Chapter 3. Targeted Policy Overview
/selinux(/.*)?                          <<none>>
/etc(/.*)?                              system_u:object_r:etc_t
/etc/passwd\.lock                       system_u:object_r:shadow_t
/etc/group\.lock                        system_u:object_r:shadow_t
/etc/shadow.*                           system_u:object_r:shadow_t
/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*    system_u:object_r:shlib_t
/usr(/.*)?/java/.*\.so(\.[^/]*)*        system_u:object_r:shlib_t
Similarly, there are specific file contexts files for all domains, depending on their special needs. The *.fc files are present in the policy source, but are only used if there is an associated *.te file in $SELINUX_SRC/domains/program/. Here is an example from mta.fc:
# types for general mail servers
/usr/sbin/sendmail(.sendmail)?    system_u:object_r:sendmail_exec_t
/usr/lib(64)?/sendmail            system_u:object_r:sendmail_exec_t
/etc/aliases                      system_u:object_r:etc_aliases_t
/etc/aliases\.db                  system_u:object_r:etc_aliases_t
/var/spool/mail(/.*)?             system_u:object_r:mail_spool_t
/var/mail(/.*)?                   system_u:object_r:mail_spool_t
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)?    -d    system_u:object_r:dhcp_state_t
define(`dhcp_defined')
')

Example 3-1. ifdef statement in a context file
Another interesting example is Example 3-1. The file context dhcp_state_t must be set for the DHCP based daemons to work properly, so the pattern and value are in both dhcpd.fc and dhcpc.fc (the DHCP client daemon contexts). This is to ensure the label value is present in case one file is not included in a policy build. In fact, this is the case for the targeted policy, where the DHCP client is not confined by SELinux policy. In this case, the file dhcpd.fc declares the file context for /var/lib/dhcp for the pattern matching ^/var/lib/dhcp(3)?$.
If you include policy to cover the DHCP client programs, you want to ensure that it also can declare the context for /var/lib/dhcp/. However, if you include both programs and they both declare the context, setfiles reports an error during policy build. This happens when a file context is specified multiple times, even if the specification is identical.
To handle this, a conditional ifdef statement is used. When concatenating the file context files into the single file $SELINUX_SRC/file_contexts/file_contexts, the first time the ifdef statement is reached, the definition dhcp_defined is checked for. If it is defined, the value true is returned, and the additional file context is skipped. If dhcp_defined has not been defined, the value returns as false, the file context is read from inside the statement, and dhcp_defined is defined.
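The following is an added example, not code from the Red Hat SELinux Guide or from the SELinux policy tools. It pulls together the file_contexts format shown above and the duplicate-specification problem that Example 3-1 guards against: a small parser for file_contexts lines, a path lookup that anchors each pattern as ^regex$ and lets the last matching specification win (the setfiles/matchpathcon rule), a duplicate check that rejects a specification given twice even when the two copies are identical, and an emulation of just the ifdef(`x', `', `... define(`x') ...') idiom so that two .fc fragments carrying the same guarded line contribute it only once. The fragments, paths and function names are all constructed for the example; the guard emulation handles only this one idiom and is not a general m4 implementation.

```python
"""Added example (not from the SELinux Guide or the SELinux tools): parse a
file_contexts listing, resolve a path's context, detect duplicate
specifications, and emulate the ifdef/define guard from Example 3-1."""
import re

# Constructed fragment in the format of $SELINUX_SRC/file_contexts/file_contexts.
BASE_FC = """\
/selinux(/.*)?                          <<none>>
/etc(/.*)?                              system_u:object_r:etc_t
/etc/passwd\\.lock                       system_u:object_r:shadow_t
/etc/shadow.*                           system_u:object_r:shadow_t
/usr(/.*)?/lib(64)?/.*\\.so(\\.[^/]*)*    system_u:object_r:shlib_t
/var/spool/mail(/.*)?                   system_u:object_r:mail_spool_t
"""

# Constructed stand-in for the guarded line that both dhcpd.fc and dhcpc.fc carry.
DHCP_GUARDED = """\
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)?   -d  system_u:object_r:dhcp_state_t
define(`dhcp_defined')
')
"""
# The same declaration written without the guard.
DHCP_PLAIN = "/var/lib/dhcp(3)?   -d  system_u:object_r:dhcp_state_t\n"

# Matches only the exact ifdef(`x', `', ` ... define(`x') ') idiom of Example 3-1.
GUARD_RE = re.compile(r"ifdef\(`(\w+)', `', `\n(.*?)define\(`\1'\)\n'\)\n", re.S)


def expand_guards(text, defined=None):
    """Emulate the guard (not full m4): emit the guarded body the first time
    the symbol is seen, define the symbol, and drop later guarded copies."""
    defined = set() if defined is None else defined

    def repl(match):
        name, body = match.group(1), match.group(2)
        if name in defined:
            return ""          # symbol already defined: skip this copy
        defined.add(name)
        return body            # first occurrence: keep the file context line
    return GUARD_RE.sub(repl, text)


def parse_file_contexts(text):
    """Return (regex, file_type, context) tuples; the file-type field
    (-d, --, -b, ...) is optional, as it is in file_contexts."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            (pattern, context), ftype = fields, None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((pattern, ftype, context))
    return specs


def check_duplicates(specs):
    """setfiles rejects a specification that appears more than once, even when
    the copies are identical; return the patterns that repeat."""
    seen, dups = set(), []
    for pattern, ftype, _ in specs:
        key = (pattern, ftype)
        if key in seen:
            dups.append(pattern)
        seen.add(key)
    return dups


def match_context(specs, path, is_dir=False):
    """Each regex is anchored (^regex$); the last matching specification wins.
    A context of '<<none>>' means the path is not relabeled."""
    result = None
    for pattern, ftype, context in specs:
        if ftype == "-d" and not is_dir:
            continue           # entry applies to directories only
        if ftype == "--" and is_dir:
            continue           # entry applies to regular files only
        if re.fullmatch(pattern, path):
            result = context
    return result


def build_file_contexts(fragments):
    """Concatenate .fc fragments as the policy build does, run the guard
    emulation over the joined text, then reject duplicate specifications."""
    specs = parse_file_contexts(expand_guards("".join(fragments)))
    dups = check_duplicates(specs)
    if dups:
        raise ValueError("specification given more than once: " + ", ".join(dups))
    return specs


if __name__ == "__main__":
    specs = build_file_contexts([BASE_FC, DHCP_GUARDED, DHCP_GUARDED])
    for p, d in [("/etc/passwd.lock", False), ("/etc/motd", False),
                 ("/var/lib/dhcp", True), ("/var/lib/dhcp", False)]:
        print(p, "dir" if d else "file", "->", match_context(specs, p, d))
    try:
        build_file_contexts([BASE_FC, DHCP_PLAIN, DHCP_PLAIN])
    except ValueError as err:
        print("build error:", err)
```

Running the block shows /etc/passwd.lock resolving to shadow_t rather than etc_t because the more specific entry comes later, /var/lib/dhcp getting dhcp_state_t only when it is a directory (the -d field), and the unguarded pair of DHCP fragments failing the build with the duplicate-specification error while the guarded pair builds cleanly.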
3.4. Common Macros in the Targeted Policy
Macros in SELinux are discussed in Section 2.9 Policy Macros. This section covers macros that are
used extensively throughout the targeted policy. These were chosen by frequency, the list comprising
mainly macros used nine or more times in the various policy files. A large number of macro files are
present in the policy, but are not necessarily called by any of the TE files. There are macro files for
many, but not all, of the targeted daemons.