2.6. TE Rules - Attributes

Policy attributes identify groups of security types that share a common property. Such a group can be controlled by a few overarching rules instead of one rule per type. The relationship is many-to-many: a type can carry any number of attributes, and an attribute can be associated with any number of types.

The declarations file $SELINUX_SRC/attrib.te is well documented in its comment blocks. The attribute declaration syntax is: attribute <identifier>;

## Samples from $SELINUX_SRC/attrib.te

# The domain attribute identifies every type that can be 
# assigned to a process.  This attribute is used in TE rules 
# that should be applied to all domains, e.g. permitting 
# init to kill all processes.
attribute domain;

# Identifies all default types assigned to packets received 
# on network interfaces.  
attribute netmsg_type;

Here are a few noteworthy attributes. Information about them was obtained through policy analysis using apol, part of the setools package. You can read more about this in Section 6.3 Using apol for Policy Analysis:

httpdcontent

The purpose of this attribute is to group together the various types associated with the policy for Apache HTTP. Because of the complexity of the httpd configuration, the targeted policy includes Boolean values that allow you to grant blanket permissions for httpd content types. This helps Web applications and built-in scripting, such as PHP for Apache HTTP, to work with the content. The types in this attribute are:

# This is an aliasing relationship
httpd_sys_content_t: httpd_sysadm_content_t, \
  httpd_user_content_t

# These types handle different permissions sets for scripts
httpd_sys_script_ro_t
httpd_sys_script_rw_t
httpd_sys_script_ra_t

The first line in the attribute group specifies that httpd_sys_content_t is an alias for httpd_sysadm_content_t and httpd_user_content_t.

file_type

This attribute is for all the types that are assigned to files, allowing for easier association of all file types to various kinds of file system needs. This attribute makes it more convenient to allow specific domains access to all file types. The list of types associated with the file_type attribute is greater than 170 types:

...
device_t
xconsole_device_t
file_t
default_t
root_t
mnt_t
home_root_t
lost_found_t
boot_t
system_map_t
boot_runtime_t
tmp_t
etc_t: hotplug_etc_t
shadow_t
ld_so_cache_t
etc_runtime_t
fonts_t
etc_aliases_t
net_conf_t: resolv_conf_t
lib_t
shlib_t
...

netif_type, port_type, and node_type

These attributes relate to network activity by domains. The netif_type identifies the types associated with network interfaces, allowing policy to control sending, receiving, and various operations on the interface:

netif_t
netif_eth0_t
netif_eth1_t
netif_eth2_t
netif_lo_t
netif_ippp0_t
netif_ipsec0_t
netif_ipsec1_t
netif_ipsec2_t

The port_type attribute is associated with all types that are assigned to port numbers. This allows SELinux to control port binding, meaning daemons are restricted in using a port depending on the type assigned to the port:

dns_port_t
dhcpd_port_t
http_cache_port_t
port_t
reserved_port_t
http_port_t
pxe_port_t
smtp_port_t
mysqld_port_t
rndc_port_t
ntp_port_t
portmap_port_t
postgresql_port_t
snmp_port_t
syslogd_port_t

The node_type is for types assigned to network nodes or hosts, allowing SELinux to control traffic to and from the node:

node_t
node_lo_t
node_internal_t
node_inaddr_any_t
node_unspec_t
node_link_local_t
node_site_local_t
node_multicast_t
node_mapped_ipv4_t
node_compat_ipv4_t

fs_type

This attribute identifies all types assigned to file systems, including non-persistent file systems. The fs_type attribute is used in TE rules to allow most domains to obtain overall file system statistics, and for some specific domains to mount any file system. Here are the SELinux file types that are part of fs_type:

devpts_t: sysadm_devpts_t, staff_devpts_t, user_devpts_t
fs_t
eventpollfs_t
futexfs_t
bdev_t
usbfs_t
nfsd_fs_t
rpc_pipefs_t
binfmt_misc_fs_t
tmpfs_t
autofs_t
usbdevfs_t
sysfs_t
iso9660_t
romfs_t
ramfs_t
dosfs_t
cifs_t: sambafs_t
nfs_t
proc_t
security_t

exec_type

This attribute groups together all types that are assigned to entry point executables. Any TE rules and assertions that should be applied to all entry point executables use this attribute. Here are the types in this attribute:

ls_exec_t
shell_exec_t
httpd_exec_t
httpd_suexec_exec_t
httpd_php_exec_t
httpd_helper_exec_t
dhcpd_exec_t
hotplug_exec_t
initrc_exec_t
run_init_exec_t
init_exec_t
ldconfig_exec_t
mailman_queue_exec_t
mailman_mail_exec_t
mailman_cgi_exec_t
depmod_exec_t
insmod_exec_t
update_modules_exec_t
sendmail_exec_t
mysqld_exec_t
named_exec_t
ndc_exec_t
nscd_exec_t
ntpd_exec_t
ntpdate_exec_t
portmap_exec_t
postgresql_exec_t
rpm_exec_t
snmpd_exec_t
squid_exec_t
syslogd_exec_t
udev_exec_t
udev_helper_exec_t
winbind_exec_t
ypbind_exec_t

mta_delivery_agent

This attribute allows for flexibility in choosing a mail transfer agent (MTA) such as sendmail or postfix. Rules allow it to perform mail handling and take tasks from mailman. However, this attribute is not used in the targeted policy since none of the MTAs are targeted daemons for Red Hat Enterprise Linux 4.

domain

This attribute is for all types that can be assigned to a process. This is the method for identifying what is a domain in SELinux. In other Type Enforcement systems, domains may be implemented separately from types. In SELinux, domains are essentially types with the domain attribute.

This attribute allows you to have rules that can be applied to all domains, such as allowing init to send signals to all processes. Another example is the following rule that allows all processes to perform a search on directory objects that have a type of var_t or var_run_t, that is, the directories /var and /var/run:

allow domain { var_run_t var_t }:dir search;

Here are the domains covered by this attribute:

unconfined_t: kernel_t, init_t, initrc_t, sysadm_t, rpm_t, \
              rpm_script_t, logrotate_t
mount_t
httpd_t
httpd_sys_script_t
httpd_suexec_t
httpd_php_t
httpd_helper_t
dhcpd_t
ldconfig_t
mailman_queue_t
mailman_mail_t
mailman_cgi_t
system_mail_t
mysqld_t
named_t
ndc_t
nscd_t
ntpd_t
portmap_t
postgresql_t
snmpd_t
squid_t
syslogd_t
winbind_t
ypbind_t

reserved_port_type

This attribute identifies all the types that are assigned to any of the reserved network ports, that is, ports numbered lower than 1024. The attribute is used to control port binding. An example pair of binding rules is shown here, followed by the types that are part of this attribute:

# The allow rule permits the domain portmap_t to bind to a 
# port with a type of portmap_port_t, which is one of the 
# types identified by the reserved_port_type attribute.  The
# dontaudit rule tells SELinux to never audit the access of 
# portmap_t to a reserved_port_type.

allow portmap_t portmap_port_t:{ udp_socket tcp_socket } \
  name_bind;
dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
# Types associated with the reserved_port_type attribute

http_port_t
smtp_port_t
rndc_port_t
ntp_port_t
portmap_port_t
snmp_port_t
syslogd_port_t
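As an added illustration (this script is not part of the SELinux policy sources or the setools package), the following Python code parses a small constructed policy fragment written in the same TE syntax as the examples above, expands each attribute to its member types, and reports which rules cover a concrete access. It demonstrates both the domain directory-search rule and the portmap_t binding rules from this section; the type and attribute names are taken from the text, but the POLICY fragment itself is constructed and does not reproduce a real attrib.te.

```python
import re
from collections import defaultdict
# Constructed mini policy in TE syntax (not from any real attrib.te): 'attribute'
# declares a group, 'type NAME, ATTR...;' binds a type to attributes, and a rule
# may name an attribute wherever a type is expected.
POLICY = """
attribute domain;
attribute reserved_port_type;
type httpd_t, domain;
type portmap_t, domain;
type var_t;
type var_run_t;
type portmap_port_t, reserved_port_type;
type http_port_t, reserved_port_type;
allow domain { var_run_t var_t }:dir search;
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
"""

# Each rule field is one word or a brace set such as "{ udp_socket tcp_socket }".
FIELD = r"(\{[^}]*\}|\S+)"
RULE = re.compile(r"^(allow|dontaudit)\s+%s\s+%s:%s\s+%s;$" % ((FIELD,) * 4))

def parse_policy(text):
    """Return (attribute -> set of member types, list of parsed rules)."""
    attrs, rules = defaultdict(set), []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("attribute "):
            attrs.setdefault(line[10:].rstrip(";").strip(), set())
        elif line.startswith("type "):
            name, *tags = [w.strip() for w in line[5:].rstrip(";").split(",")]
            for attr in tags:  # many-to-many: one type may carry several attributes
                attrs[attr].add(name)
        else:
            m = RULE.match(line)
            if not m:
                raise ValueError("unparsed line: " + line)
            fields = [m.group(i).strip("{} ").split() for i in range(2, 6)]
            rules.append((m.group(1), *fields))
    return attrs, rules

def expand(attrs, names):
    """Replace each attribute by its member types; plain type names pass through."""
    return set().union(*(attrs[n] if n in attrs else {n} for n in names))

def decisions(attrs, rules, src, tgt, cls, perm):
    """Kinds of rules ('allow', 'dontaudit') whose expansion covers this access."""
    return {kind for kind, s, t, c, p in rules if src in expand(attrs, s)
            and tgt in expand(attrs, t) and cls in c and perm in p}
```

A result containing only 'dontaudit' means the access is still denied; the rule only suppresses the audit record, which is why portmap_t binding to http_port_t is silently refused while binding to portmap_port_t is permitted.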