1lvm_selinux(8) SELinux Policy lvm lvm_selinux(8)
2
3
4
6 lvm_selinux - Security Enhanced Linux Policy for the lvm processes
7
9 Security-Enhanced Linux secures the lvm processes via flexible manda‐
10 tory access control.
11
12 The lvm processes execute with the lvm_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep lvm_t
19
20
21
23 The lvm_t SELinux type can be entered via the lvm_exec_t file type.
24
25 The default entrypoint paths for the lvm_t domain are the following:
26
27 /lib/lvm-10/.*, /lib/lvm-200/.*, /usr/lib/lvm-10/.*,
28 /usr/lib/lvm-200/.*, /usr/lib/systemd/system-generators/lvm2.*,
29 /sbin/lvm, /sbin/lvs, /sbin/pvs, /sbin/vgs, /sbin/vgck, /sbin/dmraid,
30 /sbin/kpartx, /sbin/lvmsar, /sbin/lvscan, /sbin/pvdata, /sbin/pvmove,
31 /sbin/pvscan, /sbin/vgscan, /sbin/dmsetup, /sbin/e2fsadm,
32 /sbin/lvmetad, /sbin/lvmsadc, /sbin/vgmerge, /sbin/vgsplit,
33 /usr/sbin/lvm, /usr/sbin/lvs, /usr/sbin/pvs, /usr/sbin/vgs,
34 /sbin/lvchange, /sbin/lvcreate, /sbin/lvextend, /sbin/lvmpolld,
35 /sbin/lvreduce, /sbin/lvremove, /sbin/lvrename, /sbin/lvresize,
36 /sbin/pvchange, /sbin/pvcreate, /sbin/pvremove, /sbin/vgchange,
37 /sbin/vgcreate, /sbin/vgexport, /sbin/vgextend, /sbin/vgimport,
38 /sbin/vgreduce, /sbin/vgremove, /sbin/vgrename, /usr/sbin/vgck,
39 /sbin/lvdisplay, /sbin/lvmchange, /sbin/pvdisplay, /sbin/vgdisplay,
40 /sbin/vgmknodes, /sbin/vgwrapper, /sbin/cryptsetup, /sbin/lvm.static,
41 /sbin/multipathd, /usr/sbin/dmraid, /usr/sbin/kpartx, /usr/sbin/lvmsar,
42 /usr/sbin/lvscan, /usr/sbin/pvdata, /usr/sbin/pvmove, /usr/sbin/pvscan,
43 /usr/sbin/vgscan, /sbin/lvmdiskscan, /sbin/mount.crypt, /sbin/vgcfg‐
44 backup, /usr/sbin/dmsetup, /usr/sbin/e2fsadm, /usr/sbin/lvmetad,
45 /usr/sbin/lvmsadc, /usr/sbin/vgmerge, /usr/sbin/vgsplit,
46 /sbin/umount.crypt, /sbin/vgcfgrestore, /usr/sbin/dmeventd,
47 /usr/sbin/lvchange, /usr/sbin/lvcreate, /usr/sbin/lvextend,
48 /usr/sbin/lvmlockd, /usr/sbin/lvmpolld, /usr/sbin/lvreduce,
49 /usr/sbin/lvremove, /usr/sbin/lvrename, /usr/sbin/lvresize,
50 /usr/sbin/pvchange, /usr/sbin/pvcreate, /usr/sbin/pvremove,
51 /usr/sbin/vgchange, /usr/sbin/vgcreate, /usr/sbin/vgexport,
52 /usr/sbin/vgextend, /usr/sbin/vgimport, /usr/sbin/vgreduce,
53 /usr/sbin/vgremove, /usr/sbin/vgrename, /sbin/lvmiopversion,
54 /sbin/vgscan.static, /usr/sbin/lvdisplay, /usr/sbin/lvmchange,
55 /usr/sbin/pvdisplay, /usr/sbin/vgdisplay, /usr/sbin/vgmknodes,
56 /usr/sbin/vgwrapper, /sbin/dmsetup.static, /usr/sbin/cryptsetup,
57 /usr/sbin/lvm.static, /usr/sbin/multipathd, /sbin/vgchange.static,
58 /usr/sbin/lvmdiskscan, /usr/sbin/mount.crypt, /usr/sbin/vgcfgbackup,
59 /sbin/multipath.static, /usr/sbin/vgcfgrestore, /usr/sbin/lvmiopver‐
60 sion, /usr/sbin/vgscan.static, /usr/sbin/dmsetup.static,
61 /usr/sbin/vgchange.static, /usr/lib/storaged/storaged, /usr/sbin/multi‐
62 path.static, /lib/udev/udisks-lvm-pv-export, /usr/libexec/stor‐
63 aged/storaged, /usr/lib/udev/udisks-lvm-pv-export, /usr/lib/sys‐
64 temd/systemd-cryptsetup, /usr/lib/storaged/storaged-lvm-helper
65
67 SELinux defines process types (domains) for each process running on the
68 system
69
70 You can see the context of a process using the -Z option to ps
71
72 Policy governs the access confined processes have to files. SELinux
73 lvm policy is very flexible allowing users to setup their lvm processes
74 in as secure a method as possible.
75
76 The following process types are defined for lvm:
77
78 lvm_t
79
80 Note: semanage permissive -a lvm_t can be used to make the process type
81 lvm_t permissive. SELinux does not deny access to permissive process
82 types, but the AVC (SELinux denials) messages are still generated.
83
84
86 SELinux policy is customizable based on least access required. lvm
87 policy is extremely flexible and has several booleans that allow you to
88 manipulate the policy and run lvm with the tightest access possible.
89
90
91
92 If you want to allow users to resolve user passwd entries directly from
93 ldap rather then using a sssd server, you must turn on the authlo‐
94 gin_nsswitch_use_ldap boolean. Disabled by default.
95
96 setsebool -P authlogin_nsswitch_use_ldap 1
97
98
99
100 If you want to deny user domains applications to map a memory region as
101 both executable and writable, this is dangerous and the executable
102 should be reported in bugzilla, you must turn on the deny_execmem bool‐
103 ean. Enabled by default.
104
105 setsebool -P deny_execmem 1
106
107
108
109 If you want to allow all domains to execute in fips_mode, you must turn
110 on the fips_mode boolean. Enabled by default.
111
112 setsebool -P fips_mode 1
113
114
115
116 If you want to allow confined applications to run with kerberos, you
117 must turn on the kerberos_enabled boolean. Enabled by default.
118
119 setsebool -P kerberos_enabled 1
120
121
122
123 If you want to control the ability to mmap a low area of the address
124 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
125 the mmap_low_allowed boolean. Disabled by default.
126
127 setsebool -P mmap_low_allowed 1
128
129
130
131 If you want to allow system to run with NIS, you must turn on the
132 nis_enabled boolean. Disabled by default.
133
134 setsebool -P nis_enabled 1
135
136
137
138 If you want to allow confined applications to use nscd shared memory,
139 you must turn on the nscd_use_shm boolean. Disabled by default.
140
141 setsebool -P nscd_use_shm 1
142
143
144
145 If you want to disable kernel module loading, you must turn on the
146 secure_mode_insmod boolean. Enabled by default.
147
148 setsebool -P secure_mode_insmod 1
149
150
151
152 If you want to allow unconfined executables to make their heap memory
153 executable. Doing this is a really bad idea. Probably indicates a
154 badly coded executable, but could indicate an attack. This executable
155 should be reported in bugzilla, you must turn on the selin‐
156 uxuser_execheap boolean. Disabled by default.
157
158 setsebool -P selinuxuser_execheap 1
159
160
161
162 If you want to allow unconfined executables to make their stack exe‐
163 cutable. This should never, ever be necessary. Probably indicates a
164 badly coded executable, but could indicate an attack. This executable
165 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
166 stack boolean. Enabled by default.
167
168 setsebool -P selinuxuser_execstack 1
169
170
171
173 The SELinux process type lvm_t can manage files labeled with the fol‐
174 lowing file types. The paths listed are the default paths for these
175 file types. Note the processes UID still need to have DAC permissions.
176
177 file_type
178
179 all files on the system
180
181
183 SELinux requires files to have an extended attribute to define the file
184 type.
185
186 You can see the context of a file using the -Z option to ls
187
188 Policy governs the access confined processes have to these files.
189 SELinux lvm policy is very flexible allowing users to setup their lvm
190 processes in as secure a method as possible.
191
192 EQUIVALENCE DIRECTORIES
193
194
195 lvm policy stores data with multiple different file context types under
196 the /var/run/multipathd directory. If you would like to store the data
197 in a different directory you can use the semanage command to create an
198 equivalence mapping. If you wanted to store this data under the /srv
199 dirctory you would execute the following command:
200
201 semanage fcontext -a -e /var/run/multipathd /srv/multipathd
202 restorecon -R -v /srv/multipathd
203
204 STANDARD FILE CONTEXT
205
206 SELinux defines the file context types for the lvm, if you wanted to
207 store files with these types in a diffent paths, you need to execute
208 the semanage command to sepecify alternate labeling and then use
209 restorecon to put the labels on disk.
210
211 semanage fcontext -a -t lvm_unit_file_t '/srv/mylvm_content(/.*)?'
212 restorecon -R -v /srv/mylvm_content
213
214 Note: SELinux often uses regular expressions to specify labels that
215 match multiple files.
216
217 The following file types are defined for lvm:
218
219
220
221 lvm_etc_t
222
223 - Set files with the lvm_etc_t type, if you want to store lvm files in
224 the /etc directories.
225
226
227
228 lvm_exec_t
229
230 - Set files with the lvm_exec_t type, if you want to transition an exe‐
231 cutable to the lvm_t domain.
232
233
234 Paths:
235 /lib/lvm-10/.*, /lib/lvm-200/.*, /usr/lib/lvm-10/.*,
236 /usr/lib/lvm-200/.*, /usr/lib/systemd/system-generators/lvm2.*,
237 /sbin/lvm, /sbin/lvs, /sbin/pvs, /sbin/vgs, /sbin/vgck,
238 /sbin/dmraid, /sbin/kpartx, /sbin/lvmsar, /sbin/lvscan,
239 /sbin/pvdata, /sbin/pvmove, /sbin/pvscan, /sbin/vgscan,
240 /sbin/dmsetup, /sbin/e2fsadm, /sbin/lvmetad, /sbin/lvmsadc,
241 /sbin/vgmerge, /sbin/vgsplit, /usr/sbin/lvm, /usr/sbin/lvs,
242 /usr/sbin/pvs, /usr/sbin/vgs, /sbin/lvchange, /sbin/lvcreate,
243 /sbin/lvextend, /sbin/lvmpolld, /sbin/lvreduce, /sbin/lvremove,
244 /sbin/lvrename, /sbin/lvresize, /sbin/pvchange, /sbin/pvcreate,
245 /sbin/pvremove, /sbin/vgchange, /sbin/vgcreate, /sbin/vgexport,
246 /sbin/vgextend, /sbin/vgimport, /sbin/vgreduce, /sbin/vgremove,
247 /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /sbin/lvmchange,
248 /sbin/pvdisplay, /sbin/vgdisplay, /sbin/vgmknodes, /sbin/vgwrap‐
249 per, /sbin/cryptsetup, /sbin/lvm.static, /sbin/multipathd,
250 /usr/sbin/dmraid, /usr/sbin/kpartx, /usr/sbin/lvmsar,
251 /usr/sbin/lvscan, /usr/sbin/pvdata, /usr/sbin/pvmove,
252 /usr/sbin/pvscan, /usr/sbin/vgscan, /sbin/lvmdiskscan,
253 /sbin/mount.crypt, /sbin/vgcfgbackup, /usr/sbin/dmsetup,
254 /usr/sbin/e2fsadm, /usr/sbin/lvmetad, /usr/sbin/lvmsadc,
255 /usr/sbin/vgmerge, /usr/sbin/vgsplit, /sbin/umount.crypt,
256 /sbin/vgcfgrestore, /usr/sbin/dmeventd, /usr/sbin/lvchange,
257 /usr/sbin/lvcreate, /usr/sbin/lvextend, /usr/sbin/lvmlockd,
258 /usr/sbin/lvmpolld, /usr/sbin/lvreduce, /usr/sbin/lvremove,
259 /usr/sbin/lvrename, /usr/sbin/lvresize, /usr/sbin/pvchange,
260 /usr/sbin/pvcreate, /usr/sbin/pvremove, /usr/sbin/vgchange,
261 /usr/sbin/vgcreate, /usr/sbin/vgexport, /usr/sbin/vgextend,
262 /usr/sbin/vgimport, /usr/sbin/vgreduce, /usr/sbin/vgremove,
263 /usr/sbin/vgrename, /sbin/lvmiopversion, /sbin/vgscan.static,
264 /usr/sbin/lvdisplay, /usr/sbin/lvmchange, /usr/sbin/pvdisplay,
265 /usr/sbin/vgdisplay, /usr/sbin/vgmknodes, /usr/sbin/vgwrapper,
266 /sbin/dmsetup.static, /usr/sbin/cryptsetup, /usr/sbin/lvm.static,
267 /usr/sbin/multipathd, /sbin/vgchange.static,
268 /usr/sbin/lvmdiskscan, /usr/sbin/mount.crypt, /usr/sbin/vgcfg‐
269 backup, /sbin/multipath.static, /usr/sbin/vgcfgrestore,
270 /usr/sbin/lvmiopversion, /usr/sbin/vgscan.static,
271 /usr/sbin/dmsetup.static, /usr/sbin/vgchange.static,
272 /usr/lib/storaged/storaged, /usr/sbin/multipath.static,
273 /lib/udev/udisks-lvm-pv-export, /usr/libexec/storaged/storaged,
274 /usr/lib/udev/udisks-lvm-pv-export, /usr/lib/systemd/systemd-
275 cryptsetup, /usr/lib/storaged/storaged-lvm-helper
276
277
278 lvm_lock_t
279
280 - Set files with the lvm_lock_t type, if you want to treat the files as
281 lvm lock data, stored under the /var/lock directory
282
283
284 Paths:
285 /etc/lvm/lock(/.*)?, /var/lock/lvm(/.*)?, /var/lock/dmraid(/.*)?
286
287
288 lvm_metadata_t
289
290 - Set files with the lvm_metadata_t type, if you want to treat the
291 files as lvm metadata data.
292
293
294 Paths:
295 /etc/lvmtab(/.*)?, /etc/lvmtab.d(/.*)?, /etc/lvm/cache(/.*)?,
296 /etc/multipath(/.*)?, /etc/lvm/backup(/.*)?, /etc/lvm/ar‐
297 chive(/.*)?, /var/cache/multipathd(/.*)?, /etc/lvm/.cache
298
299
300 lvm_tmp_t
301
302 - Set files with the lvm_tmp_t type, if you want to store lvm temporary
303 files in the /tmp directories.
304
305
306
307 lvm_unit_file_t
308
309 - Set files with the lvm_unit_file_t type, if you want to treat the
310 files as lvm unit content.
311
312
313 Paths:
314 /usr/lib/systemd/system/lvm2.*.service, /usr/lib/systemd/genera‐
315 tor/lvm.*
316
317
318 lvm_var_lib_t
319
320 - Set files with the lvm_var_lib_t type, if you want to store the lvm
321 files under the /var/lib directory.
322
323
324
325 lvm_var_run_t
326
327 - Set files with the lvm_var_run_t type, if you want to store the lvm
328 files under the /run or /var/run directory.
329
330
331 Paths:
332 /var/run/lvm(/.*)?, /var/run/dmevent.*, /var/run/storaged(/.*)?,
333 /var/run/multipathd(/.*)?, /var/run/multipathd.sock
334
335
336 Note: File context can be temporarily modified with the chcon command.
337 If you want to permanently change the file context you need to use the
338 semanage fcontext command. This will modify the SELinux labeling data‐
339 base. You will need to use restorecon to apply the labels.
340
341
343 semanage fcontext can also be used to manipulate default file context
344 mappings.
345
346 semanage permissive can also be used to manipulate whether or not a
347 process type is permissive.
348
349 semanage module can also be used to enable/disable/install/remove pol‐
350 icy modules.
351
352 semanage boolean can also be used to manipulate the booleans
353
354
355 system-config-selinux is a GUI tool available to customize SELinux pol‐
356 icy settings.
357
358
360 This manual page was auto-generated using sepolicy manpage .
361
362
364 selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
365 setsebool(8)
366
367
368
369lvm 19-06-18 lvm_selinux(8)