phc2sys_selinux(8)          SELinux Policy phc2sys          phc2sys_selinux(8)

NAME

       phc2sys_selinux - Security Enhanced Linux Policy for the phc2sys
       processes

DESCRIPTION

       Security-Enhanced Linux secures the phc2sys processes via flexible
       mandatory access control.

       The phc2sys processes execute with the phc2sys_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep phc2sys_t

ENTRYPOINTS

       The phc2sys_t SELinux type can be entered via the phc2sys_exec_t file
       type.

       The default entrypoint paths for the phc2sys_t domain are the
       following:

       /usr/sbin/phc2sys

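       A phc2sys process only reaches phc2sys_t when its executable carries
       phc2sys_exec_t, so the process check and the entrypoint label are worth
       verifying together. The script below is an added example, not part of
       the generated policy documentation; the ps -eZ and ls -Z samples and
       the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `ps -eZ` output (not taken from a real host).
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:03 systemd
system_u:system_r:phc2sys_t:s0      812 ?        00:00:01 phc2sys
system_u:system_r:unconfined_service_t:s0 977 ? 00:00:00 phc2sys
system_u:system_r:chronyd_t:s0      640 ?        00:00:02 chronyd'

# Constructed samples of `ls -Z /usr/sbin/phc2sys` output.
SAMPLE_LS_GOOD='system_u:object_r:phc2sys_exec_t:s0 /usr/sbin/phc2sys'
SAMPLE_LS_BAD='unconfined_u:object_r:bin_t:s0 /usr/sbin/phc2sys'

# Print the SELinux type (third colon-separated field) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ps -eZ` output on stdin; print "PID TYPE" for every phc2sys process
# that is NOT running in phc2sys_t. A plain grep for phc2sys_t misses these.
phc2sys_outside_domain() {
    awk 'NR > 1 && $NF == "phc2sys" {
        split($1, ctx, ":")
        if (ctx[3] != "phc2sys_t") print $2, ctx[3]
    }'
}

# Read `ls -Z <entrypoint>` output on stdin; succeed only if the file carries
# the phc2sys_exec_t entrypoint type.
entrypoint_labelled() {
    read -r ctx _path
    [ "$(context_type "$ctx")" = "phc2sys_exec_t" ]
}

printf '%s\n' "$SAMPLE_PS" | phc2sys_outside_domain
printf '%s\n' "$SAMPLE_LS_GOOD" | entrypoint_labelled && echo "entrypoint label ok"
printf '%s\n' "$SAMPLE_LS_BAD" | entrypoint_labelled || echo "entrypoint label wrong: run restorecon"
```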

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       phc2sys policy is very flexible, allowing users to set up their phc2sys
       processes in as secure a method as possible.

       The following process types are defined for phc2sys:

       phc2sys_t

       Note: semanage permissive -a phc2sys_t can be used to make the process
       type phc2sys_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

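       Because a permissive phc2sys_t still produces AVC records, those
       records show what enforcing mode would block. The script below is an
       added example, not part of the generated page; the audit records are
       constructed and the function name phc2sys_avc_summary is hypothetical.

```sh
#!/bin/sh
# Constructed audit records (the usual source is /var/log/audit/audit.log).
SAMPLE_AUDIT='type=AVC msg=audit(1697800000.101:301): avc:  denied  { write } for  pid=812 comm="phc2sys" name="example.sock" dev="tmpfs" ino=2201 scontext=system_u:system_r:phc2sys_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1697800005.417:309): avc:  denied  { write } for  pid=812 comm="phc2sys" name="example.sock" dev="tmpfs" ino=2201 scontext=system_u:system_r:phc2sys_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1697800100.020:340): avc:  denied  { read open } for  pid=812 comm="phc2sys" name="example.conf" dev="dm-0" ino=7781 scontext=system_u:system_r:phc2sys_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697800200.555:351): avc:  denied  { read } for  pid=640 comm="chronyd" name="example.conf" dev="dm-0" ino=7781 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read audit records on stdin and print one line per
# "<mode> <tclass> <permission> <count>" for source type phc2sys_t only.
# mode is "logged-only" for permissive=1 (access was allowed but recorded)
# and "denied" for permissive=0 (access was actually blocked).
phc2sys_avc_summary() {
    LC_ALL=C awk '
    /^type=AVC / {
        stype = ""; tclass = ""; mode = ""; denied = 0; inperm = 0; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "denied") denied = 1
            else if ($i == "{") inperm = 1
            else if ($i == "}") inperm = 0
            else if (inperm) perms[++n] = $i          # tokens between { and }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
            else if ($i == "permissive=1") mode = "logged-only"
            else if ($i == "permissive=0") mode = "denied"
        }
        if (denied && stype == "phc2sys_t" && mode != "")
            for (j = 1; j <= n; j++) count[mode " " tclass " " perms[j]]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_AUDIT" | phc2sys_avc_summary
```

       Each "logged-only" line is an access that would fail once the type is
       enforcing again, so it either needs a policy rule or points at
       behaviour that should not be happening.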

BOOLEANS

       SELinux policy is customizable based on least access required. phc2sys
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run phc2sys with the tightest access
       possible.

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

MANAGED FILES

       The SELinux process type phc2sys_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process UID still needs to have DAC
       permissions.

       chronyd_tmpfs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       gpsd_tmpfs_t

       ntpd_tmpfs_t

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       timemaster_tmpfs_t

       timemaster_var_run_t

            /var/run/timemaster(/.*)?

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux phc2sys policy is very flexible, allowing users to set up their
       phc2sys processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for phc2sys. If you want to
       store files with these types in a different path, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t phc2sys_exec_t '/srv/phc2sys/content(/.*)?'
       restorecon -R -v /srv/phc2sys/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for phc2sys:

       phc2sys_exec_t

       - Set files with the phc2sys_exec_t type, if you want to transition an
       executable to the phc2sys_t domain.

       phc2sys_unit_file_t

       - Set files with the phc2sys_unit_file_t type, if you want to treat the
       files as phc2sys unit content.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), phc2sys(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

phc2sys                            23-10-20                 phc2sys_selinux(8)