1amanda_selinux(8) SELinux Policy amanda amanda_selinux(8)
2
6 amanda_selinux - Security Enhanced Linux Policy for the amanda pro‐
7 cesses
8
10 Security-Enhanced Linux secures the amanda processes via flexible
11 mandatory access control.
12 The amanda processes execute with the amanda_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep amanda_t
20
24 The amanda_t SELinux type can be entered via the amanda_inetd_exec_t
25 file type.
26 The default entrypoint paths for the amanda_t domain are the following:
28 /usr/sbin/amandad, /usr/lib/amanda/amandad, /usr/lib/amanda/amindexd,
30 /usr/lib/amanda/amidxtaped
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 amanda policy is very flexible allowing users to setup their amanda
40 processes in as secure a method as possible.
41 The following process types are defined for amanda:
43 amanda_t, amanda_recover_t
45 Note: semanage permissive -a amanda_t can be used to make the process
47 type amanda_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. amanda
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run amanda with the tightest access possible.
56 If you want to dontaudit all daemons scheduling requests (setsched,
60 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
61 Enabled by default.
62 setsebool -P daemons_dontaudit_scheduling 1
64 If you want to allow all domains to execute in fips_mode, you must turn
68 on the fips_mode boolean. Enabled by default.
69 setsebool -P fips_mode 1
71 If you want to allow system to run with NIS, you must turn on the
75 nis_enabled boolean. Disabled by default.
76 setsebool -P nis_enabled 1
78
82 SELinux defines port types to represent TCP and UDP ports.
83 You can see the types associated with a port by using the following
85 command:
86 semanage port -l
88 Policy governs the access confined processes have to these ports.
91 SELinux amanda policy is very flexible allowing users to setup their
92 amanda processes in as secure a method as possible.
93 The following port types are defined for amanda:
95 amanda_port_t
98 Default Defined Ports:
102 tcp 10080-10083
103 udp 10080-10082
104
106 The SELinux process type amanda_t can manage files labeled with the
107 following file types. The paths listed are the default paths for these
108 file types. Note the processes UID still need to have DAC permissions.
109 cluster_conf_t
111 /etc/cluster(/.*)?
113 cluster_var_lib_t
115 /var/lib/pcsd(/.*)?
117 /var/lib/cluster(/.*)?
118 /var/lib/openais(/.*)?
119 /var/lib/pengine(/.*)?
120 /var/lib/corosync(/.*)?
121 /usr/lib/heartbeat(/.*)?
122 /var/lib/heartbeat(/.*)?
123 /var/lib/pacemaker(/.*)?
124 cluster_var_run_t
126 /var/run/crm(/.*)?
128 /var/run/cman_.*
129 /var/run/rsctmp(/.*)?
130 /var/run/aisexec.*
131 /var/run/heartbeat(/.*)?
132 /var/run/pcsd-ruby.socket
133 /var/run/corosync-qnetd(/.*)?
134 /var/run/corosync-qdevice(/.*)?
135 /var/run/corosync.pid
136 /var/run/cpglockd.pid
137 /var/run/rgmanager.pid
138 /var/run/cluster/rgmanager.sk
139 krb5_host_rcache_t
141 /var/tmp/krb5_0.rcache2
143 /var/cache/krb5rcache(/.*)?
144 /var/tmp/nfs_0
145 /var/tmp/DNS_25
146 /var/tmp/host_0
147 /var/tmp/imap_0
148 /var/tmp/HTTP_23
149 /var/tmp/HTTP_48
150 /var/tmp/ldap_55
151 /var/tmp/ldap_487
152 /var/tmp/ldapmap1_0
153 root_t
155 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
157 /
158 /initrd
159
162 SELinux requires files to have an extended attribute to define the file
163 type.
164 You can see the context of a file using the -Z option to ls
166 Policy governs the access confined processes have to these files.
168 SELinux amanda policy is very flexible allowing users to setup their
169 amanda processes in as secure a method as possible.
170 EQUIVALENCE DIRECTORIES
172 amanda policy stores data with multiple different file context types
175 under the /var/lib/amanda directory. If you would like to store the
176 data in a different directory you can use the semanage command to cre‐
177 ate an equivalence mapping. If you wanted to store this data under the
178 /srv directory you would execute the following command:
179 semanage fcontext -a -e /var/lib/amanda /srv/amanda
181 restorecon -R -v /srv/amanda
182 STANDARD FILE CONTEXT
184 SELinux defines the file context types for the amanda, if you wanted to
186 store files with these types in a different paths, you need to execute
187 the semanage command to specify alternate labeling and then use re‐
188 storecon to put the labels on disk.
189 semanage fcontext -a -t amanda_exec_t '/srv/amanda/content(/.*)?'
191 restorecon -R -v /srv/myamanda_content
192 Note: SELinux often uses regular expressions to specify labels that
194 match multiple files.
195 The following file types are defined for amanda:
197 amanda_amandates_t
201 - Set files with the amanda_amandates_t type, if you want to treat the
203 files as amanda amandates data.
204 amanda_config_t
208 - Set files with the amanda_config_t type, if you want to treat the
210 files as amanda configuration data, usually stored under the /etc di‐
211 rectory.
212 Paths:
215 /etc/amanda(/.*)?, /var/lib/amanda/.amandahosts
216 amanda_data_t
219 - Set files with the amanda_data_t type, if you want to treat the files
221 as amanda content.
222 Paths:
225 /etc/amanda/.*/index(/.*)?, /etc/amanda/.*/tapelist(/.*)?,
226 /var/lib/amanda/[^/]+(/.*)?, /etc/amanda/DailySet1(/.*)?
227 amanda_dumpdates_t
230 - Set files with the amanda_dumpdates_t type, if you want to treat the
232 files as amanda dumpdates data.
233 amanda_exec_t
237 - Set files with the amanda_exec_t type, if you want to transition an
239 executable to the amanda_t domain.
240 amanda_gnutarlists_t
244 - Set files with the amanda_gnutarlists_t type, if you want to treat
246 the files as amanda gnutarlists data.
247 amanda_inetd_exec_t
251 - Set files with the amanda_inetd_exec_t type, if you want to transi‐
253 tion an executable to the amanda_inetd_t domain.
254 Paths:
257 /usr/sbin/amandad, /usr/lib/amanda/amandad, /usr/lib/amanda/amin‐
258 dexd, /usr/lib/amanda/amidxtaped
259 amanda_log_t
262 - Set files with the amanda_log_t type, if you want to treat the data
264 as amanda log data, usually stored under the /var/log directory.
265 Paths:
268 /var/log/amanda(/.*)?, /var/lib/amanda/[^/]*/log(/.*)?
269 amanda_recover_dir_t
272 - Set files with the amanda_recover_dir_t type, if you want to treat
274 the files as amanda recover dir data.
275 amanda_recover_exec_t
279 - Set files with the amanda_recover_exec_t type, if you want to transi‐
281 tion an executable to the amanda_recover_t domain.
282 amanda_tmp_t
286 - Set files with the amanda_tmp_t type, if you want to store amanda
288 temporary files in the /tmp directories.
289 amanda_tmpfs_t
293 - Set files with the amanda_tmpfs_t type, if you want to store amanda
295 files on a tmpfs file system.
296 amanda_unit_file_t
300 - Set files with the amanda_unit_file_t type, if you want to treat the
302 files as amanda unit content.
303 amanda_usr_lib_t
307 - Set files with the amanda_usr_lib_t type, if you want to treat the
309 files as amanda usr lib data.
310 amanda_var_lib_t
314 - Set files with the amanda_var_lib_t type, if you want to store the
316 amanda files under the /var/lib directory.
317 Paths:
320 /var/lib/amanda(/.*)?, /var/lib/amanda/[^/]+/index(/.*)?,
321 /var/lib/xfsdump/inventory(/.*)?, /var/lib/amanda
322 Note: File context can be temporarily modified with the chcon command.
325 If you want to permanently change the file context you need to use the
326 semanage fcontext command. This will modify the SELinux labeling data‐
327 base. You will need to use restorecon to apply the labels.
328
331 semanage fcontext can also be used to manipulate default file context
332 mappings.
333 semanage permissive can also be used to manipulate whether or not a
335 process type is permissive.
336 semanage module can also be used to enable/disable/install/remove pol‐
338 icy modules.
339 semanage port can also be used to manipulate the port definitions
341 semanage boolean can also be used to manipulate the booleans
343 system-config-selinux is a GUI tool available to customize SELinux pol‐
346 icy settings.
347
350 This manual page was auto-generated using sepolicy manpage .
351
354 selinux(8), amanda(8), semanage(8), restorecon(8), chcon(1), sepol‐
355 icy(8), setsebool(8), amanda_recover_selinux(8), amanda_re‐
356 cover_selinux(8)
357amanda 23-10-20 amanda_selinux(8)