1amanda_selinux(8)            SELinux Policy amanda           amanda_selinux(8)
2
3
4

NAME

6       amanda_selinux  -  Security  Enhanced  Linux Policy for the amanda pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  amanda  processes  via  flexible
11       mandatory access control.
12
13       The  amanda  processes  execute with the amanda_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep amanda_t
20
21
22

ENTRYPOINTS

24       The  amanda_t  SELinux  type  can  be  entered  via  the amanda_exec_t,
25       amanda_inetd_exec_t file types.
26
27       The default entrypoint paths for the amanda_t domain are the following:
28
29       /usr/lib(64)?/amanda/.+,                  /usr/lib(64)?/amanda/amandad,
30       /usr/lib(64)?/amanda/amindexd, /usr/lib(64)?/amanda/amidxtaped
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       amanda  policy  is  very  flexible allowing users to setup their amanda
40       processes in as secure a method as possible.
41
42       The following process types are defined for amanda:
43
44       amanda_t, amanda_recover_t
45
46       Note: semanage permissive -a amanda_t can be used to make  the  process
47       type  amanda_t  permissive.  SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy is customizable based on least access required.  amanda
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate the policy and run amanda with the tightest access possible.
56
57
58
59       If you want to allow all domains to use other domains file descriptors,
60       you must turn on the allow_domain_fd_use boolean. Enabled by default.
61
62       setsebool -P allow_domain_fd_use 1
63
64
65
66       If you want to allow confined applications to run  with  kerberos,  you
67       must turn on the allow_kerberos boolean. Enabled by default.
68
69       setsebool -P allow_kerberos 1
70
71
72
73       If  you want to allow sysadm to debug or ptrace all processes, you must
74       turn on the allow_ptrace boolean. Disabled by default.
75
76       setsebool -P allow_ptrace 1
77
78
79
80       If you want to allow system to run with  NIS,  you  must  turn  on  the
81       allow_ypbind boolean. Disabled by default.
82
83       setsebool -P allow_ypbind 1
84
85
86
87       If  you  want to allow all domains to have the kernel load modules, you
88       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
89       default.
90
91       setsebool -P domain_kernel_load_modules 1
92
93
94
95       If you want to allow all domains to execute in fips_mode, you must turn
96       on the fips_mode boolean. Enabled by default.
97
98       setsebool -P fips_mode 1
99
100
101
102       If you want to enable reading of urandom for all domains, you must turn
103       on the global_ssp boolean. Disabled by default.
104
105       setsebool -P global_ssp 1
106
107
108
109       If  you  want to allow confined applications to use nscd shared memory,
110       you must turn on the nscd_use_shm boolean. Enabled by default.
111
112       setsebool -P nscd_use_shm 1
113
114
115

PORT TYPES

117       SELinux defines port types to represent TCP and UDP ports.
118
119       You can see the types associated with a port  by  using  the  following
120       command:
121
122       semanage port -l
123
124
125       Policy  governs  the  access  confined  processes  have to these ports.
126       SELinux amanda policy is very flexible allowing users  to  setup  their
127       amanda processes in as secure a method as possible.
128
129       The following port types are defined for amanda:
130
131
132       amanda_port_t
133
134
135
136       Default Defined Ports:
137                 tcp 10080-10083
138                 udp 10080-10082
139

MANAGED FILES

141       The  SELinux  process  type  amanda_t can manage files labeled with the
142       following file types.  The paths listed are the default paths for these
143       file types.  Note the processes UID still need to have DAC permissions.
144
145       amanda_amandates_t
146
147            /etc/amandates
148
149       amanda_data_t
150
151            /etc/amanda/.*/index(/.*)?
152            /etc/amanda/.*/tapelist(/.*)?
153            /var/lib/amanda/[^/]+(/.*)?
154
155       amanda_dumpdates_t
156
157            /etc/dumpdates
158
159       amanda_gnutarlists_t
160
161            /var/lib/amanda/gnutar-lists(/.*)?
162
163       amanda_log_t
164
165            /var/log/amanda(/.*)?
166            /var/lib/amanda/[^/]*/log(/.*)?
167
168       amanda_tmp_t
169
170            /tmp/amanda(/.*)?
171
172       amanda_var_lib_t
173
174            /var/lib/amanda/[^/]+/index(/.*)?
175            /var/lib/amanda
176
177       initrc_tmp_t
178
179
180       mnt_t
181
182            /mnt(/[^/]*)
183            /mnt(/[^/]*)?
184            /rhev(/[^/]*)?
185            /media(/[^/]*)
186            /media(/[^/]*)?
187            /etc/rhgb(/.*)?
188            /media/.hal-.*
189            /net
190            /afs
191            /rhev
192            /misc
193
194       tmp_t
195
196            /tmp
197            /usr/tmp
198            /var/tmp
199            /tmp-inst
200            /var/tmp-inst
201            /var/tmp/vi.recover
202
203

FILE CONTEXTS

205       SELinux requires files to have an extended attribute to define the file
206       type.
207
208       You can see the context of a file using the -Z option to ls
209
210       Policy governs the access  confined  processes  have  to  these  files.
211       SELinux  amanda  policy  is very flexible allowing users to setup their
212       amanda processes in as secure a method as possible.
213
214       EQUIVALENCE DIRECTORIES
215
216
217       amanda policy stores data with multiple different  file  context  types
218       under  the /var/lib/amanda/[^/]+ directory.  If you would like to store
219       the data in a different directory you can use the semanage  command  to
220       create  an equivalence mapping.  If you wanted to store this data under
221       the /srv dirctory you would execute the following command:
222
223       semanage fcontext -a -e /var/lib/amanda/[^/]+ /srv/]+
224       restorecon -R -v /srv/]+
225
226       STANDARD FILE CONTEXT
227
228       SELinux defines the file context types for the amanda, if you wanted to
229       store  files  with  these types in a diffent paths, you need to execute
230       the semanage command  to  sepecify  alternate  labeling  and  then  use
231       restorecon to put the labels on disk.
232
233       semanage fcontext -a -t amanda_var_lib_t '/srv/myamanda_content(/.*)?'
234       restorecon -R -v /srv/myamanda_content
235
236       Note:  SELinux  often  uses  regular expressions to specify labels that
237       match multiple files.
238
239       The following file types are defined for amanda:
240
241
242
243       amanda_amandates_t
244
245       - Set files with the amanda_amandates_t type, if you want to treat  the
246       files as amanda amandates data.
247
248
249
250       amanda_config_t
251
252       -  Set  files  with  the amanda_config_t type, if you want to treat the
253       files as amanda configuration  data,  usually  stored  under  the  /etc
254       directory.
255
256
257       Paths:
258            /etc/amanda(/.*)?, /var/lib/amanda/.amandahosts
259
260
261       amanda_data_t
262
263       - Set files with the amanda_data_t type, if you want to treat the files
264       as amanda content.
265
266
267       Paths:
268            /etc/amanda/.*/index(/.*)?,         /etc/amanda/.*/tapelist(/.*)?,
269            /var/lib/amanda/[^/]+(/.*)?
270
271
272       amanda_dumpdates_t
273
274       -  Set files with the amanda_dumpdates_t type, if you want to treat the
275       files as amanda dumpdates data.
276
277
278
279       amanda_exec_t
280
281       - Set files with the amanda_exec_t type, if you want to  transition  an
282       executable to the amanda_t domain.
283
284
285
286       amanda_gnutarlists_t
287
288       -  Set  files  with the amanda_gnutarlists_t type, if you want to treat
289       the files as amanda gnutarlists data.
290
291
292
293       amanda_inetd_exec_t
294
295       - Set files with the amanda_inetd_exec_t type, if you want  to  transi‐
296       tion an executable to the amanda_inetd_t domain.
297
298
299       Paths:
300            /usr/lib(64)?/amanda/amandad,       /usr/lib(64)?/amanda/amindexd,
301            /usr/lib(64)?/amanda/amidxtaped
302
303
304       amanda_log_t
305
306       - Set files with the amanda_log_t type, if you want to treat  the  data
307       as amanda log data, usually stored under the /var/log directory.
308
309
310       Paths:
311            /var/log/amanda(/.*)?, /var/lib/amanda/[^/]*/log(/.*)?
312
313
314       amanda_recover_dir_t
315
316       -  Set  files  with the amanda_recover_dir_t type, if you want to treat
317       the files as amanda recover dir data.
318
319
320
321       amanda_recover_exec_t
322
323       - Set files with the amanda_recover_exec_t type, if you want to transi‐
324       tion an executable to the amanda_recover_t domain.
325
326
327
328       amanda_tmp_t
329
330       -  Set  files  with  the amanda_tmp_t type, if you want to store amanda
331       temporary files in the /tmp directories.
332
333
334
335       amanda_usr_lib_t
336
337       - Set files with the amanda_usr_lib_t type, if you want  to  treat  the
338       files as amanda usr lib data.
339
340
341
342       amanda_var_lib_t
343
344       -  Set  files  with the amanda_var_lib_t type, if you want to store the
345       amanda files under the /var/lib directory.
346
347
348       Paths:
349            /var/lib/amanda/[^/]+/index(/.*)?, /var/lib/amanda
350
351
352       Note: File context can be temporarily modified with the chcon  command.
353       If  you want to permanently change the file context you need to use the
354       semanage fcontext command.  This will modify the SELinux labeling data‐
355       base.  You will need to use restorecon to apply the labels.
356
357

COMMANDS

359       semanage  fcontext  can also be used to manipulate default file context
360       mappings.
361
362       semanage permissive can also be used to manipulate  whether  or  not  a
363       process type is permissive.
364
365       semanage  module can also be used to enable/disable/install/remove pol‐
366       icy modules.
367
368       semanage port can also be used to manipulate the port definitions
369
370       semanage boolean can also be used to manipulate the booleans
371
372
373       system-config-selinux is a GUI tool available to customize SELinux pol‐
374       icy settings.
375
376

AUTHOR

378       This manual page was auto-generated using sepolicy manpage .
379
380

SEE ALSO

382       selinux(8),  amanda(8),  semanage(8),  restorecon(8), chcon(1) , setse‐
383       bool(8), amanda_recover_selinux(8), amanda_recover_selinux(8)
384
385
386
387amanda                             15-06-03                  amanda_selinux(8)
Impressum