afs_selinux(8)                SELinux Policy afs                afs_selinux(8)

NAME

       afs_selinux - Security Enhanced Linux Policy for the afs processes

DESCRIPTION

       Security-Enhanced Linux secures the afs processes via flexible
       mandatory access control.

       The afs processes execute with the afs_t SELinux type. You can check if
       you have these processes running by executing the ps command with the
       -Z qualifier.

       For example:

       ps -eZ | grep afs_t


ENTRYPOINTS

       The afs_t SELinux type can be entered via the afs_exec_t file type.

       The default entrypoint paths for the afs_t domain are the following:

       /usr/sbin/afsd, /usr/vice/etc/afsd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       afs policy is very flexible, allowing users to set up their afs
       processes in as secure a manner as possible.

       The following process types are defined for afs:

       afs_t, afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t,
       afs_vlserver_t

       Note: semanage permissive -a afs_t can be used to make the process type
       afs_t permissive. SELinux does not deny access to permissive process
       types, but the AVC (SELinux denials) messages are still generated.


BOOLEANS

       SELinux policy is customizable based on least access required. afs
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run afs with the tightest access possible.

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

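       As an added example that is not part of the generated manual page, the
       following Python checks a `getsebool -a` listing against the defaults
       documented above, reports booleans that have drifted from them, and
       produces the setsebool commands that restore them. The sample listing
       is constructed; the default table is transcribed from this section.

```python
import re

# Defaults for the booleans documented in the BOOLEANS section above
# (True = "Enabled by default"). Transcribed table, not read from a system.
AFS_BOOLEAN_DEFAULTS = {
    "daemons_dump_core": False,
    "daemons_enable_cluster_mode": True,
    "daemons_use_tcp_wrapper": False,
    "daemons_use_tty": False,
    "deny_ptrace": True,
    "domain_can_mmap_files": True,
    "domain_can_write_kmsg": False,
    "domain_fd_use": True,
    "domain_kernel_load_modules": False,
    "fips_mode": True,
    "global_ssp": False,
    "nscd_use_shm": False,
}

# Constructed sample of `getsebool -a` output: core dumps were switched on
# and ptrace protection switched off, both away from the documented default.
SAMPLE_GETSEBOOL = """\
daemons_dump_core --> on
daemons_enable_cluster_mode --> on
deny_ptrace --> off
domain_fd_use --> on
fips_mode --> on
"""

_LINE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")

def parse_getsebool(text):
    """Map boolean name -> bool from `getsebool -a` style lines."""
    state = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            state[m.group(1)] = m.group(2) == "on"
    return state

def boolean_drift(state, defaults=AFS_BOOLEAN_DEFAULTS):
    """{name: (current, default)} for booleans set away from their documented
    default. Names missing from `state` are skipped (policy not loaded)."""
    return {n: (state[n], d) for n, d in defaults.items()
            if n in state and state[n] != d}

def restore_commands(drift):
    """Persistent setsebool invocations that put each drifted boolean back."""
    return ["setsebool -P %s %d" % (n, int(d)) for n, (_, d) in sorted(drift.items())]
```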

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux afs policy is very flexible, allowing users to set up their afs
       processes in as secure a manner as possible.

       The following port types are defined for afs:

       afs3_callback_port_t

       Default Defined Ports:
                 tcp 7001
                 udp 7001

       afs_bos_port_t

       Default Defined Ports:
                 udp 7007

       afs_fs_port_t

       Default Defined Ports:
                 tcp 2040
                 udp 7000,7005

       afs_ka_port_t

       Default Defined Ports:
                 udp 7004

       afs_pt_port_t

       Default Defined Ports:
                 tcp 7002
                 udp 7002

       afs_vl_port_t

       Default Defined Ports:
                 udp 7003


MANAGED FILES

       The SELinux process type afs_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       afs_cache_t

            /var/cache/(open)?afs(/.*)?
            /usr/vice/cache(/.*)?

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/.fstab.hal..+
            /halt
            /fastboot
            /poweroff
            /etc/cmtab
            /forcefsck
            /.autofsck
            /.suspended
            /fsckoptions
            /var/.updated
            /etc/.updated
            /.autorelabel
            /etc/securetty
            /etc/nohotplug
            /etc/killpower
            /etc/ioctl.save
            /etc/fstab.REVOKE
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/sysconfig/iptables.save
            /etc/xorg.conf.d/00-system-setup-keyboard.conf
            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

       unlabeled_t


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux afs policy is very flexible, allowing users to set up their afs
       processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for afs. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t afs_vl_db_t '/srv/myafs_content(/.*)?'
       restorecon -R -v /srv/myafs_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for afs:

       afs_bosserver_exec_t

       - Set files with the afs_bosserver_exec_t type, if you want to
       transition an executable to the afs_bosserver_t domain.

       Paths:
            /usr/sbin/bosserver, /usr/afs/bin/bosserver

       afs_cache_t

       - Set files with the afs_cache_t type, if you want to store the files
       under the /var/cache directory.

       Paths:
            /var/cache/(open)?afs(/.*)?, /usr/vice/cache(/.*)?

       afs_config_t

       - Set files with the afs_config_t type, if you want to treat the files
       as afs configuration data, usually stored under the /etc directory.

       Paths:
            /etc/(open)?afs(/.*)?, /usr/afs/etc(/.*)?, /usr/afs/local(/.*)?

       afs_dbdir_t

       - Set files with the afs_dbdir_t type, if you want to treat the files
       as afs dbdir data.

       afs_exec_t

       - Set files with the afs_exec_t type, if you want to transition an
       executable to the afs_t domain.

       Paths:
            /usr/sbin/afsd, /usr/vice/etc/afsd

       afs_files_t

       - Set files with the afs_files_t type, if you want to treat the files
       as afs content.

       Paths:
            /usr/afs(/.*)?, /vicepa, /vicepb, /vicepc

       afs_fsserver_exec_t

       - Set files with the afs_fsserver_exec_t type, if you want to
       transition an executable to the afs_fsserver_t domain.

       Paths:
            /usr/afs/bin/salvager, /usr/afs/bin/volserver,
            /usr/afs/bin/fileserver, /usr/afs/bin/dasalvager,
            /usr/afs/bin/davolserver, /usr/afs/bin/dafileserver,
            /usr/afs/bin/salvageserver, /usr/libexec/openafs/salvager,
            /usr/libexec/openafs/volserver, /usr/libexec/openafs/fileserver

       afs_initrc_exec_t

       - Set files with the afs_initrc_exec_t type, if you want to transition
       an executable to the afs_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/(open)?afs, /etc/rc.d/init.d/openafs-client

       afs_ka_db_t

       - Set files with the afs_ka_db_t type, if you want to treat the files
       as afs ka database content.

       afs_kaserver_exec_t

       - Set files with the afs_kaserver_exec_t type, if you want to
       transition an executable to the afs_kaserver_t domain.

       Paths:
            /usr/afs/bin/kaserver, /usr/libexec/openafs/kaserver

       afs_logfile_t

       - Set files with the afs_logfile_t type, if you want to treat the files
       as afs logfile data.

       afs_pt_db_t

       - Set files with the afs_pt_db_t type, if you want to treat the files
       as afs pt database content.

       afs_ptserver_exec_t

       - Set files with the afs_ptserver_exec_t type, if you want to
       transition an executable to the afs_ptserver_t domain.

       Paths:
            /usr/afs/bin/ptserver, /usr/libexec/openafs/ptserver

       afs_vl_db_t

       - Set files with the afs_vl_db_t type, if you want to treat the files
       as afs vl database content.

       afs_vlserver_exec_t

       - Set files with the afs_vlserver_exec_t type, if you want to
       transition an executable to the afs_vlserver_t domain.

       Paths:
            /usr/afs/bin/vlserver, /usr/libexec/openafs/vlserver

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

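       To make the labeling rules above concrete, here is an added example
       (not part of the generated manual page) that models how file-context
       specs such as those listed for afs are matched against a path: the
       regex must match the whole path, the last matching entry wins, and a
       local rule added with semanage fcontext is consulted after the
       distribution entries and so overrides them. The spec table and sample
       paths are constructed from the entries above; the ordering and
       reverse lookup are a simplified model of libsemanage/libselinux
       behaviour.

```python
import re

# Constructed table of afs file-context specs taken from the FILE CONTEXTS
# section (regex as written in the policy, SELinux file type). libsemanage
# writes the compiled file_contexts ordered from general to specific, so the
# broad /usr/afs(/.*)? entry is listed before the narrower ones.
DEFAULT_SPECS = [
    (r"/usr/afs(/.*)?", "afs_files_t"),
    (r"/usr/afs/etc(/.*)?", "afs_config_t"),
    (r"/usr/afs/bin/ptserver", "afs_ptserver_exec_t"),
    (r"/usr/afs/bin/vlserver", "afs_vlserver_exec_t"),
    (r"/var/cache/(open)?afs(/.*)?", "afs_cache_t"),
    (r"/etc/(open)?afs(/.*)?", "afs_config_t"),
]

def compile_specs(specs):
    """file_contexts regexes are implicitly anchored: the whole path must match."""
    return [(re.compile("^(?:" + rx + ")$"), ftype) for rx, ftype in specs]

def resolve_type(path, specs=DEFAULT_SPECS):
    """Return the file type `specs` assign to `path`, or None if unlisted.
    Entries are tried from the last to the first, as libselinux does, so the
    last matching entry (the most specific, or a local rule) wins."""
    for rx, ftype in reversed(compile_specs(specs)):
        if rx.match(path):
            return ftype
    return None

def with_local_rule(specs, regex, ftype):
    """Model `semanage fcontext -a -t FTYPE 'REGEX'`: the rule lands in
    file_contexts.local, which is appended after the distribution specs."""
    return list(specs) + [(regex, ftype)]

if __name__ == "__main__":
    # Same customization as the semanage example in this section.
    local = with_local_rule(DEFAULT_SPECS, r"/srv/myafs_content(/.*)?", "afs_vl_db_t")
    for p in ("/usr/afs/bin/vlserver", "/usr/afs/bin/vlserver.old",
              "/var/cache/afsd", "/srv/myafs_content/vldb.DB0"):
        print(p, "->", resolve_type(p, local))
```

       Paths that resolve to None would keep whatever label they already
       carry when restorecon runs, which is the usual sign that a custom
       location still needs its own semanage fcontext rule.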

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), afs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8),
       afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)



afs                                19-04-25                     afs_selinux(8)