Chapter 2. SELinux Policy Overview

    domain_auto_trans($1, $2_exec_t, $2_t)

Recall that the variables fed into daemon_sub_domain() were httpd_t ($1) and httpd_suexec ($2). When m4 runs, it inputs the parameters in the order received, so $1 becomes httpd_t, $2_exec_t becomes httpd_suexec_exec_t, and $2_t is httpd_suexec_t. Notice that the macro daemon_sub_domain actually calls domain_auto_trans(), which is found in core_macros.te and looks like this:

    define(`domain_auto_trans',`
    domain_trans($1,$2,$3)
    type_transition $1 $2:process $3;
    ')
    ...
    define(`domain_trans',`
    allow $1 $3:process transition;
    ...

There you see the completion of the chain, as domain_trans() is called, and the parameters are fed in to create the rules you are looking for:

    $1 = httpd_t (base input of httpd_t)
    $2 = httpd_suexec_exec_t (base input of httpd_suexec)
    $3 = httpd_suexec_t (base input of httpd_suexec)

    apache.te # feeds 2 variables into
    daemon_sub_domain(httpd_t, httpd_suexec)
    # which calls
    domain_auto_trans($1, $2_exec_t, $2_t) # that associates new vars
    #### $1 = $1, $2_exec_t = $2, $2_t = $3) # and feeds the vars into
    domain_trans($1,$2,$3) # which has
    type_transition $1 $2:process $3; # that expands into
    type_transition httpd_t httpd_suexec_exec_t:process httpd_suexec_t
    # and
    # expands domain_trans()
    allow $1 $3:process transition; # which expands into
    allow httpd_t httpd_suexec_t:process transition;

    # Here is a final association of variables to sources
    allow $1      $3            :process transition;
    allow httpd_t httpd_suexec_t:process transition;
    type_transition $1      $2                 :process $3;
    type_transition httpd_t httpd_suexec_exec_t:process httpd_suexec_t;

2.10. SELinux Users and Roles

Important

Users and roles can play a part in an SELinux policy. However, the greater part of SELinux is Type Enforcement. Additionally, the targeted policy is designed not to utilize users and roles. Every domain in the targeted policy runs in a single role, and TE is used to separate the confined processes from the other processes.
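Returning to the daemon_sub_domain() expansion chain traced before section 2.10: the following is an added example, not code from the guide or from the policy sources, that models m4's positional substitution in Python so you can see which rules one macro call ends up granting. The macro bodies are cut down to the lines the guide quotes, and the expand() and rules() helpers are hypothetical names; this is a simplified model, not m4 itself.

```python
import re

# Macro bodies modelled on the definitions quoted above. The page elides parts
# of them with "...", so only the lines it shows are kept (assumption).
MACROS = {
    "daemon_sub_domain": "domain_auto_trans($1, $2_exec_t, $2_t)",
    "domain_auto_trans": "domain_trans($1,$2,$3)\n"
                         "type_transition $1 $2:process $3;",
    "domain_trans": "allow $1 $3:process transition;",
}

# A call is a known macro name followed by a parenthesised argument list
# that contains no nested parentheses.
CALL = re.compile(r"\b(%s)\(([^()]*)\)" % "|".join(map(re.escape, MACROS)))


def expand(text, trace=None):
    """Expand macro calls until none remain, recording each step in trace."""
    while True:
        call = CALL.search(text)
        if call is None:
            return text
        args = [a.strip() for a in call.group(2).split(",")]

        def positional(ref):
            # $N is replaced textually, so "$2_exec_t" keeps its suffix.
            # A missing argument expands to the empty string, as in m4.
            index = int(ref.group(1)) - 1
            return args[index] if index < len(args) else ""

        body = re.sub(r"\$([1-9])", positional, MACROS[call.group(1)])
        if trace is not None:
            trace.append((call.group(0), body))
        text = text[:call.start()] + body + text[call.end():]


def rules(text):
    """Return the policy statements that a macro call finally produces."""
    return [s.strip() + ";" for s in expand(text).split(";") if s.strip()]


if __name__ == "__main__":
    steps = []
    expand("daemon_sub_domain(httpd_t, httpd_suexec)", steps)
    for call, body in steps:
        print(call, "->", body.replace("\n", " "))
    for rule in rules("daemon_sub_domain(httpd_t, httpd_suexec)"):
        print(rule)
```

Reviewing the final rule list rather than the macro call is what tells you that httpd_t gains the transition permission into httpd_suexec_t.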