7.1 allow

1. Syntax
   1. allow filename $\mid$ label [r],[w],[x],[s],[o],[t],[a],[c],[e],[dx];
2. Meaning
   
   1. Allow access to file.
3. Specifying filename
   
   • Wildcard
     For filename directory/* and directory** can be used. For example, /var/* means, all files in /var directory, and /var directory. /var/** means, all files under /var, /var directory and files/dirs in its child,child's child... directories.
   • Home directories
     File name that starts with ~  represents home directory(Not including /root). For example, /public_html means, /home/all users/public_html.
     But in role configuration, it is different, it means home directories for users that can use role.

4. Meaning of permissions.
   • r(Read)
     Allows to read file
   • w(Write)
     Allows to write,create,delete file. Note that creation of device is not allowed unless allowpriv devcreate is described.
   • x(eXecute)
     Allows to execute file.
   • s(Search)
     Search file tree. i.e. Get contents of directory. For file,means nothing.
5. Example
   {
   domain httpd_t;
   ...
   allow /var/www/** r,s;
   ....
   httpd_t is allowed to read all files and directories under /var/www and its children.
6. Detailed configuration support
   In addition to s,r,x,w permissions, permissions o,t,a,c,e can be used. Permission w is divided into those permissions.
   
   • o: Overwrite
     Allows only writing file, not allow create,delete.
   • t: seTattr
     Allow modify attribute of file.
   • a: Append
     Allow append to file.
   • c: Create
     Allow to create file.
   • e: Erase
     Allow to delete file
7. Domain execute permission
   dx permission means Domain Execute. If domain is defined for the program, program is executed in new domain.

   Example:
           {
   	  domain httpd_t;
             program /usr/sbin/httpd;
             allow /var/www/cgi-bin/test.cgi r,s,dx;
           }
           {
   	  domain cgi_t;
             program /var/www/cgi-bin/test.cgi;
             allow ............
           }
   

   In this case, httpd_t domain have dx permission to test.cgi. Domain is defined below. So, test.cgi runs as different domain.
8. Limitation about home-directories
   Deny statement for individual home directory does not work. For example,

   deny /home/ynakam/public_html;
   

   does not work.