-
Notifications
You must be signed in to change notification settings - Fork 21
CilTeRules
Type enforcement rules define access control privileges for processes.
The typetransition statement defines the behavior for default domain and object transitions.
'''Syntax:'''
(typetransition source target class default)
'''Syntax Explanation:''' typetransition:: The keyword for the typetransition statement. source:: The source domain - a type, typealias or typeattribute. target:: The target type - a type, typealias, or typeattribute. This type is either the entry point type of a new domain or the container type for the object being created. class:: The object class associated with default type. default:: The type of the new domain in a domain transition, or the type to label the new object.
'''Example:'''
(class file (read write execute entry_point)) (type foo) (type bar) (type tmp) (type bar_exec) (type bar_tmp) ; domain transition (typetransition foo bar_exec process bar) ; file transition (typetransition bar tmp file bar_tmp)
The nametypetransition statement, similar to the typetransition statment, defines the behavior for object transitions, but with the additional requirement that the name of the object (e.g. file name, directory name) must match for the object transition to occur.
'''Syntax:'''
(nametypetransition name source target class default)
'''Syntax Explanation:''' nametypetransition:: The keyword for the nametypetransition statement. name:: The last path component of an object. source:: The source domain - a type, typealias or typeattribute. target:: The target type - a type, typealias, or typeattribute. This type is either the entry point type of a new domain or the container type for the object being created. class:: The object class associated with default type. default:: The type of the new domain in a domain transition, or the type to label the new object.
'''Example:'''
(class file (read write execute entry_point)) (type foo) (type bar) (type tmp) (type bar_exec) (type bar_tmp) ; file transition with name requirement (nametypetransition filename.txt bar tmp file bar_tmp)
The typechange statement specifies the default types to be used in relabeling by SELinux-aware applications.
'''Syntax:'''
(typechange source target class default)
'''Syntax Explanation:''' typechange:: The keyword for the typechange statement. source:: The source domain - a type, typealias or typeattribute. target:: The target type - a type, typealias, or typeattribute. This is the type of the file to be relabeled. class:: The object class associated with target type. default:: The type that should be used to relabel the file.
'''Example:'''
(class char (read write)) (type sysadm) (type tty_device) (type sysadm_tty_device) (typechange sysadm tty_device char sysadm_tty_device)
The typemember statement determines the type of a member of a polyinstantiated object.
'''Syntax:'''
(typemember source target class default)
'''Syntax Explanation:''' typemember:: The keyword for the typemember statement. source:: The source domain - a type, typealias or typeattribute. target:: The target type - a type, typealias, or typeattribute. class:: The object class associated with target type. default:: The type of the new object.
'''Example:'''
(class dir (read write)) (type sysadm) (type user_home_dir) (typemember sysadm user_home_dir dir user_home_dir)
The typebounds statement is used to limit the access granted to a type to the access granted to a parent type.
'''Syntax:'''
(typebounds parent child)
'''Syntax Explanation:''' typebounds:: The keyword for the typebounds statement. parent:: The parent or bounding type - a type or typealias. child:: The child or bounded type - a type or typealias.
'''Example:'''
(class file (read write))
(type parent)
(type child)
(type some_file)
(allow parent some_file (file (read))
; This rule is allowed
(allow child some_file (file (read))
; This rule is not allowed
; (allow child some_file (file (write))