Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual page 54

Chapter 3. Targeted Policy Overview

daemon_domain, daemon_base_domain, and daemon_core_rules

The macro daemon_domain is in $SELINUX_SRC/macros/global_macros.te, and is common to all of the targeted daemons. The purpose of daemon_domain is to group together permission needs common to all daemons. These needs include creating a process ID (PID) file and running df to check disk usage. In addition, two macros are called, daemon_base_domain and read_locale.

The base common set of type declarations and permissions is defined in daemon_base_domain and includes allowing you to define a tunable that can disable the domain transition. You invoke one of these tunables when you set the Boolean value to disable the transition to one of the targeted domains, removing SELinux protection from that single daemon. Finally, daemon_core_rules is called.

This central macro is where the daemon's top-level domains and roles are declared:

define(`daemon_core_rules', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;
...

daemon_core_rules gives a daemon the right to inherit and use descriptors from init, calls the uses_shlib() macro for the domain to use shared libraries, allows for common self signaling, and so forth.

can_network

Providing a top-level entry point for common networking policy, this macro appears in $SELINUX_SRC/macros/global_macros.te. One primary allow rule gives the domain access to TCP and UDP sockets to create, send and receive on a network interface from any node on any port. Read permission is granted for network files, which are configuration files in /etc/ that network daemons need, mainly /etc/resolv.conf:

# can_network(domain)
define(`can_network',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 netif_type:netif { tcp_send udp_send rawip_send };
allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
allow $1 node_type:node { tcp_send udp_send rawip_send };
allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
...
allow $1 net_conf_t:file r_file_perms;
')dnl end can_network definition

The limitations on which nodes and ports are allowed by domain are defined in separate rules. Recall that by default, everything is denied in SELinux. The allow rules here grant only the permission to, for example, make a bind(2) call to the socket, but the specific port binding requires another authorization. The permission name_bind to bind to the port is still limited by the domain, so that, for example, named may be allowed by standard Linux permissions to bind to port 22, but SELinux blocks access and generates an avc: denied message in $AUDIT_LOG. This is because named_t is not allowed to bind to a port of type ssh_port_t, which is the type for the SSH port.

can_unix_connect

This popular macro from core_macros.te provides permissions for establishing a UNIX stream connection:

# can_unix_connect(client, server)
define(`can_unix_connect',`
allow $1 $2:unix_stream_socket connectto;
')
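The interplay described above, where can_network grants generic socket permissions through attributes but name_bind on a specific port type still needs its own rule, as an added Python model. This is example code written for this page, not code from the Red Hat guide or from the SELinux policy sources. The attribute membership, the port labels (ssh_port_t on 22, dns_port_t on 53), the abbreviated permission sets standing in for create_socket_perms and r_file_perms, the extra name_bind rule for named_t on dns_port_t, and the shape of the constructed avc: denied line are all assumptions made for the example.

```python
from dataclasses import dataclass

# Attribute membership is assumed for this example; a real policy declares far more types.
ATTRIBUTES = {
    "port_type": {"ssh_port_t", "dns_port_t"},
    "netif_type": {"netif_t"},
    "node_type": {"node_t"},
}

# Which port_type label a port number carries (assumed, in the style of the guide's text).
PORT_LABELS = {22: "ssh_port_t", 53: "dns_port_t"}

# Abbreviated stand-ins for the permission-set macros used by can_network.
CREATE_SOCKET_PERMS = frozenset({"create", "bind", "connect", "read", "write", "getattr", "setopt"})
CREATE_STREAM_SOCKET_PERMS = CREATE_SOCKET_PERMS | {"listen", "accept"}
R_FILE_PERMS = frozenset({"read", "getattr", "lock", "ioctl"})


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str      # a type, an attribute name, or "self"
    tclass: str
    perms: frozenset


def can_network(domain):
    """Rules produced by can_network($1) with $1 := domain (the guide's '...' part omitted)."""
    send = frozenset({"tcp_send", "udp_send", "rawip_send"})
    recv = frozenset({"tcp_recv", "udp_recv", "rawip_recv"})
    rules = [
        AllowRule(domain, "self", "udp_socket", CREATE_SOCKET_PERMS),
        AllowRule(domain, "self", "tcp_socket", CREATE_STREAM_SOCKET_PERMS),
        AllowRule(domain, "netif_type", "netif", send),
        AllowRule(domain, "netif_type", "netif", recv),
        AllowRule(domain, "node_type", "node", send),
        AllowRule(domain, "node_type", "node", recv),
        AllowRule(domain, "net_conf_t", "file", R_FILE_PERMS),
    ]
    # One rule written against the port_type attribute covers both socket classes.
    for tclass in ("tcp_socket", "udp_socket"):
        rules.append(AllowRule(domain, "port_type", tclass, frozenset({"send_msg", "recv_msg"})))
    return rules


class Policy:
    def __init__(self, rules):
        self.rules = list(rules)

    def allowed(self, source, target, tclass, perm):
        """Default deny: True only if some allow rule covers (source, target, class, perm)."""
        for r in self.rules:
            if r.source != source or r.tclass != tclass or perm not in r.perms:
                continue
            members = {source} if r.target == "self" else ATTRIBUTES.get(r.target, {r.target})
            if target in members:
                return True
        return False


def named_policy():
    """can_network(named_t) plus the separate rules that let named bind its own port (assumed)."""
    rules = can_network("named_t")
    rules.append(AllowRule("named_t", "dns_port_t", "tcp_socket", frozenset({"name_bind"})))
    rules.append(AllowRule("named_t", "dns_port_t", "udp_socket", frozenset({"name_bind"})))
    return Policy(rules)


def avc_denied(source, target, tclass, perm, comm, port):
    """A constructed 'avc: denied' line in the shape of the audit messages the guide refers to."""
    return (f"avc:  denied  {{ {perm} }} for  comm=\"{comm}\" src={port} "
            f"scontext=system_u:system_r:{source} tcontext=system_u:object_r:{target} tclass={tclass}")


def try_bind(policy, domain, comm, port, tclass="tcp_socket"):
    """Model bind(2): the generic bind permission comes from the self rule,
    but name_bind must be granted separately for the port's type."""
    if not policy.allowed(domain, domain, tclass, "bind"):
        return avc_denied(domain, domain, tclass, "bind", comm, port)
    port_type = PORT_LABELS.get(port, "port_t")   # unlabelled ports fall back to port_t (assumed)
    if not policy.allowed(domain, port_type, tclass, "name_bind"):
        return avc_denied(domain, port_type, tclass, "name_bind", comm, port)
    return "allowed"


if __name__ == "__main__":
    p = named_policy()
    print("named_t -> port 53:", try_bind(p, "named_t", "named", 53))
    print("named_t -> port 22:", try_bind(p, "named_t", "named", 22))
    # send_msg to ssh_port_t is allowed via the port_type attribute rule even though name_bind is not
    print("send_msg to ssh_port_t:", p.allowed("named_t", "ssh_port_t", "tcp_socket", "send_msg"))
```

Running the script shows the two halves of the guide's point side by side: the bind on port 53 succeeds because of the dns_port_t name_bind rule, while the bind on port 22 produces a name_bind denial against ssh_port_t even though the same domain may send to that port type through the attribute-based rule from can_network.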