fsadm_selinux(8) SELinux Policy fsadm fsadm_selinux(8)

NAME
fsadm_selinux - Security Enhanced Linux Policy for the fsadm processes

DESCRIPTION
Security-Enhanced Linux secures the fsadm processes via flexible mandatory access control.

The fsadm processes execute with the fsadm_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep fsadm_t

ENTRYPOINTS
The fsadm_t SELinux type can be entered via the fsadm_exec_t file type.

The default entrypoint paths for the fsadm_t domain are the following:

/sbin/fsck.*, /sbin/jfs_.*, /sbin/mkfs.*, /sbin/dump.exfat, /sbin/tune.exfat,
/sbin/swapon.*, /sbin/resize.*fs, /sbin/losetup.*, /usr/sbin/fsck.*,
/usr/sbin/jfs_.*, /usr/sbin/mkfs.*, /usr/sbin/dump.exfat, /usr/sbin/tune.exfat,
/sbin/reiserfs(ck|tune), /usr/sbin/swapon.*, /usr/sbin/resize.*fs,
/usr/sbin/losetup.*, /usr/sbin/reiserfs(ck|tune), /sbin/dump, /sbin/blkid,
/sbin/fdisk, /sbin/partx, /sbin/cfdisk, /sbin/e2fsck, /sbin/e4fsck, /sbin/findfs,
/sbin/hdparm, /sbin/lsraid, /sbin/mke2fs, /sbin/mke4fs, /sbin/mkraid,
/sbin/parted, /sbin/sfdisk, /usr/bin/raw, /sbin/dosfsck, /sbin/e2label,
/sbin/mkdosfs, /sbin/swapoff, /sbin/tune2fs, /sbin/blockdev, /sbin/dumpe2fs,
/usr/sbin/dump, /sbin/partprobe, /sbin/raidstart, /sbin/scsi_info,
/usr/sbin/blkid, /usr/sbin/fdisk, /usr/sbin/partx, /sbin/exfatlabel,
/sbin/mkreiserfs, /sbin/xfs_growfs, /usr/sbin/cfdisk, /usr/sbin/e2fsck,
/usr/sbin/e4fsck, /usr/sbin/findfs, /usr/sbin/hdparm, /usr/sbin/lsraid,
/usr/sbin/mke2fs, /usr/sbin/mke4fs, /usr/sbin/mkraid, /usr/sbin/parted,
/usr/sbin/sfdisk, /sbin/e2mmpstatus, /sbin/install-mbr, /sbin/raidautorun,
/usr/bin/syslinux, /usr/sbin/dosfsck, /usr/sbin/e2label, /usr/sbin/mkdosfs,
/usr/sbin/mkudffs, /usr/sbin/swapoff, /usr/sbin/tune2fs, /sbin/make_reiser4,
/usr/sbin/blockdev, /usr/sbin/dumpe2fs, /usr/sbin/pktsetup, /usr/sbin/smartctl,
/usr/sbin/udflabel, /usr/sbin/partprobe, /usr/sbin/raidstart,
/usr/sbin/scsi_info, /usr/sbin/exfatlabel, /usr/sbin/mkreiserfs,
/usr/sbin/xfs_growfs, /usr/sbin/clubufflush, /usr/sbin/e2mmpstatus,
/usr/sbin/install-mbr, /usr/sbin/raidautorun, /usr/sbin/make_reiser4,
/usr/bin/partition_uuid, /usr/bin/scsi_unique_id, /usr/sbin/pktcdvd-check,
/usr/lib/systemd/systemd-fsck, /usr/lib/systemd/systemd-growfs,
/usr/lib/systemd/systemd-makefs

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux fsadm policy is very flexible, allowing users to set up their fsadm processes in as secure a manner as possible.

The following process types are defined for fsadm:

fsadm_t

Note: semanage permissive -a fsadm_t can be used to make the process type fsadm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.

BOOLEANS
SELinux policy is customizable based on the least access required. fsadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fsadm with the tightest access possible.

If you want to deny user domain applications the ability to map a memory region as both executable and writable, you must turn on the deny_execmem boolean. Such mappings are dangerous, and an executable that needs them should be reported in bugzilla. Disabled by default.

setsebool -P deny_execmem 1

If you want to allow mapping of a low area of the address space, below the limit configured by /proc/sys/vm/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Disabled by default.

setsebool -P secure_mode_insmod 1

If you want to allow unconfined executables to make their heap memory executable, you must turn on the selinuxuser_execheap boolean. Doing this is a really bad idea: it probably indicates a badly coded executable, but could indicate an attack, and the executable should be reported in bugzilla. Disabled by default.

setsebool -P selinuxuser_execheap 1

If you want to allow unconfined executables to make their stack executable, you must turn on the selinuxuser_execstack boolean. This should never, ever be necessary: it probably indicates a badly coded executable, but could indicate an attack, and the executable should be reported in bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1

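The booleans above are the knobs an administrator is most likely to flip and then forget. The following drift check is an added example, not part of this sepolicy-generated page: it compares `getsebool -a` output against the defaults documented in this section and reports every boolean that differs. The function names and the embedded sample output are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the sepolicy-generated man page): report booleans
# listed in the BOOLEANS section whose current value differs from the
# documented default. Input is `getsebool -a` output ("name --> on|off");
# a constructed sample is embedded so the check runs offline.

# Boolean names and defaults exactly as stated in this manual page.
fsadm_boolean_defaults() {
    cat <<'EOF'
deny_execmem off
mmap_low_allowed off
nis_enabled off
secure_mode_insmod off
selinuxuser_execheap off
selinuxuser_execstack on
EOF
}

# Read getsebool output on stdin. Print "name current default" for every
# boolean whose current value differs from the documented default ("unset"
# when the loaded policy does not define it). Return 0 when nothing drifted.
fsadm_boolean_drift() {
    getsebool_out=$(cat)
    rc=0
    while read -r name default; do
        current=$(printf '%s\n' "$getsebool_out" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        [ -z "$current" ] && current=unset
        if [ "$current" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$current" "$default"
            rc=1
        fi
    done <<EOF
$(fsadm_boolean_defaults)
EOF
    return $rc
}

# Constructed sample in getsebool -a format (not captured from a real host):
# mmap_low_allowed was switched on and selinuxuser_execstack switched off.
SAMPLE_GETSEBOOL='deny_execmem --> off
mmap_low_allowed --> on
nis_enabled --> off
secure_mode_insmod --> off
selinuxuser_execheap --> off
selinuxuser_execstack --> off'

printf '%s\n' "$SAMPLE_GETSEBOOL" | fsadm_boolean_drift ||
    echo "booleans differ from the defaults documented in fsadm_selinux(8)"
```

On a live host, pipe the real output in with `getsebool -a | fsadm_boolean_drift`; a non-zero exit from the function is the signal to investigate who changed the boolean and why.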
MANAGED FILES
The SELinux process type fsadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

file_type

all files on the system

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux fsadm policy is very flexible, allowing users to set up their fsadm processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for fsadm. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t fsadm_exec_t '/srv/fsadm/content(/.*)?'
restorecon -R -v /srv/fsadm/content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for fsadm:

fsadm_exec_t

- Set files with the fsadm_exec_t type, if you want to transition an executable to the fsadm_t domain.

Paths:
/sbin/fsck.*, /sbin/jfs_.*, /sbin/mkfs.*, /sbin/dump.exfat, /sbin/tune.exfat,
/sbin/swapon.*, /sbin/resize.*fs, /sbin/losetup.*, /usr/sbin/fsck.*,
/usr/sbin/jfs_.*, /usr/sbin/mkfs.*, /usr/sbin/dump.exfat, /usr/sbin/tune.exfat,
/sbin/reiserfs(ck|tune), /usr/sbin/swapon.*, /usr/sbin/resize.*fs,
/usr/sbin/losetup.*, /usr/sbin/reiserfs(ck|tune), /sbin/dump, /sbin/blkid,
/sbin/fdisk, /sbin/partx, /sbin/cfdisk, /sbin/e2fsck, /sbin/e4fsck, /sbin/findfs,
/sbin/hdparm, /sbin/lsraid, /sbin/mke2fs, /sbin/mke4fs, /sbin/mkraid,
/sbin/parted, /sbin/sfdisk, /usr/bin/raw, /sbin/dosfsck, /sbin/e2label,
/sbin/mkdosfs, /sbin/swapoff, /sbin/tune2fs, /sbin/blockdev, /sbin/dumpe2fs,
/usr/sbin/dump, /sbin/partprobe, /sbin/raidstart, /sbin/scsi_info,
/usr/sbin/blkid, /usr/sbin/fdisk, /usr/sbin/partx, /sbin/exfatlabel,
/sbin/mkreiserfs, /sbin/xfs_growfs, /usr/sbin/cfdisk, /usr/sbin/e2fsck,
/usr/sbin/e4fsck, /usr/sbin/findfs, /usr/sbin/hdparm, /usr/sbin/lsraid,
/usr/sbin/mke2fs, /usr/sbin/mke4fs, /usr/sbin/mkraid, /usr/sbin/parted,
/usr/sbin/sfdisk, /sbin/e2mmpstatus, /sbin/install-mbr, /sbin/raidautorun,
/usr/bin/syslinux, /usr/sbin/dosfsck, /usr/sbin/e2label, /usr/sbin/mkdosfs,
/usr/sbin/mkudffs, /usr/sbin/swapoff, /usr/sbin/tune2fs, /sbin/make_reiser4,
/usr/sbin/blockdev, /usr/sbin/dumpe2fs, /usr/sbin/pktsetup, /usr/sbin/smartctl,
/usr/sbin/udflabel, /usr/sbin/partprobe, /usr/sbin/raidstart,
/usr/sbin/scsi_info, /usr/sbin/exfatlabel, /usr/sbin/mkreiserfs,
/usr/sbin/xfs_growfs, /usr/sbin/clubufflush, /usr/sbin/e2mmpstatus,
/usr/sbin/install-mbr, /usr/sbin/raidautorun, /usr/sbin/make_reiser4,
/usr/bin/partition_uuid, /usr/bin/scsi_unique_id, /usr/sbin/pktcdvd-check,
/usr/lib/systemd/systemd-fsck, /usr/lib/systemd/systemd-growfs,
/usr/lib/systemd/systemd-makefs

fsadm_log_t

- Set files with the fsadm_log_t type, if you want to treat the data as fsadm log data, usually stored under the /var/log directory.

fsadm_tmp_t

- Set files with the fsadm_tmp_t type, if you want to store fsadm temporary files in the /tmp directories.

fsadm_tmpfs_t

- Set files with the fsadm_tmpfs_t type, if you want to store fsadm files on a tmpfs file system.

fsadm_var_run_t

- Set files with the fsadm_var_run_t type, if you want to store the fsadm files under the /run or /var/run directory.

Paths:
/var/run/fsck(/.*)?, /var/run/blkid(/.*)?

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will then need to use restorecon to apply the labels.

COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

fsadm 23-10-20 fsadm_selinux(8)