Policy attributes group together sets of types that share a property, so that a few overarching rules can control all of them at once. The relationship is many-to-many: a type can carry any number of attributes, and an attribute can be associated with any number of types.
The declarations file $SELINUX_SRC/attrib.te is well documented in its comment blocks. The attribute declaration syntax is: attribute <identifier>;
## Samples from $SELINUX_SRC/attrib.te

# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;

# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;
Here are a few noteworthy attributes. Information about these was obtained through policy analysis using apol, part of the setools package. You can read more about this in Section 6.3 Using apol for Policy Analysis.
The purpose of this attribute is to group together the various types associated with the policy for Apache HTTP. Because of the complexity of the httpd configuration, the targeted policy includes Boolean values that allow you to grant blanket permissions for httpd content types. This helps Web applications and built-in scripting, such as PHP for Apache HTTP, to work with the content. The types in this attribute are:
# This is an aliasing relationship
httpd_sys_content_t: httpd_sysadm_content_t, \
    httpd_user_content_t
# These types handle different permission sets for scripts
httpd_sys_script_ro_t
httpd_sys_script_rw_t
httpd_sys_script_ra_t
The first line of the attribute group shows a typealias relationship, which apol prints as the declared type followed by its aliases after the colon: httpd_sysadm_content_t and httpd_user_content_t are aliases of httpd_sys_content_t, so all three names label the same type and carry the same attributes. The remaining three entries are distinct types, each granting scripts a different set of permissions (read-only, read-write, and read-append).
This attribute is for all the types that are assigned to files, making it easier to associate every file type with the various kinds of file system needs. It is also more convenient to allow a specific domain access to all file types by naming file_type than by listing each type. More than 170 types carry the file_type attribute:
...
device_t
xconsole_device_t
file_t
default_t
root_t
mnt_t
home_root_t
lost_found_t
boot_t
system_map_t
boot_runtime_t
tmp_t
etc_t: hotplug_etc_t
shadow_t
ld_so_cache_t
etc_runtime_t
fonts_t
etc_aliases_t
net_conf_t: resolv_conf_t
lib_t
shlib_t
...
The next three attributes, netif_type, port_type, and node_type, relate to network activity by domains. The netif_type attribute identifies the types associated with network interfaces, allowing policy to control sending, receiving, and various other operations on the interface:
netif_t
netif_eth0_t
netif_eth1_t
netif_eth2_t
netif_lo_t
netif_ippp0_t
netif_ipsec0_t
netif_ipsec1_t
netif_ipsec2_t
The port_type attribute is associated with all types that are assigned to port numbers. This lets SELinux control port binding: a daemon can bind to a port only if its domain has a name_bind rule for the type assigned to that port:
dns_port_t
dhcpd_port_t
http_cache_port_t
port_t
reserved_port_t
http_port_t
pxe_port_t
smtp_port_t
mysqld_port_t
rndc_port_t
ntp_port_t
portmap_port_t
postgresql_port_t
snmp_port_t
syslogd_port_t
The node_type attribute is for types assigned to network nodes or hosts, allowing SELinux to control traffic to and from the node.
This attribute identifies all types assigned to file systems, including non-persistent file systems. The fs_type attribute is used in TE rules to allow most domains to obtain overall file system statistics, and to allow a few specific domains to mount any file system. Here are the file system types that are part of fs_type:
devpts_t: sysadm_devpts_t, staff_devpts_t, user_devpts_t
fs_t
eventpollfs_t
futexfs_t
bdev_t
usbfs_t
nfsd_fs_t
rpc_pipefs_t
binfmt_misc_fs_t
tmpfs_t
autofs_t
usbdevfs_t
sysfs_t
iso9660_t
romfs_t
ramfs_t
dosfs_t
cifs_t: sambafs_t
nfs_t
proc_t
security_t
The exec_type attribute groups together all types that are assigned to entry point executables. Any TE rules and assertions that should apply to every entry point executable use this attribute. Here are the types in this attribute:
ls_exec_t
shell_exec_t
httpd_exec_t
httpd_suexec_exec_t
httpd_php_exec_t
httpd_helper_exec_t
dhcpd_exec_t
hotplug_exec_t
initrc_exec_t
run_init_exec_t
init_exec_t
ldconfig_exec_t
mailman_queue_exec_t
mailman_mail_exec_t
mailman_cgi_exec_t
depmod_exec_t
insmod_exec_t
update_modules_exec_t
sendmail_exec_t
mysqld_exec_t
named_exec_t
ndc_exec_t
nscd_exec_t
ntpd_exec_t
ntpdate_exec_t
portmap_exec_t
postgresql_exec_t
rpm_exec_t
snmpd_exec_t
squid_exec_t
syslogd_exec_t
udev_exec_t
udev_helper_exec_t
winbind_exec_t
ypbind_exec_t
This attribute allows for flexibility in choosing a mail transfer agent (MTA) such as sendmail or postfix. Rules written against the attribute allow whichever MTA carries it to perform mail handling and to take tasks from mailman. However, this attribute is not used in the targeted policy, since none of the MTAs are targeted daemons in Red Hat Enterprise Linux 4.
This attribute is for all types that can be assigned to a process. This is the method for identifying what is a domain in SELinux. In other Type Enforcement systems, domains may be implemented separately from types. In SELinux, domains are essentially types with the domain attribute.
This attribute allows you to write rules that apply to all domains, such as allowing init to send signals to all processes. Another example is the following rule, which allows every domain to search directories whose type is var_t or var_run_t, that is, /var and /var/run:
allow domain { var_run_t var_t } : dir search;
Here are the domains covered by this attribute:
unconfined_t: kernel_t, init_t, initrc_t, sysadm_t, rpm_t, \
    rpm_script_t, logrotate_t
mount_t
httpd_t
httpd_sys_script_t
httpd_suexec_t
httpd_php_t
httpd_helper_t
dhcpd_t
ldconfig_t
mailman_queue_t
mailman_mail_t
mailman_cgi_t
system_mail_t
mysqld_t
named_t
ndc_t
nscd_t
ntpd_t
portmap_t
postgresql_t
snmpd_t
squid_t
syslogd_t
winbind_t
ypbind_t
This attribute identifies all the types that are assigned to any of the reserved network ports, that is, ports numbered lower than 1024. The attribute is used to control binding. An example binding rule is followed here by the types that are part of this attribute:
# The allow rule permits the domain portmap_t to bind to a
# port with a type of portmap_port_t, which is one of the
# types identified by the reserved_port_type attribute. The
# dontaudit rule tells SELinux not to log denied attempts by
# portmap_t to bind to any other reserved TCP port; it does
# not grant that access.
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } \
    name_bind;
dontaudit portmap_t reserved_port_type:tcp_socket name_bind;

# Types associated with the reserved_port_type attribute
http_port_t
smtp_port_t
rndc_port_t
ntp_port_t
portmap_port_t
snmp_port_t
syslogd_port_t
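As an added example (not code from the RHEL SELinux Guide, nor from apol or setools), the following Python script parses a constructed attrib.te-style fragment modelled on the declarations and rules quoted above. It builds the many-to-many type/attribute maps described at the start of this section, records typealias declarations the way apol displays them (declared type, then its aliases), and expands allow and dontaudit rules whose operands are attributes such as domain or reserved_port_type into the concrete types they cover. Its decide() function answers the question the portmap_t rules raise: whether an access is allowed and, if not, whether the denial would be logged. The POLICY text, the Policy class and all function names are this example's own, and it accepts only the statement forms used in that fragment.

```python
"""Expand attribute-based SELinux TE rules over a small policy fragment.

Added example: not code from the RHEL SELinux Guide, apol or setools.
Supports only attribute, type, typealias, allow and dontaudit statements
in the forms used in POLICY below; real policy source has many more.
"""
import re
from collections import defaultdict

# Constructed policy fragment modelled on the declarations and rules
# quoted in the text (a subset of the RHEL 4 targeted policy names).
POLICY = """
# The domain attribute identifies every type that can be assigned to a process.
attribute domain;
attribute file_type;
attribute port_type;
attribute reserved_port_type;

type unconfined_t, domain;
typealias unconfined_t alias { kernel_t init_t initrc_t };
type portmap_t, domain;
type httpd_t, domain;
type var_t, file_type;
type var_run_t, file_type;
type portmap_port_t, port_type, reserved_port_type;
type http_port_t, port_type, reserved_port_type;
type mysqld_port_t, port_type;

# Every domain may search /var and /var/run.
allow domain { var_run_t var_t } : dir search;
# portmap_t may bind its own port; denied binds to other reserved TCP
# ports are simply not logged (dontaudit grants nothing).
allow portmap_t portmap_port_t : { udp_socket tcp_socket } name_bind;
dontaudit portmap_t reserved_port_type : tcp_socket name_bind;
"""

# A rule operand: either a braced set or a single identifier.
_SET = r"(\{[^}]*\}|[^\s:{}]+)"


def _names(token):
    """'{ a b }' -> ['a', 'b']; 'a' -> ['a']."""
    return token.strip("{} ").split()


class Policy:
    def __init__(self):
        self.attr_types = defaultdict(set)  # attribute -> types carrying it
        self.type_attrs = defaultdict(set)  # type -> its attributes
        self.aliases = {}                   # alias name -> declared type
        self.rules = []                     # (kind, srcs, tgts, classes, perms)

    def types_with(self, attr):
        return frozenset(self.attr_types[attr])

    def attributes_of(self, t):
        """Attributes of a type, looking through any alias name."""
        return frozenset(self.type_attrs[self.aliases.get(t, t)])

    def resolve(self, name):
        """Concrete types an operand stands for: an attribute expands to
        every type carrying it; an alias maps to its declared type."""
        if name in self.attr_types:
            return set(self.attr_types[name])
        return {self.aliases.get(name, name)}

    def expand(self, rule):
        """Expand one rule into (kind, src, tgt, class, perm) tuples over types."""
        kind, srcs, tgts, classes, perms = rule
        return {(kind, s, t, c, p)
                for name_s in srcs for s in self.resolve(name_s)
                for name_t in tgts for t in self.resolve(name_t)
                for c in classes for p in perms}

    def decide(self, src, tgt, cls, perm):
        """'allowed' if some allow rule covers the access; otherwise report
        whether the denial would appear in the audit log."""
        src, tgt = self.aliases.get(src, src), self.aliases.get(tgt, tgt)
        kinds = {r[0] for r in self.rules
                 if (r[0], src, tgt, cls, perm) in self.expand(r)}
        if "allow" in kinds:
            return "allowed"
        return "denied, not audited" if "dontaudit" in kinds else "denied, audited"


def parse_policy(text):
    pol = Policy()
    text = re.sub(r"#.*", "", text)  # drop comments
    for stmt in (s.strip() for s in text.split(";")):
        if not stmt:
            continue
        kw = stmt.split()[0]
        if kw == "attribute":
            pol.attr_types.setdefault(stmt.split()[1], set())
        elif kw == "type":
            name, *attrs = stmt.replace(",", " ").split()[1:]
            pol.type_attrs[name].update(attrs)
            for a in attrs:
                pol.attr_types[a].add(name)
        elif kw == "typealias":
            m = re.match(r"typealias\s+(\S+)\s+alias\s+" + _SET, stmt)
            for alias in _names(m.group(2)):
                pol.aliases[alias] = m.group(1)
        elif kw in ("allow", "dontaudit"):
            m = re.match(rf"(allow|dontaudit)\s+{_SET}\s+{_SET}\s*:\s*{_SET}\s+{_SET}", stmt)
            pol.rules.append((m.group(1),) + tuple(_names(g) for g in m.groups()[1:]))
        else:
            raise ValueError(f"unsupported statement: {stmt}")
    return pol


if __name__ == "__main__":
    pol = parse_policy(POLICY)
    print("types with domain:", sorted(pol.types_with("domain")))
    print("attributes of portmap_port_t:", sorted(pol.attributes_of("portmap_port_t")))
    for rule in pol.rules:
        print(len(pol.expand(rule)), "concrete rules from", rule[0], rule[1], rule[2])
    for q in [("init_t", "var_run_t", "dir", "search"),
              ("portmap_t", "portmap_port_t", "tcp_socket", "name_bind"),
              ("portmap_t", "http_port_t", "tcp_socket", "name_bind"),
              ("portmap_t", "http_port_t", "udp_socket", "name_bind")]:
        print(q, "->", pol.decide(*q))
```

Two points the expansion makes visible: the single allow rule on domain becomes six concrete permissions (three domains times two directory types), which is why attributes keep a policy of this size readable, and the dontaudit rule changes only what the audit log shows, never the decision, so a portmap_t bind to http_port_t over TCP is still denied, just silently, while the same bind over UDP is denied and logged.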