pki_ra_selinux(8)

1pki_ra_selinux(8)            SELinux Policy pki_ra           pki_ra_selinux(8)
2
3
4

NAME

6       pki_ra_selinux  -  Security  Enhanced  Linux Policy for the pki_ra pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  pki_ra  processes  via  flexible
11       mandatory access control.
12
13       The  pki_ra  processes  execute with the pki_ra_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep pki_ra_t
20
21
22

ENTRYPOINTS

24       The  pki_ra_t  SELinux  type  can be entered via the pki_ra_exec_t file
25       type.
26
27       The default entrypoint paths for the pki_ra_t domain are the following:
28
29       /var/lib/pki-ra/pki-ra
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       pki_ra policy is very flexible allowing users  to  setup  their  pki_ra
39       processes in as secure a method as possible.
40
41       The following process types are defined for pki_ra:
42
43       pki_ra_t
44
45       Note:  semanage  permissive -a pki_ra_t can be used to make the process
46       type pki_ra_t permissive. SELinux does not deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least access required.   pki_ra
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run pki_ra with the tightest access possible.
55
56
57
58       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
59       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
60       Enabled by default.
61
62       setsebool -P daemons_dontaudit_scheduling 1
63
64
65
66       If you want to allow all domains to execute in fips_mode, you must turn
67       on the fips_mode boolean. Enabled by default.
68
69       setsebool -P fips_mode 1
70
71
72
73       If  you  want  to  allow  system  to run with NIS, you must turn on the
74       nis_enabled boolean. Disabled by default.
75
76       setsebool -P nis_enabled 1
77
78
79

PORT TYPES

81       SELinux defines port types to represent TCP and UDP ports.
82
83       You can see the types associated with a port  by  using  the  following
84       command:
85
86       semanage port -l
87
88
89       Policy  governs  the  access  confined  processes  have to these ports.
90       SELinux pki_ra policy is very flexible allowing users  to  setup  their
91       pki_ra processes in as secure a method as possible.
92
93       The following port types are defined for pki_ra:
94
95
96       pki_ra_port_t
97
98
99
100       Default Defined Ports:
101                 tcp 12888-12889
102

MANAGED FILES

104       The  SELinux  process  type  pki_ra_t can manage files labeled with the
105       following file types.  The paths listed are the default paths for these
106       file types.  Note the processes UID still need to have DAC permissions.
107
108       cluster_conf_t
109
110            /etc/cluster(/.*)?
111
112       cluster_var_lib_t
113
114            /var/lib/pcsd(/.*)?
115            /var/lib/cluster(/.*)?
116            /var/lib/openais(/.*)?
117            /var/lib/pengine(/.*)?
118            /var/lib/corosync(/.*)?
119            /usr/lib/heartbeat(/.*)?
120            /var/lib/heartbeat(/.*)?
121            /var/lib/pacemaker(/.*)?
122
123       cluster_var_run_t
124
125            /var/run/crm(/.*)?
126            /var/run/cman_.*
127            /var/run/rsctmp(/.*)?
128            /var/run/aisexec.*
129            /var/run/heartbeat(/.*)?
130            /var/run/pcsd-ruby.socket
131            /var/run/corosync-qnetd(/.*)?
132            /var/run/corosync-qdevice(/.*)?
133            /var/run/corosync.pid
134            /var/run/cpglockd.pid
135            /var/run/rgmanager.pid
136            /var/run/cluster/rgmanager.sk
137
138       krb5_host_rcache_t
139
140            /var/tmp/krb5_0.rcache2
141            /var/cache/krb5rcache(/.*)?
142            /var/tmp/nfs_0
143            /var/tmp/DNS_25
144            /var/tmp/host_0
145            /var/tmp/imap_0
146            /var/tmp/HTTP_23
147            /var/tmp/HTTP_48
148            /var/tmp/ldap_55
149            /var/tmp/ldap_487
150            /var/tmp/ldapmap1_0
151
152       mail_spool_t
153
154            /var/mail(/.*)?
155            /var/spool/imap(/.*)?
156            /var/spool/mail(/.*)?
157            /var/spool/smtpd(/.*)?
158
159       mqueue_spool_t
160
161            /var/spool/(client)?mqueue(/.*)?
162            /var/spool/mqueue.in(/.*)?
163
164       pki_common_t
165
166            /opt/nfast(/.*)?
167
168       pki_ra_etc_rw_t
169
170            /etc/pki-ra(/.*)?
171            /etc/sysconfig/pki/ra(/.*)?
172
173       pki_ra_lock_t
174
175
176       pki_ra_log_t
177
178            /var/log/pki-ra(/.*)?
179
180       pki_ra_tmp_t
181
182
183       pki_ra_var_lib_t
184
185            /var/lib/pki-ra(/.*)?
186
187       pki_ra_var_run_t
188
189            /var/run/pki/ra(/.*)?
190
191       root_t
192
193            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
194            /
195            /initrd
196
197

FILE CONTEXTS

199       SELinux requires files to have an extended attribute to define the file
200       type.
201
202       You can see the context of a file using the -Z option to ls
203
204       Policy governs the access  confined  processes  have  to  these  files.
205       SELinux  pki_ra  policy  is very flexible allowing users to setup their
206       pki_ra processes in as secure a method as possible.
207
208       EQUIVALENCE DIRECTORIES
209
210
211       pki_ra policy stores data with multiple different  file  context  types
212       under  the  /var/lib/pki-ra  directory.  If you would like to store the
213       data in a different directory you can use the semanage command to  cre‐
214       ate an equivalence mapping.  If you wanted to store this data under the
215       /srv directory you would execute the following command:
216
217       semanage fcontext -a -e /var/lib/pki-ra /srv/pki-ra
218       restorecon -R -v /srv/pki-ra
219
220       STANDARD FILE CONTEXT
221
222       SELinux defines the file context types for the pki_ra, if you wanted to
223       store  files with these types in a different paths, you need to execute
224       the semanage command to specify alternate labeling  and  then  use  re‐
225       storecon to put the labels on disk.
226
227       semanage   fcontext   -a   -t   pki_ra_tomcat_exec_t  '/srv/pki_ra/con‐
228       tent(/.*)?'
229       restorecon -R -v /srv/mypki_ra_content
230
231       Note: SELinux often uses regular expressions  to  specify  labels  that
232       match multiple files.
233
234       The following file types are defined for pki_ra:
235
236
237
238       pki_ra_etc_rw_t
239
240       -  Set  files  with  the pki_ra_etc_rw_t type, if you want to treat the
241       files as pki ra etc read/write content.
242
243
244       Paths:
245            /etc/pki-ra(/.*)?, /etc/sysconfig/pki/ra(/.*)?
246
247
248       pki_ra_exec_t
249
250       - Set files with the pki_ra_exec_t type, if you want to  transition  an
251       executable to the pki_ra_t domain.
252
253
254
255       pki_ra_lock_t
256
257       - Set files with the pki_ra_lock_t type, if you want to treat the files
258       as pki ra lock data, stored under the /var/lock directory
259
260
261
262       pki_ra_log_t
263
264       - Set files with the pki_ra_log_t type, if you want to treat  the  data
265       as pki ra log data, usually stored under the /var/log directory.
266
267
268
269       pki_ra_script_exec_t
270
271       -  Set files with the pki_ra_script_exec_t type, if you want to transi‐
272       tion an executable to the pki_ra_script_t domain.
273
274
275
276       pki_ra_tmp_t
277
278       - Set files with the pki_ra_tmp_t type, if you want  to  store  pki  ra
279       temporary files in the /tmp directories.
280
281
282
283       pki_ra_tomcat_exec_t
284
285       -  Set files with the pki_ra_tomcat_exec_t type, if you want to transi‐
286       tion an executable to the pki_ra_tomcat_t domain.
287
288
289
290       pki_ra_var_lib_t
291
292       - Set files with the pki_ra_var_lib_t type, if you want  to  store  the
293       pki ra files under the /var/lib directory.
294
295
296
297       pki_ra_var_run_t
298
299       -  Set  files  with the pki_ra_var_run_t type, if you want to store the
300       pki ra files under the /run or /var/run directory.
301
302
303
304       Note: File context can be temporarily modified with the chcon  command.
305       If  you want to permanently change the file context you need to use the
306       semanage fcontext command.  This will modify the SELinux labeling data‐
307       base.  You will need to use restorecon to apply the labels.
308
309

COMMANDS

311       semanage  fcontext  can also be used to manipulate default file context
312       mappings.
313
314       semanage permissive can also be used to manipulate  whether  or  not  a
315       process type is permissive.
316
317       semanage  module can also be used to enable/disable/install/remove pol‐
318       icy modules.
319
320       semanage port can also be used to manipulate the port definitions
321
322       semanage boolean can also be used to manipulate the booleans
323
324
325       system-config-selinux is a GUI tool available to customize SELinux pol‐
326       icy settings.
327
328

AUTHOR

330       This manual page was auto-generated using sepolicy manpage .
331
332