1qm_selinux(8) SELinux Policy qm qm_selinux(8)
2
6 qm_selinux - Security Enhanced Linux Policy for the qm processes
7
9 Security-Enhanced Linux secures the qm processes via flexible mandatory
10 access control.
11 The qm processes execute with the qm_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15 For example:
17 ps -eZ | grep qm_t
19
23 The qm_t SELinux type can be entered via the qm_file_type file type.
24 The default entrypoint paths for the qm_t domain are the following:
26
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux qm
36 policy is very flexible allowing users to setup their qm processes in
37 as secure a method as possible.
38 The following process types are defined for qm:
40 qm_t, qm_container_t, qm_container_kvm_t, qm_container_init_t, qmail_clean_t, qmail_inject_t, qmail_local_t, qmail_lspawn_t, qmail_queue_t, qmail_remote_t, qmail_rspawn_t, qmail_send_t, qmail_smtpd_t, qmail_splogger_t, qmail_start_t, qmail_tcp_env_t
42 Note: semanage permissive -a qm_t can be used to make the process type
44 qm_t permissive. SELinux does not deny access to permissive process
45 types, but the AVC (SELinux denials) messages are still generated.
46
49 SELinux policy is customizable based on least access required. qm pol‐
50 icy is extremely flexible and has several booleans that allow you to
51 manipulate the policy and run qm with the tightest access possible.
52 If you want to allow all domains to execute in fips_mode, you must turn
56 on the fips_mode boolean. Enabled by default.
57 setsebool -P fips_mode 1
59
63 The SELinux process type qm_t can manage files labeled with the follow‐
64 ing file types. The paths listed are the default paths for these file
65 types. Note the processes UID still need to have DAC permissions.
66 cgroup_t
68 /sys/fs/cgroup
70 initrc_tmp_t
72 mnt_t
75 /mnt(/[^/]*)?
77 /mnt(/[^/]*)?
78 /rhev(/[^/]*)?
79 /rhev/[^/]*/.*
80 /media(/[^/]*)?
81 /media(/[^/]*)?
82 /media/.hal-.*
83 /var/run/media(/[^/]*)?
84 /afs
85 /net
86 /misc
87 /rhev
88 net_conf_t
90 /etc/hosts[^/]*
92 /etc/yp.conf.*
93 /etc/denyhosts.*
94 /etc/hosts.deny.*
95 /etc/resolv.conf.*
96 /etc/.resolv.conf.*
97 /etc/resolv-secure.conf.*
98 /var/run/cloud-init(/.*)?
99 /var/run/systemd/network(/.*)?
100 /etc/sysconfig/networking(/.*)?
101 /etc/sysconfig/network-scripts(/.*)?
102 /etc/sysconfig/network-scripts/.*resolv.conf
103 /var/run/NetworkManager/resolv.conf.*
104 /etc/ethers
105 /etc/ntp.conf
106 /var/run/systemd/resolve/resolv.conf
107 /var/run/systemd/resolve/stub-resolv.conf
108 /var/run/NetworkManager/no-stub-resolv.conf
109 qm_file_type
111 security_t
114 /selinux
116 tmp_t
118 /sandbox(/.*)?
120 /tmp
121 /usr/tmp
122 /var/tmp
123 /var/tmp
124 /tmp-inst
125 /var/tmp-inst
126 /var/tmp/tmp-inst
127 /var/tmp/vi.recover
128
131 SELinux requires files to have an extended attribute to define the file
132 type.
133 You can see the context of a file using the -Z option to ls
135 Policy governs the access confined processes have to these files.
137 SELinux qm policy is very flexible allowing users to setup their qm
138 processes in as secure a method as possible.
139 STANDARD FILE CONTEXT
141 SELinux defines the file context types for the qm, if you wanted to
143 store files with these types in a different paths, you need to execute
144 the semanage command to specify alternate labeling and then use re‐
145 storecon to put the labels on disk.
146 semanage fcontext -a -t qm_file_t '/srv/qm/content(/.*)?'
148 restorecon -R -v /srv/myqm_content
149 Note: SELinux often uses regular expressions to specify labels that
151 match multiple files.
152 The following file types are defined for qm:
154 qm_container_file_t
158 - Set files with the qm_container_file_t type, if you want to treat the
160 files as qm container content.
161 qm_container_kvm_var_run_t
165 - Set files with the qm_container_kvm_var_run_t type, if you want to
167 store the qm container kvm files under the /run or /var/run directory.
168 qm_container_ro_file_t
172 - Set files with the qm_container_ro_file_t type, if you want to treat
174 the files as qm container ro content.
175 Paths:
178 /usr/lib/qm/rootfs/var/lib/containers/storage/overlay(/.*)?,
179 /usr/lib/qm/rootfs/var/lib/containers/storage/overlay2(/.*)?,
180 /usr/lib/qm/rootfs/var/lib/containers/storage/overlay-im‐
181 ages(/.*)?, /usr/lib/qm/rootfs/var/lib/containers/storage/overlay-
182 layers(/.*)?, /usr/lib/qm/rootfs/var/lib/containers/storage/over‐
183 lay2-images(/.*)?, /usr/lib/qm/rootfs/var/lib/containers/stor‐
184 age/overlay2-layers(/.*)?
185 qm_container_var_lib_t
188 - Set files with the qm_container_var_lib_t type, if you want to store
190 the qm container files under the /var/lib directory.
191 qm_file_t
195 - Set files with the qm_file_t type, if you want to treat the files as
197 qm content.
198 qmail_alias_home_t
202 - Set files with the qmail_alias_home_t type, if you want to store
204 qmail alias files in the users home directory.
205 Paths:
208 /var/qmail/alias(/.*)?, /var/qmail/alias
209 qmail_clean_exec_t
212 - Set files with the qmail_clean_exec_t type, if you want to transition
214 an executable to the qmail_clean_t domain.
215 qmail_etc_t
219 - Set files with the qmail_etc_t type, if you want to store qmail files
221 in the /etc directories.
222 Paths:
225 /var/qmail/owners(/.*)?, /var/qmail/control(/.*)?
226 qmail_exec_t
229 - Set files with the qmail_exec_t type, if you want to transition an
231 executable to the qmail_t domain.
232 qmail_inject_exec_t
236 - Set files with the qmail_inject_exec_t type, if you want to transi‐
238 tion an executable to the qmail_inject_t domain.
239 qmail_keytab_t
243 - Set files with the qmail_keytab_t type, if you want to treat the
245 files as kerberos keytab files.
246 qmail_local_exec_t
250 - Set files with the qmail_local_exec_t type, if you want to transition
252 an executable to the qmail_local_t domain.
253 qmail_lspawn_exec_t
257 - Set files with the qmail_lspawn_exec_t type, if you want to transi‐
259 tion an executable to the qmail_lspawn_t domain.
260 qmail_queue_exec_t
264 - Set files with the qmail_queue_exec_t type, if you want to transition
266 an executable to the qmail_queue_t domain.
267 qmail_remote_exec_t
271 - Set files with the qmail_remote_exec_t type, if you want to transi‐
273 tion an executable to the qmail_remote_t domain.
274 qmail_rspawn_exec_t
278 - Set files with the qmail_rspawn_exec_t type, if you want to transi‐
280 tion an executable to the qmail_rspawn_t domain.
281 qmail_send_exec_t
285 - Set files with the qmail_send_exec_t type, if you want to transition
287 an executable to the qmail_send_t domain.
288 qmail_smtpd_exec_t
292 - Set files with the qmail_smtpd_exec_t type, if you want to transition
294 an executable to the qmail_smtpd_t domain.
295 qmail_splogger_exec_t
299 - Set files with the qmail_splogger_exec_t type, if you want to transi‐
301 tion an executable to the qmail_splogger_t domain.
302 qmail_spool_t
306 - Set files with the qmail_spool_t type, if you want to store the qmail
308 files under the /var/spool directory.
309 qmail_start_exec_t
313 - Set files with the qmail_start_exec_t type, if you want to transition
315 an executable to the qmail_start_t domain.
316 qmail_tcp_env_exec_t
320 - Set files with the qmail_tcp_env_exec_t type, if you want to transi‐
322 tion an executable to the qmail_tcp_env_t domain.
323 Note: File context can be temporarily modified with the chcon command.
327 If you want to permanently change the file context you need to use the
328 semanage fcontext command. This will modify the SELinux labeling data‐
329 base. You will need to use restorecon to apply the labels.
330
333 semanage fcontext can also be used to manipulate default file context
334 mappings.
335 semanage permissive can also be used to manipulate whether or not a
337 process type is permissive.
338 semanage module can also be used to enable/disable/install/remove pol‐
340 icy modules.
341 semanage boolean can also be used to manipulate the booleans
343 system-config-selinux is a GUI tool available to customize SELinux pol‐
346 icy settings.
347
350 This manual page was auto-generated using sepolicy manpage .
351
354 selinux(8), qm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
355 setsebool(8), qm_container_selinux(8), qm_container_selinux(8), qm_con‐
356 tainer_init_selinux(8), qm_container_init_selinux(8), qm_con‐
357 tainer_kvm_selinux(8), qm_container_kvm_selinux(8)
358qm 23-04-12 qm_selinux(8)