#
# Declarations for type attributes.
# 

# A type attribute can be used to identify a set of types with a similar
# property.  Each type can have any number of attributes, and each
# attribute can be associated with any number of types.  Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations.  Attribute names can then be used throughout 
# the configuration to express the set of types that are associated with 
# the attribute.  Attributes have no implicit meaning to SELinux.  The
# meaning of each attribute is completely defined through its
# usage within the configuration, but should be documented here as
# comments preceding the attribute declaration.  

#####################
# Attributes for MLS:
#
# Every attribute in this section is described as a privilege ("Grant ..."):
# associating it with a type relaxes an MLS check for that type.  The
# constraints that consult these attributes are not declared in this file.
# NOTE(review): each association is an exception to MLS enforcement, so the
# set of types carrying these attributes is worth auditing.

# Common Terminology
# 	MLS Range: low-high
#		low referred to as "Effective Sensitivity Label (SL)"
#		high referred to as "Clearance SL"
#	Dominance: label A dominates label B when A's sensitivity is at least
#		B's and A's category set contains B's.  Two labels are
#		incomparable when neither dominates the other.


#
# File System MLS attributes/privileges
#
# Grant MLS read access to files not dominated by the process Effective SL
attribute mlsfileread;
# Grant MLS read access to files which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsfilereadtoclr;
# Grant MLS write access to files whose label is not equal to the process
# Effective SL
attribute mlsfilewrite;
# Grant MLS write access to files which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsfilewritetoclr;
# Grant MLS ability to change file label to a new label which dominates
# the old label
attribute mlsfileupgrade;
# Grant MLS ability to change file label to a new label which is
# dominated by or incomparable to the old label.
# NOTE(review): this permits lowering a file's label, so it should be
# limited to types trusted to declassify data.
attribute mlsfiledowngrade;

#
# Network MLS attributes/privileges
#
# Each attribute below exempts the types that carry it from the MLS check
# named in its comment; the constraints themselves are not in this file.
#
# Grant MLS read access to packets not dominated by the process Effective SL
attribute mlsnetread;
# Grant MLS read access to packets which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsnetreadtoclr;
# Grant MLS write access to packets whose label is not equal to the process
# Effective SL
attribute mlsnetwrite;
# Grant MLS write access to packets which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsnetwritetoclr;
# Grant MLS read access to packets from hosts or interfaces which dominate
# or are incomparable to the process Effective SL
attribute mlsnetrecvall;
# Grant MLS ability to change socket label to a new label which dominates
# the old label
attribute mlsnetupgrade;
# Grant MLS ability to change socket label to a new label which is
# dominated by or incomparable to the old label.
# NOTE(review): this permits lowering a socket's label; keep the set of
# types carrying it small.
attribute mlsnetdowngrade;

#
# IPC MLS attributes/privileges
#
# Each attribute below exempts the types that carry it from the MLS check
# named in its comment; the constraints themselves are not in this file.
#
# Grant MLS read access to IPC objects not dominated by the process Effective SL
attribute mlsipcread;
# Grant MLS read access to IPC objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsipcreadtoclr;
# Grant MLS write access to IPC objects whose label is not equal to the
# process Effective SL
attribute mlsipcwrite;
# Grant MLS write access to IPC objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsipcwritetoclr;

#
# Process MLS attributes/privileges
#
# In the comments below "processes" are the targets of the access and
# "the process" is the domain performing it.
#
# Grant MLS read access to processes not dominated by the process Effective SL
attribute mlsprocread;
# Grant MLS read access to processes which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsprocreadtoclr;
# Grant MLS write access to processes whose label is not equal to the
# process Effective SL
attribute mlsprocwrite;
# Grant MLS write access to processes which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsprocwritetoclr;
# Grant MLS ability to change Effective SL or Clearance SL of process to a
# label dominated by the Clearance SL.
# NOTE(review): a domain with this attribute can move its own level within
# its clearance; confirm each holder needs that.
attribute mlsprocsetsl;

#
# X Window MLS attributes/privileges
#
# Each attribute below exempts the types that carry it from the MLS check
# named in its comment; the constraints themselves are not in this file.
#
# Grant MLS read access to X objects not dominated by the process Effective SL
attribute mlsxwinread;
# Grant MLS read access to X objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsxwinreadtoclr;
# Grant MLS write access to X objects whose label is not equal to the
# process Effective SL
attribute mlsxwinwrite;
# Grant MLS write access to X objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsxwinwritetoclr;
# Grant MLS read access to X properties not dominated by
# the process Effective SL
attribute mlsxwinreadproperty;
# Grant MLS write access to X properties whose label is not equal to the
# process Effective SL
attribute mlsxwinwriteproperty;
# Grant MLS read access to X colormaps not dominated by
# the process Effective SL
attribute mlsxwinreadcolormap;
# Grant MLS write access to X colormaps whose label is not equal to the
# process Effective SL
attribute mlsxwinwritecolormap;
# Grant MLS write access to X xinputs whose label is not equal to the
# process Effective SL
attribute mlsxwinwritexinput;

# Grant MLS read/write access to objects which internally arbitrate MLS.
# NOTE(review): the wording suggests this attribute is placed on the
# object's type rather than on the accessing domain -- confirm against the
# MLS constraints.  Any type carrying it is trusted to enforce MLS itself.
attribute mlstrustedobject;

#
# Both of the following attributes are needed for a range transition to succeed
#
# Grant ability for the current domain to change SL upon process transition
attribute privrangetrans;
# Grant ability for the new process domain to change SL upon process transition
attribute mlsrangetrans;

#########################
# Attributes for domains:
#
# Several attributes in this section (priv*) mark domains that are allowed
# to do something the constraints or assertions otherwise forbid.  The
# constraints and assertions themselves are not declared in this file.

# The domain attribute identifies every type that can be
# assigned to a process.  This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;

# The daemon attribute identifies domains for system processes created via
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
attribute daemon;

# The privuser attribute identifies every domain that can
# change its SELinux user identity.  This attribute is used
# in the constraints configuration.  NOTE:  This attribute
# is not required for domains that merely change the Linux
# uid attributes, only for domains that must change the
# SELinux user identity.  Also note that this attribute makes
# no sense without the privrole attribute.
attribute privuser;

# The privrole attribute identifies every domain that can
# change its SELinux role.  This attribute is used in the
# constraints configuration.
attribute privrole;

# The userspace_objmgr attribute identifies every domain
# which enforces its own policy.
attribute userspace_objmgr;

# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r role, and identity from a user
# identity to system_u.  It is used in the constraints configuration.
attribute priv_system_role;

# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that is not the same as the
# process identity.  This attribute is used in the constraints
# configuration.
attribute privowner;

# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# There is an assertion that other domains cannot do it,
# and an allow rule to permit it.
attribute privlog;

# The privmodule attribute identifies every domain that can run
# modprobe.  There is an assertion that other domains cannot do it,
# and an allow rule to permit it.
attribute privmodule;

# The privsysmod attribute identifies every domain that can have the
# sys_module capability
attribute privsysmod;

# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privmem;

# The privkmsg attribute identifies every domain that can
# read kernel messages (/proc/kmsg).
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privkmsg;

# The privfd attribute identifies every domain that should have
# file handles inherited widely (e.g. sshd_t and getty_t).
attribute privfd;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (i.e. act on behalf of
# a user in writing regular files)
attribute privhome;

# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
attribute auth;

# The auth_bool attribute identifies every domain that can
# read /etc/shadow if its boolean is set.
attribute auth_bool;

# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
# Unlike auth, tagging a domain with auth_write only marks it as eligible;
# the access itself has to be allowed separately.
attribute auth_write;

# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd
attribute auth_chkpwd;

# The change_context attribute identifies setfiles_t, restorecon_t, and other
# system domains that change the context of most/all files on the system
attribute change_context;

# The etc_writer attribute identifies every domain that can write to etc_t
attribute etc_writer;

# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t; in addition, the admin attribute is permitted write access.
attribute sysctl_kernel_writer;

# The sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;

# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry.  This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care: a rule written against this
# attribute applies to every sysctl type that carries it.
attribute sysctl_type;

# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.
attribute admin;

# The secadmin attribute identifies every security administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and secadm_t.
attribute secadmin;

# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t.  It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;

# For a small domain that can only be used for newrole
attribute user_mini_domain;

# Pty for the mini domain
attribute mini_pty_type;

# Pty created by a server such as sshd
attribute server_pty;

# Attribute for all non-administrative devpts types
attribute userpty_type;

# The user_tty_type identifies every type for a tty or pty owned by an
# unprivileged user
attribute user_tty_type;

# The admin_tty_type identifies every type for a tty or pty owned by a
# privileged user
attribute admin_tty_type;

# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
# applied to all user domains.
attribute user_crond_domain;

# The unpriv_userdomain identifies non-administrative users (default user_t)
attribute unpriv_userdomain;

# This attribute is for the main user home directory for unprivileged users
attribute user_home_dir_type;

# The gphdomain attribute identifies every gnome-pty-helper derived
# domain.  It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.
attribute gphdomain;

# The fs_domain identifies every domain that may directly access a fixed disk.
# NOTE(review): direct disk access is not mediated per file, so membership
# here deserves the same scrutiny as the priv* attributes.
attribute fs_domain;

# This attribute is for all domains for the userhelper program.
attribute userhelperdomain;

############################
# Attributes for file types:
#

# The file_type attribute identifies all types assigned to files
# in persistent filesystems.  It is used in TE rules to permit
# the association of all such file types with persistent filesystem
# types, and to permit certain domains to access all such types as
# appropriate.
attribute file_type;

# The secure_file_type attribute identifies files
# which will be treated with a higher level of security.
# Most domains will be prevented from manipulating files in this domain
attribute secure_file_type;

# The device_type attribute identifies all types assigned to device nodes
attribute device_type;

# The proc_fs attribute identifies all types that may be assigned to
# files under /proc.
attribute proc_fs;

# The dev_fs attribute identifies all types that may be assigned to
# files, sockets, or pipes under /dev.
attribute dev_fs;

# The sysadmfile attribute identifies all types assigned to files
# that should be completely accessible to administrators.  It is used
# in TE rules to grant such access for administrator domains.
attribute sysadmfile;

# The secadmfile attribute identifies all types assigned to files
# that should be only accessible to security administrators.  It is used
# in TE rules to grant such access for security administrator domains.
attribute secadmfile;

# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
# any filesystem and to permit most domains to obtain the
# overall filesystem statistics.
attribute fs_type;

# The mount_point attribute identifies all types that can serve
# as a mount point (for the mount binary). It is used in the mount
# policy to grant mounton permission, and in other domains to grant
# getattr permission over all the mount points.
attribute mount_point;

# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains.  This attribute is
# used in TE rules and assertions that should be applied to all
# such executables.
attribute exec_type;

# The tmpfile attribute identifies all types assigned to temporary
# files.  This attribute is used in TE rules to grant certain
# domains the ability to remove all such files (e.g. init, crond).
attribute tmpfile;

# The user_tmpfile attribute identifies all types associated with temporary
# files for unpriv_userdomain domains.
attribute user_tmpfile;

# For the user_xserver_tmp_t etc
attribute xserver_tmpfile;

# The tmpfsfile attribute identifies all types defined for tmpfs
# type transitions.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute tmpfsfile;

# The home_type attribute identifies all types assigned to home
# directories.  This attribute is used in TE rules to grant certain
# domains the ability to access all home directory types.
attribute home_type;

# This attribute is for the main user home directory /home/user, to
# distinguish it from sub-dirs.  Often you want a process to be able to
# read the user home directory but not read the regular directories under it.
attribute home_dir_type;

# The ttyfile attribute identifies all types assigned to ttys.
# It is used in TE rules to grant certain domains the ability to
# access all ttys.
attribute ttyfile;

# The ptyfile attribute identifies all types assigned to ptys.
# It is used in TE rules to grant certain domains the ability to
# access all ptys.
attribute ptyfile;

# The pidfile attribute identifies all types assigned to pid files.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute pidfile;


############################
# Attributes for network types:
#

# The socket_type attribute identifies all types assigned to
# kernel-created sockets.  Ordinary sockets are assigned the
# domain of the creating process.
# XXX This attribute is unused.  Remove?
attribute socket_type;

# Identifies all types assigned to port numbers to control binding.
attribute port_type;

# Identifies all types assigned to reserved port (<1024) numbers to control binding.
attribute reserved_port_type;

# Identifies all types assigned to network interfaces to control
# operations on the interface (XXX obsolete, not supported via LSM)
# and to control traffic sent or received on the interface.
attribute netif_type;

# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;

# Identifies all types assigned to network nodes/hosts to control
# traffic sent to or received from the node.
attribute node_type;

# NOTE: logfile and lockfile below describe file types, although they are
# declared under the network types heading.

# Identifier for log files or directories that only exist for log files.
attribute logfile;

# Identifier for lock files (/var/lock/*) or directories that only exist for
# lock files.
attribute lockfile;



##############################
# Attributes for security policy types:
#
# NOTE: besides login_contexts, this section also holds mail, web and
# X Window System attributes.

# The login_contexts attribute identifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;

# Identifier for a domain used by "sendmail -t" (e.g. user_mail_t,
# sysadm_mail_t, etc)
attribute user_mail_domain;

# Identifies domains that can transition to system_mail_t
attribute privmail;

# Type for non-sysadm home directory
attribute user_home_type;

# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles to enable user email to get to the mail
# spool
attribute mta_user_agent;

# For domains that are part of a mail server for delivering messages to the
# user
attribute mta_delivery_agent;

# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;

# For a mail server process that takes TCP connections on port 25
attribute mail_server_domain;

# For web clients such as netscape and squid
attribute web_client_domain;

# For X Window System server domains
attribute xserver;

# For X Window System client domains
attribute xclient;

# For X Window System protocol extensions
attribute xextension;

# For X Window System property types
attribute xproperty;

#
# For file systems that do not have extended attributes but need to be
# r/w by users
#
attribute noexattrfile;

#
# For file types that the user can read
#
attribute usercanread;

#
# For serial devices
#
attribute serial_device;

# Attribute to designate unrestricted access.
# NOTE(review): the rules attached to this attribute are not in this file;
# presumably it lifts most policy restrictions from a domain -- confirm,
# and keep the set of types carrying it minimal.
attribute unrestricted;

# Attribute to designate domains that can transition to unconfined_t.
# NOTE(review): the transition rules are not in this file; treat membership
# as a path out of confinement and review it accordingly.
attribute unconfinedtrans;

# For clients of nscd.
attribute nscd_client_domain;

# For clients of nscd that can use shmem interface.
attribute nscd_shmem_domain;

# For labeling of content for httpd.  This attribute is only used by
# the httpd_unified domain, which says treat all httpdcontent the
# same.  If you want content to be served in a "non-unified" system
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
# your policy.
attribute httpdcontent;

# For labeling of domains whose transition can be disabled
attribute transitionbool;

# For labeling of file_context domains which users can change files to rather
# than the default file context.  These file_context can survive a relabeling
# of the file system.
# NOTE(review): because these labels survive a relabel, relabeling the file
# system cannot be relied on to reset files that carry one of these types.
attribute customizable;

##############################
# Attributes for polyinstantiation support:
#

# For labeling types that are to be polyinstantiated
attribute polydir;

# And for labeling the parent directories of those polyinstantiated directories.
# This is necessary for remounting the original in the parent to give
# security-aware apps access.
attribute polyparent;

# And labeling for the member directories
attribute polymember;