564 lines
19 KiB
Plaintext
564 lines
19 KiB
Plaintext
#
|
|
# Declarations for type attributes.
|
|
#
|
|
|
|
# A type attribute can be used to identify a set of types with a similar
|
|
# property. Each type can have any number of attributes, and each
|
|
# attribute can be associated with any number of types. Attributes are
|
|
# explicitly declared here, and can then be associated with particular
|
|
# types in type declarations. Attribute names can then be used throughout
|
|
# the configuration to express the set of types that are associated with
|
|
# the attribute. Attributes have no implicit meaning to SELinux. The
|
|
# meaning of all attributes are completely defined through their
|
|
# usage within the configuration, but should be documented here as
|
|
# comments preceding the attribute declaration.
|
|
|
|
#####################
|
|
# Attributes for MLS:
|
|
#
|
|
|
|
# Common Terminology
|
|
# MLS Range: low-high
|
|
# low referred to as "Effective Sensitivity Label (SL)"
|
|
# high referred to as "Clearance SL"
|
|
|
|
|
|
#
|
|
# File System MLS attributes/privileges
|
|
#
|
|
# Grant MLS read access to files not dominated by the process Effective SL
|
|
attribute mlsfileread;
|
|
# Grant MLS read access to files which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsfilereadtoclr;
|
|
# Grant MLS write access to files not equal to the Effective SL
|
|
attribute mlsfilewrite;
|
|
# Grant MLS write access to files which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsfilewritetoclr;
|
|
# Grant MLS ability to change file label to a new label which dominates
|
|
# the old label
|
|
attribute mlsfileupgrade;
|
|
# Grant MLS ability to change file label to a new label which is
|
|
# dominated by or incomparable to the old label
|
|
attribute mlsfiledowngrade;
|
|
|
|
#
|
|
# Network MLS attributes/privileges
|
|
#
|
|
# Grant MLS read access to packets not dominated by the process Effective SL
|
|
attribute mlsnetread;
|
|
# Grant MLS read access to packets which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsnetreadtoclr;
|
|
# Grant MLS write access to packets not equal to the Effective SL
|
|
attribute mlsnetwrite;
|
|
# Grant MLS write access to packets which dominate the Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsnetwritetoclr;
|
|
# Grant MLS read access to packets from hosts or interfaces which dominate
|
|
# or incomparable to the process Effective SL
|
|
attribute mlsnetrecvall;
|
|
# Grant MLS ability to change socket label to a new label which dominates
|
|
# the old label
|
|
attribute mlsnetupgrade;
|
|
# Grant MLS ability to change socket label to a new label which is
|
|
# dominated by or incomparable to the old label
|
|
attribute mlsnetdowngrade;
|
|
|
|
#
|
|
# IPC MLS attributes/privileges
|
|
#
|
|
# Grant MLS read access to IPC objects not dominated by the process Effective SL
|
|
attribute mlsipcread;
|
|
# Grant MLS read access to IPC objects which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsipcreadtoclr;
|
|
# Grant MLS write access to IPC objects not equal to the process Effective SL
|
|
attribute mlsipcwrite;
|
|
# Grant MLS write access to IPC objects which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsipcwritetoclr;
|
|
|
|
#
|
|
# Process MLS attributes/privileges
|
|
#
|
|
# Grant MLS read access to processes not dominated by the process Effective SL
|
|
attribute mlsprocread;
|
|
# Grant MLS read access to processes which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsprocreadtoclr;
|
|
# Grant MLS write access to processes not equal to the Effective SL
|
|
attribute mlsprocwrite;
|
|
# Grant MLS write access to processes which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsprocwritetoclr;
|
|
# Grant MLS ability to change Effective SL or Clearance SL of process to a
|
|
# label dominated by the Clearance SL
|
|
attribute mlsprocsetsl;
|
|
|
|
#
|
|
# X Window MLS attributes/privileges
|
|
#
|
|
# Grant MLS read access to X objects not dominated by the process Effective SL
|
|
attribute mlsxwinread;
|
|
# Grant MLS read access to X objects which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsxwinreadtoclr;
|
|
# Grant MLS write access to X objects not equal to the process Effective SL
|
|
attribute mlsxwinwrite;
|
|
# Grant MLS write access to X objects which dominate the process Effective SL
|
|
# and are dominated by the process Clearance SL
|
|
attribute mlsxwinwritetoclr;
|
|
# Grant MLS read access to X properties not dominated by
|
|
# the process Effective SL
|
|
attribute mlsxwinreadproperty;
|
|
# Grant MLS write access to X properties not equal to the process Effective SL
|
|
attribute mlsxwinwriteproperty;
|
|
# Grant MLS read access to X colormaps not dominated by
|
|
# the process Effective SL
|
|
attribute mlsxwinreadcolormap;
|
|
# Grant MLS write access to X colormaps not equal to the process Effective SL
|
|
attribute mlsxwinwritecolormap;
|
|
# Grant MLS write access to X xinputs not equal to the process Effective SL
|
|
attribute mlsxwinwritexinput;
|
|
|
|
# Grant MLS read/write access to objects which internally arbitrate MLS
|
|
attribute mlstrustedobject;
|
|
|
|
#
|
|
# Both of the following attributes are needed for a range transition to succeed
|
|
#
|
|
# Grant ability for the current domain to change SL upon process transition
|
|
attribute privrangetrans;
|
|
# Grant ability for the new process domain to change SL upon process transition
|
|
attribute mlsrangetrans;
|
|
|
|
#########################
|
|
# Attributes for domains:
|
|
#
|
|
|
|
# The domain attribute identifies every type that can be
|
|
# assigned to a process. This attribute is used in TE rules
|
|
# that should be applied to all domains, e.g. permitting
|
|
# init to kill all processes.
|
|
attribute domain;
|
|
|
|
# The daemon attribute identifies domains for system processes created via
|
|
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
|
|
attribute daemon;
|
|
|
|
# The privuser attribute identifies every domain that can
|
|
# change its SELinux user identity. This attribute is used
|
|
# in the constraints configuration. NOTE: This attribute
|
|
# is not required for domains that merely change the Linux
|
|
# uid attributes, only for domains that must change the
|
|
# SELinux user identity. Also note that this attribute makes
|
|
# no sense without the privrole attribute.
|
|
attribute privuser;
|
|
|
|
# The privrole attribute identifies every domain that can
|
|
# change its SELinux role. This attribute is used in the
|
|
# constraints configuration.
|
|
attribute privrole;
|
|
|
|
# The userspace_objmgr attribute identifies every domain
|
|
# which enforces its own policy.
|
|
attribute userspace_objmgr;
|
|
|
|
# The priv_system_role attribute identifies every domain that can
|
|
# change role from a user role to system_r role, and identity from a user
|
|
# identity to system_u. It is used in the constraints configuration.
|
|
attribute priv_system_role;
|
|
|
|
# The privowner attribute identifies every domain that can
|
|
# assign a different SELinux user identity to a file, or that
|
|
# can create a file with an identity that is not the same as the
|
|
# process identity. This attribute is used in the constraints
|
|
# configuration.
|
|
attribute privowner;
|
|
|
|
# The privlog attribute identifies every domain that can
|
|
# communicate with syslogd through its Unix domain socket.
|
|
# There is an assertion that other domains can not do it,
|
|
# and an allow rule to permit it
|
|
attribute privlog;
|
|
|
|
# The privmodule attribute identifies every domain that can run
|
|
# modprobe, there is an assertion that other domains can not do it,
|
|
# and an allow rule to permit it
|
|
attribute privmodule;
|
|
|
|
# The privsysmod attribute identifies every domain that can have the
|
|
# sys_module capability
|
|
attribute privsysmod;
|
|
|
|
# The privmem attribute identifies every domain that can
|
|
# access kernel memory devices.
|
|
# This attribute is used in the TE assertions to verify
|
|
# that such access is limited to domains that are explicitly
|
|
# tagged with this attribute.
|
|
attribute privmem;
|
|
|
|
# The privkmsg attribute identifies every domain that can
|
|
# read kernel messages (/proc/kmsg)
|
|
# This attribute is used in the TE assertions to verify
|
|
# that such access is limited to domains that are explicitly
|
|
# tagged with this attribute.
|
|
attribute privkmsg;
|
|
|
|
# The privfd attribute identifies every domain that should have
|
|
# file handles inherited widely (IE sshd_t and getty_t).
|
|
attribute privfd;
|
|
|
|
# The privhome attribute identifies every domain that can create files under
|
|
# regular user home directories in the regular context (IE act on behalf of
|
|
# a user in writing regular files)
|
|
attribute privhome;
|
|
|
|
# The auth attribute identifies every domain that needs
|
|
# to read /etc/shadow, and grants the permission.
|
|
attribute auth;
|
|
|
|
# The auth_bool attribute identifies every domain that can
|
|
# read /etc/shadow if its boolean is set;
|
|
attribute auth_bool;
|
|
|
|
# The auth_write attribute identifies every domain that can have write or
|
|
# relabel access to /etc/shadow, but does not grant it.
|
|
attribute auth_write;
|
|
|
|
# The auth_chkpwd attribute identifies every system domain that can
|
|
# authenticate users by running unix_chkpwd
|
|
attribute auth_chkpwd;
|
|
|
|
# The change_context attribute identifies setfiles_t, restorecon_t, and other
|
|
# system domains that change the context of most/all files on the system
|
|
attribute change_context;
|
|
|
|
# The etc_writer attribute identifies every domain that can write to etc_t
|
|
attribute etc_writer;
|
|
|
|
# The sysctl_kernel_writer attribute identifies domains that can write to
|
|
# sysctl_kernel_t, in addition the admin attribute is permitted write access
|
|
attribute sysctl_kernel_writer;
|
|
|
|
# the sysctl_net_writer attribute identifies domains that can write to
|
|
# sysctl_net_t files.
|
|
attribute sysctl_net_writer;
|
|
|
|
# The sysctl_type attribute identifies every type that is assigned
|
|
# to a sysctl entry. This can be used in allow rules to grant
|
|
# permissions to all sysctl entries without enumerating each individual
|
|
# type, but should be used with care.
|
|
attribute sysctl_type;
|
|
|
|
# The admin attribute identifies every administrator domain.
|
|
# It is used in TE assertions when verifying that only administrator
|
|
# domains have certain permissions.
|
|
# This attribute is presently associated with sysadm_t and
|
|
# certain administrator utility domains.
|
|
# XXX The use of this attribute should be reviewed for consistency.
|
|
# XXX Might want to partition into several finer-grained attributes
|
|
# XXX used in different assertions within assert.te.
|
|
attribute admin;
|
|
|
|
# The secadmin attribute identifies every security administrator domain.
|
|
# It is used in TE assertions when verifying that only administrator
|
|
# domains have certain permissions.
|
|
# This attribute is presently associated with sysadm_t and secadm_t
|
|
attribute secadmin;
|
|
|
|
# The userdomain attribute identifies every user domain, presently
|
|
# user_t and sysadm_t. It is used in TE rules that should be applied
|
|
# to all user domains.
|
|
attribute userdomain;
|
|
|
|
# for a small domain that can only be used for newrole
|
|
attribute user_mini_domain;
|
|
|
|
# pty for the mini domain
|
|
attribute mini_pty_type;
|
|
|
|
# pty created by a server such as sshd
|
|
attribute server_pty;
|
|
|
|
# attribute for all non-administrative devpts types
|
|
attribute userpty_type;
|
|
|
|
# The user_tty_type identifies every type for a tty or pty owned by an
|
|
# unpriviledged user
|
|
attribute user_tty_type;
|
|
|
|
# The admin_tty_type identifies every type for a tty or pty owned by a
|
|
# priviledged user
|
|
attribute admin_tty_type;
|
|
|
|
# The user_crond_domain attribute identifies every user_crond domain, presently
|
|
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
|
|
# applied to all user domains.
|
|
attribute user_crond_domain;
|
|
|
|
# The unpriv_userdomain identifies non-administrative users (default user_t)
|
|
attribute unpriv_userdomain;
|
|
|
|
# This attribute is for the main user home directory for unpriv users
|
|
attribute user_home_dir_type;
|
|
|
|
# The gphdomain attribute identifies every gnome-pty-helper derived
|
|
# domain. It is used in TE rules to permit inheritance and use of
|
|
# descriptors created by these domains.
|
|
attribute gphdomain;
|
|
|
|
# The fs_domain identifies every domain that may directly access a fixed disk
|
|
attribute fs_domain;
|
|
|
|
# This attribute is for all domains for the userhelper program.
|
|
attribute userhelperdomain;
|
|
|
|
############################
|
|
# Attributes for file types:
|
|
#
|
|
|
|
# The file_type attribute identifies all types assigned to files
|
|
# in persistent filesystems. It is used in TE rules to permit
|
|
# the association of all such file types with persistent filesystem
|
|
# types, and to permit certain domains to access all such types as
|
|
# appropriate.
|
|
attribute file_type;
|
|
|
|
# The secure_file_type attribute identifies files
|
|
# which will be treated with a higer level of security.
|
|
# Most domains will be prevented from manipulating files in this domain
|
|
attribute secure_file_type;
|
|
|
|
# The device_type attribute identifies all types assigned to device nodes
|
|
attribute device_type;
|
|
|
|
# The proc_fs attribute identifies all types that may be assigned to
|
|
# files under /proc.
|
|
attribute proc_fs;
|
|
|
|
# The dev_fs attribute identifies all types that may be assigned to
|
|
# files, sockets, or pipes under /dev.
|
|
attribute dev_fs;
|
|
|
|
# The sysadmfile attribute identifies all types assigned to files
|
|
# that should be completely accessible to administrators. It is used
|
|
# in TE rules to grant such access for administrator domains.
|
|
attribute sysadmfile;
|
|
|
|
# The secadmfile attribute identifies all types assigned to files
|
|
# that should be only accessible to security administrators. It is used
|
|
# in TE rules to grant such access for security administrator domains.
|
|
attribute secadmfile;
|
|
|
|
# The fs_type attribute identifies all types assigned to filesystems
|
|
# (not limited to persistent filesystems).
|
|
# It is used in TE rules to permit certain domains to mount
|
|
# any filesystem and to permit most domains to obtain the
|
|
# overall filesystem statistics.
|
|
attribute fs_type;
|
|
|
|
# The mount_point attribute identifies all types that can serve
|
|
# as a mount point (for the mount binary). It is used in the mount
|
|
# policy to grant mounton permission, and in other domains to grant
|
|
# getattr permission over all the mount points.
|
|
attribute mount_point;
|
|
|
|
# The exec_type attribute identifies all types assigned
|
|
# to entrypoint executables for domains. This attribute is
|
|
# used in TE rules and assertions that should be applied to all
|
|
# such executables.
|
|
attribute exec_type;
|
|
|
|
# The tmpfile attribute identifies all types assigned to temporary
|
|
# files. This attribute is used in TE rules to grant certain
|
|
# domains the ability to remove all such files (e.g. init, crond).
|
|
attribute tmpfile;
|
|
|
|
# The user_tmpfile attribute identifies all types associated with temporary
|
|
# files for unpriv_userdomain domains.
|
|
attribute user_tmpfile;
|
|
|
|
# for the user_xserver_tmp_t etc
|
|
attribute xserver_tmpfile;
|
|
|
|
# The tmpfsfile attribute identifies all types defined for tmpfs
|
|
# type transitions.
|
|
# It is used in TE rules to grant certain domains the ability to
|
|
# access all such files.
|
|
attribute tmpfsfile;
|
|
|
|
# The home_type attribute identifies all types assigned to home
|
|
# directories. This attribute is used in TE rules to grant certain
|
|
# domains the ability to access all home directory types.
|
|
attribute home_type;
|
|
|
|
# This attribute is for the main user home directory /home/user, to
|
|
# distinguish it from sub-dirs. Often you want a process to be able to
|
|
# read the user home directory but not read the regular directories under it.
|
|
attribute home_dir_type;
|
|
|
|
# The ttyfile attribute identifies all types assigned to ttys.
|
|
# It is used in TE rules to grant certain domains the ability to
|
|
# access all ttys.
|
|
attribute ttyfile;
|
|
|
|
# The ptyfile attribute identifies all types assigned to ptys.
|
|
# It is used in TE rules to grant certain domains the ability to
|
|
# access all ptys.
|
|
attribute ptyfile;
|
|
|
|
# The pidfile attribute identifies all types assigned to pid files.
|
|
# It is used in TE rules to grant certain domains the ability to
|
|
# access all such files.
|
|
attribute pidfile;
|
|
|
|
|
|
############################
|
|
# Attributes for network types:
|
|
#
|
|
|
|
# The socket_type attribute identifies all types assigned to
|
|
# kernel-created sockets. Ordinary sockets are assigned the
|
|
# domain of the creating process.
|
|
# XXX This attribute is unused. Remove?
|
|
attribute socket_type;
|
|
|
|
# Identifies all types assigned to port numbers to control binding.
|
|
attribute port_type;
|
|
|
|
# Identifies all types assigned to reserved port (<1024) numbers to control binding.
|
|
attribute reserved_port_type;
|
|
|
|
# Identifies all types assigned to network interfaces to control
|
|
# operations on the interface (XXX obsolete, not supported via LSM)
|
|
# and to control traffic sent or received on the interface.
|
|
attribute netif_type;
|
|
|
|
# Identifies all default types assigned to packets received
|
|
# on network interfaces.
|
|
attribute netmsg_type;
|
|
|
|
# Identifies all types assigned to network nodes/hosts to control
|
|
# traffic sent to or received from the node.
|
|
attribute node_type;
|
|
|
|
# Identifier for log files or directories that only exist for log files.
|
|
attribute logfile;
|
|
|
|
# Identifier for lock files (/var/lock/*) or directories that only exist for
|
|
# lock files.
|
|
attribute lockfile;
|
|
|
|
|
|
|
|
##############################
|
|
# Attributes for security policy types:
|
|
#
|
|
|
|
# The login_contexts attribute idenitifies the files used
|
|
# to define default contexts for login types (e.g., login, cron).
|
|
attribute login_contexts;
|
|
|
|
# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
|
|
# sysadm_mail_t, etc)
|
|
attribute user_mail_domain;
|
|
|
|
# Identifies domains that can transition to system_mail_t
|
|
attribute privmail;
|
|
|
|
# Type for non-sysadm home directory
|
|
attribute user_home_type;
|
|
|
|
# For domains that are part of a mail server and need to read user files and
|
|
# fifos, and inherit file handles to enable user email to get to the mail
|
|
# spool
|
|
attribute mta_user_agent;
|
|
|
|
# For domains that are part of a mail server for delivering messages to the
|
|
# user
|
|
attribute mta_delivery_agent;
|
|
|
|
# For domains that make outbound TCP port 25 connections to send mail from the
|
|
# mail server.
|
|
attribute mail_server_sender;
|
|
|
|
# For a mail server process that takes TCP connections on port 25
|
|
attribute mail_server_domain;
|
|
|
|
# For web clients such as netscape and squid
|
|
attribute web_client_domain;
|
|
|
|
# For X Window System server domains
|
|
attribute xserver;
|
|
|
|
# For X Window System client domains
|
|
attribute xclient;
|
|
|
|
# For X Window System protocol extensions
|
|
attribute xextension;
|
|
|
|
# For X Window System property types
|
|
attribute xproperty;
|
|
|
|
#
|
|
# For file systems that do not have extended attributes but need to be
|
|
# r/w by users
|
|
#
|
|
attribute noexattrfile;
|
|
|
|
#
|
|
# For filetypes that the usercan read
|
|
#
|
|
attribute usercanread;
|
|
|
|
#
|
|
# For serial devices
|
|
#
|
|
attribute serial_device;
|
|
|
|
# Attribute to designate unrestricted access
|
|
attribute unrestricted;
|
|
|
|
# Attribute to designate can transition to unconfined_t
|
|
attribute unconfinedtrans;
|
|
|
|
# For clients of nscd.
|
|
attribute nscd_client_domain;
|
|
|
|
# For clients of nscd that can use shmem interface.
|
|
attribute nscd_shmem_domain;
|
|
|
|
# For labeling of content for httpd. This attribute is only used by
|
|
# the httpd_unified domain, which says treat all httpdcontent the
|
|
# same. If you want content to be served in a "non-unified" system
|
|
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
|
|
# your policy.
|
|
attribute httpdcontent;
|
|
|
|
# For labeling of domains whos transition can be disabled
|
|
attribute transitionbool;
|
|
|
|
# For labeling of file_context domains which users can change files to rather
|
|
# then the default file context. These file_context can survive a relabeling
|
|
# of the file system.
|
|
attribute customizable;
|
|
|
|
##############################
|
|
# Attributes for polyinstatiation support:
|
|
#
|
|
|
|
# For labeling types that are to be polyinstantiated
|
|
attribute polydir;
|
|
|
|
# And for labeling the parent directories of those polyinstantiated directories
|
|
# This is necessary for remounting the original in the parent to give
|
|
# security aware apps access
|
|
attribute polyparent;
|
|
|
|
# And labeling for the member directories
|
|
attribute polymember;
|
|
|