1winbind_selinux(8) SELinux Policy winbind winbind_selinux(8)
2
3
4
6 winbind_selinux - Security Enhanced Linux Policy for the winbind pro‐
7 cesses
8
10 Security-Enhanced Linux secures the winbind processes via flexible
11 mandatory access control.
12
13 The winbind processes execute with the winbind_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep winbind_t
20
21
22
24 The winbind_t SELinux type can be entered via the winbind_exec_t file
25 type.
26
27 The default entrypoint paths for the winbind_t domain are the follow‐
28 ing:
29
30 /usr/sbin/winbindd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 winbind policy is very flexible allowing users to setup their winbind
40 processes in as secure a method as possible.
41
42 The following process types are defined for winbind:
43
44 winbind_t, winbind_helper_t, winbind_rpcd_t
45
46 Note: semanage permissive -a winbind_t can be used to make the process
47 type winbind_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. winbind
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run winbind with the tightest access possi‐
56 ble.
57
58
59
60 If you want to allow all domains to execute in fips_mode, you must turn
61 on the fips_mode boolean. Enabled by default.
62
63 setsebool -P fips_mode 1
64
65
66
67 If you want to allow system to run with NIS, you must turn on the
68 nis_enabled boolean. Disabled by default.
69
70 setsebool -P nis_enabled 1
71
72
73
75 The SELinux process type winbind_t can manage files labeled with the
76 following file types. The paths listed are the default paths for these
77 file types. Note the processes UID still need to have DAC permissions.
78
79 auth_cache_t
80
81 /var/cache/coolkey(/.*)?
82
83 cluster_conf_t
84
85 /etc/cluster(/.*)?
86
87 cluster_var_lib_t
88
89 /var/lib/pcsd(/.*)?
90 /var/lib/cluster(/.*)?
91 /var/lib/openais(/.*)?
92 /var/lib/pengine(/.*)?
93 /var/lib/corosync(/.*)?
94 /usr/lib/heartbeat(/.*)?
95 /var/lib/heartbeat(/.*)?
96 /var/lib/pacemaker(/.*)?
97
98 cluster_var_run_t
99
100 /var/run/crm(/.*)?
101 /var/run/cman_.*
102 /var/run/rsctmp(/.*)?
103 /var/run/aisexec.*
104 /var/run/heartbeat(/.*)?
105 /var/run/pcsd-ruby.socket
106 /var/run/corosync-qnetd(/.*)?
107 /var/run/corosync-qdevice(/.*)?
108 /var/run/corosync.pid
109 /var/run/cpglockd.pid
110 /var/run/rgmanager.pid
111 /var/run/cluster/rgmanager.sk
112
113 ctdbd_var_lib_t
114
115 /var/lib/ctdb(/.*)?
116 /var/lib/ctdbd(/.*)?
117
118 faillog_t
119
120 /var/log/btmp.*
121 /var/log/faillog.*
122 /var/log/tallylog.*
123 /var/run/faillock(/.*)?
124
125 krb5_host_rcache_t
126
127 /var/tmp/krb5_0.rcache2
128 /var/cache/krb5rcache(/.*)?
129 /var/tmp/nfs_0
130 /var/tmp/DNS_25
131 /var/tmp/host_0
132 /var/tmp/imap_0
133 /var/tmp/HTTP_23
134 /var/tmp/HTTP_48
135 /var/tmp/ldap_55
136 /var/tmp/ldap_487
137 /var/tmp/ldapmap1_0
138
139 krb5_keytab_t
140
141 /var/kerberos/krb5(/.*)?
142 /etc/krb5.keytab
143 /etc/krb5kdc/kadm5.keytab
144 /var/kerberos/krb5kdc/kadm5.keytab
145
146 root_t
147
148 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
149 /
150 /initrd
151
152 samba_log_t
153
154 /var/log/samba(/.*)?
155
156 samba_secrets_t
157
158 /etc/samba/smbpasswd
159 /etc/samba/passdb.tdb
160 /etc/samba/MACHINE.SID
161 /etc/samba/secrets.tdb
162
163 smbd_tmp_t
164
165
166 smbd_var_run_t
167
168 /var/run/samba(/.*)?
169 /var/run/samba/smbd.pid
170 /var/run/samba/brlock.tdb
171 /var/run/samba/locking.tdb
172 /var/run/samba/gencache.tdb
173 /var/run/samba/sessionid.tdb
174 /var/run/samba/share_info.tdb
175 /var/run/samba/connections.tdb
176
177 user_home_t
178
179 /home/[^/]+/.+
180
181 user_tmp_t
182
183 /dev/shm/mono.*
184 /var/run/user/[^/]+
185 /tmp/.ICE-unix(/.*)?
186 /tmp/.X11-unix(/.*)?
187 /dev/shm/pulse-shm.*
188 /tmp/.X0-lock
189 /var/run/user
190 /tmp/hsperfdata_root
191 /var/tmp/hsperfdata_root
192 /home/[^/]+/tmp
193 /home/[^/]+/.tmp
194 /var/run/user/[0-9]+
195 /tmp/gconfd-[^/]+
196
197 winbind_log_t
198
199
200 winbind_var_run_t
201
202 /var/run/winbindd(/.*)?
203 /var/run/samba/winbindd(/.*)?
204 /var/lib/samba/winbindd_privileged(/.*)?
205 /var/cache/samba/winbindd_privileged(/.*)?
206
207
209 SELinux requires files to have an extended attribute to define the file
210 type.
211
212 You can see the context of a file using the -Z option to ls
213
214 Policy governs the access confined processes have to these files.
215 SELinux winbind policy is very flexible allowing users to setup their
216 winbind processes in as secure a method as possible.
217
218 STANDARD FILE CONTEXT
219
220 SELinux defines the file context types for the winbind, if you wanted
221 to store files with these types in a diffent paths, you need to execute
222 the semanage command to specify alternate labeling and then use re‐
223 storecon to put the labels on disk.
224
225 semanage fcontext -a -t winbind_var_run_t '/srv/mywinbind_con‐
226 tent(/.*)?'
227 restorecon -R -v /srv/mywinbind_content
228
229 Note: SELinux often uses regular expressions to specify labels that
230 match multiple files.
231
232 The following file types are defined for winbind:
233
234
235
236 winbind_exec_t
237
238 - Set files with the winbind_exec_t type, if you want to transition an
239 executable to the winbind_t domain.
240
241
242
243 winbind_helper_exec_t
244
245 - Set files with the winbind_helper_exec_t type, if you want to transi‐
246 tion an executable to the winbind_helper_t domain.
247
248
249
250 winbind_log_t
251
252 - Set files with the winbind_log_t type, if you want to treat the data
253 as winbind log data, usually stored under the /var/log directory.
254
255
256
257 winbind_rpcd_exec_t
258
259 - Set files with the winbind_rpcd_exec_t type, if you want to transi‐
260 tion an executable to the winbind_rpcd_t domain.
261
262
263 Paths:
264 /usr/libexec/samba/rpcd_lsad, /usr/libexec/samba/samba-dcerpcd
265
266
267 winbind_rpcd_var_run_t
268
269 - Set files with the winbind_rpcd_var_run_t type, if you want to store
270 the winbind rpcd files under the /run or /var/run directory.
271
272
273
274 winbind_var_run_t
275
276 - Set files with the winbind_var_run_t type, if you want to store the
277 winbind files under the /run or /var/run directory.
278
279
280 Paths:
281 /var/run/winbindd(/.*)?, /var/run/samba/winbindd(/.*)?,
282 /var/lib/samba/winbindd_privileged(/.*)?, /var/cache/samba/win‐
283 bindd_privileged(/.*)?
284
285
286 Note: File context can be temporarily modified with the chcon command.
287 If you want to permanently change the file context you need to use the
288 semanage fcontext command. This will modify the SELinux labeling data‐
289 base. You will need to use restorecon to apply the labels.
290
291
293 semanage fcontext can also be used to manipulate default file context
294 mappings.
295
296 semanage permissive can also be used to manipulate whether or not a
297 process type is permissive.
298
299 semanage module can also be used to enable/disable/install/remove pol‐
300 icy modules.
301
302 semanage boolean can also be used to manipulate the booleans
303
304
305 system-config-selinux is a GUI tool available to customize SELinux pol‐
306 icy settings.
307
308
310 This manual page was auto-generated using sepolicy manpage .
311
312
314 selinux(8), winbind(8), semanage(8), restorecon(8), chcon(1), sepol‐
315 icy(8), setsebool(8), winbind_helper_selinux(8), win‐
316 bind_rpcd_selinux(8)
317
318
319
320winbind 23-02-03 winbind_selinux(8)