1clvmd_selinux(8) SELinux Policy clvmd clvmd_selinux(8)
2
6 clvmd_selinux - Security Enhanced Linux Policy for the clvmd processes
7
9 Security-Enhanced Linux secures the clvmd processes via flexible manda‐
10 tory access control.
11 The clvmd processes execute with the clvmd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep clvmd_t
19
23 The clvmd_t SELinux type can be entered via the clvmd_exec_t file type.
24 The default entrypoint paths for the clvmd_t domain are the following:
26 /usr/sbin/clvmd
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 clvmd policy is very flexible allowing users to setup their clvmd pro‐
37 cesses in as secure a method as possible.
38 The following process types are defined for clvmd:
40 clvmd_t
42 Note: semanage permissive -a clvmd_t can be used to make the process
44 type clvmd_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
50 SELinux policy is customizable based on least access required. clvmd
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run clvmd with the tightest access possible.
53 If you want to dontaudit all daemons scheduling requests (setsched,
57 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
58 Enabled by default.
59 setsebool -P daemons_dontaudit_scheduling 1
61 If you want to deny user domains applications to map a memory region as
65 both executable and writable, this is dangerous and the executable
66 should be reported in bugzilla, you must turn on the deny_execmem bool‐
67 ean. Disabled by default.
68 setsebool -P deny_execmem 1
70 If you want to control the ability to mmap a low area of the address
74 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
75 the mmap_low_allowed boolean. Disabled by default.
76 setsebool -P mmap_low_allowed 1
78 If you want to allow system to run with NIS, you must turn on the
82 nis_enabled boolean. Disabled by default.
83 setsebool -P nis_enabled 1
85 If you want to disable kernel module loading, you must turn on the se‐
89 cure_mode_insmod boolean. Disabled by default.
90 setsebool -P secure_mode_insmod 1
92 If you want to allow unconfined executables to make their heap memory
96 executable. Doing this is a really bad idea. Probably indicates a
97 badly coded executable, but could indicate an attack. This executable
98 should be reported in bugzilla, you must turn on the selinuxuser_ex‐
99 echeap boolean. Disabled by default.
100 setsebool -P selinuxuser_execheap 1
102 If you want to allow unconfined executables to make their stack exe‐
106 cutable. This should never, ever be necessary. Probably indicates a
107 badly coded executable, but could indicate an attack. This executable
108 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
109 stack boolean. Enabled by default.
110 setsebool -P selinuxuser_execstack 1
112
116 The SELinux process type clvmd_t can manage files labeled with the fol‐
117 lowing file types. The paths listed are the default paths for these
118 file types. Note the processes UID still need to have DAC permissions.
119 file_type
121 all files on the system
123
126 SELinux requires files to have an extended attribute to define the file
127 type.
128 You can see the context of a file using the -Z option to ls
130 Policy governs the access confined processes have to these files.
132 SELinux clvmd policy is very flexible allowing users to setup their
133 clvmd processes in as secure a method as possible.
134 STANDARD FILE CONTEXT
136 SELinux defines the file context types for the clvmd, if you wanted to
138 store files with these types in a different paths, you need to execute
139 the semanage command to specify alternate labeling and then use re‐
140 storecon to put the labels on disk.
141 semanage fcontext -a -t clvmd_exec_t '/srv/clvmd/content(/.*)?'
143 restorecon -R -v /srv/myclvmd_content
144 Note: SELinux often uses regular expressions to specify labels that
146 match multiple files.
147 The following file types are defined for clvmd:
149 clvmd_exec_t
153 - Set files with the clvmd_exec_t type, if you want to transition an
155 executable to the clvmd_t domain.
156 clvmd_initrc_exec_t
160 - Set files with the clvmd_initrc_exec_t type, if you want to transi‐
162 tion an executable to the clvmd_initrc_t domain.
163 clvmd_tmpfs_t
167 - Set files with the clvmd_tmpfs_t type, if you want to store clvmd
169 files on a tmpfs file system.
170 clvmd_var_run_t
174 - Set files with the clvmd_var_run_t type, if you want to store the
176 clvmd files under the /run or /var/run directory.
177 Note: File context can be temporarily modified with the chcon command.
181 If you want to permanently change the file context you need to use the
182 semanage fcontext command. This will modify the SELinux labeling data‐
183 base. You will need to use restorecon to apply the labels.
184
187 semanage fcontext can also be used to manipulate default file context
188 mappings.
189 semanage permissive can also be used to manipulate whether or not a
191 process type is permissive.
192 semanage module can also be used to enable/disable/install/remove pol‐
194 icy modules.
195 semanage boolean can also be used to manipulate the booleans
197 system-config-selinux is a GUI tool available to customize SELinux pol‐
200 icy settings.
201
204 This manual page was auto-generated using sepolicy manpage .
205
208 selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1), sepol‐
209 icy(8), setsebool(8)
210clvmd 23-10-20 clvmd_selinux(8)