Blame strict/domains/program/chroot.te
|
Chris PeBenito |
0fbfa5 |
#DESC Chroot - Establish chroot environments
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Author: Russell Coker <russell@coker.com.au>
|
|
Chris PeBenito |
0fbfa5 |
# X-Debian-Packages:
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Declares the type chroot_exec_t and assigns it the attributes file_type,
# sysadmfile and exec_type.
# NOTE(review): presumably this is the label for the chroot executable and the
# entrypoint type used by the chroot() macro - confirm against
# macros/program/chroot_macros.te and the matching file-context entry.
# NOTE(review): the three attributes are defined elsewhere in the policy; any
# allow rule written against them also applies to this type, so review those
# rules before relying on chroot_exec_t for confinement.
type chroot_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# For a chroot environment named potato that can be entered from user_t (so
|
|
Chris PeBenito |
0fbfa5 |
# the user can run an old version of Debian in a chroot), with the possibility
|
|
Chris PeBenito |
0fbfa5 |
# of user_devpts_t or user_tty_device_t being the controlling tty type for
|
|
Chris PeBenito |
0fbfa5 |
# administration. This also defines a mount_domain for the user (so they can
|
|
Chris PeBenito |
0fbfa5 |
# mount file systems).
|
|
Chris PeBenito |
0fbfa5 |
#chroot(user, potato)
|
|
Chris PeBenito |
0fbfa5 |
# For a chroot environment named apache that can be entered from initrc_t for
|
|
Chris PeBenito |
0fbfa5 |
# running a different version of apache.
|
|
Chris PeBenito |
0fbfa5 |
# initrc is a special case: it uses the system_r role (usually "_r" is appended to
|
|
Chris PeBenito |
0fbfa5 |
# the base name of the parent domain), and has sysadm_devpts_t and
|
|
Chris PeBenito |
0fbfa5 |
# sysadm_tty_device_t for the controlling terminal
|
|
Chris PeBenito |
0fbfa5 |
#chroot(initrc, apache)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# the main code is in macros/program/chroot_macros.te
|