Chapter 3. Targeted Policy Overview
$SELINUX_SRC/tunables/

A tunable is a way of switching on or off certain settings that have a global effect. For example, the file distro.tun has only one Linux distribution defined; the others are commented out with dnl define:

define(`distro_redhat')

The existence of this definition triggers conditional statements in the TE files for httpd, mysqld, named, and snmpd in $SELINUX_SRC/domains/program, as well as in $SELINUX_SRC/macros/program/userhelper_macros.te.

Tunables are resolved by m4 when the policy is compiled, so they are not a flexible way to manage settings that you want to affect more immediately: changing one means recompiling and reloading the whole policy. For the most part, the tunables have been replaced by Booleans in /etc/selinux/targeted/booleans, which are checked at runtime and can be switched without a rebuild.
The second file, tunable.tun, has several definitions which are in use in the targeted policy:

define(`targeted_policy')
define(`nscd_all_connect')
define(`nfs_home_dirs')

The targeted_policy tunable is used by apache.te, named.te, squid.te, and mta.te in $SELINUX_SRC/domains/program/, as well as by global_macros.te and apache_macros.te. For example, this statement from apache.te is included in the policy only if targeted_policy is defined:
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
if (httpd_enable_homedirs) {
allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
allow httpd_t user_home_dir_t:dir { getattr search };
}
') dnl targeted policy
The type aliases add support for Apache HTTP CGI scripting by users: the user content and user script types become aliases of the corresponding httpd_sys_* types, so user-owned content and scripts are treated the same way as system content. Notice the if (httpd_enable_homedirs) statement. This is the Boolean httpd_enable_homedirs, used to enable public HTML directories served from user home directories. Unlike the surrounding ifdef, which m4 resolves at compile time, an if block on a Boolean stays in the compiled policy and is switched on or off at runtime.
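To see what the m4 pass actually does with a tunable, here is an added example that is not part of the guide: it writes two constructed fragments modelled on tunable.tun and the apache.te excerpt above, runs them through m4 in the order the policy build uses (tunables first, then the TE file) and counts what survives. The file names, the scratch directory and the nfs_home_dirs block are assumptions made for the demonstration; the real sources are far longer, and the build hands m4's output to checkpolicy.

```shell
#!/bin/sh
# Added example, not from the SELinux guide. Shows that an undefined tunable
# removes its rules from the policy source before checkpolicy ever sees them,
# while an if block on a Boolean survives m4 and becomes a runtime switch.

# Constructed inputs live in a scratch directory (assumption for the demo).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed tunable file: one tunable on, one commented out with dnl.
cat > "$work/tunable.tun" <<'EOF'
define(`targeted_policy')
dnl define(`nfs_home_dirs')
EOF

# Constructed TE fragment: one block keyed on each tunable. The Boolean test
# inside the first block is policy syntax, not m4, so m4 passes it through.
cat > "$work/apache_fragment.te" <<'EOF'
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
if (httpd_enable_homedirs) {
allow httpd_t user_home_dir_t:dir { getattr search };
}
') dnl targeted policy
ifdef(`nfs_home_dirs', `
allow httpd_t nfs_t:dir { getattr search };
') dnl nfs home dirs
EOF

# An empty tunable file stands in for "no tunables defined at all".
: > "$work/empty.tun"

# expand_policy TUNABLE_FILE TE_FILE: preprocess with m4, tunables first so
# their define()s are in scope when the TE file is read.
expand_policy() {
    m4 "$1" "$2"
}

# count_allow TUNABLE_FILE TE_FILE: how many allow rules reach checkpolicy.
count_allow() {
    expand_policy "$1" "$2" | grep -c '^allow' || true
}

# has_boolean_block TUNABLE_FILE TE_FILE: succeeds if the runtime Boolean
# test survived preprocessing.
has_boolean_block() {
    expand_policy "$1" "$2" | grep -q '^if (httpd_enable_homedirs)'
}

if command -v m4 >/dev/null 2>&1; then
    echo "--- policy source after m4, with targeted_policy defined ---"
    expand_policy "$work/tunable.tun" "$work/apache_fragment.te"
    echo "--- same fragment with no tunables defined ---"
    expand_policy "$work/empty.tun" "$work/apache_fragment.te"
    echo "allow rules with tunable: $(count_allow "$work/tunable.tun" "$work/apache_fragment.te")"
    echo "allow rules without:      $(count_allow "$work/empty.tun" "$work/apache_fragment.te")"
fi
```

With targeted_policy defined, the typealias, the if (httpd_enable_homedirs) block and its allow rule all come out of m4; the nfs_home_dirs block is gone because its define is a dnl comment. With no tunables defined, nothing comes out at all, which is why a tunable cannot be flipped later with setsebool: the rules were never compiled in.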
$SELINUX_SRC/users

This file contains the definitions for the SELinux users, as explained in Section 2.10 SELinux Users and Roles and Section 3.5 Understanding the Roles and Users in the Targeted Policy.
If you are trying to run a minimal policy to reduce disk and memory usage, you can try removing unused files from $SELINUX_SRC/domains/program/. A TE file may be unused if the daemon associated with that domain file is not installed. For example, if you do not have the nameserver BIND installed, you may be able to remove the associated policy by moving the file $SELINUX_SRC/domains/program/named.te out of the directory. This reduces the SELinux footprint in kernel memory and may have a small effect on performance.

After you remove the *.te file from the directory, you need to cd $SELINUX_SRC/ and run make load. This takes effect immediately. If another TE file still references a type that only the removed file declared, checkpolicy reports the undefined type and the build fails; that is the signal to put the file back. Policy compiling is discussed in detail in Chapter 7 Compiling SELinux Policy. If you move the file to $SELINUX_SRC/domains/program/unused/ instead of deleting it, the TE policy is easy to restore should you choose to install BIND at a later date.
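As an added example, not a script from the guide, here is the procedure above in a form that refuses to remove a domain whose daemon is still present, parks the file in unused/ rather than deleting it, and only rebuilds when something changed. The daemon binary path and the TE file name are supplied by the caller and are assumptions for the demonstration; make load runs only when SELINUX_SRC points at a policy source tree.

```shell
#!/bin/sh
# Added example, not the SELinux guide's own script. Moves a daemon's TE file
# aside only if that daemon's binary is absent, then reloads the policy.

# prune_unused_te SELINUX_SRC TE_FILE DAEMON_BINARY
# Returns 0 when the file was moved to domains/program/unused/,
# 1 when it was left alone (daemon present or file already gone).
prune_unused_te() {
    prog="$1/domains/program"
    te="$2"
    daemon="$3"
    if [ ! -f "$prog/$te" ]; then
        echo "$te: not in $prog (already moved?)" >&2
        return 1
    fi
    if [ -x "$daemon" ]; then
        echo "$te: $daemon is installed, leaving the domain in place" >&2
        return 1
    fi
    mkdir -p "$prog/unused"
    mv "$prog/$te" "$prog/unused/$te"
    echo "$te: moved to $prog/unused/ ($daemon not found)" >&2
    return 0
}

# Usage: SELINUX_SRC must point at the policy source tree (assumption: the
# layout described in this chapter). named.te and /usr/sbin/named are the
# example inputs; substitute the daemon you are pruning.
if [ -n "${SELINUX_SRC:-}" ] && [ -d "$SELINUX_SRC/domains/program" ]; then
    if prune_unused_te "$SELINUX_SRC" named.te /usr/sbin/named; then
        # make load recompiles and loads the policy; it takes effect at once.
        ( cd "$SELINUX_SRC" && make load )
    fi
fi
```

If make load fails after the move because another TE file references a type that only named.te declared, move the file back out of unused/ and run make load again.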