[
]>

<!--
  This file is part of firewalld.

  Copyright (C) 2010-2013 Red Hat, Inc.
  Authors:
  Thomas Woerner <twoerner@redhat.com>

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program. If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="firewalld.lockdown-whitelist">

  <refentryinfo>
    <title>firewalld.lockdown-whitelist</title>
    <productname>firewalld</productname>
    &authors;
  </refentryinfo>

  <refmeta>
    <refentrytitle>firewalld.lockdown-whitelist</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>firewalld.lockdown-whitelist</refname>
    <refpurpose>firewalld lockdown whitelist configuration file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para>
      <programlisting>
<filename><config.sysconfdir/>/firewalld/lockdown-whitelists.xml</filename>
      </programlisting>
    </para>
  </refsynopsisdiv>

  <refsect1 id="description">
    <title>Description</title>

    <para>
      The firewalld lockdown-whitelist configuration file contains the SELinux contexts, commands, users and user ids that are white-listed when the firewalld lockdown feature is enabled (see <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and <citerefentry><refentrytitle>firewall-cmd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
    </para>

    <para>
      This example configuration file shows the structure of a lockdown-whitelist file:

      <programlisting>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;whitelist&gt;
  &lt;selinux context="<replaceable>selinuxcontext</replaceable>"/&gt;
  &lt;command name="<replaceable>commandline</replaceable>[*]"/&gt;
  &lt;user {name="<replaceable>username</replaceable>"|id="<replaceable>userid</replaceable>"}/&gt;
&lt;/whitelist&gt;
      </programlisting>
    </para>
  </refsect1>

  <refsect1 id="options">
    <title>Options</title>
    <para>
      The config can contain these tags and attributes. Some of them are mandatory, others optional.
    </para>

    <refsect2 id="options_whitelist">
      <title>whitelist</title>
      <para>
        The mandatory whitelist start and end tag defines the lockdown-whitelist. This tag can only be used once in a lockdown-whitelist configuration file. There are no attributes for this.
      </para>
    </refsect2>

    <refsect2 id="options_selinux">
      <title>selinux</title>
      <para>
        Is an optional empty-element tag and can be used several times to have more than one selinux context entry. A selinux entry has exactly one attribute:
      </para>

      <variablelist>
        <varlistentry>
          <term>context="<replaceable>string</replaceable>"</term>
          <listitem>
            <para>
              The context is the security (SELinux) context of a running application or service.
            </para>
            <para>
              To get the context of a running application use <command>ps -e --context</command> and search for the application that should be white-listed.
            </para>
            <para>
              Warning: If the context of an application is unconfined, then this will open access for more than the desired application.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2 id="options_command">
      <title>command</title>
      <para>
        Is an optional empty-element tag and can be used several times to have more than one command entry. A command entry has exactly one attribute:
      </para>

      <variablelist>
        <varlistentry>
          <term>name="<replaceable>string</replaceable>"</term>
          <listitem>
            <para>
              The command <replaceable>string</replaceable> is a complete command line, including the path of the executable and its arguments.
            </para>
            <para>
              If a command entry ends with an asterisk '*', then all command lines starting with the command will match. Without the '*', the complete command line including its arguments must match exactly.
            </para>
            <para>
              Commands for user root and for other users are not always the same: the path used depends on the <envar>PATH</envar> environment variable.
            </para>
          </listitem>
        </varlistentry>

      </variablelist>
    </refsect2>

    <refsect2 id="options_user">
      <title>user</title>
      <para>
        Is an optional empty-element tag and can be used several times to white-list more than one user. A user entry has exactly one of these attributes:
      </para>

      <variablelist>
        <varlistentry>
          <term>name="<replaceable>string</replaceable>"</term>
          <listitem>
            <para>
              The user with the name <replaceable>string</replaceable> will be white-listed.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>id="<replaceable>integer</replaceable>"</term>
          <listitem>
            <para>
              The user with the id <replaceable>integer</replaceable> will be white-listed.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

  </refsect1>

  &seealso;

  &notes;

</refentry>
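The file structure and the matching rules described in this man page, as an added example that is not part of firewalld or of this page: a small Python checker that parses a lockdown-whitelist document, rejects entries the rules do not allow, flags unconfined SELinux contexts, and applies the trailing-'*' command rule. The sample file is constructed, and the rule that a caller passes lockdown when any one entry matches is an assumption made here, not a statement from the page.

```python
import xml.etree.ElementTree as ET
# Constructed sample file following the structure shown in the man page.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <selinux context="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"/>
  <command name="/usr/bin/python3 -Es /usr/bin/firewall-config"/>
  <command name="/usr/bin/firewall-cmd*"/>
  <user name="alice"/>
  <user id="1001"/>
  <user name="bob" id="1002"/>
</whitelist>
"""

def load_whitelist(data):
    """Return (entries, problems): accepted contexts, command patterns and users
    (names as str, ids as int), plus the entries or warnings a reviewer should see."""
    root = ET.fromstring(data)
    entries = {"selinux": [], "command": [], "user": []}
    if root.tag != "whitelist":
        return entries, ["root element must be <whitelist>"]
    problems = []
    for el in root:
        attrs = set(el.attrib)
        if el.tag == "selinux" and attrs == {"context"}:
            ctx = el.get("context")
            entries["selinux"].append(ctx)
            if ctx.split(":")[2:3] == ["unconfined_t"]:  # user:role:type:level
                problems.append(f"unconfined context {ctx!r} admits more than one application")
        elif el.tag == "command" and attrs == {"name"}:
            entries["command"].append(el.get("name"))
        elif el.tag == "user" and attrs == {"name"}:
            entries["user"].append(el.get("name"))
        elif el.tag == "user" and attrs == {"id"} and el.get("id").isdigit():
            entries["user"].append(int(el.get("id")))
        else:  # unknown tag, missing attribute, or a user with both name and id
            problems.append(f"<{el.tag}> with attributes {sorted(attrs)} is not a valid entry")
    return entries, problems

def command_matches(pattern, cmdline):
    """Trailing '*': any command line starting with the rest matches;
    otherwise the complete command line, including arguments, must match exactly."""
    if pattern.endswith("*"):
        return cmdline.startswith(pattern[:-1])
    return cmdline == pattern

def is_whitelisted(entries, context=None, cmdline=None, uid=None, user=None):
    """Assumption made here: a caller passes lockdown if any one entry matches it."""
    by_command = cmdline is not None and any(command_matches(p, cmdline) for p in entries["command"])
    return context in entries["selinux"] or by_command or uid in entries["user"] or user in entries["user"]
```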