fsadm_selinux(8)             SELinux Policy fsadm             fsadm_selinux(8)



NAME

       fsadm_selinux - Security Enhanced Linux Policy for the fsadm processes


DESCRIPTION

       Security-Enhanced Linux confines the fsadm processes via flexible
       mandatory access control.

       The fsadm processes execute with the fsadm_t SELinux type. You can check
       whether any such processes are running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep fsadm_t




ENTRYPOINTS

       The fsadm_t SELinux type can be entered via the fsadm_exec_t file type.

       The default entrypoint paths for the fsadm_t domain are the following:

       /sbin/fsck.*, /sbin/jfs_.*, /sbin/mkfs.*, /sbin/swapon.*,
       /sbin/resize.*fs, /sbin/losetup.*, /usr/sbin/fsck.*, /usr/sbin/jfs_.*,
       /usr/sbin/mkfs.*, /sbin/reiserfs(ck|tune), /usr/sbin/swapon.*,
       /usr/sbin/resize.*fs, /usr/sbin/losetup.*, /usr/sbin/reiserfs(ck|tune),
       /sbin/dump, /sbin/blkid, /sbin/fdisk, /sbin/partx, /sbin/cfdisk,
       /sbin/e2fsck, /sbin/e4fsck, /sbin/findfs, /sbin/hdparm, /sbin/lsraid,
       /sbin/mke2fs, /sbin/mke4fs, /sbin/mkraid, /sbin/parted, /sbin/sfdisk,
       /usr/bin/raw, /sbin/dosfsck, /sbin/e2label, /sbin/mkdosfs,
       /sbin/swapoff, /sbin/tune2fs, /sbin/blockdev, /sbin/dumpe2fs,
       /usr/sbin/dump, /sbin/partprobe, /sbin/raidstart, /sbin/scsi_info,
       /usr/sbin/blkid, /usr/sbin/fdisk, /usr/sbin/partx, /sbin/mkreiserfs,
       /sbin/xfs_growfs, /usr/sbin/cfdisk, /usr/sbin/e2fsck, /usr/sbin/e4fsck,
       /usr/sbin/findfs, /usr/sbin/hdparm, /usr/sbin/lsraid, /usr/sbin/mke2fs,
       /usr/sbin/mke4fs, /usr/sbin/mkraid, /usr/sbin/parted, /usr/sbin/sfdisk,
       /sbin/e2mmpstatus, /sbin/install-mbr, /sbin/raidautorun,
       /usr/bin/syslinux, /usr/sbin/dosfsck, /usr/sbin/e2label,
       /usr/sbin/mkdosfs, /usr/sbin/swapoff, /usr/sbin/tune2fs,
       /sbin/make_reiser4, /usr/sbin/blockdev, /usr/sbin/dumpe2fs,
       /usr/sbin/smartctl, /usr/sbin/partprobe, /usr/sbin/raidstart,
       /usr/sbin/scsi_info, /usr/sbin/mkreiserfs, /usr/sbin/xfs_growfs,
       /usr/sbin/clubufflush, /usr/sbin/e2mmpstatus, /usr/sbin/install-mbr,
       /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/bin/partition_uuid,
       /usr/bin/scsi_unique_id, /usr/lib/systemd/systemd-fsck,
       /usr/lib/systemd/systemd-growfs, /usr/lib/systemd/systemd-makefs


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       fsadm policy is very flexible, allowing users to set up their fsadm
       processes in as secure a manner as possible.

       The following process types are defined for fsadm:

       fsadm_t

       Note: semanage permissive -a fsadm_t can be used to make the process
       type fsadm_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated, so the audit log shows what enforcing mode would have
       blocked. Use semanage permissive -d fsadm_t to return the domain to
       enforcing.


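       The point of a permissive domain is that every access it would have been
       denied is still recorded, so the records can be reviewed before the
       domain is put back into enforcing mode. The following shell script is an
       added example, not part of this manual page or of the sepolicy tooling:
       it extracts the denials raised by fsadm_t from raw audit records, keeping
       the command, permission, target class, target type and the permissive
       flag, and discards records from other domains. The audit records in it
       are constructed for the example, in the shape "ausearch -m AVC --raw"
       prints, and are not taken from any real host.

```sh
#!/bin/sh
# Added example: pull the AVC denials raised by the fsadm_t domain out of raw
# audit records. The records below are constructed for this example, in the
# shape "ausearch -m AVC --raw" emits; they were not captured from a system.
SAMPLE_AUDIT='type=AVC msg=audit(1623196800.123:456): avc:  denied  { read } for  pid=1234 comm="fsck.ext4" name="lost+found" dev="sda1" ino=11 scontext=system_u:system_r:fsadm_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1623196800.123:456): arch=c000003e syscall=257 success=yes exit=3 comm="fsck.ext4" subj=system_u:system_r:fsadm_t:s0
type=AVC msg=audit(1623196800.456:457): avc:  denied  { write } for  pid=1235 comm="tune2fs" path="/root/fs.log" dev="sda1" ino=12 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1623196801.789:458): avc:  denied  { execmem } for  pid=2222 comm="python3" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0'

# fsadm_denials: read audit records on stdin and print one line per denial
# whose source domain is fsadm_t: comm, permission, target class, target
# type, and the permissive flag (1 = logged only, 0 = actually blocked).
fsadm_denials() {
    awk '
    /avc: +denied/ {
        perm = ""; stype = ""; ttype = ""; tclass = ""; comm = ""; pflag = "?"
        # The denied permissions sit between "{ " and " }".
        b = index($0, "{ "); e = index($0, " }")
        if (b > 0 && e > b) perm = substr($0, b + 2, e - b - 2)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            # The type is the third colon-separated field of a context; an
            # MLS range such as s0-s0:c0.c1023 only adds fields after it.
            if (key == "scontext")        { split(val, c, ":"); stype = c[3] }
            else if (key == "tcontext")   { split(val, c, ":"); ttype = c[3] }
            else if (key == "tclass")     tclass = val
            else if (key == "comm")       comm = val
            else if (key == "permissive") pflag = val
        }
        if (stype == "fsadm_t")
            printf "%s %s %s %s permissive=%s\n", comm, perm, tclass, ttype, pflag
    }'
}

# count_fsadm_denials: number of fsadm_t denials in the constructed sample.
count_fsadm_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | fsadm_denials | awk 'END { print NR }'
}

# On a live system replace the sample with:  ausearch -m AVC --raw | fsadm_denials
printf '%s\n' "$SAMPLE_AUDIT" | fsadm_denials
```

       Each output line names a concrete access that fsadm_t would lose in
       enforcing mode; a denial on user_home_t or admin_home_t, as in the
       sample, is the kind that deserves a second look, since filesystem tools
       normally operate on block devices rather than on files under home
       directories.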

BOOLEANS

       SELinux policy is customizable based on least access required. fsadm
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run fsadm with the tightest access possible.
       The live state of any boolean on a given system can be checked with
       getsebool.



       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       an executable that needs it should be reported in bugzilla), you must
       turn on the deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1



       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1



       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1



       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execheap 1



       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1



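       The five booleans above are the ones that decide whether executable
       memory and module loading are permitted, so their live values are worth
       checking rather than assumed. The following shell script is an added
       example, not part of this manual page or of the sepolicy tooling. It
       compares "getsebool -a" output against a desired baseline and prints the
       setsebool -P commands that would close each gap. The baseline (execmem
       denied, module loading disabled, executable heap and stack disallowed,
       low mmap disallowed) is an assumption made for the example, not a policy
       default: review each command before running it, because
       secure_mode_insmod on prevents any later module load and
       selinuxuser_execstack off breaks any binary that genuinely needs an
       executable stack. The getsebool lines in the script are constructed for
       the example, not captured from a host.

```sh
#!/bin/sh
# Added example: compare the live state of the booleans named on this page
# against a desired hardened baseline and emit the setsebool -P commands that
# would close the gap. DESIRED is an assumption for this example, not a
# policy default; review every emitted line before applying it.
DESIRED='deny_execmem on
mmap_low_allowed off
secure_mode_insmod on
selinuxuser_execheap off
selinuxuser_execstack off'

# Constructed "getsebool -a" output for this example, not captured from a host.
SAMPLE_GETSEBOOL='abrt_anon_write --> off
deny_execmem --> off
mmap_low_allowed --> off
secure_mode_insmod --> off
selinuxuser_execheap --> off
selinuxuser_execstack --> on'

# boolean_drift: read "name --> value" lines on stdin; for every boolean in
# DESIRED print a setsebool -P command if the live value differs, or a comment
# if the loaded policy does not define the boolean at all.
boolean_drift() {
    awk -v desired="$DESIRED" '
    BEGIN {
        n = split(desired, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, " ")
            name[i] = kv[1]; want[kv[1]] = kv[2]
        }
    }
    $2 == "-->" && ($1 in want) { have[$1] = $3 }
    END {
        # Iterate in DESIRED order so the output is deterministic.
        for (i = 1; i <= n; i++) {
            b = name[i]
            if (!(b in have))
                printf "# %s: not defined in the loaded policy\n", b
            else if (have[b] != want[b])
                printf "setsebool -P %s %s   # currently %s\n", b, want[b], have[b]
        }
    }'
}

# sample_drift: run the comparison on the constructed sample.
sample_drift() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
}

# On a live system:  getsebool -a | boolean_drift
sample_drift
```

       For the constructed sample the script emits three commands, for
       deny_execmem, secure_mode_insmod and selinuxuser_execstack, and stays
       silent about the two booleans that already hold the desired value.
       Booleans whose names are not in the running policy are reported as
       comments instead of commands, since setsebool would fail on them.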

MANAGED FILES

       The SELinux process type fsadm_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.

       file_type

            all files on the system

       file_type is the attribute carried by every file label, so fsadm_t is,
       by design, not restricted in which files it may manage: filesystem
       tools have to operate on arbitrary data. DAC permissions and the
       restricted set of entrypoints remain the effective limits.

132

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux fsadm policy is very flexible, allowing users to set up their
       fsadm processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for fsadm. If you want to store
       files with these types in a different path, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t fsadm_tmpfs_t '/srv/myfsadm_content(/.*)?'
       restorecon -R -v /srv/myfsadm_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for fsadm:



       fsadm_exec_t

       - Set files with the fsadm_exec_t type, if you want to transition an
       executable to the fsadm_t domain.


       Paths:
            /sbin/fsck.*, /sbin/jfs_.*, /sbin/mkfs.*, /sbin/swapon.*,
            /sbin/resize.*fs, /sbin/losetup.*, /usr/sbin/fsck.*,
            /usr/sbin/jfs_.*, /usr/sbin/mkfs.*, /sbin/reiserfs(ck|tune),
            /usr/sbin/swapon.*, /usr/sbin/resize.*fs, /usr/sbin/losetup.*,
            /usr/sbin/reiserfs(ck|tune), /sbin/dump, /sbin/blkid, /sbin/fdisk,
            /sbin/partx, /sbin/cfdisk, /sbin/e2fsck, /sbin/e4fsck,
            /sbin/findfs, /sbin/hdparm, /sbin/lsraid, /sbin/mke2fs,
            /sbin/mke4fs, /sbin/mkraid, /sbin/parted, /sbin/sfdisk,
            /usr/bin/raw, /sbin/dosfsck, /sbin/e2label, /sbin/mkdosfs,
            /sbin/swapoff, /sbin/tune2fs, /sbin/blockdev, /sbin/dumpe2fs,
            /usr/sbin/dump, /sbin/partprobe, /sbin/raidstart, /sbin/scsi_info,
            /usr/sbin/blkid, /usr/sbin/fdisk, /usr/sbin/partx,
            /sbin/mkreiserfs, /sbin/xfs_growfs, /usr/sbin/cfdisk,
            /usr/sbin/e2fsck, /usr/sbin/e4fsck, /usr/sbin/findfs,
            /usr/sbin/hdparm, /usr/sbin/lsraid, /usr/sbin/mke2fs,
            /usr/sbin/mke4fs, /usr/sbin/mkraid, /usr/sbin/parted,
            /usr/sbin/sfdisk, /sbin/e2mmpstatus, /sbin/install-mbr,
            /sbin/raidautorun, /usr/bin/syslinux, /usr/sbin/dosfsck,
            /usr/sbin/e2label, /usr/sbin/mkdosfs, /usr/sbin/swapoff,
            /usr/sbin/tune2fs, /sbin/make_reiser4, /usr/sbin/blockdev,
            /usr/sbin/dumpe2fs, /usr/sbin/smartctl, /usr/sbin/partprobe,
            /usr/sbin/raidstart, /usr/sbin/scsi_info, /usr/sbin/mkreiserfs,
            /usr/sbin/xfs_growfs, /usr/sbin/clubufflush,
            /usr/sbin/e2mmpstatus, /usr/sbin/install-mbr,
            /usr/sbin/raidautorun, /usr/sbin/make_reiser4,
            /usr/bin/partition_uuid, /usr/bin/scsi_unique_id,
            /usr/lib/systemd/systemd-fsck, /usr/lib/systemd/systemd-growfs,
            /usr/lib/systemd/systemd-makefs


194
       fsadm_log_t

       - Set files with the fsadm_log_t type, if you want to treat the data as
       fsadm log data, usually stored under the /var/log directory.



       fsadm_tmp_t

       - Set files with the fsadm_tmp_t type, if you want to store fsadm
       temporary files in the /tmp directories.



       fsadm_tmpfs_t

       - Set files with the fsadm_tmpfs_t type, if you want to store fsadm
       files on a tmpfs file system.



       fsadm_var_run_t

       - Set files with the fsadm_var_run_t type, if you want to store the
       fsadm files under the /run or /var/run directory.



       Note: File context can be temporarily modified with the chcon command;
       such a change is overwritten by the next restorecon or relabel. If you
       want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


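       The pattern handed to semanage fcontext is a regular expression that
       libselinux anchors at both ends, so '/srv/myfsadm_content(/.*)?'
       covers that directory and everything below it but nothing with a
       longer name in the same parent. The following shell script is an added
       example, not part of this manual page or of the sepolicy tooling. It
       checks candidate paths against a pattern with the same anchoring (using
       grep -E, which agrees with libselinux's matcher for patterns as simple
       as these) and wraps the semanage, restorecon and ls -Z steps from this
       section into a single procedure that verifies the label it set. The
       paths tested at the end are constructed for the example; relabel_dir
       is only defined, not run, because it needs SELinux and root.

```sh
#!/bin/sh
# Added example: check what a file-context regex will actually cover, then
# run the relabeling procedure from this page with a verification step.

# fcontext_matches PATTERN PATH: exit 0 if PATH would be labeled by PATTERN.
# libselinux anchors file_contexts regexes at both ends; "^...$" reproduces
# that for grep -E.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# relabel_dir TYPE DIR: record the mapping permanently, apply it, and check
# that DIR itself carries the requested type. Needs SELinux and root. DIR
# must not contain regex metacharacters, since it is embedded in the pattern.
# semanage fcontext -a fails if the mapping already exists; use -m then.
relabel_dir() {
    type="$1"; dir="$2"
    pattern="${dir}(/.*)?"
    if ! fcontext_matches "$pattern" "$dir"; then
        echo "pattern $pattern does not cover $dir itself" >&2
        return 2
    fi
    semanage fcontext -a -t "$type" "$pattern" || return 1
    restorecon -R -v "$dir" || return 1
    # ls -dZ prints the context of the directory entry itself, first column;
    # the type is the third colon-separated field of that context.
    ctx=$(ls -dZ "$dir" | awk '{ print $1 }')
    case "$ctx" in
        *:"$type":*) return 0 ;;
        *) echo "expected $type on $dir, found $ctx" >&2; return 1 ;;
    esac
}

# Constructed paths, checked against the pattern used on this page.
fsadm_pattern='/srv/myfsadm_content(/.*)?'
for p in /srv/myfsadm_content /srv/myfsadm_content/logs/a.log \
         /srv/myfsadm_content_old /srv/myfsadm_contents/x; do
    if fcontext_matches "$fsadm_pattern" "$p"; then
        echo "match     $p"
    else
        echo "no match  $p"
    fi
done
```

       The loop reports the directory and a file beneath it as matches, and
       /srv/myfsadm_content_old and /srv/myfsadm_contents/x as non-matches;
       forgetting the anchoring and writing a looser pattern is the usual way
       a relabel ends up covering neighbouring directories it was never meant
       to touch.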

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


245

AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



fsadm                              21-06-09                   fsadm_selinux(8)