lvm_selinux(8)

1lvm_selinux(8)                SELinux Policy lvm                lvm_selinux(8)
2
3
4

NAME

6       lvm_selinux - Security Enhanced Linux Policy for the lvm processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the lvm processes via flexible manda‐
10       tory access control.
11
12       The lvm processes execute with the lvm_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep lvm_t
19
20
21

ENTRYPOINTS

23       The lvm_t SELinux type can be entered via the lvm_exec_t file type.
24
25       The default entrypoint paths for the lvm_t domain are the following:
26
27       /lib/lvm-10/.*,          /lib/lvm-200/.*,           /usr/lib/lvm-10/.*,
28       /usr/lib/lvm-200/.*,         /usr/lib/systemd/system-generators/lvm2.*,
29       /sbin/lvm, /sbin/lvs, /sbin/pvs, /sbin/vgs,  /sbin/vgck,  /sbin/dmraid,
30       /sbin/kpartx,  /sbin/lvmsar,  /sbin/lvscan, /sbin/pvdata, /sbin/pvmove,
31       /sbin/pvscan,     /sbin/vgscan,      /sbin/dmsetup,      /sbin/e2fsadm,
32       /sbin/lvmetad,     /sbin/lvmsadc,     /sbin/vgmerge,     /sbin/vgsplit,
33       /usr/sbin/lvm,     /usr/sbin/lvs,     /usr/sbin/pvs,     /usr/sbin/vgs,
34       /sbin/lvchange,    /sbin/lvcreate,    /sbin/lvextend,   /sbin/lvmpolld,
35       /sbin/lvreduce,   /sbin/lvremove,    /sbin/lvrename,    /sbin/lvresize,
36       /sbin/pvchange,    /sbin/pvcreate,    /sbin/pvremove,   /sbin/vgchange,
37       /sbin/vgcreate,   /sbin/vgexport,    /sbin/vgextend,    /sbin/vgimport,
38       /sbin/vgreduce,    /sbin/vgremove,    /sbin/vgrename,   /usr/sbin/vgck,
39       /sbin/lvdisplay,  /sbin/lvmchange,  /sbin/pvdisplay,   /sbin/vgdisplay,
40       /sbin/vgmknodes,  /sbin/vgwrapper,  /sbin/cryptsetup, /sbin/lvm.static,
41       /sbin/multipathd, /usr/sbin/dmraid, /usr/sbin/kpartx, /usr/sbin/lvmsar,
42       /usr/sbin/lvscan, /usr/sbin/pvdata, /usr/sbin/pvmove, /usr/sbin/pvscan,
43       /usr/sbin/vgscan,  /sbin/lvmdiskscan,  /sbin/mount.crypt,  /sbin/vgcfg‐
44       backup,    /usr/sbin/dmsetup,   /usr/sbin/e2fsadm,   /usr/sbin/lvmetad,
45       /usr/sbin/lvmsadc,        /usr/sbin/vgmerge,         /usr/sbin/vgsplit,
46       /sbin/umount.crypt,       /sbin/vgcfgrestore,       /usr/sbin/dmeventd,
47       /usr/sbin/lvchange,       /usr/sbin/lvcreate,       /usr/sbin/lvextend,
48       /usr/sbin/lvmlockd,       /usr/sbin/lvmpolld,       /usr/sbin/lvreduce,
49       /usr/sbin/lvremove,       /usr/sbin/lvrename,       /usr/sbin/lvresize,
50       /usr/sbin/pvchange,       /usr/sbin/pvcreate,       /usr/sbin/pvremove,
51       /usr/sbin/vgchange,       /usr/sbin/vgcreate,       /usr/sbin/vgexport,
52       /usr/sbin/vgextend,       /usr/sbin/vgimport,       /usr/sbin/vgreduce,
53       /usr/sbin/vgremove,      /usr/sbin/vgrename,       /sbin/lvmiopversion,
54       /sbin/vgscan.static,      /usr/sbin/lvdisplay,     /usr/sbin/lvmchange,
55       /usr/sbin/pvdisplay,     /usr/sbin/vgdisplay,      /usr/sbin/vgmknodes,
56       /usr/sbin/vgwrapper,     /sbin/dmsetup.static,    /usr/sbin/cryptsetup,
57       /usr/sbin/lvm.static,   /usr/sbin/multipathd,    /sbin/vgchange.static,
58       /usr/sbin/lvmdiskscan,   /usr/sbin/mount.crypt,  /usr/sbin/vgcfgbackup,
59       /sbin/multipath.static,  /usr/sbin/vgcfgrestore,   /usr/sbin/lvmiopver‐
60       sion,         /usr/sbin/vgscan.static,        /usr/sbin/dmsetup.static,
61       /usr/sbin/vgchange.static, /usr/lib/storaged/storaged, /usr/sbin/multi‐
62       path.static,     /lib/udev/udisks-lvm-pv-export,     /usr/libexec/stor‐
63       aged/storaged,    /usr/lib/udev/udisks-lvm-pv-export,     /usr/lib/sys‐
64       temd/systemd-cryptsetup, /usr/lib/storaged/storaged-lvm-helper
65

PROCESS TYPES

67       SELinux defines process types (domains) for each process running on the
68       system
69
70       You can see the context of a process using the -Z option to ps
71
72       Policy governs the access confined processes have  to  files.   SELinux
73       lvm policy is very flexible allowing users to setup their lvm processes
74       in as secure a method as possible.
75
76       The following process types are defined for lvm:
77
78       lvm_t
79
80       Note: semanage permissive -a lvm_t can be used to make the process type
81       lvm_t  permissive.  SELinux  does not deny access to permissive process
82       types, but the AVC (SELinux denials) messages are still generated.
83
84

BOOLEANS

86       SELinux policy is customizable based on  least  access  required.   lvm
87       policy is extremely flexible and has several booleans that allow you to
88       manipulate the policy and run lvm with the tightest access possible.
89
90
91
92       If you want to allow users to resolve user passwd entries directly from
93       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
94       gin_nsswitch_use_ldap boolean. Disabled by default.
95
96       setsebool -P authlogin_nsswitch_use_ldap 1
97
98
99
100       If you want to deny user domains applications to map a memory region as
101       both  executable  and  writable,  this  is dangerous and the executable
102       should be reported in bugzilla, you must turn on the deny_execmem bool‐
103       ean. Enabled by default.
104
105       setsebool -P deny_execmem 1
106
107
108
109       If you want to allow all domains to execute in fips_mode, you must turn
110       on the fips_mode boolean. Enabled by default.
111
112       setsebool -P fips_mode 1
113
114
115
116       If you want to allow confined applications to run  with  kerberos,  you
117       must turn on the kerberos_enabled boolean. Enabled by default.
118
119       setsebool -P kerberos_enabled 1
120
121
122
123       If  you  want  to control the ability to mmap a low area of the address
124       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
125       the mmap_low_allowed boolean. Disabled by default.
126
127       setsebool -P mmap_low_allowed 1
128
129
130
131       If  you  want  to  allow  system  to run with NIS, you must turn on the
132       nis_enabled boolean. Disabled by default.
133
134       setsebool -P nis_enabled 1
135
136
137
138       If you want to allow confined applications to use nscd  shared  memory,
139       you must turn on the nscd_use_shm boolean. Enabled by default.
140
141       setsebool -P nscd_use_shm 1
142
143
144
145       If  you  want  to  disable  kernel module loading, you must turn on the
146       secure_mode_insmod boolean. Enabled by default.
147
148       setsebool -P secure_mode_insmod 1
149
150
151
152       If you want to allow unconfined executables to make their  heap  memory
153       executable.   Doing  this  is  a  really bad idea. Probably indicates a
154       badly coded executable, but could indicate an attack.  This  executable
155       should   be   reported  in  bugzilla,  you  must  turn  on  the  selin‐
156       uxuser_execheap boolean. Disabled by default.
157
158       setsebool -P selinuxuser_execheap 1
159
160
161
162       If you want to allow unconfined executables to make  their  stack  exe‐
163       cutable.   This  should  never, ever be necessary. Probably indicates a
164       badly coded executable, but could indicate an attack.  This  executable
165       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
166       stack boolean. Enabled by default.
167
168       setsebool -P selinuxuser_execstack 1
169
170
171

MANAGED FILES

173       The SELinux process type lvm_t can manage files labeled with  the  fol‐
174       lowing  file  types.   The paths listed are the default paths for these
175       file types.  Note the processes UID still need to have DAC permissions.
176
177       file_type
178
179            all files on the system
180
181

FILE CONTEXTS

183       SELinux requires files to have an extended attribute to define the file
184       type.
185
186       You can see the context of a file using the -Z option to ls
187
188       Policy  governs  the  access  confined  processes  have to these files.
189       SELinux lvm policy is very flexible allowing users to setup  their  lvm
190       processes in as secure a method as possible.
191
192       EQUIVALENCE DIRECTORIES
193
194
195       lvm policy stores data with multiple different file context types under
196       the /var/run/multipathd directory.  If you would like to store the data
197       in  a different directory you can use the semanage command to create an
198       equivalence mapping.  If you wanted to store this data under  the  /srv
199       dirctory you would execute the following command:
200
201       semanage fcontext -a -e /var/run/multipathd /srv/multipathd
202       restorecon -R -v /srv/multipathd
203
204       STANDARD FILE CONTEXT
205
206       SELinux  defines  the  file context types for the lvm, if you wanted to
207       store files with these types in a diffent paths, you  need  to  execute
208       the  semanage  command  to  sepecify  alternate  labeling  and then use
209       restorecon to put the labels on disk.
210
211       semanage fcontext -a -t lvm_unit_file_t '/srv/mylvm_content(/.*)?'
212       restorecon -R -v /srv/mylvm_content
213
214       Note: SELinux often uses regular expressions  to  specify  labels  that
215       match multiple files.
216
217       The following file types are defined for lvm:
218
219
220
221       lvm_etc_t
222
223       -  Set files with the lvm_etc_t type, if you want to store lvm files in
224       the /etc directories.
225
226
227
228       lvm_exec_t
229
230       - Set files with the lvm_exec_t type, if you want to transition an exe‐
231       cutable to the lvm_t domain.
232
233
234       Paths:
235            /lib/lvm-10/.*,        /lib/lvm-200/.*,        /usr/lib/lvm-10/.*,
236            /usr/lib/lvm-200/.*,    /usr/lib/systemd/system-generators/lvm2.*,
237            /sbin/lvm,    /sbin/lvs,    /sbin/pvs,    /sbin/vgs,   /sbin/vgck,
238            /sbin/dmraid,    /sbin/kpartx,     /sbin/lvmsar,     /sbin/lvscan,
239            /sbin/pvdata,     /sbin/pvmove,     /sbin/pvscan,    /sbin/vgscan,
240            /sbin/dmsetup,   /sbin/e2fsadm,   /sbin/lvmetad,    /sbin/lvmsadc,
241            /sbin/vgmerge,    /sbin/vgsplit,   /usr/sbin/lvm,   /usr/sbin/lvs,
242            /usr/sbin/pvs,  /usr/sbin/vgs,   /sbin/lvchange,   /sbin/lvcreate,
243            /sbin/lvextend,  /sbin/lvmpolld,  /sbin/lvreduce,  /sbin/lvremove,
244            /sbin/lvrename,  /sbin/lvresize,  /sbin/pvchange,  /sbin/pvcreate,
245            /sbin/pvremove,  /sbin/vgchange,  /sbin/vgcreate,  /sbin/vgexport,
246            /sbin/vgextend,  /sbin/vgimport,  /sbin/vgreduce,  /sbin/vgremove,
247            /sbin/vgrename,  /usr/sbin/vgck, /sbin/lvdisplay, /sbin/lvmchange,
248            /sbin/pvdisplay, /sbin/vgdisplay,  /sbin/vgmknodes,  /sbin/vgwrap‐
249            per,    /sbin/cryptsetup,    /sbin/lvm.static,   /sbin/multipathd,
250            /usr/sbin/dmraid,       /usr/sbin/kpartx,        /usr/sbin/lvmsar,
251            /usr/sbin/lvscan,        /usr/sbin/pvdata,       /usr/sbin/pvmove,
252            /usr/sbin/pvscan,       /usr/sbin/vgscan,       /sbin/lvmdiskscan,
253            /sbin/mount.crypt,      /sbin/vgcfgbackup,      /usr/sbin/dmsetup,
254            /usr/sbin/e2fsadm,      /usr/sbin/lvmetad,      /usr/sbin/lvmsadc,
255            /usr/sbin/vgmerge,      /usr/sbin/vgsplit,     /sbin/umount.crypt,
256            /sbin/vgcfgrestore,    /usr/sbin/dmeventd,     /usr/sbin/lvchange,
257            /usr/sbin/lvcreate,     /usr/sbin/lvextend,    /usr/sbin/lvmlockd,
258            /usr/sbin/lvmpolld,    /usr/sbin/lvreduce,     /usr/sbin/lvremove,
259            /usr/sbin/lvrename,     /usr/sbin/lvresize,    /usr/sbin/pvchange,
260            /usr/sbin/pvcreate,    /usr/sbin/pvremove,     /usr/sbin/vgchange,
261            /usr/sbin/vgcreate,     /usr/sbin/vgexport,    /usr/sbin/vgextend,
262            /usr/sbin/vgimport,    /usr/sbin/vgreduce,     /usr/sbin/vgremove,
263            /usr/sbin/vgrename,    /sbin/lvmiopversion,   /sbin/vgscan.static,
264            /usr/sbin/lvdisplay,   /usr/sbin/lvmchange,   /usr/sbin/pvdisplay,
265            /usr/sbin/vgdisplay,   /usr/sbin/vgmknodes,   /usr/sbin/vgwrapper,
266            /sbin/dmsetup.static, /usr/sbin/cryptsetup,  /usr/sbin/lvm.static,
267            /usr/sbin/multipathd,                       /sbin/vgchange.static,
268            /usr/sbin/lvmdiskscan,   /usr/sbin/mount.crypt,   /usr/sbin/vgcfg‐
269            backup,       /sbin/multipath.static,      /usr/sbin/vgcfgrestore,
270            /usr/sbin/lvmiopversion,                  /usr/sbin/vgscan.static,
271            /usr/sbin/dmsetup.static,               /usr/sbin/vgchange.static,
272            /usr/lib/storaged/storaged,            /usr/sbin/multipath.static,
273            /lib/udev/udisks-lvm-pv-export,    /usr/libexec/storaged/storaged,
274            /usr/lib/udev/udisks-lvm-pv-export,      /usr/lib/systemd/systemd-
275            cryptsetup, /usr/lib/storaged/storaged-lvm-helper
276
277
278       lvm_lock_t
279
280       - Set files with the lvm_lock_t type, if you want to treat the files as
281       lvm lock data, stored under the /var/lock directory
282
283
284       Paths:
285            /etc/lvm/lock(/.*)?, /var/lock/lvm(/.*)?, /var/lock/dmraid(/.*)?
286
287
288       lvm_metadata_t
289
290       - Set files with the lvm_metadata_t type, if  you  want  to  treat  the
291       files as lvm metadata data.
292
293
294       Paths:
295            /etc/lvmtab(/.*)?,    /etc/lvmtab.d(/.*)?,   /etc/lvm/cache(/.*)?,
296            /etc/multipath(/.*)?,     /etc/lvm/backup(/.*)?,      /etc/lvm/ar‐
297            chive(/.*)?, /var/cache/multipathd(/.*)?, /etc/lvm/.cache
298
299
300       lvm_tmp_t
301
302       - Set files with the lvm_tmp_t type, if you want to store lvm temporary
303       files in the /tmp directories.
304
305
306
307       lvm_unit_file_t
308
309       - Set files with the lvm_unit_file_t type, if you  want  to  treat  the
310       files as lvm unit content.
311
312
313       Paths:
314            /usr/lib/systemd/system/lvm2.*.service,   /usr/lib/systemd/genera‐
315            tor/lvm.*
316
317
318       lvm_var_lib_t
319
320       - Set files with the lvm_var_lib_t type, if you want to store  the  lvm
321       files under the /var/lib directory.
322
323
324
325       lvm_var_run_t
326
327       -  Set  files with the lvm_var_run_t type, if you want to store the lvm
328       files under the /run or /var/run directory.
329
330
331       Paths:
332            /var/run/lvm(/.*)?,  /var/run/dmevent.*,  /var/run/storaged(/.*)?,
333            /var/run/multipathd(/.*)?, /var/run/multipathd.sock
334
335
336       Note:  File context can be temporarily modified with the chcon command.
337       If you want to permanently change the file context you need to use  the
338       semanage fcontext command.  This will modify the SELinux labeling data‐
339       base.  You will need to use restorecon to apply the labels.
340
341

COMMANDS

343       semanage fcontext can also be used to manipulate default  file  context
344       mappings.
345
346       semanage  permissive  can  also  be used to manipulate whether or not a
347       process type is permissive.
348
349       semanage module can also be used to enable/disable/install/remove  pol‐
350       icy modules.
351
352       semanage boolean can also be used to manipulate the booleans
353
354
355       system-config-selinux is a GUI tool available to customize SELinux pol‐
356       icy settings.
357
358

AUTHOR

360       This manual page was auto-generated using sepolicy manpage .
361
362