1winbind_selinux(8) SELinux Policy winbind winbind_selinux(8)
2
6 winbind_selinux - Security Enhanced Linux Policy for the winbind pro‐
7 cesses
8
10 Security-Enhanced Linux secures the winbind processes via flexible
11 mandatory access control.
12 The winbind processes execute with the winbind_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep winbind_t
20
24 The winbind_t SELinux type can be entered via the winbind_exec_t file
25 type.
26 The default entrypoint paths for the winbind_t domain are the follow‐
28 ing:
29 /usr/sbin/winbindd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 winbind policy is very flexible allowing users to setup their winbind
40 processes in as secure a method as possible.
41 The following process types are defined for winbind:
43 winbind_helper_t, winbind_t
45 Note: semanage permissive -a winbind_t can be used to make the process
47 type winbind_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. winbind
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run winbind with the tightest access possi‐
56 ble.
57 If you want to allow all daemons to write corefiles to /, you must turn
61 on the allow_daemons_dump_core boolean. Disabled by default.
62 setsebool -P allow_daemons_dump_core 1
64 If you want to allow all daemons to use tcp wrappers, you must turn on
68 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
69 setsebool -P allow_daemons_use_tcp_wrapper 1
71 If you want to allow all daemons the ability to read/write terminals,
75 you must turn on the allow_daemons_use_tty boolean. Disabled by
76 default.
77 setsebool -P allow_daemons_use_tty 1
79 If you want to allow all domains to use other domains file descriptors,
83 you must turn on the allow_domain_fd_use boolean. Enabled by default.
84 setsebool -P allow_domain_fd_use 1
86 If you want to allow confined applications to run with kerberos, you
90 must turn on the allow_kerberos boolean. Enabled by default.
91 setsebool -P allow_kerberos 1
93 If you want to allow sysadm to debug or ptrace all processes, you must
97 turn on the allow_ptrace boolean. Disabled by default.
98 setsebool -P allow_ptrace 1
100 If you want to allow system to run with NIS, you must turn on the
104 allow_ypbind boolean. Disabled by default.
105 setsebool -P allow_ypbind 1
107 If you want to enable cluster mode for daemons, you must turn on the
111 daemons_enable_cluster_mode boolean. Disabled by default.
112 setsebool -P daemons_enable_cluster_mode 1
114 If you want to allow all domains to have the kernel load modules, you
118 must turn on the domain_kernel_load_modules boolean. Disabled by
119 default.
120 setsebool -P domain_kernel_load_modules 1
122 If you want to allow all domains to execute in fips_mode, you must turn
126 on the fips_mode boolean. Enabled by default.
127 setsebool -P fips_mode 1
129 If you want to enable reading of urandom for all domains, you must turn
133 on the global_ssp boolean. Disabled by default.
134 setsebool -P global_ssp 1
136 If you want to enable support for upstart as the init program, you must
140 turn on the init_upstart boolean. Enabled by default.
141 setsebool -P init_upstart 1
143 If you want to allow confined applications to use nscd shared memory,
147 you must turn on the nscd_use_shm boolean. Enabled by default.
148 setsebool -P nscd_use_shm 1
150
154 The SELinux process type winbind_t can manage files labeled with the
155 following file types. The paths listed are the default paths for these
156 file types. Note the processes UID still need to have DAC permissions.
157 auth_cache_t
159 /var/cache/coolkey(/.*)?
161 cluster_conf_t
163 /etc/cluster(/.*)?
165 cluster_var_lib_t
167 /var/lib(64)?/openais(/.*)?
169 /var/lib(64)?/pengine(/.*)?
170 /var/lib(64)?/corosync(/.*)?
171 /usr/lib(64)?/heartbeat(/.*)?
172 /var/lib(64)?/heartbeat(/.*)?
173 /var/lib(64)?/pacemaker(/.*)?
174 /var/lib/cluster(/.*)?
175 cluster_var_run_t
177 /var/run/crm(/.*)?
179 /var/run/cman_.*
180 /var/run/rsctmp(/.*)?
181 /var/run/aisexec.*
182 /var/run/heartbeat(/.*)?
183 /var/run/cpglockd.pid
184 /var/run/corosync.pid
185 /var/run/rgmanager.pid
186 /var/run/cluster/rgmanager.sk
187 ctdbd_var_lib_t
189 /etc/ctdb(/.*)?
191 /var/ctdb(/.*)?
192 /var/ctdbd(/.*)?
193 /var/lib/ctdb(/.*)?
194 /var/lib/ctdbd(/.*)?
195 faillog_t
197 /var/log/btmp.*
199 /var/log/faillog.*
200 /var/log/tallylog.*
201 /var/run/faillock(/.*)?
202 initrc_tmp_t
204 mnt_t
207 /mnt(/[^/]*)
209 /mnt(/[^/]*)?
210 /rhev(/[^/]*)?
211 /media(/[^/]*)
212 /media(/[^/]*)?
213 /etc/rhgb(/.*)?
214 /media/.hal-.*
215 /net
216 /afs
217 /rhev
218 /misc
219 pcscd_var_run_t
221 /var/run/pcscd.events(/.*)?
223 /var/run/pcscd.pid
224 /var/run/pcscd.pub
225 /var/run/pcscd.comm
226 root_t
228 /
230 /initrd
231 samba_log_t
233 /var/log/samba(/.*)?
235 samba_secrets_t
237 /etc/samba/smbpasswd
239 /etc/samba/passdb.tdb
240 /etc/samba/MACHINE.SID
241 /etc/samba/secrets.tdb
242 samba_var_t
244 /var/nmbd(/.*)?
246 /var/lib/samba(/.*)?
247 /var/cache/samba(/.*)?
248 smbd_tmp_t
250 smbd_var_run_t
253 /var/run/samba(/.*)?
255 /var/run/smbd.pid
256 /var/run/samba/smbd.pid
257 /var/run/samba/brlock.tdb
258 /var/run/samba/locking.tdb
259 /var/run/samba/gencache.tdb
260 /var/run/samba/sessionid.tdb
261 /var/run/samba/share_info.tdb
262 /var/run/samba/connections.tdb
263 tmp_t
265 /tmp
267 /usr/tmp
268 /var/tmp
269 /tmp-inst
270 /var/tmp-inst
271 /var/tmp/vi.recover
272 user_home_t
274 /home/[^/]*/.+
276 /home/staff/.+
277 user_tmp_t
279 /tmp/gconfd-.*
281 /tmp/gconfd-staff
282 winbind_log_t
284 winbind_var_run_t
287 /var/run/winbindd(/.*)?
289 /var/lib/samba/winbindd_privileged(/.*)?
290 /var/cache/samba/winbindd_privileged(/.*)?
291
294 SELinux requires files to have an extended attribute to define the file
295 type.
296 You can see the context of a file using the -Z option to ls
298 Policy governs the access confined processes have to these files.
300 SELinux winbind policy is very flexible allowing users to setup their
301 winbind processes in as secure a method as possible.
302 STANDARD FILE CONTEXT
304 SELinux defines the file context types for the winbind, if you wanted
306 to store files with these types in a diffent paths, you need to execute
307 the semanage command to sepecify alternate labeling and then use
308 restorecon to put the labels on disk.
309 semanage fcontext -a -t winbind_var_run_t '/srv/mywinbind_con‐
311 tent(/.*)?'
312 restorecon -R -v /srv/mywinbind_content
313 Note: SELinux often uses regular expressions to specify labels that
315 match multiple files.
316 The following file types are defined for winbind:
318 winbind_exec_t
322 - Set files with the winbind_exec_t type, if you want to transition an
324 executable to the winbind_t domain.
325 winbind_helper_exec_t
329 - Set files with the winbind_helper_exec_t type, if you want to transi‐
331 tion an executable to the winbind_helper_t domain.
332 winbind_log_t
336 - Set files with the winbind_log_t type, if you want to treat the data
338 as winbind log data, usually stored under the /var/log directory.
339 winbind_var_run_t
343 - Set files with the winbind_var_run_t type, if you want to store the
345 winbind files under the /run or /var/run directory.
346 Paths:
349 /var/run/winbindd(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?,
350 /var/cache/samba/winbindd_privileged(/.*)?
351 Note: File context can be temporarily modified with the chcon command.
354 If you want to permanently change the file context you need to use the
355 semanage fcontext command. This will modify the SELinux labeling data‐
356 base. You will need to use restorecon to apply the labels.
357
360 semanage fcontext can also be used to manipulate default file context
361 mappings.
362 semanage permissive can also be used to manipulate whether or not a
364 process type is permissive.
365 semanage module can also be used to enable/disable/install/remove pol‐
367 icy modules.
368 semanage boolean can also be used to manipulate the booleans
370 system-config-selinux is a GUI tool available to customize SELinux pol‐
373 icy settings.
374
377 This manual page was auto-generated using sepolicy manpage .
378
381 selinux(8), winbind(8), semanage(8), restorecon(8), chcon(1) , setse‐
382 bool(8), winbind_helper_selinux(8)
383winbind 15-06-03 winbind_selinux(8)