afs_selinux(8)                SELinux Policy afs                afs_selinux(8)

NAME

       afs_selinux - Security Enhanced Linux Policy for the afs processes


DESCRIPTION

       Security-Enhanced Linux secures the afs processes via flexible mandatory
       access control.

       The afs processes execute with the afs_t SELinux type. You can check if
       you have these processes running by executing the ps command with the
       -Z qualifier.

       For example:

       ps -eZ | grep afs_t


ENTRYPOINTS

       The afs_t SELinux type can be entered via the afs_exec_t file type.

       The default entrypoint paths for the afs_t domain are the following:

       /usr/sbin/afsd, /usr/vice/etc/afsd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux afs
       policy is very flexible, allowing users to set up their afs processes in
       as secure a method as possible.

       The following process types are defined for afs:

       afs_kaserver_t, afs_t, afs_fsserver_t, afs_bosserver_t, afs_vlserver_t,
       afs_ptserver_t

       Note: semanage permissive -a afs_t can be used to make the process type
       afs_t permissive. SELinux does not deny access to permissive process
       types, but the AVC (SELinux denials) messages are still generated.


BOOLEANS

       SELinux policy is customizable based on least access required. afs
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run afs with the tightest access possible.

       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by default.

       setsebool -P allow_daemons_use_tty 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux afs policy is very flexible, allowing users to set up their afs
       processes in as secure a method as possible.

       The following port types are defined for afs:

       afs_bos_port_t

       Default Defined Ports:
                 udp 7007

       afs_client_port_t

       Default Defined Ports:
                 udp 7001

       afs_fs_port_t

       Default Defined Ports:
                 tcp 2040
                 udp 7000,7005

       afs_ka_port_t

       Default Defined Ports:
                 udp 7004

       afs_pt_port_t

       Default Defined Ports:
                 udp 7002

       afs_vl_port_t

       Default Defined Ports:
                 udp 7003

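       A triage helper, added here and not part of this sepolicy-generated
       page, that reads AVC records of the kind the PROCESS TYPES note says a
       permissive domain still produces and checks a denied port against the
       default port labels listed above. The sample records are constructed,
       and the pairing of each afs domain with a port type is assumed from the
       names, not stated by the policy.

```python
import re

# Default port labels from the PORT TYPES section of this page.
AFS_PORTS = {
    ("udp", 7007): "afs_bos_port_t", ("udp", 7001): "afs_client_port_t",
    ("tcp", 2040): "afs_fs_port_t",  ("udp", 7000): "afs_fs_port_t",
    ("udp", 7005): "afs_fs_port_t",  ("udp", 7004): "afs_ka_port_t",
    ("udp", 7002): "afs_pt_port_t",  ("udp", 7003): "afs_vl_port_t",
}
# Assumed pairing (by name) of each afs domain with the port type it binds.
DOMAIN_PORT = {"afs_bosserver_t": "afs_bos_port_t", "afs_fsserver_t": "afs_fs_port_t",
               "afs_kaserver_t": "afs_ka_port_t", "afs_ptserver_t": "afs_pt_port_t",
               "afs_vlserver_t": "afs_vl_port_t", "afs_t": "afs_client_port_t"}

def triage_port_avc(line):
    """Classify one AVC record about a socket port; None for anything else."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    if not m or "src" not in kv or not kv.get("tclass", "").endswith("_socket"):
        return None
    proto, port = kv["tclass"].split("_")[0], int(kv["src"])
    sdom = kv["scontext"].split(":")[2]   # user:role:type:level -> type
    ttype = kv["tcontext"].split(":")[2]
    expected = AFS_PORTS.get((proto, port))
    if ttype.startswith("afs_") and ttype.endswith("_port_t"):
        verdict = "port already carries an afs label; the denial is a policy rule"
    elif expected:
        verdict = f"default afs port labeled {ttype}, expected {expected}; check semanage port -l"
    elif sdom in DOMAIN_PORT:
        verdict = f"non-default port; label it: semanage port -a -t {DOMAIN_PORT[sdom]} -p {proto} {port}"
    else:
        verdict = "not an afs domain"
    # permissive=1: the access was logged but not blocked (see PROCESS TYPES).
    return {"domain": sdom, "perm": m.group(1), "proto": proto, "port": port,
            "enforced": kv.get("permissive") != "1", "verdict": verdict}

def triage_all(lines):
    return [r for r in map(triage_port_avc, lines) if r]

# Constructed sample records (not real audit output) in audit.log field order.
SAMPLE_AVC = [
    'type=AVC msg=audit(1433318400.101:77): avc:  denied  { name_bind } for  pid=2101 '
    'comm="bosserver" src=7017 scontext=system_u:system_r:afs_bosserver_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0',
    'type=AVC msg=audit(1433318400.102:78): avc:  denied  { name_bind } for  pid=2102 '
    'comm="vlserver" src=7003 scontext=system_u:system_r:afs_vlserver_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1',
]
```

       Records with a non-socket tclass (file reads, for instance) are skipped,
       so the helper can be run over a whole audit.log.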

MANAGED FILES

       The SELinux process type afs_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       afs_cache_t

            /var/cache/afs(/.*)?
            /usr/vice/cache(/.*)?

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/zipl.conf.*
            /etc/smartd.conf.*
            /etc/.fstab.hal..+
            /etc/sysconfig/ip6?tables.save
            /halt
            /etc/motd
            /fastboot
            /poweroff
            /etc/issue
            /etc/cmtab
            /forcefsck
            /.autofsck
            /.suspended
            /fsckoptions
            /etc/HOSTNAME
            /.autorelabel
            /etc/securetty
            /etc/nohotplug
            /etc/issue.net
            /etc/killpower
            /etc/ioctl.save
            /etc/reader.conf
            /etc/fstab.REVOKE
            /etc/mtab.fuselock
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/xorg.conf.d/00-system-setup-keyboard.conf

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       root_t

            /
            /initrd

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       unlabeled_t


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux afs policy is very flexible, allowing users to set up their afs
       processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for afs. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t afs_vl_db_t '/srv/myafs_content(/.*)?'
       restorecon -R -v /srv/myafs_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for afs:

       afs_bosserver_exec_t

       - Set files with the afs_bosserver_exec_t type, if you want to
       transition an executable to the afs_bosserver_t domain.

       afs_cache_t

       - Set files with the afs_cache_t type, if you want to store the files
       under the /var/cache directory.

       Paths:
            /var/cache/afs(/.*)?, /usr/vice/cache(/.*)?

       afs_config_t

       - Set files with the afs_config_t type, if you want to treat the files
       as afs configuration data, usually stored under the /etc directory.

       Paths:
            /usr/afs/etc(/.*)?, /usr/afs/local(/.*)?

       afs_dbdir_t

       - Set files with the afs_dbdir_t type, if you want to treat the files
       as afs dbdir data.

       afs_exec_t

       - Set files with the afs_exec_t type, if you want to transition an
       executable to the afs_t domain.

       Paths:
            /usr/sbin/afsd, /usr/vice/etc/afsd

       afs_files_t

       - Set files with the afs_files_t type, if you want to treat the files
       as afs content.

       Paths:
            /usr/afs(/.*)?, /vicepa, /vicepb, /vicepc

       afs_fsserver_exec_t

       - Set files with the afs_fsserver_exec_t type, if you want to
       transition an executable to the afs_fsserver_t domain.

       Paths:
            /usr/afs/bin/salvager, /usr/afs/bin/volserver,
            /usr/afs/bin/fileserver, /usr/afs/bin/dasalvager,
            /usr/afs/bin/davolserver, /usr/afs/bin/dafileserver,
            /usr/afs/bin/salvageserver

       afs_initrc_exec_t

       - Set files with the afs_initrc_exec_t type, if you want to transition
       an executable to the afs_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/afs, /etc/rc.d/init.d/openafs-client

       afs_ka_db_t

       - Set files with the afs_ka_db_t type, if you want to treat the files
       as afs ka database content.

       afs_kaserver_exec_t

       - Set files with the afs_kaserver_exec_t type, if you want to
       transition an executable to the afs_kaserver_t domain.

       afs_logfile_t

       - Set files with the afs_logfile_t type, if you want to treat the files
       as afs logfile data.

       afs_pt_db_t

       - Set files with the afs_pt_db_t type, if you want to treat the files
       as afs pt database content.

       afs_ptserver_exec_t

       - Set files with the afs_ptserver_exec_t type, if you want to
       transition an executable to the afs_ptserver_t domain.

       afs_vl_db_t

       - Set files with the afs_vl_db_t type, if you want to treat the files
       as afs vl database content.

       afs_vlserver_exec_t

       - Set files with the afs_vlserver_exec_t type, if you want to
       transition an executable to the afs_vlserver_t domain.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

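       A path-to-type matcher, added here and not part of the sepolicy-
       generated page, that applies the afs patterns listed above the way a
       restorecon run resolves a path: every regex is anchored at both ends,
       the most specific matching entry wins (an approximation of the
       file_contexts ordering, not libselinux's exact algorithm), and entries
       added with semanage fcontext -a override the distribution ones. The
       sample paths are constructed.

```python
import re

# afs file context patterns copied from the FILE CONTEXTS section of this
# page, as (policy regex, type). SELinux anchors each regex at both ends.
AFS_FCONTEXT = [
    ("/var/cache/afs(/.*)?", "afs_cache_t"),
    ("/usr/vice/cache(/.*)?", "afs_cache_t"),
    ("/usr/afs/etc(/.*)?", "afs_config_t"),
    ("/usr/afs/local(/.*)?", "afs_config_t"),
    ("/usr/sbin/afsd", "afs_exec_t"),
    ("/usr/vice/etc/afsd", "afs_exec_t"),
    ("/usr/afs(/.*)?", "afs_files_t"),
    *[(f"/vicep{c}", "afs_files_t") for c in "abc"],
    ("/usr/afs/bin/fileserver", "afs_fsserver_exec_t"),
    ("/usr/afs/bin/volserver", "afs_fsserver_exec_t"),
    ("/etc/rc.d/init.d/afs", "afs_initrc_exec_t"),
]

_META = re.compile(r"[.^$*+?()\[\]{}|\\]")

def specificity(pattern):
    """Rank an entry: a pure literal outranks any regex, and among regexes
    the longer literal prefix wins (approximates the file_contexts sort)."""
    m = _META.search(pattern)
    prefix = pattern if m is None else pattern[:m.start()]
    return (m is None, len(prefix))

def match_context(path, local=(), specs=AFS_FCONTEXT):
    """Return the type `path` would be relabeled to, or None if no afs
    entry matches. `local` models entries added with semanage fcontext -a;
    they are checked first, so they override the distribution entries."""
    for table in (local, specs):
        hits = [(specificity(p), t) for p, t in table if re.fullmatch(p, path)]
        if hits:
            return max(hits)[1]
    return None

if __name__ == "__main__":
    # Both /usr/afs(/.*)? and /usr/afs/etc(/.*)? match; the more specific wins.
    print(match_context("/usr/afs/etc/CellServDB"))      # afs_config_t
    # The page lists /vicepa as a literal, so nothing beneath it gets an afs
    # type until a rule like the semanage fcontext example above is added.
    print(match_context("/vicepa/volumes"))              # None
    custom = [("/srv/myafs_content(/.*)?", "afs_vl_db_t")]
    print(match_context("/srv/myafs_content/vldb.DB0", custom))  # afs_vl_db_t
```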

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), afs(8), semanage(8), restorecon(8), chcon(1), setsebool(8),
       afs_bosserver_selinux(8), afs_fsserver_selinux(8),
       afs_kaserver_selinux(8), afs_ptserver_selinux(8),
       afs_vlserver_selinux(8)

afs                                15-06-03                     afs_selinux(8)