NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
Policy attributes identify as groups sets of security types that
have a similar property. These groups can be controlled by fewer,
overarching rules. The relationship is many-to-many: a type can
have any amount of attributes, and an attribute can be associated
with any number of types.
The declarations file $SELINUX_SRC/attrib.te is well documented in its
comment blocks. The attribute declaration syntax is attribute <identifier>; as in these samples:
## Samples from $SELINUX_SRC/attrib.te
# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;
# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;
Here are a few noteworthy attributes. Information about these
was obtained through policy analysis using apol, part of the setools package. You can read more about this in
Section 6.3, Using apol for Policy Analysis.
- httpdcontent
The purpose of this attribute is to group together the various
types associated with the policy for Apache HTTP. Because of the
complexity of the httpd configuration, the
targeted policy includes Boolean values that allow you to grant
blanket permissions for httpd content
types. This helps Web applications and built-in scripting, such as
PHP for Apache HTTP, to work with the content. The types in this
attribute are:
# This is an aliasing relationship
httpd_sys_content_t: httpd_sysadm_content_t, \
httpd_user_content_t
# These types handle different permissions sets for scripts
httpd_sys_script_ro_t
httpd_sys_script_rw_t
httpd_sys_script_ra_t
The first line in the attribute group specifies that
httpd_sys_content_t is an alias
for httpd_sysadm_content_t and
httpd_user_content_t.
- file_type
This attribute is for all the types that are assigned to files,
allowing for easier association of all file types to various kinds
of file system needs. This attribute makes it more convenient to
allow specific domains access to all file types. The list of types
associated with the file_type
attribute contains more than 170 types; here is an excerpt:
...
device_t
xconsole_device_t
file_t
default_t
root_t
mnt_t
home_root_t
lost_found_t
boot_t
system_map_t
boot_runtime_t
tmp_t
etc_t: hotplug_etc_t
shadow_t
ld_so_cache_t
etc_runtime_t
fonts_t
etc_aliases_t
net_conf_t: resolv_conf_t
lib_t
shlib_t
...
- netif_type, port_type, and node_type
These attributes relate to network activity by domains. The
netif_type attribute identifies the types
associated with network interfaces, allowing policy to control
sending, receiving, and various operations on the interface.
The port_type attribute is
associated with all types that are assigned to port numbers. This
allows SELinux to control port binding, meaning daemons are
restricted in using a port depending on the type assigned to the
port.
The node_type attribute is for types
assigned to network nodes or hosts, allowing SELinux to control
traffic to and from the node.
- fs_type
This attribute identifies all types assigned to file systems,
including non-persistent file systems. The fs_type attribute is used in TE rules to
allow most domains to obtain overall file system statistics, and
for some specific domains to mount any file system. Here are the
SELinux file types that are part of fs_type:
devpts_t: sysadm_devpts_t, staff_devpts_t, user_devpts_t
fs_t
eventpollfs_t
futexfs_t
bdev_t
usbfs_t
nfsd_fs_t
rpc_pipefs_t
binfmt_misc_fs_t
tmpfs_t
autofs_t
usbdevfs_t
sysfs_t
iso9660_t
romfs_t
ramfs_t
dosfs_t
cifs_t: sambafs_t
nfs_t
proc_t
security_t
- exec_type
This attribute groups together all types that are assigned to
entry point executables. Any TE rules and assertions that should be
applied to all entry point executables use this attribute. Here are
the types in this attribute:
ls_exec_t
shell_exec_t
httpd_exec_t
httpd_suexec_exec_t
httpd_php_exec_t
httpd_helper_exec_t
dhcpd_exec_t
hotplug_exec_t
initrc_exec_t
run_init_exec_t
init_exec_t
ldconfig_exec_t
mailman_queue_exec_t
mailman_mail_exec_t
mailman_cgi_exec_t
depmod_exec_t
insmod_exec_t
update_modules_exec_t
sendmail_exec_t
mysqld_exec_t
named_exec_t
ndc_exec_t
nscd_exec_t
ntpd_exec_t
ntpdate_exec_t
portmap_exec_t
postgresql_exec_t
rpm_exec_t
snmpd_exec_t
squid_exec_t
syslogd_exec_t
udev_exec_t
udev_helper_exec_t
winbind_exec_t
ypbind_exec_t
- mta_delivery_agent
This attribute allows for flexibility in choosing a mail transfer agent (MTA) such as sendmail or
postfix. Rules written against the attribute allow whichever MTA carries it to perform mail
handling and take tasks from mailman.
However, this attribute is not used in the targeted policy, since
none of the MTAs are targeted daemons for Red Hat Enterprise Linux
4.
- domain
This attribute is for all types that can be assigned to a
process. This is the method for identifying what is a domain in
SELinux. In other Type Enforcement systems, domains may be
implemented separately from types. In SELinux, domains are
essentially types with the domain attribute.
This attribute allows you to have rules that can be applied to
all domains, such as allowing init to send
signals to all processes. Another example is the following rule
that allows all processes to perform a search on directory objects
that have a type of var_t or
var_run_t, that is, the
directories /var and /var/run:
allow domain { var_run_t var_t } : dir search ;
Here are the domains covered by this attribute:
unconfined_t: kernel_t, init_t, initrc_t, sysadm_t, rpm_t, \
rpm_script_t, logrotate_t
mount_t
httpd_t
httpd_sys_script_t
httpd_suexec_t
httpd_php_t
httpd_helper_t
dhcpd_t
ldconfig_t
mailman_queue_t
mailman_mail_t
mailman_cgi_t
system_mail_t
mysqld_t
named_t
ndc_t
nscd_t
ntpd_t
portmap_t
postgresql_t
snmpd_t
squid_t
syslogd_t
winbind_t
ypbind_t
- reserved_port_type
This attribute identifies all the types that are assigned to any
of the reserved network ports, that is, ports numbered lower than
1024. The attribute is used to control binding. An example binding
rule is followed here by the types that are part of this
attribute:
# The allow rule permits the domain portmap_t to bind to a
# port with a type of portmap_port_t, which is one of the
# types identified by the reserved_port_type attribute. The
# dontaudit rule tells SELinux to never audit the access of
# portmap_t to a reserved_port_type.
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } \
name_bind;
dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
# Types associated with the reserved_port_type attribute
http_port_t
smtp_port_t
rndc_port_t
ntp_port_t
portmap_port_t
snmp_port_t
syslogd_port_t
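The following Python script is an added example, not part of this guide or of the SELinux policy sources. It resolves attribute membership the way the rules on this page rely on it: it parses a constructed policy fragment built from the attributes and rules quoted above (attribute, allow, dontaudit and the { ... } set notation), plus the standard type NAME, ATTR; statement for attaching attributes to a type, which this page does not show, then answers whether a source type may perform a permission on a target type and expands an attribute-based rule into the concrete type pairs it covers.

```python
import re
# Constructed policy fragment (assumption: not from any real policy source) that
# reuses this page's attributes and rules; `type NAME, ATTR;` attaches attributes.
SAMPLE_POLICY = """
attribute domain;  attribute file_type;  attribute reserved_port_type;
type httpd_t, domain; type portmap_t, domain; type var_t, file_type; type var_run_t, file_type;
type portmap_port_t, reserved_port_type;  type http_port_t, reserved_port_type;
allow domain { var_run_t var_t } : dir search ;
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
"""
RULE_RE = re.compile(r"(allow|dontaudit)\s+(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+)"
                     r"\s*:\s*(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+)")
def _split_set(token):
    """'{ a b }' -> ['a', 'b'] and 'a' -> ['a']."""
    return token.strip("{} ").split()

def parse_policy(text):
    """Return (attrs: attribute -> set of member types, rules: list of dicts)."""
    attrs, rules = {}, []
    for stmt in (s.strip() for s in text.split(";")):
        if stmt.startswith("attribute "):
            attrs.setdefault(stmt.split()[1], set())
        elif stmt.startswith("type "):  # type NAME, ATTR, ATTR...
            name, *alist = [p.strip() for p in stmt[5:].split(",")]
            for a in alist:
                attrs.setdefault(a, set()).add(name)
        elif m := RULE_RE.match(stmt):
            kind, src, tgt, cls, perms = m.groups()
            rules.append(dict(kind=kind, src=_split_set(src), tgt=_split_set(tgt),
                              cls=_split_set(cls), perms=_split_set(perms)))
    return attrs, rules

def _members(name, attrs):
    """An attribute stands for every type carrying it; a plain type for itself."""
    return attrs[name] if name in attrs else {name}

def check_access(policy, src, tgt, cls, perm):
    """'allow', 'dontaudit' (denied, not logged) or 'denied' (denied and logged)."""
    attrs, rules = policy
    kinds = {r["kind"] for r in rules
             if any(src in _members(s, attrs) for s in r["src"])
             and any(tgt in _members(t, attrs) for t in r["tgt"])
             and cls in r["cls"] and perm in r["perms"]}
    return "allow" if "allow" in kinds else "dontaudit" if kinds else "denied"

def rule_pairs(policy, index):
    """Expand rule `index` into the concrete (source, target) type pairs it covers."""
    attrs, rules = policy
    r = rules[index]
    return sorted((s, t) for S in r["src"] for s in _members(S, attrs)
                  for T in r["tgt"] for t in _members(T, attrs))
```

Against a real compiled policy, the setools programs seinfo and sesearch answer the same membership and rule questions; this script only models the attribute resolution itself.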