Chapter 2. SELinux Policy Overview
domain_auto_trans($1, $2_exec_t, $2_t)
Recall that the variables fed into daemon_sub_domain() were httpd_t ($1) and httpd_suexec ($2). When
m4 runs, it inputs the parameters in the order received, so $1 becomes httpd_t, $2_exec_t becomes
httpd_suexec_exec_t, and $2_t is httpd_suexec_t. Notice that the macro daemon_sub_domain actually
calls domain_auto_trans(), which is found in core_macros.te and looks like this:
define(`domain_auto_trans',`
domain_trans($1,$2,$3)
type_transition $1 $2:process $3;
')
...
define(`domain_trans',`
allow $1 $3:process transition;
...
There you see the completion of the chain, as domain_trans() is called, and the parameters are fed
in to create the rules you are looking for:
$1 = httpd_t             (base input of httpd_t)
$2 = httpd_suexec_exec_t (base input of httpd_suexec)
$3 = httpd_suexec_t      (base input of httpd_suexec)
apache.te                                # feeds 2 variables into
daemon_sub_domain(httpd_t, httpd_suexec) # which calls
domain_auto_trans($1, $2_exec_t, $2_t)   # that associates new vars
#### $1 = $1, $2_exec_t = $2, $2_t = $3) # and feeds the vars into
domain_trans($1,$2,$3)                   # which has
type_transition $1 $2:process $3;        # that expands into
type_transition httpd_t httpd_suexec_exec_t:process httpd_suexec_t
                                         # and
                                         # expands domain_trans()
allow $1 $3:process transition;          # which expands into
allow httpd_t httpd_suexec_t:process transition;

# Here is a final association of variables to sources
allow $1 $3:process transition;
allow httpd_t httpd_suexec_t:process transition;
type_transition $1 $2:process $3;
type_transition httpd_t httpd_suexec_exec_t:process httpd_suexec_t;
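The expansion chain above can be replayed mechanically when reviewing what a macro call really grants. The following is an added example, not code from the guide or from the policy sources: a simplified Python stand-in for m4's positional substitution, with macro bodies reduced to the lines quoted in this section; the helper names expand, rules and unpaired_transitions are hypothetical.

```python
import re

# Macro bodies reduced to the lines quoted in this section; parts the guide
# elides with "..." are left out, and daemon_sub_domain is cut down to the
# single call shown above (assumptions of this example).
MACROS = {
    "daemon_sub_domain": "domain_auto_trans($1, $2_exec_t, $2_t)",
    "domain_auto_trans": "domain_trans($1,$2,$3)\ntype_transition $1 $2:process $3;",
    "domain_trans": "allow $1 $3:process transition;",
}
CALL = re.compile(r"\b(%s)\(([^()]*)\)" % "|".join(MACROS))


def expand(text, trace=None):
    """Expand the first macro call found, rescan the result, repeat until none remain."""
    while True:
        call = CALL.search(text)
        if call is None:
            return text
        name = call.group(1)
        args = [a.strip() for a in call.group(2).split(",")]

        def arg(m):  # a missing argument expands to nothing
            i = int(m.group(1)) - 1
            return args[i] if i < len(args) else ""

        # Plain text substitution: "$2_exec_t" becomes "<argument 2>_exec_t".
        body = re.sub(r"\$([1-9])", arg, MACROS[name])
        if trace is not None:
            trace.append((name, args))
        text = text[:call.start()] + body + text[call.end():]


def rules(source):
    """Expanded policy statements, one per list entry."""
    return [ln.strip() for ln in expand(source).splitlines() if ln.strip()]


def unpaired_transitions(statements):
    """type_transition rules that lack the allow ... transition rule paired with them here."""
    text = "\n".join(statements)
    allowed = set(re.findall(r"allow (\S+) (\S+):process transition;", text))
    found = re.findall(r"type_transition (\S+) \S+:process (\S+);", text)
    return [pair for pair in found if pair not in allowed]


if __name__ == "__main__":
    for rule in rules("daemon_sub_domain(httpd_t, httpd_suexec)"):
        print(rule)
```

Passing a list as the trace argument of expand() records each macro call with its resolved arguments, which reproduces the $1/$2/$3 association table above.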
2.10. SELinux Users and Roles
Important
Users and roles can play a part in an SELinux policy. However, the greater part of SELinux is Type
Enforcement. Additionally, the targeted policy is designed not to utilize users and roles. Every domain
in the targeted policy runs in a single role, and TE is used to separate the confined processes from
the other processes.





