rtas_errd_selinux(8) SELinux Policy rtas_errd rtas_errd_selinux(8)



NAME
rtas_errd_selinux - Security Enhanced Linux Policy for the rtas_errd
processes

DESCRIPTION
Security-Enhanced Linux secures the rtas_errd processes via flexible
mandatory access control.

The rtas_errd processes execute with the rtas_errd_t SELinux type. You
can check whether any of these processes are running by executing the
ps command with the -Z qualifier.

For example:

ps -eZ | grep rtas_errd_t


ENTRYPOINTS
The rtas_errd_t SELinux type can be entered via the rtas_errd_exec_t
file type.

The default entrypoint paths for the rtas_errd_t domain are the
following:

/usr/sbin/rtas_errd, /usr/libexec/ppc64-diag/rtas_errd

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
rtas_errd policy is very flexible, allowing users to set up their
rtas_errd processes as securely as possible.

The following process types are defined for rtas_errd:

rtas_errd_t

Note: semanage permissive -a rtas_errd_t can be used to make the
process type rtas_errd_t permissive. SELinux does not deny access to
permissive process types, but the AVC (SELinux denials) messages are
still generated.


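As an added example (not from this man page or the ppc64-diag project), here are two small shell helpers that apply the two checks described above offline: one lists the PIDs whose SELinux type is a given domain from ps -eZ output, the other pulls AVC denials for that domain out of audit-log lines and shows whether each was enforced or only logged, which is how a permissive domain's denials look. Both input samples are constructed; the record layout follows the kernel's AVC format (avc: denied { perm } for pid= comm= scontext= tcontext= tclass= permissive=). The helper names pids_in_domain and avc_denials_for are my own.

```shell
# Added example, not part of the rtas_errd_selinux man page.
# Constructed `ps -eZ`-style sample: LABEL PID TTY TIME CMD.
PS_SAMPLE='LABEL                            PID TTY      TIME     CMD
system_u:system_r:init_t:s0          1 ?        00:00:03 systemd
system_u:system_r:rtas_errd_t:s0   812 ?        00:00:01 rtas_errd
system_u:system_r:sshd_t:s0        990 ?        00:00:00 sshd'

# Constructed audit-log sample. The second record carries permissive=1:
# the action was logged but not blocked, which is what the note above
# means by AVC messages still being generated for a permissive domain.
AUDIT_SAMPLE='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=812 comm="rtas_errd" name="platform" dev="dm-0" ino=4242 scontext=system_u:system_r:rtas_errd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { setsched } for  pid=812 comm="rtas_errd" scontext=system_u:system_r:rtas_errd_t:s0 tcontext=system_u:system_r:rtas_errd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=990 comm="sshd" name="shadow" dev="dm-0" ino=17 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Print the PID of every process whose SELinux type is the given domain.
# Reads `ps -eZ` output on stdin; the label is the first column.
pids_in_domain() {
    awk -v dom="$1" '$1 ~ (":" dom "(:|$)") { print $2 }'
}

# Print "pid comm perms tclass mode" for each AVC denial whose source
# context is the given domain; mode is "enforced" or "permissive".
# Reads audit-log lines on stdin.
avc_denials_for() {
    awk -v dom="$1" '
        /avc:  denied/ && $0 ~ ("scontext=[^ ]*:" dom ":") {
            pid = ""; comm = ""; perms = ""; cls = ""; mode = "enforced"
            # the permission set sits between "denied  { " and " }"
            if (match($0, /denied  [{] [^}]+ [}]/))
                perms = substr($0, RSTART + 10, RLENGTH - 12)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "pid")    pid  = kv[2]
                if (kv[1] == "comm")   comm = kv[2]
                if (kv[1] == "tclass") cls  = kv[2]
                if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
            }
            gsub(/"/, "", comm)
            print pid, comm, perms, cls, mode
        }'
}

# Demo on the constructed samples. On a live system pipe `ps -eZ` and
# `ausearch -m avc` output in instead.
printf '%s\n' "$PS_SAMPLE" | pids_in_domain rtas_errd_t
printf '%s\n' "$AUDIT_SAMPLE" | avc_denials_for rtas_errd_t
```

The setsched denial in the sample is exactly the kind of request the daemons_dontaudit_scheduling boolean silences; seeing it with permissive=1 tells you the domain was made permissive rather than the policy being changed.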
BOOLEANS
SELinux policy is customizable based on the least access required.
rtas_errd policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run rtas_errd with the tightest
access possible.



If you want to dontaudit all daemons' scheduling requests (setsched,
sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
Enabled by default.

setsebool -P daemons_dontaudit_scheduling 1



If you want to deny user domain applications the ability to map a
memory region as both executable and writable (this is dangerous and
the executable should be reported in bugzilla), you must turn on the
deny_execmem boolean. Disabled by default.

setsebool -P deny_execmem 1



If you want to control the ability to mmap a low area of the address
space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1



If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1



If you want to disable kernel module loading, you must turn on the
secure_mode_insmod boolean. Disabled by default.

setsebool -P secure_mode_insmod 1



If you want to allow unconfined executables to make their heap memory
executable, you must turn on the selinuxuser_execheap boolean. Doing
this is a really bad idea: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Disabled by default.

setsebool -P selinuxuser_execheap 1



If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1


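An added example, not part of the man page: a drift check that compares getsebool -a output against the defaults stated for the seven booleans above and prints the setsebool -P commands that would put them back. The getsebool sample is constructed, and the function names boolean_drift and restore_commands are my own.

```shell
# Added example, not part of the rtas_errd_selinux man page.
# Documented defaults for the booleans listed above ("name default").
RTAS_ERRD_BOOLEAN_DEFAULTS='daemons_dontaudit_scheduling on
deny_execmem off
mmap_low_allowed off
nis_enabled off
secure_mode_insmod off
selinuxuser_execheap off
selinuxuser_execstack on'

# Constructed `getsebool -a`-style sample ("name --> value"); on a live
# system pipe the real command output in instead. Two booleans deviate
# from their documented default here.
GETSEBOOL_SAMPLE='daemons_dontaudit_scheduling --> on
deny_execmem --> off
mmap_low_allowed --> off
nis_enabled --> on
secure_mode_insmod --> off
selinuxuser_execheap --> on
selinuxuser_execstack --> on'

# Print "name current default" for each listed boolean whose current
# value differs from its default. Reads getsebool output on stdin.
# Booleans the running policy does not define are skipped.
boolean_drift() {
    current="$(cat)"
    printf '%s\n' "$RTAS_ERRD_BOOLEAN_DEFAULTS" | while read -r name dflt; do
        cur="$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')"
        if [ -n "$cur" ] && [ "$cur" != "$dflt" ]; then
            printf '%s %s %s\n' "$name" "$cur" "$dflt"
        fi
    done
    return 0
}

# Turn a drift report into the setsebool -P commands that would restore
# the documented defaults. Reads boolean_drift output on stdin. The
# commands are printed, not executed: a deviation may be deliberate, so
# review before applying (selinuxuser_execheap=on, for instance, is the
# case the text above says should be reported rather than kept).
restore_commands() {
    while read -r name cur dflt; do
        case "$dflt" in
            on)  printf 'setsebool -P %s 1\n' "$name" ;;
            off) printf 'setsebool -P %s 0\n' "$name" ;;
        esac
    done
    return 0
}

# Demo on the constructed sample.
printf '%s\n' "$GETSEBOOL_SAMPLE" | boolean_drift | restore_commands
```

The defaults table is the page's own list, so extending the check to other domains only means adding lines to it; the comparison itself does not change.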
MANAGED FILES
The SELinux process type rtas_errd_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

file_type

all files on the system


FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux rtas_errd policy is very flexible, allowing users to set up their
rtas_errd processes as securely as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for rtas_errd. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t rtas_errd_exec_t '/srv/rtas_errd/content(/.*)?'
restorecon -R -v /srv/rtas_errd/content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.
The following file types are defined for rtas_errd:



rtas_errd_exec_t

- Set files with the rtas_errd_exec_t type, if you want to transition
an executable to the rtas_errd_t domain.


Paths:
/usr/sbin/rtas_errd, /usr/libexec/ppc64-diag/rtas_errd


rtas_errd_log_t

- Set files with the rtas_errd_log_t type, if you want to treat the
data as rtas errd log data, usually stored under the /var/log
directory.


Paths:
/var/log/platform.*, /var/log/rtas_errd.*, /var/log/epow_status.*


rtas_errd_tmp_t

- Set files with the rtas_errd_tmp_t type, if you want to store rtas
errd temporary files in the /tmp directories.



rtas_errd_tmpfs_t

- Set files with the rtas_errd_tmpfs_t type, if you want to store rtas
errd files on a tmpfs file system.



rtas_errd_unit_file_t

- Set files with the rtas_errd_unit_file_t type, if you want to treat
the files as rtas errd unit content.



rtas_errd_var_lock_t

- Set files with the rtas_errd_var_lock_t type, if you want to treat
the files as rtas errd var lock data, stored under the /var/lock
directory.


Paths:
/var/lock/.*librtas, /var/lock/subsys/rtas_errd


rtas_errd_var_run_t

- Set files with the rtas_errd_var_run_t type, if you want to store the
rtas errd files under the /run or /var/run directory.



Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

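An added example, not from the man page or the policy sources, that turns the Paths entries above into an offline stand-in for matchpathcon(8) and then reports files whose on-disk type differs from what policy expects, which is the set restorecon -R -v would relabel. The context table, the ls -Z-style listing and the helper names expected_type and mislabeled are constructed for this example.

```shell
# Added example, not part of the rtas_errd_selinux man page.
# "regex type" pairs, taken from the Paths entries above. On a real
# system this table lives in the policy's file_contexts; the patterns
# here do not overlap, so first match wins (the real matcher ranks by
# specificity, which only matters when patterns overlap).
RTAS_ERRD_FILE_CONTEXTS='/usr/sbin/rtas_errd rtas_errd_exec_t
/usr/libexec/ppc64-diag/rtas_errd rtas_errd_exec_t
/var/log/platform.* rtas_errd_log_t
/var/log/rtas_errd.* rtas_errd_log_t
/var/log/epow_status.* rtas_errd_log_t
/var/lock/.*librtas rtas_errd_var_lock_t
/var/lock/subsys/rtas_errd rtas_errd_var_lock_t'

# Constructed `ls -Z`-style listing ("context path"). Three of the five
# entries carry a generic type where policy expects an rtas_errd one.
LS_Z_SAMPLE='system_u:object_r:rtas_errd_log_t:s0 /var/log/platform
system_u:object_r:var_log_t:s0 /var/log/rtas_errd.log
system_u:object_r:bin_t:s0 /usr/sbin/rtas_errd
system_u:object_r:var_lock_t:s0 /var/lock/subsys/rtas_errd
system_u:object_r:etc_t:s0 /etc/hostname'

# Print the file type policy expects for a path (cf. matchpathcon(8)),
# or "unknown" when no pattern in the table matches. Patterns are
# anchored to the whole path, as file_contexts patterns are.
expected_type() {
    path="$1"
    found="$(printf '%s\n' "$RTAS_ERRD_FILE_CONTEXTS" | while read -r regex type; do
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            printf '%s\n' "$type"
            break
        fi
    done)"
    printf '%s\n' "${found:-unknown}"
}

# Print "path current expected" for every listed file whose on-disk
# type differs from the expected one. These are the files a
# `restorecon -R -v` over the same paths would relabel. Reads
# `ls -Z`-style lines on stdin; paths with no policy entry are skipped.
mislabeled() {
    while read -r ctx path; do
        cur="$(printf '%s\n' "$ctx" | cut -d: -f3)"   # user:role:TYPE:level
        exp="$(expected_type "$path")"
        if [ "$exp" != unknown ] && [ "$cur" != "$exp" ]; then
            printf '%s %s %s\n' "$path" "$cur" "$exp"
        fi
    done
    return 0
}

# Demo on the constructed listing.
printf '%s\n' "$LS_Z_SAMPLE" | mislabeled
```

A mislabeled entrypoint (/usr/sbin/rtas_errd carrying bin_t in the sample) matters more than a mislabeled log file: without rtas_errd_exec_t on the binary there is no transition into rtas_errd_t, so the daemon runs in whatever domain started it rather than the confined one described under ENTRYPOINTS.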

COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux
policy settings.


AUTHOR
This manual page was auto-generated using sepolicy manpage.


SEE ALSO
selinux(8), rtas_errd(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)



rtas_errd 23-12-15 rtas_errd_selinux(8)