Chapter 3. Targeted Policy Overview
/etc/selinux/targeted/booleans would then change to squid_disable_trans=1. An easier technique for changing Booleans is to use the setsebool command.

If you change the value in /etc/selinux/targeted/booleans, the change takes effect upon the next policy load, such as a reboot or make load (refer to Chapter 7 Compiling SELinux Policy).

Booleans work by having the if statements with conditional policy compiled into the binary policy, so the potential policy for each conditional is always present. If you look at a pseudo file system Boolean file, for example cat /selinux/booleans/httpd_unified, you get two values returned, 1 1. The first value represents the current value; the other is the pending value that is to be set programmatically when security_commit_booleans() is run, that is, when policy is loaded. Another time this occurs is when you run setsebool -P. The -P writes all the pending Boolean values to the disk.
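The two formats just described, the name=value lines of the persisted booleans file and the "current pending" pair returned by each pseudo file, are easy to cross-check. The following is an added example, not code from the Red Hat guide: it parses both formats on constructed sample data and reports Booleans whose pending value was never committed and Booleans whose on-disk value differs from what the running policy enforces (an edit to the file that is still waiting for a policy load, or a setsebool run without -P). The read_live_booleans() helper and the sample Boolean names are assumptions for illustration.

```python
# Added example: compare persisted SELinux Booleans with the live pseudo files.
from pathlib import Path


def parse_booleans_file(text):
    """Parse the name=value lines of /etc/selinux/targeted/booleans."""
    persisted = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # tolerate comments and blank lines
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        persisted[name] = int(value)
    return persisted


def parse_pseudo_value(text):
    """Parse the '1 1' output of /selinux/booleans/<name> into (current, pending)."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError("expected two values, got %r" % text)
    return int(fields[0]), int(fields[1])


def compare_booleans(persisted, live):
    """Return (uncommitted, drift): names whose pending value differs from the
    current one, and names whose on-disk value differs from the live current value."""
    uncommitted = sorted(n for n, (cur, pend) in live.items() if cur != pend)
    drift = sorted(n for n, v in persisted.items() if n in live and live[n][0] != v)
    return uncommitted, drift


def read_live_booleans(root="/selinux/booleans"):
    """Read every Boolean from the pseudo file system (needs a running SELinux)."""
    return {p.name: parse_pseudo_value(p.read_text()) for p in Path(root).iterdir()}


# Constructed sample data standing in for the real files (assumed names/values).
SAMPLE_PERSISTED = "httpd_unified=1\nsquid_disable_trans=1\n"
SAMPLE_LIVE = {"httpd_unified": "1 1", "squid_disable_trans": "0 0",
               "httpd_enable_cgi": "1 0"}


def check_sample():
    """Run the comparison over the constructed sample."""
    live = {name: parse_pseudo_value(v) for name, v in SAMPLE_LIVE.items()}
    return compare_booleans(parse_booleans_file(SAMPLE_PERSISTED), live)


if __name__ == "__main__":
    print(check_sample())   # (['httpd_enable_cgi'], ['squid_disable_trans'])
```

On a live system, replace the sample dictionary with read_live_booleans() and the sample string with the contents of /etc/selinux/targeted/booleans.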
/etc/selinux/targeted/contexts/
This directory contains security context information used at run time by various applications, such as restorecon. Within contexts/ are a number of files and directories. Here are the most important:

default_contexts
This file defines the default security context(s) for local and remote user sessions, cron jobs, and so forth.

files/
This subdirectory contains security context configuration files used by applications needing to set file labels during runtime, such as rpm, restorecon, setfiles, and udev.

userhelper_context
This file sets the context for the userhelper application to use.
$SELINUX_SRC/domains/program/
The location of the TE files that define the policy for the daemons covered by the targeted policy. If a TE file is not in this directory, then it is not compiled into the policy.

$SELINUX_SRC/file_contexts/
All of the file contexts for the targeted and unconfined daemons are in the directory file_contexts/program. When the policy is built, all of the relevant *.fc files are concatenated into $SELINUX_SRC/file_contexts/file_contexts. A file contexts file is considered relevant to the policy if there is a corresponding $SELINUX_SRC/domains/programs/*.fc file. A copy of file_contexts is at /etc/selinux/targeted/contexts/files/file_contexts.

For files that are not part of the targeted daemons and their associated file contexts files, the file types.fc is referenced for setting the security context, especially when the policy is installed or the file system is relabeled. This directory is discussed thoroughly in Section 3.3 Understanding the File Contexts Files.
$SELINUX_SRC/file_contexts/distros.fc
Each distribution of Linux that supports SELinux may have unique file contexts that should only be included if the policy is being compiled on that system. The set for Red Hat Enterprise Linux is grouped inside of ifdef(`distro_redhat', `...'), and includes contexts for Red Hat specific applications such as system-config-securitylevel, packages with possibly unique file locations, and file contexts for the /emul libraries for x86 emulation on 64-bit systems.
$SELINUX_SRC/domains/unconfined.te
This file defines the domain for unconfined processes, that is, everything that is not specifically a targeted daemon.