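#
# Declarations for type attributes.
#

# A type attribute can be used to identify a set of types with a similar
# property.  Each type can have any number of attributes, and each
# attribute can be associated with any number of types.  Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations.  Attribute names can then be used throughout
# the configuration to express the set of types that are associated with
# the attribute.  Except for the MLS attributes, attributes have no implicit
# meaning to SELinux.  The meaning of all other attributes is completely
# defined through their usage within the configuration, but should be
# documented here as comments preceding the attribute declaration.

#####################
# Attributes for MLS:
#
# NOTE(review): the MLS attributes below carry no per-attribute comments;
# their meaning is presumably given by the MLS constraints configuration,
# which is not visible here -- confirm there before assigning any of them
# to a type, since they relax MLS restrictions for the types that carry them.

attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;

attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;

attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;

attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;

attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinupgrade;
attribute mlsxwindowngrade;

# NOTE(review): undocumented; presumably marks object types exempt from
# some MLS checks -- confirm against the constraints configuration.
attribute mlstrustedobject;

# NOTE(review): undocumented; presumably domains permitted to perform
# range transitions -- confirm against the constraints configuration.
attribute privrangetrans;
attribute mlsrangetrans;

#########################
# Attributes for domains:
#

# The domain attribute identifies every type that can be
# assigned to a process.  This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;

# The daemon attribute identifies domains for system processes created via
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
attribute daemon;

# The privuser attribute identifies every domain that can
# change its SELinux user identity.  This attribute is used
# in the constraints configuration.  NOTE:  This attribute
# is not required for domains that merely change the Linux
# uid attributes, only for domains that must change the
# SELinux user identity.  Also note that this attribute makes
# no sense without the privrole attribute.
attribute privuser;

# The privrole attribute identifies every domain that can
# change its SELinux role.  This attribute is used in the
# constraints configuration.
attribute privrole;

# The userspace_objmgr attribute identifies every domain
# which enforces its own policy.
attribute userspace_objmgr;

# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r role, and identity from a user
# identity to system_u.  It is used in the constraints configuration.
attribute priv_system_role;

# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that is not the same as the
# process identity.  This attribute is used in the constraints
# configuration.
attribute privowner;

# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# There is an assertion that other domains can not do it,
# and an allow rule to permit it.
attribute privlog;

# The privmodule attribute identifies every domain that can run
# modprobe; there is an assertion that other domains can not do it,
# and an allow rule to permit it.
attribute privmodule;

# The privsysmod attribute identifies every domain that can have the
# sys_module capability.
attribute privsysmod;

# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privmem;

# The privkmsg attribute identifies every domain that can
# read kernel messages (/proc/kmsg).
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privkmsg;

# The privfd attribute identifies every domain that should have
# file handles inherited widely (i.e. sshd_t and getty_t).
attribute privfd;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (i.e. act on behalf of
# a user in writing regular files).
attribute privhome;

# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
attribute auth;

# The auth_bool attribute identifies every domain that can
# read /etc/shadow if its boolean is set.
attribute auth_bool;

# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;

# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd.
attribute auth_chkpwd;

# The change_context attribute identifies setfiles_t, restorecon_t, and other
# system domains that change the context of most/all files on the system.
attribute change_context;

# The etc_writer attribute identifies every domain that can write to etc_t.
attribute etc_writer;

# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t; in addition, the admin attribute is permitted write access.
attribute sysctl_kernel_writer;

# The sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;

# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry.  This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care.
attribute sysctl_type;

# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.
attribute admin;

# The secadmin attribute identifies every security administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and secadm_t.
attribute secadmin;

# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t.  It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;

# For a small domain that can only be used for newrole.
attribute user_mini_domain;

# pty for the mini domain.
attribute mini_pty_type;

# pty created by a server such as sshd.
attribute server_pty;

# Attribute for all non-administrative devpts types.
attribute userpty_type;

# The user_tty_type attribute identifies every type for a tty or pty owned
# by an unprivileged user.
attribute user_tty_type;

# The admin_tty_type attribute identifies every type for a tty or pty owned
# by a privileged user.
attribute admin_tty_type;

# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
# applied to all user domains.
attribute user_crond_domain;

# The unpriv_userdomain attribute identifies non-administrative users
# (default user_t).
attribute unpriv_userdomain;

# This attribute is for the main user home directory for unpriv users.
attribute user_home_dir_type;

# The gphdomain attribute identifies every gnome-pty-helper derived
# domain.  It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.
attribute gphdomain;

# The fs_domain attribute identifies every domain that may directly access
# a fixed disk.
attribute fs_domain;

# This attribute is for all domains for the userhelper program.
attribute userhelperdomain;

############################
# Attributes for file types:
#

# The file_type attribute identifies all types assigned to files
# in persistent filesystems.  It is used in TE rules to permit
# the association of all such file types with persistent filesystem
# types, and to permit certain domains to access all such types as
# appropriate.
attribute file_type;

# The secure_file_type attribute identifies files
# which will be treated with a higher level of security.
# Most domains will be prevented from manipulating files carrying
# this attribute.
attribute secure_file_type;

# The device_type attribute identifies all types assigned to device nodes.
attribute device_type;

# The proc_fs attribute identifies all types that may be assigned to
# files under /proc.
attribute proc_fs;

# The dev_fs attribute identifies all types that may be assigned to
# files, sockets, or pipes under /dev.
attribute dev_fs;

# The sysadmfile attribute identifies all types assigned to files
# that should be completely accessible to administrators.  It is used
# in TE rules to grant such access for administrator domains.
attribute sysadmfile;

# The secadmfile attribute identifies all types assigned to files
# that should be only accessible to security administrators.  It is used
# in TE rules to grant such access for security administrator domains.
attribute secadmfile;

# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
# any filesystem and to permit most domains to obtain the
# overall filesystem statistics.
attribute fs_type;

# The mount_point attribute identifies all types that can serve
# as a mount point (for the mount binary).  It is used in the mount
# policy to grant mounton permission, and in other domains to grant
# getattr permission over all the mount points.
attribute mount_point;

# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains.  This attribute is
# used in TE rules and assertions that should be applied to all
# such executables.
attribute exec_type;

# The tmpfile attribute identifies all types assigned to temporary
# files.  This attribute is used in TE rules to grant certain
# domains the ability to remove all such files (e.g. init, crond).
attribute tmpfile;

# The user_tmpfile attribute identifies all types associated with temporary
# files for unpriv_userdomain domains.
attribute user_tmpfile;

# For the user_xserver_tmp_t etc.
attribute xserver_tmpfile;

# The tmpfsfile attribute identifies all types defined for tmpfs
# type transitions.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute tmpfsfile;

# The home_type attribute identifies all types assigned to home
# directories.  This attribute is used in TE rules to grant certain
# domains the ability to access all home directory types.
attribute home_type;

# This attribute is for the main user home directory /home/user, to
# distinguish it from sub-dirs.  Often you want a process to be able to
# read the user home directory but not read the regular directories under it.
attribute home_dir_type;

# The ttyfile attribute identifies all types assigned to ttys.
# It is used in TE rules to grant certain domains the ability to
# access all ttys.
attribute ttyfile;

# The ptyfile attribute identifies all types assigned to ptys.
# It is used in TE rules to grant certain domains the ability to
# access all ptys.
attribute ptyfile;

# The pidfile attribute identifies all types assigned to pid files.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute pidfile;


############################
# Attributes for network types:
#

# The socket_type attribute identifies all types assigned to
# kernel-created sockets.  Ordinary sockets are assigned the
# domain of the creating process.
# XXX This attribute is unused.  Remove?
attribute socket_type;

# Identifies all types assigned to port numbers to control binding.
attribute port_type;

# Identifies all types assigned to reserved port (<1024) numbers to control binding.
attribute reserved_port_type;

# Identifies all types assigned to network interfaces to control
# operations on the interface (XXX obsolete, not supported via LSM)
# and to control traffic sent or received on the interface.
attribute netif_type;

# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;

# Identifies all types assigned to network nodes/hosts to control
# traffic sent to or received from the node.
attribute node_type;

# NOTE(review): the two attributes below are file attributes, not network
# types; they are kept here only to preserve the original layout.

# Identifier for log files or directories that only exist for log files.
attribute logfile;

# Identifier for lock files (/var/lock/*) or directories that only exist for
# lock files.
attribute lockfile;



##############################
# Attributes for security policy types:
#

# The login_contexts attribute identifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;

# Identifier for a domain used by "sendmail -t" (i.e. user_mail_t,
# sysadm_mail_t, etc).
attribute user_mail_domain;

# Identifies domains that can transition to system_mail_t.
attribute privmail;

# Type for non-sysadm home directory.
attribute user_home_type;

# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles to enable user email to get to the mail
# spool.
attribute mta_user_agent;

# For domains that are part of a mail server for delivering messages to the
# user.
attribute mta_delivery_agent;

# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;

# For a mail server process that takes TCP connections on port 25.
attribute mail_server_domain;

# For web clients such as netscape and squid.
attribute web_client_domain;

# For X Window System server domains.
attribute xserver;

# For X Window System client domains.
attribute xclient;

# For X Window System protocol extensions.
attribute xextension;

# For X Window System property types.
attribute xproperty;

#
# For file systems that do not have extended attributes but need to be
# r/w by users.
#
attribute noexattrfile;

#
# For file types that the user can read.
#
attribute usercanread;

#
# For serial devices.
#
attribute serial_device;

# Attribute to designate unrestricted access.
# NOTE(review): a blanket grant; the rules keyed on it are not visible
# here, so any type that carries it should be reviewed deliberately.
attribute unrestricted;

# For clients of nscd.
attribute nscd_client_domain;

# For clients of nscd that can use the shmem interface.
attribute nscd_shmem_domain;

# For labeling of content for httpd.  This attribute is only used by
# the httpd_unified domain, which says treat all httpdcontent the
# same.  If you want content to be served in a "non-unified" system
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
# your policy.
attribute httpdcontent;

# For labeling of domains whose transition can be disabled.
attribute transitionbool;

# For labeling of file_context domains which users can change files to rather
# than the default file context.  These file_contexts can survive a relabeling
# of the file system.
attribute customizable;

##############################
# Attributes for polyinstantiation support:
#

# For labeling types that are to be polyinstantiated.
attribute polydir;

# And for labeling the parent directories of those polyinstantiated directories.
# This is necessary for remounting the original in the parent to give
# security aware apps access.
attribute polyparent;

# And labeling for the member directories.
attribute polymember;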