[

]>

  This file is part of firewalld.

  Copyright (C) 2010-2013 Red Hat, Inc.

  Authors:

  Thomas Woerner <twoerner@redhat.com>

  This program is free software; you can redistribute it and/or modify

  it under the terms of the GNU General Public License as published by

  the Free Software Foundation; either version 2 of the License, or

  (at your option) any later version.

  This program is distributed in the hope that it will be useful,

  but WITHOUT ANY WARRANTY; without even the implied warranty of

  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License

  along with this program.  If not, see <http://www.gnu.org/licenses/>.

-->

<refentry id="firewalld.lockdown-whitelist">

  <refentryinfo>

    <title>firewalld.lockdown-whitelist</title>

    <productname>firewalld</productname>

    &authors;

  </refentryinfo>

  <refmeta>

    <refentrytitle>firewalld.lockdown-whitelist</refentrytitle>

    <manvolnum>5</manvolnum>

  </refmeta>

  <refnamediv>

    <refname>firewalld.lockdown-whitelist</refname>

    <refpurpose>firewalld lockdown whitelist configuration file</refpurpose>

  </refnamediv>

  <refsynopsisdiv>

    <para>

      <programlisting>

<filename><config.sysconfdir/>/firewalld/lockdown-whitelists.xml</filename>

      </programlisting>

    </para>

  </refsynopsisdiv>

  <refsect1 id="description">

    <title>Description</title>

    <para>

      The firewalld lockdown-whitelist configuration file contains the selinux contexts, commands, users and user ids that are white-listed when firewalld lockdown feature is enabled (see <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and <citerefentry><refentrytitle>firewall-cmd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).

    </para>

    <para>

      This example configuration file shows the structure of an lockdown-whitelist file:

      <programlisting>

<?xml version="1.0" encoding="utf-8"?>

<whitelist>

  <selinux context="<replaceable>selinuxcontext</replaceable>"/>

  <command name="<replaceable>commandline</replaceable>[*]"/>

  <user {name="<replaceable>username</replaceable>|id="<replaceable>userid</replaceable>"}/>

</whitelist>

      </programlisting>

    </para>

  </refsect1>

  <refsect1 id="options">

    <title>Options</title>

    <para>

      The config can contain these tags and attributes. Some of them are mandatory, others optional.

    </para>

    <refsect2 id="options_whitelist">

      <title>whitelist</title>

      <para>

	The mandatory whitelist start and end tag defines the lockdown-whitelist. This tag can only be used once in a lockdown-whitelist configuration file. There are no attributes for this.

      </para>

    </refsect2>

    <refsect2 id="options_selinux">

      <title>selinux</title>

      <para>

	Is an optional empty-element tag and can be used several times to have more than one selinux contexts entries. A selinux entry has exactly one attribute:

      </para>

      <variablelist>

	<varlistentry>

	  <term>context="<replaceable>string</replaceable>"</term>

          <listitem>

	    <para>

	      The context is the security (SELinux) context of a running application or service.

	    </para>

	    <para>

	      To get the context of a running application use <command>ps -e --context</command> and search for the application that should be white-listed.

	    </para>

	    <para>

	      Warning: If the context of an application is unconfined, then this will open access for more than the desired application. 

	    </para>

	  </listitem>

	</varlistentry>

      </variablelist>

    </refsect2>

    <refsect2 id="options_command">

      <title>command</title>

      <para>

	Is an optional empty-element tag and can be used several times to have more than one command entry. A command entry has exactly one attribute:

      </para>

      <variablelist>

	<varlistentry>

	  <term>name="<replaceable>string</replaceable>"</term>

          <listitem>

	    <para>

	      The command <replaceable>string</replaceable> is a complete command line including path and also attributes.

	    </para>

	    <para>

	      If a command entry ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.

	    </para>

	    <para>

	      Commands for user root and others is not always the same, the used path depends on the use of the <envar>PATH</envar> environment variable.

	    </para>

	  </listitem>

	</varlistentry>

      </variablelist>

    </refsect2>

    <refsect2 id="options_user">

      <title>user</title>

      <para>

	Is an optional empty-element tag and can be used several times to white-list more than one user. A user entry has exactly one attribute of these:

      </para>

      <variablelist>

	<varlistentry>

	  <term>name="<replaceable>string</replaceable>"</term>

          <listitem>

	    <para>

	      The user with the name <replaceable>string</replaceable> will be white-listed.

	    </para>

	  </listitem>

	</varlistentry>

	<varlistentry>

	  <term>id="<replaceable>integer</replaceable>"</term>

          <listitem>

	    <para>

	      The user with the id <replaceable>userid</replaceable> will be white-listed.

	    </para>

	  </listitem>

	</varlistentry>

      </variablelist>

    </refsect2>

  </refsect1>

  &seealso;

  ¬e;;

</refentry>