openshift_selinux(8)       SELinux Policy openshift       openshift_selinux(8)


NAME

       openshift_selinux - Security Enhanced Linux Policy for the openshift
       processes


DESCRIPTION

       Security-Enhanced Linux secures the openshift processes via flexible
       mandatory access control.

       The openshift processes execute with the openshift_t SELinux type. You
       can check whether any such processes are running by executing the ps
       command with the -Z option, which adds the SELinux context of each
       process to the listing.

       For example:

       ps -eZ | grep openshift_t


ENTRYPOINTS

       The openshift_t SELinux type can be entered via the crontab_exec_t and
       user_cron_spool_t file types.

       The default entrypoint paths for the openshift_t domain are the
       following (the default file contexts of the two types above):

       /usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup,
       /usr/libexec/fcronsighup, /var/spool/at(/.*)?, /var/spool/cron,
       /var/spool/cron/[^/]+


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       openshift policy is very flexible, allowing users to set up their
       openshift processes in as secure a manner as possible.

       The following process types are defined for openshift:

       openshift_initrc_t, openshift_cgroup_read_t, openshift_net_read_t,
       openshift_cron_t, openshift_t, openshift_app_t, openshift_script_t

       Note: semanage permissive -a openshift_t can be used to make the
       process type openshift_t permissive. SELinux does not deny access to a
       permissive process type, but the AVC (SELinux denial) messages are
       still generated, so the audit log shows which accesses enforcing mode
       would block.

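       As an added example (not code from the openshift policy or from
       sepolicy), the script below reads AVC records and lists, per source
       domain, which denials were logged with permissive=1, that is, the
       accesses a permissive openshift_t was granted only because it is
       permissive. The audit lines are constructed for this example in the
       kernel's AVC record format; the summary and counting logic is the
       example's own.

```sh
#!/bin/sh
# Added example (not part of the openshift policy or of sepolicy): triage of
# AVC records for a domain that has been made permissive. Denials are still
# logged for a permissive domain, with permissive=1, so they show exactly
# which accesses enforcing mode would block. The audit lines below are
# constructed for this example in the kernel's AVC format; on a real host feed
# the output of "ausearch -m avc" or /var/log/audit/audit.log instead.

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=4101 comm="cron" name="data" dev="dm-0" ino=9001 scontext=system_u:system_r:openshift_t:s0:c1,c2 tcontext=system_u:object_r:openshift_var_lib_t:s0:c3,c4 tclass=dir permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read open } for  pid=4101 comm="cron" path="/etc/shadow" dev="dm-0" ino=1312 scontext=system_u:system_r:openshift_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=4177 comm="httpd" dest=8080 scontext=system_u:system_r:openshift_app_t:s0:c5,c6 tcontext=system_u:object_r:openshift_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:openshift_app_t:s0:c5,c6 key=(null)
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=4101 comm="cron" name="cron.log" dev="dm-0" ino=9002 scontext=system_u:system_r:openshift_cron_t:s0 tcontext=system_u:object_r:openshift_log_t:s0 tclass=file permissive=0'

# Read audit records on stdin and print one line per AVC denial:
#   <source type> <permissive> <permissions> <class> <target type>
avc_summarize() {
    awk '
    /avc:  denied/ {
        st = tt = tc = ""; pm = "?"
        # permissions sit between the braces: "{ read open }" -> "read,open"
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        # the rest of the record is key=value words; the type is the third
        # colon-separated field of a context (user:role:type:level)
        n = split($0, f, " ")
        for (i = 1; i <= n; i++) {
            split(f[i], kv, "=")
            if (kv[1] == "scontext")   { split(kv[2], c, ":"); st = c[3] }
            if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tt = c[3] }
            if (kv[1] == "tclass")     tc = kv[2]
            if (kv[1] == "permissive") pm = kv[2]
        }
        print st, pm, perms, tc, tt
    }'
}

# Count the denials of DOMAIN ($1) that were only let through because the
# domain is permissive: each one is a rule to add (or a labeling bug to fix)
# before the domain goes back to enforcing.
avc_count_permissive() {
    avc_summarize | awk -v d="$1" '$1 == d && $2 == "1" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summarize
# openshift_t 1 write dir openshift_var_lib_t
# openshift_t 1 read,open file shadow_t
# openshift_app_t 0 name_connect tcp_socket openshift_port_t
# openshift_cron_t 0 write file openshift_log_t
printf 'openshift_t accesses that enforcing mode would deny: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AUDIT" | avc_count_permissive openshift_t)"
# openshift_t accesses that enforcing mode would deny: 2
```

       On a real host, replace the sample with the output of ausearch -m avc
       (or the AVC lines of /var/log/audit/audit.log) and pipe it into
       avc_summarize or avc_count_permissive. A non-zero count for
       openshift_t means that switching the domain back to enforcing with
       semanage permissive -d openshift_t will start blocking those accesses.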

MCS Constrained

       The SELinux process type openshift_t is an MCS (Multi Category
       Security) constrained type. Sometimes this separation is referred to
       as sVirt. These types are usually used for securing multi-tenant
       environments, such as virtualization, containers or separation of
       users. The tools used to launch MCS types pick out a different MCS
       label for each process group.

       For example, one process might be launched with openshift_t:s0:c1,c2
       and another process launched with openshift_t:s0:c3,c4. The SELinux
       kernel only allows these processes to write to content with a matching
       MCS label, or with the MCS label s0 (no categories). A process running
       with the MCS level s0:c1,c2 is not allowed to write to content with the
       MCS label s0:c3,c4.

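       The write rule above can be checked offline. The script below is an
       added example, not part of the openshift policy or of sepolicy: it
       expands MCS category lists (including ranges such as c1.c4, which the
       text above does not show) and decides whether a process at one level
       may write content at another by testing that every category of the
       target is also held by the process. It assumes sensitivity s0 only and
       reduces a range level such as s0-s0:c0.c1023 to its high level.

```sh
#!/bin/sh
# Added example (not part of the openshift policy or of sepolicy): decide
# whether a process at one MCS level may write content at another, using
# the rule stated above: every category of the target must also be held by
# the process. Plain s0 carries no categories, so any process may write it.
# Assumptions: MCS levels use sensitivity s0 only; a range such as
# "s0-s0:c0.c1023" is reduced to its high level (the part after "-").

# Expand a level such as "s0:c1,c3.c5" into a sorted, de-duplicated,
# space-separated category list: "1 3 4 5". Plain "s0" yields nothing.
mcs_categories() {
    level=${1##*-}
    cats=$(printf '%s' "$level" | sed -n 's/^s0:\(.*\)$/\1/p')
    [ -n "$cats" ] || return 0
    for item in $(printf '%s' "$cats" | tr ',' ' '); do
        case "$item" in
            c*.c*)                        # range: c3.c5 -> 3 4 5
                lo=${item%%.*}; lo=${lo#c}
                hi=${item##*.}; hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do printf '%s\n' "$i"; i=$((i + 1)); done
                ;;
            c*)                           # single category: c1 -> 1
                printf '%s\n' "${item#c}"
                ;;
        esac
    done | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Take the MCS level out of a full context string
# ("system_u:system_r:openshift_t:s0:c1,c2" -> "s0:c1,c2").
mcs_level_of() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Exit 0 if a process at level $1 may write content at level $2, 1 otherwise.
mcs_can_write() {
    proc_cats=$(mcs_categories "$1")
    file_cats=$(mcs_categories "$2")
    for c in $file_cats; do
        case " $proc_cats " in
            *" $c "*) ;;                  # category held by the process
            *) return 1 ;;                # missing category: write denied
        esac
    done
    return 0
}

# Walk the two labels used above plus a few more, printing the verdict.
for pair in "s0:c1,c2 s0:c3,c4" "s0:c1,c2 s0:c1,c2" "s0:c1,c2 s0" \
            "s0:c1.c4 s0:c2,c3" "s0 s0:c1"; do
    set -- $pair
    if mcs_can_write "$1" "$2"; then verdict=allowed; else verdict=denied; fi
    printf '%-10s -> %-10s %s\n' "$1" "$2" "$verdict"
done
# s0:c1,c2   -> s0:c3,c4   denied
# s0:c1,c2   -> s0:c1,c2   allowed
# s0:c1,c2   -> s0         allowed
# s0:c1.c4   -> s0:c2,c3   allowed
# s0         -> s0:c1      denied
```

       To check a live pair, take the process context from ps -eZ and the
       file context from ls -Z, extract the levels with mcs_level_of and pass
       them to mcs_can_write.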

BOOLEANS

       SELinux policy is customizable based on least access required.
       openshift policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run openshift with the tightest
       access possible. The -P flag of setsebool makes a change persistent
       across reboots.

       If you want to allow crond to execute jobs in the user domain as
       opposed to the generic cronjob domain, you must turn on the
       cron_userdomain_transition boolean. Enabled by default.

       setsebool -P cron_userdomain_transition 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Disabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a manner as possible.

       The following port types are defined for openshift:

       openshift_port_t

       MANAGED FILES

              The SELinux process type openshift_t can manage files labeled
              with the following file types. The paths listed are the default
              paths for these file types. Note that the process's UID still
              needs DAC permission; SELinux only adds a further check.

              faillog_t

                   /var/log/btmp.*
                   /var/log/faillog.*
                   /var/log/tallylog.*
                   /var/run/faillock(/.*)?

              hugetlbfs_t

                   /dev/hugepages
                   /usr/lib/udev/devices/hugepages

              krb5_host_rcache_t

                   /var/tmp/krb5_0.rcache2
                   /var/cache/krb5rcache(/.*)?
                   /var/tmp/nfs_0
                   /var/tmp/DNS_25
                   /var/tmp/host_0
                   /var/tmp/imap_0
                   /var/tmp/HTTP_23
                   /var/tmp/HTTP_48
                   /var/tmp/ldap_55
                   /var/tmp/ldap_487
                   /var/tmp/ldapmap1_0

              openshift_tmpfs_t

                   (no default paths; see openshift_tmpfs_t under FILE
                   CONTEXTS, this type is used on tmpfs file systems)

              postfix_spool_t

                   /var/spool/postfix.*
                   /var/spool/postfix/defer(/.*)?
                   /var/spool/postfix/flush(/.*)?
                   /var/spool/postfix/deferred(/.*)?
                   /var/spool/postfix/maildrop(/.*)?

              security_t

                   /selinux


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux openshift policy is very flexible, allowing users to set up
       their openshift processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       openshift policy stores data with multiple different file context types
       under the /var/lib/openshift directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/openshift /srv/openshift
       restorecon -R -v /srv/openshift

       Paths under /srv/openshift are then labeled exactly as the
       corresponding paths under /var/lib/openshift would be.

       openshift policy stores data with multiple different file context types
       under the /var/lib/stickshift directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/stickshift /srv/stickshift
       restorecon -R -v /srv/stickshift

       STANDARD FILE CONTEXT

       SELinux defines the file context types for openshift. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to label everything
       under /srv/openshift/content as openshift_initrc_exec_t:

       semanage fcontext -a -t openshift_initrc_exec_t '/srv/openshift/content(/.*)?'
       restorecon -R -v /srv/openshift/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for openshift:

       openshift_app_tmp_t

       - Set files with the openshift_app_tmp_t type, if you want to store
       openshift app temporary files in the /tmp directories.


       openshift_cgroup_read_exec_t

       - Set files with the openshift_cgroup_read_exec_t type, if you want to
       transition an executable to the openshift_cgroup_read_t domain.


       openshift_cgroup_read_tmp_t

       - Set files with the openshift_cgroup_read_tmp_t type, if you want to
       store openshift cgroup read temporary files in the /tmp directories.


       openshift_content_t

       - Set files with the openshift_content_t type, if you want to treat the
       files as openshift content.


       openshift_cron_exec_t

       - Set files with the openshift_cron_exec_t type, if you want to
       transition an executable to the openshift_cron_t domain.


       openshift_cron_tmp_t

       - Set files with the openshift_cron_tmp_t type, if you want to store
       openshift cron temporary files in the /tmp directories.


       openshift_htaccess_t

       - Set files with the openshift_htaccess_t type, if you want to treat
       the file as an openshift access file.


       openshift_initrc_exec_t

       - Set files with the openshift_initrc_exec_t type, if you want to
       transition an executable to the openshift_initrc_t domain.

       Paths:
            /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer,
            /usr/s?bin/oo-admin-ctl-gears, /usr/s?bin/(oo|rhc)-restorer-wrapper.sh,
            /etc/rc.d/init.d/libra, /etc/rc.d/init.d/mcollective


       openshift_initrc_tmp_t

       - Set files with the openshift_initrc_tmp_t type, if you want to store
       openshift initrc temporary files in the /tmp directories.

       openshift_log_t

       - Set files with the openshift_log_t type, if you want to treat the
       data as openshift log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/openshift(/.*)?, /var/log/mcollective.log.*


       openshift_net_read_exec_t

       - Set files with the openshift_net_read_exec_t type, if you want to
       transition an executable to the openshift_net_read_t domain.


       openshift_ra_content_t

       - Set files with the openshift_ra_content_t type, if you want to treat
       the files as openshift read/append content.


       openshift_rw_content_t

       - Set files with the openshift_rw_content_t type, if you want to treat
       the files as openshift read/write content.


       openshift_rw_file_t

       - Set files with the openshift_rw_file_t type, if you want to treat the
       files as openshift read/write content.

       Paths:
            /var/lib/openshift/.*/data(/.*)?, /var/lib/stickshift/.*/data(/.*)?


       openshift_script_exec_t

       - Set files with the openshift_script_exec_t type, if you want to
       transition an executable to the openshift_script_t domain.


       openshift_tmp_t

       - Set files with the openshift_tmp_t type, if you want to store
       openshift temporary files in the /tmp directories.

       Paths:
            /var/lib/openshift/.*/.tmp(/.*)?, /var/lib/openshift/.*/.sandbox(/.*)?,
            /var/lib/stickshift/.*/.tmp(/.*)?, /var/lib/stickshift/.*/.sandbox(/.*)?


       openshift_tmpfs_t

       - Set files with the openshift_tmpfs_t type, if you want to store
       openshift files on a tmpfs file system.


       openshift_var_lib_t

       - Set files with the openshift_var_lib_t type, if you want to store the
       openshift files under the /var/lib directory.

       Paths:
            /var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)?,
            /var/lib/containers/home(/.*)?


       openshift_var_run_t

       - Set files with the openshift_var_run_t type, if you want to store the
       openshift files under the /run or /var/run directory.

       Paths:
            /var/run/openshift(/.*)?, /var/run/stickshift(/.*)?


       Note: File context can be temporarily modified with the chcon command,
       but such a change is lost the next time the file is relabeled. If you
       want to permanently change the file context you need to use the
       semanage fcontext command. This modifies the SELinux labeling
       database; you then need to run restorecon to apply the labels on disk.

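       The Paths listed above are regular expressions, and an equivalence
       mapping rewrites a path prefix before those expressions are consulted.
       The script below is an added example, not part of the openshift policy
       or of sepolicy: it emulates the lookup over a constructed subset of the
       specifications on this page (with the dot in .tmp and .sandbox escaped
       as a literal), assuming that each expression must match the whole path
       and that the last matching entry wins, which is the order libselinux
       searches file_contexts and the reason more specific expressions are
       sorted later. The equivalence /srv/openshift -> /var/lib/openshift is
       the one created by the semanage fcontext -e command in the EQUIVALENCE
       DIRECTORIES section.

```sh
#!/bin/sh
# Added example (not part of the openshift policy or of sepolicy): a small
# emulation of how a path is mapped to a file type from specifications like
# those listed under "Paths" above, including an equivalence mapping as
# created by "semanage fcontext -a -e". Assumptions: each regular expression
# must match the whole path, and when several match, the LAST one in the
# file wins (libselinux searches file_contexts from the end, which is why
# fc_sort places more specific expressions later); an equivalence rewrites
# the path prefix before the lookup. The tables below are constructed from
# the paths on this page and are a subset of the real file_contexts.

# Constructed specifications, generic first and specific later: "regex type".
FILE_CONTEXTS='
/var/lib/openshift(/.*)? openshift_var_lib_t
/var/lib/stickshift(/.*)? openshift_var_lib_t
/var/lib/openshift/.*/data(/.*)? openshift_rw_file_t
/var/lib/stickshift/.*/data(/.*)? openshift_rw_file_t
/var/lib/openshift/.*/\.tmp(/.*)? openshift_tmp_t
/var/lib/openshift/.*/\.sandbox(/.*)? openshift_tmp_t
/var/log/openshift(/.*)? openshift_log_t
/var/run/openshift(/.*)? openshift_var_run_t
'

# Constructed equivalence, as written by
# "semanage fcontext -a -e /var/lib/openshift /srv/openshift": "source target".
EQUIVALENCES='
/srv/openshift /var/lib/openshift
'

# Rewrite a path that lies at or below an equivalence source so that it is
# looked up as if it lived below the target.
fc_substitute() {
    sp=$1
    while read -r src dst; do
        [ -n "$src" ] || continue
        case "$sp" in
            "$src"|"$src"/*) sp="$dst${sp#"$src"}" ;;
        esac
    done <<EOF
$EQUIVALENCES
EOF
    printf '%s\n' "$sp"
}

# Print the type of the last specification that matches the whole path,
# or "nomatch" when none does (restorecon would then leave the file alone).
fc_lookup() {
    p=$(fc_substitute "$1")
    result=nomatch
    while read -r re type; do
        [ -n "$re" ] || continue
        if printf '%s\n' "$p" | grep -Eq "^${re}\$"; then
            result=$type
        fi
    done <<EOF
$FILE_CONTEXTS
EOF
    printf '%s\n' "$result"
}

for sample in /var/lib/openshift /var/lib/openshift/abc123/data/app.db \
              /var/lib/openshift/abc123/.tmp/scratch \
              /srv/openshift/abc123/data/app.db /var/log/openshift/node.log \
              /etc/passwd; do
    printf '%-45s %s\n' "$sample" "$(fc_lookup "$sample")"
done
# /var/lib/openshift                            openshift_var_lib_t
# /var/lib/openshift/abc123/data/app.db         openshift_rw_file_t
# /var/lib/openshift/abc123/.tmp/scratch        openshift_tmp_t
# /srv/openshift/abc123/data/app.db             openshift_rw_file_t
# /var/log/openshift/node.log                   openshift_log_t
# /etc/passwd                                   nomatch
```

       Compare the result against the real database with matchpathcon
       <path>, or with restorecon -n -v <path> for a dry run, both of which
       consult the full file_contexts together with the local and
       equivalence customizations made by semanage.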

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), openshift_app_selinux(8),
       openshift_cgroup_read_selinux(8), openshift_cron_selinux(8),
       openshift_initrc_selinux(8), openshift_net_read_selinux(8),
       openshift_script_selinux(8)


openshift                          23-12-15               openshift_selinux(8)