avahi_selinux(8)

1avahi_selinux(8)             SELinux Policy avahi             avahi_selinux(8)
2
3
4

NAME

6       avahi_selinux - Security Enhanced Linux Policy for the avahi processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the avahi processes via flexible manda‐
10       tory access control.
11
12       The avahi processes execute with the  avahi_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep avahi_t
19
20
21

ENTRYPOINTS

23       The avahi_t SELinux type can be entered via the avahi_exec_t file type.
24
25       The default entrypoint paths for the avahi_t domain are the following:
26
27       /usr/sbin/avahi-daemon,    /usr/sbin/avahi-autoipd,    /usr/sbin/avahi-
28       dnsconfd
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       avahi  policy is very flexible allowing users to setup their avahi pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for avahi:
41
42       avahi_t
43
44       Note: semanage permissive -a avahi_t can be used to  make  the  process
45       type  avahi_t  permissive.  SELinux  does not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is customizable based on least access required.  avahi
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run avahi with the tightest access possible.
54
55
56
57       If you want to allow users to resolve user passwd entries directly from
58       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
59       gin_nsswitch_use_ldap boolean. Disabled by default.
60
61       setsebool -P authlogin_nsswitch_use_ldap 1
62
63
64
65       If you want to allow all daemons to write corefiles to /, you must turn
66       on the daemons_dump_core boolean. Disabled by default.
67
68       setsebool -P daemons_dump_core 1
69
70
71
72       If you want to enable cluster mode for daemons, you must  turn  on  the
73       daemons_enable_cluster_mode boolean. Enabled by default.
74
75       setsebool -P daemons_enable_cluster_mode 1
76
77
78
79       If  you want to allow all daemons to use tcp wrappers, you must turn on
80       the daemons_use_tcp_wrapper boolean. Disabled by default.
81
82       setsebool -P daemons_use_tcp_wrapper 1
83
84
85
86       If you want to allow all daemons the ability to  read/write  terminals,
87       you must turn on the daemons_use_tty boolean. Disabled by default.
88
89       setsebool -P daemons_use_tty 1
90
91
92
93       If  you  want  to deny any process from ptracing or debugging any other
94       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
95       default.
96
97       setsebool -P deny_ptrace 1
98
99
100
101       If  you  want  to  allow  any  process  to mmap any file on system with
102       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
103       ean. Enabled by default.
104
105       setsebool -P domain_can_mmap_files 1
106
107
108
109       If  you want to allow all domains write to kmsg_device, while kernel is
110       executed with systemd.log_target=kmsg parameter, you must turn  on  the
111       domain_can_write_kmsg boolean. Disabled by default.
112
113       setsebool -P domain_can_write_kmsg 1
114
115
116
117       If you want to allow all domains to use other domains file descriptors,
118       you must turn on the domain_fd_use boolean. Enabled by default.
119
120       setsebool -P domain_fd_use 1
121
122
123
124       If you want to allow all domains to have the kernel load  modules,  you
125       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
126       default.
127
128       setsebool -P domain_kernel_load_modules 1
129
130
131
132       If you want to allow all domains to execute in fips_mode, you must turn
133       on the fips_mode boolean. Enabled by default.
134
135       setsebool -P fips_mode 1
136
137
138
139       If you want to enable reading of urandom for all domains, you must turn
140       on the global_ssp boolean. Disabled by default.
141
142       setsebool -P global_ssp 1
143
144
145
146       If you want to allow Apache to communicate with avahi service via dbus,
147       you must turn on the httpd_dbus_avahi boolean. Disabled by default.
148
149       setsebool -P httpd_dbus_avahi 1
150
151
152
153       If  you  want  to allow confined applications to run with kerberos, you
154       must turn on the kerberos_enabled boolean. Enabled by default.
155
156       setsebool -P kerberos_enabled 1
157
158
159
160       If you want to allow system to run with  NIS,  you  must  turn  on  the
161       nis_enabled boolean. Disabled by default.
162
163       setsebool -P nis_enabled 1
164
165
166
167       If  you  want to allow confined applications to use nscd shared memory,
168       you must turn on the nscd_use_shm boolean. Disabled by default.
169
170       setsebool -P nscd_use_shm 1
171
172
173

MANAGED FILES

175       The SELinux process type avahi_t can manage files labeled with the fol‐
176       lowing  file  types.   The paths listed are the default paths for these
177       file types.  Note the processes UID still need to have DAC permissions.
178
179       avahi_var_lib_t
180
181            /var/lib/avahi-autoipd(/.*)?
182
183       avahi_var_run_t
184
185            /var/run/avahi-daemon(/.*)?
186
187       cluster_conf_t
188
189            /etc/cluster(/.*)?
190
191       cluster_var_lib_t
192
193            /var/lib/pcsd(/.*)?
194            /var/lib/cluster(/.*)?
195            /var/lib/openais(/.*)?
196            /var/lib/pengine(/.*)?
197            /var/lib/corosync(/.*)?
198            /usr/lib/heartbeat(/.*)?
199            /var/lib/heartbeat(/.*)?
200            /var/lib/pacemaker(/.*)?
201
202       cluster_var_run_t
203
204            /var/run/crm(/.*)?
205            /var/run/cman_.*
206            /var/run/rsctmp(/.*)?
207            /var/run/aisexec.*
208            /var/run/heartbeat(/.*)?
209            /var/run/corosync-qnetd(/.*)?
210            /var/run/corosync-qdevice(/.*)?
211            /var/run/cpglockd.pid
212            /var/run/corosync.pid
213            /var/run/rgmanager.pid
214            /var/run/cluster/rgmanager.sk
215
216       net_conf_t
217
218            /etc/hosts[^/]*
219            /etc/yp.conf.*
220            /etc/denyhosts.*
221            /etc/hosts.deny.*
222            /etc/resolv.conf.*
223            /etc/.resolv.conf.*
224            /etc/resolv-secure.conf.*
225            /var/run/systemd/network(/.*)?
226            /etc/sysconfig/networking(/.*)?
227            /etc/sysconfig/network-scripts(/.*)?
228            /etc/sysconfig/network-scripts/.*resolv.conf
229            /var/run/NetworkManager/resolv.conf.*
230            /etc/ethers
231            /etc/ntp.conf
232            /var/run/systemd/resolve/resolv.conf
233
234       root_t
235
236            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
237            /
238            /initrd
239
240

FILE CONTEXTS

242       SELinux requires files to have an extended attribute to define the file
243       type.
244
245       You can see the context of a file using the -Z option to ls
246
247       Policy  governs  the  access  confined  processes  have to these files.
248       SELinux avahi policy is very flexible allowing  users  to  setup  their
249       avahi processes in as secure a method as possible.
250
251       STANDARD FILE CONTEXT
252
253       SELinux  defines the file context types for the avahi, if you wanted to
254       store files with these types in a diffent paths, you  need  to  execute
255       the  semanage  command  to  sepecify  alternate  labeling  and then use
256       restorecon to put the labels on disk.
257
258       semanage fcontext -a -t avahi_var_run_t '/srv/myavahi_content(/.*)?'
259       restorecon -R -v /srv/myavahi_content
260
261       Note: SELinux often uses regular expressions  to  specify  labels  that
262       match multiple files.
263
264       The following file types are defined for avahi:
265
266
267
268       avahi_exec_t
269
270       -  Set  files  with the avahi_exec_t type, if you want to transition an
271       executable to the avahi_t domain.
272
273
274       Paths:
275            /usr/sbin/avahi-daemon, /usr/sbin/avahi-autoipd,  /usr/sbin/avahi-
276            dnsconfd
277
278
279       avahi_initrc_exec_t
280
281       -  Set  files with the avahi_initrc_exec_t type, if you want to transi‐
282       tion an executable to the avahi_initrc_t domain.
283
284
285
286       avahi_unit_file_t
287
288       - Set files with the avahi_unit_file_t type, if you want to  treat  the
289       files as avahi unit content.
290
291
292
293       avahi_var_lib_t
294
295       -  Set  files  with  the avahi_var_lib_t type, if you want to store the
296       avahi files under the /var/lib directory.
297
298
299
300       avahi_var_run_t
301
302       - Set files with the avahi_var_run_t type, if you  want  to  store  the
303       avahi files under the /run or /var/run directory.
304
305
306
307       Note:  File context can be temporarily modified with the chcon command.
308       If you want to permanently change the file context you need to use  the
309       semanage fcontext command.  This will modify the SELinux labeling data‐
310       base.  You will need to use restorecon to apply the labels.
311
312

COMMANDS

314       semanage fcontext can also be used to manipulate default  file  context
315       mappings.
316
317       semanage  permissive  can  also  be used to manipulate whether or not a
318       process type is permissive.
319
320       semanage module can also be used to enable/disable/install/remove  pol‐
321       icy modules.
322
323       semanage boolean can also be used to manipulate the booleans
324
325
326       system-config-selinux is a GUI tool available to customize SELinux pol‐
327       icy settings.
328
329

AUTHOR

331       This manual page was auto-generated using sepolicy manpage .
332
333