1winbind_selinux(8) SELinux Policy winbind winbind_selinux(8)
2
3
4
6 winbind_selinux - Security Enhanced Linux Policy for the winbind pro‐
7 cesses
8
10 Security-Enhanced Linux secures the winbind processes via flexible
11 mandatory access control.
12
13 The winbind processes execute with the winbind_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep winbind_t
20
21
22
24 The winbind_t SELinux type can be entered via the winbind_exec_t file
25 type.
26
27 The default entrypoint paths for the winbind_t domain are the follow‐
28 ing:
29
30 /usr/sbin/winbindd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 winbind policy is very flexible allowing users to setup their winbind
40 processes in as secure a method as possible.
41
42 The following process types are defined for winbind:
43
44 winbind_helper_t, winbind_t
45
46 Note: semanage permissive -a winbind_t can be used to make the process
47 type winbind_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. winbind
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run winbind with the tightest access possi‐
56 ble.
57
58
59
60 If you want to allow all daemons to write corefiles to /, you must turn
61 on the allow_daemons_dump_core boolean. Disabled by default.
62
63 setsebool -P allow_daemons_dump_core 1
64
65
66
67 If you want to allow all daemons to use tcp wrappers, you must turn on
68 the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
69
70 setsebool -P allow_daemons_use_tcp_wrapper 1
71
72
73
74 If you want to allow all daemons the ability to read/write terminals,
75 you must turn on the allow_daemons_use_tty boolean. Disabled by
76 default.
77
78 setsebool -P allow_daemons_use_tty 1
79
80
81
82 If you want to allow all domains to use other domains file descriptors,
83 you must turn on the allow_domain_fd_use boolean. Enabled by default.
84
85 setsebool -P allow_domain_fd_use 1
86
87
88
89 If you want to allow confined applications to run with kerberos, you
90 must turn on the allow_kerberos boolean. Enabled by default.
91
92 setsebool -P allow_kerberos 1
93
94
95
96 If you want to allow sysadm to debug or ptrace all processes, you must
97 turn on the allow_ptrace boolean. Disabled by default.
98
99 setsebool -P allow_ptrace 1
100
101
102
103 If you want to allow system to run with NIS, you must turn on the
104 allow_ypbind boolean. Disabled by default.
105
106 setsebool -P allow_ypbind 1
107
108
109
110 If you want to enable cluster mode for daemons, you must turn on the
111 daemons_enable_cluster_mode boolean. Disabled by default.
112
113 setsebool -P daemons_enable_cluster_mode 1
114
115
116
117 If you want to allow all domains to have the kernel load modules, you
118 must turn on the domain_kernel_load_modules boolean. Disabled by
119 default.
120
121 setsebool -P domain_kernel_load_modules 1
122
123
124
125 If you want to allow all domains to execute in fips_mode, you must turn
126 on the fips_mode boolean. Enabled by default.
127
128 setsebool -P fips_mode 1
129
130
131
132 If you want to enable reading of urandom for all domains, you must turn
133 on the global_ssp boolean. Disabled by default.
134
135 setsebool -P global_ssp 1
136
137
138
139 If you want to enable support for upstart as the init program, you must
140 turn on the init_upstart boolean. Enabled by default.
141
142 setsebool -P init_upstart 1
143
144
145
146 If you want to allow confined applications to use nscd shared memory,
147 you must turn on the nscd_use_shm boolean. Enabled by default.
148
149 setsebool -P nscd_use_shm 1
150
151
152
154 The SELinux process type winbind_t can manage files labeled with the
155 following file types. The paths listed are the default paths for these
156 file types. Note the processes UID still need to have DAC permissions.
157
158 auth_cache_t
159
160 /var/cache/coolkey(/.*)?
161
162 cluster_conf_t
163
164 /etc/cluster(/.*)?
165
166 cluster_var_lib_t
167
168 /var/lib(64)?/openais(/.*)?
169 /var/lib(64)?/pengine(/.*)?
170 /var/lib(64)?/corosync(/.*)?
171 /usr/lib(64)?/heartbeat(/.*)?
172 /var/lib(64)?/heartbeat(/.*)?
173 /var/lib(64)?/pacemaker(/.*)?
174 /var/lib/cluster(/.*)?
175
176 cluster_var_run_t
177
178 /var/run/crm(/.*)?
179 /var/run/cman_.*
180 /var/run/rsctmp(/.*)?
181 /var/run/aisexec.*
182 /var/run/heartbeat(/.*)?
183 /var/run/cpglockd.pid
184 /var/run/corosync.pid
185 /var/run/rgmanager.pid
186 /var/run/cluster/rgmanager.sk
187
188 ctdbd_var_lib_t
189
190 /etc/ctdb(/.*)?
191 /var/ctdb(/.*)?
192 /var/ctdbd(/.*)?
193 /var/lib/ctdb(/.*)?
194 /var/lib/ctdbd(/.*)?
195
196 faillog_t
197
198 /var/log/btmp.*
199 /var/log/faillog.*
200 /var/log/tallylog.*
201 /var/run/faillock(/.*)?
202
203 initrc_tmp_t
204
205
206 mnt_t
207
208 /mnt(/[^/]*)
209 /mnt(/[^/]*)?
210 /rhev(/[^/]*)?
211 /media(/[^/]*)
212 /media(/[^/]*)?
213 /etc/rhgb(/.*)?
214 /media/.hal-.*
215 /net
216 /afs
217 /rhev
218 /misc
219
220 pcscd_var_run_t
221
222 /var/run/pcscd.events(/.*)?
223 /var/run/pcscd.pid
224 /var/run/pcscd.pub
225 /var/run/pcscd.comm
226
227 root_t
228
229 /
230 /initrd
231
232 samba_log_t
233
234 /var/log/samba(/.*)?
235
236 samba_secrets_t
237
238 /etc/samba/smbpasswd
239 /etc/samba/passdb.tdb
240 /etc/samba/MACHINE.SID
241 /etc/samba/secrets.tdb
242
243 samba_var_t
244
245 /var/nmbd(/.*)?
246 /var/lib/samba(/.*)?
247 /var/cache/samba(/.*)?
248
249 smbd_tmp_t
250
251
252 smbd_var_run_t
253
254 /var/run/samba(/.*)?
255 /var/run/smbd.pid
256 /var/run/samba/smbd.pid
257 /var/run/samba/brlock.tdb
258 /var/run/samba/locking.tdb
259 /var/run/samba/gencache.tdb
260 /var/run/samba/sessionid.tdb
261 /var/run/samba/share_info.tdb
262 /var/run/samba/connections.tdb
263
264 tmp_t
265
266 /tmp
267 /usr/tmp
268 /var/tmp
269 /tmp-inst
270 /var/tmp-inst
271 /var/tmp/vi.recover
272
273 user_home_t
274
275 /home/[^/]*/.+
276 /home/staff/.+
277
278 user_tmp_t
279
280 /tmp/gconfd-.*
281 /tmp/gconfd-staff
282
283 winbind_log_t
284
285
286 winbind_var_run_t
287
288 /var/run/winbindd(/.*)?
289 /var/lib/samba/winbindd_privileged(/.*)?
290 /var/cache/samba/winbindd_privileged(/.*)?
291
292
294 SELinux requires files to have an extended attribute to define the file
295 type.
296
297 You can see the context of a file using the -Z option to ls
298
299 Policy governs the access confined processes have to these files.
300 SELinux winbind policy is very flexible allowing users to setup their
301 winbind processes in as secure a method as possible.
302
303 STANDARD FILE CONTEXT
304
305 SELinux defines the file context types for the winbind, if you wanted
306 to store files with these types in a diffent paths, you need to execute
307 the semanage command to sepecify alternate labeling and then use
308 restorecon to put the labels on disk.
309
310 semanage fcontext -a -t winbind_var_run_t '/srv/mywinbind_con‐
311 tent(/.*)?'
312 restorecon -R -v /srv/mywinbind_content
313
314 Note: SELinux often uses regular expressions to specify labels that
315 match multiple files.
316
317 The following file types are defined for winbind:
318
319
320
321 winbind_exec_t
322
323 - Set files with the winbind_exec_t type, if you want to transition an
324 executable to the winbind_t domain.
325
326
327
328 winbind_helper_exec_t
329
330 - Set files with the winbind_helper_exec_t type, if you want to transi‐
331 tion an executable to the winbind_helper_t domain.
332
333
334
335 winbind_log_t
336
337 - Set files with the winbind_log_t type, if you want to treat the data
338 as winbind log data, usually stored under the /var/log directory.
339
340
341
342 winbind_var_run_t
343
344 - Set files with the winbind_var_run_t type, if you want to store the
345 winbind files under the /run or /var/run directory.
346
347
348 Paths:
349 /var/run/winbindd(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?,
350 /var/cache/samba/winbindd_privileged(/.*)?
351
352
353 Note: File context can be temporarily modified with the chcon command.
354 If you want to permanently change the file context you need to use the
355 semanage fcontext command. This will modify the SELinux labeling data‐
356 base. You will need to use restorecon to apply the labels.
357
358
360 semanage fcontext can also be used to manipulate default file context
361 mappings.
362
363 semanage permissive can also be used to manipulate whether or not a
364 process type is permissive.
365
366 semanage module can also be used to enable/disable/install/remove pol‐
367 icy modules.
368
369 semanage boolean can also be used to manipulate the booleans
370
371
372 system-config-selinux is a GUI tool available to customize SELinux pol‐
373 icy settings.
374
375
377 This manual page was auto-generated using sepolicy manpage .
378
379
381 selinux(8), winbind(8), semanage(8), restorecon(8), chcon(1) , setse‐
382 bool(8), winbind_helper_selinux(8)
383
384
385
386winbind 15-06-03 winbind_selinux(8)