Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

26.2. Types

The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with OpenShift. Different types allow you to configure flexible access:

Process types

openshift_t
The OpenShift process is associated with the openshift_t SELinux type.

Types on executables

openshift_cgroup_read_exec_t
SELinux allows files with this type to transition an executable to the openshift_cgroup_read_t domain.
openshift_cron_exec_t
SELinux allows files with this type to transition an executable to the openshift_cron_t domain.
openshift_initrc_exec_t
SELinux allows files with this type to transition an executable to the openshift_initrc_t domain.

Writable types

openshift_cgroup_read_tmp_t
This type allows OpenShift control groups (cgroup) read and access temporary files in the /tmp directory.
openshift_cron_tmp_t
This type allows storing temporary files of the OpenShift cron jobs in /tmp.
openshift_initrc_tmp_t
This type allows storing the OpenShift initrc temporary files in /tmp.
openshift_log_t
Files with this type are treated as OpenShift log data, usually stored under the /var/log/ directory.
openshift_rw_file_t
OpenShift have permission to read and to write to files labeled with this type.
openshift_tmp_t
This type is used for storing the OpenShift temporary files in /tmp.
openshift_tmpfs_t
This type allows storing the OpenShift data on a tmpfs file system.
openshift_var_lib_t
This type allows storing the OpenShift files in the /var/lib/ directory.
openshift_var_run_t
This type allows storing the OpenShift files in the /run/ or /var/run/ directory.