afs_selinux(8)                SELinux Policy afs                afs_selinux(8)

NAME

       afs_selinux - Security Enhanced Linux Policy for the afs processes


DESCRIPTION

       Security-Enhanced Linux secures the afs processes via flexible manda‐
       tory access control.

       The afs processes execute with the afs_t SELinux type. You can check if
       you have these processes running by executing the ps command with the
       -Z qualifier.

       For example:

       ps -eZ | grep afs_t


ENTRYPOINTS

       The afs_t SELinux type can be entered via the afs_exec_t file type.

       The default entrypoint paths for the afs_t domain are the following:

       /usr/sbin/afsd, /usr/vice/etc/afsd


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files.  SELinux
       afs policy is very flexible, allowing users to set up their afs
       processes in as secure a method as possible.

       The following process types are defined for afs:

       afs_t, afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t, afs_vlserver_t

       Note: semanage permissive -a afs_t can be used to make the process type
       afs_t permissive. SELinux does not deny access to permissive process
       types, but the AVC (SELinux denial) messages are still generated.  Use
       this only while diagnosing a problem, so that the denials can be read
       from the audit log and fixed by labeling or a boolean; remove it again
       afterwards with semanage permissive -d afs_t.

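       The note above says that a permissive domain still logs AVC denials.
       The following added example (editor's code, not part of the generated
       man page or of the afs policy) shows the triage a practitioner does with
       those records before deciding between a relabel, a port definition or a
       local policy module: it parses AVC lines for the afs domains listed
       above, groups them by source type, target type and object class, and
       separates denials that were enforced from ones that were only logged
       because the domain was permissive. The audit lines are constructed for
       the example and are not captured from a real host; next_step() is a
       heuristic of this example, not a sepolicy feature.

```python
import re
from collections import defaultdict

# Domains listed in this man page's PROCESS TYPES section.
AFS_DOMAINS = {"afs_t", "afs_bosserver_t", "afs_fsserver_t",
               "afs_kaserver_t", "afs_ptserver_t", "afs_vlserver_t"}

# Constructed sample audit records (not captured from a real host). The field
# layout follows the kernel's AVC record format; the third record comes from a
# domain that was made permissive, so it was logged but not enforced. The
# sshd_t record and the SYSCALL record are there to be filtered out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1697812345.123:456): avc:  denied  { read } for  pid=2201 comm="afsd" name="CellServDB" dev="dm-0" ino=1312 scontext=system_u:system_r:afs_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697812345.130:457): avc:  denied  { name_bind } for  pid=2203 comm="fileserver" src=7100 scontext=system_u:system_r:afs_fsserver_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1697812346.001:458): avc:  denied  { write add_name } for  pid=2201 comm="afsd" name="cache" dev="dm-0" ino=99 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1697812347.500:459): avc:  denied  { read } for  pid=4410 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1697812346.001:458): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(":")[2]


def parse_avcs(text):
    """Parse AVC records out of raw audit.log text; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        records.append({
            "action": m.group("action"),
            "perms": frozenset(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def summarize(records, domains=AFS_DOMAINS):
    """Group denials from the given domains by (source, target, class).

    Each group holds the union of denied permissions and counts how many records
    were enforced versus merely logged because the source domain was permissive.
    """
    groups = defaultdict(lambda: {"perms": set(), "enforced": 0, "logged_only": 0})
    for r in records:
        if r["action"] != "denied" or r["source"] not in domains:
            continue
        g = groups[(r["source"], r["target"], r["tclass"])]
        g["perms"] |= r["perms"]
        g["logged_only" if r["permissive"] else "enforced"] += 1
    return dict(groups)


def next_step(source, target, tclass, perms):
    """Suggest the usual first thing to check for a denial group (heuristic only)."""
    if tclass.endswith("_socket") and "name_bind" in perms:
        return "port is not labeled for %s; see PORT TYPES and semanage port" % source
    if tclass in {"file", "dir", "lnk_file", "sock_file", "fifo_file"}:
        return "check the label of the target (%s) with ls -Z; see FILE CONTEXTS and restorecon" % target
    return "review with audit2allow -w before writing a local policy module"


if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(parse_avcs(SAMPLE_AUDIT)).items()):
        print("%s -> %s (%s): %s  enforced=%d logged_only=%d"
              % (src, tgt, cls, " ".join(sorted(g["perms"])), g["enforced"], g["logged_only"]))
        print("    ", next_step(src, tgt, cls, g["perms"]))
```

       Running it against a real log is a matter of passing the contents of
       /var/log/audit/audit.log (or ausearch -m AVC output) to parse_avcs().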

BOOLEANS

       SELinux policy is customizable based on least access required.  afs
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run afs with the tightest access possible.

       If you want to dontaudit all daemons' scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux afs policy is very flexible, allowing users to set up their afs
       processes in as secure a method as possible.

       The following port types are defined for afs:

       afs3_callback_port_t

       Default Defined Ports:
                 tcp 7001
                 udp 7001

       afs_bos_port_t

       Default Defined Ports:
                 udp 7007

       afs_fs_port_t

       Default Defined Ports:
                 tcp 2040
                 udp 7000,7005

       afs_ka_port_t

       Default Defined Ports:
                 udp 7004

       afs_pt_port_t

       Default Defined Ports:
                 tcp 7002
                 udp 7002

       afs_vl_port_t

       Default Defined Ports:
                 udp 7003

       Note: if an afs server is configured to listen on a port that is not
       listed here, add that port to the matching type with semanage port -a
       -t <type> -p <proto> <port>; otherwise the server can be denied the
       bind (logged as a name_bind AVC against the port's current type).

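       The port listing above is only useful once you can answer "which type
       does port X currently carry, and what command makes it the afs type I
       need?". The following added example (editor's code, not part of the
       generated man page or of semanage) does that over a constructed sample
       of semanage port -l output: it parses the rows, resolves a port to its
       type, and emits the semanage port command that would label it. The
       narrowest-range-wins lookup and the -a versus -m choice are
       simplifications of libsemanage's behaviour made for this example.

```python
import re

# Constructed sample of `semanage port -l` output, trimmed to the afs types
# listed in this man page plus the generic unreserved range. Not captured from
# a real host; the real listing is much longer.
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535
"""

ROW_RE = re.compile(r"^(\S+)\s+(tcp|udp|sctp|dccp)\s+(.+)$")


def parse_port_list(text):
    """Return a list of (type, proto, low, high) entries from semanage port -l output."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue  # header, blank line, or anything not shaped like a row
        ptype, proto, spec = m.groups()
        for item in spec.split(","):
            low, _, high = item.strip().partition("-")
            entries.append((ptype, proto, int(low), int(high or low)))
    return entries


def port_type(entries, proto, port):
    """Return the type labeling proto/port, or None if no entry covers it.

    Simplification (assumption, not libsemanage's exact algorithm): when several
    entries cover the port, the narrowest range wins, so an explicit single-port
    definition beats the catch-all unreserved range.
    """
    best = None
    for ptype, p, low, high in entries:
        if p == proto and low <= port <= high:
            if best is None or (high - low) < (best[3] - best[2]):
                best = (ptype, p, low, high)
    return best[0] if best else None


def port_fix(entries, proto, port, wanted):
    """Return the semanage command that labels proto/port as `wanted`, or None
    when it already carries that type.

    -a adds a new definition. If the port already has an explicit definition of
    its own (modelled here as an exact single-port entry), -a is refused as
    "already defined" and -m must modify the existing one instead.
    """
    if port_type(entries, proto, port) == wanted:
        return None
    explicit = any(p == proto and low == high == port for _, p, low, high in entries)
    verb = "-m" if explicit else "-a"
    return "semanage port %s -t %s -p %s %d" % (verb, wanted, proto, port)


if __name__ == "__main__":
    e = parse_port_list(SAMPLE_PORT_LIST)
    for proto, port in (("udp", 7000), ("udp", 7100), ("tcp", 2040)):
        print(proto, port, port_type(e, proto, port), port_fix(e, proto, port, "afs_fs_port_t"))
```

       A fileserver moved to udp/7100 is the typical case: the port resolves
       to unreserved_port_t, and the returned command adds it to
       afs_fs_port_t without touching the default definitions.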

MANAGED FILES

       The SELinux process type afs_t can manage files labeled with the fol‐
       lowing file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs DAC permission as
       well; SELinux only adds a second check, it never replaces the first.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       unlabeled_t


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux afs policy is very flexible, allowing users to set up their afs
       processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for afs. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to label a relocated
       content tree as afs_files_t (the path given to restorecon must be one
       the new fcontext rule covers, or nothing is relabeled):

       semanage fcontext -a -t afs_files_t '/srv/afs/content(/.*)?'
       restorecon -R -v /srv/afs/content

       Do not use afs_exec_t for such a tree: it is the entrypoint type for the
       afs_t domain and belongs only on the afsd binaries listed under
       ENTRYPOINTS.

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for afs:

214
       afs_bosserver_exec_t

       - Set files with the afs_bosserver_exec_t type, if you want to transi‐
       tion an executable to the afs_bosserver_t domain.

       Paths:
            /usr/sbin/bosserver, /usr/afs/bin/bosserver

       afs_cache_t

       - Set files with the afs_cache_t type, if you want to store the files
       under the /var/cache directory.

       Paths:
            /var/cache/(open)?afs(/.*)?, /usr/vice/cache(/.*)?

       afs_config_t

       - Set files with the afs_config_t type, if you want to treat the files
       as afs configuration data, usually stored under the /etc directory.

       Paths:
            /etc/(open)?afs(/.*)?, /usr/afs/etc(/.*)?, /usr/afs/local(/.*)?

       afs_dbdir_t

       - Set files with the afs_dbdir_t type, if you want to treat the files
       as afs dbdir data.

       afs_exec_t

       - Set files with the afs_exec_t type, if you want to transition an exe‐
       cutable to the afs_t domain.

       Paths:
            /usr/sbin/afsd, /usr/vice/etc/afsd

       afs_files_t

       - Set files with the afs_files_t type, if you want to treat the files
       as afs content.

       Paths:
            /usr/afs(/.*)?, /vicepa, /vicepb, /vicepc

       afs_fsserver_exec_t

       - Set files with the afs_fsserver_exec_t type, if you want to transi‐
       tion an executable to the afs_fsserver_t domain.

       Paths:
            /usr/afs/bin/salvager, /usr/afs/bin/volserver,
            /usr/afs/bin/dasalvager, /usr/afs/bin/fileserver,
            /usr/afs/bin/davolserver, /usr/afs/bin/dafileserver,
            /usr/afs/bin/salvageserver, /usr/libexec/openafs/salvager,
            /usr/libexec/openafs/volserver, /usr/libexec/openafs/fileserver

       afs_initrc_exec_t

       - Set files with the afs_initrc_exec_t type, if you want to transition
       an executable to the afs_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/(open)?afs, /etc/rc.d/init.d/openafs-client

       afs_ka_db_t

       - Set files with the afs_ka_db_t type, if you want to treat the files
       as afs ka database content.

       afs_kaserver_exec_t

       - Set files with the afs_kaserver_exec_t type, if you want to transi‐
       tion an executable to the afs_kaserver_t domain.

       Paths:
            /usr/afs/bin/kaserver, /usr/libexec/openafs/kaserver

       afs_logfile_t

       - Set files with the afs_logfile_t type, if you want to treat the files
       as afs logfile data.

       afs_pt_db_t

       - Set files with the afs_pt_db_t type, if you want to treat the files
       as afs pt database content.

       afs_ptserver_exec_t

       - Set files with the afs_ptserver_exec_t type, if you want to transi‐
       tion an executable to the afs_ptserver_t domain.

       Paths:
            /usr/afs/bin/ptserver, /usr/libexec/openafs/ptserver

       afs_vl_db_t

       - Set files with the afs_vl_db_t type, if you want to treat the files
       as afs vl database content.

       afs_vlserver_exec_t

       - Set files with the afs_vlserver_exec_t type, if you want to transi‐
       tion an executable to the afs_vlserver_t domain.

       Paths:
            /usr/afs/bin/vlserver, /usr/libexec/openafs/vlserver

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling data‐
       base.  You will need to use restorecon to apply the labels.

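       The file types above only cover the listed paths; the afs_files_t
       entries, for instance, name /vicepa, /vicepb and /vicepc, so a fourth
       vice partition gets no afs label from the default database. The
       following added example (editor's code, not part of the generated man
       page or of libselinux) models how the labeling database resolves a path
       and builds the semanage fcontext / restorecon pair for a path it does
       not cover. The spec table is taken from the Paths listed on this page
       (a subset, ordered general-to-specific by the editor); the "later entry
       wins, local entries after policy" matching rule is an assumption that
       mirrors the documented contract rather than a copy of libselinux.

```python
import re

# Default file context specs as listed in this man page's FILE CONTEXTS
# section (subset; order chosen so that more specific entries come later).
POLICY_SPECS = [
    (r"/usr/afs(/.*)?", "afs_files_t"),
    (r"/vicepa", "afs_files_t"),
    (r"/vicepb", "afs_files_t"),
    (r"/vicepc", "afs_files_t"),
    (r"/etc/(open)?afs(/.*)?", "afs_config_t"),
    (r"/usr/afs/etc(/.*)?", "afs_config_t"),
    (r"/usr/afs/local(/.*)?", "afs_config_t"),
    (r"/var/cache/(open)?afs(/.*)?", "afs_cache_t"),
    (r"/usr/vice/cache(/.*)?", "afs_cache_t"),
    (r"/usr/sbin/afsd", "afs_exec_t"),
    (r"/usr/vice/etc/afsd", "afs_exec_t"),
    (r"/usr/afs/bin/bosserver", "afs_bosserver_exec_t"),
    (r"/usr/afs/bin/fileserver", "afs_fsserver_exec_t"),
    (r"/usr/afs/bin/ptserver", "afs_ptserver_exec_t"),
    (r"/usr/afs/bin/vlserver", "afs_vlserver_exec_t"),
]


def compile_specs(specs):
    """Anchor each regex at both ends: a file_contexts entry must match the
    whole path, not a substring of it."""
    return [(re.compile("^(?:%s)$" % rx), t) for rx, t in specs]


def default_type(path, policy=POLICY_SPECS, local=()):
    """Return the type the labeling database would assign to `path`, or None.

    Matching model (assumption, see lead-in): policy specs are tried first,
    then the file_contexts.local entries that `semanage fcontext -a` creates,
    and the last matching entry wins. None means no entry covers the path;
    such a file keeps the label it was created with (normally inherited from
    its parent directory) and restorecon leaves it alone.
    """
    winner = None
    for rx, t in compile_specs(list(policy) + list(local)):
        if rx.match(path):
            winner = t
    return winner


def relabel_plan(path_regex, sample_path, wanted, policy=POLICY_SPECS, local=()):
    """Return the commands needed so that files matching `path_regex` get
    `wanted`, or an empty list if `sample_path` would already be labeled so.

    The directory handed to restorecon is the regex with a trailing (/.*)?
    stripped, so it is a path the new rule actually covers.
    """
    if default_type(sample_path, policy, local) == wanted:
        return []
    plain = re.sub(r"\(/\.\*\)\?$", "", path_regex)
    return [
        "semanage fcontext -a -t %s '%s'" % (wanted, path_regex),
        "restorecon -R -v %s" % plain,
    ]


if __name__ == "__main__":
    for p in ("/usr/sbin/afsd", "/usr/afs/etc/KeyFile", "/vicepa", "/vicepd"):
        print(p, "->", default_type(p))
    print("\n".join(relabel_plan("/vicepd(/.*)?", "/vicepd", "afs_files_t")))
```

       On a live system the same answers come from matchpathcon or
       sepolicy's own lookups; the value of the model is seeing why /vicepd
       resolves to nothing until the local rule exists, and why the restorecon
       path must lie under the rule just added.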

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove pol‐
       icy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux pol‐
       icy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), afs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8),
       afs_kaserver_selinux(8), afs_ptserver_selinux(8),
       afs_vlserver_selinux(8)



afs                                23-10-20                     afs_selinux(8)