1drbd_selinux(8)               SELinux Policy drbd              drbd_selinux(8)
2
3
4

NAME

6       drbd_selinux - Security Enhanced Linux Policy for the drbd processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the drbd processes via flexible manda‐
10       tory access control.
11
12       The drbd processes execute with the drbd_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep drbd_t
19
20
21

ENTRYPOINTS

23       The drbd_t SELinux type can be entered via the drbd_exec_t file type.
24
25       The default entrypoint paths for the drbd_t domain are the following:
26
27       /sbin/drbdadm, /sbin/drbdsetup, /usr/sbin/drbdadm, /usr/sbin/drbdsetup,
28       /usr/lib/ocf/resource.d/linbit/drbd
29

PROCESS TYPES

31       SELinux defines process types (domains) for each process running on the
32       system
33
34       You can see the context of a process using the -Z option to ps
35
36       Policy governs the access confined processes have  to  files.   SELinux
37       drbd  policy  is  very flexible allowing users to setup their drbd pro‐
38       cesses in as secure a method as possible.
39
40       The following process types are defined for drbd:
41
42       drbd_t
43
44       Note: semanage permissive -a drbd_t can be used  to  make  the  process
45       type  drbd_t  permissive.  SELinux  does  not deny access to permissive
46       process types, but the AVC (SELinux denials) messages are still  gener‐
47       ated.
48
49

BOOLEANS

51       SELinux  policy  is  customizable based on least access required.  drbd
52       policy is extremely flexible and has several booleans that allow you to
53       manipulate the policy and run drbd with the tightest access possible.
54
55
56
57       If  you  want  to  dontaudit all daemons scheduling requests (setsched,
58       sys_nice), you must turn on the  daemons_dontaudit_scheduling  boolean.
59       Enabled by default.
60
61       setsebool -P daemons_dontaudit_scheduling 1
62
63
64
65       If you want to allow all domains to execute in fips_mode, you must turn
66       on the fips_mode boolean. Enabled by default.
67
68       setsebool -P fips_mode 1
69
70
71
72       If you want to allow system to run with  NIS,  you  must  turn  on  the
73       nis_enabled boolean. Disabled by default.
74
75       setsebool -P nis_enabled 1
76
77
78
79       If  you want to disable kernel module loading, you must turn on the se‐
80       cure_mode_insmod boolean. Disabled by default.
81
82       setsebool -P secure_mode_insmod 1
83
84
85

MANAGED FILES

87       The SELinux process type drbd_t can manage files labeled with the  fol‐
88       lowing  file  types.   The paths listed are the default paths for these
89       file types.  Note the processes UID still need to have DAC permissions.
90
91       cluster_conf_t
92
93            /etc/cluster(/.*)?
94
95       cluster_tmpfs_t
96
97
98       cluster_var_lib_t
99
100            /var/lib/pcsd(/.*)?
101            /var/lib/cluster(/.*)?
102            /var/lib/openais(/.*)?
103            /var/lib/pengine(/.*)?
104            /var/lib/corosync(/.*)?
105            /usr/lib/heartbeat(/.*)?
106            /var/lib/heartbeat(/.*)?
107            /var/lib/pacemaker(/.*)?
108
109       cluster_var_run_t
110
111            /var/run/crm(/.*)?
112            /var/run/cman_.*
113            /var/run/rsctmp(/.*)?
114            /var/run/aisexec.*
115            /var/run/heartbeat(/.*)?
116            /var/run/pcsd-ruby.socket
117            /var/run/corosync-qnetd(/.*)?
118            /var/run/corosync-qdevice(/.*)?
119            /var/run/corosync.pid
120            /var/run/cpglockd.pid
121            /var/run/rgmanager.pid
122            /var/run/cluster/rgmanager.sk
123
124       drbd_lock_t
125
126            /var/lock/subsys/drbd
127
128       drbd_tmp_t
129
130
131       drbd_var_lib_t
132
133            /var/lib/drbd(/.*)?
134
135       drbd_var_run_t
136
137            /var/run/drbd(/.*)?
138
139       krb5_host_rcache_t
140
141            /var/tmp/krb5_0.rcache2
142            /var/cache/krb5rcache(/.*)?
143            /var/tmp/nfs_0
144            /var/tmp/DNS_25
145            /var/tmp/host_0
146            /var/tmp/imap_0
147            /var/tmp/HTTP_23
148            /var/tmp/HTTP_48
149            /var/tmp/ldap_55
150            /var/tmp/ldap_487
151            /var/tmp/ldapmap1_0
152
153       root_t
154
155            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
156            /
157            /initrd
158
159

FILE CONTEXTS

161       SELinux requires files to have an extended attribute to define the file
162       type.
163
164       You can see the context of a file using the -Z option to ls
165
166       Policy  governs  the  access  confined  processes  have to these files.
167       SELinux drbd policy is very flexible allowing users to setup their drbd
168       processes in as secure a method as possible.
169
170       STANDARD FILE CONTEXT
171
172       SELinux  defines  the file context types for the drbd, if you wanted to
173       store files with these types in a different paths, you need to  execute
174       the  semanage  command  to  specify alternate labeling and then use re‐
175       storecon to put the labels on disk.
176
177       semanage fcontext -a -t drbd_exec_t '/srv/drbd/content(/.*)?'
178       restorecon -R -v /srv/mydrbd_content
179
180       Note: SELinux often uses regular expressions  to  specify  labels  that
181       match multiple files.
182
183       The following file types are defined for drbd:
184
185
186
187       drbd_exec_t
188
189       - Set files with the drbd_exec_t type, if you want to transition an ex‐
190       ecutable to the drbd_t domain.
191
192
193       Paths:
194            /sbin/drbdadm, /sbin/drbdsetup, /usr/sbin/drbdadm, /usr/sbin/drbd‐
195            setup, /usr/lib/ocf/resource.d/linbit/drbd
196
197
198       drbd_initrc_exec_t
199
200       - Set files with the drbd_initrc_exec_t type, if you want to transition
201       an executable to the drbd_initrc_t domain.
202
203
204
205       drbd_lock_t
206
207       - Set files with the drbd_lock_t type, if you want to treat  the  files
208       as drbd lock data, stored under the /var/lock directory
209
210
211
212       drbd_tmp_t
213
214       -  Set files with the drbd_tmp_t type, if you want to store drbd tempo‐
215       rary files in the /tmp directories.
216
217
218
219       drbd_var_lib_t
220
221       - Set files with the drbd_var_lib_t type, if you want to store the drbd
222       files under the /var/lib directory.
223
224
225
226       drbd_var_run_t
227
228       - Set files with the drbd_var_run_t type, if you want to store the drbd
229       files under the /run or /var/run directory.
230
231
232
233       Note: File context can be temporarily modified with the chcon  command.
234       If  you want to permanently change the file context you need to use the
235       semanage fcontext command.  This will modify the SELinux labeling data‐
236       base.  You will need to use restorecon to apply the labels.
237
238

COMMANDS

240       semanage  fcontext  can also be used to manipulate default file context
241       mappings.
242
243       semanage permissive can also be used to manipulate  whether  or  not  a
244       process type is permissive.
245
246       semanage  module can also be used to enable/disable/install/remove pol‐
247       icy modules.
248
249       semanage boolean can also be used to manipulate the booleans
250
251
252       system-config-selinux is a GUI tool available to customize SELinux pol‐
253       icy settings.
254
255

AUTHOR

257       This manual page was auto-generated using sepolicy manpage .
258
259

SEE ALSO

261       selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
262       setsebool(8)
263
264
265
266drbd                               23-10-20                    drbd_selinux(8)
Impressum