster_conf_t
119
120            /etc/cluster(/.*)?
121
122       cluster_var_lib_t
123
124            /var/lib/pcsd(/.*)?
125            /var/lib/cluster(/.*)?
126            /var/lib/openais(/.*)?
127            /var/lib/pengine(/.*)?
128            /var/lib/corosync(/.*)?
129            /usr/lib/heartbeat(/.*)?
130            /var/lib/heartbeat(/.*)?
131            /var/lib/pacemaker(/.*)?
132
133       cluster_var_run_t
134
135            /var/run/crm(/.*)?
136            /var/run/cman_.*
137            /var/run/rsctmp(/.*)?
138            /var/run/aisexec.*
139            /var/run/heartbeat(/.*)?
140            /var/run/pcsd-ruby.socket
141            /var/run/corosync-qnetd(/.*)?
142            /var/run/corosync-qdevice(/.*)?
143            /var/run/corosync.pid
144            /var/run/cpglockd.pid
145            /var/run/rgmanager.pid
146            /var/run/cluster/rgmanager.sk
147
148       faillog_t
149
150            /var/log/btmp.*
151            /var/log/faillog.*
152            /var/log/tallylog.*
153            /var/run/faillock(/.*)?
154
155       initrc_var_run_t
156
157            /var/run/utmp
158            /var/run/random-seed
159            /var/run/runlevel.dir
160            /var/run/setmixer_flag
161
162       krb5_host_rcache_t
163
164            /var/tmp/krb5_0.rcache2
165            /var/cache/krb5rcache(/.*)?
166            /var/tmp/nfs_0
167            /var/tmp/DNS_25
168            /var/tmp/host_0
169            /var/tmp/imap_0
170            /var/tmp/HTTP_23
171            /var/tmp/HTTP_48
172            /var/tmp/ldap_55
173            /var/tmp/ldap_487
174            /var/tmp/ldapmap1_0
175
176       krb5_keytab_t
177
178            /var/kerberos/krb5(/.*)?
179            /etc/krb5.keytab
180            /etc/krb5kdc/kadm5.keytab
181            /var/kerberos/krb5kdc/kadm5.keytab
182
183       pegasus_cache_t
184
185
186       pegasus_data_t
187
188            /var/lib/Pegasus(/.*)?
189            /etc/Pegasus/pegasus_current.conf
190            /etc/Pegasus/cimserver_current.conf
191
192       pegasus_tmp_t
193
194
195       pegasus_var_run_t
196
197            /var/run/tog-pegasus(/.*)?
198
199       root_t
200
201            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
202            /
203            /initrd
204
205       sysfs_t
206
207            /sys(/.*)?
208
209       virt_etc_rw_t
210
211            /etc/xen/.*/.*
212            /etc/xen/[^/]*
213            /etc/libvirt/.*/.*
214            /etc/libvirt/[^/]*
215
216       virt_etc_t
217
218            /etc/xen/[^/]*
219            /etc/libvirt/[^/]*
220            /etc/xen
221            /etc/libvirt
222
223

FILE CONTEXTS

225       SELinux requires files to have an extended attribute to define the file
226       type.
227
228       You can see the context of a file using the -Z option to ls
229
230       Policy governs the access  confined  processes  have  to  these  files.
231       SELinux  pegasus  policy is very flexible allowing users to setup their
232       pegasus processes in as secure a method as possible.
233
234       STANDARD FILE CONTEXT
235
236       SELinux defines the file context types for the pegasus, if  you  wanted
237       to  store files with these types in a different paths, you need to exe‐
238       cute the semanage command to specify alternate labeling  and  then  use
239       restorecon to put the labels on disk.
240
241       semanage fcontext -a -t pegasus_exec_t '/srv/pegasus/content(/.*)?'
242       restorecon -R -v /srv/mypegasus_content
243
244       Note:  SELinux  often  uses  regular expressions to specify labels that
245       match multiple files.
246
247       The following file types are defined for pegasus:
248
249
250
251       pegasus_cache_t
252
253       - Set files with the pegasus_cache_t type, if you  want  to  store  the
254       files under the /var/cache directory.
255
256
257
258       pegasus_conf_t
259
260       -  Set  files  with  the  pegasus_conf_t type, if you want to treat the
261       files as pegasus configuration data, usually stored under the /etc  di‐
262       rectory.
263
264
265
266       pegasus_data_t
267
268       -  Set  files  with  the  pegasus_data_t type, if you want to treat the
269       files as pegasus content.
270
271
272       Paths:
273            /var/lib/Pegasus(/.*)?,         /etc/Pegasus/pegasus_current.conf,
274            /etc/Pegasus/cimserver_current.conf
275
276
277       pegasus_exec_t
278
279       -  Set files with the pegasus_exec_t type, if you want to transition an
280       executable to the pegasus_t domain.
281
282
283       Paths:
284            /usr/sbin/cimserver, /usr/sbin/init_repository
285
286
287       pegasus_mof_t
288
289       - Set files with the pegasus_mof_t type, if you want to treat the files
290       as pegasus mof data.
291
292
293
294       pegasus_openlmi_account_exec_t
295
296       -  Set  files with the pegasus_openlmi_account_exec_t type, if you want
297       to transition an executable to the pegasus_openlmi_account_t domain.
298
299
300
301       pegasus_openlmi_admin_exec_t
302
303       - Set files with the pegasus_openlmi_admin_exec_t type, if you want  to
304       transition an executable to the pegasus_openlmi_admin_t domain.
305
306
307       Paths:
308            /usr/libexec/pegasus/cmpiLMI_Service-cimprovagt,  /usr/libexec/pe‐
309            gasus/cmpiLMI_Journald-cimprovagt
310
311
312       pegasus_openlmi_logicalfile_exec_t
313
314       - Set files with the pegasus_openlmi_logicalfile_exec_t  type,  if  you
315       want  to  transition an executable to the pegasus_openlmi_logicalfile_t
316       domain.
317
318
319
320       pegasus_openlmi_services_exec_t
321
322       - Set files with the pegasus_openlmi_services_exec_t type, if you  want
323       to transition an executable to the pegasus_openlmi_services_t domain.
324
325
326
327       pegasus_openlmi_storage_exec_t
328
329       -  Set  files with the pegasus_openlmi_storage_exec_t type, if you want
330       to transition an executable to the pegasus_openlmi_storage_t domain.
331
332
333       Paths:
334            /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt, /usr/libexec/pe‐
335            gasus/pycmpiLMI_Storage-cimprovagt
336
337
338       pegasus_openlmi_storage_lib_t
339
340       - Set files with the pegasus_openlmi_storage_lib_t type, if you want to
341       treat the files as pegasus openlmi storage lib data.
342
343
344
345       pegasus_openlmi_storage_tmp_t
346
347       - Set files with the pegasus_openlmi_storage_tmp_t type, if you want to
348       store pegasus openlmi storage temporary files in the /tmp directories.
349
350
351
352       pegasus_openlmi_storage_var_run_t
353
354       -  Set  files  with  the pegasus_openlmi_storage_var_run_t type, if you
355       want to store the pegasus openlmi  storage  files  under  the  /run  or
356       /var/run directory.
357
358
359
360       pegasus_openlmi_system_exec_t
361
362       - Set files with the pegasus_openlmi_system_exec_t type, if you want to
363       transition an executable to the pegasus_openlmi_system_t domain.
364
365
366       Paths:
367            /usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt,    /usr/libexec/pega‐
368            sus/cmpiLMI_Networking-cimprovagt,              /usr/libexec/pega‐
369            sus/cmpiLMI_PowerManagement-cimprovagt
370
371
372       pegasus_openlmi_unconfined_exec_t
373
374       - Set files with the  pegasus_openlmi_unconfined_exec_t  type,  if  you
375       want  to  transition  an executable to the pegasus_openlmi_unconfined_t
376       domain.
377
378
379
380       pegasus_tmp_t
381
382       - Set files with the pegasus_tmp_t type, if you want to  store  pegasus
383       temporary files in the /tmp directories.
384
385
386
387       pegasus_var_run_t
388
389       -  Set  files with the pegasus_var_run_t type, if you want to store the
390       pegasus files under the /run or /var/run directory.
391
392
393
394       Note: File context can be temporarily modified with the chcon  command.
395       If  you want to permanently change the file context you need to use the
396       semanage fcontext command.  This will modify the SELinux labeling data‐
397       base.  You will need to use restorecon to apply the labels.
398
399

COMMANDS

401       semanage  fcontext  can also be used to manipulate default file context
402       mappings.
403
404       semanage permissive can also be used to manipulate  whether  or  not  a
405       process type is permissive.
406
407       semanage  module can also be used to enable/disable/install/remove pol‐
408       icy modules.
409
410       semanage port can also be used to manipulate the port definitions
411
412       semanage boolean can also be used to manipulate the booleans
413
414
415       system-config-selinux is a GUI tool available to customize SELinux pol‐
416       icy settings.
417
418

AUTHOR

420       This manual page was auto-generated using sepolicy manpage .
421
422

SEE ALSO

424       selinux(8),  pegasus(8),  semanage(8),  restorecon(8), chcon(1), sepol‐
425       icy(8),   setsebool(8),    pegasus_openlmi_account_selinux(8),    pega‐
426       sus_openlmi_account_selinux(8), pegasus_openlmi_admin_selinux(8), pega‐
427       sus_openlmi_admin_selinux(8),   pegasus_openlmi_logicalfile_selinux(8),
428       pegasus_openlmi_logicalfile_selinux(8),            pegasus_openlmi_ser‐
429       vices_selinux(8),      pegasus_openlmi_services_selinux(8),       pega‐
430       sus_openlmi_storage_selinux(8), pegasus_openlmi_storage_selinux(8), pe‐
431       gasus_openlmi_system_selinux(8), pegasus_openlmi_system_selinux(8), pe‐
432       gasus_openlmi_unconfined_selinux(8),             pegasus_openlmi_uncon‐
433       fined_selinux(8)
434
435
436
437pegasus                            23-10-20                 pegasus_selinux(8)
Impressum