1mdadm_selinux(8)             SELinux Policy mdadm             mdadm_selinux(8)
2
3
4

NAME

6       mdadm_selinux - Security Enhanced Linux Policy for the mdadm processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the mdadm processes via flexible manda‐
10       tory access control.
11
12       The mdadm processes execute with the  mdadm_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep mdadm_t
19
20
21

ENTRYPOINTS

23       The mdadm_t SELinux type can be entered via the mdadm_exec_t file type.
24
25       The default entrypoint paths for the mdadm_t domain are the following:
26
27       /sbin/mdadm, /sbin/mdmon,  /sbin/mdmpd,  /sbin/iprdump,  /sbin/iprinit,
28       /sbin/iprupdate,   /usr/sbin/mdadm,  /usr/sbin/mdmpd,  /usr/sbin/mdmon,
29       /sbin/raid-check,         /usr/sbin/iprdump,         /usr/sbin/iprinit,
30       /usr/sbin/iprupdate, /usr/sbin/raid-check
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       mdadm  policy is very flexible allowing users to setup their mdadm pro‐
40       cesses in as secure a method as possible.
41
42       The following process types are defined for mdadm:
43
44       mdadm_t
45
46       Note: semanage permissive -a mdadm_t can be used to  make  the  process
47       type  mdadm_t  permissive.  SELinux  does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy  is customizable based on least access required.  mdadm
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate the policy and run mdadm with the tightest access possible.
56
57
58
59       If you want to allow users to resolve user passwd entries directly from
60       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
61       gin_nsswitch_use_ldap boolean. Disabled by default.
62
63       setsebool -P authlogin_nsswitch_use_ldap 1
64
65
66
67       If you want to allow all daemons to write corefiles to /, you must turn
68       on the daemons_dump_core boolean. Disabled by default.
69
70       setsebool -P daemons_dump_core 1
71
72
73
74       If you want to enable cluster mode for daemons, you must  turn  on  the
75       daemons_enable_cluster_mode boolean. Enabled by default.
76
77       setsebool -P daemons_enable_cluster_mode 1
78
79
80
81       If  you want to allow all daemons to use tcp wrappers, you must turn on
82       the daemons_use_tcp_wrapper boolean. Disabled by default.
83
84       setsebool -P daemons_use_tcp_wrapper 1
85
86
87
88       If you want to allow all daemons the ability to  read/write  terminals,
89       you must turn on the daemons_use_tty boolean. Disabled by default.
90
91       setsebool -P daemons_use_tty 1
92
93
94
95       If  you  want  to deny any process from ptracing or debugging any other
96       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
97       default.
98
99       setsebool -P deny_ptrace 1
100
101
102
103       If  you  want  to  allow  any  process  to mmap any file on system with
104       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
105       ean. Enabled by default.
106
107       setsebool -P domain_can_mmap_files 1
108
109
110
111       If  you want to allow all domains write to kmsg_device, while kernel is
112       executed with systemd.log_target=kmsg parameter, you must turn  on  the
113       domain_can_write_kmsg boolean. Disabled by default.
114
115       setsebool -P domain_can_write_kmsg 1
116
117
118
119       If you want to allow all domains to use other domains file descriptors,
120       you must turn on the domain_fd_use boolean. Enabled by default.
121
122       setsebool -P domain_fd_use 1
123
124
125
126       If you want to allow all domains to have the kernel load  modules,  you
127       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
128       default.
129
130       setsebool -P domain_kernel_load_modules 1
131
132
133
134       If you want to allow all domains to execute in fips_mode, you must turn
135       on the fips_mode boolean. Enabled by default.
136
137       setsebool -P fips_mode 1
138
139
140
141       If you want to enable reading of urandom for all domains, you must turn
142       on the global_ssp boolean. Disabled by default.
143
144       setsebool -P global_ssp 1
145
146
147
148       If you want to allow confined applications to run  with  kerberos,  you
149       must turn on the kerberos_enabled boolean. Enabled by default.
150
151       setsebool -P kerberos_enabled 1
152
153
154
155       If  you  want  to  allow  system  to run with NIS, you must turn on the
156       nis_enabled boolean. Disabled by default.
157
158       setsebool -P nis_enabled 1
159
160
161
162       If you want to allow confined applications to use nscd  shared  memory,
163       you must turn on the nscd_use_shm boolean. Disabled by default.
164
165       setsebool -P nscd_use_shm 1
166
167
168

MANAGED FILES

170       The SELinux process type mdadm_t can manage files labeled with the fol‐
171       lowing file types.  The paths listed are the default  paths  for  these
172       file types.  Note the processes UID still need to have DAC permissions.
173
174       cgroup_t
175
176            /sys/fs/cgroup
177
178       cluster_conf_t
179
180            /etc/cluster(/.*)?
181
182       cluster_var_lib_t
183
184            /var/lib/pcsd(/.*)?
185            /var/lib/cluster(/.*)?
186            /var/lib/openais(/.*)?
187            /var/lib/pengine(/.*)?
188            /var/lib/corosync(/.*)?
189            /usr/lib/heartbeat(/.*)?
190            /var/lib/heartbeat(/.*)?
191            /var/lib/pacemaker(/.*)?
192
193       cluster_var_run_t
194
195            /var/run/crm(/.*)?
196            /var/run/cman_.*
197            /var/run/rsctmp(/.*)?
198            /var/run/aisexec.*
199            /var/run/heartbeat(/.*)?
200            /var/run/corosync-qnetd(/.*)?
201            /var/run/corosync-qdevice(/.*)?
202            /var/run/cpglockd.pid
203            /var/run/corosync.pid
204            /var/run/rgmanager.pid
205            /var/run/cluster/rgmanager.sk
206
207       kdump_lock_t
208
209            /var/lock/kdump(/.*)?
210
211       kdumpctl_tmp_t
212
213
214       mdadm_conf_t
215
216            /etc/mdadm.conf
217            /etc/mdadm.conf.anacbak
218
219       mdadm_log_t
220
221            /var/log/iprdump.*
222            /var/log/iprdbg
223
224       mdadm_tmp_t
225
226
227       mdadm_tmpfs_t
228
229
230       mdadm_var_run_t
231
232            /dev/md/.*
233            /var/run/mdadm(/.*)?
234            /dev/.mdadm.map
235
236       root_t
237
238            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
239            /
240            /initrd
241
242       sysfs_t
243
244            /sys(/.*)?
245
246       systemd_passwd_var_run_t
247
248            /var/run/systemd/ask-password(/.*)?
249            /var/run/systemd/ask-password-block(/.*)?
250
251

FILE CONTEXTS

253       SELinux requires files to have an extended attribute to define the file
254       type.
255
256       You can see the context of a file using the -Z option to ls
257
258       Policy governs the access  confined  processes  have  to  these  files.
259       SELinux  mdadm  policy  is  very flexible allowing users to setup their
260       mdadm processes in as secure a method as possible.
261
262       STANDARD FILE CONTEXT
263
264       SELinux defines the file context types for the mdadm, if you wanted  to
265       store  files  with  these types in a diffent paths, you need to execute
266       the semanage command  to  sepecify  alternate  labeling  and  then  use
267       restorecon to put the labels on disk.
268
269       semanage fcontext -a -t mdadm_var_run_t '/srv/mymdadm_content(/.*)?'
270       restorecon -R -v /srv/mymdadm_content
271
272       Note:  SELinux  often  uses  regular expressions to specify labels that
273       match multiple files.
274
275       The following file types are defined for mdadm:
276
277
278
279       mdadm_conf_t
280
281       - Set files with the mdadm_conf_t type, if you want to treat the  files
282       as mdadm configuration data, usually stored under the /etc directory.
283
284
285       Paths:
286            /etc/mdadm.conf, /etc/mdadm.conf.anacbak
287
288
289       mdadm_exec_t
290
291       -  Set  files  with the mdadm_exec_t type, if you want to transition an
292       executable to the mdadm_t domain.
293
294
295       Paths:
296            /sbin/mdadm,     /sbin/mdmon,     /sbin/mdmpd,      /sbin/iprdump,
297            /sbin/iprinit,  /sbin/iprupdate, /usr/sbin/mdadm, /usr/sbin/mdmpd,
298            /usr/sbin/mdmon,       /sbin/raid-check,        /usr/sbin/iprdump,
299            /usr/sbin/iprinit, /usr/sbin/iprupdate, /usr/sbin/raid-check
300
301
302       mdadm_initrc_exec_t
303
304       -  Set  files with the mdadm_initrc_exec_t type, if you want to transi‐
305       tion an executable to the mdadm_initrc_t domain.
306
307
308
309       mdadm_log_t
310
311       - Set files with the mdadm_log_t type, if you want to treat the data as
312       mdadm log data, usually stored under the /var/log directory.
313
314
315       Paths:
316            /var/log/iprdump.*, /var/log/iprdbg
317
318
319       mdadm_tmp_t
320
321       -  Set files with the mdadm_tmp_t type, if you want to store mdadm tem‐
322       porary files in the /tmp directories.
323
324
325
326       mdadm_tmpfs_t
327
328       - Set files with the mdadm_tmpfs_t type, if you  want  to  store  mdadm
329       files on a tmpfs file system.
330
331
332
333       mdadm_unit_file_t
334
335       -  Set  files with the mdadm_unit_file_t type, if you want to treat the
336       files as mdadm unit content.
337
338
339       Paths:
340            /usr/lib/systemd/system/mdmon@.*,  /usr/lib/systemd/system/mdmoni‐
341            tor.*
342
343
344       mdadm_var_run_t
345
346       -  Set  files  with  the mdadm_var_run_t type, if you want to store the
347       mdadm files under the /run or /var/run directory.
348
349
350       Paths:
351            /dev/md/.*, /var/run/mdadm(/.*)?, /dev/.mdadm.map
352
353
354       Note: File context can be temporarily modified with the chcon  command.
355       If  you want to permanently change the file context you need to use the
356       semanage fcontext command.  This will modify the SELinux labeling data‐
357       base.  You will need to use restorecon to apply the labels.
358
359

COMMANDS

361       semanage  fcontext  can also be used to manipulate default file context
362       mappings.
363
364       semanage permissive can also be used to manipulate  whether  or  not  a
365       process type is permissive.
366
367       semanage  module can also be used to enable/disable/install/remove pol‐
368       icy modules.
369
370       semanage boolean can also be used to manipulate the booleans
371
372
373       system-config-selinux is a GUI tool available to customize SELinux pol‐
374       icy settings.
375
376

AUTHOR

378       This manual page was auto-generated using sepolicy manpage .
379
380

SEE ALSO

382       selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
383       , setsebool(8)
384
385
386
387mdadm                              19-04-25                   mdadm_selinux(8)
Impressum