selinux-policy/targeted/attrib.te

564 lines
19 KiB
Plaintext
Raw Normal View History

2005-10-21 18:05:21 +00:00
#
# Declarations for type attributes.
#
# A type attribute can be used to identify a set of types with a similar
# property. Each type can have any number of attributes, and each
# attribute can be associated with any number of types. Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations. Attribute names can then be used throughout
# the configuration to express the set of types that are associated with
# the attribute. Attributes have no implicit meaning to SELinux. The
# meaning of all attributes are completely defined through their
# usage within the configuration, but should be documented here as
# comments preceding the attribute declaration.
#####################
# Attributes for MLS:
#
# Common Terminology
# MLS Range: low-high
# low referred to as "Effective Sensitivity Label (SL)"
# high referred to as "Clearance SL"
#
# File System MLS attributes/privileges
#
# Grant MLS read access to files not dominated by the process Effective SL
attribute mlsfileread;
# Grant MLS read access to files which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsfilereadtoclr;
# Grant MLS write access to files not equal to the Effective SL
attribute mlsfilewrite;
# Grant MLS write access to files which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsfilewritetoclr;
# Grant MLS ability to change file label to a new label which dominates
# the old label
attribute mlsfileupgrade;
# Grant MLS ability to change file label to a new label which is
# dominated by or incomparable to the old label
attribute mlsfiledowngrade;
#
# Network MLS attributes/privileges
#
# Grant MLS read access to packets not dominated by the process Effective SL
attribute mlsnetread;
# Grant MLS read access to packets which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsnetreadtoclr;
# Grant MLS write access to packets not equal to the Effective SL
attribute mlsnetwrite;
# Grant MLS write access to packets which dominate the Effective SL
# and are dominated by the process Clearance SL
attribute mlsnetwritetoclr;
# Grant MLS read access to packets from hosts or interfaces which dominate
# or incomparable to the process Effective SL
attribute mlsnetrecvall;
# Grant MLS ability to change socket label to a new label which dominates
# the old label
attribute mlsnetupgrade;
# Grant MLS ability to change socket label to a new label which is
# dominated by or incomparable to the old label
attribute mlsnetdowngrade;
#
# IPC MLS attributes/privileges
#
# Grant MLS read access to IPC objects not dominated by the process Effective SL
attribute mlsipcread;
# Grant MLS read access to IPC objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsipcreadtoclr;
# Grant MLS write access to IPC objects not equal to the process Effective SL
attribute mlsipcwrite;
# Grant MLS write access to IPC objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsipcwritetoclr;
#
# Process MLS attributes/privileges
#
# Grant MLS read access to processes not dominated by the process Effective SL
attribute mlsprocread;
# Grant MLS read access to processes which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsprocreadtoclr;
# Grant MLS write access to processes not equal to the Effective SL
attribute mlsprocwrite;
# Grant MLS write access to processes which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsprocwritetoclr;
# Grant MLS ability to change Effective SL or Clearance SL of process to a
# label dominated by the Clearance SL
attribute mlsprocsetsl;
#
# X Window MLS attributes/privileges
#
# Grant MLS read access to X objects not dominated by the process Effective SL
attribute mlsxwinread;
# Grant MLS read access to X objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsxwinreadtoclr;
# Grant MLS write access to X objects not equal to the process Effective SL
attribute mlsxwinwrite;
# Grant MLS write access to X objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsxwinwritetoclr;
# Grant MLS read access to X properties not dominated by
# the process Effective SL
attribute mlsxwinreadproperty;
# Grant MLS write access to X properties not equal to the process Effective SL
attribute mlsxwinwriteproperty;
# Grant MLS read access to X colormaps not dominated by
# the process Effective SL
attribute mlsxwinreadcolormap;
# Grant MLS write access to X colormaps not equal to the process Effective SL
attribute mlsxwinwritecolormap;
# Grant MLS write access to X xinputs not equal to the process Effective SL
attribute mlsxwinwritexinput;
# Grant MLS read/write access to objects which internally arbitrate MLS
attribute mlstrustedobject;
#
# Both of the following attributes are needed for a range transition to succeed
#
# Grant ability for the current domain to change SL upon process transition
attribute privrangetrans;
# Grant ability for the new process domain to change SL upon process transition
attribute mlsrangetrans;
#########################
# Attributes for domains:
#
# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;
# The daemon attribute identifies domains for system processes created via
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
attribute daemon;
# The privuser attribute identifies every domain that can
# change its SELinux user identity. This attribute is used
# in the constraints configuration. NOTE: This attribute
# is not required for domains that merely change the Linux
# uid attributes, only for domains that must change the
# SELinux user identity. Also note that this attribute makes
# no sense without the privrole attribute.
attribute privuser;
# The privrole attribute identifies every domain that can
# change its SELinux role. This attribute is used in the
# constraints configuration.
attribute privrole;
# The userspace_objmgr attribute identifies every domain
# which enforces its own policy.
attribute userspace_objmgr;
# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r role, and identity from a user
# identity to system_u. It is used in the constraints configuration.
attribute priv_system_role;
# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that is not the same as the
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;
# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# There is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privlog;
# The privmodule attribute identifies every domain that can run
# modprobe, there is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privmodule;
# The privsysmod attribute identifies every domain that can have the
# sys_module capability
attribute privsysmod;
# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privmem;
# The privkmsg attribute identifies every domain that can
# read kernel messages (/proc/kmsg)
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privkmsg;
# The privfd attribute identifies every domain that should have
# file handles inherited widely (IE sshd_t and getty_t).
attribute privfd;
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;
# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
attribute auth;
# The auth_bool attribute identifies every domain that can
# read /etc/shadow if its boolean is set;
attribute auth_bool;
# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;
# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd
attribute auth_chkpwd;
# The change_context attribute identifies setfiles_t, restorecon_t, and other
# system domains that change the context of most/all files on the system
attribute change_context;
# The etc_writer attribute identifies every domain that can write to etc_t
attribute etc_writer;
# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t, in addition the admin attribute is permitted write access
attribute sysctl_kernel_writer;
# the sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;
# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry. This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care.
attribute sysctl_type;
# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.
attribute admin;
# The secadmin attribute identifies every security administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and secadm_t
attribute secadmin;
# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;
# for a small domain that can only be used for newrole
attribute user_mini_domain;
# pty for the mini domain
attribute mini_pty_type;
# pty created by a server such as sshd
attribute server_pty;
# attribute for all non-administrative devpts types
attribute userpty_type;
# The user_tty_type identifies every type for a tty or pty owned by an
# unpriviledged user
attribute user_tty_type;
# The admin_tty_type identifies every type for a tty or pty owned by a
# priviledged user
attribute admin_tty_type;
# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
# applied to all user domains.
attribute user_crond_domain;
# The unpriv_userdomain identifies non-administrative users (default user_t)
attribute unpriv_userdomain;
# This attribute is for the main user home directory for unpriv users
attribute user_home_dir_type;
# The gphdomain attribute identifies every gnome-pty-helper derived
# domain. It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.
attribute gphdomain;
# The fs_domain identifies every domain that may directly access a fixed disk
attribute fs_domain;
# This attribute is for all domains for the userhelper program.
attribute userhelperdomain;
############################
# Attributes for file types:
#
# The file_type attribute identifies all types assigned to files
# in persistent filesystems. It is used in TE rules to permit
# the association of all such file types with persistent filesystem
# types, and to permit certain domains to access all such types as
# appropriate.
attribute file_type;
# The secure_file_type attribute identifies files
# which will be treated with a higer level of security.
# Most domains will be prevented from manipulating files in this domain
attribute secure_file_type;
# The device_type attribute identifies all types assigned to device nodes
attribute device_type;
# The proc_fs attribute identifies all types that may be assigned to
# files under /proc.
attribute proc_fs;
# The dev_fs attribute identifies all types that may be assigned to
# files, sockets, or pipes under /dev.
attribute dev_fs;
# The sysadmfile attribute identifies all types assigned to files
# that should be completely accessible to administrators. It is used
# in TE rules to grant such access for administrator domains.
attribute sysadmfile;
# The secadmfile attribute identifies all types assigned to files
# that should be only accessible to security administrators. It is used
# in TE rules to grant such access for security administrator domains.
attribute secadmfile;
# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
# any filesystem and to permit most domains to obtain the
# overall filesystem statistics.
attribute fs_type;
# The mount_point attribute identifies all types that can serve
# as a mount point (for the mount binary). It is used in the mount
# policy to grant mounton permission, and in other domains to grant
# getattr permission over all the mount points.
attribute mount_point;
# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains. This attribute is
# used in TE rules and assertions that should be applied to all
# such executables.
attribute exec_type;
# The tmpfile attribute identifies all types assigned to temporary
# files. This attribute is used in TE rules to grant certain
# domains the ability to remove all such files (e.g. init, crond).
attribute tmpfile;
# The user_tmpfile attribute identifies all types associated with temporary
# files for unpriv_userdomain domains.
attribute user_tmpfile;
# for the user_xserver_tmp_t etc
attribute xserver_tmpfile;
# The tmpfsfile attribute identifies all types defined for tmpfs
# type transitions.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute tmpfsfile;
# The home_type attribute identifies all types assigned to home
# directories. This attribute is used in TE rules to grant certain
# domains the ability to access all home directory types.
attribute home_type;
# This attribute is for the main user home directory /home/user, to
# distinguish it from sub-dirs. Often you want a process to be able to
# read the user home directory but not read the regular directories under it.
attribute home_dir_type;
# The ttyfile attribute identifies all types assigned to ttys.
# It is used in TE rules to grant certain domains the ability to
# access all ttys.
attribute ttyfile;
# The ptyfile attribute identifies all types assigned to ptys.
# It is used in TE rules to grant certain domains the ability to
# access all ptys.
attribute ptyfile;
# The pidfile attribute identifies all types assigned to pid files.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute pidfile;
############################
# Attributes for network types:
#
# The socket_type attribute identifies all types assigned to
# kernel-created sockets. Ordinary sockets are assigned the
# domain of the creating process.
# XXX This attribute is unused. Remove?
attribute socket_type;
# Identifies all types assigned to port numbers to control binding.
attribute port_type;
# Identifies all types assigned to reserved port (<1024) numbers to control binding.
attribute reserved_port_type;
# Identifies all types assigned to network interfaces to control
# operations on the interface (XXX obsolete, not supported via LSM)
# and to control traffic sent or received on the interface.
attribute netif_type;
# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;
# Identifies all types assigned to network nodes/hosts to control
# traffic sent to or received from the node.
attribute node_type;
# Identifier for log files or directories that only exist for log files.
attribute logfile;
# Identifier for lock files (/var/lock/*) or directories that only exist for
# lock files.
attribute lockfile;
##############################
# Attributes for security policy types:
#
# The login_contexts attribute idenitifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;
# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
# sysadm_mail_t, etc)
attribute user_mail_domain;
# Identifies domains that can transition to system_mail_t
attribute privmail;
# Type for non-sysadm home directory
attribute user_home_type;
# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles to enable user email to get to the mail
# spool
attribute mta_user_agent;
# For domains that are part of a mail server for delivering messages to the
# user
attribute mta_delivery_agent;
# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;
# For a mail server process that takes TCP connections on port 25
attribute mail_server_domain;
# For web clients such as netscape and squid
attribute web_client_domain;
# For X Window System server domains
attribute xserver;
# For X Window System client domains
attribute xclient;
# For X Window System protocol extensions
attribute xextension;
# For X Window System property types
attribute xproperty;
#
# For file systems that do not have extended attributes but need to be
# r/w by users
#
attribute noexattrfile;
#
# For filetypes that the usercan read
#
attribute usercanread;
#
# For serial devices
#
attribute serial_device;
# Attribute to designate unrestricted access
attribute unrestricted;
# Attribute to designate can transition to unconfined_t
attribute unconfinedtrans;
# For clients of nscd.
attribute nscd_client_domain;
# For clients of nscd that can use shmem interface.
attribute nscd_shmem_domain;
# For labeling of content for httpd. This attribute is only used by
# the httpd_unified domain, which says treat all httpdcontent the
# same. If you want content to be served in a "non-unified" system
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
# your policy.
attribute httpdcontent;
# For labeling of domains whos transition can be disabled
attribute transitionbool;
# For labeling of file_context domains which users can change files to rather
# then the default file context. These file_context can survive a relabeling
# of the file system.
attribute customizable;
##############################
# Attributes for polyinstatiation support:
#
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;