Monday, August 28, 2006

combining two domains in SE Linux

To get the maximum value out of my writing, when I am asked a question of general interest in private mail I will blog my reply (without in any way identifying the person or giving any specifics of their work). I hope that this will benefit not only the general readers but also the person who originally asked the question, who may get something more from reading the blog comments.

The question is "I wonder whether I can define a domain which is a union of two existing domains, that is, define a new domain X, which has all the privileges domains Y and Z have got".

There is no way to say in one line of policy "let foo_t do everything that bar_t and baz_t can do" (for reasons I will explain later). However, you can easily define a domain that has the privileges of two other domains.

If you have bar.te and baz.te then a start is:
grep ^allow bar.te baz.te | sed -e s/bar/foo/ -e s/baz/foo/ >> foo.te
Then you just need to define foo_t in foo.te, define an entry-point type, and add a suitable domain_auto_trans() rule to enter the domain.

There are other macros that grant operations which don't fit easily into a grep command, but they aren't difficult to manage.

The only tricky area is if you have the following:
domain_auto_trans(bar_t, shell_exec_t, whatever1_t)
domain_auto_trans(baz_t, shell_exec_t, whatever2_t)

As every domain_auto_trans() needs a single target type for a given source domain and entry-point type, those two lines conflict once both source domains become foo_t, so you will need to decide which of the two targets you want in the merged domain. This is the reason why you can't just merge two domains automatically. The same applies to file_type_auto_trans() rules and, in some situations, to booleans.
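The grep/sed procedure above, carried through with a check for the transition conflict just described, as an added example that is not part of the original post. The bar.te and baz.te fragments are constructed for the demonstration, and the script renames only the whole domain token (bar_t, not bar_exec_t), which is one way to avoid the first-occurrence limitation of the one-liner:

```shell
# Added example (not from the original post): merge two SELinux domains'
# rules into a new domain and report domain_auto_trans() conflicts.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample policy fragments for the demonstration.
cat > "$WORK/bar.te" <<'EOF'
allow bar_t bar_exec_t:file { read execute entrypoint };
allow bar_t etc_t:file { read getattr };
domain_auto_trans(bar_t, shell_exec_t, whatever1_t)
EOF
cat > "$WORK/baz.te" <<'EOF'
allow baz_t baz_exec_t:file { read execute entrypoint };
allow baz_t var_log_t:file { append };
domain_auto_trans(baz_t, shell_exec_t, whatever2_t)
domain_auto_trans(baz_t, bin_t, whatever3_t)
EOF

# rename_domain OLD NEW: rewrite whole-token OLD_t as NEW_t on stdin, so bar_t
# changes but bar_exec_t does not.  The expression runs twice because one pass
# consumes the boundary character between two adjacent occurrences.
rename_domain() {
    pat="s/(^|[^A-Za-z0-9_])$1_t([^A-Za-z0-9_]|\$)/\\1$2_t\\2/g"
    sed -E -e "$pat" -e "$pat"
}

# merge_domains DIR OLD1 OLD2 NEW: copy the allow and auto-transition rules of
# OLD1 and OLD2 into DIR/NEW.te, renamed to NEW, and print how many were copied.
merge_domains() {
    {
        printf 'type %s_t;\n' "$4"
        grep -h -e '^allow ' -e '^domain_auto_trans(' -e '^file_type_auto_trans(' \
            "$1/$2.te" "$1/$3.te" | rename_domain "$2" "$4" | rename_domain "$3" "$4"
    } > "$1/$4.te"
    grep -c -e '^allow ' -e '^domain_auto_trans(' -e '^file_type_auto_trans(' "$1/$4.te"
}

# transition_conflicts FILE: print each (source, entrypoint) pair that the
# domain_auto_trans() rules send to more than one target; these are the merges
# that must be resolved by hand.
transition_conflicts() {
    sed -n -E 's/^domain_auto_trans\( *([^, ]+) *, *([^, ]+) *, *([^) ]+) *\).*/\1 \2 \3/p' "$1" \
        | sort -u \
        | awk '{ k = $1 " " $2; n[k]++; t[k] = t[k] " " $3 }
               END { for (k in n) if (n[k] > 1) print k ":" t[k] }' | sort
}

echo "merged $(merge_domains "$WORK" bar baz foo) rules into foo.te"
transition_conflicts "$WORK/foo.te"   # foo_t shell_exec_t: whatever1_t whatever2_t
```

The conflict line is exactly the case from the post: both source domains transition on shell_exec_t to different targets, so one of the two rules has to be dropped before foo.te will compile.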

1 comment:

Anonymous said...

That grep/sed transformation is a huge oversimplification.
There will be lots of cases where the sed fails, and most allow rules are done via macros, so the "^allow" RE might not even match a single line in the policy.

Just one of the reasons we need to go away from M4 and use some non-executable (!) syntax that we can process with regular tools. Maybe some XML format. There are tons of generic tools for XML processing.
Parsing M4 macros in a way you don't execute them is a pain.