nova_selinux(8)          nova SELinux Policy documentation          nova_selinux(8)

NAME
nova_selinux - Security Enhanced Linux Policy for the nova processes
DESCRIPTION
Security-Enhanced Linux secures the nova processes via flexible mandatory
access control.
NSSWITCH DOMAIN
If you want to allow users to log in using an sssd server for the
nova_console_t and nova_cert_t domains, you must turn on the
authlogin_nsswitch_use_ldap boolean.
setsebool -P authlogin_nsswitch_use_ldap 1
If you want to allow confined applications to run with Kerberos for the
nova_console_t and nova_cert_t domains, you must turn on the allow_kerberos
boolean.
setsebool -P allow_kerberos 1
If you want to allow the system to run with NIS for the nova_console_t
and nova_cert_t domains, you must turn on the allow_ypbind boolean.
setsebool -P allow_ypbind 1
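As an added example (not part of this manual page or of the selinux-policy project), the following script reads getsebool output, reports which of the three booleans above are still off, and prints only the setsebool commands that are still needed. The getsebool output embedded below is constructed sample data so the script runs on a host without SELinux; on a real host pass it the output of getsebool -a. The fallback names kerberos_enabled and nis_enabled are the names later selinux-policy releases use for allow_kerberos and allow_ypbind; whether your policy reports the old or the new name is an assumption the script resolves at run time.

```shell
#!/bin/sh
# Added example, not from the nova_selinux man page. Reports which of the
# three NSSWITCH DOMAIN booleans are not on and prints the setsebool commands.

# CONSTRUCTED sample of `getsebool -a` output. On a real host:
#   fix_commands "$(getsebool -a)"
SAMPLE_GETSEBOOL='allow_kerberos --> on
authlogin_nsswitch_use_ldap --> off
nis_enabled --> off
some_other_bool --> on'

NOVA_AUTH_BOOLEANS="authlogin_nsswitch_use_ldap allow_kerberos allow_ypbind"

# newer_name OLD: the renamed boolean in later selinux-policy releases
# (assumption: allow_kerberos -> kerberos_enabled, allow_ypbind -> nis_enabled).
newer_name() {
    case "$1" in
        allow_kerberos) echo kerberos_enabled ;;
        allow_ypbind)   echo nis_enabled ;;
        *)              echo "$1" ;;
    esac
}

# bool_state NAME "OUTPUT": print on/off, or "unknown" if NAME is not listed
bool_state() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# resolve_bool NAME "OUTPUT": print "NAME STATE", falling back to the newer
# name when the loaded policy does not know the old one
resolve_bool() {
    state=$(bool_state "$1" "$2")
    name=$1
    if [ "$state" = "unknown" ]; then
        name=$(newer_name "$1")
        state=$(bool_state "$name" "$2")
    fi
    printf '%s %s\n' "$name" "$state"
}

# missing_booleans "OUTPUT": booleans (by the name the policy uses) that are not on
missing_booleans() {
    for b in $NOVA_AUTH_BOOLEANS; do
        resolve_bool "$b" "$1"
    done | awk '$2 != "on" { print $1 }'
}

# fix_commands "OUTPUT": one persistent (-P) setsebool per boolean that is off.
# -P writes the value to the policy store so it survives a reboot.
fix_commands() {
    for b in $(missing_booleans "$1"); do
        printf 'setsebool -P %s 1\n' "$b"
    done
}

fix_commands "$SAMPLE_GETSEBOOL"
```

Run it against real output with fix_commands "$(getsebool -a)" and review the printed commands before executing them; each one widens what the nova_console_t and nova_cert_t domains may do, so only enable the booleans the deployment actually needs.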
FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.
You can see the context of a file using the -Z option to ls
Policy governs the access confined processes have to these files.
SELinux nova policy is very flexible allowing users to set up their nova
processes in as secure a method as possible.
The following file types are defined for nova:
nova_ajax_exec_t
- Set files with the nova_ajax_exec_t type, if you want to transition
an executable to the nova_ajax_t domain.
nova_ajax_tmp_t
- Set files with the nova_ajax_tmp_t type, if you want to store nova
ajax temporary files in the /tmp directories.
nova_ajax_unit_file_t
- Set files with the nova_ajax_unit_file_t type, if you want to treat
the files as nova ajax unit content.
nova_api_exec_t
- Set files with the nova_api_exec_t type, if you want to transition an
executable to the nova_api_t domain.
Paths:
/usr/bin/nova-api, /usr/bin/nova-api-metadata
nova_api_tmp_t
- Set files with the nova_api_tmp_t type, if you want to store nova api
temporary files in the /tmp directories.
nova_api_unit_file_t
- Set files with the nova_api_unit_file_t type, if you want to treat
the files as nova api unit content.
Paths:
/usr/lib/systemd/system/openstack-nova-metadata-api.service.*,
/usr/lib/systemd/system/openstack-nova-api.*
nova_cert_exec_t
- Set files with the nova_cert_exec_t type, if you want to transition
an executable to the nova_cert_t domain.
nova_cert_tmp_t
- Set files with the nova_cert_tmp_t type, if you want to store nova
cert temporary files in the /tmp directories.
nova_cert_unit_file_t
- Set files with the nova_cert_unit_file_t type, if you want to treat
the files as nova cert unit content.
nova_compute_exec_t
- Set files with the nova_compute_exec_t type, if you want to transition
an executable to the nova_compute_t domain.
nova_compute_tmp_t
- Set files with the nova_compute_tmp_t type, if you want to store nova
compute temporary files in the /tmp directories.
nova_compute_unit_file_t
- Set files with the nova_compute_unit_file_t type, if you want to
treat the files as nova compute unit content.
nova_console_exec_t
- Set files with the nova_console_exec_t type, if you want to transition
an executable to the nova_console_t domain.
nova_console_tmp_t
- Set files with the nova_console_tmp_t type, if you want to store nova
console temporary files in the /tmp directories.
nova_console_unit_file_t
- Set files with the nova_console_unit_file_t type, if you want to
treat the files as nova console unit content.
nova_direct_exec_t
- Set files with the nova_direct_exec_t type, if you want to transition
an executable to the nova_direct_t domain.
nova_direct_tmp_t
- Set files with the nova_direct_tmp_t type, if you want to store nova
direct temporary files in the /tmp directories.
nova_direct_unit_file_t
- Set files with the nova_direct_unit_file_t type, if you want to treat
the files as nova direct unit content.
nova_log_t
- Set files with the nova_log_t type, if you want to treat the data as
nova log data, usually stored under the /var/log directory.
nova_network_exec_t
- Set files with the nova_network_exec_t type, if you want to transition
an executable to the nova_network_t domain.
nova_network_tmp_t
- Set files with the nova_network_tmp_t type, if you want to store nova
network temporary files in the /tmp directories.
nova_network_unit_file_t
- Set files with the nova_network_unit_file_t type, if you want to
treat the files as nova network unit content.
nova_objectstore_exec_t
- Set files with the nova_objectstore_exec_t type, if you want to
transition an executable to the nova_objectstore_t domain.
nova_objectstore_tmp_t
- Set files with the nova_objectstore_tmp_t type, if you want to store
nova objectstore temporary files in the /tmp directories.
nova_objectstore_unit_file_t
- Set files with the nova_objectstore_unit_file_t type, if you want to
treat the files as nova objectstore unit content.
nova_scheduler_exec_t
- Set files with the nova_scheduler_exec_t type, if you want to transition
an executable to the nova_scheduler_t domain.
nova_scheduler_tmp_t
- Set files with the nova_scheduler_tmp_t type, if you want to store
nova scheduler temporary files in the /tmp directories.
nova_scheduler_unit_file_t
- Set files with the nova_scheduler_unit_file_t type, if you want to
treat the files as nova scheduler unit content.
nova_var_lib_t
- Set files with the nova_var_lib_t type, if you want to store the nova
files under the /var/lib directory.
nova_var_run_t
- Set files with the nova_var_run_t type, if you want to store the nova
files under the /run directory.
nova_vncproxy_exec_t
- Set files with the nova_vncproxy_exec_t type, if you want to transition
an executable to the nova_vncproxy_t domain.
Paths:
/usr/bin/nova-vncproxy, /usr/bin/nova-xvpvncproxy
nova_vncproxy_tmp_t
- Set files with the nova_vncproxy_tmp_t type, if you want to store
nova vncproxy temporary files in the /tmp directories.
nova_vncproxy_unit_file_t
- Set files with the nova_vncproxy_unit_file_t type, if you want to
treat the files as nova vncproxy unit content.
Paths:
/usr/lib/systemd/system/openstack-nova-xvpvncproxy.*,
/usr/lib/systemd/system/openstack-nova-vncproxy.*
nova_volume_exec_t
- Set files with the nova_volume_exec_t type, if you want to transition
an executable to the nova_volume_t domain.
nova_volume_tmp_t
- Set files with the nova_volume_tmp_t type, if you want to store nova
volume temporary files in the /tmp directories.
nova_volume_unit_file_t
- Set files with the nova_volume_unit_file_t type, if you want to treat
the files as nova volume unit content.
Note: File context can be temporarily modified with the chcon command,
but a label set this way is lost the next time the file is relabeled. If
you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will then need to use restorecon to apply the labels.
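As an added example (not part of this manual page or of the nova policy), the following script shows the persistent relabeling procedure for a nova data directory kept outside the stock paths, and checks an ls -Z listing for files that did not pick up the nova type. /srv/nova is a hypothetical site-specific path, and the ls -Z listing is constructed sample data so the checks run on a host without SELinux.

```shell
#!/bin/sh
# Added example, not from the nova_selinux man page. Persistent relabeling of
# a non-default nova data directory plus a check for files left with the
# wrong type.

# Hypothetical site-specific path; the stock policy only labels /var/lib/nova.
NOVA_DATA="/srv/nova"

# relabel_commands DIR: the persistent procedure from the page. semanage
# fcontext records the mapping in the labeling database, restorecon applies
# it, matchpathcon confirms what the database now says for the path.
# chcon alone would be undone by the next relabel.
relabel_commands() {
    printf "semanage fcontext -a -t nova_var_lib_t '%s(/.*)?'\n" "$1"
    printf 'restorecon -Rv %s\n' "$1"
    printf 'matchpathcon %s\n' "$1"
}

# type_of CONTEXT: the type field of user:role:type:level
# e.g. system_u:object_r:nova_var_lib_t:s0 -> nova_var_lib_t
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# CONSTRUCTED `ls -Z` output (context, then path). Two entries still carry
# the generic type they had when the data was copied in without restorecon;
# nova_var_lib_t-confined processes will be denied access to those.
SAMPLE_LS_Z='system_u:object_r:nova_var_lib_t:s0 /srv/nova/instances
unconfined_u:object_r:var_lib_t:s0 /srv/nova/instances/_base
system_u:object_r:nova_var_lib_t:s0 /srv/nova/keys
unconfined_u:object_r:user_home_t:s0 /srv/nova/tmp/seed.img'

# mislabeled EXPECTED_TYPE "LISTING": print paths whose type is not EXPECTED_TYPE
mislabeled() {
    printf '%s\n' "$2" | while read -r ctx path; do
        [ "$(type_of "$ctx")" = "$1" ] || printf '%s\n' "$path"
    done
}

relabel_commands "$NOVA_DATA"
mislabeled nova_var_lib_t "$SAMPLE_LS_Z"
```

On a real host the listing comes from ls -RZ on the directory; a non-empty result from mislabeled after restorecon means the fcontext regular expression does not cover those paths, not that restorecon failed.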
PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.
You can see the context of a process using the -Z option to ps
Policy governs the access confined processes have to files. SELinux
nova policy is very flexible allowing users to set up their nova
processes in as secure a method as possible.
The following process types are defined for nova:
nova_api_t, nova_compute_t, nova_console_t, nova_network_t, nova_objectstore_t, nova_vncproxy_t, nova_volume_t, nova_scheduler_t, nova_ajax_t, nova_cert_t, nova_direct_t
Note: semanage permissive -a PROCESS_TYPE can be used to make a process
type permissive. Permissive process types are not denied access by
SELinux, but AVC messages will still be generated, so the denials can be
reviewed.
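As an added example (not part of this manual page), the following script checks ps -eZ output for nova daemons that are not running in the domain the policy assigns them, and prints the permissive-domain debugging sequence for a single domain. The ps output is constructed sample data; the daemon-to-domain table is taken from the *_exec_t to *_t transitions listed above, and the binary names nova-cert and nova-console, for which the page lists no paths, are assumptions.

```shell
#!/bin/sh
# Added example, not from the nova_selinux man page. Finds nova daemons that
# did not transition into their confined domain, and shows how to make one
# domain permissive for debugging without disabling enforcement host-wide.

# expected_domain CMD: domain the policy transitions CMD into (from the
# *_exec_t list on the page; nova-cert and nova-console names are assumed)
expected_domain() {
    case "$1" in
        nova-api|nova-api-metadata)     echo nova_api_t ;;
        nova-compute)                   echo nova_compute_t ;;
        nova-scheduler)                 echo nova_scheduler_t ;;
        nova-network)                   echo nova_network_t ;;
        nova-vncproxy|nova-xvpvncproxy) echo nova_vncproxy_t ;;
        nova-cert)                      echo nova_cert_t ;;
        nova-console)                   echo nova_console_t ;;
        *)                              echo unknown ;;
    esac
}

# CONSTRUCTED `ps -eZ` lines (LABEL PID TTY TIME CMD). nova-compute was
# started by hand from a login shell, so it kept unconfined_t instead of
# transitioning: none of the nova policy applies to that process.
SAMPLE_PS_Z='system_u:system_r:nova_api_t:s0 1201 ? 00:00:03 nova-api
system_u:system_r:nova_scheduler_t:s0 1230 ? 00:00:01 nova-scheduler
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1342 pts/0 00:00:09 nova-compute
system_u:system_r:nova_vncproxy_t:s0 1377 ? 00:00:00 nova-xvpvncproxy'

# unconfined_nova "PS_OUTPUT": print "CMD actual_domain" for every nova
# daemon whose domain differs from the expected one
unconfined_nova() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^nova-/ { split($1, f, ":"); print $5, f[3] }' |
    while read -r cmd dom; do
        [ "$dom" = "$(expected_domain "$cmd")" ] || printf '%s %s\n' "$cmd" "$dom"
    done
}

# permissive_workflow DOMAIN: make one domain permissive, collect the AVCs it
# still logs, turn them into a local module, then re-enforce. Review the
# generated .te before semodule -i; audit2allow allows everything it saw.
permissive_workflow() {
    cat <<EOF
semanage permissive -a $1
# reproduce the failing operation, then:
ausearch -m AVC -ts recent | audit2allow -M local_$1
semodule -i local_$1.pp
semanage permissive -d $1
EOF
}

unconfined_nova "$SAMPLE_PS_Z"
permissive_workflow nova_compute_t
```

On a real host use unconfined_nova "$(ps -eZ)". A daemon reported here is not protected by any of the nova types above; the fix is to restart it through its unit file (or another entry point labeled with the matching *_exec_t) rather than to widen the policy.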
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.
semanage permissive can also be used to manipulate whether or not a
process type is permissive.
semanage module can also be used to enable/disable/install/remove policy
modules.
system-config-selinux is a GUI tool available to customize SELinux policy
settings.
AUTHOR
This manual page was autogenerated by genman.py.
SEE ALSO
selinux(8), nova(8), semanage(8), restorecon(8), chcon(1)

dwalsh@redhat.com                       nova                        nova_selinux(8)