drbd_selinux(8)

1drbd_selinux(8)               SELinux Policy drbd              drbd_selinux(8)
2
3
4

NAME

6       drbd_selinux - Security Enhanced Linux Policy for the drbd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the drbd processes via flexible manda‐
10       tory access control.
11
12       The drbd processes execute with the drbd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep drbd_t
19
20
21

ENTRYPOINTS

23       The drbd_t SELinux type can be entered via the drbd_exec_t file type.
24
25       The default entrypoint paths for the drbd_t domain are the following:
26
27       /sbin/drbdadm, /sbin/drbdsetup, /usr/sbin/drbdadm, /usr/sbin/drbdsetup,
28       /usr/lib/ocf/resource.d/linbit/drbd
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       drbd  policy  is  very flexible allowing users to setup their drbd pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for drbd:
41
42       drbd_t
43
44       Note: semanage permissive -a drbd_t can be used  to  make  the  process
45       type  drbd_t  permissive.  SELinux  does  not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is  customizable based on least access required.  drbd
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run drbd with the tightest access possible.
54
55
56
57       If you want to allow users to resolve user passwd entries directly from
58       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
59       gin_nsswitch_use_ldap boolean. Disabled by default.
60
61       setsebool -P authlogin_nsswitch_use_ldap 1
62
63
64
65       If you want to allow all daemons to write corefiles to /, you must turn
66       on the daemons_dump_core boolean. Disabled by default.
67
68       setsebool -P daemons_dump_core 1
69
70
71
72       If you want to enable cluster mode for daemons, you must  turn  on  the
73       daemons_enable_cluster_mode boolean. Enabled by default.
74
75       setsebool -P daemons_enable_cluster_mode 1
76
77
78
79       If  you want to allow all daemons to use tcp wrappers, you must turn on
80       the daemons_use_tcp_wrapper boolean. Disabled by default.
81
82       setsebool -P daemons_use_tcp_wrapper 1
83
84
85
86       If you want to allow all daemons the ability to  read/write  terminals,
87       you must turn on the daemons_use_tty boolean. Disabled by default.
88
89       setsebool -P daemons_use_tty 1
90
91
92
93       If  you  want  to deny any process from ptracing or debugging any other
94       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
95       default.
96
97       setsebool -P deny_ptrace 1
98
99
100
101       If  you  want  to  allow  any  process  to mmap any file on system with
102       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
103       ean. Enabled by default.
104
105       setsebool -P domain_can_mmap_files 1
106
107
108
109       If  you want to allow all domains write to kmsg_device, while kernel is
110       executed with systemd.log_target=kmsg parameter, you must turn  on  the
111       domain_can_write_kmsg boolean. Disabled by default.
112
113       setsebool -P domain_can_write_kmsg 1
114
115
116
117       If you want to allow all domains to use other domains file descriptors,
118       you must turn on the domain_fd_use boolean. Enabled by default.
119
120       setsebool -P domain_fd_use 1
121
122
123
124       If you want to allow all domains to have the kernel load  modules,  you
125       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
126       default.
127
128       setsebool -P domain_kernel_load_modules 1
129
130
131
132       If you want to allow all domains to execute in fips_mode, you must turn
133       on the fips_mode boolean. Enabled by default.
134
135       setsebool -P fips_mode 1
136
137
138
139       If you want to enable reading of urandom for all domains, you must turn
140       on the global_ssp boolean. Disabled by default.
141
142       setsebool -P global_ssp 1
143
144
145
146       If you want to allow confined applications to run  with  kerberos,  you
147       must turn on the kerberos_enabled boolean. Enabled by default.
148
149       setsebool -P kerberos_enabled 1
150
151
152
153       If  you  want  to  allow  system  to run with NIS, you must turn on the
154       nis_enabled boolean. Disabled by default.
155
156       setsebool -P nis_enabled 1
157
158
159
160       If you want to allow confined applications to use nscd  shared  memory,
161       you must turn on the nscd_use_shm boolean. Disabled by default.
162
163       setsebool -P nscd_use_shm 1
164
165
166
167       If  you  want  to  disable  kernel module loading, you must turn on the
168       secure_mode_insmod boolean. Enabled by default.
169
170       setsebool -P secure_mode_insmod 1
171
172
173

MANAGED FILES

175       The SELinux process type drbd_t can manage files labeled with the  fol‐
176       lowing  file  types.   The paths listed are the default paths for these
177       file types.  Note the processes UID still need to have DAC permissions.
178
179       cluster_conf_t
180
181            /etc/cluster(/.*)?
182
183       cluster_tmpfs_t
184
185
186       cluster_var_lib_t
187
188            /var/lib/pcsd(/.*)?
189            /var/lib/cluster(/.*)?
190            /var/lib/openais(/.*)?
191            /var/lib/pengine(/.*)?
192            /var/lib/corosync(/.*)?
193            /usr/lib/heartbeat(/.*)?
194            /var/lib/heartbeat(/.*)?
195            /var/lib/pacemaker(/.*)?
196
197       cluster_var_run_t
198
199            /var/run/crm(/.*)?
200            /var/run/cman_.*
201            /var/run/rsctmp(/.*)?
202            /var/run/aisexec.*
203            /var/run/heartbeat(/.*)?
204            /var/run/corosync-qnetd(/.*)?
205            /var/run/corosync-qdevice(/.*)?
206            /var/run/cpglockd.pid
207            /var/run/corosync.pid
208            /var/run/rgmanager.pid
209            /var/run/cluster/rgmanager.sk
210
211       drbd_lock_t
212
213            /var/lock/subsys/drbd
214
215       drbd_tmp_t
216
217
218       drbd_var_lib_t
219
220            /var/lib/drbd(/.*)?
221
222       drbd_var_run_t
223
224            /var/run/drbd(/.*)?
225
226       root_t
227
228            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
229            /
230            /initrd
231
232

FILE CONTEXTS

234       SELinux requires files to have an extended attribute to define the file
235       type.
236
237       You can see the context of a file using the -Z option to ls
238
239       Policy  governs  the  access  confined  processes  have to these files.
240       SELinux drbd policy is very flexible allowing users to setup their drbd
241       processes in as secure a method as possible.
242
243       STANDARD FILE CONTEXT
244
245       SELinux  defines  the file context types for the drbd, if you wanted to
246       store files with these types in a diffent paths, you  need  to  execute
247       the  semanage  command  to  sepecify  alternate  labeling  and then use
248       restorecon to put the labels on disk.
249
250       semanage fcontext -a -t drbd_var_run_t '/srv/mydrbd_content(/.*)?'
251       restorecon -R -v /srv/mydrbd_content
252
253       Note: SELinux often uses regular expressions  to  specify  labels  that
254       match multiple files.
255
256       The following file types are defined for drbd:
257
258
259
260       drbd_exec_t
261
262       -  Set  files  with  the drbd_exec_t type, if you want to transition an
263       executable to the drbd_t domain.
264
265
266       Paths:
267            /sbin/drbdadm, /sbin/drbdsetup, /usr/sbin/drbdadm, /usr/sbin/drbd‐
268            setup, /usr/lib/ocf/resource.d/linbit/drbd
269
270
271       drbd_initrc_exec_t
272
273       - Set files with the drbd_initrc_exec_t type, if you want to transition
274       an executable to the drbd_initrc_t domain.
275
276
277
278       drbd_lock_t
279
280       - Set files with the drbd_lock_t type, if you want to treat  the  files
281       as drbd lock data, stored under the /var/lock directory
282
283
284
285       drbd_tmp_t
286
287       -  Set files with the drbd_tmp_t type, if you want to store drbd tempo‐
288       rary files in the /tmp directories.
289
290
291
292       drbd_var_lib_t
293
294       - Set files with the drbd_var_lib_t type, if you want to store the drbd
295       files under the /var/lib directory.
296
297
298
299       drbd_var_run_t
300
301       - Set files with the drbd_var_run_t type, if you want to store the drbd
302       files under the /run or /var/run directory.
303
304
305
306       Note: File context can be temporarily modified with the chcon  command.
307       If  you want to permanently change the file context you need to use the
308       semanage fcontext command.  This will modify the SELinux labeling data‐
309       base.  You will need to use restorecon to apply the labels.
310
311

COMMANDS

313       semanage  fcontext  can also be used to manipulate default file context
314       mappings.
315
316       semanage permissive can also be used to manipulate  whether  or  not  a
317       process type is permissive.
318
319       semanage  module can also be used to enable/disable/install/remove pol‐
320       icy modules.
321
322       semanage boolean can also be used to manipulate the booleans
323
324
325       system-config-selinux is a GUI tool available to customize SELinux pol‐
326       icy settings.
327
328

AUTHOR

330       This manual page was auto-generated using sepolicy manpage .
331
332