Chapter 2. SELinux Policy Overview


19


type_transition named_t var_run_t:sock_file named_var_run_t;


# When a process in the domain named_t creates a socket file


# in a directory of the type var_run_t, the socket file is


# given the type named_var_run_t.


The directory with the


# type var_run_t is defined in the policy as /var/run/.


#


# This rule is only found in this format in policy.conf,


# and it is derived from the following rule in


# $SELINUX_SRC/domain/programs/named.te:


file_type_auto_trans(named_t, var_run_t, named_var_run_t, \


sock_file)


# This rule evokes the file_type_auto_trans macro from


# $SELINUX_SRC/macros/core_macros.te, ultimately feeding the 4


# variables in to the macro file_type_trans($1,$2,$3,$4)


Type Changes


This kind of transition is not used in the targeted policy in Red Hat Enterprise Linux 4. Type


changes are used by trusted applications to change the labels of objects, such as


login


relabeling


the tty for a user session. For more information about type changes, refer to the sources found in


Chapter 9 References.


2.8. TE Rules   Access Vectors


Access vectors (AVs) are the rules that allow domains to access various system objects. An AV is a set


of permissions. A basic AV rule is a subject and object pair of types, a class definition for the object,


and a permission for the subject. There is a general rule syntax that covers all the kinds of AV rules:


+


av_kind


+


source_type(s)


+


target_type(s) :


+


class(es)


\


,


,


,


,


+


permission(s)


,


All AV rules are considered by the policy enforcement engine as two types, one class, and one access


permission. However, rules are written using attributes, sets, and macros to be more efficient. AV rules


are simplified during policy compilation.


The parts of the AV rule are defined elsewhere in this chapter. This section describes the kinds of


access vectors used in the AV rule at


av_kind


.


av_kind


is one of three rule types:


  allow


  permit a subject to act in a specific way with an object. The rule here allows


named


(in


the domain of


named_t


) to perform a search of a directory with the type


sbin_t


(for example,


/sbin


,


/usr/sbin


,


/opt/sbin


, etc.):


allow named_t sbin_t:dir search;


If the ruling results in a denial, the denial is audited (that is, logged). Granted permission events are


not logged.


  auditallow


  when the permission is granted, log the access decision. In the targeted policy,


there is only one


auditallow


rule. This rule logs usage of certain SELinux applications, for ex 


ample logging


avc: granted { setenforce }


when allowing


setenforce


:


auditallow unconfined_t security_t : security { load_policy \


setenforce setbool };


  dontaudit


  never audit a specific access denial. This is used when a program is attempting an


action that is not allowed by policy, and the resulting denials are filling the log, but the denial is








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved