Next: Rule Macros Up: Global Macros Previous: Global Macros   Contents


Class and Permission Macros

Several macros are defined for groupings of file-related classes. The dir_file_class_set macro expands to the directory class and all of the file classes. The file_class_set macro expands to all file classes. The notdevfile_class_set macro expands to all file classes except for device special files, and the devfile_class_set macro expands to the device special file classes. These macros are used in access vector rules, type transition rules, and access vector assertions in the TE configuration. They are also used in the constraints configuration.

Several macros are defined for groupings of file permissions. The stat_file_perms macro expands to the permissions required to call stat or access on a file. This macro is useful in granting domains the ability to test for the existence of a file or stat files for a directory listing without granting any further accesses.

The x_file_perms, r_file_perms, rx_file_perms and rw_file_perms macros expand to the permissions required to execute a file, read a file, read and execute a file, and read and write a file, respectively. These macros are used to grant domains the ability to use existing files without granting them the ability to create, unlink, or rename them. Since it is desirable to strictly control execute access, file execute permission is only included in the x_file_perms and rx_file_perms macros. A rwx_file_perms macro could be added, but most domains are not allowed to execute programs that they can write. It would be useful to add a ra_file_perms macro to indicate read and append access for append-only files.

The link_file_perms macro expands to permissions for linking, unlinking and renaming a file. This macro allows name space operations to be separately authorized from other operations. The create_file_perms macro expands to permissions for creating, reading, writing, linking, renaming and unlinking a file. This macro does not include file execute permission, since most domains are not allowed to execute programs that they can write. It also does not include permissions for relabeling, since it is desirable to strictly control relabeling operations.
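To make the relationships above concrete, here is an added example (not part of the original document or the policy sources) that models the class-set and file-permission macros as Python sets, expands them in a TE rule the way m4 does at build time, and checks the invariants the text states: execute appears only in x_file_perms and rx_file_perms, no file macro bundles relabeling, and the device and non-device class sets partition file_class_set. The macro bodies are constructed approximations of the example policy's global_macros.te, not definitions quoted from the page.

```python
import re

# Macro bodies below are constructed approximations of global_macros.te,
# not copied from the page; the invariants checked are the ones the text states.
FILE_CLASSES = {"file", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}
DEVFILE_CLASSES = {"chr_file", "blk_file"}

MACROS = {
    "dir_file_class_set": {"dir"} | FILE_CLASSES,
    "file_class_set": FILE_CLASSES,
    "notdevfile_class_set": FILE_CLASSES - DEVFILE_CLASSES,
    "devfile_class_set": DEVFILE_CLASSES,
    "stat_file_perms": {"getattr"},
    "x_file_perms": {"getattr", "execute"},
    "r_file_perms": {"read", "getattr", "lock", "ioctl"},
    "rx_file_perms": {"read", "getattr", "lock", "ioctl", "execute"},
    "rw_file_perms": {"read", "getattr", "lock", "ioctl", "write", "append"},
    "link_file_perms": {"getattr", "link", "unlink", "rename"},
    "create_file_perms": {"create", "ioctl", "read", "getattr", "lock", "write",
                          "setattr", "append", "link", "unlink", "rename"},
}

MACRO_NAME = re.compile(r"\b\w+_(?:perms|class_set)\b")

def expand_rule(rule, macros=MACROS):
    """Expand macro names in a TE rule into brace sets, as m4 does at policy build time."""
    def sub(m):
        name = m.group(0)
        if name not in macros:
            return name  # unknown token: leave it for the policy compiler to reject
        return "{ " + " ".join(sorted(macros[name])) + " }"
    return MACRO_NAME.sub(sub, rule)

def check_invariants(macros=MACROS):
    """Return violations of the properties the text describes; empty list means all hold."""
    problems = []
    for name, perms in macros.items():
        if not name.endswith("_file_perms"):
            continue
        if "execute" in perms and name not in ("x_file_perms", "rx_file_perms"):
            problems.append(f"{name} grants execute")  # execute only in x_/rx_
        if perms & {"relabelfrom", "relabelto"}:
            problems.append(f"{name} grants relabel")  # relabeling is never bundled
    if macros["notdevfile_class_set"] | macros["devfile_class_set"] != macros["file_class_set"]:
        problems.append("notdevfile/devfile class sets do not partition file_class_set")
    if macros["rx_file_perms"] != macros["r_file_perms"] | {"execute"}:
        problems.append("rx_file_perms is not r_file_perms plus execute")
    return problems
```

Running check_invariants() against a locally modified macro table is a cheap way to catch a policy edit that quietly adds execute or relabel permission to a widely used grouping.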

The r_dir_perms, rw_dir_perms, and create_dir_perms macros provide similar expansions for directories. These macros differ in that they use directory-specific permissions such as search, add_name, remove_name, reparent, and rmdir. Directory search permission is included in the macros that permit reading, since search and read access are typically not separated in the policy configuration. It would be useful to add a ra_dir_perms macro to indicate read and add_name access for append-only directories. It might also be useful to add a link_dir_perms macro.

A single macro is currently defined for socket classes. The socket_class_set macro expands to the set of all socket classes. This macro is currently only used in the constraints configuration. It would be useful to add a notrawsocket_class_set macro that only expands to datagram and stream socket classes, since raw sockets should be limited to privileged domains.

The rw_socket_perms and create_socket_perms macros expand to permissions for reading and writing sockets and for creating, reading and writing sockets, respectively. These macros can be used for datagram or raw sockets. The rw_stream_socket_perms and create_stream_socket_perms macros are the equivalent macros for stream sockets. It might be useful to add variants of these macros that are specific to clients and servers.

The inherit_fd_perms macro expands to permissions for inheriting and using an open file description. The most common use of this macro is to grant a domain the ability to inherit and use open file descriptions from the domain that transitioned to it. It is also sometimes necessary to grant these permissions for open file descriptions that are inherited through multiple domain transitions. For example, the rlogind_t domain inherits descriptions created by inetd_t indirectly through tcpd_t. The receive_fd_perms macro expands to permissions for receiving an open file description through local socket IPC and subsequently using it.

The mount_fs_perms macro expands to permissions for mounting and unmounting file systems. The signal_perms macro expands to permissions for sending any signal. The packet_perms macro expands to permissions for sending and receiving network packets. This macro can be used with either the node class or the network interface class.

