1winbind_selinux(8)          SELinux Policy winbind          winbind_selinux(8)
2
3
4

NAME

6       winbind_selinux  -  Security Enhanced Linux Policy for the winbind pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  winbind  processes  via  flexible
11       mandatory access control.
12
13       The  winbind processes execute with the winbind_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep winbind_t
20
21
22

ENTRYPOINTS

24       The  winbind_t  SELinux type can be entered via the winbind_exec_t file
25       type.
26
27       The default entrypoint paths for the winbind_t domain are  the  follow‐
28       ing:
29
30       /usr/sbin/winbindd
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       winbind  policy  is very flexible allowing users to setup their winbind
40       processes in as secure a method as possible.
41
42       The following process types are defined for winbind:
43
44       winbind_t, winbind_helper_t
45
46       Note: semanage permissive -a winbind_t can be used to make the  process
47       type  winbind_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  winbind
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run winbind with the tightest access possi‐
56       ble.
57
58
59
60       If you want to allow all domains to execute in fips_mode, you must turn
61       on the fips_mode boolean. Enabled by default.
62
63       setsebool -P fips_mode 1
64
65
66
67       If  you  want  to  allow  system  to run with NIS, you must turn on the
68       nis_enabled boolean. Disabled by default.
69
70       setsebool -P nis_enabled 1
71
72
73

MANAGED FILES

75       The SELinux process type winbind_t can manage files  labeled  with  the
76       following file types.  The paths listed are the default paths for these
77       file types.  Note the processes UID still need to have DAC permissions.
78
79       auth_cache_t
80
81            /var/cache/coolkey(/.*)?
82
83       cluster_conf_t
84
85            /etc/cluster(/.*)?
86
87       cluster_var_lib_t
88
89            /var/lib/pcsd(/.*)?
90            /var/lib/cluster(/.*)?
91            /var/lib/openais(/.*)?
92            /var/lib/pengine(/.*)?
93            /var/lib/corosync(/.*)?
94            /usr/lib/heartbeat(/.*)?
95            /var/lib/heartbeat(/.*)?
96            /var/lib/pacemaker(/.*)?
97
98       cluster_var_run_t
99
100            /var/run/crm(/.*)?
101            /var/run/cman_.*
102            /var/run/rsctmp(/.*)?
103            /var/run/aisexec.*
104            /var/run/heartbeat(/.*)?
105            /var/run/pcsd-ruby.socket
106            /var/run/corosync-qnetd(/.*)?
107            /var/run/corosync-qdevice(/.*)?
108            /var/run/corosync.pid
109            /var/run/cpglockd.pid
110            /var/run/rgmanager.pid
111            /var/run/cluster/rgmanager.sk
112
113       ctdbd_var_lib_t
114
115            /var/lib/ctdb(/.*)?
116            /var/lib/ctdbd(/.*)?
117
118       faillog_t
119
120            /var/log/btmp.*
121            /var/log/faillog.*
122            /var/log/tallylog.*
123            /var/run/faillock(/.*)?
124
125       krb5_host_rcache_t
126
127            /var/tmp/krb5_0.rcache2
128            /var/cache/krb5rcache(/.*)?
129            /var/tmp/nfs_0
130            /var/tmp/DNS_25
131            /var/tmp/host_0
132            /var/tmp/imap_0
133            /var/tmp/HTTP_23
134            /var/tmp/HTTP_48
135            /var/tmp/ldap_55
136            /var/tmp/ldap_487
137            /var/tmp/ldapmap1_0
138
139       krb5_keytab_t
140
141            /var/kerberos/krb5(/.*)?
142            /etc/krb5.keytab
143            /etc/krb5kdc/kadm5.keytab
144            /var/kerberos/krb5kdc/kadm5.keytab
145
146       root_t
147
148            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
149            /
150            /initrd
151
152       samba_log_t
153
154            /var/log/samba(/.*)?
155
156       samba_secrets_t
157
158            /etc/samba/smbpasswd
159            /etc/samba/passdb.tdb
160            /etc/samba/MACHINE.SID
161            /etc/samba/secrets.tdb
162
163       smbd_tmp_t
164
165
166       smbd_var_run_t
167
168            /var/run/samba(/.*)?
169            /var/run/samba/smbd.pid
170            /var/run/samba/brlock.tdb
171            /var/run/samba/locking.tdb
172            /var/run/samba/gencache.tdb
173            /var/run/samba/sessionid.tdb
174            /var/run/samba/share_info.tdb
175            /var/run/samba/connections.tdb
176
177       user_home_t
178
179            /home/[^/]+/.+
180
181       user_tmp_t
182
183            /dev/shm/mono.*
184            /var/run/user(/.*)?
185            /tmp/.ICE-unix(/.*)?
186            /tmp/.X11-unix(/.*)?
187            /dev/shm/pulse-shm.*
188            /tmp/.X0-lock
189            /tmp/hsperfdata_root
190            /var/tmp/hsperfdata_root
191            /home/[^/]+/tmp
192            /home/[^/]+/.tmp
193            /tmp/gconfd-[^/]+
194
195       winbind_log_t
196
197
198       winbind_var_run_t
199
200            /var/run/winbindd(/.*)?
201            /var/run/samba/winbindd(/.*)?
202            /var/lib/samba/winbindd_privileged(/.*)?
203            /var/cache/samba/winbindd_privileged(/.*)?
204
205

FILE CONTEXTS

207       SELinux requires files to have an extended attribute to define the file
208       type.
209
210       You can see the context of a file using the -Z option to ls
211
212       Policy  governs  the  access  confined  processes  have to these files.
213       SELinux winbind policy is very flexible allowing users to  setup  their
214       winbind processes in as secure a method as possible.
215
216       STANDARD FILE CONTEXT
217
218       SELinux  defines  the file context types for the winbind, if you wanted
219       to store files with these types in a diffent paths, you need to execute
220       the  semanage  command  to sepecify alternate labeling and then use re‐
221       storecon to put the labels on disk.
222
223       semanage  fcontext   -a   -t   winbind_var_run_t   '/srv/mywinbind_con‐
224       tent(/.*)?'
225       restorecon -R -v /srv/mywinbind_content
226
227       Note:  SELinux  often  uses  regular expressions to specify labels that
228       match multiple files.
229
230       The following file types are defined for winbind:
231
232
233
234       winbind_exec_t
235
236       - Set files with the winbind_exec_t type, if you want to transition  an
237       executable to the winbind_t domain.
238
239
240
241       winbind_helper_exec_t
242
243       - Set files with the winbind_helper_exec_t type, if you want to transi‐
244       tion an executable to the winbind_helper_t domain.
245
246
247
248       winbind_log_t
249
250       - Set files with the winbind_log_t type, if you want to treat the  data
251       as winbind log data, usually stored under the /var/log directory.
252
253
254
255       winbind_var_run_t
256
257       -  Set  files with the winbind_var_run_t type, if you want to store the
258       winbind files under the /run or /var/run directory.
259
260
261       Paths:
262            /var/run/winbindd(/.*)?,            /var/run/samba/winbindd(/.*)?,
263            /var/lib/samba/winbindd_privileged(/.*)?,    /var/cache/samba/win‐
264            bindd_privileged(/.*)?
265
266
267       Note: File context can be temporarily modified with the chcon  command.
268       If  you want to permanently change the file context you need to use the
269       semanage fcontext command.  This will modify the SELinux labeling data‐
270       base.  You will need to use restorecon to apply the labels.
271
272

COMMANDS

274       semanage  fcontext  can also be used to manipulate default file context
275       mappings.
276
277       semanage permissive can also be used to manipulate  whether  or  not  a
278       process type is permissive.
279
280       semanage  module can also be used to enable/disable/install/remove pol‐
281       icy modules.
282
283       semanage boolean can also be used to manipulate the booleans
284
285
286       system-config-selinux is a GUI tool available to customize SELinux pol‐
287       icy settings.
288
289

AUTHOR

291       This manual page was auto-generated using sepolicy manpage .
292
293

SEE ALSO

295       selinux(8),  winbind(8),  semanage(8),  restorecon(8), chcon(1), sepol‐
296       icy(8), setsebool(8), winbind_helper_selinux(8)
297
298
299
300winbind                            21-06-09                 winbind_selinux(8)
Impressum