32


Chapter 3. Targeted Policy Overview


$SELINUX_SRC/appconfig/


This directory contains application configuration files that provide contexts or partial contexts


for certain daemons and utilities. A partial context is when the user identity is not included. This


identity is inferred from the user who runs the utility.


The kind of utilities that rely upon the


appconfig


contexts are


crond


,


newrole


, and


login


,


which need to have a context that derives from a user rather than their own context. These files


provide a list of possible contexts the program can try to set, and the policy decides if the process


can transition to those contexts.


These


various


files


are


installed


as


the


separate


files


and


directories


within


$SELINUX_POLICY/contexts/


, and are used in runtime by


libselinux


to search through


for usable contexts.


In a stricter policy than the targeted policy, there would be additional entries since all users


and daemons run in their own security context instead of


unconfined_t


. For example, when


parsing through


default_contexts


, if the policy defines that a context is not allowed for a


user, it would be ignored and the next one checked. This way the file can have a cascading set


of partial contexts, so the most privileged gets the first choice, and the least privileged gets the


last choice. In


default_contexts


for the targeted policy, the most and least privileged are the


same


cat default_contexts


system_r:unconfined_t


system_r:unconfined_t


The


default_type


file is the configuration file for when applications need to know which do 


mains are to be associated with which roles. In the targeted policy, there is effectively one single


role for subjects:


system_r


. For example,


newrole


looks to this file to know what domains to


assign each transitioned role:


cat default_type


system_r:unconfined_t


There ins only a partial context in


failsafe_context


. This is what is returned if


default_contexts


does not have an appropriate context. In other words, if nothing else


matches, try this context. Note that it is the same context as in


default_contexts


. This file is


more useful in a stricter policy.


cat failsafe_context


system_r:unconfined_t


When


run_init


executes a script in


/etc/rc.d/


, this is the context that


run_init


transitions


to before running the script. This way, the context executing the scripts is the same as when they


are executed by


init


.


cat initrc_context


user_u:system_r:unconfined_t


These are the default contexts applied to different media types, for example, when they are


mounted on


/media


:


cat media


cdrom system_u:object_r:removable_device_t


floppy system_u:object_r:removable_device_t


disk system_u:object_r:fixed_disk_device_t


This context covers removable media types, such as USB flash storage devices:


cat removable_context


system_u:object_r:removable_t


The


root_default_contexts


allows login to root to be different than login to a normal user:


cat root_default_contexts


system_r:unconfined_t


system_r:unconfined_t


This is the context


userhelper


transitions to before executing the application that requires the


privilege escalation:


cat userhelper_context








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved