1gfs_controld_selinux(8) SELinux Policy gfs_controld gfs_controld_selinux(8)
2
3
4
6 gfs_controld_selinux - Security Enhanced Linux Policy for the gfs_con‐
7 trold processes
8
10 Security-Enhanced Linux secures the gfs_controld processes via flexible
11 mandatory access control.
12
13 The gfs_controld processes execute with the gfs_controld_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep gfs_controld_t
20
21
22
24 The gfs_controld_t SELinux type can be entered via the gfs_con‐
25 trold_exec_t file type.
26
27 The default entrypoint paths for the gfs_controld_t domain are the fol‐
28 lowing:
29
30 /usr/sbin/gfs_controld
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 gfs_controld policy is very flexible allowing users to setup their
40 gfs_controld processes in as secure a method as possible.
41
42 The following process types are defined for gfs_controld:
43
44 gfs_controld_t
45
46 Note: semanage permissive -a gfs_controld_t can be used to make the
47 process type gfs_controld_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required.
54 gfs_controld policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run gfs_controld with the tight‐
56 est access possible.
57
58
59
60 If you want to allow cluster administrative cluster domains memcheck-
61 amd64- to use executable memory, you must turn on the cluster_use_ex‐
62 ecmem boolean. Disabled by default.
63
64 setsebool -P cluster_use_execmem 1
65
66
67
68 If you want to dontaudit all daemons scheduling requests (setsched,
69 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
70 Enabled by default.
71
72 setsebool -P daemons_dontaudit_scheduling 1
73
74
75
76 If you want to allow all domains to execute in fips_mode, you must turn
77 on the fips_mode boolean. Enabled by default.
78
79 setsebool -P fips_mode 1
80
81
82
83 If you want to allow system to run with NIS, you must turn on the
84 nis_enabled boolean. Disabled by default.
85
86 setsebool -P nis_enabled 1
87
88
89
91 The SELinux process type gfs_controld_t can manage files labeled with
92 the following file types. The paths listed are the default paths for
93 these file types. Note the processes UID still need to have DAC per‐
94 missions.
95
96 cluster_conf_t
97
98 /etc/cluster(/.*)?
99
100 cluster_log
101
102
103 cluster_var_lib_t
104
105 /var/lib/pcsd(/.*)?
106 /var/lib/cluster(/.*)?
107 /var/lib/openais(/.*)?
108 /var/lib/pengine(/.*)?
109 /var/lib/corosync(/.*)?
110 /usr/lib/heartbeat(/.*)?
111 /var/lib/heartbeat(/.*)?
112 /var/lib/pacemaker(/.*)?
113
114 cluster_var_run_t
115
116 /var/run/crm(/.*)?
117 /var/run/cman_.*
118 /var/run/rsctmp(/.*)?
119 /var/run/aisexec.*
120 /var/run/heartbeat(/.*)?
121 /var/run/pcsd-ruby.socket
122 /var/run/corosync-qnetd(/.*)?
123 /var/run/corosync-qdevice(/.*)?
124 /var/run/corosync.pid
125 /var/run/cpglockd.pid
126 /var/run/rgmanager.pid
127 /var/run/cluster/rgmanager.sk
128
129 gfs_controld_tmpfs_t
130
131
132 gfs_controld_var_run_t
133
134 /var/run/gfs_controld.pid
135
136 krb5_host_rcache_t
137
138 /var/tmp/krb5_0.rcache2
139 /var/cache/krb5rcache(/.*)?
140 /var/tmp/nfs_0
141 /var/tmp/DNS_25
142 /var/tmp/host_0
143 /var/tmp/imap_0
144 /var/tmp/HTTP_23
145 /var/tmp/HTTP_48
146 /var/tmp/ldap_55
147 /var/tmp/ldap_487
148 /var/tmp/ldapmap1_0
149
150 root_t
151
152 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
153 /
154 /initrd
155
156 sysfs_t
157
158 /sys(/.*)?
159
160
162 SELinux requires files to have an extended attribute to define the file
163 type.
164
165 You can see the context of a file using the -Z option to ls
166
167 Policy governs the access confined processes have to these files.
168 SELinux gfs_controld policy is very flexible allowing users to setup
169 their gfs_controld processes in as secure a method as possible.
170
171 STANDARD FILE CONTEXT
172
173 SELinux defines the file context types for the gfs_controld, if you
174 wanted to store files with these types in a different paths, you need
175 to execute the semanage command to specify alternate labeling and then
176 use restorecon to put the labels on disk.
177
178 semanage fcontext -a -t gfs_controld_exec_t '/srv/gfs_controld/con‐
179 tent(/.*)?'
180 restorecon -R -v /srv/mygfs_controld_content
181
182 Note: SELinux often uses regular expressions to specify labels that
183 match multiple files.
184
185 The following file types are defined for gfs_controld:
186
187
188
189 gfs_controld_exec_t
190
191 - Set files with the gfs_controld_exec_t type, if you want to transi‐
192 tion an executable to the gfs_controld_t domain.
193
194
195
196 gfs_controld_tmpfs_t
197
198 - Set files with the gfs_controld_tmpfs_t type, if you want to store
199 gfs controld files on a tmpfs file system.
200
201
202
203 gfs_controld_var_log_t
204
205 - Set files with the gfs_controld_var_log_t type, if you want to treat
206 the data as gfs controld var log data, usually stored under the
207 /var/log directory.
208
209
210
211 gfs_controld_var_run_t
212
213 - Set files with the gfs_controld_var_run_t type, if you want to store
214 the gfs controld files under the /run or /var/run directory.
215
216
217
218 Note: File context can be temporarily modified with the chcon command.
219 If you want to permanently change the file context you need to use the
220 semanage fcontext command. This will modify the SELinux labeling data‐
221 base. You will need to use restorecon to apply the labels.
222
223
225 semanage fcontext can also be used to manipulate default file context
226 mappings.
227
228 semanage permissive can also be used to manipulate whether or not a
229 process type is permissive.
230
231 semanage module can also be used to enable/disable/install/remove pol‐
232 icy modules.
233
234 semanage boolean can also be used to manipulate the booleans
235
236
237 system-config-selinux is a GUI tool available to customize SELinux pol‐
238 icy settings.
239
240
242 This manual page was auto-generated using sepolicy manpage .
243
244
246 selinux(8), gfs_controld(8), semanage(8), restorecon(8), chcon(1), se‐
247 policy(8), setsebool(8)
248
249
250
251gfs_controld 23-12-15 gfs_controld_selinux(8)