Chapter 2. SELinux Policy Overview
Type Transitions
A type transition results in a new process running in a new domain different from the executing process, or a new object being labeled with a type different from the source doing the labeling. The rules define what domain and file type transitions occur by default. The domain transition default can be overridden if the process explicitly requests a particular context. The file transition default is actually to inherit from the parent, that is, the new file receives its context from the parent directory unless an explicit transition rule makes it inherit from the creator. For example, the directory ~/ has a type of user_home_dir_t, and policy specifies that files created in a directory with that type are labeled with user_home_t.
Transitions are defined through macros that combine the type_transition rule with a set of allow rules. The allow rules are macros with variables that support common transitioning needs. For more information about macros, refer to Section 2.9 Policy Macros.
## General syntax of a transition
type_transition source_type(s) target_type(s) : \
    class(es) new_type
# Note that all excepting the new_type can be
# multiple types and classes, surrounded by brackets { }
## Domain transition syntax
type_transition current_domain type_of_program : \
    process new_domain
# note that the object class is fixed to the process attribute
## Domain transition examples
type_transition httpd_t httpd_sys_script_exec_t:process \
httpd_sys_script_t;
# When the httpd daemon running in the domain httpd_t executes
# a program of the type httpd_sys_script_exec_t, such as a CGI
# script, the new process is given the domain of
# httpd_sys_script_t
type_transition initrc_t squid_exec_t:process squid_t;
# When init exec()s a program of the type squid_exec_t, the new
# process is transitioned to the squid_t domain
## New object labeling syntax
type_transition creating_domain parent_object_type : \
    class(es) new_type
# Note that multiple classes are allowed using the
# { } brackets
## New object labeling example
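The guide's own example for this heading is not present on this page. The following is an added example, not code from the Red Hat guide or from the SELinux reference policy: a small Python resolver that parses type_transition rules written in the syntax shown above (including the `{ }` bracket sets and backslash continuation lines) and applies the two defaults the text describes, namely that a process stays in its current domain and a new file inherits its parent directory's type unless a matching rule says otherwise. The sample policy is constructed here; it reuses the two domain-transition rules from the page and adds one file-labeling rule for user_home_dir_t in which the creating domain `user_t` is an assumption. It models only the type_transition default, not the allow rules (execute, transition, entrypoint) that a real transition also requires.

```python
"""Toy resolver for SELinux type_transition rules.

Added example for illustration; it is not the Red Hat guide's code and
not a real policy tool. It reads rules in the syntax shown in the text
and answers "what type does the new process or object get?".
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TypeTransition:
    sources: frozenset   # source type(s), e.g. the executing domain
    targets: frozenset   # target type(s), e.g. the program file or parent dir
    classes: frozenset   # object class(es), 'process' for domain transitions
    new_type: str        # the single new domain or object type


# A token is either a bracketed set "{ a b c }" or one bare identifier.
TOKEN = r"(?:\{[^}]*\}|[^\s:{};]+)"
RULE_RE = re.compile(
    rf"type_transition\s+(?P<src>{TOKEN})\s+(?P<tgt>{TOKEN})\s*:\s*"
    rf"(?P<cls>{TOKEN})\s+(?P<new>[A-Za-z0-9_]+)\s*;"
)


def _as_set(token):
    """Turn 'a' or '{ a b }' into a frozenset of names."""
    return frozenset(token.strip("{} ").split())


def parse_rules(policy_text):
    """Parse every type_transition rule in policy_text.

    Comments ('# ...') are dropped and lines ending in a backslash are
    joined to the following line, as in the examples on this page.
    """
    text = re.sub(r"#.*", "", policy_text)
    text = text.replace("\\\n", " ")
    return [
        TypeTransition(_as_set(m["src"]), _as_set(m["tgt"]),
                       _as_set(m["cls"]), m["new"])
        for m in RULE_RE.finditer(text)
    ]


def resolve(rules, source, target, obj_class):
    """Return the type the new process or object receives.

    The first rule whose source, target and class sets all match wins.
    With no matching rule the defaults from the text apply: a process
    keeps the executing domain; any other object inherits the type of
    its parent (the target).
    """
    for rule in rules:
        if (source in rule.sources and target in rule.targets
                and obj_class in rule.classes):
            return rule.new_type
    return source if obj_class == "process" else target


# Constructed sample policy: the two domain-transition rules from the
# text plus one file-labeling rule. 'user_t' as creating domain is an
# assumption made for this example.
SAMPLE_POLICY = """
type_transition httpd_t httpd_sys_script_exec_t:process \\
    httpd_sys_script_t;
type_transition initrc_t squid_exec_t:process squid_t;
type_transition user_t user_home_dir_t:{ file dir lnk_file } user_home_t;
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_POLICY)
    queries = [
        ("httpd_t", "httpd_sys_script_exec_t", "process"),  # rule matches
        ("httpd_t", "bin_t", "process"),                    # default: same domain
        ("user_t", "user_home_dir_t", "file"),              # rule matches
        ("user_t", "tmp_t", "file"),                        # default: parent type
        ("user_t", "user_home_dir_t", "sock_file"),         # class not in rule
    ]
    for src, tgt, cls in queries:
        print(f"{src} creating {cls} under {tgt} -> {resolve(rules, src, tgt, cls)}")
```

Running the script shows the difference between the two defaults: executing bin_t from httpd_t without a rule leaves the process in httpd_t, while creating a file under tmp_t without a rule labels it tmp_t, the parent directory's type. The last query also shows that a bracketed class set is a whitelist: a sock_file created in user_home_dir_t does not match the rule and falls back to inheriting user_home_dir_t.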