1afs_selinux(8)                SELinux Policy afs                afs_selinux(8)
2
3
4

NAME

6       afs_selinux - Security Enhanced Linux Policy for the afs processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the afs processes via flexible manda‐
10       tory access control.
11
12       The afs processes execute with the afs_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep afs_t
19
20
21

ENTRYPOINTS

23       The afs_t SELinux type can be entered via the afs_exec_t file type.
24
25       The default entrypoint paths for the afs_t domain are the following:
26
27       /usr/sbin/afsd, /usr/vice/etc/afsd
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       afs policy is very flexible allowing users to setup their afs processes
37       in as secure a method as possible.
38
39       The following process types are defined for afs:
40
41       afs_t, afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t, afs_vlserver_t
42
43       Note: semanage permissive -a afs_t can be used to make the process type
44       afs_t permissive. SELinux does not deny access  to  permissive  process
45       types, but the AVC (SELinux denials) messages are still generated.
46
47

BOOLEANS

49       SELinux  policy  is  customizable  based on least access required.  afs
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run afs with the tightest access possible.
52
53
54
55       If you want to allow all domains to execute in fips_mode, you must turn
56       on the fips_mode boolean. Enabled by default.
57
58       setsebool -P fips_mode 1
59
60
61
62       If you want to allow confined applications to use nscd  shared  memory,
63       you must turn on the nscd_use_shm boolean. Enabled by default.
64
65       setsebool -P nscd_use_shm 1
66
67
68

PORT TYPES

70       SELinux defines port types to represent TCP and UDP ports.
71
72       You  can  see  the  types associated with a port by using the following
73       command:
74
75       semanage port -l
76
77
78       Policy governs the access  confined  processes  have  to  these  ports.
79       SELinux  afs  policy is very flexible allowing users to setup their afs
80       processes in as secure a method as possible.
81
82       The following port types are defined for afs:
83
84
85       afs3_callback_port_t
86
87
88
89       Default Defined Ports:
90                 tcp 7001
91                 udp 7001
92
93
94       afs_bos_port_t
95
96
97
98       Default Defined Ports:
99                 udp 7007
100
101
102       afs_fs_port_t
103
104
105
106       Default Defined Ports:
107                 tcp 2040
108                 udp 7000,7005
109
110
111       afs_ka_port_t
112
113
114
115       Default Defined Ports:
116                 udp 7004
117
118
119       afs_pt_port_t
120
121
122
123       Default Defined Ports:
124                 tcp 7002
125                 udp 7002
126
127
128       afs_vl_port_t
129
130
131
132       Default Defined Ports:
133                 udp 7003
134

MANAGED FILES

136       The SELinux process type afs_t can manage files labeled with  the  fol‐
137       lowing  file  types.   The paths listed are the default paths for these
138       file types.  Note the processes UID still need to have DAC permissions.
139
140       cluster_conf_t
141
142            /etc/cluster(/.*)?
143
144       cluster_var_lib_t
145
146            /var/lib/pcsd(/.*)?
147            /var/lib/cluster(/.*)?
148            /var/lib/openais(/.*)?
149            /var/lib/pengine(/.*)?
150            /var/lib/corosync(/.*)?
151            /usr/lib/heartbeat(/.*)?
152            /var/lib/heartbeat(/.*)?
153            /var/lib/pacemaker(/.*)?
154
155       cluster_var_run_t
156
157            /var/run/crm(/.*)?
158            /var/run/cman_.*
159            /var/run/rsctmp(/.*)?
160            /var/run/aisexec.*
161            /var/run/heartbeat(/.*)?
162            /var/run/pcsd-ruby.socket
163            /var/run/corosync-qnetd(/.*)?
164            /var/run/corosync-qdevice(/.*)?
165            /var/run/corosync.pid
166            /var/run/cpglockd.pid
167            /var/run/rgmanager.pid
168            /var/run/cluster/rgmanager.sk
169
170       root_t
171
172            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
173            /
174            /initrd
175
176       unlabeled_t
177
178
179

FILE CONTEXTS

181       SELinux requires files to have an extended attribute to define the file
182       type.
183
184       You can see the context of a file using the -Z option to ls
185
186       Policy  governs  the  access  confined  processes  have to these files.
187       SELinux afs policy is very flexible allowing users to setup  their  afs
188       processes in as secure a method as possible.
189
190       STANDARD FILE CONTEXT
191
192       SELinux  defines  the  file context types for the afs, if you wanted to
193       store files with these types in a diffent paths, you  need  to  execute
194       the  semanage  command  to  specify alternate labeling and then use re‐
195       storecon to put the labels on disk.
196
197       semanage fcontext -a -t afs_vl_db_t '/srv/myafs_content(/.*)?'
198       restorecon -R -v /srv/myafs_content
199
200       Note: SELinux often uses regular expressions  to  specify  labels  that
201       match multiple files.
202
203       The following file types are defined for afs:
204
205
206
207       afs_bosserver_exec_t
208
209       -  Set files with the afs_bosserver_exec_t type, if you want to transi‐
210       tion an executable to the afs_bosserver_t domain.
211
212
213       Paths:
214            /usr/sbin/bosserver, /usr/afs/bin/bosserver
215
216
217       afs_cache_t
218
219       - Set files with the afs_cache_t type, if you want to store  the  files
220       under the /var/cache directory.
221
222
223       Paths:
224            /var/cache/(open)?afs(/.*)?, /usr/vice/cache(/.*)?
225
226
227       afs_config_t
228
229       -  Set files with the afs_config_t type, if you want to treat the files
230       as afs configuration data, usually stored under the /etc directory.
231
232
233       Paths:
234            /etc/(open)?afs(/.*)?, /usr/afs/etc(/.*)?, /usr/afs/local(/.*)?
235
236
237       afs_dbdir_t
238
239       - Set files with the afs_dbdir_t type, if you want to treat  the  files
240       as afs dbdir data.
241
242
243
244       afs_exec_t
245
246       - Set files with the afs_exec_t type, if you want to transition an exe‐
247       cutable to the afs_t domain.
248
249
250       Paths:
251            /usr/sbin/afsd, /usr/vice/etc/afsd
252
253
254       afs_files_t
255
256       - Set files with the afs_files_t type, if you want to treat  the  files
257       as afs content.
258
259
260       Paths:
261            /usr/afs(/.*)?, /vicepa, /vicepb, /vicepc
262
263
264       afs_fsserver_exec_t
265
266       -  Set  files with the afs_fsserver_exec_t type, if you want to transi‐
267       tion an executable to the afs_fsserver_t domain.
268
269
270       Paths:
271            /usr/afs/bin/salvager, /usr/afs/bin/volserver, /usr/afs/bin/dasal‐
272            vager,      /usr/afs/bin/fileserver,     /usr/afs/bin/davolserver,
273            /usr/afs/bin/dafileserver,             /usr/afs/bin/salvageserver,
274            /usr/libexec/openafs/salvager,     /usr/libexec/openafs/volserver,
275            /usr/libexec/openafs/fileserver
276
277
278       afs_initrc_exec_t
279
280       - Set files with the afs_initrc_exec_t type, if you want to  transition
281       an executable to the afs_initrc_t domain.
282
283
284       Paths:
285            /etc/rc.d/init.d/(open)?afs, /etc/rc.d/init.d/openafs-client
286
287
288       afs_ka_db_t
289
290       -  Set  files with the afs_ka_db_t type, if you want to treat the files
291       as afs ka database content.
292
293
294
295       afs_kaserver_exec_t
296
297       - Set files with the afs_kaserver_exec_t type, if you want  to  transi‐
298       tion an executable to the afs_kaserver_t domain.
299
300
301       Paths:
302            /usr/afs/bin/kaserver, /usr/libexec/openafs/kaserver
303
304
305       afs_logfile_t
306
307       - Set files with the afs_logfile_t type, if you want to treat the files
308       as afs logfile data.
309
310
311
312       afs_pt_db_t
313
314       - Set files with the afs_pt_db_t type, if you want to treat  the  files
315       as afs pt database content.
316
317
318
319       afs_ptserver_exec_t
320
321       -  Set  files with the afs_ptserver_exec_t type, if you want to transi‐
322       tion an executable to the afs_ptserver_t domain.
323
324
325       Paths:
326            /usr/afs/bin/ptserver, /usr/libexec/openafs/ptserver
327
328
329       afs_vl_db_t
330
331       - Set files with the afs_vl_db_t type, if you want to treat  the  files
332       as afs vl database content.
333
334
335
336       afs_vlserver_exec_t
337
338       -  Set  files with the afs_vlserver_exec_t type, if you want to transi‐
339       tion an executable to the afs_vlserver_t domain.
340
341
342       Paths:
343            /usr/afs/bin/vlserver, /usr/libexec/openafs/vlserver
344
345
346       Note: File context can be temporarily modified with the chcon  command.
347       If  you want to permanently change the file context you need to use the
348       semanage fcontext command.  This will modify the SELinux labeling data‐
349       base.  You will need to use restorecon to apply the labels.
350
351

COMMANDS

353       semanage  fcontext  can also be used to manipulate default file context
354       mappings.
355
356       semanage permissive can also be used to manipulate  whether  or  not  a
357       process type is permissive.
358
359       semanage  module can also be used to enable/disable/install/remove pol‐
360       icy modules.
361
362       semanage port can also be used to manipulate the port definitions
363
364       semanage boolean can also be used to manipulate the booleans
365
366
367       system-config-selinux is a GUI tool available to customize SELinux pol‐
368       icy settings.
369
370

AUTHOR

372       This manual page was auto-generated using sepolicy manpage .
373
374

SEE ALSO

376       selinux(8),  afs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
377       setsebool(8),    afs_bosserver_selinux(8),    afs_bosserver_selinux(8),
378       afs_fsserver_selinux(8),                       afs_fsserver_selinux(8),
379       afs_kaserver_selinux(8),        afs_kaserver_selinux(8),        afs_pt‐
380       server_selinux(8),   afs_ptserver_selinux(8),  afs_vlserver_selinux(8),
381       afs_vlserver_selinux(8)
382
383
384
385afs                                21-11-19                     afs_selinux(8)
Impressum