1apcupsd_selinux(8) SELinux Policy apcupsd apcupsd_selinux(8)
2
3
4
6 apcupsd_selinux - Security Enhanced Linux Policy for the apcupsd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the apcupsd processes via flexible
11 mandatory access control.
12
13 The apcupsd processes execute with the apcupsd_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep apcupsd_t
20
21
22
24 The apcupsd_t SELinux type can be entered via the apcupsd_exec_t file
25 type.
26
27 The default entrypoint paths for the apcupsd_t domain are the follow‐
28 ing:
29
30 /sbin/apcupsd, /usr/sbin/apcupsd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 apcupsd policy is very flexible allowing users to setup their apcupsd
40 processes in as secure a method as possible.
41
42 The following process types are defined for apcupsd:
43
44 apcupsd_t, apcupsd_cgi_script_t
45
46 Note: semanage permissive -a apcupsd_t can be used to make the process
47 type apcupsd_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. apcupsd
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run apcupsd with the tightest access possi‐
56 ble.
57
58
59
60 If you want to dontaudit all daemons scheduling requests (setsched,
61 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
62 Enabled by default.
63
64 setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow system to run with NIS, you must turn on the
76 nis_enabled boolean. Disabled by default.
77
78 setsebool -P nis_enabled 1
79
80
81
83 SELinux defines port types to represent TCP and UDP ports.
84
85 You can see the types associated with a port by using the following
86 command:
87
88 semanage port -l
89
90
91 Policy governs the access confined processes have to these ports.
92 SELinux apcupsd policy is very flexible allowing users to setup their
93 apcupsd processes in as secure a method as possible.
94
95 The following port types are defined for apcupsd:
96
97
98 apcupsd_port_t
99
100
101
102 Default Defined Ports:
103 tcp 3551
104 udp 3551
105
107 The SELinux process type apcupsd_t can manage files labeled with the
108 following file types. The paths listed are the default paths for these
109 file types. Note the processes UID still need to have DAC permissions.
110
111 apcupsd_lock_t
112
113 /var/lock/LCK..
114 /var/lock/subsys/apcupsd
115
116 apcupsd_log_t
117
118 /var/log/apcupsd.events.*
119 /var/log/apcupsd.status.*
120
121 apcupsd_power_t
122
123 /etc/apcupsd/powerfail
124
125 apcupsd_tmp_t
126
127
128 apcupsd_var_run_t
129
130 /var/run/apcupsd.pid
131
132 cluster_conf_t
133
134 /etc/cluster(/.*)?
135
136 cluster_var_lib_t
137
138 /var/lib/pcsd(/.*)?
139 /var/lib/cluster(/.*)?
140 /var/lib/openais(/.*)?
141 /var/lib/pengine(/.*)?
142 /var/lib/corosync(/.*)?
143 /usr/lib/heartbeat(/.*)?
144 /var/lib/heartbeat(/.*)?
145 /var/lib/pacemaker(/.*)?
146
147 cluster_var_run_t
148
149 /var/run/crm(/.*)?
150 /var/run/cman_.*
151 /var/run/rsctmp(/.*)?
152 /var/run/aisexec.*
153 /var/run/heartbeat(/.*)?
154 /var/run/pcsd-ruby.socket
155 /var/run/corosync-qnetd(/.*)?
156 /var/run/corosync-qdevice(/.*)?
157 /var/run/corosync.pid
158 /var/run/cpglockd.pid
159 /var/run/rgmanager.pid
160 /var/run/cluster/rgmanager.sk
161
162 initrc_var_run_t
163
164 /var/run/utmp
165 /var/run/random-seed
166 /var/run/runlevel.dir
167 /var/run/setmixer_flag
168
169 krb5_host_rcache_t
170
171 /var/tmp/krb5_0.rcache2
172 /var/cache/krb5rcache(/.*)?
173 /var/tmp/nfs_0
174 /var/tmp/DNS_25
175 /var/tmp/host_0
176 /var/tmp/imap_0
177 /var/tmp/HTTP_23
178 /var/tmp/HTTP_48
179 /var/tmp/ldap_55
180 /var/tmp/ldap_487
181 /var/tmp/ldapmap1_0
182
183 root_t
184
185 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
186 /
187 /initrd
188
189 systemd_passwd_var_run_t
190
191 /var/run/systemd/ask-password(/.*)?
192 /var/run/systemd/ask-password-block(/.*)?
193
194
196 SELinux requires files to have an extended attribute to define the file
197 type.
198
199 You can see the context of a file using the -Z option to ls
200
201 Policy governs the access confined processes have to these files.
202 SELinux apcupsd policy is very flexible allowing users to setup their
203 apcupsd processes in as secure a method as possible.
204
205 STANDARD FILE CONTEXT
206
207 SELinux defines the file context types for the apcupsd, if you wanted
208 to store files with these types in a different paths, you need to exe‐
209 cute the semanage command to specify alternate labeling and then use
210 restorecon to put the labels on disk.
211
212 semanage fcontext -a -t apcupsd_exec_t '/srv/apcupsd/content(/.*)?'
213 restorecon -R -v /srv/myapcupsd_content
214
215 Note: SELinux often uses regular expressions to specify labels that
216 match multiple files.
217
218 The following file types are defined for apcupsd:
219
220
221
222 apcupsd_cgi_content_t
223
224 - Set files with the apcupsd_cgi_content_t type, if you want to treat
225 the files as apcupsd cgi content.
226
227
228
229 apcupsd_cgi_htaccess_t
230
231 - Set files with the apcupsd_cgi_htaccess_t type, if you want to treat
232 the file as a apcupsd cgi access file.
233
234
235
236 apcupsd_cgi_ra_content_t
237
238 - Set files with the apcupsd_cgi_ra_content_t type, if you want to
239 treat the files as apcupsd cgi read/append content.
240
241
242
243 apcupsd_cgi_rw_content_t
244
245 - Set files with the apcupsd_cgi_rw_content_t type, if you want to
246 treat the files as apcupsd cgi read/write content.
247
248
249
250 apcupsd_cgi_script_exec_t
251
252 - Set files with the apcupsd_cgi_script_exec_t type, if you want to
253 transition an executable to the apcupsd_cgi_script_t domain.
254
255
256 Paths:
257 /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon.cgi,
258 /var/www/apcupsd/upsimage.cgi, /var/www/apcupsd/upsstats.cgi,
259 /var/www/apcupsd/upsfstats.cgi
260
261
262 apcupsd_exec_t
263
264 - Set files with the apcupsd_exec_t type, if you want to transition an
265 executable to the apcupsd_t domain.
266
267
268 Paths:
269 /sbin/apcupsd, /usr/sbin/apcupsd
270
271
272 apcupsd_initrc_exec_t
273
274 - Set files with the apcupsd_initrc_exec_t type, if you want to transi‐
275 tion an executable to the apcupsd_initrc_t domain.
276
277
278
279 apcupsd_lock_t
280
281 - Set files with the apcupsd_lock_t type, if you want to treat the
282 files as apcupsd lock data, stored under the /var/lock directory
283
284
285 Paths:
286 /var/lock/LCK.., /var/lock/subsys/apcupsd
287
288
289 apcupsd_log_t
290
291 - Set files with the apcupsd_log_t type, if you want to treat the data
292 as apcupsd log data, usually stored under the /var/log directory.
293
294
295 Paths:
296 /var/log/apcupsd.events.*, /var/log/apcupsd.status.*
297
298
299 apcupsd_power_t
300
301 - Set files with the apcupsd_power_t type, if you want to treat the
302 files as apcupsd power data.
303
304
305
306 apcupsd_tmp_t
307
308 - Set files with the apcupsd_tmp_t type, if you want to store apcupsd
309 temporary files in the /tmp directories.
310
311
312
313 apcupsd_unit_file_t
314
315 - Set files with the apcupsd_unit_file_t type, if you want to treat the
316 files as apcupsd unit content.
317
318
319
320 apcupsd_var_run_t
321
322 - Set files with the apcupsd_var_run_t type, if you want to store the
323 apcupsd files under the /run or /var/run directory.
324
325
326
327 Note: File context can be temporarily modified with the chcon command.
328 If you want to permanently change the file context you need to use the
329 semanage fcontext command. This will modify the SELinux labeling data‐
330 base. You will need to use restorecon to apply the labels.
331
332
334 semanage fcontext can also be used to manipulate default file context
335 mappings.
336
337 semanage permissive can also be used to manipulate whether or not a
338 process type is permissive.
339
340 semanage module can also be used to enable/disable/install/remove pol‐
341 icy modules.
342
343 semanage port can also be used to manipulate the port definitions
344
345 semanage boolean can also be used to manipulate the booleans
346
347
348 system-config-selinux is a GUI tool available to customize SELinux pol‐
349 icy settings.
350
351
353 This manual page was auto-generated using sepolicy manpage .
354
355
357 selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1), sepol‐
358 icy(8), setsebool(8), apcupsd_cgi_script_selinux(8)
359
360
361
362apcupsd 23-12-15 apcupsd_selinux(8)