1ctdbd_selinux(8) SELinux Policy ctdbd ctdbd_selinux(8)
2
3
4
6 ctdbd_selinux - Security Enhanced Linux Policy for the ctdbd processes
7
9 Security-Enhanced Linux secures the ctdbd processes via flexible manda‐
10 tory access control.
11
12 The ctdbd processes execute with the ctdbd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep ctdbd_t
19
20
21
23 The ctdbd_t SELinux type can be entered via the ctdbd_exec_t file type.
24
25 The default entrypoint paths for the ctdbd_t domain are the following:
26
27 /etc/ctdb/events.d/.*, /usr/sbin/ctdbd, /usr/sbin/ctdbd_wrapper
28
30 SELinux defines process types (domains) for each process running on the
31 system
32
33 You can see the context of a process using the -Z option to ps
34
35 Policy governs the access confined processes have to files. SELinux
36 ctdbd policy is very flexible allowing users to setup their ctdbd pro‐
37 cesses in as secure a method as possible.
38
39 The following process types are defined for ctdbd:
40
41 ctdbd_t
42
43 Note: semanage permissive -a ctdbd_t can be used to make the process
44 type ctdbd_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
48
50 SELinux policy is customizable based on least access required. ctdbd
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run ctdbd with the tightest access possible.
53
54
55
56 If you want to dontaudit all daemons scheduling requests (setsched,
57 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
58 Enabled by default.
59
60 setsebool -P daemons_dontaudit_scheduling 1
61
62
63
64 If you want to allow all domains to execute in fips_mode, you must turn
65 on the fips_mode boolean. Enabled by default.
66
67 setsebool -P fips_mode 1
68
69
70
71 If you want to allow system to run with NIS, you must turn on the
72 nis_enabled boolean. Disabled by default.
73
74 setsebool -P nis_enabled 1
75
76
77
79 SELinux defines port types to represent TCP and UDP ports.
80
81 You can see the types associated with a port by using the following
82 command:
83
84 semanage port -l
85
86
87 Policy governs the access confined processes have to these ports.
88 SELinux ctdbd policy is very flexible allowing users to setup their ct‐
89 dbd processes in as secure a method as possible.
90
91 The following port types are defined for ctdbd:
92
93
94 ctdb_port_t
95
96
97
98 Default Defined Ports:
99 tcp 4379
100 udp 4379
101
103 The SELinux process type ctdbd_t can manage files labeled with the fol‐
104 lowing file types. The paths listed are the default paths for these
105 file types. Note the processes UID still need to have DAC permissions.
106
107 cifs_t
108
109
110 cluster_conf_t
111
112 /etc/cluster(/.*)?
113
114 cluster_var_lib_t
115
116 /var/lib/pcsd(/.*)?
117 /var/lib/cluster(/.*)?
118 /var/lib/openais(/.*)?
119 /var/lib/pengine(/.*)?
120 /var/lib/corosync(/.*)?
121 /usr/lib/heartbeat(/.*)?
122 /var/lib/heartbeat(/.*)?
123 /var/lib/pacemaker(/.*)?
124
125 cluster_var_run_t
126
127 /var/run/crm(/.*)?
128 /var/run/cman_.*
129 /var/run/rsctmp(/.*)?
130 /var/run/aisexec.*
131 /var/run/heartbeat(/.*)?
132 /var/run/pcsd-ruby.socket
133 /var/run/corosync-qnetd(/.*)?
134 /var/run/corosync-qdevice(/.*)?
135 /var/run/corosync.pid
136 /var/run/cpglockd.pid
137 /var/run/rgmanager.pid
138 /var/run/cluster/rgmanager.sk
139
140 ctdbd_exec_t
141
142 /etc/ctdb/events.d/.*
143 /usr/sbin/ctdbd
144 /usr/sbin/ctdbd_wrapper
145
146 ctdbd_spool_t
147
148 /var/spool/ctdb(/.*)?
149
150 ctdbd_tmp_t
151
152
153 ctdbd_var_lib_t
154
155 /var/lib/ctdb(/.*)?
156 /var/lib/ctdbd(/.*)?
157
158 ctdbd_var_run_t
159
160 /var/run/ctdb(/.*)?
161 /var/run/ctdbd(/.*)?
162
163 ctdbd_var_t
164
165 /var/ctdb(/.*)?
166
167 ecryptfs_t
168
169 /home/[^/]+/.Private(/.*)?
170 /home/[^/]+/.ecryptfs(/.*)?
171
172 fusefs_t
173
174 /var/run/user/[0-9]+/gvfs
175
176 krb5_host_rcache_t
177
178 /var/tmp/krb5_0.rcache2
179 /var/cache/krb5rcache(/.*)?
180 /var/tmp/nfs_0
181 /var/tmp/DNS_25
182 /var/tmp/host_0
183 /var/tmp/imap_0
184 /var/tmp/HTTP_23
185 /var/tmp/HTTP_48
186 /var/tmp/ldap_55
187 /var/tmp/ldap_487
188 /var/tmp/ldapmap1_0
189
190 nfs_t
191
192
193 root_t
194
195 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
196 /
197 /initrd
198
199 systemd_passwd_var_run_t
200
201 /var/run/systemd/ask-password(/.*)?
202 /var/run/systemd/ask-password-block(/.*)?
203
204
206 SELinux requires files to have an extended attribute to define the file
207 type.
208
209 You can see the context of a file using the -Z option to ls
210
211 Policy governs the access confined processes have to these files.
212 SELinux ctdbd policy is very flexible allowing users to setup their ct‐
213 dbd processes in as secure a method as possible.
214
215 EQUIVALENCE DIRECTORIES
216
217
218 ctdbd policy stores data with multiple different file context types un‐
219 der the /var/lib/ctdb directory. If you would like to store the data
220 in a different directory you can use the semanage command to create an
221 equivalence mapping. If you wanted to store this data under the /srv
222 directory you would execute the following command:
223
224 semanage fcontext -a -e /var/lib/ctdb /srv/ctdb
225 restorecon -R -v /srv/ctdb
226
227 ctdbd policy stores data with multiple different file context types un‐
228 der the /var/run/ctdb directory. If you would like to store the data
229 in a different directory you can use the semanage command to create an
230 equivalence mapping. If you wanted to store this data under the /srv
231 directory you would execute the following command:
232
233 semanage fcontext -a -e /var/run/ctdb /srv/ctdb
234 restorecon -R -v /srv/ctdb
235
236 STANDARD FILE CONTEXT
237
238 SELinux defines the file context types for the ctdbd, if you wanted to
239 store files with these types in a different paths, you need to execute
240 the semanage command to specify alternate labeling and then use re‐
241 storecon to put the labels on disk.
242
243 semanage fcontext -a -t ctdbd_exec_t '/srv/ctdbd/content(/.*)?'
244 restorecon -R -v /srv/myctdbd_content
245
246 Note: SELinux often uses regular expressions to specify labels that
247 match multiple files.
248
249 The following file types are defined for ctdbd:
250
251
252
253 ctdbd_exec_t
254
255 - Set files with the ctdbd_exec_t type, if you want to transition an
256 executable to the ctdbd_t domain.
257
258
259 Paths:
260 /etc/ctdb/events.d/.*, /usr/sbin/ctdbd, /usr/sbin/ctdbd_wrapper
261
262
263 ctdbd_initrc_exec_t
264
265 - Set files with the ctdbd_initrc_exec_t type, if you want to transi‐
266 tion an executable to the ctdbd_initrc_t domain.
267
268
269
270 ctdbd_log_t
271
272 - Set files with the ctdbd_log_t type, if you want to treat the data as
273 ctdbd log data, usually stored under the /var/log directory.
274
275
276 Paths:
277 /var/log/ctdb.log.*, /var/log/log.ctdb.*
278
279
280 ctdbd_spool_t
281
282 - Set files with the ctdbd_spool_t type, if you want to store the ctdbd
283 files under the /var/spool directory.
284
285
286
287 ctdbd_tmp_t
288
289 - Set files with the ctdbd_tmp_t type, if you want to store ctdbd tem‐
290 porary files in the /tmp directories.
291
292
293
294 ctdbd_var_lib_t
295
296 - Set files with the ctdbd_var_lib_t type, if you want to store the ct‐
297 dbd files under the /var/lib directory.
298
299
300 Paths:
301 /var/lib/ctdb(/.*)?, /var/lib/ctdbd(/.*)?
302
303
304 ctdbd_var_run_t
305
306 - Set files with the ctdbd_var_run_t type, if you want to store the ct‐
307 dbd files under the /run or /var/run directory.
308
309
310 Paths:
311 /var/run/ctdb(/.*)?, /var/run/ctdbd(/.*)?
312
313
314 ctdbd_var_t
315
316 - Set files with the ctdbd_var_t type, if you want to store the c files
317 under the /var directory.
318
319
320
321 Note: File context can be temporarily modified with the chcon command.
322 If you want to permanently change the file context you need to use the
323 semanage fcontext command. This will modify the SELinux labeling data‐
324 base. You will need to use restorecon to apply the labels.
325
326
328 semanage fcontext can also be used to manipulate default file context
329 mappings.
330
331 semanage permissive can also be used to manipulate whether or not a
332 process type is permissive.
333
334 semanage module can also be used to enable/disable/install/remove pol‐
335 icy modules.
336
337 semanage port can also be used to manipulate the port definitions
338
339 semanage boolean can also be used to manipulate the booleans
340
341
342 system-config-selinux is a GUI tool available to customize SELinux pol‐
343 icy settings.
344
345
347 This manual page was auto-generated using sepolicy manpage .
348
349
351 selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1), sepol‐
352 icy(8), setsebool(8)
353
354
355
356ctdbd 23-12-15 ctdbd_selinux(8)