next up previous contents
Next: User Program Domains Up: Domains Previous: Every Domain   Contents


System Domains

The domains/system subdirectory contains a separate file for each domain used for a system process.

The kernel_t domain (kernel.te) is the domain of process 0 and the kernel threads started by it. No domain can transition to this domain. This domain is granted permissions for mounting and unmounting file systems and for searching the persistent label mapping. This domain automatically transitions to the init_t domain upon executing the init program.

The kernel_t domain is also used as the target type when checking permissions in the system class. This second use of kernel_t could be dropped: the system permissions appear to have been superseded by the capability permissions, so they can probably be removed entirely. If the system permissions are retained, the calling process's own domain could be used as the target type instead, as is already done for the capability permissions.

The kmod_t domain (kmod.te) is the domain of the kernel module loader. No domain can transition to this domain, so it can only be entered by the kernel. This domain can use the sys_module capability. It can execute modprobe, insmod, and shell commands from conf.modules. It can read conf.modules, modules.dep, and the module object files. It can signal any domain so that any process can wait on a kernel module loader thread.

The init_t domain (init.te) is the domain of the init process. Only the kernel_t domain can transition to this domain. The init_exec_t type is the type of the entry point executable for this domain. The initctl_t type is the type for /dev/initctl, a named pipe created by init for receiving communications. The sulogin_exec_t type is the type of the sulogin program used for authentication for single-user mode. The init_t domain can create /dev/initctl and /etc/ioctl.save. It can also modify utmp and wtmp. This domain can directly run the update program. All processes can be killed by this domain. It automatically transitions to initrc_t when it executes one of the rc scripts. It automatically transitions to getty_t when it executes getty. It automatically transitions to sysadm_t when it executes a shell or the sulogin program for single-user mode.

The getty_t domain (getty.te) is the domain of getty. Only the init_t domain is allowed to transition to this domain. The getty_exec_t type is the type of the entry point executable for this domain. The getty_tmp_t type is the type of temporary files created by this domain. This domain can update utmp and wtmp. It transitions to the local_login_t domain when it executes the login program.

The initrc_t domain (initrc.te) is the domain of the system rc scripts. Only the init_t domain can transition to this domain. The initrc_exec_t type is the type of the entry point executable for this domain. The initrc_tmp_t type is the type of temporary files created by this domain. The initrc_var_run_t type is the type of files created in /var/run by this domain.

The initrc_t domain can execute a variety of system programs, other rc scripts, and telinit. It can communicate with the init_t domain through /dev/initctl. It can examine all processes in procfs and send signals to any process. It can mount and unmount file systems of any type and configure any network interface. It can create various system runtime files. It can read and unlink PID files. This domain can set values in /proc/sys. It can use the network.

The initrc_t domain transitions to a corresponding daemon domain when it executes each system daemon. It transitions to the corresponding module utility domain when it executes a module utility. It transitions to the fsadm_t domain when it executes fsck and swapon. It transitions to the ifconfig_t domain when it executes ifconfig.

The klogd_t domain (klogd.te) is the domain of the kernel log daemon. Only the initrc_t domain can transition to this domain. The klogd_exec_t type is the type of the entry point executable for this domain. The klogd_tmp_t type is the type of temporary files created by this domain. The klogd_var_run_t type is the type of files created in /var/run by this domain. This domain can read /proc/kmsg and /dev/mem.

The syslogd_t domain (syslogd.te) is the domain of the system log daemon. Only the initrc_t domain can transition to this domain. The syslogd_exec_t type is the type of the entry point executable for this domain. The syslogd_tmp_t type is the type of temporary files created by this domain. The syslogd_var_run_t type is the type of files created in /var/run by this domain. The devlog_t type is used for /dev/log, a Unix domain socket created by syslogd for receiving log messages. Domains with the privlog attribute can read and write this socket and can communicate with syslogd. The syslogd_t domain can modify log files. It can create and bind to /dev/log.

The crond_t domain (crond.te) is the domain of a daemon used to run scheduled commands. Only the initrc_t domain can transition to this domain. The crond_exec_t type is the type of the entry point executable for this domain. The crond_tmp_t type is the type of temporary files created by this domain. The crond_var_run_t type is the type of files created in /var/run by this domain. The cron_log_t type is the type of the cron log file. This domain can read from /var/spool/cron and it can read system and user crontab files. This domain transitions to user_mail_t when it executes sendmail for mailing output from cron jobs.

The crond program was changed to transition to a default security context for each user before executing any jobs for the user. The cron security contexts are specified in the /etc/security/cron_context file. The domains for these security contexts can be defined using the crond_domain macro from crond.te. This macro defines a derived domain for a user domain that can be used for cron jobs created by users in that domain. The use of a derived domain allows the policy to grant different permissions to user cron jobs than to an interactive user session.

Since crontab files are not directly executed, crond must ensure that the crontab file has a context that is appropriate for the context of the user cron job. The crond program was changed to perform an entrypoint permission check for this purpose. User crontab files are typed based on the domain that ran the crontab program. The domains defined by crond_domain are granted entrypoint permission to this type.

A system_crond_t domain is defined for system cron jobs to separate the permissions needed by system cron jobs from the permissions needed by the daemon itself. This domain is specified in the /etc/security/cron_context file for the system_u user. The system_crond_script_t type is used for system crontab files, and the system_crond_t domain is granted entrypoint permission to this type. This domain transitions to rmmod_t when it executes rmmod for /etc/cron.d/kmod. It transitions to logrotate_t when it executes logrotate.
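The two checks described above (pick the job context for the user from the cron_context file, then verify that the crontab file is an entry point for that job domain even though it is never executed) are modelled below as an added illustration. This is not crond's code or the policy's; the line format of /etc/security/cron_context, the names of the derived user cron domains (user_crond_t, sysadm_crond_t) and of the user crontab types (user_cron_spool_t, sysadm_cron_spool_t) are assumptions, while system_crond_t and system_crond_script_t are the names used on this page. The sample spool entries are constructed.

```python
# Model of the checks the modified crond makes before running a job.  Added
# illustration, not crond's own code or the policy's.  Assumed (not on the
# page): cron_context holds one "<selinux user> <context>" pair per line, the
# derived job domains are user_crond_t / sysadm_crond_t, and the user crontab
# types are user_cron_spool_t / sysadm_cron_spool_t.

CRON_CONTEXT_FILE = """\
# constructed sample of /etc/security/cron_context (format assumed)
system_u  system_u:system_r:system_crond_t
user_u    user_u:user_r:user_crond_t
sysadm_u  sysadm_u:sysadm_r:sysadm_crond_t
"""

# Subset of the policy reconstructed from the prose: crond_t may transition to
# each job domain (system_crond_t plus the crond_domain-derived domains) ...
PROCESS_TRANSITION = {
    ("crond_t", "system_crond_t"),
    ("crond_t", "user_crond_t"),
    ("crond_t", "sysadm_crond_t"),
}
# ... and each job domain has entrypoint permission only to the crontab type
# written by the matching user domain (or the system crontab type).
FILE_ENTRYPOINT = {
    ("system_crond_t", "system_crond_script_t"),
    ("user_crond_t", "user_cron_spool_t"),
    ("sysadm_crond_t", "sysadm_cron_spool_t"),
}


def parse_cron_context(text):
    """Map SELinux user -> default job context, skipping blank and comment lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, context = line.split()
        table[user] = context
    return table


def domain_of(context):
    """Type field of a user:role:type security context."""
    return context.split(":")[2]


def job_context(table, selinux_user, crontab_type):
    """Context to run this user's jobs in, after the checks crond must make.

    The crontab file is only read, never executed, so no exec-time check would
    ever confirm it is a legitimate entry point of the job domain; crond asks
    that question itself.  Returns the context or raises PermissionError."""
    if selinux_user not in table:
        raise PermissionError(f"no cron context configured for {selinux_user}")
    context = table[selinux_user]
    job_domain = domain_of(context)
    if ("crond_t", job_domain) not in PROCESS_TRANSITION:
        raise PermissionError(f"crond_t may not transition to {job_domain}")
    if (job_domain, crontab_type) not in FILE_ENTRYPOINT:
        raise PermissionError(
            f"{crontab_type} is not an entry point of {job_domain}; job refused")
    return context


def run_jobs(spool):
    """spool: (selinux_user, crontab_type) pairs as crond would find them in
    /var/spool/cron.  Returns (jobs accepted, jobs refused) for inspection."""
    table = parse_cron_context(CRON_CONTEXT_FILE)
    ran, refused = [], []
    for user, ctype in spool:
        try:
            ran.append((user, job_context(table, user, ctype)))
        except PermissionError as err:
            refused.append((user, str(err)))
    return ran, refused


if __name__ == "__main__":
    sample = [                                     # constructed spool contents
        ("system_u", "system_crond_script_t"),     # system crontab
        ("user_u", "user_cron_spool_t"),           # crontab written from user_t
        ("sysadm_u", "user_cron_spool_t"),         # user-written file under an admin's name
        ("guest_u", "user_cron_spool_t"),          # no context configured
    ]
    accepted, rejected = run_jobs(sample)
    for entry in accepted:
        print("run     ", entry)
    for entry in rejected:
        print("refused ", entry)
```

The third sample entry is the case the entrypoint check exists for: a crontab labelled with the type that user_t writes has turned up under an administrator's spool entry, and without the check crond would happily run it as sysadm_crond_t. Ownership of the spool file is not consulted at all; only the label and the policy decide.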

The atd_t domain (atd.te) is the domain of another daemon that runs scheduled commands. Only the initrc_t domain can transition to this domain. The atd_exec_t type is the type of the entry point executable for this domain. The atd_tmp_t type is the type of temporary files created by this domain. The atd_var_run_t type is the type of files created in /var/run by this domain. Currently, this domain can read and write /var/spool/at. A separate type will be defined for /var/spool/at/spool, which is used for output from the jobs. This domain and program will be revised in a similar manner to crond_t.

The sendmail_t domain (sendmail.te) is the domain of the mail daemon. Only the initrc_t domain can transition to this domain. The sendmail_exec_t type is the type of the entry point executable for this domain. The sendmail_tmp_t type is the type of temporary files created by this domain. The sendmail_var_run_t type is the type of files created in /var/run by this domain. The sendmail_var_log_t type is the type of files created in /var/log by this domain. The sendmail_t domain can use the network and can bind to the SMTP port. It can write to the aliases database, /etc/mail, the mail spool directory, and the mail queue directory. The sendmail program is being analyzed to determine appropriate control points to insert transitions to derived domains for users so that its privileges are properly limited when acting on behalf of users.

The lpd_t domain (lpd.te) is the domain of the printer daemon. Only the initrc_t domain can transition to this domain. The lpd_exec_t type is the type of the entry point executable for this domain. The lpd_tmp_t type is the type of temporary files created by this domain. The printer_t type is used to control access to /dev/printer, a Unix domain socket created by lpd. This domain can use the network and bind to the network printer port. This domain can read and write /var/spool/lpd. Currently, this domain can directly execute filters in the spool directory or in system program directories. It may be desirable to transition to a separate domain when executing filters. For local printing, permissions will need to be added to local printer devices.

Since the lpr command can be invoked so that it places a symbolic link to the file in the spool directory rather than a copy of it, the lpd_t domain will either need to be granted permission to read a variety of file types or it will need to transition to a default security context for the user before reading the file. The existing lpd program attempts to prevent abuse of its superuser privileges by checking that the device and inode number of the file the link resolves to at print time match those recorded when lpr created the link. However, this does not guarantee that the file is the same: an inode number is reused by the file system once the original file has been deleted, so a matching pair only shows that some file currently carries those numbers.

The gpm_t domain (gpm.te) is the domain of the console mouse server. Only the initrc_t domain can transition to this domain. The gpm_exec_t type is the type of the entry point executable for this domain. The gpm_tmp_t type is the type of temporary files created by this domain. The gpm_var_run_t type is the type of files created in /var/run by this domain. The gpmctl_t type is used for /dev/gpmctl, a Unix domain socket created by gpm for communications. This domain can create and bind to /dev/gpmctl. It can access /dev/psaux. Permissions are not yet defined to allow client domains to communicate with this domain.

The xfs_t domain (xfs.te) is the domain of the X font server. Only the initrc_t domain can transition to this domain. The xfs_exec_t type is the type of the entry point executable for this domain. The xfs_tmp_t type is the type of temporary files created by this domain. This domain can create and bind to sockets in /tmp/.font-unix. The X server program domains can communicate with this domain.

The apmd_t domain (apmd.te) is the domain of the apmd daemon. Only the initrc_t domain can transition to this domain. The apmd_exec_t type is the type of the entry point executable for this domain. The apmd_var_run_t type is the type of files created in /var/run by this domain. The apm_bios_t type is the type of /dev/apm_bios. This domain can access /dev/apm_bios.

The cardmgr_t domain (cardmgr.te) is the domain of the cardmgr daemon. Only the initrc_t domain can transition to this domain. The cardmgr_exec_t type is the type of the entry point executable for this domain. The cardmgr_var_run_t type is the type of files created in /var/run by this domain. The cardmgr_dev_t type is the type of character devices created by this domain in /tmp. The cardmgr_lnk_t type is the type of symbolic links created by this domain in /dev. This domain can execute a shell and system programs. It can transition to the insmod_t domain and the rmmod_t domain by executing the corresponding module utility. It can transition to the ifconfig_t domain by executing the ifconfig program. This domain requires further review.

The inetd_t domain (inetd.te) is the domain of the Internet superserver. Only the initrc_t domain can transition to this domain. The inetd_exec_t type is the type of the entry point executable for this domain. The inetd_tmp_t type is the type of temporary files created by this domain. The inetd_var_run_t type is the type of files created in /var/run by this domain. This domain can use the network and can bind to a variety of port numbers. It transitions to the tcpd_t domain when it executes tcpd. It transitions to the inetd_child_t domain when it executes other daemons.

The inetd_child_t domain (inetd.te) is a general domain for daemons started by inetd or tcpd that do not have their own individual domains yet. Either inetd_t or tcpd_t can transition to this domain. The inetd_child_exec_t type is the type of the entry point executable for this domain. The inetd_child_tmp_t type is the type of temporary files created by this domain. The inetd_child_var_run_t type is the type of files created in /var/run by this domain. This domain is only a stub.

The tcpd_t domain (tcpd.te) is the domain of the TCP wrapper daemon. Only the inetd_t domain can transition to this domain. The tcpd_exec_t type is the type of the entry point executable for this domain. The tcpd_tmp_t type is the type of temporary files created by this domain. This domain can use the network and can use TCP sockets inherited from inetd_t. It transitions to the rlogind_t domain when it executes rlogind or telnetd. It transitions to the rshd_t domain when it executes rshd. It transitions to the ftpd_t domain when it executes ftpd. It transitions to the inetd_child_t domain when it executes other daemons.

The rlogind_t domain (rlogind.te) is the domain of the daemons for telnet and remote login. Only the tcpd_t domain can transition to this domain. The rlogind_exec_t type is the type of the entry point executable for this domain. The rlogind_tmp_t type is the type of temporary files created by this domain. This domain can use the network and can use TCP sockets inherited from inetd_t. It can create ptys. It can modify utmp and wtmp. It transitions to the remote_login_t domain when it executes login.

The rshd_t domain (rshd.te) is the domain of the rshd daemon. Only the tcpd_t domain can transition to this domain. The rshd_exec_t type is the type of the entry point executable for this domain. This domain can use the network and can use TCP sockets inherited from inetd_t. The rshd program was modified to read an initial security context for the user from a /etc/security/rsh_contexts configuration file and to run the shell with this security context. It can only transition to the user_t domain, so it cannot be used to enter an administrator domain. This restriction prevents entry to an administrator domain without authentication.

The ftpd_t domain (ftpd.te) is the domain of the ftpd daemon. Only the tcpd_t domain can transition to this domain. The ftpd_exec_t type is the type of the entry point executable for this domain. The ftpd_var_run_t type is the type of files created in /var/run by this domain. This domain can use the network and can use TCP sockets inherited from inetd_t. The ftpd program is being modified to transition to a configurable security context for the user after the user has been authenticated. The ftpd_domain macro is used to define derived domains for user ftp sessions.

The ypbind_t domain (ypbind.te) is the domain of the NIS binding daemon. The portmap_t domain is the domain of a daemon that maps RPC program numbers to port numbers. The rpcd_t domain is a general domain for other RPC daemons. Only the initrc_t domain can transition to these domains. These daemons have not yet been studied for proper permissions.

The local_login_t domain (login.te) is a domain for local logins. Only the getty_t domain can transition to this domain. The login_exec_t type is the type of the entry point executable for this domain. The local_login_tmp_t type is the type of temporary files created by this domain. This domain can use the network to perform NIS lookups. It can read and write utmp, wtmp, and lastlog. It can search the mail spool directory so that it can check for mail for the user. It can transition to any of the domains for user login sessions when it executes a shell. By default, it automatically transitions to the user_t domain when it executes a shell.

The login program was modified to provide a default login context for each user and to allow the user to specify a different context for the login session. The login program was also changed to relabel the user terminal with a security context derived from the user's security context. The pam_console module still needs to be modified to relabel other devices accordingly.

The remote_login_t domain (login.te) is a domain for remote logins. Only the rlogind_t domain can transition to this domain. This domain differs from local_login_t in a few respects. The remote_login_tmp_t type is the type of temporary files created by this domain. This domain can use ptys created by rlogind. It can only transition to the user_t domain, so it cannot be used to enter an administrator domain. This restriction prevents unauthenticated remote logins by administrators via .rhosts files. A separate newrole program was added to support changing from user_t to sysadm_t after authenticating, so that remote users can still enter the administrator domain after login.
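The transitions catalogued on this page, from the init chain (kernel_t to init_t, init_t to initrc_t, getty_t and sysadm_t, initrc_t to the daemon domains, getty_t to local_login_t) through to the login restriction just described (remote_login_t and rshd_t may only reach user_t, while local_login_t may enter sysadm_t), all rest on one decision: a process in domain A may execute a file of type T and end up in domain B only if A may execute T, A may transition to B, and T is an entry point of B, with a type_transition rule supplying B as the default when the program does not choose one itself. The block below models that decision over a hand-built subset of the policy; it is an added illustration, not kernel or policy code, the rules are reconstructed from the prose, and shell_exec_t and the rshd-to-user_t path via a shell are assumed names.

```python
# Model of the Flask/SELinux process-transition decision over the system
# domains described on this page.  Added illustration, not kernel or policy
# code: the rules below are reconstructed from the prose; shell_exec_t is an
# assumed type name.

from collections import defaultdict


class Policy:
    """Just enough allow and type_transition rules to evaluate an execve."""

    def __init__(self):
        self.allow = defaultdict(set)   # (source, target, class) -> permissions
        self.trans = {}                 # (source domain, exec type) -> default new domain

    def permitted(self, src, tgt, cls, perm):
        return perm in self.allow[(src, tgt, cls)]

    def domain_trans(self, src, exec_type, new):
        """The three permissions every domain transition needs: the caller may
        execute the file, the caller may transition to the new domain, and the
        file is an entry point of the new domain."""
        self.allow[(src, exec_type, "file")].add("execute")
        self.allow[(src, new, "process")].add("transition")
        self.allow[(new, exec_type, "file")].add("entrypoint")

    def domain_auto_trans(self, src, exec_type, new):
        """domain_trans plus a type_transition, making the change the default."""
        self.domain_trans(src, exec_type, new)
        self.trans[(src, exec_type)] = new

    def can_exec(self, src, exec_type):
        """Run the file without leaving src (execute + execute_no_trans)."""
        self.allow[(src, exec_type, "file")].update({"execute", "execute_no_trans"})


def exec_decision(policy, src, exec_type, requested=None):
    """Decide an execve by a process in `src` of a file of type `exec_type`.

    `requested` models a program that sets the context for its next exec
    explicitly, as the modified login and rshd do; otherwise the new domain is
    the type_transition default, or src itself.  Returns (new_domain, None)
    when allowed, or (None, reason) when denied."""
    if not policy.permitted(src, exec_type, "file", "execute"):
        return None, f"{src} may not execute {exec_type}"
    new = requested or policy.trans.get((src, exec_type), src)
    if new == src:
        if not policy.permitted(src, exec_type, "file", "execute_no_trans"):
            return None, f"{src} may not run {exec_type} without a transition"
        return src, None
    if not policy.permitted(src, new, "process", "transition"):
        return None, f"{src} may not transition to {new}"
    if not policy.permitted(new, exec_type, "file", "entrypoint"):
        return None, f"{exec_type} is not an entry point of {new}"
    return new, None


def entered_from(policy, domain):
    """Domains holding process:transition permission to `domain` (empty for kernel_t)."""
    return {s for (s, t, c) in policy.allow
            if c == "process" and t == domain and "transition" in policy.allow[(s, t, c)]}


def build_policy():
    p = Policy()
    p.domain_auto_trans("kernel_t", "init_exec_t", "init_t")
    p.domain_auto_trans("init_t", "initrc_exec_t", "initrc_t")
    p.domain_auto_trans("init_t", "getty_exec_t", "getty_t")
    p.domain_auto_trans("init_t", "sulogin_exec_t", "sysadm_t")
    p.domain_auto_trans("init_t", "shell_exec_t", "sysadm_t")
    p.domain_auto_trans("initrc_t", "syslogd_exec_t", "syslogd_t")
    p.domain_auto_trans("initrc_t", "crond_exec_t", "crond_t")
    p.can_exec("initrc_t", "shell_exec_t")        # rc scripts run the shell in place
    p.domain_auto_trans("getty_t", "login_exec_t", "local_login_t")
    p.domain_auto_trans("tcpd_t", "rlogind_exec_t", "rlogind_t")
    p.domain_auto_trans("tcpd_t", "rshd_exec_t", "rshd_t")
    p.domain_auto_trans("rlogind_t", "login_exec_t", "remote_login_t")
    # login and rshd choose the session domain themselves: every path defaults
    # to user_t, and only local_login_t is also allowed to reach sysadm_t
    for entry in ("local_login_t", "remote_login_t", "rshd_t"):
        p.domain_auto_trans(entry, "shell_exec_t", "user_t")
    p.domain_trans("local_login_t", "shell_exec_t", "sysadm_t")
    return p


if __name__ == "__main__":
    pol = build_policy()
    for src, exe, want in [("kernel_t", "init_exec_t", None),
                           ("local_login_t", "shell_exec_t", "sysadm_t"),
                           ("remote_login_t", "shell_exec_t", "sysadm_t")]:
        print(src, exe, want or "(default)", "->", exec_decision(pol, src, exe, want))
    print("can enter kernel_t from:", entered_from(pol, "kernel_t") or "nobody")
```

Asking for sysadm_t from remote_login_t fails at the process:transition check, not at the entry point: sysadm_t does have entrypoint permission on the shell, but nothing grants remote_login_t the right to transition there. That is the whole of the restriction the page describes, and entered_from() shows the same property for kernel_t and init_t, which only kernel_t may enter.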

