40

Chapter 3. Targeted Policy Overview

daemon_domain

,

daemon_base_domain

, and

daemon_core_rules

The macro

daemon_domain

is in

$SELINUX_SRC/macros/global_macros.te

, and is com 

mon to all of the targeted daemons. The purpose of

daemon_domain

is to group together per 

mission needs common to all daemons. These needs include creating a process ID (PID) file and

running

df

to check disk usage. In addition, two macros are called,

daemon_base_domain

and

read_locale

.

The base common set of type declarations and permissions is defined in

daemon_base_domain

,

and include allowing you to define a tunable that can disable the domain transition. You evoke one

of these tunables when you set the Boolean value to disable the transition to one of the targeted

domains, removing SELinux protection from that single daemon. Finally,

daemon_core_rules

is called.

This central macro is where the daemon's top level domains and roles are declared:

define(`daemon_core_rules', `

type $1_t, domain, privlog $2;

type $1_exec_t, file_type, sysadmfile, exec_type;

daemon_core_rules

gives a daemon the right to inherit and use descriptors from init, calls the

uses_shlib()

macro for the domain to use shared libraries, allows for common self signaling,

and so forth.

can_network

Providing a top level entry point for common networking policy, this macro appears in

$SELINUX_SRC/macros/global_macros.te

. One primary allow rule gives the domain

access to TCP and UDP sockets to create, send and receive on a network interface from any

node on any port. Read permission is granted for network files, which are configuration files in

/etc/

that network daemons need, mainly

/etc/resolv.conf

:

# can_network(domain)

define(`can_network',`

allow $1 self:udp_socket create_socket_perms;

allow $1 self:tcp_socket create_stream_socket_perms;

allow $1 netif_type:netif { tcp_send udp_send rawip_send };

allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };

allow $1 node_type:node { tcp_send udp_send rawip_send };

allow $1 node_type:node { tcp_recv udp_recv rawip_recv };

allow $1 port_type:{ tcp_socket udp_socket } { send_msg \

recv_msg };

...

allow $1 net_conf_t:file r_file_perms;

')dnl end can_network definition

The limitations on which nodes and ports are allowed by domain are defined in separate rules.

Recall that by default, everything is denied in SELinux. The

allow

rules here grant only the

permission to, for example, make a

bind(2)

call to the socket, but the specific port binding

requires another authorization. The permission

name_bind

to bind to the port is still limited by

the domain, so that, for example,

named

may be allowed by standard Linux permissions to bind

to port 22, but SELinux blocks access and generates an

avc: denied

message in

$AUDIT_LOG

.

This is because

named_t

is not allowed to bind to a port of type

ssh_port_t

, which is the type

for the SSH port.

can_unix_connect

This popular macro from

core_macros.te

provides permissions for establishing a UNIX

stream connection:

# can_unix_connect(client, server)

define(`can_unix_send',`

allow $1 $2:unix_dgram_socket sendto;

')