8.8 Configuring access control to normal files

8.8.1 allow

1. Syntax
   1. allow filename $\mid$ label [r],[w],[x],[s];
   2. allow directoryname exclusive label;
   3. allow directoryname exclusive -all [r],[w],[x],[s];
2. Meaning
   
   1. Allow operation to file specified by permissions.
   2. This is used things corresponding to SELinux's file_type_auto_trans. The file created under directoryname is identified by the label. To allow access to such file, use allow label [r],[w],[x],[s]. And if you want to protect file that is deleted and re-created(such as /etc/mtab), you have to use this. The label is the same as type in SELinux.
      When converter finds a file(assume the filename is A) has a type that is named label, it includes

      		A   system_u:object_r:label
      

      in generated file_contexts.
      When file does not exist at the time of configuration, and want to protect file that is deleted/re-created, this is useful. For example, files under /var/run, /tmp, /var/log.
   3. This allows to access all files on directoryname that are labeled by allow directoryname exclusive label;.

3. Meaning of permissions ²
   • r(Read)
     Allows to read file
   • w(Write)
     Allows to write,create,delete file. Note that creation of device is not allowed unless allowpriv devcreate is described.
   • x(eXecute)
     Allows to execute file.
   • s(Stat)
     For directory, get contents of directory. For file get attribute(such as last modified) of file.
4. Example
   {
   domain httpd_t;
   ...
   allow /var/www r,s;
   ....
   httpd_t is allowed to read all files and directories under /var/www.
5. Detailed configuration support(version more than 1.3)
   In addition to a s,r,x,w permissions, new permissions o,t,a,c,e can be used. Permission w is devided into those permissions.
   
   • o: Overwrite
     Allows only writing file, not allow create,delete.
   • t: seTattr
     Allow modify attribute of file.
   • a: Append
     Allow append to file.
   • c: Create
     Allow to create file.
   • e: Erase
     Allow to delete file

8.8.2 deny

1. Syntax
   deny filename;
2. Meaning
   In normal domain, this is used to cancel allow. For global domain This is used to explicitly deny the access. See examples below.
3. Example
   1. Example 1
      {
      domain httpd_t;
      ...
      allow /var r,s;
      deny /var/named; ....
      httpd_t is allowed to read /var, but denied to read /var/named.
   2. Example 2
      {
      domain global;
      deny /etc/shadow
      ...
      {
      domain httpd_t;
      ...
      allow /etc r,s;
      ...
      httpd_t is allowed to read under /etc, but denied to access /etc/shadow, because access to /etc/shadow is denied in global. If you have a important file, it is a good idea to describe deny in global.

8.8.3 allowonly

1. Syntax
   allowonly directory name [r],[w],[x],[s];
2. Meaning
   In $allow$ access right is inherited by all sub directories. On the other hand, in allowonly access is granted for files in the directory, not granted for sub directories.
3. Example
   {
   domain httpd_t;
   ...
   allowonly /etc r,s;
   ....
   httpd_t is allowed to read under /etc, but not allowed to access sub directories such as /etc/httpd.

8.8.4 denyonly

1. Syntax
   denyonly directory name;
2. Meaning
   Deny access is granted for files in the directory, not deny access for sub directories.

8.8.5 Priority of allow, allowonly, deny, denyonly

1. For the same directory allow(deny),allowonly(denyonly) in global domain is overwritten by allow(deny),allowonly(denyonly) in normal domain.
   • Ex1)
     In global:allow /usr/ r;
     In a_t domain:allowonly /usr/ w;
     a_t can write to under /usr.
2. When allow or deny exists for the child directory, it overwrites allow for parent directory.
   • Ex)
     In a_t: allow /usr r; allow /usr/local w;
     a_t can read under /usr including sub directories. But it can write under /usr/local.
3. allow or deny for the same directory in the same domain
   OR operation is processed.
   • Ex1)
     {
     domain httpd_t;
     allow /var/www r;
     allow /var/www w;
     httpd_t can read write under /var/www.
   • Ex2)
     {
     domain httpd_t;
     allow /var/www r;
     deny /var/www;
     httpd_t can not access /var/www.

4. More notes about global domain.
   To cancel allow/deny in global domain, allow/deny must be explicitly specified.
   • Ex1)
     In global: deny /etc/shadow;
     If you want a_t domain to read /etc/shadow, you must specify allow a_t /etc/shadow r;.
   • Ex2)
     In global:allow /usr/local r;
     In a_t: allow /usr w;
     a_t can not write under /usr/local. If you want write access to /usr/local, you must specify allow /usr/local w; in a_t..
   • Ex3)
     global: allowonly /usr/local r;
     a_t: allow /usr w;
     a_t is allowonly read for /usr/local.
5. GUI will be useful to know which files a domain can access.

8.8.6 Special files

Access to following files are special.

1. /dev/tty* /dev/pts /dev/ptmx, /dev/vcs*,/dev/vcsa*
   If you write allow for those file, this does nothing. Access control to these files must be done by allowdev.
2. /proc, /sysfs, /selinux, /dev/tmpfs
   Allow to these files do nothing, because these files are mounted on filesystems that do not support xattr. See allowfs. For /selinux see allowpriv getsecurity.