Chapter 3. Targeted Policy Overview
system_u:system_r:unconfined_t
$SELINUX_SRC/types/*
These files are the type declarations for general sets of types. The types are grouped by similarities such as being a file, being related to security, network, or devices. The name of the type declaration file reflects its contents.

One odd file included in the targeted policy is $SELINUX_SRC/types/apache.te. The file contains this one-line macro:

define(`admin_tty_type', `{ tty_device_t devpts_t }')

This macro is connected with a conditional set of rules in the httpd TE file at $SELINUX_SRC/domains/program/apache.te. The conditional rules allow httpd to utilize the console (if (httpd_tty_comm) {}). This allows Apache HTTP to use the console for parts of the SSL certification handling process.

The reason the macro defining admin_tty_type is in types/apache.te is that the macro is included in the targeted policy only for the benefit of httpd. Apache HTTP needs this macro defined for the httpd policy to work. In a stricter policy, the system administrator domain sysadm_t is used, and its associated TE file at /etc/selinux/strict/src/policy/domains/admin.te supplies the admin_tty_type macro.

The file $SELINUX_SRC/types/files.fc defines the contexts for all of the file types on the system.

$SELINUX_SRC/domains/program/*
These are the TE policy files that make the targeted daemons protected. In SELinux, in the tree at $SELINUX_SRC/domains/ are all the rules that govern the behavior of the various domains. If a particular *.te is not in the $SELINUX_SRC/domains/ path, it is not compiled in as part of the policy.

In Chapter 4 Example Policy Reference - dhcpd, the policy for dhcpd is completely dissected and examined as a reference for all of the policy files for the targeted daemons.

$SELINUX_SRC/assert.te, $SELINUX_SRC/attrib.te, and $SELINUX_SRC/constraints
The file assert.te contains the neverallow assertions, discussed in Section 2.8 TE Rules - Access Vectors. The attributes declared for the targeted policy are in attrib.te, discussed in Section 2.6 TE Rules - Attributes. Constraining rules, as discussed in Section 2.11 TE Rules - Constraints, are defined for the targeted policy in the file constraints.

$SELINUX_SRC/flask/
This directory is where several important definitions occur. In access_vectors, object classes are defined, as discussed in Section 2.5 Object Classes and Permissions. The file initial_sids provides the booting kernel with the initial security identifiers to use until policy can be loaded, as described in Section 2.3 Policy Role in Boot. Security object classes are defined in security_classes. The shell scripts and Makefile are used in SELinux kernel development, and are not intended for end user usage.

$SELINUX_SRC/macros/
Macros are discussed in Section 2.9 Policy Macros. Only two macro files in this directory are used, core_macros.te and global_macros.te.

The directory $SELINUX_SRC/macros/program/ contains the macro files for various daemons. Only the macro files that correspond to a *.te file in $SELINUX_SRC/domains/program/ are actually used in the policy.
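
The pairing rule above can be checked against a policy source tree with a short audit script. This is an added example, not part of the original guide or the policy sources. It assumes a macro file pairs with <name>.te when it is called <name>_macros.te or <name>.te; the function names and the sample tree (including the made-up exampled_macros.te) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which macro files under macros/program/ pair with
# a TE file under domains/program/ in a policy source tree.
# Assumption: <name>_macros.te (or <name>.te) pairs with domains/program/<name>.te.

# list_macro_usage SRC_DIR
# Prints one line per macro file: "used <file>" or "unused <file>".
list_macro_usage() {
    src=$1
    macros_dir=$src/macros/program
    domains_dir=$src/domains/program
    [ -d "$macros_dir" ] || { echo "missing $macros_dir" >&2; return 1; }
    for m in "$macros_dir"/*.te; do
        [ -e "$m" ] || continue        # glob matched nothing
        base=$(basename "$m" .te)
        name=${base%_macros}           # apache_macros -> apache
        if [ -f "$domains_dir/$name.te" ]; then
            echo "used $base.te"
        else
            echo "unused $base.te"
        fi
    done
}

# count_unused SRC_DIR: number of macro files with no matching TE file.
count_unused() {
    list_macro_usage "$1" | grep -c '^unused ' || true
}

# make_sample_tree: build a constructed tree in a temp dir and print its path.
# exampled_macros.te is a made-up macro file with no matching TE file.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/domains/program" "$t/macros/program"
    : > "$t/domains/program/apache.te"
    : > "$t/domains/program/dhcpd.te"
    : > "$t/macros/program/apache_macros.te"
    : > "$t/macros/program/dhcpd_macros.te"
    : > "$t/macros/program/exampled_macros.te"
    echo "$t"
}

# Demo on the constructed tree; point list_macro_usage at $SELINUX_SRC instead.
demo=$(make_sample_tree)
list_macro_usage "$demo"
echo "unused macro files: $(count_unused "$demo")"
rm -rf "$demo"
```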





