32
Chapter 3. Targeted Policy Overview
$SELINUX_SRC/appconfig/
This directory contains application configuration files that provide contexts or partial contexts
for certain daemons and utilities. A partial context is when the user identity is not included. This
identity is inferred from the user who runs the utility.
The kind of utilities that rely upon the
appconfig
contexts are
crond
,
newrole
, and
login
,
which need to have a context that derives from a user rather than their own context. These files
provide a list of possible contexts the program can try to set, and the policy decides if the process
can transition to those contexts.
These
various
files
are
installed
as
the
separate
files
and
directories
within
$SELINUX_POLICY/contexts/
, and are used in runtime by
libselinux
to search through
for usable contexts.
In a stricter policy than the targeted policy, there would be additional entries since all users
and daemons run in their own security context instead of
unconfined_t
. For example, when
parsing through
default_contexts
, if the policy defines that a context is not allowed for a
user, it would be ignored and the next one checked. This way the file can have a cascading set
of partial contexts, so the most privileged gets the first choice, and the least privileged gets the
last choice. In
default_contexts
for the targeted policy, the most and least privileged are the
same
cat default_contexts
system_r:unconfined_t
system_r:unconfined_t
The
default_type
file is the configuration file for when applications need to know which do 
mains are to be associated with which roles. In the targeted policy, there is effectively one single
role for subjects:
system_r
. For example,
newrole
looks to this file to know what domains to
assign each transitioned role:
cat default_type
system_r:unconfined_t
There ins only a partial context in
failsafe_context
. This is what is returned if
default_contexts
does not have an appropriate context. In other words, if nothing else
matches, try this context. Note that it is the same context as in
default_contexts
. This file is
more useful in a stricter policy.
cat failsafe_context
system_r:unconfined_t
When
run_init
executes a script in
/etc/rc.d/
, this is the context that
run_init
transitions
to before running the script. This way, the context executing the scripts is the same as when they
are executed by
init
.
cat initrc_context
user_u:system_r:unconfined_t
These are the default contexts applied to different media types, for example, when they are
mounted on
/media
:
cat media
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t
This context covers removable media types, such as USB flash storage devices:
cat removable_context
system_u:object_r:removable_t
The
root_default_contexts
allows login to root to be different than login to a normal user:
cat root_default_contexts
system_r:unconfined_t
system_r:unconfined_t
This is the context
userhelper
transitions to before executing the application that requires the
privilege escalation:
cat userhelper_context






footer




 

 

 

 

 Home | About Us | Network | Services | Support | FAQ | Control Panel | Order Online | Sitemap | Contact

adult web hosting

 

Our partners: PHP: Hypertext Preprocessor Best Web Hosting Java Web Hosting Inexpensive Web Hosting  Jsp Web Hosting

Cheapest Web Hosting Jsp Hosting Cheap Hosting

Visionwebhosting.net Business web hosting division of Web Design Plus. All rights reserved