8.13 Configuring access control other administrative access rights

allowpriv string;
configures other priveleges.

8.13.1 allowpriv: related to kernel

Configures priviledges to communicate and administrate kernel. For detail of what is granted see allow_admin_xxxx in macros/seedit_macros.te. For example, to analyze what is allowed in allowpriv klog_adm see allow_admin_klog_adm macro.

• Syntax
  allowkernel netlink$\mid$klog_read$\mid$klog_write$\mid$klog_adm$\mid$insmod;
• Meaning
  
  1. netlink
     Allows to communicate with kernel by netlink socket.
  2. klog_read
     Allows to read kernel messages by syslog(2) call. Usually it is required to use dmesg command.
  3. klog_write
     Allows to send log message to audit subsystem in kernel.This is the same as capability audit_write.
  4. klog_adm
     Allows to change configuration of audit in kernel. The same as capability audit_control,sys_pacct.
  5. insmod
     Allows to install kernel module.

8.13.2 allowpriv: related to SELinux operations

• Syntax
  allowpriv load_policy$\mid$setenforce$\mid$relabel$\mid$part_relabel$\mid$getsecurity$\mid$getsecattr;
• Meaning
  Allow priviledges to administrate SELinux.
  1. relabel
     Allow to relabel all files. You must also allow getsecurity and allowpriv search.
  2. part_relabel
     Allow to relabel files that the domain can write. You must also allow getsecurity. setfscreate operation is also allowed.
  3. getsecurity
     Allow to get security policy decisions, by accessing /selinux.
  4. setenforce
     Allow to toggle enforcing/permissive mode.
  5. load_policy
     Allow to load policy to kernel.
  6. setsecparam
     Change performance parameter of SELinux via /selinux/avc
  7. getsecattr
     Get security information(such as domain, stored in /proc/pid/attr) of other processes.

8.13.3 allowpriv: other privileges

• Syntax
  allowpriv net$\mid$boot$\mid$quotaon$\mid$mount $\mid$rawio$\mid$ptrace$\mid$chroot$\mid$unlabel $\mid$memlock$\mid$nice$\mid$resource$\mid$ time$\mid$devcreate$\mid$setattr$\mid$search$\mid$read $\mid$write$\mid$all
• Meaning
  Allow other priviledges.
  1. net
     Allow capability CAP_NET_ADMIN(Such as administrate NIC, route table).
  2. boot
     Allow capabilityCAP_SYS_BOOT. This means allow the usage of reboot system call.
  3. insmod
     Allow capabilityCAP_SYS_MODULE. This means allow to install kernel module.
  4. quotaon
     Allow to quotaon.
  5. mount
     Allow to mount device.
  6. rawio
     Allow capability CAP_SYS_RAWIO.This means usage of ioperm, iopl system call and access to /dev/mem.
  7. ptrace
     Allow to use ptrace.
  8. chroot
     Allow to use chroot.
  9. unlabel
     Allow full access to unlabeled files(Files labeled as unlabeled_t).
  10. memlock
      Allow capability CAP_IPC_LOCK. This means to lock memory.
  11. nice
      Allow capability CAP_SYS_NICE. This means process scheduling.
  12. resource
      Allow capability CAP_SYS_RESOURCE. This means usage of rlimit etc.
  13. time
      Allow capability CAP_SYS_TIME. Thie means modify system clock.
  14. sys_admin
      The same as POSIX capability CAP_SYS_ADMIN. This permissions overlaps other permissions, so if you allow this, not so serious problem. By denying this, it can restrict sethostname and some ioctl operations.
  15. tty_config
      The same as capability CAP_TTY_CONFIG. Change keyboard configuration, and usage of vhangup call.
  16. devcreate
      Allow to create device files in directory that the domain can write. Without this, a process can not create device file on a directory even it is configured writable.
  17. setattr
      Allow to setattr to files that the domain can s access. Without this setattr permission is granted in w permission.
  18. search
      Allow s permission to all files.
  19. read
      Allow r permission to all files.
  20. write
      Allow w permission to all files.
  21. all
      

8.13.4 denypriv

This can be used to cancel allowpriv configuration described in global domain.