1rabbitmq_selinux(8)         SELinux Policy rabbitmq        rabbitmq_selinux(8)
2
3
4

NAME

6       rabbitmq_selinux - Security Enhanced Linux Policy for the rabbitmq pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures the  rabbitmq  processes  via  flexible
11       mandatory access control.
12
13       The  rabbitmq  processes  execute with the rabbitmq_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep rabbitmq_t
20
21
22

ENTRYPOINTS

24       The rabbitmq_t SELinux type can be entered via the rabbitmq_exec_t file
25       type.
26
27       The default entrypoint paths for the rabbitmq_t domain are the  follow‐
28       ing:
29
30       /usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       rabbitmq policy is very flexible allowing users to setup their rabbitmq
40       processes in as secure a method as possible.
41
42       The following process types are defined for rabbitmq:
43
44       rabbitmq_t
45
46       Note: semanage permissive -a rabbitmq_t can be used to make the process
47       type  rabbitmq_t permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy  is  customizable based on least access required.  rab‐
54       bitmq policy is extremely flexible and has several booleans that  allow
55       you  to manipulate the policy and run rabbitmq with the tightest access
56       possible.
57
58
59
60       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
61       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
62       Enabled by default.
63
64       setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68       If you want to allow all domains to execute in fips_mode, you must turn
69       on the fips_mode boolean. Enabled by default.
70
71       setsebool -P fips_mode 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the kerberos_enabled boolean. Enabled by default.
77
78       setsebool -P kerberos_enabled 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       nis_enabled boolean. Disabled by default.
84
85       setsebool -P nis_enabled 1
86
87
88

PORT TYPES

90       SELinux defines port types to represent TCP and UDP ports.
91
92       You  can  see  the  types associated with a port by using the following
93       command:
94
95       semanage port -l
96
97
98       Policy governs the access  confined  processes  have  to  these  ports.
99       SELinux  rabbitmq policy is very flexible allowing users to setup their
100       rabbitmq processes in as secure a method as possible.
101
102       The following port types are defined for rabbitmq:
103
104
105       rabbitmq_port_t
106
107
108
109       Default Defined Ports:
110                 tcp 25672
111

MANAGED FILES

113       The SELinux process type rabbitmq_t can manage files labeled  with  the
114       following file types.  The paths listed are the default paths for these
115       file types.  Note the processes UID still need to have DAC permissions.
116
117       cluster_conf_t
118
119            /etc/cluster(/.*)?
120
121       cluster_var_lib_t
122
123            /var/lib/pcsd(/.*)?
124            /var/lib/cluster(/.*)?
125            /var/lib/openais(/.*)?
126            /var/lib/pengine(/.*)?
127            /var/lib/corosync(/.*)?
128            /usr/lib/heartbeat(/.*)?
129            /var/lib/heartbeat(/.*)?
130            /var/lib/pacemaker(/.*)?
131
132       cluster_var_run_t
133
134            /var/run/crm(/.*)?
135            /var/run/cman_.*
136            /var/run/rsctmp(/.*)?
137            /var/run/aisexec.*
138            /var/run/heartbeat(/.*)?
139            /var/run/pcsd-ruby.socket
140            /var/run/corosync-qnetd(/.*)?
141            /var/run/corosync-qdevice(/.*)?
142            /var/run/corosync.pid
143            /var/run/cpglockd.pid
144            /var/run/rgmanager.pid
145            /var/run/cluster/rgmanager.sk
146
147       faillog_t
148
149            /var/log/btmp.*
150            /var/log/faillog.*
151            /var/log/tallylog.*
152            /var/run/faillock(/.*)?
153
154       krb5_host_rcache_t
155
156            /var/tmp/krb5_0.rcache2
157            /var/cache/krb5rcache(/.*)?
158            /var/tmp/nfs_0
159            /var/tmp/DNS_25
160            /var/tmp/host_0
161            /var/tmp/imap_0
162            /var/tmp/HTTP_23
163            /var/tmp/HTTP_48
164            /var/tmp/ldap_55
165            /var/tmp/ldap_487
166            /var/tmp/ldapmap1_0
167
168       lastlog_t
169
170            /var/log/lastlog.*
171
172       rabbitmq_conf_t
173
174            /etc/rabbitmq(/.*)?
175
176       rabbitmq_tmp_t
177
178
179       rabbitmq_tmpfs_t
180
181
182       rabbitmq_var_lib_t
183
184            /var/lib/rabbitmq(/.*)?
185
186       rabbitmq_var_lock_t
187
188
189       rabbitmq_var_log_t
190
191            /var/log/rabbitmq(/.*)?
192
193       rabbitmq_var_run_t
194
195            /var/run/rabbitmq(/.*)?
196
197       root_t
198
199            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
200            /
201            /initrd
202
203       security_t
204
205            /selinux
206
207

FILE CONTEXTS

209       SELinux requires files to have an extended attribute to define the file
210       type.
211
212       You can see the context of a file using the -Z option to ls
213
214       Policy  governs  the  access  confined  processes  have to these files.
215       SELinux rabbitmq policy is very flexible allowing users to setup  their
216       rabbitmq processes in as secure a method as possible.
217
218       STANDARD FILE CONTEXT
219
220       SELinux  defines the file context types for the rabbitmq, if you wanted
221       to store files with these types in a different paths, you need to  exe‐
222       cute  the  semanage  command to specify alternate labeling and then use
223       restorecon to put the labels on disk.
224
225       semanage fcontext -a -t rabbitmq_exec_t '/srv/rabbitmq/content(/.*)?'
226       restorecon -R -v /srv/myrabbitmq_content
227
228       Note: SELinux often uses regular expressions  to  specify  labels  that
229       match multiple files.
230
231       The following file types are defined for rabbitmq:
232
233
234
235       rabbitmq_conf_t
236
237       -  Set  files  with  the rabbitmq_conf_t type, if you want to treat the
238       files as rabbitmq configuration data, usually stored under the /etc di‐
239       rectory.
240
241
242
243       rabbitmq_exec_t
244
245       - Set files with the rabbitmq_exec_t type, if you want to transition an
246       executable to the rabbitmq_t domain.
247
248
249
250       rabbitmq_initrc_exec_t
251
252       - Set files with the rabbitmq_initrc_exec_t type, if you want to  tran‐
253       sition an executable to the rabbitmq_initrc_t domain.
254
255
256
257       rabbitmq_tmp_t
258
259       - Set files with the rabbitmq_tmp_t type, if you want to store rabbitmq
260       temporary files in the /tmp directories.
261
262
263
264       rabbitmq_tmpfs_t
265
266       - Set files with the rabbitmq_tmpfs_t type, if you want to  store  rab‐
267       bitmq files on a tmpfs file system.
268
269
270
271       rabbitmq_unit_file_t
272
273       -  Set  files  with the rabbitmq_unit_file_t type, if you want to treat
274       the files as rabbitmq unit content.
275
276
277
278       rabbitmq_var_lib_t
279
280       - Set files with the rabbitmq_var_lib_t type, if you want to store  the
281       rabbitmq files under the /var/lib directory.
282
283
284
285       rabbitmq_var_lock_t
286
287       - Set files with the rabbitmq_var_lock_t type, if you want to treat the
288       files as rabbitmq var lock data, stored under the /var/lock directory
289
290
291
292       rabbitmq_var_log_t
293
294       - Set files with the rabbitmq_var_log_t type, if you want to treat  the
295       data as rabbitmq var log data, usually stored under the /var/log direc‐
296       tory.
297
298
299
300       rabbitmq_var_run_t
301
302       - Set files with the rabbitmq_var_run_t type, if you want to store  the
303       rabbitmq files under the /run or /var/run directory.
304
305
306
307       Note:  File context can be temporarily modified with the chcon command.
308       If you want to permanently change the file context you need to use  the
309       semanage fcontext command.  This will modify the SELinux labeling data‐
310       base.  You will need to use restorecon to apply the labels.
311
312

COMMANDS

314       semanage fcontext can also be used to manipulate default  file  context
315       mappings.
316
317       semanage  permissive  can  also  be used to manipulate whether or not a
318       process type is permissive.
319
320       semanage module can also be used to enable/disable/install/remove  pol‐
321       icy modules.
322
323       semanage port can also be used to manipulate the port definitions
324
325       semanage boolean can also be used to manipulate the booleans
326
327
328       system-config-selinux is a GUI tool available to customize SELinux pol‐
329       icy settings.
330
331

AUTHOR

333       This manual page was auto-generated using sepolicy manpage .
334
335

SEE ALSO

337       selinux(8), rabbitmq(8), semanage(8), restorecon(8),  chcon(1),  sepol‐
338       icy(8), setsebool(8)
339
340
341
342rabbitmq                           23-12-15                rabbitmq_selinux(8)
Impressum