Chapter 3. Targeted Policy Overview
# file_type_auto_trans(creator_domain, parent_directory_type, \
file_type, object_class)
#
# the object class will default to notdevfile_class_set if not
# specified as the fourth parameter
define(`file_type_auto_trans',`
ifelse(`$4', `', `
file_type_trans($1,$2,$3)
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
', `
file_type_trans($1,$2,$3,$4)
type_transition $1 $2:$4 $3;
')dnl end ifelse
')
The file_type_trans macro allows the process to modify the directory and create the file, all with the proper labeling. As with domain_auto_trans, you can specify additional allowed options for use by security-aware applications that can call setexeccon().

The optional fourth parameter, $4, lets you specify a particular file object class. The default is non-device files, notdevfile_class_set().
r_dir_perms, r_file_perms, rw_file_perms, and ra_file_perms

These single-line macros from core_macros.te are used directly in TE rules to group common permission sets, depending on the need to read, write, append, and execute files and directories:
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ read getattr lock search ioctl }')
#
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ read getattr lock ioctl }')
#
# Permissions for reading and writing files and their
# attributes.
#
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
#
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ ioctl read getattr lock append }')
tmp_domain

This macro identifies the domain as needing to be able to create temporary files in /tmp/. A file transition is set up for temporary files created by the domain. A separate temporary type, $1_tmp_t, is declared. This type is used to label temporary files created by the domain so that each domain may only read and write its own temporary files. Additional rules may be written that allow permissions for domains to control temporary files of other domains, such as allowing tmpwatch to clean up /tmp/. Most of the targeted daemons use this macro:
define(`tmp_domain', `
type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
file_type_auto_trans($1_t, tmp_t, $1_tmp_t)
')
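As an added illustration that is not part of the guide, the following Python hand-expands file_type_auto_trans and tmp_domain into the TE lines m4 would produce, and then checks the isolation property tmp_domain is meant to give (each domain transitions only to its own $1_tmp_t). The audit helper, the dhcpd/named sample rules, and the file_type_trans placeholder line are constructed for this example; file_type_trans itself is not defined on this page.

```python
import re

# Hand-expansion of the m4 macros shown above. file_type_trans() is not
# defined on this page, so its allow rules are emitted as a placeholder call.

def file_type_auto_trans(creator, parent, ftype, obj_class=None):
    """Return the TE lines the m4 macro expands to, one per list element."""
    if obj_class is None:
        # ifelse(`$4', `', ...) branch: directories plus all non-device file classes
        return [f"file_type_trans({creator},{parent},{ftype})",
                f"type_transition {creator} {parent}:dir {ftype};",
                f"type_transition {creator} {parent}:notdevfile_class_set {ftype};"]
    return [f"file_type_trans({creator},{parent},{ftype},{obj_class})",
            f"type_transition {creator} {parent}:{obj_class} {ftype};"]

def tmp_domain(prefix, extra=""):
    """Expand tmp_domain($1[, $2]); m4 pastes $2 verbatim after 'tmpfile '."""
    return [f"type {prefix}_tmp_t, file_type, sysadmfile, tmpfile {extra};"] + \
        file_type_auto_trans(f"{prefix}_t", "tmp_t", f"{prefix}_tmp_t")

TT_RE = re.compile(r"^type_transition (\S+) (\S+):(\S+) (\S+);$")

def audit_tmp_transitions(rules):
    """Constructed check: a domain creating under tmp_t must land on its own
    <domain>_tmp_t, otherwise one daemon's temp files carry another's label."""
    offending = []
    for rule in rules:
        m = TT_RE.match(rule)
        if not m or m.group(2) != "tmp_t":
            continue
        creator, target = m.group(1), m.group(4)
        expected = creator[:-2] + "_tmp_t" if creator.endswith("_t") else None
        if target != expected:
            offending.append(rule)
    return offending

if __name__ == "__main__":
    # Constructed sample policy: two daemons plus one mislabelled transition.
    sample = tmp_domain("named") + tmp_domain("dhcpd") + [
        "type_transition dhcpd_t tmp_t:dir named_tmp_t;",
    ]
    print("\n".join(sample))
    print("offending:", audit_tmp_transitions(sample))
```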