Chapter 2. SELinux Policy Overview
For example, the binary executable file object at /usr/bin/postgres has the type postgresql_exec_t. All of the targeted daemons have their own *_exec_t type for their executable applications. In fact, the entire set of PostgreSQL executables, such as createlang, pg_dump, and pg_restore, have the same type, postgresql_exec_t, and they transition to the same domain, postgresql_t, upon execution.
The policy defines various rules that say how each domain may access each type. Only what is specifically allowed by the rules is permitted. By default every operation is denied and audited, meaning it is logged in $AUDIT_LOG, such as /var/log/messages. Policy is compiled into binary format for loading into the kernel security server, and as the security server hands out decisions, these are cached in the AVC for performance.
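The two paragraphs above describe type enforcement in the abstract: allow rules grant access, everything else is denied and audited, and executing a file labelled *_exec_t moves the process into a new domain. The following added example (not code from this guide or from the SELinux project) models exactly that with a small evaluator over a constructed TE fragment; the rules, the initrc_t domain used as the caller, and the postgresql_db_t and postgresql_log_t types are assumptions for illustration.

```python
import re

# Constructed TE fragment in SELinux policy syntax (assumed rules for illustration,
# not copied from the Red Hat Enterprise Linux 4 targeted policy sources).
POLICY_FRAGMENT = """
type_transition initrc_t postgresql_exec_t:process postgresql_t;
allow initrc_t postgresql_exec_t:file { read execute };
allow initrc_t postgresql_t:process transition;
allow postgresql_t postgresql_exec_t:file entrypoint;
allow postgresql_t postgresql_db_t:file { read write getattr };
allow postgresql_t postgresql_log_t:file { append create };
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([\w ]+?)\s*\}|(\w+));$")
TRANS_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+);$")


class TEPolicy:
    """Minimal model of type enforcement: allow rules plus type_transition rules."""

    def __init__(self, text):
        self.allow = {}        # (source type, target type, class) -> set of permissions
        self.transitions = {}  # (source domain, executable type, class) -> new domain
        self.denials = []      # simplified AVC-style audit records for everything refused
        for line in filter(None, (ln.strip() for ln in text.splitlines())):
            if (m := ALLOW_RE.match(line)):
                src, tgt, cls, many, one = m.groups()
                self.allow.setdefault((src, tgt, cls), set()).update((many or one).split())
            elif (m := TRANS_RE.match(line)):
                src, tgt, cls, new = m.groups()
                self.transitions[(src, tgt, cls)] = new
            else:
                raise ValueError("unsupported rule: " + line)

    def check(self, domain, ttype, cls, perm):
        """Default deny: only permissions granted by an allow rule pass; refusals are audited."""
        if perm in self.allow.get((domain, ttype, cls), set()):
            return True
        self.denials.append(f"avc: denied {{ {perm} }} scontext=system_u:system_r:{domain} "
                            f"tcontext=system_u:object_r:{ttype} tclass={cls}")
        return False

    def exec_domain(self, domain, exec_type):
        """Domain a process ends up in after executing a file labelled exec_type (None if refused)."""
        new = self.transitions.get((domain, exec_type, "process"))
        if new is None:  # no transition rule: the caller stays in its own domain
            return domain if self.check(domain, exec_type, "file", "execute") else None
        # A transition needs execute on the file, transition into the new domain,
        # and entrypoint for the new domain on that same file.
        ok = (self.check(domain, exec_type, "file", "execute")
              and self.check(domain, new, "process", "transition")
              and self.check(new, exec_type, "file", "entrypoint"))
        return new if ok else None


policy = TEPolicy(POLICY_FRAGMENT)
```

Executing postgresql_exec_t from initrc_t lands in postgresql_t, while a write to postgresql_log_t from that domain is refused and leaves a denial record, which is the behaviour the audit log in $AUDIT_LOG reflects on a real system.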
Policy can be administratively defined, either by modifying the existing files or by adding local TE and file context files to the policy tree. Such a new policy can be loaded into the kernel in real time. Otherwise, the policy is loaded during boot by init, as explained in Section 2.3 Policy Role in Boot. Ultimately, every system operation is determined by the policy and the type labeling of the files.
Important: After loading a new policy, it is recommended to restart any services that may have new or changed labeling. For the most part, this is only the targeted daemons, as listed in Section 3.1 What is the Targeted Policy?.
SELinux is an implementation of domain-type access control, with role-based limiting. The policy specifies the rules in that environment. It is written in a simple language created specifically for writing security policy. Policy writers use m4 macros to capture common sets of low-level rules. There are a number of m4 macros defined in the existing policy, which assist greatly in writing new policy. These rules are preprocessed into many additional rules as part of building policy.conf, which is compiled into the binary policy.
The files are divided into various categories in a policy tree at $SELINUX_SRC/. This is covered in Section 3.2 Files and Directories of the Targeted Policy. Access rights are divided differently among domains, and no domain is required to act as a master for all other domains. Entering and switching domains is controlled by the policy, through login programs, userspace programs such as newrole, or by requiring a new process execution in the new domain, called a transition.
2.2. Where is the Policy?
There are two components to the policy, the binary tree and the source tree. The binary tree comes from the selinux-policy-<policyname> package and supplies the binary policy file. Alternately, the binary policy can be built from source when the selinux-policy-<policyname>-sources package is installed. For Red Hat Enterprise Linux 4 the <policyname> is targeted. Directory conventions for this guide are explained in Section 3 Conventions for SELinux Directories and Files.
/etc/selinux/targeted/
    This is the root directory for the targeted policy, and contains both the binary and source trees.

/etc/selinux/targeted/policy/
    The binary policy file policy.XY is here. In this guide, the variable $SELINUX_POLICY/ is used for this directory.

/etc/selinux/targeted/src/policy/
    This is the location of the policy source tree. For details about these subdirectories, read Section 3.2 Files and Directories of the Targeted Policy. In this guide, the variable $SELINUX_SRC/ is used for this directory.

/etc/selinux/targeted/contexts/
    Location of the security context information and configuration files, which are used during runtime by various applications. This directory contains: