Chapter 3. Targeted Policy Overview
$SELINUX_SRC/genfs_contexts
As explained in Section 2.4 File System Security Contexts, this file supplies the contexts for
mountpoint labeling, where a mounted file system is given a single, overarching context instead
of an individual context for each file.
$SELINUX_SRC/initial_sid_contexts
These are the security contexts that are applied to the initial SIDs declared in $SELINUX_SRC/flask/initial_sids and are used by the kernel during boot before it has loaded the policy. Refer to Section 2.3 Policy Role in Boot for more information.
$SELINUX_SRC/mls
This file is unused in the targeted policy, but is noteworthy for those interested in MLS security.
Refer to Chapter 9 References for sources of information about MLS.
$SELINUX_SRC/net_contexts
This file has the contexts for network entities, with many declarations within an ifdef statement that depends on the presence of a specific *.te file in $SELINUX_SRC/domains/program/. The syntax looks like this:
portcon protocol { port | port range } type
When invoked, a network context declaration looks like this:
ifdef(`mta.te', `
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
')
...
ifdef(`use_dhcpd', `portcon udp 67 \
system_u:object_r:dhcpd_port_t')
...
# Defaults for reserved ports. Earlier portcon entries take
# precedence; these entries just cover any remaining reserved
# ports not otherwise declared or omitted due to removal of a
# domain.
portcon tcp 1 1023 system_u:object_r:reserved_port_t
portcon udp 1 1023 system_u:object_r:reserved_port_t
...
netifcon eth0 system_u:object_r:netif_eth0_t \
system_u:object_r:unlabeled_t
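The first-match rule stated in the comment above (earlier portcon entries take precedence) is easy to get wrong when a domain's entries are added after the reserved-port fallback. The following Python is an added example, not part of this guide: it parses portcon lines after m4 has expanded the ifdef() wrappers (assumed), resolves the context a port will receive, and flags entries that can never match because an earlier entry already covers them. The sample input is constructed from the excerpt above; the trailing pop_port_t line is a constructed name placed deliberately after the fallback.

```python
import re

# Constructed sample modelled on the net_contexts excerpt above; the m4 ifdef()
# wrappers are assumed already expanded. The last line (pop_port_t is a
# constructed name) sits after the reserved-port fallback and so never matches.
NET_CONTEXTS = """\
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
portcon udp 67 system_u:object_r:dhcpd_port_t
# Defaults for reserved ports. Earlier portcon entries take precedence.
portcon tcp 1 1023 system_u:object_r:reserved_port_t
portcon udp 1 1023 system_u:object_r:reserved_port_t
netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
portcon tcp 110 system_u:object_r:pop_port_t
"""

# portcon <proto> <port | low high> <context>; netifcon lines are skipped.
PORTCON = re.compile(r"^portcon\s+(tcp|udp)\s+(\d+)(?:\s+(\d+))?\s+(\S+)$")

def parse_portcon(text):
    """Return portcon entries as (proto, low, high, context) in file order."""
    entries = []
    for raw in text.splitlines():
        m = PORTCON.match(raw.split("#", 1)[0].strip())  # strip comments
        if m:
            proto, low, high, ctx = m.groups()
            entries.append((proto, int(low), int(high or low), ctx))
    return entries

def port_context(entries, proto, port):
    """First matching entry wins (as the policy comment states); None if none."""
    for p, low, high, ctx in entries:
        if p == proto and low <= port <= high:
            return ctx
    return None

def shadowed_entries(entries):
    """Entries fully covered by an earlier same-protocol entry: never reachable."""
    dead = []
    for i, (p, low, high, ctx) in enumerate(entries):
        if any(q == p and lo <= low and high <= hi for q, lo, hi, _ in entries[:i]):
            dead.append((p, low, high, ctx))
    return dead

if __name__ == "__main__":
    entries = parse_portcon(NET_CONTEXTS)
    print(port_context(entries, "tcp", 80))  # system_u:object_r:reserved_port_t
    print(shadowed_entries(entries))  # [('tcp', 110, 110, 'system_u:object_r:pop_port_t')]
```

Running it over a real expanded net_contexts is the same call with the file's contents in place of the constructed string.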
$SELINUX_SRC/policy.conf
This file is created by m4 during the policy compiling process. It is all of the TE rules from domains/ with the macros expanded, and the result concatenated together. The compilation process is covered in Chapter 7 Compiling SELinux Policy, and you can learn about analyzing the policy using policy.conf in Chapter 6 Tools for Manipulating and Analyzing SELinux.
$SELINUX_SRC/rbac
This file defines which roles are allowed to attain which other roles. Roles are discussed in Section 2.10 SELinux Users and Roles. Note that this file only specifies which roles may transition to which other roles; it does not by itself grant permission to actually change role. These are all the allowed role transitions in the targeted policy:
allow sysadm_r system_r;
allow user_r system_r;
allow user_r sysadm_r;
allow sysadm_r user_r;
allow system_r sysadm_r;