Provided by: golf_601.4.41-1_amd64 
NAME
SELinux - Golf documentation (SELinux)
DESCRIPTION
If you do not use SELinux, you can ignore this.
SELinux is MAC (Mandatory Access Control) system, which means anything that isn't allowed is prohibited.
This is as opposed to DAC, Discretionary Access Control, where everything is allowed except what's
prohibited. MAC generally works on top of DAC, and they are expected to work in a complementary fashion.
Golf deploys both methods for enhanced security.
Golf comes with a SELinux policy out-of-the-box, which covers its general functioning. However, you can
write any code with Golf, and if you are using SELinux, you may run afoul of its other policies, which
may not be conducive to your code. In that case, use temporarily a permissive mode (via setenforce), and
then audit2allow to get a clue on what is the issue and then take action to allow what's requested.
Note that OpenSUSE package does not come with SELinux policy as of this release, because OpenSUSE at this
time does not come with a default base policy and SELinux installation.
GENERAL
Golf policy files (including .te, .fc files, while .if file is empty) can be found here:
ls $(gg -l)/selinux/*.{te,fc}
As a part of installing Golf, the following SELinux types will be installed:
• ggfile_t: all files within Golf directory (/var/lib/gg) are labeled with this type.
• gg_t: domain type (process type) of all Golf executables that communicate with other processes (be
it Unix or TCP sockets). Only files labeled ggfile_t can run as this process type.
• ggport_t: port type that any Golf process is allowed to bind to, accept and listen. No other
process types are allowed to do so. Golf policy:
• allows Golf processes unconfined access. This is expected as Golf is a general purpose
framework. It means you do not have to do anything to connect to database, use files, connect to
other servers etc.
• allows web servers (httpd_t domain type) to connect to sockets labeled with ggfile_t, but does
not allow any other access. This allows communication between reverse-proxy web servers and Golf
applications.
• allows web servers to connect to any Golf process that is listening on a TCP port (see gg), but
does not allow any other access (i.e. to any other ports). Golf policy allows normal functioning
of Golf features only, but does not introduce any unnecessary privileges to the rest of the
system.
Note: Golf installation does not distribute .pp (compile) policy files, because it is not
currently part of distro repos. Due to changes in SELinux and difference in versions installed
across derived distros, Golf will compile source .te and .fc files during the installation,
ensuring the best possibility of successful SELinux policy setup.
UNIX DOMAIN SOCKETS
Using Unix domain sockets for Golf processes to communicate with a web server (see gg) is the
default method and no further action is needed.
UNIX TCP SOCKETS
Using TCP sockets for Golf processes to communicate with a web server (see gg) requires you to
label such ports as ggport_t, for example if you plan to use port 2109:
sudo semanage port -a -t ggport_t -p tcp 2109
When you no longer need a port, for example if you are switching to another port (for instance
2209), remove the old one and add the new one:
sudo semanage port -d -t ggport_t -p tcp 2109
sudo semanage port -a -t ggport_t -p tcp 2209
CHANGING OR ADDING DIRECTORIES
If you are adding directories to be used by Golf program, or changing a directory, for example
using a different storage instead of /var/lib/gg (see directories), you need to label files in
new directories:
sudo semanage fcontext -a -t ggfile_t "/your/new/dir(/.*)?"
sudo restorecon -R /your/new/dir
To remove context from such directories (if you are not using them anymore), use:
sudo semanage fcontext -d -t ggfile_t "/your/new/dir(/.*)?"
sudo restorecon -R /your/new/dir
SEE ALSO
SELinux
SELinux See all documentation
$DATE $VERSION GOLF(2gg)