Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

The Guide to Writing SELinux Policy
Prev Home Next

6. System administrator related files


This section will discuss the policies related to the sysadm_r role, i.e., the system administrator. We have already seen how an SE Linux identity can be granted sysadm_r in section 4.1.

6.1 The admin_macros.te file


The admin_macros.te file contains macros for the system administration domains.

-----

undefine(`admin_domain')
define(`admin_domain',`
# Inherit rules for ordinary users.
user_domain($1)
Define the macro admin_domain and allow it to have the same rules as user_t. $1 in this case would be sysadm.

-----

allow $1_t policy_config_t:dir { getattr search };
allow $1_t policy_config_t:file getattr;
Allow sysadm_t to getattr (things such as ls -l) and search files and directories under a directory that has a type of policy_config_t.

-----

allow $1_t kernel_t:system syslog_read;
Allow sysadm_t to read the system logs. kernel_t is the type for the kernel itself. system is the class of the operation, the operation being to read the syslog.

-----

# Use capabilities other than sys_module.
allow $1_t self:capability ~sys_module;
Allow sysadm_t to use all capabilities apart from sys_module, which is used to load modules.

-----

# Get security policy decisions.
can_getsecurity($1_t)
If you look at the file core_macros.te (under the macros directory) and search for can_getsecurity, this is what you see:
# can_getsecurity(domain)
#
# Authorize a domain to get security policy decisions.
#
define(`can_getsecurity',`
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
')
Here, $1 is allowed to read, search and get attributes of a directory of type security_t (your policy source directory). $1 can also get attributes, read and write files in a directory of type security_t. Finally, $1 cancheck context validity, check whether the policy permits the source context to access the target context, compute a context for the labelling of a new object, compute the new context when relabelling an object, and to determine which user contexts can be reached from a given source context.

-----

# Change system parameters.
can_sysctl($1_t)
sysadm_t is able to modify sysctl parameters, which is basically everything under /proc/sys. If you run the command grep ^type.*sysctl_type policy.conf you'll see the types that have the attribute sysctl_type.

The Guide to Writing SELinux Policy
Prev Home Next

 
 
  Published with kind permission of Faye Coker Design by Interspire