Chapter 13. Basic Subsystem Management
13.8.1. About SELinux
Basically, SELinux identifies objects on a system, which can be files, directories, users, processes,
sockets, or any other thing on a Linux host. These objects correspond to the Linux API objects. Each
object is then mapped to a security context, which defines the type of object it is and how it is allowed
to function on the Linux server.
System processes run within SELinux domains. Each domain has a set of rules that defines how
the SELinux domain interacts with other SELinux objects on the system. This set of rules, then,
determines which resources a process may access and what operations it may perform on those
resources.
For Certificate System, each subsystem type runs within a specific domain for that subsystem type.
Every instance of that subsystem type belongs to the same SELinux domain, regardless of how many
instances are on the system. For example, if there are three CAs installed on a server, all three belong
to the pki_ca_t SELinux domain.
The rules and definitions for all the subsystems comprise the overall Certificate System SELinux
policy. The SELinux policy is delivered in a separate RPM package (pki-selinux), which is installed
as a prerequisite for the other Certificate System subsystem packages.
Certificate System SELinux policies are already configured when the subsystems are installed, and
all SELinux policies are updated every time a subsystem is added with pkicreate or removed with
pkiremove.
# The type the CA process runs as (its domain) and the type of the executable
# that transitions into it; both are also grouped under attributes.
type pki_ca_t, pki_ca_process;
type pki_ca_exec_t, pki_ca_executable;
domain_type(pki_ca_t)
init_daemon_domain(pki_ca_t, pki_ca_exec_t)
# Type for configuration files the CA may read and write.
type pki_ca_etc_rw_t, pki_ca_config;
files_type(pki_ca_etc_rw_t)
# Type for the network ports the CA needs to use.
type pki_ca_port_t;
corenet_port(pki_ca_port_t)
# Allow the CA domain to execute the Tomcat launcher configured in /etc/pki-ca/tomcat.conf:
can_exec(pki_ca_t, pki_ca_tomcat_exec_t)
Example 13.4. Excerpts of the CA SELinux Policy
The Certificate System subsystems run with SELinux set in enforcing mode, meaning that Certificate
System operations succeed even when every SELinux rule is enforced rather than merely logged, as it
would be in permissive mode.
By default, the Certificate System subsystems run confined by SELinux policies.
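A practical way to confirm the statements above on a running server is to check the SELinux context of every CA instance process: each one, however many instances are installed, should be in the pki_ca_t domain, and a CA process in a generic domain such as initrc_t indicates that the pki-selinux policy was not applied to that instance. The script below is an added example and not part of the Certificate System documentation or packages; it parses output in the form produced by ps -eo label,pid,args (the sample lines, PIDs and instance directories pki-ca, pki-ca2 and pki-ca3 are constructed for illustration) and reports any CA process running outside the expected domain.

```shell
#!/bin/sh
# Added example: verify that every CA instance process is confined in the
# expected SELinux domain. Reads "ps -eo label,pid,args" output on stdin
# (header line included). Returns 0 when every pki-ca process runs in the
# expected domain, 1 when at least one does not, 2 when none were found.
check_ca_domains() {
    expected="$1"          # e.g. pki_ca_t
    bad=0
    found=0
    while read -r ctx pid cmd; do
        # Skip the column header that ps prints.
        [ "$ctx" = "LABEL" ] && continue
        # Only examine processes belonging to a pki-ca instance, identified
        # here by the instance directory name in the command arguments.
        case "$cmd" in *pki-ca*) ;; *) continue ;; esac
        found=$((found + 1))
        # A context is user:role:type[:level]; the type is the domain.
        rest=${ctx#*:}; rest=${rest#*:}; domain=${rest%%:*}
        if [ "$domain" != "$expected" ]; then
            printf 'PID %s runs as %s, expected %s: %s\n' "$pid" "$domain" "$expected" "$cmd"
            bad=1
        fi
    done
    [ "$found" -gt 0 ] || { echo "no pki-ca processes found" >&2; return 2; }
    return "$bad"
}

# Constructed sample output: three CA instances, all confined, plus an
# unrelated daemon that the check must ignore.
SAMPLE_CONFINED='LABEL                           PID COMMAND
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 /usr/sbin/sshd
system_u:system_r:pki_ca_t:s0 1201 java -Dcatalina.base=/var/lib/pki-ca org.apache.catalina.startup.Bootstrap start
system_u:system_r:pki_ca_t:s0 1253 java -Dcatalina.base=/var/lib/pki-ca2 org.apache.catalina.startup.Bootstrap start
system_u:system_r:pki_ca_t:s0 1305 java -Dcatalina.base=/var/lib/pki-ca3 org.apache.catalina.startup.Bootstrap start'

# Constructed sample where the third instance was started without the policy
# applying, so it runs in the generic initrc_t domain.
SAMPLE_UNCONFINED='LABEL                           PID COMMAND
system_u:system_r:pki_ca_t:s0 1201 java -Dcatalina.base=/var/lib/pki-ca org.apache.catalina.startup.Bootstrap start
system_u:system_r:pki_ca_t:s0 1253 java -Dcatalina.base=/var/lib/pki-ca2 org.apache.catalina.startup.Bootstrap start
system_u:system_r:initrc_t:s0 1305 java -Dcatalina.base=/var/lib/pki-ca3 org.apache.catalina.startup.Bootstrap start'

# On a real server, replace the sample with: ps -eo label,pid,args | check_ca_domains pki_ca_t
if printf '%s\n' "$SAMPLE_CONFINED" | check_ca_domains pki_ca_t; then
    echo "confined sample: every CA instance runs in pki_ca_t"
fi
printf '%s\n' "$SAMPLE_UNCONFINED" | check_ca_domains pki_ca_t \
    || echo "unconfined sample: policy not applied to at least one instance"
```

The check deliberately keys on the instance directory rather than the process name, because on the server every CA instance appears simply as a java process; the Tomcat launcher arguments are what distinguish one instance from another. The same function can be pointed at the other subsystem domains by changing the expected type and the directory pattern.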
13.8.2. Viewing SELinux Policies for Subsystems
All Certificate System policies are installed with the pki-selinux package and are located in the
/usr/share/selinux/modules/ directory, in the pki.pp file. The configured policies can be
viewed using the SELinux Administration GUI.
1. Open the Systems menu.