1pkcs_slotd_selinux(8) SELinux Policy pkcs_slotd pkcs_slotd_selinux(8)
2
6 pkcs_slotd_selinux - Security Enhanced Linux Policy for the pkcs_slotd
7 processes
8
10 Security-Enhanced Linux secures the pkcs_slotd processes via flexible
11 mandatory access control.
12 The pkcs_slotd processes execute with the pkcs_slotd_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16 For example:
18 ps -eZ | grep pkcs_slotd_t
20
24 The pkcs_slotd_t SELinux type can be entered via the pkcs_slotd_exec_t
25 file type.
26 The default entrypoint paths for the pkcs_slotd_t domain are the fol‐
28 lowing:
29 /usr/sbin/pkcsslotd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 pkcs_slotd policy is very flexible allowing users to setup their
40 pkcs_slotd processes in as secure a method as possible.
41 The following process types are defined for pkcs_slotd:
43 pkcs_slotd_t
45 Note: semanage permissive -a pkcs_slotd_t can be used to make the
47 process type pkcs_slotd_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
53 SELinux policy is customizable based on least access required.
54 pkcs_slotd policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run pkcs_slotd with the tightest
56 access possible.
57 If you want to dontaudit all daemons scheduling requests (setsched,
61 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
62 Enabled by default.
63 setsebool -P daemons_dontaudit_scheduling 1
65 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70 setsebool -P fips_mode 1
72 If you want to allow httpd to use opencryptoki, you must turn on the
76 httpd_use_opencryptoki boolean. Disabled by default.
77 setsebool -P httpd_use_opencryptoki 1
79 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84 setsebool -P nis_enabled 1
86
90 The SELinux process type pkcs_slotd_t can manage files labeled with the
91 following file types. The paths listed are the default paths for these
92 file types. Note the processes UID still need to have DAC permissions.
93 cluster_conf_t
95 /etc/cluster(/.*)?
97 cluster_var_lib_t
99 /var/lib/pcsd(/.*)?
101 /var/lib/cluster(/.*)?
102 /var/lib/openais(/.*)?
103 /var/lib/pengine(/.*)?
104 /var/lib/corosync(/.*)?
105 /usr/lib/heartbeat(/.*)?
106 /var/lib/heartbeat(/.*)?
107 /var/lib/pacemaker(/.*)?
108 cluster_var_run_t
110 /var/run/crm(/.*)?
112 /var/run/cman_.*
113 /var/run/rsctmp(/.*)?
114 /var/run/aisexec.*
115 /var/run/heartbeat(/.*)?
116 /var/run/pcsd-ruby.socket
117 /var/run/corosync-qnetd(/.*)?
118 /var/run/corosync-qdevice(/.*)?
119 /var/run/corosync.pid
120 /var/run/cpglockd.pid
121 /var/run/rgmanager.pid
122 /var/run/cluster/rgmanager.sk
123 krb5_host_rcache_t
125 /var/tmp/krb5_0.rcache2
127 /var/cache/krb5rcache(/.*)?
128 /var/tmp/nfs_0
129 /var/tmp/DNS_25
130 /var/tmp/host_0
131 /var/tmp/imap_0
132 /var/tmp/HTTP_23
133 /var/tmp/HTTP_48
134 /var/tmp/ldap_55
135 /var/tmp/ldap_487
136 /var/tmp/ldapmap1_0
137 pkcs_slotd_lock_t
139 /var/lock/opencryptoki(/.*)?
141 pkcs_slotd_log_t
143 /var/log/opencryptoki(/.*)?
145 pkcs_slotd_tmp_t
147 pkcs_slotd_tmpfs_t
150 /dev/shm/var.lib.opencryptoki.*
152 pkcs_slotd_var_lib_t
154 /var/lib/opencryptoki(/.*)?
156 pkcs_slotd_var_run_t
158 /var/run/pkcsslotd.*
160 /var/run/opencryptoki(/.*)?
161 root_t
163 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
165 /
166 /initrd
167
170 SELinux requires files to have an extended attribute to define the file
171 type.
172 You can see the context of a file using the -Z option to ls
174 Policy governs the access confined processes have to these files.
176 SELinux pkcs_slotd policy is very flexible allowing users to setup
177 their pkcs_slotd processes in as secure a method as possible.
178 STANDARD FILE CONTEXT
180 SELinux defines the file context types for the pkcs_slotd, if you
182 wanted to store files with these types in a different paths, you need
183 to execute the semanage command to specify alternate labeling and then
184 use restorecon to put the labels on disk.
185 semanage fcontext -a -t pkcs_slotd_exec_t '/srv/pkcs_slotd/con‐
187 tent(/.*)?'
188 restorecon -R -v /srv/mypkcs_slotd_content
189 Note: SELinux often uses regular expressions to specify labels that
191 match multiple files.
192 The following file types are defined for pkcs_slotd:
194 pkcs_slotd_exec_t
198 - Set files with the pkcs_slotd_exec_t type, if you want to transition
200 an executable to the pkcs_slotd_t domain.
201 pkcs_slotd_initrc_exec_t
205 - Set files with the pkcs_slotd_initrc_exec_t type, if you want to
207 transition an executable to the pkcs_slotd_initrc_t domain.
208 pkcs_slotd_lock_t
212 - Set files with the pkcs_slotd_lock_t type, if you want to treat the
214 files as pkcs slotd lock data, stored under the /var/lock directory
215 pkcs_slotd_log_t
219 - Set files with the pkcs_slotd_log_t type, if you want to treat the
221 data as pkcs slotd log data, usually stored under the /var/log direc‐
222 tory.
223 pkcs_slotd_tmp_t
227 - Set files with the pkcs_slotd_tmp_t type, if you want to store pkcs
229 slotd temporary files in the /tmp directories.
230 pkcs_slotd_tmpfs_t
234 - Set files with the pkcs_slotd_tmpfs_t type, if you want to store pkcs
236 slotd files on a tmpfs file system.
237 pkcs_slotd_unit_file_t
241 - Set files with the pkcs_slotd_unit_file_t type, if you want to treat
243 the files as pkcs slotd unit content.
244 pkcs_slotd_var_lib_t
248 - Set files with the pkcs_slotd_var_lib_t type, if you want to store
250 the pkcs slotd files under the /var/lib directory.
251 pkcs_slotd_var_run_t
255 - Set files with the pkcs_slotd_var_run_t type, if you want to store
257 the pkcs slotd files under the /run or /var/run directory.
258 Paths:
261 /var/run/pkcsslotd.*, /var/run/opencryptoki(/.*)?
262 Note: File context can be temporarily modified with the chcon command.
265 If you want to permanently change the file context you need to use the
266 semanage fcontext command. This will modify the SELinux labeling data‐
267 base. You will need to use restorecon to apply the labels.
268
271 semanage fcontext can also be used to manipulate default file context
272 mappings.
273 semanage permissive can also be used to manipulate whether or not a
275 process type is permissive.
276 semanage module can also be used to enable/disable/install/remove pol‐
278 icy modules.
279 semanage boolean can also be used to manipulate the booleans
281 system-config-selinux is a GUI tool available to customize SELinux pol‐
284 icy settings.
285
288 This manual page was auto-generated using sepolicy manpage .
289
292 selinux(8), pkcs_slotd(8), semanage(8), restorecon(8), chcon(1), sepol‐
293 icy(8), setsebool(8)
294pkcs_slotd 23-12-15 pkcs_slotd_selinux(8)