amanda_selinux(8)

1amanda_selinux(8)            SELinux Policy amanda           amanda_selinux(8)
2
3
4

NAME

6       amanda_selinux  -  Security  Enhanced  Linux Policy for the amanda pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  amanda  processes  via  flexible
11       mandatory access control.
12
13       The  amanda  processes  execute with the amanda_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep amanda_t
20
21
22

ENTRYPOINTS

24       The  amanda_t  SELinux  type can be entered via the amanda_inetd_exec_t
25       file type.
26
27       The default entrypoint paths for the amanda_t domain are the following:
28
29       /usr/sbin/amandad,  /usr/lib/amanda/amandad,  /usr/lib/amanda/amindexd,
30       /usr/lib/amanda/amidxtaped
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       amanda  policy  is  very  flexible allowing users to setup their amanda
40       processes in as secure a method as possible.
41
42       The following process types are defined for amanda:
43
44       amanda_t, amanda_recover_t
45
46       Note: semanage permissive -a amanda_t can be used to make  the  process
47       type  amanda_t  permissive.  SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy is customizable based on least access required.  amanda
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate the policy and run amanda with the tightest access possible.
56
57
58
59       If you want to allow users to resolve user passwd entries directly from
60       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
61       gin_nsswitch_use_ldap boolean. Disabled by default.
62
63       setsebool -P authlogin_nsswitch_use_ldap 1
64
65
66
67       If you want to allow all daemons to write corefiles to /, you must turn
68       on the daemons_dump_core boolean. Disabled by default.
69
70       setsebool -P daemons_dump_core 1
71
72
73
74       If you want to enable cluster mode for daemons, you must  turn  on  the
75       daemons_enable_cluster_mode boolean. Enabled by default.
76
77       setsebool -P daemons_enable_cluster_mode 1
78
79
80
81       If  you want to allow all daemons to use tcp wrappers, you must turn on
82       the daemons_use_tcp_wrapper boolean. Disabled by default.
83
84       setsebool -P daemons_use_tcp_wrapper 1
85
86
87
88       If you want to allow all daemons the ability to  read/write  terminals,
89       you must turn on the daemons_use_tty boolean. Disabled by default.
90
91       setsebool -P daemons_use_tty 1
92
93
94
95       If  you  want  to deny any process from ptracing or debugging any other
96       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
97       default.
98
99       setsebool -P deny_ptrace 1
100
101
102
103       If  you  want  to  allow  any  process  to mmap any file on system with
104       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
105       ean. Enabled by default.
106
107       setsebool -P domain_can_mmap_files 1
108
109
110
111       If  you want to allow all domains write to kmsg_device, while kernel is
112       executed with systemd.log_target=kmsg parameter, you must turn  on  the
113       domain_can_write_kmsg boolean. Disabled by default.
114
115       setsebool -P domain_can_write_kmsg 1
116
117
118
119       If you want to allow all domains to use other domains file descriptors,
120       you must turn on the domain_fd_use boolean. Enabled by default.
121
122       setsebool -P domain_fd_use 1
123
124
125
126       If you want to allow all domains to have the kernel load  modules,  you
127       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
128       default.
129
130       setsebool -P domain_kernel_load_modules 1
131
132
133
134       If you want to allow all domains to execute in fips_mode, you must turn
135       on the fips_mode boolean. Enabled by default.
136
137       setsebool -P fips_mode 1
138
139
140
141       If you want to enable reading of urandom for all domains, you must turn
142       on the global_ssp boolean. Disabled by default.
143
144       setsebool -P global_ssp 1
145
146
147
148       If you want to allow confined applications to run  with  kerberos,  you
149       must turn on the kerberos_enabled boolean. Enabled by default.
150
151       setsebool -P kerberos_enabled 1
152
153
154
155       If  you  want  to  allow  system  to run with NIS, you must turn on the
156       nis_enabled boolean. Disabled by default.
157
158       setsebool -P nis_enabled 1
159
160
161
162       If you want to allow confined applications to use nscd  shared  memory,
163       you must turn on the nscd_use_shm boolean. Disabled by default.
164
165       setsebool -P nscd_use_shm 1
166
167
168

PORT TYPES

170       SELinux defines port types to represent TCP and UDP ports.
171
172       You  can  see  the  types associated with a port by using the following
173       command:
174
175       semanage port -l
176
177
178       Policy governs the access  confined  processes  have  to  these  ports.
179       SELinux  amanda  policy  is very flexible allowing users to setup their
180       amanda processes in as secure a method as possible.
181
182       The following port types are defined for amanda:
183
184
185       amanda_port_t
186
187
188
189       Default Defined Ports:
190                 tcp 10080-10083
191                 udp 10080-10082
192

MANAGED FILES

194       The SELinux process type amanda_t can manage  files  labeled  with  the
195       following file types.  The paths listed are the default paths for these
196       file types.  Note the processes UID still need to have DAC permissions.
197
198       amanda_amandates_t
199
200            /etc/amandates
201
202       amanda_data_t
203
204            /etc/amanda/.*/index(/.*)?
205            /etc/amanda/.*/tapelist(/.*)?
206            /var/lib/amanda/[^/]+(/.*)?
207            /etc/amanda/DailySet1(/.*)?
208
209       amanda_dumpdates_t
210
211            /etc/dumpdates
212
213       amanda_gnutarlists_t
214
215            /var/lib/amanda/gnutar-lists(/.*)?
216
217       amanda_log_t
218
219            /var/log/amanda(/.*)?
220            /var/lib/amanda/[^/]*/log(/.*)?
221
222       amanda_tmp_t
223
224
225       amanda_tmpfs_t
226
227
228       amanda_var_lib_t
229
230            /var/lib/amanda/[^/]+/index(/.*)?
231            /var/lib/amanda
232
233       cluster_conf_t
234
235            /etc/cluster(/.*)?
236
237       cluster_var_lib_t
238
239            /var/lib/pcsd(/.*)?
240            /var/lib/cluster(/.*)?
241            /var/lib/openais(/.*)?
242            /var/lib/pengine(/.*)?
243            /var/lib/corosync(/.*)?
244            /usr/lib/heartbeat(/.*)?
245            /var/lib/heartbeat(/.*)?
246            /var/lib/pacemaker(/.*)?
247
248       cluster_var_run_t
249
250            /var/run/crm(/.*)?
251            /var/run/cman_.*
252            /var/run/rsctmp(/.*)?
253            /var/run/aisexec.*
254            /var/run/heartbeat(/.*)?
255            /var/run/corosync-qnetd(/.*)?
256            /var/run/corosync-qdevice(/.*)?
257            /var/run/cpglockd.pid
258            /var/run/corosync.pid
259            /var/run/rgmanager.pid
260            /var/run/cluster/rgmanager.sk
261
262       root_t
263
264            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
265            /
266            /initrd
267
268

FILE CONTEXTS

270       SELinux requires files to have an extended attribute to define the file
271       type.
272
273       You can see the context of a file using the -Z option to ls
274
275       Policy  governs  the  access  confined  processes  have to these files.
276       SELinux amanda policy is very flexible allowing users  to  setup  their
277       amanda processes in as secure a method as possible.
278
279       EQUIVALENCE DIRECTORIES
280
281
282       amanda  policy  stores  data with multiple different file context types
283       under the /var/lib/amanda/[^/]+ directory.  If you would like to  store
284       the  data  in a different directory you can use the semanage command to
285       create an equivalence mapping.  If you wanted to store this data  under
286       the /srv dirctory you would execute the following command:
287
288       semanage fcontext -a -e /var/lib/amanda/[^/]+ /srv/]+
289       restorecon -R -v /srv/]+
290
291       STANDARD FILE CONTEXT
292
293       SELinux defines the file context types for the amanda, if you wanted to
294       store files with these types in a diffent paths, you  need  to  execute
295       the  semanage  command  to  sepecify  alternate  labeling  and then use
296       restorecon to put the labels on disk.
297
298       semanage fcontext -a -t amanda_var_lib_t '/srv/myamanda_content(/.*)?'
299       restorecon -R -v /srv/myamanda_content
300
301       Note: SELinux often uses regular expressions  to  specify  labels  that
302       match multiple files.
303
304       The following file types are defined for amanda:
305
306
307
308       amanda_amandates_t
309
310       -  Set files with the amanda_amandates_t type, if you want to treat the
311       files as amanda amandates data.
312
313
314
315       amanda_config_t
316
317       - Set files with the amanda_config_t type, if you  want  to  treat  the
318       files  as  amanda  configuration  data,  usually  stored under the /etc
319       directory.
320
321
322       Paths:
323            /etc/amanda(/.*)?, /var/lib/amanda/.amandahosts
324
325
326       amanda_data_t
327
328       - Set files with the amanda_data_t type, if you want to treat the files
329       as amanda content.
330
331
332       Paths:
333            /etc/amanda/.*/index(/.*)?,         /etc/amanda/.*/tapelist(/.*)?,
334            /var/lib/amanda/[^/]+(/.*)?, /etc/amanda/DailySet1(/.*)?
335
336
337       amanda_dumpdates_t
338
339       - Set files with the amanda_dumpdates_t type, if you want to treat  the
340       files as amanda dumpdates data.
341
342
343
344       amanda_exec_t
345
346       -  Set  files with the amanda_exec_t type, if you want to transition an
347       executable to the amanda_t domain.
348
349
350
351       amanda_gnutarlists_t
352
353       - Set files with the amanda_gnutarlists_t type, if you  want  to  treat
354       the files as amanda gnutarlists data.
355
356
357
358       amanda_inetd_exec_t
359
360       -  Set  files with the amanda_inetd_exec_t type, if you want to transi‐
361       tion an executable to the amanda_inetd_t domain.
362
363
364       Paths:
365            /usr/sbin/amandad, /usr/lib/amanda/amandad,  /usr/lib/amanda/amin‐
366            dexd, /usr/lib/amanda/amidxtaped
367
368
369       amanda_log_t
370
371       -  Set  files with the amanda_log_t type, if you want to treat the data
372       as amanda log data, usually stored under the /var/log directory.
373
374
375       Paths:
376            /var/log/amanda(/.*)?, /var/lib/amanda/[^/]*/log(/.*)?
377
378
379       amanda_recover_dir_t
380
381       - Set files with the amanda_recover_dir_t type, if you  want  to  treat
382       the files as amanda recover dir data.
383
384
385
386       amanda_recover_exec_t
387
388       - Set files with the amanda_recover_exec_t type, if you want to transi‐
389       tion an executable to the amanda_recover_t domain.
390
391
392
393       amanda_tmp_t
394
395       - Set files with the amanda_tmp_t type, if you  want  to  store  amanda
396       temporary files in the /tmp directories.
397
398
399
400       amanda_tmpfs_t
401
402       -  Set  files with the amanda_tmpfs_t type, if you want to store amanda
403       files on a tmpfs file system.
404
405
406
407       amanda_unit_file_t
408
409       - Set files with the amanda_unit_file_t type, if you want to treat  the
410       files as amanda unit content.
411
412
413
414       amanda_usr_lib_t
415
416       -  Set  files  with the amanda_usr_lib_t type, if you want to treat the
417       files as amanda usr lib data.
418
419
420
421       amanda_var_lib_t
422
423       - Set files with the amanda_var_lib_t type, if you want  to  store  the
424       amanda files under the /var/lib directory.
425
426
427       Paths:
428            /var/lib/amanda/[^/]+/index(/.*)?, /var/lib/amanda
429
430
431       Note:  File context can be temporarily modified with the chcon command.
432       If you want to permanently change the file context you need to use  the
433       semanage fcontext command.  This will modify the SELinux labeling data‐
434       base.  You will need to use restorecon to apply the labels.
435
436

COMMANDS

438       semanage fcontext can also be used to manipulate default  file  context
439       mappings.
440
441       semanage  permissive  can  also  be used to manipulate whether or not a
442       process type is permissive.
443
444       semanage module can also be used to enable/disable/install/remove  pol‐
445       icy modules.
446
447       semanage port can also be used to manipulate the port definitions
448
449       semanage boolean can also be used to manipulate the booleans
450
451
452       system-config-selinux is a GUI tool available to customize SELinux pol‐
453       icy settings.
454
455

AUTHOR

457       This manual page was auto-generated using sepolicy manpage .
458
459