Chapter 2. SELinux Policy Overview
The allow rule says httpd_t is permitted to start a child process that transitions to httpd_suexec_t. The type_transition rule defines two things: the circumstances, that is, when the domain httpd_t is executing a file of the type httpd_suexec_exec_t (/usr/sbin/suexec); and the child domain transitioned to, httpd_suexec_t. The allow rule then permits the defined transition.

These rules are present only in $SELINUX_SRC/policy.conf, so they must be derived from a macro. In those rules, the variable elements are the parent domain (httpd_t), the child domain (httpd_suexec_t), and the program type (httpd_suexec_exec_t). These are represented in the macro as $1, $2, and so forth. Fortunately, the search is made easier because the object class (process) and permission (transition) are never variables in an SELinux macro. It is safe to search using the class and permission as a query:
grep -R ":process transition" macros/*
macros/core_macros.te:allow $1 $3:process transition;        # match
macros/global_macros.te:allow $1 self:process transition;
The return from core_macros.te fits the right format. Here it is in the macro file, showing it to be part of the domain_trans() macro:
# domain_trans(parent_domain, program_type, child_domain)
#
# Permissions for transitioning to a new domain.
#
define(`domain_trans',`
#
# Allow the process to transition to the new domain.
#
allow $1 $3:process transition;
In the macro call, the variables are domain_trans($1, $2, $3), with $1 the parent domain, $2 the program type, and $3 the child domain. However, a search through $SELINUX_SRC/domains/program/apache.te and $SELINUX_SRC/macros/programs/apache_macros.te does not find a line such as domain_trans(httpd_t, httpd_suexec_t, httpd_suexec_exec_t). This means that domain_trans() is not called directly by the Apache HTTP policy, so another macro must be involved.
Looking back at the rules you are curious about, the common name roots that make up those rules are httpd_t and httpd_suexec. Focusing your search on those as variables turns up a macro call:
grep httpd_suexec domains/program/apache.te | grep httpd_t
daemon_sub_domain(httpd_t, httpd_suexec)
The parameter httpd_suexec does not have either of the suffixes, _t or _exec_t, because it obtains those from the macro. The macro daemon_sub_domain() is found in $SELINUX_SRC/macros/global_macros.te. Notice the _exec_t and _t that are attached to the variable inputs $1 and $2:
# define a sub domain, $1_t is the parent domain, $2 is the name
# of the sub domain.
#
define(`daemon_sub_domain', `
...
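As an added example (not from the book or the SELinux policy sources), the shell script below builds a constructed miniature policy tree and runs the same trace on it: find the macro file that grants process transition, find the call in apache.te, and expand daemon_sub_domain by hand to see where the _exec_t and _t suffixes come from. The body of daemon_sub_domain here is a simplified stand-in, since the book elides the real one.

```shell
# Added example: trace an allow/type_transition pair back to its macros on a
# constructed miniature policy tree; daemon_sub_domain is a simplified stand-in.
set -e

setup_tree() {
  # $1 = directory to fill with the constructed policy sources
  mkdir -p "$1/macros" "$1/domains/program"
  cat > "$1/macros/core_macros.te" <<'EOF'
# domain_trans(parent_domain, program_type, child_domain)
define(`domain_trans',`
allow $1 $3:process transition;
type_transition $1 $2:process $3;
')
EOF
  cat > "$1/macros/global_macros.te" <<'EOF'
# define a sub domain, $1 is the parent domain, $2 is the name of the sub domain.
# (simplified stand-in for the real macro, which the text elides)
define(`daemon_sub_domain',`
type $2_t, domain;
type $2_exec_t, file_type, exec_type;
domain_trans($1, $2_exec_t, $2_t)
')
EOF
  printf 'daemon_sub_domain(httpd_t, httpd_suexec)\n' > "$1/domains/program/apache.te"
}

# Step 1: class and permission are never macro variables, so search on them;
# prints the basename of the macro file that grants process:transition.
find_transition_macro() {
  grep -R ":process transition" "$1/macros" | sed -n 's/^.*\/\([a-z_]*\.te\):.*$/\1/p'
}

# Step 2: the only common name roots in the rules are httpd_t and httpd_suexec.
find_macro_call() {
  grep httpd_suexec "$1/domains/program/apache.te" | grep httpd_t
}

# Step 3: expand daemon_sub_domain(parent, name) the way m4 would, showing how
# the bare name gains its _exec_t (program type) and _t (child domain) suffixes.
expand_sub_domain() {
  printf 'allow %s %s_t:process transition;\n' "$1" "$2"
  printf 'type_transition %s %s_exec_t:process %s_t;\n' "$1" "$2" "$2"
}

SRC=$(mktemp -d)
setup_tree "$SRC"
echo "macro granting the transition: $(find_transition_macro "$SRC")"
echo "call in apache.te: $(find_macro_call "$SRC")"
expand_sub_domain httpd_t httpd_suexec
rm -rf "$SRC"
```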