Contents

On-line Guides
All Guides
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems

How To Guides
Xen Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions

 

 

The Guide to Writing SELinux Policy
Prev Home Next

6. System administrator related files


This section will discuss the policies related to the sysadm_r role, i.e., the system administrator. We have already seen how an SE Linux identity can be granted sysadm_r in section 4.1.

6.1 The admin_macros.te file


The admin_macros.te file contains macros for the system administration domains.

----- 

undefine(`admin_domain')
define(`admin_domain',`
# Inherit rules for ordinary users.
user_domain($1)
Define the macro admin_domain and allow it to have the same rules as user_t. $1 in this case would be sysadm.

----- 

allow $1_t policy_config_t:dir { getattr search };
allow $1_t policy_config_t:file getattr;
Allow sysadm_t to getattr (things such as ls -l) and search files and directories under a directory that has a type of policy_config_t.

----- 

allow $1_t kernel_t:system syslog_read;
Allow sysadm_t to read the system logs. kernel_t is the type for the kernel itself. system is the class of the operation, the operation being to read the syslog.

----- 

# Use capabilities other than sys_module.
allow $1_t self:capability ~sys_module;
Allow sysadm_t to use all capabilities apart from sys_module, which is used to load modules.

----- 

# Get security policy decisions.
can_getsecurity($1_t)
If you look at the file core_macros.te (under the macros directory) and search for can_getsecurity, this is what you see: 
# can_getsecurity(domain)
#
# Authorize a domain to get security policy decisions.
#
define(`can_getsecurity',`
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
')
Here, $1 is allowed to read, search and get attributes of a directory of type security_t (your policy source directory). $1 can also get attributes, read and write files in a directory of type security_t. Finally, $1 cancheck context validity, check whether the policy permits the source context to access the target context, compute a context for the labelling of a new object, compute the new context when relabelling an object, and to determine which user contexts can be reached from a given source context.

----- 

# Change system parameters.
can_sysctl($1_t)
sysadm_t is able to modify sysctl parameters, which is basically everything under /proc/sys. If you run the command grep ^type.*sysctl_type policy.conf you'll see the types that have the attribute sysctl_type.

The Guide to Writing SELinux Policy
Prev Home Next

 
 
  Published with kind permission of Faye Coker Design by Interspire