next up previous contents
Next: 8.9 Configuring access control Up: 8 Specification of simplified Previous: 8.7 Configuring domain transition   Contents

Subsections

8.8 Configuring access control to normal files


8.8.1 allow

  1. Syntax
    1. allow filename $\mid$ label [r],[w],[x],[s];
    2. allow directoryname exclusive label;
  2. Meaning
    1. Allow operation to file specified by permissions.
    2. This is used things corresponding to SELinux's file_type_auto_trans. The file created under directoryname is identified by the label. To allow access to such file, use allow label [r],[w],[x],[s]. And if you want to protect file that is deleted and re-created(such as /etc/fstab), you have to use this. The label is the same as type in SELinux.
      When converter finds a file(assume the filename is A) has a type that is named label, it includes
      		A   system_u:object_r:label
      
      in generated file_contexts.
      When file does not exist at the time of configuration, and want to protect file that is deleted/re-created, this is useful. For example, files under /var/run, /tmp, /var/log.

  3. Meaning of permissions 2
  4. Example
    {
    domain httpd_t;
    ...
    allow /var/www r,s;
    ....
    httpd_t is allowed to read all files and directories under /var/www.

8.8.2 deny

  1. Syntax
    deny filename;
  2. Meaning
    In normal domain, this is used to cancel allow. For global domain This is used to explicitly deny the access. See examples below.
  3. Example
    1. Example 1
      {
      domain httpd_t;
      ...
      allow /var r,s;
      deny /var/named; ....
      httpd_t is allowed to read /var, but denied to read /var/named.
    2. Example 2
      {
      domain global;
      deny /etc/shadow
      ...
      {
      domain httpd_t;
      ...
      allow /etc r,s;
      ...
      httpd_t is allowed to read under /etc, but denied to access /etc/shadow, because access to /etc/shadow is denied in global. If you have a important file, it is a good idea to describe deny in global.

8.8.3 allowonly

  1. Syntax
    allowonly directory name [r],[w],[x],[s];
  2. Meaning
    In $allow$ access right is inherited by all sub directories. On the other hand, in allowonly access is granted for files in the directory, not granted for sub directories.
  3. Example
    {
    domain httpd_t;
    ...
    allowonly /etc r,s;
    ....
    httpd_t is allowed to read under /etc, but not allowed to access sub directories such as /etc/httpd.

8.8.4 denyonly

  1. Syntax
    denyonly directory name;
  2. Meaning
    Deny access is granted for files in the directory, not deny access for sub directories.

8.8.5 Priority of allow, allowonly, deny, denyonly

  1. For the same directory allow(deny),allowonly(denyonly) in global domain is overwritten by allow(deny),allowonly(denyonly) in normal domain.
  2. When allow or deny exists for the child directory, it overwrites allow for parent directory.
  3. allow or deny for the same directory in the same domain
    OR operation is processed.

  4. More notes about global domain.
    To cancel allow/deny in global domain, allow/deny must be explicitly specified.
  5. GUI will be useful to know which files a domain can access.

8.8.6 Special files

Access to following files are special.
  1. /dev/tty* /dev/pts /dev/ptmx
    If you write allow for those file, this does nothing. Access control to these files must be done by allowtty and allowpts.
  2. /proc, /sysfs, /selinux, /dev/tmpfs
    Allow to these files do nothing, because these files are mounted on filesystems that do not support xattr. For /proc and /sys see allowproc. For /dev/tmpfs see allowtmpfs, and for /selinux see allowadm.


next up previous contents
Next: 8.9 Configuring access control Up: 8 Specification of simplified Previous: 8.7 Configuring domain transition   Contents
2005-07-19