1avahi_selinux(8) SELinux Policy avahi avahi_selinux(8)
2
3
4
6 avahi_selinux - Security Enhanced Linux Policy for the avahi processes
7
9 Security-Enhanced Linux secures the avahi processes via flexible manda‐
10 tory access control.
11
12 The avahi processes execute with the avahi_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep avahi_t
19
20
21
23 The avahi_t SELinux type can be entered via the avahi_exec_t file type.
24
25 The default entrypoint paths for the avahi_t domain are the following:
26
27 /usr/sbin/avahi-daemon, /usr/sbin/avahi-autoipd, /usr/sbin/avahi-
28 dnsconfd
29
31 SELinux defines process types (domains) for each process running on the
32 system
33
34 You can see the context of a process using the -Z option to ps
35
36 Policy governs the access confined processes have to files. SELinux
37 avahi policy is very flexible allowing users to setup their avahi pro‐
38 cesses in as secure a method as possible.
39
40 The following process types are defined for avahi:
41
42 avahi_t
43
44 Note: semanage permissive -a avahi_t can be used to make the process
45 type avahi_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
49
51 SELinux policy is customizable based on least access required. avahi
52 policy is extremely flexible and has several booleans that allow you to
53 manipulate the policy and run avahi with the tightest access possible.
54
55
56
57 If you want to allow users to resolve user passwd entries directly from
58 ldap rather then using a sssd server, you must turn on the authlo‐
59 gin_nsswitch_use_ldap boolean. Disabled by default.
60
61 setsebool -P authlogin_nsswitch_use_ldap 1
62
63
64
65 If you want to allow all domains to execute in fips_mode, you must turn
66 on the fips_mode boolean. Enabled by default.
67
68 setsebool -P fips_mode 1
69
70
71
72 If you want to allow Apache to communicate with avahi service via dbus,
73 you must turn on the httpd_dbus_avahi boolean. Disabled by default.
74
75 setsebool -P httpd_dbus_avahi 1
76
77
78
79 If you want to allow confined applications to run with kerberos, you
80 must turn on the kerberos_enabled boolean. Enabled by default.
81
82 setsebool -P kerberos_enabled 1
83
84
85
86 If you want to allow system to run with NIS, you must turn on the
87 nis_enabled boolean. Disabled by default.
88
89 setsebool -P nis_enabled 1
90
91
92
93 If you want to allow confined applications to use nscd shared memory,
94 you must turn on the nscd_use_shm boolean. Disabled by default.
95
96 setsebool -P nscd_use_shm 1
97
98
99
101 The SELinux process type avahi_t can manage files labeled with the fol‐
102 lowing file types. The paths listed are the default paths for these
103 file types. Note the processes UID still need to have DAC permissions.
104
105 avahi_var_lib_t
106
107 /var/lib/avahi-autoipd(/.*)?
108
109 avahi_var_run_t
110
111 /var/run/avahi-daemon(/.*)?
112
113 cluster_conf_t
114
115 /etc/cluster(/.*)?
116
117 cluster_var_lib_t
118
119 /var/lib/pcsd(/.*)?
120 /var/lib/cluster(/.*)?
121 /var/lib/openais(/.*)?
122 /var/lib/pengine(/.*)?
123 /var/lib/corosync(/.*)?
124 /usr/lib/heartbeat(/.*)?
125 /var/lib/heartbeat(/.*)?
126 /var/lib/pacemaker(/.*)?
127
128 cluster_var_run_t
129
130 /var/run/crm(/.*)?
131 /var/run/cman_.*
132 /var/run/rsctmp(/.*)?
133 /var/run/aisexec.*
134 /var/run/heartbeat(/.*)?
135 /var/run/corosync-qnetd(/.*)?
136 /var/run/corosync-qdevice(/.*)?
137 /var/run/corosync.pid
138 /var/run/cpglockd.pid
139 /var/run/rgmanager.pid
140 /var/run/cluster/rgmanager.sk
141
142 net_conf_t
143
144 /etc/hosts[^/]*
145 /etc/yp.conf.*
146 /etc/denyhosts.*
147 /etc/hosts.deny.*
148 /etc/resolv.conf.*
149 /etc/.resolv.conf.*
150 /etc/resolv-secure.conf.*
151 /var/run/cloud-init(/.*)?
152 /var/run/systemd/network(/.*)?
153 /etc/sysconfig/networking(/.*)?
154 /etc/sysconfig/network-scripts(/.*)?
155 /etc/sysconfig/network-scripts/.*resolv.conf
156 /var/run/NetworkManager/resolv.conf.*
157 /etc/ethers
158 /etc/ntp.conf
159 /var/run/systemd/resolve/resolv.conf
160 /var/run/systemd/resolve/stub-resolv.conf
161
162 root_t
163
164 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
165 /
166 /initrd
167
168
170 SELinux requires files to have an extended attribute to define the file
171 type.
172
173 You can see the context of a file using the -Z option to ls
174
175 Policy governs the access confined processes have to these files.
176 SELinux avahi policy is very flexible allowing users to setup their
177 avahi processes in as secure a method as possible.
178
179 STANDARD FILE CONTEXT
180
181 SELinux defines the file context types for the avahi, if you wanted to
182 store files with these types in a diffent paths, you need to execute
183 the semanage command to sepecify alternate labeling and then use
184 restorecon to put the labels on disk.
185
186 semanage fcontext -a -t avahi_unit_file_t '/srv/myavahi_content(/.*)?'
187 restorecon -R -v /srv/myavahi_content
188
189 Note: SELinux often uses regular expressions to specify labels that
190 match multiple files.
191
192 The following file types are defined for avahi:
193
194
195
196 avahi_exec_t
197
198 - Set files with the avahi_exec_t type, if you want to transition an
199 executable to the avahi_t domain.
200
201
202 Paths:
203 /usr/sbin/avahi-daemon, /usr/sbin/avahi-autoipd, /usr/sbin/avahi-
204 dnsconfd
205
206
207 avahi_initrc_exec_t
208
209 - Set files with the avahi_initrc_exec_t type, if you want to transi‐
210 tion an executable to the avahi_initrc_t domain.
211
212
213
214 avahi_unit_file_t
215
216 - Set files with the avahi_unit_file_t type, if you want to treat the
217 files as avahi unit content.
218
219
220
221 avahi_var_lib_t
222
223 - Set files with the avahi_var_lib_t type, if you want to store the
224 avahi files under the /var/lib directory.
225
226
227
228 avahi_var_run_t
229
230 - Set files with the avahi_var_run_t type, if you want to store the
231 avahi files under the /run or /var/run directory.
232
233
234
235 Note: File context can be temporarily modified with the chcon command.
236 If you want to permanently change the file context you need to use the
237 semanage fcontext command. This will modify the SELinux labeling data‐
238 base. You will need to use restorecon to apply the labels.
239
240
242 semanage fcontext can also be used to manipulate default file context
243 mappings.
244
245 semanage permissive can also be used to manipulate whether or not a
246 process type is permissive.
247
248 semanage module can also be used to enable/disable/install/remove pol‐
249 icy modules.
250
251 semanage boolean can also be used to manipulate the booleans
252
253
254 system-config-selinux is a GUI tool available to customize SELinux pol‐
255 icy settings.
256
257
259 This manual page was auto-generated using sepolicy manpage .
260
261
263 selinux(8), avahi(8), semanage(8), restorecon(8), chcon(1), sepol‐
264 icy(8), setsebool(8)
265
266
267
268avahi 19-05-30 avahi_selinux(8)