rabbitmq_selinux(8)          SELinux Policy rabbitmq          rabbitmq_selinux(8)

NAME
       rabbitmq_selinux - Security Enhanced Linux Policy for the rabbitmq
       processes

DESCRIPTION
       Security-Enhanced Linux secures the rabbitmq processes via flexible
       mandatory access control.

       The rabbitmq processes execute with the rabbitmq_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

              ps -eZ | grep rabbitmq_t

ENTRYPOINTS
       The rabbitmq_t SELinux type can be entered via the rabbitmq_exec_t file
       type.

       The default entrypoint paths for the rabbitmq_t domain are the
       following:

              /usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       rabbitmq policy is very flexible, allowing users to set up their
       rabbitmq processes in as secure a manner as possible.

       The following process types are defined for rabbitmq:

              rabbitmq_t

       Note: semanage permissive -a rabbitmq_t can be used to make the process
       type rabbitmq_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated.

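       The following shell script is an added example; it is not part of the
       rabbitmq policy or of the sepolicy-generated page. It summarises AVC
       denial records for the rabbitmq_t domain the way a practitioner would
       before deciding whether a boolean, a relabel or a local policy module is
       the right fix, and checks whether the domain has been made permissive.
       The audit records and the semanage permissive -l listing embedded in it
       are constructed samples (the comm value beam.smp, the var_lib_t and
       unreserved_port_t targets and port 35672 are assumptions, not values
       from this page); the live ausearch and semanage calls run only as root
       on a system with SELinux.

```shell
#!/bin/sh
# Added example, not part of the rabbitmq policy or the sepolicy man page.
# Triage SELinux denials for the rabbitmq_t domain: summarise AVC records
# by (source type, target type, class, permissions) and check whether the
# domain has been made permissive. Only the parsing runs on the constructed
# samples below; the live commands need root, SELinux and auditd.

# Constructed sample of raw audit records, as `ausearch -m AVC` prints them.
SAMPLE_AVC='type=AVC msg=audit(1702653212.345:812): avc:  denied  { write } for  pid=1234 comm="beam.smp" name="mnesia" dev="dm-0" ino=5678 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1702653212.346:813): avc:  denied  { write } for  pid=1234 comm="beam.smp" name="mnesia" dev="dm-0" ino=5678 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1702653215.100:814): avc:  denied  { name_connect } for  pid=1234 comm="beam.smp" dest=35672 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1702653215.100:814): arch=c000003e syscall=42 success=no exit=-13 comm="beam.smp" subj=system_u:system_r:rabbitmq_t:s0'

# Constructed sample of `semanage permissive -l` output.
SAMPLE_PERMISSIVE='Builtin Permissive Types

Customized Permissive Types

rabbitmq_t'

# avc_summary [DOMAIN]: read AVC records on stdin, keep those whose source
# type is DOMAIN (default rabbitmq_t) and print "COUNT STYPE TTYPE CLASS PERMS",
# most frequent first. Same grouping audit2allow uses, without writing policy.
avc_summary() {
    awk -v want="${1:-rabbitmq_t}" '
        /avc: +denied/ {
            i = index($0, "{"); j = index($0, "}")
            perms = substr($0, i + 1, j - i - 1); gsub(/^ +| +$/, "", perms)
            match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
            match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
            match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
            if (s[3] == want) n[s[3] " " t[3] " " cls " " perms]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# is_permissive DOMAIN: read `semanage permissive -l` on stdin; exit 0 if
# DOMAIN is listed (its denials are logged but not enforced).
is_permissive() {
    grep -qx "$1"
}

# Live use: root, SELinux mounted, semanage and ausearch present. Nothing
# below runs otherwise, so the helpers can be exercised on any host.
if [ "$(id -u)" = 0 ] && [ -d /sys/fs/selinux ] \
   && command -v semanage >/dev/null 2>&1 && command -v ausearch >/dev/null 2>&1; then
    if semanage permissive -l | is_permissive rabbitmq_t; then
        echo "rabbitmq_t is permissive: denials below are logged, not enforced"
    fi
    ausearch -m AVC -ts recent 2>/dev/null | avc_summary rabbitmq_t
    # To make the domain permissive while debugging, and to revert afterwards:
    #   semanage permissive -a rabbitmq_t
    #   semanage permissive -d rabbitmq_t
fi
```

       With the domain permissive, the same summary shows what would be denied
       without stopping the broker; revert with semanage permissive -d
       rabbitmq_t once the denials are understood. A denial against var_lib_t
       usually means a data directory was created or moved without relabeling
       (see FILE CONTEXTS), and one against a generic port type means the port
       needs a semanage port entry (see PORT TYPES).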
BOOLEANS
       SELinux policy is customizable based on least access required.
       rabbitmq policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run rabbitmq with the tightest
       access possible. The booleans below are system-wide and shared with
       other confined domains, not specific to rabbitmq; the -P flag makes a
       change persist across reboots.

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

              setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

              setsebool -P nis_enabled 1

PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

              semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux rabbitmq policy is very flexible, allowing users to set up
       their rabbitmq processes in as secure a manner as possible.

       The following port types are defined for rabbitmq:

              rabbitmq_port_t

       Default Defined Ports:
              tcp 25672

MANAGED FILES
       The SELinux process type rabbitmq_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions. Types listed without a path (rabbitmq_tmp_t,
       rabbitmq_tmpfs_t, rabbitmq_var_lock_t) have no default file context;
       files receive them through type transitions when rabbitmq_t creates
       them.

       cluster_conf_t

              /etc/cluster(/.*)?

       cluster_var_lib_t

              /var/lib/pcsd(/.*)?
              /var/lib/cluster(/.*)?
              /var/lib/openais(/.*)?
              /var/lib/pengine(/.*)?
              /var/lib/corosync(/.*)?
              /usr/lib/heartbeat(/.*)?
              /var/lib/heartbeat(/.*)?
              /var/lib/pacemaker(/.*)?

       cluster_var_run_t

              /var/run/crm(/.*)?
              /var/run/cman_.*
              /var/run/rsctmp(/.*)?
              /var/run/aisexec.*
              /var/run/heartbeat(/.*)?
              /var/run/pcsd-ruby.socket
              /var/run/corosync-qnetd(/.*)?
              /var/run/corosync-qdevice(/.*)?
              /var/run/corosync.pid
              /var/run/cpglockd.pid
              /var/run/rgmanager.pid
              /var/run/cluster/rgmanager.sk

       faillog_t

              /var/log/btmp.*
              /var/log/faillog.*
              /var/log/tallylog.*
              /var/run/faillock(/.*)?

       krb5_host_rcache_t

              /var/tmp/krb5_0.rcache2
              /var/cache/krb5rcache(/.*)?
              /var/tmp/nfs_0
              /var/tmp/DNS_25
              /var/tmp/host_0
              /var/tmp/imap_0
              /var/tmp/HTTP_23
              /var/tmp/HTTP_48
              /var/tmp/ldap_55
              /var/tmp/ldap_487
              /var/tmp/ldapmap1_0

       lastlog_t

              /var/log/lastlog.*

       rabbitmq_conf_t

              /etc/rabbitmq(/.*)?

       rabbitmq_tmp_t

       rabbitmq_tmpfs_t

       rabbitmq_var_lib_t

              /var/lib/rabbitmq(/.*)?

       rabbitmq_var_lock_t

       rabbitmq_var_log_t

              /var/log/rabbitmq(/.*)?

       rabbitmq_var_run_t

              /var/run/rabbitmq(/.*)?

       root_t

              /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
              /
              /initrd

       security_t

              /selinux

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux rabbitmq policy is very flexible, allowing users to set up
       their rabbitmq processes in as secure a manner as possible.

   STANDARD FILE CONTEXT
       SELinux defines the file context types for rabbitmq. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to keep rabbitmq
       data under /srv/rabbitmq/content (the restorecon path must match the
       path given to semanage):

              semanage fcontext -a -t rabbitmq_var_lib_t '/srv/rabbitmq/content(/.*)?'
              restorecon -R -v /srv/rabbitmq/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for rabbitmq:

       rabbitmq_conf_t
              Set files with the rabbitmq_conf_t type, if you want to treat
              the files as rabbitmq configuration data, usually stored under
              the /etc directory.

       rabbitmq_exec_t
              Set files with the rabbitmq_exec_t type, if you want to
              transition an executable to the rabbitmq_t domain.

       rabbitmq_initrc_exec_t
              Set files with the rabbitmq_initrc_exec_t type, if you want to
              transition an executable to the rabbitmq_initrc_t domain.

       rabbitmq_tmp_t
              Set files with the rabbitmq_tmp_t type, if you want to store
              rabbitmq temporary files in the /tmp directories.

       rabbitmq_tmpfs_t
              Set files with the rabbitmq_tmpfs_t type, if you want to store
              rabbitmq files on a tmpfs file system.

       rabbitmq_unit_file_t
              Set files with the rabbitmq_unit_file_t type, if you want to
              treat the files as rabbitmq unit content.

       rabbitmq_var_lib_t
              Set files with the rabbitmq_var_lib_t type, if you want to store
              the rabbitmq files under the /var/lib directory.

       rabbitmq_var_lock_t
              Set files with the rabbitmq_var_lock_t type, if you want to
              treat the files as rabbitmq var lock data, stored under the
              /var/lock directory.

       rabbitmq_var_log_t
              Set files with the rabbitmq_var_log_t type, if you want to treat
              the data as rabbitmq var log data, usually stored under the
              /var/log directory.

       rabbitmq_var_run_t
              Set files with the rabbitmq_var_run_t type, if you want to store
              the rabbitmq files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), rabbitmq(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

rabbitmq                          23-12-15                   rabbitmq_selinux(8)