Chapter 2. SELinux Policy Overview
type_transition named_t var_run_t:sock_file named_var_run_t;
# When a process in the domain named_t creates a socket file
# in a directory of the type var_run_t, the socket file is
# given the type named_var_run_t.
# The directory with the type var_run_t is defined in the policy
# as /var/run/.
#
# This rule is only found in this format in policy.conf,
# and it is derived from the following rule in
# $SELINUX_SRC/domain/programs/named.te:
file_type_auto_trans(named_t, var_run_t, named_var_run_t, \
sock_file)
# This rule evokes the file_type_auto_trans macro from
# $SELINUX_SRC/macros/core_macros.te, ultimately feeding the 4
# variables in to the macro file_type_trans($1,$2,$3,$4)
Type Changes
This kind of transition is not used in the targeted policy in Red Hat Enterprise Linux 4. Type
changes are used by trusted applications to change the labels of objects, such as login relabeling
the tty for a user session. For more information about type changes, refer to the sources found in
Chapter 9 References.
2.8. TE Rules - Access Vectors
Access vectors (AVs) are the rules that allow domains to access various system objects. An AV is a set
of permissions. A basic AV rule is a subject and object pair of types, a class definition for the object,
and a permission for the subject. There is a general rule syntax that covers all the kinds of AV rules:
av_kind source_type(s) target_type(s) : class(es) permission(s);
In the syntax diagram, the + signs and commas mark the elements (source types, target types, classes,
and permissions) that may be given as a set of one or more members, and a trailing backslash (\)
continues a rule onto the following line.
All AV rules are considered by the policy enforcement engine as two types, one class, and one access
permission. However, rules are written using attributes, sets, and macros to be more efficient. AV rules
are simplified during policy compilation.
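To make the simplification concrete, the following added example (not code from the guide or from the SELinux project) reduces AV rules written with sets and backslash continuations to the primitive (av_kind, source type, target type, class, permission) tuples the enforcement engine evaluates. It assumes the brace-delimited set syntax shown in this section; attributes and m4 macros are not expanded, since that needs the whole policy, so a bare name is treated as one type.

```python
"""Expand SELinux access-vector (AV) rules into primitive tuples."""
import re
from itertools import product

AV_KINDS = ("allow", "auditallow", "dontaudit")

# Constructed sample: the two rules from this section plus one
# set-based dontaudit rule written for illustration only.
SAMPLE_RULES = r"""
allow named_t sbin_t:dir search;
auditallow unconfined_t security_t : security { load_policy \
    setenforce setbool };
dontaudit { named_t unconfined_t } var_run_t:{ dir file } { read getattr };
"""

_RULE_RE = re.compile(
    r"^(allow|auditallow|dontaudit)\s+"
    r"(\{[^}]*\}|\S+)\s+"          # source type(s)
    r"(\{[^}]*\}|\S+?)\s*:\s*"     # target type(s) :
    r"(\{[^}]*\}|\S+?)\s+"         # class(es)
    r"(\{[^}]*\}|\S+?)$"           # permission(s)
)


def _split_set(tok: str) -> list:
    """'{ a b }' -> ['a', 'b']; 'a' -> ['a']."""
    tok = tok.strip()
    if tok.startswith("{") and tok.endswith("}"):
        return tok[1:-1].split()
    return [tok]


def parse_av_rules(text: str) -> list:
    """Return one (kind, src, tgt, cls, perm) tuple per primitive rule."""
    # Join backslash-continued lines, then take one statement per ';'.
    text = re.sub(r"\\\s*\n", " ", text)
    out = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())   # normalise whitespace
        if not stmt:
            continue
        m = _RULE_RE.match(stmt)
        if not m:
            raise ValueError(f"unrecognised AV rule: {stmt!r}")
        kind, src, tgt, cls, perms = m.groups()
        # Cartesian product of the sets = the rules the engine sees.
        for s, t, c, p in product(*(_split_set(x) for x in (src, tgt, cls, perms))):
            out.append((kind, s, t, c, p))
    return out


if __name__ == "__main__":
    for rule in parse_av_rules(SAMPLE_RULES):
        print(rule)
```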
The parts of the AV rule are defined elsewhere in this chapter. This section describes the kinds of
access vectors used in the AV rule at av_kind. av_kind is one of three rule types:
  allow - permit a subject to act in a specific way with an object. The rule here allows named (in
the domain of named_t) to perform a search of a directory with the type sbin_t (for example, /sbin,
/usr/sbin, /opt/sbin, etc.):
allow named_t sbin_t:dir search;
If the ruling results in a denial, the denial is audited (that is, logged). Granted permission events are
not logged.
  auditallow - when the permission is granted, log the access decision. In the targeted policy,
there is only one auditallow rule. This rule logs usage of certain SELinux applications, for
example logging avc: granted { setenforce } when allowing setenforce:
auditallow unconfined_t security_t : security { load_policy \
setenforce setbool };
  dontaudit - never audit a specific access denial. This is used when a program is attempting an
action that is not allowed by policy, and the resulting denials are filling the log, but the denial is