Next: User Login Domains Up: Domains Previous: System Domains   Contents


User Program Domains

The domains/program subdirectory contains a separate file for each domain used for a user program.

Types and domains for the privileged module utilities are defined in the modutil.te file. The modules_conf_t type is for the /etc/conf.modules configuration file. The modules_dep_t type is used for the modules.dep files. The modules_object_t type is used for the module object directories and files.

The modprobe_t, depmod_t, insmod_t, and rmmod_t domains are defined for the corresponding utilities, and each domain has a corresponding entry point executable type. The initrc_t and administrator domains can transition to these domains. Both the cardmgr_t domain and the modprobe_t domain can transition to the insmod_t or rmmod_t domains. The crond_t domain can transition to the rmmod_t domain for the /etc/cron.d/kmod crontab file.

The modprobe_t domain can execute shell commands from conf.modules. The depmod_t domain can create modules.dep. The insmod_t and rmmod_t domains can use the sys_module capability.

When executed by the kernel module loader, the modprobe and insmod programs remain in the kmod_t domain. This allows the security policy to distinguish between permissions granted to the kernel module loader and permissions granted to module utilities executed by user processes. For example, the security policy could be configured to prohibit any transitions to the modprobe_t and insmod_t domains while still allowing the kernel module loader to function.

The logrotate_t domain (logrotate.te) is the domain for the logrotate program. Only the system_crond_t domain and the administrator domains can transition to this domain. The logrotate_exec_t type is the type of the entry point executable for this domain. The logrotate_tmp_t type is the type of temporary files created by this domain. This domain can create, rename and truncate log files, and it can set the appropriate security context and Unix ownership. It can read the PID files, search /proc, and signal any domain in order to notify daemons of changes in log files. It can update var_lib_t for /var/lib/logrotate.status. The logrotate program was modified to preserve the security context of log files.
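The rules described above, written out as an added illustrative fragment in the style of the example policy's .te files (this is not the logrotate.te shipped with the policy). The macro names domain_auto_trans, file_type_auto_trans and the *_perms sets, the attributes, and the caller domain sysadm_t standing in for "the administrator domains" are assumed from the example policy's conventions:

```m4
# Added illustrative fragment, not the policy's own logrotate.te.
# Macro and attribute names are assumed from the example policy.

# The domain, its entry point executable, and the roles allowed to use it.
type logrotate_t, domain;
type logrotate_exec_t, file_type, sysadmfile, exec_type;
role system_r types logrotate_t;
role sysadm_r types logrotate_t;

# Temporary files created by the domain get their own type.
type logrotate_tmp_t, file_type, sysadmfile, tmpfile;
file_type_auto_trans(logrotate_t, tmp_t, logrotate_tmp_t)

# Only cron and the administrator domain (sysadm_t assumed here) may enter
# the domain; the transition happens when they execute logrotate_exec_t.
domain_auto_trans(system_crond_t, logrotate_exec_t, logrotate_t)
domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)

# Create, rename and truncate log files, and set their security context
# (relabel permissions) and Unix ownership (chown/fowner capabilities).
allow logrotate_t var_log_t:dir rw_dir_perms;
allow logrotate_t var_log_t:file create_file_perms;
allow logrotate_t var_log_t:file { relabelfrom relabelto };
allow logrotate_t self:capability { chown fowner fsetid dac_override kill };

# Read PID files, search /proc, and signal any domain so daemons reopen
# their rotated logs.
allow logrotate_t var_run_t:dir r_dir_perms;
allow logrotate_t var_run_t:file r_file_perms;
allow logrotate_t proc_t:dir r_dir_perms;
allow logrotate_t proc_t:file r_file_perms;
allow logrotate_t domain:process signal;

# Record rotation state in /var/lib/logrotate.status.
allow logrotate_t var_lib_t:dir rw_dir_perms;
allow logrotate_t var_lib_t:file create_file_perms;
```

Because logrotate_t is reachable only through the two domain_auto_trans rules, a user login domain executing logrotate_exec_t simply fails the transition rather than gaining the log-file and signal permissions.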

The fsadm_t domain (fsadm.te) is the domain for disk and file system administration programs such as fsck and swapon. Only the initrc_t domain and the administrator domains can transition to this domain. The fsadm_exec_t type is the type of the entry point executable for this domain. The fsadm_tmp_t type is the type of temporary files created by this domain. This domain can write to /etc/mtab and it can access the raw disk devices.

The ifconfig_t domain (ifconfig.te) is the domain for the ifconfig program. Only the initrc_t domain, cardmgr_t domain, and the administrator domains can transition to this domain. The ifconfig_exec_t type is the type of the entry point executable for this domain. This domain can use the sys_module capability to load network interface modules and it can configure the network interfaces.

The utempter_t domain (utempter.te) is the domain for the utempter program. Any of the user login domains can transition to this domain. The utempter_exec_t type is the type of the entry point executable for this domain. The utempter_t domain can read and write utmp and wtmp, allowing the utempter program to log the beginnings and ends of user sessions on behalf of the xterm virtual terminal program.

The passwd_t domain (passwd.te) is the domain for changing passwords and other user information. Any of the user login domains can transition to this domain. The passwd_exec_t type is the type of the entry point executable for this domain. This domain can read and write /etc and /etc/auth. It can also test for the existence of a shell and read utmp.

Since the ordinary programs for changing passwords and other user information (passwd, chfn, chsh) allow the superuser to change any user's information, it was necessary to interpose a wrapper program to prevent this behavior, as in [2]. The wrapper programs (spasswd, schfn, schsh) only call the real programs if the Flask user identity of the calling process is the same as the Unix real user identity, and these programs do not pass any arguments to the real programs. These wrapper programs will be changed to pass unprivileged arguments. Since the passwd_t domain can only be entered through the wrapper programs, an unprivileged user login domain cannot bypass the wrapper programs. Administrator domains can directly execute the regular programs and change other users' information as the superuser.

The X server program domains are user_xserver_t and sysadm_xserver_t. These domains are defined using the xserver_domain macro in xserver.te. The xserver_exec_t type is the type of the entry point executable for these domains. The user_xserver_tmp_t and sysadm_xserver_tmp_t types are the types of temporary files created by these domains. Each X server domain can create and bind to a socket in /tmp with the corresponding temporary type. It can connect to the X font server domain. It can receive connections from the corresponding user login domain. Currently, it can read and write memory devices, although the portion of the X server that requires this access should be separated. It can execute a variety of system programs.

The lpr domains are user_lpr_t and sysadm_lpr_t. These domains are defined using the lpr_domain macro in lpr.te. These domains are used for the client printing commands lpr, lpq, and lprm. The lpr_exec_t type is the type of the entry point executable for these domains. The user_lpr_tmp_t and sysadm_lpr_tmp_t types are the types of temporary files created by these domains. Each domain can create spool files with a derived type in /var/spool/lpd. It can connect to lpd and send SIGHUP to the daemon. It can read from pipes created by the user login domain.

The sendmail program domains are user_mail_t and sysadm_mail_t. These domains are defined using the mail_domain macro in mail.te. The sendmail_exec_t type is the type of the entry point executable for these domains. The user_mail_tmp_t and sysadm_mail_tmp_t types are the types of temporary files created by these domains. These domains share many of the same permissions as the sendmail_t system domain. They can also read temporary files created by the user login domain for sending mail and they can write to the user domain's home directory type to create the dead.letter file.

Currently, the mail program does not run in a separate domain from the user login domains, since it does not require any special permissions to access the mail spool files. To prevent the superuser from reading and writing all mail spool files, the individual spool files could be created with a type based on the default login domain for the user. Alternatively, a wrapper for the mail program could be created with its own domain to ensure that the program is only used to access the mail spool file for the Flask user identity.

The gnome-pty-helper program domains are user_gph_t and sysadm_gph_t. These domains are defined using the gph_domain macro in gnome-pty-helper.te. The gph_exec_t type is the type of the entry point executable for these domains. The gnome-pty-helper program creates new pseudo-terminals for instances of the gnome-terminal virtual terminal program running in the user login domains, and logs the beginnings and ends of gnome-terminal sessions to utmp and wtmp. Each of the gnome-pty-helper domains supports this behavior by providing read and write access to the /dev/ptmx device, utmp, and wtmp, and by permitting the passing of open file descriptors to programs in the corresponding user login domains via local socket IPC.

The su domains are user_su_t and sysadm_su_t. These domains are defined using the su_domain macro in su.te. The su_exec_t type is the type of the entry point executable for these domains. Each su domain automatically reverts to the domain of the caller when it executes a shell. It can read the shadow password file for user authentication. It can update the utmp file. It can modify the user's .Xauthority file. Since the su program is most frequently used simply to obtain Unix privileges for administrative tasks by becoming the superuser, it seems to be undesirable to also change the Flask user identity, so only the Unix identity is changed.

The netscape domains are user_netscape_t and sysadm_netscape_t. These domains are defined using the netscape_domain macro in netscape.te. The netscape_exec_t type is the type of the entry point executable for these domains. These domains are limited to writing to a derived type: user_netscape_rw_t and sysadm_netscape_rw_t. The file contexts configuration uses the user_netscape_rw_t type for the .netscape directories, the .mime.types file and the .mailcap file. Users can also apply this type to other files or directories that should be writeable by netscape. These netscape domains are not allowed to read a different derived type: user_netscape_noread_t and sysadm_netscape_noread_t. Users can apply this type to files that should not be readable by netscape.
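The per-role derived-type pattern described above, as an added illustrative macro in the style of the example policy (this is not the netscape_domain macro from netscape.te). The $1 parameter is the role prefix (user or sysadm); the home directory types $1_home_dir_t and $1_home_t, the macros general_domain_access, uses_shlib, can_network, domain_auto_trans and file_type_auto_trans, and the *_perms sets are assumed from the example policy's conventions:

```m4
# Added illustrative macro, not the policy's own netscape_domain.
# Helper macro names and home directory type names are assumed.

# Shared entry point executable type for all netscape domains.
type netscape_exec_t, file_type, sysadmfile, exec_type;

define(`netscape_domain',`
# Derived domain and the role that may run it.
type $1_netscape_t, domain;
role $1_r types $1_netscape_t;
general_domain_access($1_netscape_t)
uses_shlib($1_netscape_t)
can_network($1_netscape_t)

# The login domain $1_t enters the domain by executing netscape_exec_t.
domain_auto_trans($1_t, netscape_exec_t, $1_netscape_t)

# The only home directory type netscape may write; files it creates in the
# home directory are labeled with it automatically.
type $1_netscape_rw_t, file_type, sysadmfile;
allow $1_netscape_t $1_netscape_rw_t:dir create_dir_perms;
allow $1_netscape_t $1_netscape_rw_t:file create_file_perms;
file_type_auto_trans($1_netscape_t, $1_home_dir_t, $1_netscape_rw_t)

# The rest of the home directory is read-only to netscape.
allow $1_netscape_t $1_home_dir_t:dir r_dir_perms;
allow $1_netscape_t $1_home_t:dir r_dir_perms;
allow $1_netscape_t $1_home_t:file r_file_perms;

# The noread type is never granted to the domain; the neverallow assertion
# makes the policy compiler reject any later rule that would grant it.
type $1_netscape_noread_t, file_type, sysadmfile;
neverallow $1_netscape_t $1_netscape_noread_t:file r_file_perms;

# The login domain may relabel its own files to either derived type, which
# is how a user marks files as writable by or hidden from netscape.
allow $1_t { $1_netscape_rw_t $1_netscape_noread_t }:{ dir file } { relabelfrom relabelto };
')

# One instantiation per user role.
netscape_domain(user)
netscape_domain(sysadm)
```

Note that the restriction on $1_netscape_noread_t is enforced by the absence of an allow rule, not by a deny rule; the neverallow only guards against that absence being undone elsewhere in the policy.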

The crontab domains are user_crontab_t and sysadm_crontab_t. These domains are defined using the crontab_domain macro in crontab.te. The crontab_exec_t type is the type of the entry point executable for these domains. The user_cron_spool_t and sysadm_cron_spool_t types are the types for the crontab files created by these domains in /var/spool/cron.

