1insights_client_selinux(8S)ELinux Policy insights_clienitnsights_client_selinux(8)
2
3
4
6 insights_client_selinux - Security Enhanced Linux Policy for the in‐
7 sights_client processes
8
10 Security-Enhanced Linux secures the insights_client processes via flex‐
11 ible mandatory access control.
12
13 The insights_client processes execute with the insights_client_t
14 SELinux type. You can check if you have these processes running by exe‐
15 cuting the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep insights_client_t
20
21
22
24 The insights_client_t SELinux type can be entered via the in‐
25 sights_client_exec_t file type.
26
27 The default entrypoint paths for the insights_client_t domain are the
28 following:
29
30 /usr/bin/insights-client, /usr/bin/redhat-access-insights
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 insights_client policy is very flexible allowing users to setup their
40 insights_client processes in as secure a method as possible.
41
42 The following process types are defined for insights_client:
43
44 insights_client_t
45
46 Note: semanage permissive -a insights_client_t can be used to make the
47 process type insights_client_t permissive. SELinux does not deny access
48 to permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required. in‐
54 sights_client policy is extremely flexible and has several booleans
55 that allow you to manipulate the policy and run insights_client with
56 the tightest access possible.
57
58
59
60 If you want to dontaudit all daemons scheduling requests (setsched,
61 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
62 Enabled by default.
63
64 setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68 If you want to deny user domains applications to map a memory region as
69 both executable and writable, this is dangerous and the executable
70 should be reported in bugzilla, you must turn on the deny_execmem bool‐
71 ean. Disabled by default.
72
73 setsebool -P deny_execmem 1
74
75
76
77 If you want to control the ability to mmap a low area of the address
78 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
79 the mmap_low_allowed boolean. Disabled by default.
80
81 setsebool -P mmap_low_allowed 1
82
83
84
85 If you want to allow system to run with NIS, you must turn on the
86 nis_enabled boolean. Disabled by default.
87
88 setsebool -P nis_enabled 1
89
90
91
92 If you want to disable kernel module loading, you must turn on the se‐
93 cure_mode_insmod boolean. Disabled by default.
94
95 setsebool -P secure_mode_insmod 1
96
97
98
99 If you want to allow unconfined executables to make their heap memory
100 executable. Doing this is a really bad idea. Probably indicates a
101 badly coded executable, but could indicate an attack. This executable
102 should be reported in bugzilla, you must turn on the selinuxuser_ex‐
103 echeap boolean. Disabled by default.
104
105 setsebool -P selinuxuser_execheap 1
106
107
108
109 If you want to allow unconfined executables to make their stack exe‐
110 cutable. This should never, ever be necessary. Probably indicates a
111 badly coded executable, but could indicate an attack. This executable
112 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
113 stack boolean. Enabled by default.
114
115 setsebool -P selinuxuser_execstack 1
116
117
118
120 The SELinux process type insights_client_t can manage files labeled
121 with the following file types. The paths listed are the default paths
122 for these file types. Note the processes UID still need to have DAC
123 permissions.
124
125 file_type
126
127 all files on the system
128
129
131 SELinux requires files to have an extended attribute to define the file
132 type.
133
134 You can see the context of a file using the -Z option to ls
135
136 Policy governs the access confined processes have to these files.
137 SELinux insights_client policy is very flexible allowing users to setup
138 their insights_client processes in as secure a method as possible.
139
140 EQUIVALENCE DIRECTORIES
141
142
143 insights_client policy stores data with multiple different file context
144 types under the /var/cache/insights directory. If you would like to
145 store the data in a different directory you can use the semanage com‐
146 mand to create an equivalence mapping. If you wanted to store this
147 data under the /srv directory you would execute the following command:
148
149 semanage fcontext -a -e /var/cache/insights /srv/insights
150 restorecon -R -v /srv/insights
151
152 insights_client policy stores data with multiple different file context
153 types under the /var/tmp/insights-client directory. If you would like
154 to store the data in a different directory you can use the semanage
155 command to create an equivalence mapping. If you wanted to store this
156 data under the /srv directory you would execute the following command:
157
158 semanage fcontext -a -e /var/tmp/insights-client /srv/insights-client
159 restorecon -R -v /srv/insights-client
160
161 STANDARD FILE CONTEXT
162
163 SELinux defines the file context types for the insights_client, if you
164 wanted to store files with these types in a different paths, you need
165 to execute the semanage command to specify alternate labeling and then
166 use restorecon to put the labels on disk.
167
168 semanage fcontext -a -t insights_client_exec_t '/srv/in‐
169 sights_client/content(/.*)?'
170 restorecon -R -v /srv/myinsights_client_content
171
172 Note: SELinux often uses regular expressions to specify labels that
173 match multiple files.
174
175 The following file types are defined for insights_client:
176
177
178
179 insights_client_cache_t
180
181 - Set files with the insights_client_cache_t type, if you want to store
182 the files under the /var/cache directory.
183
184
185 Paths:
186 /var/cache/insights(/.*)?, /var/cache/insights-client(/.*)?
187
188
189 insights_client_etc_rw_t
190
191 - Set files with the insights_client_etc_rw_t type, if you want to
192 treat the files as insights client etc read/write content.
193
194
195 Paths:
196 /etc/insights-client/machine-id, /etc/insights-client/.cache.json,
197 /etc/insights-client/.lastupload, /etc/insights-client/.regis‐
198 tered, /etc/insights-client/.unregistered, /etc/insights-
199 client/.cache.json.asc, /etc/insights-client/.insights-core.etag,
200 /etc/insights-client/.last-upload.results, /etc/insights-
201 client/.insights-core-gpg-sig.etag, /etc/insights-client/insights-
202 client-egg-release
203
204
205 insights_client_etc_t
206
207 - Set files with the insights_client_etc_t type, if you want to store
208 insights client files in the /etc directories.
209
210
211 Paths:
212 /etc/insights-client/[^/]+, /etc/insights-client
213
214
215 insights_client_exec_t
216
217 - Set files with the insights_client_exec_t type, if you want to tran‐
218 sition an executable to the insights_client_t domain.
219
220
221 Paths:
222 /usr/bin/insights-client, /usr/bin/redhat-access-insights
223
224
225 insights_client_tmp_t
226
227 - Set files with the insights_client_tmp_t type, if you want to store
228 insights client temporary files in the /tmp directories.
229
230
231 Paths:
232 /var/tmp/insights-client(/.*)?, /tmp/insights-client.ppid,
233 /var/tmp/insights-client.ppid
234
235
236 insights_client_tmpfs_t
237
238 - Set files with the insights_client_tmpfs_t type, if you want to store
239 insights client files on a tmpfs file system.
240
241
242
243 insights_client_unit_file_t
244
245 - Set files with the insights_client_unit_file_t type, if you want to
246 treat the files as insights client unit content.
247
248
249
250 insights_client_var_lib_t
251
252 - Set files with the insights_client_var_lib_t type, if you want to
253 store the insights client files under the /var/lib directory.
254
255
256
257 insights_client_var_lock_t
258
259 - Set files with the insights_client_var_lock_t type, if you want to
260 treat the files as insights client var lock data, stored under the
261 /var/lock directory
262
263
264
265 insights_client_var_log_t
266
267 - Set files with the insights_client_var_log_t type, if you want to
268 treat the data as insights client var log data, usually stored under
269 the /var/log directory.
270
271
272
273 insights_client_var_run_t
274
275 - Set files with the insights_client_var_run_t type, if you want to
276 store the insights client files under the /run or /var/run directory.
277
278
279
280 Note: File context can be temporarily modified with the chcon command.
281 If you want to permanently change the file context you need to use the
282 semanage fcontext command. This will modify the SELinux labeling data‐
283 base. You will need to use restorecon to apply the labels.
284
285
287 semanage fcontext can also be used to manipulate default file context
288 mappings.
289
290 semanage permissive can also be used to manipulate whether or not a
291 process type is permissive.
292
293 semanage module can also be used to enable/disable/install/remove pol‐
294 icy modules.
295
296 semanage boolean can also be used to manipulate the booleans
297
298
299 system-config-selinux is a GUI tool available to customize SELinux pol‐
300 icy settings.
301
302
304 This manual page was auto-generated using sepolicy manpage .
305
306
308 selinux(8), insights_client(8), semanage(8), restorecon(8), chcon(1),
309 sepolicy(8), setsebool(8)
310
311
312
313insights_client 23-12-15 insights_client_selinux(8)