afs_selinux(8)                SELinux Policy afs                afs_selinux(8)


NAME

       afs_selinux - Security Enhanced Linux Policy for the afs processes

DESCRIPTION

       Security-Enhanced Linux secures the afs processes via flexible mandatory
       access control.

       The afs processes execute with the afs_t SELinux type. You can check
       whether these processes are running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep afs_t


ENTRYPOINTS

       The afs_t SELinux type can be entered via the afs_exec_t file type.

       The default entrypoint paths for the afs_t domain are the following:

       /usr/sbin/afsd, /usr/vice/etc/afsd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux afs
       policy is very flexible, allowing users to set up their afs processes in
       as secure a manner as possible.

       The following process types are defined for afs:

       afs_t, afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t, afs_vlserver_t

       Note: semanage permissive -a afs_t can be used to make the process type
       afs_t permissive. SELinux does not deny access to permissive process
       types, but the AVC (SELinux denials) messages are still generated.

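       A grep for the string afs_t in ps -eZ output also matches the grep
       itself and tells you nothing about an afs daemon that was started
       from an unconfined shell and never transitioned. The following script
       is an added example, not part of this manual page or of the afs
       policy: it extracts the type field from each process context and
       reports any afs daemon whose domain is not one of the afs_* types
       listed above. The ps output embedded in it is constructed sample
       data, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of afs_selinux(8): verify that the afs daemons
# actually run in the afs_* domains listed under PROCESS TYPES.

# The afs process domains named on the page.
AFS_DOMAINS='afs_t
afs_bosserver_t
afs_fsserver_t
afs_kaserver_t
afs_ptserver_t
afs_vlserver_t'

# Constructed sample in the layout of `ps -eZ` (not captured from a real host).
# The bosserver line is deliberately wrong: it was started from an unconfined
# shell and never transitioned into afs_bosserver_t.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:afs_t:s0         1203 ?        00:00:04 afsd
system_u:system_r:afs_fsserver_t:s0 1310 ?        00:00:12 fileserver
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2200 pts/0 00:00:00 bosserver
system_u:system_r:sshd_t:s0-s0:c0.c1023 811 ?        00:00:00 sshd'

# selinux_type CONTEXT: print the type (third colon-separated field) of a
# context such as system_u:system_r:afs_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_afs_domain TYPE: succeed if TYPE is one of the afs process domains.
is_afs_domain() {
    printf '%s\n' "$AFS_DOMAINS" | grep -qx -- "$1"
}

# unconfined_afs PS_OUTPUT: print "PID CMD TYPE" for every afs daemon whose
# domain is not an afs_* type. Prints nothing when everything is confined.
# The command names are the basenames of the entrypoint paths on this page.
unconfined_afs() {
    printf '%s\n' "$1" | tail -n +2 | while read -r ctx pid tty cpu cmd; do
        case "$cmd" in
            afsd|bosserver|fileserver|dafileserver|volserver|davolserver|salvager|dasalvager|salvageserver|kaserver|ptserver|vlserver) ;;
            *) continue ;;
        esac
        t=$(selinux_type "$ctx")
        is_afs_domain "$t" || printf '%s %s %s\n' "$pid" "$cmd" "$t"
    done
}

# On a live system:  unconfined_afs "$(ps -eZ)"
# With the constructed sample this prints: 2200 bosserver unconfined_t
unconfined_afs "$SAMPLE_PS"
```

       A daemon reported here is running without the afs policy applied to
       it, so none of the file, port or boolean restrictions described in the
       rest of this page affect it; the usual cause is an entrypoint binary
       that is not labeled with its *_exec_t type.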

BOOLEANS

       SELinux policy is customizable based on least access required. afs
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run afs with the tightest access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux afs policy is very flexible, allowing users to set up their afs
       processes in as secure a manner as possible.

       The following port types are defined for afs:

       afs3_callback_port_t

       Default Defined Ports:
                 tcp 7001
                 udp 7001

       afs_bos_port_t

       Default Defined Ports:
                 udp 7007

       afs_fs_port_t

       Default Defined Ports:
                 tcp 2040
                 udp 7000,7005

       afs_ka_port_t

       Default Defined Ports:
                 udp 7004

       afs_pt_port_t

       Default Defined Ports:
                 tcp 7002
                 udp 7002

       afs_vl_port_t

       Default Defined Ports:
                 udp 7003

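       The port list above is easy to read but awkward to check by hand,
       because semanage port -l prints one line per type with comma-separated
       ports and ranges. The script below is an added example, not part of
       this page or of the afs policy: it resolves a protocol/port pair to its
       port type from a table in the semanage port -l layout, and checks every
       default afs port from this section against it. The table is a
       constructed excerpt, not real output; on a live system you would feed
       it from the semanage command instead.

```shell
#!/bin/sh
# Added example, not from afs_selinux(8): map proto/port to its SELinux port
# type from a `semanage port -l`-style table and verify the afs defaults.

# Constructed excerpt in the layout of `semanage port -l` (not real output).
# Replace with:  PORT_TABLE=$(semanage port -l)  on a live system.
PORT_TABLE='afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_type_of PROTO PORT: print the first type whose port list (single
# ports or lo-hi ranges) contains PORT for PROTO; print nothing if none does.
port_type_of() {
    printf '%s\n' "$PORT_TABLE" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # strip the list separator
                n = split(p, r, "-")              # "7000" or "1024-32767"
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# The default afs ports from the PORT TYPES section, one triple per line.
EXPECTED='afs3_callback_port_t tcp 7001
afs3_callback_port_t udp 7001
afs_bos_port_t udp 7007
afs_fs_port_t tcp 2040
afs_fs_port_t udp 7000
afs_fs_port_t udp 7005
afs_ka_port_t udp 7004
afs_pt_port_t tcp 7002
afs_pt_port_t udp 7002
afs_vl_port_t udp 7003'

# afs_ports_ok: succeed when every expected triple resolves to its type;
# print the first mismatch and fail otherwise.
afs_ports_ok() {
    printf '%s\n' "$EXPECTED" | while read -r type proto port; do
        got=$(port_type_of "$proto" "$port")
        [ "$got" = "$type" ] || {
            printf 'MISMATCH %s/%s: got "%s", expected %s\n' "$proto" "$port" "$got" "$type"
            exit 1
        }
    done
}

afs_ports_ok && echo "all afs port definitions present"
```

       Note that the mapping is per protocol: udp 7003 resolves to
       afs_vl_port_t, while tcp 7003 falls into the generic
       unreserved_port_t range in the sample table, which is the kind of
       mismatch this check surfaces when a daemon is reconfigured to listen
       on a protocol or port the policy does not know about.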

MANAGED FILES

       The SELinux process type afs_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       unlabeled_t


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux afs policy is very flexible, allowing users to set up their afs
       processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for afs. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t afs_vl_db_t '/srv/myafs_content(/.*)?'
       restorecon -R -v /srv/myafs_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for afs:

       afs_bosserver_exec_t

       - Set files with the afs_bosserver_exec_t type, if you want to
       transition an executable to the afs_bosserver_t domain.

       Paths:
            /usr/sbin/bosserver, /usr/afs/bin/bosserver

       afs_cache_t

       - Set files with the afs_cache_t type, if you want to store the files
       under the /var/cache directory.

       Paths:
            /var/cache/(open)?afs(/.*)?, /usr/vice/cache(/.*)?

       afs_config_t

       - Set files with the afs_config_t type, if you want to treat the files
       as afs configuration data, usually stored under the /etc directory.

       Paths:
            /etc/(open)?afs(/.*)?, /usr/afs/etc(/.*)?, /usr/afs/local(/.*)?

       afs_dbdir_t

       - Set files with the afs_dbdir_t type, if you want to treat the files
       as afs dbdir data.

       afs_exec_t

       - Set files with the afs_exec_t type, if you want to transition an
       executable to the afs_t domain.

       Paths:
            /usr/sbin/afsd, /usr/vice/etc/afsd

       afs_files_t

       - Set files with the afs_files_t type, if you want to treat the files
       as afs content.

       Paths:
            /usr/afs(/.*)?, /vicepa, /vicepb, /vicepc

       afs_fsserver_exec_t

       - Set files with the afs_fsserver_exec_t type, if you want to
       transition an executable to the afs_fsserver_t domain.

       Paths:
            /usr/afs/bin/salvager, /usr/afs/bin/volserver,
            /usr/afs/bin/dasalvager, /usr/afs/bin/fileserver,
            /usr/afs/bin/davolserver, /usr/afs/bin/dafileserver,
            /usr/afs/bin/salvageserver, /usr/libexec/openafs/salvager,
            /usr/libexec/openafs/volserver, /usr/libexec/openafs/fileserver

       afs_initrc_exec_t

       - Set files with the afs_initrc_exec_t type, if you want to transition
       an executable to the afs_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/(open)?afs, /etc/rc.d/init.d/openafs-client

       afs_ka_db_t

       - Set files with the afs_ka_db_t type, if you want to treat the files
       as afs ka database content.

       afs_kaserver_exec_t

       - Set files with the afs_kaserver_exec_t type, if you want to
       transition an executable to the afs_kaserver_t domain.

       Paths:
            /usr/afs/bin/kaserver, /usr/libexec/openafs/kaserver

       afs_logfile_t

       - Set files with the afs_logfile_t type, if you want to treat the files
       as afs logfile data.

       afs_pt_db_t

       - Set files with the afs_pt_db_t type, if you want to treat the files
       as afs pt database content.

       afs_ptserver_exec_t

       - Set files with the afs_ptserver_exec_t type, if you want to
       transition an executable to the afs_ptserver_t domain.

       Paths:
            /usr/afs/bin/ptserver, /usr/libexec/openafs/ptserver

       afs_vl_db_t

       - Set files with the afs_vl_db_t type, if you want to treat the files
       as afs vl database content.

       afs_vlserver_exec_t

       - Set files with the afs_vlserver_exec_t type, if you want to
       transition an executable to the afs_vlserver_t domain.

       Paths:
            /usr/afs/bin/vlserver, /usr/libexec/openafs/vlserver

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

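       The Paths entries above, and the semanage fcontext -a line under
       STANDARD FILE CONTEXT, are regular expressions that are matched
       against the whole path, so /var/cache/(open)?afs(/.*)? labels
       /var/cache/openafs and everything below it but not /var/cache/afsd.
       The script below is an added example, not part of this page or of the
       afs policy, that makes both points concrete: fc_match tests one
       pattern against one path the way the labeling engine does (anchored
       at both ends), and fc_lookup resolves a path against a small
       file_contexts-style table. The table is constructed from the page's
       own Paths entries plus the /srv/myafs_content example; the rule that
       a later entry overrides an earlier one is an assumption made here to
       model how an added semanage fcontext entry takes precedence over the
       policy defaults, and the patterns are assumed to be POSIX ERE
       compatible (the ones on this page are).

```shell
#!/bin/sh
# Added example, not from afs_selinux(8): anchored regex matching of paths
# against file-context entries, and a lookup where the last matching entry
# wins (assumed model for how semanage fcontext additions override defaults).

# Constructed table in file_contexts layout (regex, context); not a real
# file_contexts. Entries come from the Paths lists on this page, the first
# line is the catch-all default, and the last line mimics the effect of:
#   semanage fcontext -a -t afs_vl_db_t '/srv/myafs_content(/.*)?'
FILE_CONTEXTS='/.*                               system_u:object_r:default_t:s0
/var/cache/(open)?afs(/.*)?       system_u:object_r:afs_cache_t:s0
/etc/(open)?afs(/.*)?             system_u:object_r:afs_config_t:s0
/usr/afs(/.*)?                    system_u:object_r:afs_files_t:s0
/usr/afs/bin/bosserver            system_u:object_r:afs_bosserver_exec_t:s0
/usr/afs/etc(/.*)?                system_u:object_r:afs_config_t:s0
/srv/myafs_content(/.*)?          system_u:object_r:afs_vl_db_t:s0'

# fc_match REGEX PATH: succeed if REGEX matches the entire PATH.
# grep -x anchors the expression at both ends, as the labeling engine does.
fc_match() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# fc_lookup PATH: print the context of the last table entry whose regex
# matches the whole PATH, or <<none>> when nothing matches.
fc_lookup() {
    printf '%s\n' "$FILE_CONTEXTS" | awk -v path="$1" '
        { if (path ~ ("^(" $1 ")$")) ctx = $NF }   # later match overrides
        END { print (ctx == "" ? "<<none>>" : ctx) }'
}

# fc_type PATH: just the type field of the resolved context.
fc_type() {
    fc_lookup "$1" | cut -d: -f3
}

# Demonstration with a few paths; prints one "path type" line each.
for p in /var/cache/openafs/D0/V1 /var/cache/afsd /usr/afs/bin/bosserver \
         /usr/afs/bin/fileserver /usr/afs/etc/ThisCell /srv/myafs_content/vldb.DB0; do
    printf '%s %s\n' "$p" "$(fc_type "$p")"
done
```

       The order of the table matters: /usr/afs/bin/bosserver is covered by
       /usr/afs(/.*)? as afs_files_t, and only because the more specific
       bosserver entry comes later does it resolve to afs_bosserver_exec_t.
       A path that resolves to default_t or to a content type rather than the
       *_exec_t type is exactly the situation in which the daemon will not
       transition into its afs domain.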

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), afs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8),
       afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)

afs                                21-03-26                     afs_selinux(8)