#
# Declarations for type attributes.
#
# A type attribute can be used to identify a set of types with a similar
# property. Each type can have any number of attributes, and each
# attribute can be associated with any number of types. Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations. Attribute names can then be used throughout
# the configuration to express the set of types that are associated with
# the attribute. Except for the MLS attributes, attributes have no implicit
# meaning to SELinux. The meaning of all other attributes is completely
# defined through their usage within the configuration, but should be
# documented here as comments preceding the attribute declaration.
#####################
# Attributes for MLS:
#
attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;
attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;
attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinupgrade;
attribute mlsxwindowngrade;
attribute mlstrustedobject;
attribute privrangetrans;
attribute mlsrangetrans;
#########################
# Attributes for domains:
#
# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;
# The daemon attribute identifies domains for system processes created via
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
attribute daemon;
# The privuser attribute identifies every domain that can
# change its SELinux user identity. This attribute is used
# in the constraints configuration. NOTE: This attribute
# is not required for domains that merely change the Linux
# uid attributes, only for domains that must change the
# SELinux user identity. Also note that this attribute makes
# no sense without the privrole attribute.
attribute privuser;
# The privrole attribute identifies every domain that can
# change its SELinux role. This attribute is used in the
# constraints configuration.
attribute privrole;
# The userspace_objmgr attribute identifies every domain
# which enforces its own policy.
attribute userspace_objmgr;
# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r role, and identity from a user
# identity to system_u. It is used in the constraints configuration.
attribute priv_system_role;
# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that is not the same as the
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;
# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# There is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privlog;
# The privmodule attribute identifies every domain that can run
# modprobe; there is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privmodule;
# The privsysmod attribute identifies every domain that can have the
# sys_module capability
attribute privsysmod;
# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privmem;
# The privkmsg attribute identifies every domain that can
# read kernel messages (/proc/kmsg)
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privkmsg;
# The privfd attribute identifies every domain that should have
# file handles inherited widely (i.e. sshd_t and getty_t).
attribute privfd;
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (i.e. act on behalf of
# a user in writing regular files)
attribute privhome;
# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
attribute auth;
# The auth_bool attribute identifies every domain that can
# read /etc/shadow if its boolean is set.
attribute auth_bool;
# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;
# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd
attribute auth_chkpwd;
# The change_context attribute identifies setfiles_t, restorecon_t, and other
# system domains that change the context of most/all files on the system
attribute change_context;
# The etc_writer attribute identifies every domain that can write to etc_t
attribute etc_writer;
# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t; in addition, the admin attribute is permitted write access
attribute sysctl_kernel_writer;
# the sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;
# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry. This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care.
attribute sysctl_type;
# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.
attribute admin;
# The secadmin attribute identifies every security administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and secadm_t
attribute secadmin;
# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;
# for a small domain that can only be used for newrole
attribute user_mini_domain;
# pty for the mini domain
attribute mini_pty_type;
# pty created by a server such as sshd
attribute server_pty;
# attribute for all non-administrative devpts types
attribute userpty_type;
# The user_tty_type identifies every type for a tty or pty owned by an
# unprivileged user
attribute user_tty_type;
# The admin_tty_type identifies every type for a tty or pty owned by a
# privileged user
attribute admin_tty_type;
# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
# applied to all user domains.
attribute user_crond_domain;
# The unpriv_userdomain identifies non-administrative users (default user_t)
attribute unpriv_userdomain;
# This attribute is for the main user home directory for unpriv users
attribute user_home_dir_type;
# The gphdomain attribute identifies every gnome-pty-helper derived
# domain. It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.
attribute gphdomain;
# The fs_domain identifies every domain that may directly access a fixed disk
attribute fs_domain;
# This attribute is for all domains for the userhelper program.
attribute userhelperdomain;
############################
# Attributes for file types:
#
# The file_type attribute identifies all types assigned to files
# in persistent filesystems. It is used in TE rules to permit
# the association of all such file types with persistent filesystem
# types, and to permit certain domains to access all such types as
# appropriate.
attribute file_type;
# The secure_file_type attribute identifies files
# which will be treated with a higher level of security.
# Most domains will be prevented from manipulating files with this attribute.
attribute secure_file_type;
# The device_type attribute identifies all types assigned to device nodes
attribute device_type;
# The proc_fs attribute identifies all types that may be assigned to
# files under /proc.
attribute proc_fs;
# The dev_fs attribute identifies all types that may be assigned to
# files, sockets, or pipes under /dev.
attribute dev_fs;
# The sysadmfile attribute identifies all types assigned to files
# that should be completely accessible to administrators. It is used
# in TE rules to grant such access for administrator domains.
attribute sysadmfile;
# The secadmfile attribute identifies all types assigned to files
# that should be only accessible to security administrators. It is used
# in TE rules to grant such access for security administrator domains.
attribute secadmfile;
# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
# any filesystem and to permit most domains to obtain the
# overall filesystem statistics.
attribute fs_type;
# The mount_point attribute identifies all types that can serve
# as a mount point (for the mount binary). It is used in the mount
# policy to grant mounton permission, and in other domains to grant
# getattr permission over all the mount points.
attribute mount_point;
# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains. This attribute is
# used in TE rules and assertions that should be applied to all
# such executables.
attribute exec_type;
# The tmpfile attribute identifies all types assigned to temporary
# files. This attribute is used in TE rules to grant certain
# domains the ability to remove all such files (e.g. init, crond).
attribute tmpfile;
# The user_tmpfile attribute identifies all types associated with temporary
# files for unpriv_userdomain domains.
attribute user_tmpfile;
# for the user_xserver_tmp_t etc
attribute xserver_tmpfile;
# The tmpfsfile attribute identifies all types defined for tmpfs
# type transitions.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute tmpfsfile;
# The home_type attribute identifies all types assigned to home
# directories. This attribute is used in TE rules to grant certain
# domains the ability to access all home directory types.
attribute home_type;
# This attribute is for the main user home directory /home/user, to
# distinguish it from sub-dirs. Often you want a process to be able to
# read the user home directory but not read the regular directories under it.
attribute home_dir_type;
# The ttyfile attribute identifies all types assigned to ttys.
# It is used in TE rules to grant certain domains the ability to
# access all ttys.
attribute ttyfile;
# The ptyfile attribute identifies all types assigned to ptys.
# It is used in TE rules to grant certain domains the ability to
# access all ptys.
attribute ptyfile;
# The pidfile attribute identifies all types assigned to pid files.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute pidfile;
############################
# Attributes for network types:
#
# The socket_type attribute identifies all types assigned to
# kernel-created sockets. Ordinary sockets are assigned the
# domain of the creating process.
# XXX This attribute is unused. Remove?
attribute socket_type;
# Identifies all types assigned to port numbers to control binding.
attribute port_type;
# Identifies all types assigned to reserved port (<1024) numbers to control binding.
attribute reserved_port_type;
# Identifies all types assigned to network interfaces to control
# operations on the interface (XXX obsolete, not supported via LSM)
# and to control traffic sent or received on the interface.
attribute netif_type;
# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;
# Identifies all types assigned to network nodes/hosts to control
# traffic sent to or received from the node.
attribute node_type;
# Identifier for log files or directories that only exist for log files.
attribute logfile;
# Identifier for lock files (/var/lock/*) or directories that only exist for
# lock files.
attribute lockfile;
##############################
# Attributes for security policy types:
#
# The login_contexts attribute identifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;
# Identifier for a domain used by "sendmail -t" (i.e. user_mail_t,
# sysadm_mail_t, etc)
attribute user_mail_domain;
# Identifies domains that can transition to system_mail_t
attribute privmail;
# Type for non-sysadm home directory
attribute user_home_type;
# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles to enable user email to get to the mail
# spool
attribute mta_user_agent;
# For domains that are part of a mail server for delivering messages to the
# user
attribute mta_delivery_agent;
# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;
# For a mail server process that takes TCP connections on port 25
attribute mail_server_domain;
# For web clients such as netscape and squid
attribute web_client_domain;
# For X Window System server domains
attribute xserver;
# For X Window System client domains
attribute xclient;
# For X Window System protocol extensions
attribute xextension;
# For X Window System property types
attribute xproperty;
#
# For file systems that do not have extended attributes but need to be
# r/w by users
#
attribute noexattrfile;
#
# For file types that the user can read
#
attribute usercanread;
#
# For serial devices
#
attribute serial_device;
# Attribute to designate unrestricted access
attribute unrestricted;
# Attribute to designate domains that can transition to unconfined_t
attribute unconfinedtrans;
# For clients of nscd.
attribute nscd_client_domain;
# For clients of nscd that can use shmem interface.
attribute nscd_shmem_domain;
# For labeling of content for httpd. This attribute is only used by
# the httpd_unified domain, which says treat all httpdcontent the
# same. If you want content to be served in a "non-unified" system
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
# your policy.
attribute httpdcontent;
# For labeling of domains whose transition can be disabled
attribute transitionbool;
# For labeling of file_context domains which users can change files to rather
# than the default file context. These file contexts can survive a relabeling
# of the file system.
attribute customizable;
##############################
# Attributes for polyinstantiation support:
#
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;