

Every Domain

The domains/every.te file contains rules that apply to every domain. Each domain can send SIGCHLD to init. Each domain can access other processes in the same domain, e.g. each domain can send any signal to other processes in the same domain. Process-specific files in /proc can be accessed by any process with the same domain. Each domain is allowed to access open file descriptions, pipes, and sockets created by processes in the same domain.

Each domain is allowed to obtain SIDs for security contexts and to obtain the list of active SIDs. Each domain can obtain the security context for any SID.

Each domain can get the attributes for any file system type. Each domain has read access to the procfs types except for the proc_kmsg_t and proc_kcore_t types. Each domain has read access to most of the system file types, e.g. file_t, root_t, usr_t, lib_t, etc. Certain system file types are intentionally excluded from this general read access, such as lost-and-found directories (lost_found_t) and protected spool directories (e.g. cron_spool_t). Each domain can add and remove files from tmp_t directories.

Every domain is granted the ability to execute code from the system shared libraries and to execute the system dynamic loader. Since many domains only require execute access to these types and to their entry point executable, permission to execute other system binary types is not granted to all domains.

Each domain can read and write /dev/tty, /dev/null, and the random number devices. Currently, every domain is also allowed to read and write the console device, but this will be changed to only grant access to those domains that require such access.

Currently, every domain is allowed to create and use NFS files. Every domain is also currently allowed to use the network, bind to port numbers with the default port type, and communicate with portmap. These rules will be replaced with specific rules in the appropriate files granting these permissions to only those domains that require them.
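The grants described above as temporary (console, NFS, default-port bind, portmap) are the ones worth tracking until they are narrowed. The following audit sketch is an added example, not part of the original document or the policy sources. It assumes the rules are written as `allow` statements whose source is a type attribute named `domain`. The sample rules and the type, class and permission names in them are constructed for illustration.

```python
import re

# Constructed sample in TE allow-rule syntax. The type, class and permission
# names are illustrative assumptions, not lines copied from every.te.
SAMPLE_POLICY = """
allow domain init_t:process sigchld;
allow domain self:process signal;
allow domain shlib_t:file { read execute };
allow domain console_device_t:chr_file { read write };
allow domain nfs_t:file { create read write };
allow domain port_t:tcp_socket name_bind;
allow domain portmap_t:udp_socket sendto;
allow sshd_t port_t:tcp_socket name_bind;
"""

# Assumed target types standing in for the grants the text marks as temporary.
TEMPORARY_TARGETS = {
    "console_device_t": "console read/write",
    "nfs_t": "create and use NFS files",
    "port_t": "bind to the default port type",
    "portmap_t": "communicate with portmap",
}

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")

def parse_allow(line):
    """Split one allow rule into (source, target, class, permissions)."""
    m = ALLOW_RE.match(line.strip())
    if not m:
        return None
    src, tgt, cls, perms = m.groups()
    return src, tgt, cls, frozenset(perms.strip("{} ").split())

def audit(policy, attribute="domain"):
    """Return rules that give every domain one of the temporary grants."""
    findings = []
    for line in policy.splitlines():
        rule = parse_allow(line)
        if rule is None:
            continue
        src, tgt, cls, perms = rule
        # Only rules sourced from the all-domains attribute are policy-wide;
        # the same grant on a single domain (sshd_t here) is not flagged.
        if src == attribute and tgt in TEMPORARY_TARGETS:
            findings.append((tgt, cls, sorted(perms), TEMPORARY_TARGETS[tgt]))
    return findings

if __name__ == "__main__":
    for tgt, cls, perms, why in audit(SAMPLE_POLICY):
        print(f"domain -> {tgt}:{cls} {perms}  ({why})")
```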

