prelude_selinux(8)          SELinux Policy prelude          prelude_selinux(8)

NAME

       prelude_selinux - Security Enhanced Linux Policy for the prelude
       processes

DESCRIPTION

       Security-Enhanced Linux secures the prelude processes via flexible
       mandatory access control.

       The prelude processes execute with the prelude_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep prelude_t

ENTRYPOINTS

       The prelude_t SELinux type can be entered via the prelude_exec_t file
       type.

       The default entrypoint paths for the prelude_t domain are the
       following:

       /usr/bin/prelude-manager

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       prelude policy is very flexible, allowing users to set up their prelude
       processes as securely as possible.

       The following process types are defined for prelude:

       prelude_t, prelude_audisp_t, prelude_correlator_t, prelude_lml_t

       Note: semanage permissive -a prelude_t can be used to make the process
       type prelude_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
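
       Added example (not part of the generated policy page): a shell check
       that reads ps -eZ output and reports prelude daemons running outside
       the four process types listed above. The command-name patterns and the
       sample ps output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the policy package.
# Domains taken from the "process types" list on this page.
PRELUDE_DOMAINS="prelude_t prelude_audisp_t prelude_correlator_t prelude_lml_t"

# Reads `ps -eZ` output on stdin and prints "PID COMMAND TYPE" for every
# prelude-looking process whose SELinux type is not one of PRELUDE_DOMAINS.
# Assumption: prelude daemons are named prelude-* or audisp-prelude.
prelude_outside_domains() {
    awk -v domains="$PRELUDE_DOMAINS" '
        BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        $1 == "LABEL" { next }                  # ps header line
        {
            cmd = $NF
            if (cmd !~ /^prelude-/ && cmd != "audisp-prelude") next
            split($1, ctx, ":")                 # user:role:type:level
            if (!(ctx[3] in ok)) print $2, cmd, ctx[3]
        }'
}

# Constructed sample of `ps -eZ` output (ps truncates long command names).
sample_ps() {
    cat <<'EOF'
LABEL                                      PID TTY      TIME     CMD
system_u:system_r:prelude_t:s0             1201 ?       00:00:03 prelude-manager
system_u:system_r:prelude_lml_t:s0         1215 ?       00:00:01 prelude-lml
system_u:system_r:prelude_audisp_t:s0      1230 ?       00:00:00 audisp-prelude
system_u:system_r:unconfined_service_t:s0  1300 ?       00:00:00 prelude-correla
system_u:system_r:sshd_t:s0-s0:c0.c1023    1410 ?       00:00:00 sshd
EOF
}

# On a live host: ps -eZ | prelude_outside_domains
sample_ps | prelude_outside_domains
```

       A process reported here is not confined by the prelude policy, so
       check the label of its executable before relying on the rules
       described on this page.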

BOOLEANS

       SELinux policy is customizable based on least access required. prelude
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run prelude with the tightest access
       possible.

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux prelude policy is very flexible, allowing users to set up their
       prelude processes as securely as possible.

       The following port types are defined for prelude:

       prelude_port_t

       Default Defined Ports:
                 tcp 4690
                 udp 4690
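
       Added example (not part of the generated policy page): a shell check
       that reads semanage port -l output and reports where prelude_port_t
       differs from the defaults listed above. The function names and the
       sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the policy package.
# Reads `semanage port -l` output on stdin; prints "proto port" for each
# port (or port range) assigned to prelude_port_t, one per line, sorted.
prelude_ports() {
    awk '$1 == "prelude_port_t" {
        for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); print $2, p }
    }' | sort
}

# Compares against the defaults on this page (tcp 4690, udp 4690).
# Prints "- proto port" for a missing default, "+ proto port" for an extra one.
prelude_port_drift() {
    actual=$(prelude_ports)
    for pair in "tcp 4690" "udp 4690"; do
        printf '%s\n' "$actual" | grep -qxF "$pair" || echo "- $pair"
    done
    printf '%s\n' "$actual" | while read -r proto port; do
        case "$proto $port" in
            " "|"tcp 4690"|"udp 4690") ;;       # empty input or a default
            *) echo "+ $proto $port" ;;
        esac
    done
}

# Constructed sample of `semanage port -l` output with one local addition.
sample_ports() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

prelude_port_t                 tcp      4690, 5553
prelude_port_t                 udp      4690
ssh_port_t                     tcp      22
EOF
}

# On a live host: semanage port -l | prelude_port_drift
sample_ports | prelude_port_drift
```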

MANAGED FILES

       The SELinux process type prelude_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       prelude_spool_t

            /var/spool/prelude(/.*)?
            /var/spool/prelude-manager(/.*)?

       prelude_var_lib_t

            /var/lib/prelude-lml(/.*)?

       prelude_var_run_t

            /var/run/prelude-manager(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux prelude policy is very flexible, allowing users to set up their
       prelude processes as securely as possible.

       EQUIVALENCE DIRECTORIES

       prelude policy stores data with multiple different file context types
       under the /var/spool/prelude directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/spool/prelude /srv/prelude
       restorecon -R -v /srv/prelude
       STANDARD FILE CONTEXT

       SELinux defines the file context types for prelude. If you want to
       store files with these types in a different path, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t prelude_exec_t '/srv/prelude/content(/.*)?'
       restorecon -R -v /srv/prelude/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for prelude:

       prelude_audisp_exec_t

       - Set files with the prelude_audisp_exec_t type, if you want to
       transition an executable to the prelude_audisp_t domain.

       Paths:
            /sbin/audisp-prelude, /usr/sbin/audisp-prelude


       prelude_audisp_var_run_t

       - Set files with the prelude_audisp_var_run_t type, if you want to
       store the prelude audisp files under the /run or /var/run directory.


       prelude_correlator_config_t

       - Set files with the prelude_correlator_config_t type, if you want to
       treat the files as prelude correlator configuration data, usually
       stored under the /etc directory.


       prelude_correlator_exec_t

       - Set files with the prelude_correlator_exec_t type, if you want to
       transition an executable to the prelude_correlator_t domain.


       prelude_exec_t

       - Set files with the prelude_exec_t type, if you want to transition an
       executable to the prelude_t domain.


       prelude_initrc_exec_t

       - Set files with the prelude_initrc_exec_t type, if you want to
       transition an executable to the prelude_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/prelude-lml, /etc/rc.d/init.d/prelude-manager,
            /etc/rc.d/init.d/prelude-correlator


       prelude_lml_exec_t

       - Set files with the prelude_lml_exec_t type, if you want to transition
       an executable to the prelude_lml_t domain.


       prelude_lml_tmp_t

       - Set files with the prelude_lml_tmp_t type, if you want to store
       prelude lml temporary files in the /tmp directories.


       prelude_lml_var_run_t

       - Set files with the prelude_lml_var_run_t type, if you want to store
       the prelude lml files under the /run or /var/run directory.


       prelude_log_t

       - Set files with the prelude_log_t type, if you want to treat the data
       as prelude log data, usually stored under the /var/log directory.


       prelude_spool_t

       - Set files with the prelude_spool_t type, if you want to store the
       prelude files under the /var/spool directory.

       Paths:
            /var/spool/prelude(/.*)?, /var/spool/prelude-manager(/.*)?


       prelude_var_lib_t

       - Set files with the prelude_var_lib_t type, if you want to store the
       prelude files under the /var/lib directory.


       prelude_var_run_t

       - Set files with the prelude_var_run_t type, if you want to store the
       prelude files under the /run or /var/run directory.


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), prelude_audisp_selinux(8),
       prelude_correlator_selinux(8), prelude_lml_selinux(8)

prelude                            23-10-20                 prelude_selinux(8)