|
Server : Apache System : Linux server.mata-lashes.com 3.10.0-1160.90.1.el7.x86_64 #1 SMP Thu May 4 15:21:22 UTC 2023 x86_64 User : matalashes ( 1004) PHP Version : 8.1.29 Disable Function : NONE Directory : /usr/share/selinux/devel/html/ |
Upload File : |
<!-- Creator : groff version 1.22.2 -->
<!-- CreationDate: Mon Nov 16 16:50:06 2020 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
p { margin-top: 0; margin-bottom: 0; vertical-align: top }
pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
<title>git_session_selinux</title>
</head>
<body>
<h1 align="center">git_session_selinux</h1>
<a href="#NAME">NAME</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#ENTRYPOINTS">ENTRYPOINTS</a><br>
<a href="#PROCESS TYPES">PROCESS TYPES</a><br>
<a href="#BOOLEANS">BOOLEANS</a><br>
<a href="#COMMANDS">COMMANDS</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<hr>
<h2>NAME
<a name="NAME"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">git_session_selinux
− Security Enhanced Linux Policy for the git_session
processes</p>
<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Security-Enhanced
Linux secures the git_session processes via flexible
mandatory access control.</p>
<p style="margin-left:11%; margin-top: 1em">The git_session
processes execute with the git_session_t SELinux type. You
can check if you have these processes running by executing
the <b>ps</b> command with the <b>−Z</b>
qualifier.</p>
<p style="margin-left:11%; margin-top: 1em">For
example:</p>
<p style="margin-left:11%; margin-top: 1em"><b>ps -eZ |
grep git_session_t</b></p>
<h2>ENTRYPOINTS
<a name="ENTRYPOINTS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">The
git_session_t SELinux type can be entered via the
<b>gitd_exec_t</b> file type.</p>
<p style="margin-left:11%; margin-top: 1em">The default
entrypoint paths for the git_session_t domain are the
following:</p>
<p style="margin-left:11%; margin-top: 1em">/usr/libexec/git-core/git-daemon</p>
<h2>PROCESS TYPES
<a name="PROCESS TYPES"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">SELinux defines
process types (domains) for each process running on the
system</p>
<p style="margin-left:11%; margin-top: 1em">You can see the
context of a process using the <b>−Z</b> option to
<b>ps</b></p>
<p style="margin-left:11%; margin-top: 1em">Policy governs
the access confined processes have to files. SELinux
git_session policy is very flexible allowing users to setup
their git_session processes in as secure a method as
possible.</p>
<p style="margin-left:11%; margin-top: 1em">The following
process types are defined for git_session:</p>
<p style="margin-left:11%; margin-top: 1em"><b>git_session_t</b></p>
<p style="margin-left:11%; margin-top: 1em">Note:
<b>semanage permissive -a git_session_t</b> can be used to
make the process type git_session_t permissive. SELinux does
not deny access to permissive process types, but the AVC
(SELinux denials) messages are still generated.</p>
<h2>BOOLEANS
<a name="BOOLEANS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">SELinux policy
is customizable based on least access required. git_session
policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run git_session with
the tightest access possible.</p>
<p style="margin-left:11%; margin-top: 1em">If you want to
determine whether Git session daemon can bind TCP sockets to
all unreserved ports, you must turn on the
git_session_bind_all_unreserved_ports boolean. Disabled by
default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
git_session_bind_all_unreserved_ports 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
determine whether calling user domains can execute Git
daemon in the git_session_t domain, you must turn on the
git_session_users boolean. Disabled by default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
git_session_users 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow users to resolve user passwd entries directly from
ldap rather then using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by
default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
authlogin_nsswitch_use_ldap 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean. Enabled
by default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
deny_ptrace 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow any process to mmap any file on system with attribute
file_type, you must turn on the domain_can_mmap_files
boolean. Enabled by default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
domain_can_mmap_files 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow all domains write to kmsg_device, while kernel is
executed with systemd.log_target=kmsg parameter, you must
turn on the domain_can_write_kmsg boolean. Disabled by
default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
domain_can_write_kmsg 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow all domains to use other domains file descriptors, you
must turn on the domain_fd_use boolean. Enabled by
default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
domain_fd_use 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow all domains to have the kernel load modules, you must
turn on the domain_kernel_load_modules boolean. Disabled by
default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
domain_kernel_load_modules 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow all domains to execute in fips_mode, you must turn on
the fips_mode boolean. Enabled by default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
fips_mode 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
enable reading of urandom for all domains, you must turn on
the global_ssp boolean. Disabled by default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
global_ssp 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow confined applications to run with kerberos, you must
turn on the kerberos_enabled boolean. Enabled by
default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
kerberos_enabled 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
nis_enabled 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
allow confined applications to use nscd shared memory, you
must turn on the nscd_use_shm boolean. Disabled by
default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
nscd_use_shm 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
use_nfs_home_dirs 1</b></p>
<p style="margin-left:11%; margin-top: 1em">If you want to
support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.</p>
<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
use_samba_home_dirs 1</b></p>
<h2>COMMANDS
<a name="COMMANDS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext</b> can also be used to manipulate default file
context mappings.</p>
<p style="margin-left:11%; margin-top: 1em"><b>semanage
permissive</b> can also be used to manipulate whether or not
a process type is permissive.</p>
<p style="margin-left:11%; margin-top: 1em"><b>semanage
module</b> can also be used to enable/disable/install/remove
policy modules.</p>
<p style="margin-left:11%; margin-top: 1em"><b>semanage
boolean</b> can also be used to manipulate the booleans</p>
<p style="margin-left:11%; margin-top: 1em"><b>system-config-selinux</b>
is a GUI tool available to customize SELinux policy
settings.</p>
<h2>AUTHOR
<a name="AUTHOR"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">This manual
page was auto-generated using <b>sepolicy manpage .</b></p>
<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">selinux(8),
git_session(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8) , setsebool(8)</p>
<hr>
</body>
</html>