1winbind_selinux(8)          SELinux Policy winbind          winbind_selinux(8)
2
3
4

NAME

6       winbind_selinux  -  Security Enhanced Linux Policy for the winbind pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures  the  winbind  processes  via  flexible
11       mandatory access control.
12
13       The  winbind processes execute with the winbind_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep winbind_t
20
21
22

ENTRYPOINTS

24       The  winbind_t  SELinux type can be entered via the winbind_exec_t file
25       type.
26
27       The default entrypoint paths for the winbind_t domain are  the  follow‐
28       ing:
29
30       /usr/sbin/winbindd
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       winbind  policy  is very flexible allowing users to setup their winbind
40       processes in as secure a method as possible.
41
42       The following process types are defined for winbind:
43
44       winbind_t, winbind_helper_t
45
46       Note: semanage permissive -a winbind_t can be used to make the  process
47       type  winbind_t  permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux policy is customizable based on least access required.  winbind
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate  the  policy and run winbind with the tightest access possi‐
56       ble.
57
58
59
60       If you want to allow all domains to execute in fips_mode, you must turn
61       on the fips_mode boolean. Enabled by default.
62
63       setsebool -P fips_mode 1
64
65
66
67       If  you  want  to  allow  system  to run with NIS, you must turn on the
68       nis_enabled boolean. Disabled by default.
69
70       setsebool -P nis_enabled 1
71
72
73

MANAGED FILES

75       The SELinux process type winbind_t can manage files  labeled  with  the
76       following file types.  The paths listed are the default paths for these
77       file types.  Note the processes UID still need to have DAC permissions.
78
79       auth_cache_t
80
81            /var/cache/coolkey(/.*)?
82
83       cluster_conf_t
84
85            /etc/cluster(/.*)?
86
87       cluster_var_lib_t
88
89            /var/lib/pcsd(/.*)?
90            /var/lib/cluster(/.*)?
91            /var/lib/openais(/.*)?
92            /var/lib/pengine(/.*)?
93            /var/lib/corosync(/.*)?
94            /usr/lib/heartbeat(/.*)?
95            /var/lib/heartbeat(/.*)?
96            /var/lib/pacemaker(/.*)?
97
98       cluster_var_run_t
99
100            /var/run/crm(/.*)?
101            /var/run/cman_.*
102            /var/run/rsctmp(/.*)?
103            /var/run/aisexec.*
104            /var/run/heartbeat(/.*)?
105            /var/run/pcsd-ruby.socket
106            /var/run/corosync-qnetd(/.*)?
107            /var/run/corosync-qdevice(/.*)?
108            /var/run/corosync.pid
109            /var/run/cpglockd.pid
110            /var/run/rgmanager.pid
111            /var/run/cluster/rgmanager.sk
112
113       ctdbd_var_lib_t
114
115            /var/lib/ctdb(/.*)?
116            /var/lib/ctdbd(/.*)?
117
118       faillog_t
119
120            /var/log/btmp.*
121            /var/log/faillog.*
122            /var/log/tallylog.*
123            /var/run/faillock(/.*)?
124
125       krb5_host_rcache_t
126
127            /var/tmp/krb5_0.rcache2
128            /var/cache/krb5rcache(/.*)?
129            /var/tmp/nfs_0
130            /var/tmp/DNS_25
131            /var/tmp/host_0
132            /var/tmp/imap_0
133            /var/tmp/HTTP_23
134            /var/tmp/HTTP_48
135            /var/tmp/ldap_55
136            /var/tmp/ldap_487
137            /var/tmp/ldapmap1_0
138
139       krb5_keytab_t
140
141            /var/kerberos/krb5(/.*)?
142            /etc/krb5.keytab
143            /etc/krb5kdc/kadm5.keytab
144            /var/kerberos/krb5kdc/kadm5.keytab
145
146       root_t
147
148            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
149            /
150            /initrd
151
152       samba_log_t
153
154            /var/log/samba(/.*)?
155
156       samba_secrets_t
157
158            /etc/samba/smbpasswd
159            /etc/samba/passdb.tdb
160            /etc/samba/MACHINE.SID
161            /etc/samba/secrets.tdb
162
163       smbd_tmp_t
164
165
166       smbd_var_run_t
167
168            /var/run/samba(/.*)?
169            /var/run/samba/smbd.pid
170            /var/run/samba/brlock.tdb
171            /var/run/samba/locking.tdb
172            /var/run/samba/gencache.tdb
173            /var/run/samba/sessionid.tdb
174            /var/run/samba/share_info.tdb
175            /var/run/samba/connections.tdb
176
177       user_home_t
178
179            /home/[^/]+/.+
180
181       user_tmp_t
182
183            /dev/shm/mono.*
184            /var/run/user/[^/]+
185            /tmp/.ICE-unix(/.*)?
186            /tmp/.X11-unix(/.*)?
187            /dev/shm/pulse-shm.*
188            /tmp/.X0-lock
189            /var/run/user
190            /tmp/hsperfdata_root
191            /var/tmp/hsperfdata_root
192            /home/[^/]+/tmp
193            /home/[^/]+/.tmp
194            /var/run/user/[0-9]+
195            /tmp/gconfd-[^/]+
196
197       winbind_log_t
198
199
200       winbind_var_run_t
201
202            /var/run/winbindd(/.*)?
203            /var/run/samba/winbindd(/.*)?
204            /var/lib/samba/winbindd_privileged(/.*)?
205            /var/cache/samba/winbindd_privileged(/.*)?
206
207

FILE CONTEXTS

209       SELinux requires files to have an extended attribute to define the file
210       type.
211
212       You can see the context of a file using the -Z option to ls
213
214       Policy  governs  the  access  confined  processes  have to these files.
215       SELinux winbind policy is very flexible allowing users to  setup  their
216       winbind processes in as secure a method as possible.
217
218       STANDARD FILE CONTEXT
219
220       SELinux  defines  the file context types for the winbind, if you wanted
221       to store files with these types in a diffent paths, you need to execute
222       the  semanage  command  to  specify alternate labeling and then use re‐
223       storecon to put the labels on disk.
224
225       semanage  fcontext   -a   -t   winbind_var_run_t   '/srv/mywinbind_con‐
226       tent(/.*)?'
227       restorecon -R -v /srv/mywinbind_content
228
229       Note:  SELinux  often  uses  regular expressions to specify labels that
230       match multiple files.
231
232       The following file types are defined for winbind:
233
234
235
236       winbind_exec_t
237
238       - Set files with the winbind_exec_t type, if you want to transition  an
239       executable to the winbind_t domain.
240
241
242
243       winbind_helper_exec_t
244
245       - Set files with the winbind_helper_exec_t type, if you want to transi‐
246       tion an executable to the winbind_helper_t domain.
247
248
249
250       winbind_log_t
251
252       - Set files with the winbind_log_t type, if you want to treat the  data
253       as winbind log data, usually stored under the /var/log directory.
254
255
256
257       winbind_var_run_t
258
259       -  Set  files with the winbind_var_run_t type, if you want to store the
260       winbind files under the /run or /var/run directory.
261
262
263       Paths:
264            /var/run/winbindd(/.*)?,            /var/run/samba/winbindd(/.*)?,
265            /var/lib/samba/winbindd_privileged(/.*)?,    /var/cache/samba/win‐
266            bindd_privileged(/.*)?
267
268
269       Note: File context can be temporarily modified with the chcon  command.
270       If  you want to permanently change the file context you need to use the
271       semanage fcontext command.  This will modify the SELinux labeling data‐
272       base.  You will need to use restorecon to apply the labels.
273
274

COMMANDS

276       semanage  fcontext  can also be used to manipulate default file context
277       mappings.
278
279       semanage permissive can also be used to manipulate  whether  or  not  a
280       process type is permissive.
281
282       semanage  module can also be used to enable/disable/install/remove pol‐
283       icy modules.
284
285       semanage boolean can also be used to manipulate the booleans
286
287
288       system-config-selinux is a GUI tool available to customize SELinux pol‐
289       icy settings.
290
291

AUTHOR

293       This manual page was auto-generated using sepolicy manpage .
294
295

SEE ALSO

297       selinux(8),  winbind(8),  semanage(8),  restorecon(8), chcon(1), sepol‐
298       icy(8), setsebool(8), winbind_helper_selinux(8)
299
300
301
302winbind                            22-05-27                 winbind_selinux(8)
Impressum