next up previous contents
Next: General Types Up: TE Configuration Previous: Rule Macros   Contents


Type Attributes

Each type can have an optional set of attributes associated with it. A type attribute is used to identify a set of types with a similar property. When a type attribute is used in a rule, it is expanded to the set of types that have that attribute. Hence, type attributes can be used to conveniently group types together and express shared properties for all types with the attribute. By prefixing a type attribute with the tilde character (~), a rule can also be applied to all types that do not have the specified attribute. The policy language does not yet support a set difference operator for type attributes, so "all types with attribute A except those with attribute B" cannot be expressed directly.

The domain attribute is used to identify all types that can be used as domains. The TE configuration uses this attribute in rules to grant every domain a standard set of permissions. This attribute is also used in rules to allow certain privileged domains to send signals to all processes and to inspect the procfs entries of all processes. An access vector assertion (a neverallow statement) uses this attribute to verify that only types with the domain attribute can be entered by processes.

The privuser attribute is used to identify all domains that can change their user identity. The privrole attribute is used to identify all domains that can change their role. The privowner attribute is used to identify all domains that can label objects with other user identities. These restrictions are specified in the constraints configuration.

The privlog attribute is used to identify all domains that can communicate with syslogd through its Unix domain socket. This attribute is used in rules that grant the necessary file permissions to the corresponding socket file. It is also used in rules that grant the necessary socket permissions for communicating with syslogd. The privmem attribute is used to identify all domains that can access kernel memory devices. This attribute is used in an assertion that only these domains have read or write access to the memory device type.

The exec_type attribute is used to identify all file types that are used as entry point executables for domains. This attribute is used in the can_exec_any macro to allow general execute access to these programs, although the ability to transition to the corresponding domains is more restricted. It is also used in an access vector assertion to verify that entry point executables can only be modified, deleted, or renamed by administrators.
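The expansion of attributes into sets of types, the complement taken by the tilde prefix, and the way an access vector assertion is checked against the allow rules (the domain, privmem and exec_type assertions described above) can all be shown with a small checker. The following is an added example, not code from this report or from the SELinux policy compiler: it implements only a toy subset of the TE language (attribute and type declarations, allow rules and neverallow assertions, with ~attr, self and * in the source and target positions) and runs it over a constructed policy fragment. Apart from sysadm_t, the type names in the fragment (user_t, syslogd_t, memory_device_t, bin_t, sysadm_exec_t) and the exact assertions are assumptions made for the example, not the real policy's text.

```python
"""Expand type attributes in TE rules and check neverallow assertions.

Added example, not code from the SELinux report or project. The grammar
handled is a deliberately small subset of the TE policy language, and
POLICY is a constructed fragment (type names other than sysadm_t are
assumptions) that follows the attribute usage described in the text.
"""
import re

POLICY = """
attribute domain;
attribute privmem;
attribute file_type;
attribute exec_type;

type sysadm_t, domain, privmem;
type user_t, domain;
type syslogd_t, domain;
type memory_device_t, file_type;
type bin_t, file_type;
type sysadm_exec_t, file_type, exec_type;

# every domain gets a standard set of permissions
allow domain self:process { fork sigchld };
allow domain bin_t:file { read execute };
# only privmem domains may touch kernel memory devices
allow privmem memory_device_t:chr_file { read write };
# assertions, checked against the expanded allow rules
neverallow ~privmem memory_device_t:chr_file { read write };
neverallow domain ~domain:process transition;
neverallow ~sysadm_t exec_type:file { write unlink rename };
"""

RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")


def parse(text):
    """Return (type -> attribute set, declared attributes, rule tuples)."""
    types, attrs, rules = {}, set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("attribute "):
            attrs.add(line[10:].rstrip(";").strip())
        elif line.startswith("type "):
            parts = [p.strip() for p in line[5:].rstrip(";").split(",")]
            undeclared = set(parts[1:]) - attrs   # attributes must be declared first
            if undeclared:
                raise ValueError("undeclared attribute(s): %s" % sorted(undeclared))
            types[parts[0]] = set(parts[1:])
        else:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported statement: " + line)
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, src, tgt, cls, set(perms.strip("{} ").split())))
    return types, attrs, rules


def expand(spec, types, attrs, src=None):
    """Expand a source/target specifier into the concrete set of types.

    A bare name is a type or an attribute (the attribute expands to every
    type carrying it); a leading ~ takes the complement over all declared
    types, the only negation the language offers; `self` is the rule's
    own source type; `*` is every declared type.
    """
    if spec == "*":
        return set(types)
    if spec == "self":
        return {src}
    negate = spec.startswith("~")
    name = spec.lstrip("~")
    if name in types:
        members = {name}
    elif name in attrs:
        members = {t for t, a in types.items() if name in a}
    else:
        raise ValueError("undeclared type or attribute: " + name)
    return set(types) - members if negate else members


def expand_rules(kind, rules, types, attrs):
    """Flatten all rules of one kind into concrete (src, tgt, cls, perm) tuples."""
    out = set()
    for k, src, tgt, cls, perms in rules:
        if k != kind:
            continue
        for s in expand(src, types, attrs):
            for t in expand(tgt, types, attrs, src=s):
                for p in perms:
                    out.add((s, t, cls, p))
    return out


def check_assertions(text):
    """Return the granted permissions that a neverallow assertion forbids."""
    types, attrs, rules = parse(text)
    allowed = expand_rules("allow", rules, types, attrs)
    forbidden = expand_rules("neverallow", rules, types, attrs)
    return sorted(allowed & forbidden)


if __name__ == "__main__":
    for v in check_assertions(POLICY) or ["no assertion violations"]:
        print(v)
```

Appending a rule such as `allow syslogd_t memory_device_t:chr_file read;` to the fragment makes the checker report the offending tuple, because ~privmem expands to every declared type except sysadm_t; appending `allow user_t bin_t:process transition;` trips the domain assertion, since bin_t lacks the domain attribute. Note that the complement is taken over all declared types, not just domains, which is why the real policy pairs a ~attribute with a specific target or class rather than relying on it alone.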

Several attributes are defined to identify all types used for a particular kind of object. For example, the file_type attribute is used to identify all file types, the fs_type attribute is used to identify all file system types, and the netif_type attribute is used to identify all network interface types. These attributes are used in access vector rules such as a rule to allow all file types to be created in a file system type and a rule to allow the initrc scripts to configure all network interfaces.

The pidfile attribute is used to identify all file types that are used as PID files in /var/run. The tmpfile attribute is used to identify all file types that are used as temporary files in one of the tmp directories. The sysadmfile attribute is used to identify file types that are fully accessible by the system administrator domain (sysadm_t).

