1afs_selinux(8)                SELinux Policy afs                afs_selinux(8)
2
3
4

NAME

6       afs_selinux - Security Enhanced Linux Policy for the afs processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the afs processes via flexible manda‐
10       tory access control.
11
12       The afs processes execute with the afs_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep afs_t
19
20
21

ENTRYPOINTS

23       The afs_t SELinux type can be entered via the afs_exec_t file type.
24
25       The default entrypoint paths for the afs_t domain are the following:
26
27       /usr/sbin/afsd, /usr/vice/etc/afsd
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       afs policy is very flexible allowing users to setup their afs processes
37       in as secure a method as possible.
38
39       The following process types are defined for afs:
40
41       afs_t, afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t, afs_vlserver_t
42
43       Note: semanage permissive -a afs_t can be used to make the process type
44       afs_t permissive. SELinux does not deny access  to  permissive  process
45       types, but the AVC (SELinux denials) messages are still generated.
46
47

BOOLEANS

49       SELinux  policy  is  customizable  based on least access required.  afs
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run afs with the tightest access possible.
52
53
54
55       If you want to allow all domains to execute in fips_mode, you must turn
56       on the fips_mode boolean. Enabled by default.
57
58       setsebool -P fips_mode 1
59
60
61
62       If you want to allow confined applications to use nscd  shared  memory,
63       you must turn on the nscd_use_shm boolean. Enabled by default.
64
65       setsebool -P nscd_use_shm 1
66
67
68

PORT TYPES

70       SELinux defines port types to represent TCP and UDP ports.
71
72       You  can  see  the  types associated with a port by using the following
73       command:
74
75       semanage port -l
76
77
78       Policy governs the access  confined  processes  have  to  these  ports.
79       SELinux  afs  policy is very flexible allowing users to setup their afs
80       processes in as secure a method as possible.
81
82       The following port types are defined for afs:
83
84
85       afs3_callback_port_t
86
87
88
89       Default Defined Ports:
90                 tcp 7001
91                 udp 7001
92
93
94       afs_bos_port_t
95
96
97
98       Default Defined Ports:
99                 udp 7007
100
101
102       afs_fs_port_t
103
104
105
106       Default Defined Ports:
107                 tcp 2040
108                 udp 7000,7005
109
110
111       afs_ka_port_t
112
113
114
115       Default Defined Ports:
116                 udp 7004
117
118
119       afs_pt_port_t
120
121
122
123       Default Defined Ports:
124                 tcp 7002
125                 udp 7002
126
127
128       afs_vl_port_t
129
130
131
132       Default Defined Ports:
133                 udp 7003
134

MANAGED FILES

136       The SELinux process type afs_t can manage files labeled with  the  fol‐
137       lowing  file  types.   The paths listed are the default paths for these
138       file types.  Note the processes UID still need to have DAC permissions.
139
140       afs_cache_t
141
142            /var/cache/(open)?afs(/.*)?
143            /usr/vice/cache(/.*)?
144
145       cluster_conf_t
146
147            /etc/cluster(/.*)?
148
149       cluster_var_lib_t
150
151            /var/lib/pcsd(/.*)?
152            /var/lib/cluster(/.*)?
153            /var/lib/openais(/.*)?
154            /var/lib/pengine(/.*)?
155            /var/lib/corosync(/.*)?
156            /usr/lib/heartbeat(/.*)?
157            /var/lib/heartbeat(/.*)?
158            /var/lib/pacemaker(/.*)?
159
160       cluster_var_run_t
161
162            /var/run/crm(/.*)?
163            /var/run/cman_.*
164            /var/run/rsctmp(/.*)?
165            /var/run/aisexec.*
166            /var/run/heartbeat(/.*)?
167            /var/run/corosync-qnetd(/.*)?
168            /var/run/corosync-qdevice(/.*)?
169            /var/run/corosync.pid
170            /var/run/cpglockd.pid
171            /var/run/rgmanager.pid
172            /var/run/cluster/rgmanager.sk
173
174       etc_runtime_t
175
176            /[^/]+
177            /etc/mtab.*
178            /etc/blkid(/.*)?
179            /etc/nologin.*
180            /etc/.fstab.hal..+
181            /halt
182            /fastboot
183            /poweroff
184            /.autofsck
185            /etc/cmtab
186            /forcefsck
187            /.suspended
188            /fsckoptions
189            /.autorelabel
190            /etc/.updated
191            /var/.updated
192            /etc/killpower
193            /etc/nohotplug
194            /etc/securetty
195            /etc/ioctl.save
196            /etc/fstab.REVOKE
197            /etc/network/ifstate
198            /etc/sysconfig/hwconf
199            /etc/ptal/ptal-printd-like
200            /etc/sysconfig/iptables.save
201            /etc/xorg.conf.d/00-system-setup-keyboard.conf
202            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
203
204       root_t
205
206            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
207            /
208            /initrd
209
210       unlabeled_t
211
212
213

FILE CONTEXTS

215       SELinux requires files to have an extended attribute to define the file
216       type.
217
218       You can see the context of a file using the -Z option to ls
219
220       Policy  governs  the  access  confined  processes  have to these files.
221       SELinux afs policy is very flexible allowing users to setup  their  afs
222       processes in as secure a method as possible.
223
224       STANDARD FILE CONTEXT
225
226       SELinux  defines  the  file context types for the afs, if you wanted to
227       store files with these types in a diffent paths, you  need  to  execute
228       the  semanage  command  to  sepecify  alternate  labeling  and then use
229       restorecon to put the labels on disk.
230
231       semanage fcontext -a -t afs_vl_db_t '/srv/myafs_content(/.*)?'
232       restorecon -R -v /srv/myafs_content
233
234       Note: SELinux often uses regular expressions  to  specify  labels  that
235       match multiple files.
236
237       The following file types are defined for afs:
238
239
240
241       afs_bosserver_exec_t
242
243       -  Set files with the afs_bosserver_exec_t type, if you want to transi‐
244       tion an executable to the afs_bosserver_t domain.
245
246
247       Paths:
248            /usr/sbin/bosserver, /usr/afs/bin/bosserver
249
250
251       afs_cache_t
252
253       - Set files with the afs_cache_t type, if you want to store  the  files
254       under the /var/cache directory.
255
256
257       Paths:
258            /var/cache/(open)?afs(/.*)?, /usr/vice/cache(/.*)?
259
260
261       afs_config_t
262
263       -  Set files with the afs_config_t type, if you want to treat the files
264       as afs configuration data, usually stored under the /etc directory.
265
266
267       Paths:
268            /etc/(open)?afs(/.*)?, /usr/afs/etc(/.*)?, /usr/afs/local(/.*)?
269
270
271       afs_dbdir_t
272
273       - Set files with the afs_dbdir_t type, if you want to treat  the  files
274       as afs dbdir data.
275
276
277
278       afs_exec_t
279
280       - Set files with the afs_exec_t type, if you want to transition an exe‐
281       cutable to the afs_t domain.
282
283
284       Paths:
285            /usr/sbin/afsd, /usr/vice/etc/afsd
286
287
288       afs_files_t
289
290       - Set files with the afs_files_t type, if you want to treat  the  files
291       as afs content.
292
293
294       Paths:
295            /usr/afs(/.*)?, /vicepa, /vicepb, /vicepc
296
297
298       afs_fsserver_exec_t
299
300       -  Set  files with the afs_fsserver_exec_t type, if you want to transi‐
301       tion an executable to the afs_fsserver_t domain.
302
303
304       Paths:
305            /usr/afs/bin/salvager, /usr/afs/bin/volserver, /usr/afs/bin/dasal‐
306            vager,      /usr/afs/bin/fileserver,     /usr/afs/bin/davolserver,
307            /usr/afs/bin/dafileserver,             /usr/afs/bin/salvageserver,
308            /usr/libexec/openafs/salvager,     /usr/libexec/openafs/volserver,
309            /usr/libexec/openafs/fileserver
310
311
312       afs_initrc_exec_t
313
314       - Set files with the afs_initrc_exec_t type, if you want to  transition
315       an executable to the afs_initrc_t domain.
316
317
318       Paths:
319            /etc/rc.d/init.d/(open)?afs, /etc/rc.d/init.d/openafs-client
320
321
322       afs_ka_db_t
323
324       -  Set  files with the afs_ka_db_t type, if you want to treat the files
325       as afs ka database content.
326
327
328
329       afs_kaserver_exec_t
330
331       - Set files with the afs_kaserver_exec_t type, if you want  to  transi‐
332       tion an executable to the afs_kaserver_t domain.
333
334
335       Paths:
336            /usr/afs/bin/kaserver, /usr/libexec/openafs/kaserver
337
338
339       afs_logfile_t
340
341       - Set files with the afs_logfile_t type, if you want to treat the files
342       as afs logfile data.
343
344
345
346       afs_pt_db_t
347
348       - Set files with the afs_pt_db_t type, if you want to treat  the  files
349       as afs pt database content.
350
351
352
353       afs_ptserver_exec_t
354
355       -  Set  files with the afs_ptserver_exec_t type, if you want to transi‐
356       tion an executable to the afs_ptserver_t domain.
357
358
359       Paths:
360            /usr/afs/bin/ptserver, /usr/libexec/openafs/ptserver
361
362
363       afs_vl_db_t
364
365       - Set files with the afs_vl_db_t type, if you want to treat  the  files
366       as afs vl database content.
367
368
369
370       afs_vlserver_exec_t
371
372       -  Set  files with the afs_vlserver_exec_t type, if you want to transi‐
373       tion an executable to the afs_vlserver_t domain.
374
375
376       Paths:
377            /usr/afs/bin/vlserver, /usr/libexec/openafs/vlserver
378
379
380       Note: File context can be temporarily modified with the chcon  command.
381       If  you want to permanently change the file context you need to use the
382       semanage fcontext command.  This will modify the SELinux labeling data‐
383       base.  You will need to use restorecon to apply the labels.
384
385

COMMANDS

387       semanage  fcontext  can also be used to manipulate default file context
388       mappings.
389
390       semanage permissive can also be used to manipulate  whether  or  not  a
391       process type is permissive.
392
393       semanage  module can also be used to enable/disable/install/remove pol‐
394       icy modules.
395
396       semanage port can also be used to manipulate the port definitions
397
398       semanage boolean can also be used to manipulate the booleans
399
400
401       system-config-selinux is a GUI tool available to customize SELinux pol‐
402       icy settings.
403
404

AUTHOR

406       This manual page was auto-generated using sepolicy manpage .
407
408

SEE ALSO

410       selinux(8),  afs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
411       setsebool(8),    afs_bosserver_selinux(8),    afs_bosserver_selinux(8),
412       afs_fsserver_selinux(8),                       afs_fsserver_selinux(8),
413       afs_kaserver_selinux(8),                       afs_kaserver_selinux(8),
414       afs_ptserver_selinux(8),                       afs_ptserver_selinux(8),
415       afs_vlserver_selinux(8), afs_vlserver_selinux(8)
416
417
418
419afs                                19-10-08                     afs_selinux(8)
Impressum