glance_registry_selinux(8)      SELinux Policy glance_registry      glance_registry_selinux(8)



NAME
       glance_registry_selinux - Security Enhanced Linux Policy for the
       glance_registry processes

DESCRIPTION
       Security-Enhanced Linux secures the glance_registry processes via
       flexible mandatory access control.

       The glance_registry processes execute with the glance_registry_t
       SELinux type. You can check whether these processes are running
       confined by executing the ps command with the -Z qualifier.

       For example:

              ps -eZ | grep glance_registry_t


ENTRYPOINTS
       The glance_registry_t SELinux type can be entered via the
       glance_registry_exec_t file type.

       The default entrypoint paths for the glance_registry_t domain are the
       following:

              /usr/bin/glance-registry

PROCESS TYPES
       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       glance_registry policy is very flexible, allowing users to set up
       their glance_registry processes in as secure a manner as possible.

       The following process types are defined for glance_registry:

              glance_registry_t

       Note: semanage permissive -a glance_registry_t can be used to make the
       process type glance_registry_t permissive. SELinux does not deny
       access to permissive process types, but the AVC (SELinux denial)
       messages are still generated. A permissive domain is no longer
       confined at all, so use this only while troubleshooting and revert it
       afterwards with semanage permissive -d glance_registry_t.
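       The AVC messages mentioned above are what you work from when a confined
       or permissive glance_registry_t denies something. The following script
       is an added example, not part of this sepolicy-generated page or of the
       glance project: it collapses a stream of audit.log AVC lines into
       (class, permission, target type) tuples for one source domain, which is
       the view needed to decide whether a denial calls for a boolean, a
       relabel, or a local module built with audit2allow. The audit lines in
       SAMPLE_AUDIT are constructed; the function name avc_summary is an
       assumption.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page or of the glance
# project: summarise the AVC denials recorded for one source domain into
# (class, permission, target type) tuples. permissive=1 lines are still
# logged, so the same summary works for a domain made permissive.

# Constructed audit.log lines; on a real host feed the function with
#   ausearch -m AVC -ts recent | avc_summary glance_registry_t
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="glance-registry" name="images" dev="dm-0" ino=42 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.124:457): avc:  denied  { name_connect } for  pid=1234 comm="glance-registry" dest=3306 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.125:458): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.126:459): avc:  denied  { write } for  pid=1234 comm="glance-registry" name="cache" dev="dm-0" ino=43 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1'

# avc_summary DOMAIN   (audit lines on stdin)
# Prints "COUNT TCLASS PERMISSION TARGET_TYPE", most frequent first, for
# denials whose scontext type is DOMAIN. Denials from other domains are
# ignored so that a shared audit log does not pollute the picture.
avc_summary() {
    awk -v dom="$1" '
    /type=AVC/ && /avc: +denied/ {
        # the permission set sits between the braces: { write } or { read write }
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        if (stype != dom) next
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) count[tclass " " p[j] " " ttype]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone demo: the two glance_registry_t denials on var_t collapse to one
# line with a count of 2, and the httpd_t denial is dropped.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary glance_registry_t
```

       A denial on var_t for a directory the service legitimately owns is a
       labelling problem (the path should carry glance_var_lib_t, see FILE
       CONTEXTS below); a name_connect denial on a port type is usually
       addressed by a boolean or a port label rather than by a custom module.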


BOOLEANS
       SELinux policy is customizable based on the least access required.
       glance_registry policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run glance_registry with
       the tightest access possible.

       If you want to dontaudit (stop logging) the scheduling requests
       (setsched, sys_nice) made by all daemons, you must turn on the
       daemons_dontaudit_scheduling boolean. Enabled by default.

              setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to allow the glance domain to use executable memory and
       an executable stack, you must turn on the glance_use_execmem boolean.
       Disabled by default. Enabling it removes the policy's protection
       against writable-and-executable memory mappings for the domain, so
       leave it off unless the service actually fails with execmem or
       execstack denials.

              setsebool -P glance_use_execmem 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

              setsebool -P nis_enabled 1
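       Booleans are persistent and easy to flip during troubleshooting and
       forget. The following script is an added example, not part of this
       sepolicy-generated page or of the glance project: it compares the
       booleans listed above with a baseline and prints the setsebool
       commands needed to restore it. The baseline holds the documented
       defaults, keeping glance_use_execmem off; SAMPLE_GETSEBOOL is
       constructed to look like getsebool -a output on a drifted host, and
       the function name boolean_drift is an assumption.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page or of the glance
# project: compare the booleans that matter for glance_registry_t with a
# hardened baseline and print the setsebool commands needed to get back to it.
# glance_use_execmem stays off in the baseline because turning it on lets the
# domain create writable and executable memory mappings.

BASELINE='daemons_dontaudit_scheduling on
fips_mode on
glance_use_execmem off
nis_enabled off'

# Constructed to look like `getsebool -a` on a host that has drifted.
SAMPLE_GETSEBOOL='daemons_dontaudit_scheduling --> on
fips_mode --> off
glance_use_execmem --> on
httpd_can_network_connect --> off
nis_enabled --> off'

# boolean_drift   (getsebool -a output on stdin)
# Prints one "setsebool -P NAME VALUE" line per boolean that differs from
# BASELINE. Booleans missing from the input are reported on stderr: the set of
# booleans differs between policy versions, and a silent skip would hide that
# the baseline is stale.
boolean_drift() {
    current=$(cat)
    printf '%s\n' "$BASELINE" | while read -r name want; do
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$have" ]; then
            echo "warning: boolean $name not present in this policy" >&2
        elif [ "$have" != "$want" ]; then
            echo "setsebool -P $name $want"
        fi
    done
}

# Stand-alone demo; on a live host run:  getsebool -a | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

       Review the printed commands before running them: the script only
       reports drift, and a deliberate local change should be recorded in the
       baseline rather than reverted blindly.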


PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

              semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux glance_registry policy is very flexible, allowing users to set
       up their glance_registry processes in as secure a manner as possible.

       The following port types are defined for glance_registry:

              glance_registry_port_t

       Default Defined Ports:
              tcp 9191
              udp 9191
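       If the registry is configured to listen on a port other than 9191,
       that port must be labelled glance_registry_port_t or the confined
       daemon will fail to bind with a name_bind denial; labelling the port
       is the fix, not making the domain permissive. The following script is
       an added example, not part of this sepolicy-generated page or of the
       glance project: it reads semanage port -l output and prints the exact
       semanage port command needed, distinguishing a port that already has an
       entry under another type (semanage port -a fails with "already defined"
       there, so -m is required) from one that is unlabelled. SAMPLE_PORTS is
       constructed and the function name port_action is an assumption.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page or of the glance
# project: work out which semanage port command (if any) is needed so that the
# port glance-registry binds carries glance_registry_port_t.

# Constructed to look like `semanage port -l` output.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

glance_port_t                  tcp      9292
glance_registry_port_t         tcp      9191
glance_registry_port_t         udp      9191
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_action PORT PROTO   (semanage port -l output on stdin)
# Prints "ok: ..." when PORT/PROTO already has an exact glance_registry_port_t
# entry, "semanage port -m ..." when an exact entry exists under another type,
# and "semanage port -a ..." otherwise. A port that only falls inside a range
# such as unreserved_port_t has no exact entry, so -a is what works there.
port_action() {
    awk -v port="$1" -v proto="$2" -v want="glance_registry_port_t" '
    NF >= 3 && $2 == proto {
        list = ""
        for (i = 3; i <= NF; i++) list = list $i      # rejoin "80, 81, 443"
        n = split(list, items, ",")
        for (j = 1; j <= n; j++) {
            if (items[j] ~ /-/) {
                split(items[j], r, "-")
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) inrange = $1
            } else if (items[j] + 0 == port + 0) {
                exact = $1
            }
        }
    }
    END {
        if (exact == want)
            print "ok: " proto "/" port " is already labelled " want
        else if (exact != "")
            print "semanage port -m -t " want " -p " proto " " port "   # currently " exact
        else if (inrange != "")
            print "semanage port -a -t " want " -p " proto " " port "   # inside " inrange " range"
        else
            print "semanage port -a -t " want " -p " proto " " port
    }'
}

# Stand-alone demo: the default port, a port owned by glance_port_t, and an
# unused one. On a live host:  semanage port -l | port_action 9393 tcp
for p in 9191 9292 9393; do
    printf '%s\n' "$SAMPLE_PORTS" | port_action "$p" tcp
done
```

       Relabelling a port with -m takes it away from the type that owned it,
       so a port such as 9292 (glance_port_t in the sample) should be moved
       only if the other service no longer uses it.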

MANAGED FILES
       The SELinux process type glance_registry_t can manage files labeled
       with the following file types. The paths listed are the default paths
       for these file types. Note that the process's UID still needs DAC
       permission as well. The list is wider than the service's own state
       under /var/lib/glance; it includes the cluster types, the Kerberos
       replay cache and root_t, so a compromise of the daemon reaches those
       paths too unless DAC forbids it.

       cluster_conf_t

              /etc/cluster(/.*)?

       cluster_var_lib_t

              /var/lib/pcsd(/.*)?
              /var/lib/cluster(/.*)?
              /var/lib/openais(/.*)?
              /var/lib/pengine(/.*)?
              /var/lib/corosync(/.*)?
              /usr/lib/heartbeat(/.*)?
              /var/lib/heartbeat(/.*)?
              /var/lib/pacemaker(/.*)?

       cluster_var_run_t

              /var/run/crm(/.*)?
              /var/run/cman_.*
              /var/run/rsctmp(/.*)?
              /var/run/aisexec.*
              /var/run/heartbeat(/.*)?
              /var/run/pcsd-ruby.socket
              /var/run/corosync-qnetd(/.*)?
              /var/run/corosync-qdevice(/.*)?
              /var/run/corosync.pid
              /var/run/cpglockd.pid
              /var/run/rgmanager.pid
              /var/run/cluster/rgmanager.sk

       fusefs_t

              /var/run/user/[0-9]+/gvfs

       glance_registry_tmp_t


       glance_registry_tmpfs_t


       glance_var_lib_t

              /var/lib/glance(/.*)?

       glance_var_run_t

              /var/run/glance(/.*)?

       krb5_host_rcache_t

              /var/tmp/krb5_0.rcache2
              /var/cache/krb5rcache(/.*)?
              /var/tmp/nfs_0
              /var/tmp/DNS_25
              /var/tmp/host_0
              /var/tmp/imap_0
              /var/tmp/HTTP_23
              /var/tmp/HTTP_48
              /var/tmp/ldap_55
              /var/tmp/ldap_487
              /var/tmp/ldapmap1_0

       root_t

              /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
              /
              /initrd


FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux glance_registry policy is very flexible, allowing users to set
       up their glance_registry processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for glance_registry. If you
       want to store files with these types in different paths, you need to
       execute the semanage command to specify the alternate labeling and
       then use restorecon to put the labels on disk. For example, to keep
       the registry's data under /srv instead of the default /var/lib/glance,
       register the path with the data type and then relabel that same path:

              semanage fcontext -a -t glance_var_lib_t '/srv/glance_registry/content(/.*)?'
              restorecon -R -v /srv/glance_registry/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for glance_registry:


       glance_registry_exec_t

       - Set files with the glance_registry_exec_t type, if you want to
       transition an executable to the glance_registry_t domain.


       glance_registry_initrc_exec_t

       - Set files with the glance_registry_initrc_exec_t type, if you want
       to transition an executable to the glance_registry_initrc_t domain.


       glance_registry_tmp_t

       - Set files with the glance_registry_tmp_t type, if you want to store
       glance registry temporary files in the /tmp directories.


       glance_registry_tmpfs_t

       - Set files with the glance_registry_tmpfs_t type, if you want to
       store glance registry files on a tmpfs file system.


       glance_registry_unit_file_t

       - Set files with the glance_registry_unit_file_t type, if you want to
       treat the files as glance registry unit content.


       Note: File context can be temporarily modified with the chcon command;
       a relabel (restorecon, or a full relabel at boot) will undo it. If you
       want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will then need to use restorecon to apply the labels.


COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), glance_registry(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



glance_registry                     23-12-15                 glance_registry_selinux(8)