لطفا منتظر باشید ...
Appendix C. SELinux Macros Defined in src/policy/macros
Table C-1 describes principal macros defined in the
src/policy/macros subdirectory. The macros included in the
table are those present in the Fedora Core 2 implementation of
SELinux. Other implementations may define different macros or alter
the operation of macros appearing in the table.
Table C-1. SELinux macros defined in the macros subdirectory
Macro
Description
admin_domain
Defines a domain for an administrative user.
append_logdir_domain
Authorizes a specified domain to create, read, and append to logfiles
within its own specially labeled logging directory.
append_log_domain
Authorizes a specified domain to read and append to its own specially
labeled logfiles.
application_domain
Authorizes a specified domain to perform operations common to simple
applications.
base_file_read_access
Authorizes a specified domain to read and search several system file
types.
base_pty_perms
Authorizes a specified domain to access the pty master multiplexer
domain and to search /dev/pts.
base_user_domain
Defines a domain for a nonadministrative user.
can_create_other_pty
Authorizes a specified domain to create new ptys for another
specified domain.
can_create_pty
Authorizes a specified domain to create new ptys.
can_exec
Authorizes a specified domain to execute files having a specified
type (domain) without transitioning to a new domain.
can_exec_any
Authorizes a specified domain to execute a variety of executable
types.
can_getcon
Authorizes a specified domain to obtain its execution context.
can_getsecurity
Authorizes a specified domain to query the security server.
can_loadpol
Authorizes a specified domain to load a policy.
can_network
Authorizes a specified domain to access the network.
can_ps
Authorizes a process in a specified domain to see
/proc entries for processes in another specified
domain.
can_ptrace
Authorizes a specified domain to trace processes executing in another
specified domain.
can_setbool
Authorizes a specified domain to set a policy Boolean.
can_setenforce
Authorizes a specified domain to set the SELinux enforcement mode.
can_setexec
Authorizes a specified domain to set its exec
context.
can_setfscreate
Authorizes a domain to set its fscreate
context.
can_sysctl
Authorizes a specified domain to modify sysctl
parameters.
can_tcp_connect
Authorizes a specified domain to establish a TCP connection with
another specified domain.
can_udp_send
Authorizes a specified domain to send UDP datagrams to another
specified domain.
can_unix_connect
Authorizes two specified domains to establish a Unix stream
connection.
can_unix_send
Authorizes a specified domain to send Unix datagrams to another
specified domain.
create_append_log_file
Authorizes a domain to read, write, and add names to directories and
create and append to files.
create_dir_file
Authorizes a specified domain to create and use directories and files.
create_dir_notdevfile
Defines access-vector rules for creating and using directories and
nondevice files.
create_dir_perms
Defines permissions needed to create and use directories.
create_file_perms
Defines permissions needed to create and use files.
create_msgq_perms
Defines permissions needed to create message queues and read and
write message queues and their attributes.
create_sem_perms
Defines permissions needed to create semaphores and read and write
semaphores and their attributes.
create_shm_perms
Defines permissions needed to create shared memory segments and read
and write shared memory segments and their attributes.
create_socket_perms
Defines permissions needed to create, read, write, and otherwise use
sockets.
create_stream_socket_perms
Defines permissions needed to create, read, write, and otherwise use
stream sockets.
daemon_base_domain
Authorizes a specified domain to perform a variety of operations
useful to daemons, including those authorized by
daemon_core_rules
.
daemon_core_rules
Authorizes a specified domain to access a variety of types useful to
daemons.
daemon_domain
Authorizes a specified domain to use PID files.
daemon_sub_domain
Defines a child domain of a specified domain.
devfile_class_set
Defines a class that includes all device file classes.
dgram_socket_class_set
Defines a class that includes all datagram socket classes.
dir_file_class_set
Defines a class that includes all directory and file classes.
domain_auto_trans
Authorizes a specified domain to automatically transition to another
specified domain.
domain_trans
Authorizes a specified domain to transition to another specified
domain.
etcdir_domain
Authorizes a specified domain to read files within its own specially
labeled configuration subdirectory of directories labeled
etc_t
.
etc_domain
Authorizes a specified domain to read its own specially labeled
configuration files residing in directories labeled
etc_t
.
file_class_set
Defines a class including all nondirectory file classes.
file_type_auto_trans
Authorizes a specified domain to automatically label with a specified
type files created within directories having another specified type.
file_type_trans
Authorizes a specified domain to label with a specified type files
created within directories having another specified type.
full_user_role
Defines a role for a user who logs in to the system and has full user
status.
general_domain_access
Authorizes a specified domain to access processes, PID files, file
descriptors, pipes, Unix sockets, and IPC objects belonging to the
domain.
general_proc_read_access
Authorizes a specified domain to access most nodes in the
/proc filesystem.
init_service_domain
Authorizes a specified domain to perform operations useful to
programs that are run from init.
in_user_role
Defines a type as accessible to the user_r
and
staff_r
roles.
link_file_perms
Defines permissions needed to link, unlink, and rename files.
lock_domain
Authorizes a specified domain to use its own specially labeled lock
files within directories labeled var_lock_t
.
logdir_domain
Authorizes a specified domain to create private logfiles.
log_domain
Authorizes a specified domain to use files having type
var_log_t
.
mini_user_domain
Defines a simple domain for a nonadministrative user having minimal
privileges.
mount_fs_perms
Defines permissions needed to mount and unmount filesystems.
notdevfile_class_set
Defines a class including all nondevice file classes.
packet_perms
Defines permissions needed to send and receive network packets.
pty_slave_label
Authorizes a specified domain to access a slave pty, but not to
create new ptys.
r_dir_file
Authorizes a specified domain to read directories and files.
r_dir_perms
Defines permissions needed to read directories and directory
attributes.
r_file_perms
Defines permissions needed to read files and file attributes.
r_msgq_perms
Defines permissions needed to read message queues and message queue
attributes.
r_sem_perms
Defines permissions needed to read semaphores and semaphore
attributes.
r_shm_perms
Defines permissions needed to read shared memory segments and shared
memory segment attributes.
ra_dir_create_file
Defines access-vector rules for reading directories and files,
creating and appending to files, and adding names to directories.
ra_dir_file
Defines access vector rules for reading directories and files,
appending to files, and adding names to directories.
ra_dir_perms
Defines permissions needed to read directories and add names to
directories.
ra_file_perms
Defines permissions needed to read and append to files.
read_locale
Authorizes a specified domain to read the locale data,
/etc/localtime, and the file to which it links.
read_sysctl
Authorizes a specified domain to read sysctl
variables.
rw_dir_create_file
Authorizes a specified domain to read and write directories and
create and use files.
rw_dir_file
Defines access vector rules for reading and writing files and
directories.
rw_dir_perms
Defines permissions needed to read and write directories and
directory attributes.
rw_file_perms
Defines permissions needed to read and write files and file
attributes.
rw_msgq_perms
Defines permissions needed to read and write message queues and their
attributes.
rw_sem_perms
Defines permissions needed to read and write semaphores and their
attributes.
rw_shm_perms
Defines permissions needed to read and write shared memory segments
and their attributes.
rw_socket_perms
Defines permissions needed to read, write, and otherwise use (but not
create) sockets.
rw_stream_socket_perms
Defines permissions needed to read, write, and otherwise use (but not
create) stream sockets.
rx_file_perms
Defines permissions needed to read and execute files.
signal_perms
Defines permissions needed to send signals to processes.
socket_class_set
Defines a class including all socket classes.
stat_file_perms
Defines permissions needed to get file attributes.
stream_socket_class_set
Defines a class including all stream socket classes.
system_domain
Authorizes a specified domain to use shared libraries, the system
log, access system administration files, and perform other operations
common to system processes.
tmp_domain
Authorizes a specified domain to create and use files having type
tmp_t
.
tmpfs_domain
Authorizes a specified domain to create and use files having type
tmpfs_t
.
unconfined_domain
Authorize a domain to perform any operation permitted by Linux DAC,
effectively bypassing all SELinux policy checks.
unpriv_socket_class_set
Defines a class including all nonprivileged socket classes (excludes
rawip-, netlink-, and packet-related classes).
user_application_domain
Authorizes a specified domain to perform operations common to simple
applications and defines the domain as a user domain.
user_domain
Defines a domain for a nonadministrative user.
uses_authbind
Authorizes a specified domain to use services provided by the
authbind_t
domain.
uses_shlib
Authorizes a specified domain to use shared libraries.
var_lib_domain
Authorizes a specified domain to use files having type
var_lib_t
.
var_run_domain
Authorizes a specified domain to create files in
/var/run files and other directories created for
the domain.
x_file_perms
Defines permissions needed to execute files.
