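# Declarations for type attributes.
#
# A type attribute can be used to identify a set of types with a similar
# property. Each type can have any number of attributes, and each
# attribute can be associated with any number of types. Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations. Attribute names can then be used throughout
# the configuration to express the set of types that are associated with
# the attribute. Except for the MLS attributes, attributes have no implicit
# meaning to SELinux. The meaning of every other attribute is completely
# defined by its usage within the configuration, so that meaning should be
# documented here in a comment preceding the attribute declaration.
#
# NOTE: several attributes below (the mlstrusted* set, privmem, privmodule,
# auth, auth_write, admin, fs_domain, ...) widen or bypass a mandatory
# control. Adding a type to one of them is a security-relevant change:
# check it against the assertions in assert.te rather than treating the
# attribute as a convenience for rule writers.

# The mlstrustedreader attribute identifies every domain that can
# override the normal MLS restrictions on reading (i.e. domains
# that can read data labeled at a higher MLS level than their own).
# NOTE: this is an MLS bypass; keep the set of such domains minimal
# and review every addition.
attribute mlstrustedreader;

# The mlstrustedwriter attribute identifies every domain that can
# override the normal MLS restrictions on writing (i.e. domains
# that can write down to a lower MLS level).
# NOTE: this is an MLS bypass; keep the set of such domains minimal
# and review every addition.
attribute mlstrustedwriter;

# The mlstrustedobject attribute identifies every type that can
# be accessed without normal MLS restrictions (i.e. processes can
# read or write objects with this type regardless of MLS level).
# Examples: /dev/null, descriptors created by login.
# Because processes at any level may read and write such an object,
# it can carry data between levels; only use this attribute for objects
# that hold no sensitive data (such as /dev/null) or whose sharing is
# otherwise intended.
attribute mlstrustedobject;

#########################
# Attributes for domains:

# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes or permitting all processes
# to read a particular file.

# The privuser attribute identifies every domain that can
# change its SELinux user identity. This attribute is used
# in the constraints configuration. NOTE: This attribute
# is not required for domains that merely change their Linux
# uids; it is only for domains that must change the
# SELinux user identity. Also note that this attribute makes
# no sense without the privrole attribute.

# The privrole attribute identifies every domain that can
# change its SELinux role. This attribute is used in the
# constraints configuration.

# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r, and identity from a user
# identity to system_u. It is used in the constraints configuration.
# Such a domain crosses from the user side of the policy to the system
# side, so it should be reviewed as carefully as privuser/privrole.
attribute priv_system_role;

# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that is not the same as the
# process identity. This attribute is used in the constraints
# configuration.

# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# This attribute is used in the TE rules in
# domains/program/syslogd.te to grant such access.
# XXX As written, privlog is only an optional convenience for domain
# XXX writers: nothing prevents a domain from being granted access to
# XXX syslogd's socket directly. If you want to mandate the use of this
# XXX attribute for every domain that can log, add the corresponding
# XXX assertions to assert.te to enforce that restriction.

# The privmodule attribute identifies every domain that can run
# modprobe. An assertion denies this to every other domain, and an
# allow rule grants it to domains carrying this attribute.
# NOTE: loading a kernel module is code execution in the kernel and so
# bypasses every other control in this policy; keep this set minimal.

# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
# NOTE: a domain with raw access to kernel memory can read or modify
# any kernel or process state, which is equivalent to defeating the
# policy entirely; the assertions exist to keep this set small.

# The privfd attribute identifies every domain whose file
# descriptors should be inheritable widely (e.g. sshd_t and getty_t).
# Descriptors inherited across a domain transition give the child
# domain access to whatever the descriptor is open on, so review what
# a privfd domain leaves open before it executes another domain.

# The privhome attribute identifies every domain that can create files under
# ordinary user home directories with the ordinary user file context (i.e.
# it acts on behalf of a user when writing regular files).

# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
# NOTE: /etc/shadow holds password hashes; grant this attribute only to
# domains that actually authenticate users.

# The auth_write attribute identifies every domain that may be allowed
# write or relabel access to /etc/shadow, but does not grant that access
# (the allow rules must be written per domain). Presumably it exists so
# that assertions can check no other domain has such access; confirm
# against its uses in assert.te.
attribute auth_write;

# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd.
attribute auth_chkpwd;

# The etc_writer attribute identifies every domain that can write to etc_t.
# NOTE: etc_t covers the bulk of the system configuration under /etc, so a
# domain with this attribute can alter how other services are configured.
attribute etc_writer;

# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t. In addition, the admin attribute is permitted write
# access to sysctl_kernel_t.
attribute sysctl_kernel_writer;

# The sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;

# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry. This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care: a rule granting write access to
# sysctl_type also reaches sysctl_kernel_t and sysctl_net_t, which have
# their own narrower writer attributes above. Prefer those for writes.
attribute sysctl_type;

# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.

# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;

# The user_mini_domain attribute is for a small domain that can only be
# used for newrole.
attribute user_mini_domain;

# The mini_pty_type attribute identifies the pty type for the mini domain.
attribute mini_pty_type;

# The server_pty attribute identifies a pty created by a server such as sshd.
attribute server_pty;

# The userpty_type attribute identifies all non-administrative devpts types.
attribute userpty_type;

# The user_tty_type attribute identifies every type for a tty or pty owned
# by an ordinary (non-administrative) user.
attribute user_tty_type;

# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
# applied to all such crond domains.
attribute user_crond_domain;

# The unpriv_userdomain attribute identifies non-administrative user domains
# (by default user_t).
attribute unpriv_userdomain;

# The user_home_dir_type attribute is for the main user home directory of
# unprivileged users.
attribute user_home_dir_type;

# The gphdomain attribute identifies every gnome-pty-helper derived
# domain. It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.

# The fs_domain attribute identifies every domain that may directly access
# a fixed disk.
# NOTE: raw access to the block device reaches every file on the disk
# regardless of its label, so this attribute bypasses all file labeling on
# that filesystem; keep the set of such domains minimal.

############################
# Attributes for file types:

# The file_type attribute identifies all types assigned to files
# in persistent filesystems. It is used in TE rules to permit
# the association of all such file types with persistent filesystem
# types, and to permit certain domains to access all such types.

# The device_type attribute identifies all types assigned to device nodes.
attribute device_type;

# The sysadmfile attribute identifies all types assigned to files
# that should be completely accessible to administrators. It is used
# in TE rules to grant such access for administrator domains.
# A type carrying this attribute is fully exposed to every administrator
# domain; do not put it on types that are meant to be protected even
# from administrators.
attribute sysadmfile;

# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
# any filesystem and to permit most domains to obtain the
# overall filesystem statistics.

# The root_dir_type attribute identifies all types assigned to
# root directories of filesystems (not limited to persistent
# filesystems).
# XXX This attribute was used to grant mountassociate permission,
# XXX but this permission is no longer defined. We can likely
# XXX remove this attribute.
attribute root_dir_type;

# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains. This attribute is
# used in TE rules and assertions that should be applied to all
# such executables.

# The tmpfile attribute identifies all types assigned to temporary
# files. This attribute is used in TE rules to grant certain
# domains the ability to remove all such files (e.g. init, crond).

# The user_tmpfile attribute identifies all types associated with temporary
# files for unpriv_userdomain domains.
attribute user_tmpfile;

# The xserver_tmpfile attribute is for user_xserver_tmp_t and similar types.
attribute xserver_tmpfile;

# The tmpfsfile attribute identifies all types defined for tmpfs
# filesystems.
# It is used in TE rules to grant certain domains the ability to
# access all such files.

# The home_type attribute identifies all types assigned to home
# directories. This attribute is used in TE rules to grant certain
# domains the ability to access all home directory types.

# The home_dir_type attribute is for the main user home directory
# (e.g. /home/user), to distinguish it from its sub-directories. Often
# you want a process to be able to read the user home directory itself
# but not the regular directories under it.
attribute home_dir_type;

# The ttyfile attribute identifies all types assigned to ttys.
# It is used in TE rules to grant certain domains the ability to
# access all such files.

# The ptyfile attribute identifies all types assigned to ptys.
# It is used in TE rules to grant certain domains the ability to
# access all such files.

# The pidfile attribute identifies all types assigned to pid files.
# It is used in TE rules to grant certain domains the ability to
# access all such files.

############################
# Attributes for network types:

# The socket_type attribute identifies all types assigned to
# kernel-created sockets. Ordinary sockets are assigned the
# domain of the creating process.
# XXX This attribute is unused. Remove?
attribute socket_type;

# Identifies all types assigned to port numbers to control binding.

# Identifies all types assigned to network interfaces to control
# operations on the interface (XXX obsolete, not supported via LSM)
# and to control traffic sent or received on the interface.
attribute netif_type;

# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;

# Identifies all types assigned to network nodes/hosts to control
# traffic sent to or received from the node.

# Identifier for log files or directories that only exist for log files.

# Identifier for lock files (/var/lock/*) or directories that only exist for
# lock files.

##############################
# Attributes for security policy types:

# The login_contexts attribute identifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;

# Identifier for a domain used by "sendmail -t" (e.g. user_mail_t,
# sysadm_mail_t, etc.).
attribute user_mail_domain;

# Identifies domains that can transition to system_mail_t.

# Type for non-sysadm home directories.
attribute user_home_type;

# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles, to enable user email to get to the mail
# server.
attribute mta_user_agent;

# For domains that are part of a mail server that deliver messages to the
# user.
attribute mta_delivery_agent;

# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;

# For a mail server process that takes TCP connections on port 25.
attribute mail_server_domain;

# For web clients such as netscape and squid.
attribute web_client_domain;

# For domains that act as D-BUS clients. (Undocumented in the original;
# confirm the intended scope against the rules that use it.)
attribute dbus_client_domain;

# For X Window System server domains.

# For X Window System client domains.

# For X Window System protocol extensions.
attribute xextension;

# For X Window System property types.

# For special files in the home directory.
# This will be used for associating mount points with home directories.
attribute homedirfile;

# For file systems that do not have extended attributes but whose files
# still need a type so that rules can be written for them.
attribute noexattrfile;

# For file types that the user can read.
attribute usercanread;

# For serial device types. (Undocumented in the original; confirm the
# intended scope against the rules that use it.)
attribute serial_device;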