Chapter 3. Targeted Policy Overview
daemon_domain, daemon_base_domain, and daemon_core_rules
The macro daemon_domain is in $SELINUX_SRC/macros/global_macros.te, and is common to all of the targeted daemons. The purpose of daemon_domain is to group together permission needs common to all daemons. These needs include creating a process ID (PID) file and running df to check disk usage. In addition, two macros are called, daemon_base_domain and read_locale.
The base common set of type declarations and permissions is defined in daemon_base_domain, which also lets you define a tunable that can disable the domain transition. You invoke one of these tunables when you set the Boolean value that disables the transition to one of the targeted domains, removing SELinux protection from that single daemon. Finally, daemon_core_rules is called. This central macro is where the daemon's top-level domain type ($1_t) and the type of its executable file ($1_exec_t) are declared:
define(`daemon_core_rules', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;
daemon_core_rules gives a daemon the right to inherit and use file descriptors from init, calls the uses_shlib() macro so that the domain can use shared libraries, allows the common forms of signaling a process to itself, and so forth.
can_network
Providing a top-level entry point for common networking policy, this macro appears in $SELINUX_SRC/macros/global_macros.te. A small set of allow rules gives the domain the right to create TCP and UDP sockets and to send and receive through any network interface, to and from any node, on any port. Read permission is granted for files of type net_conf_t, the network configuration files in /etc/ that network daemons need, mainly /etc/resolv.conf:
# can_network(domain)
define(`can_network',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 netif_type:netif { tcp_send udp_send rawip_send };
allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
allow $1 node_type:node { tcp_send udp_send rawip_send };
allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
...
allow $1 net_conf_t:file r_file_perms;
')dnl end can_network definition
The limits on which nodes and ports a given domain may actually use are defined in separate rules. Recall that by default, everything is denied in SELinux. The allow rules above grant only the permission to, for example, make a bind(2) call on the socket; binding to a specific port requires a second authorization. The name_bind permission is granted per domain on the type of the port, so that, for example, named may be allowed by standard Linux permissions to bind to port 22, but SELinux blocks the call and generates an avc: denied message in $AUDIT_LOG. This is because named_t is not allowed name_bind on a port of type ssh_port_t, which is the type of the SSH port.
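To make the two-step port authorization concrete, here is an added Python model; it is not code from the guide or from the policy sources. It reduces the self:tcp_socket and self:udp_socket grants of can_network and the per-domain name_bind rule to a tiny in-memory rule set, evaluates requests with SELinux's default-deny semantics, and parses avc: denied lines of the kind just described into the audit2allow-style rule that would silence them. The types named_t, dns_port_t and ssh_port_t are the real targeted-policy types from this chapter; the rule evaluator is a deliberate simplification (no roles, users, attributes or conditional rules), and the audit lines are constructed for this example in the kernel 2.6-era AVC format.

```python
"""Added example: a toy model of SELinux's two-step port authorization
and a parser for the avc: denied lines it produces. Not from the Red Hat
guide or the policy sources; the audit lines below are constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

# (source type, target type, object class, permission)
Rule = Tuple[str, str, str, str]

# Subset of create_socket_perms from core_macros.te: bind is in it,
# but name_bind on a port type is not.
CREATE_SOCKET_PERMS = {"create", "bind", "connect", "read", "write",
                       "getattr", "setattr", "getopt", "setopt", "shutdown"}


def can_network(domain: str) -> Set[Rule]:
    """Model the self:tcp_socket / self:udp_socket part of can_network($1).
    'self' resolves to the domain itself; no port type is named."""
    return {(domain, domain, cls, perm)
            for cls in ("tcp_socket", "udp_socket")
            for perm in CREATE_SOCKET_PERMS}


def build_policy() -> Set[Rule]:
    """named_t gets generic networking plus name_bind on its own port type only."""
    policy = can_network("named_t")
    policy.add(("named_t", "dns_port_t", "tcp_socket", "name_bind"))
    policy.add(("named_t", "dns_port_t", "udp_socket", "name_bind"))
    return policy


def check(policy: Set[Rule], stype: str, ttype: str, tclass: str, perm: str) -> bool:
    """Default deny: a request succeeds only if an explicit allow rule matches."""
    return (stype, ttype, tclass, perm) in policy


# Kernel 2.6-era AVC message layout as written to $AUDIT_LOG (assumed spacing).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line: str) -> Optional[Dict]:
    """Extract permissions, source/target types and object class from one
    avc: denied line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
    # Contexts look like user:role:type; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def suggest_rule(d: Dict) -> str:
    """audit2allow-style rule that would silence the denial. Review it before
    adding it: letting named_t name_bind ssh_port_t is exactly the
    cross-service binding the per-domain port rules exist to prevent."""
    perms = d["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], p)


def triage(log_text: str, policy: Set[Rule]) -> List[Tuple[str, List[str], str]]:
    """For each denial, list the permissions the policy really lacks and the
    rule audit2allow would propose."""
    out = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        missing = [p for p in d["perms"]
                   if not check(policy, d["stype"], d["ttype"], d["tclass"], p)]
        out.append((d["comm"], missing, suggest_rule(d)))
    return out


# Constructed sample: named (running as root, so DAC allows it) tries port 22.
SAMPLE_AUDIT = """\
audit(1166204064.024:11): avc:  denied  { name_bind } for  pid=2143 comm="named" src=22 scontext=root:system_r:named_t tcontext=system_u:object_r:ssh_port_t tclass=tcp_socket
audit(1166204064.024:11): syscall=102 success=no exit=-13 a0=2 items=0 pid=2143 auid=0 uid=0 gid=25 comm="named" exe="/usr/sbin/named"
"""

if __name__ == "__main__":
    policy = build_policy()
    print("bind(2) on own socket:", check(policy, "named_t", "named_t", "tcp_socket", "bind"))
    print("name_bind dns_port_t: ", check(policy, "named_t", "dns_port_t", "tcp_socket", "name_bind"))
    print("name_bind ssh_port_t: ", check(policy, "named_t", "ssh_port_t", "tcp_socket", "name_bind"))
    for comm, missing, rule in triage(SAMPLE_AUDIT, policy):
        print("%s lacks %s -> %s" % (comm, missing, rule))
```

Running the script shows the point of the paragraph: the bind permission from can_network is present, name_bind on dns_port_t is present, and name_bind on ssh_port_t is absent, so the constructed denial is explained by the missing port rule rather than by can_network. The suggested rule is what audit2allow would print; the right response to this particular denial is to leave named on its own port, not to add the rule.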
can_unix_connect
This popular macro from core_macros.te provides the permission for establishing a UNIX stream connection; $1 is the client domain and $2 the server domain:
# can_unix_connect(client, server)
define(`can_unix_connect',`
allow $1 $2:unix_stream_socket connectto;
')
Its datagram counterpart, can_unix_send(sender, receiver), is defined in the same file and grants allow $1 $2:unix_dgram_socket sendto; instead.