TOMOYO Linux 2.4.x : Policy specification : Exception policy syntax

Exception policy syntax

acl_group

This directive specifies a group entry. This can be referenced to in domain policy by the use_group directive. This directive should be followed by a group number, followed by an entry that matches domain policy syntax.

This example allows domains with "use_group 0" to read /dev/null:

acl_group 0 file read /dev/null

aggregator

This directive allows multiple applications to be aggregated together. This directive is intended to aggregate similar programs whose behaviours are very similar.

This example causes the application /usr/bin/tac to be treated as /usr/bin/cat:

aggregator /usr/bin/tac /usr/bin/cat

reset_domain

This directive causes programs to run in the root domain of specified namespace.

Possible entries:

reset_domain "program" from any
reset_domain "program" from "last_pathname_of_domain"
reset_domain "program" from "domain"
reset_domain any from any
reset_domain any from "last_pathname_of_domain"
reset_domain any from "domain"

This example causes all executions of /usr/sbin/sshd to be reset to "</usr/sbin/sshd>" domain:

reset_domain /usr/sbin/sshd from any

no_reset_domain

This directive cancels the effect of reset_domain directive.

Possible entries:

no_reset_domain "program" from any
no_reset_domain "program" from "last_pathname_of_domain"
no_reset_domain "program" from "domain"
no_reset_domain any from any
no_reset_domain any from "last_pathname_of_domain"
no_reset_domain any from "domain"

This example causes all executions of /usr/sbin/sendmail.sendmail not to be reset to "</usr/sbin/sendmail.sendmail>" domain when /usr/sbin/sendmail.sendmail is executed from domains which the name of domains end with "/bin/mail":

reset_domain /usr/sbin/sendmail.sendmail from any
no_reset_domain /usr/sbin/sendmail.sendmail from /bin/mail

initialize_domain

This directive causes programs to run in a child of current namespace's root domain.

Possible entries:

initialize_domain "program" from any
initialize_domain "program" from "last_pathname_of_domain"
initialize_domain "program" from "domain"
initialize_domain any from any
initialize_domain any from "last_pathname_of_domain"
initialize_domain any from "domain"

This example causes all executions of /usr/sbin/sshd to be reinitialized to "<kernel> /usr/sbin/sshd" domain when executed from domains in "<kernel>" namespace:

initialize_domain /usr/sbin/sshd from any

no_initialize_domain

This directive cancels the effect of initialize_domain directive.

Possible entries:

no_initialize_domain "program" from any
no_initialize_domain "program" from "last_pathname_of_domain"
no_initialize_domain "program" from "domain"
no_initialize_domain any from any
no_initialize_domain any from "last_pathname_of_domain"
no_initialize_domain any from "domain"

This example causes all executions of /usr/sbin/sendmail.sendmail not to be reinitialized to "<kernel> /usr/sbin/sendmail.sendmail" domain when /usr/sbin/sendmail.sendmail is executed from domains which the name of domains end with "/bin/mail":

initialize_domain /usr/sbin/sendmail.sendmail from any
no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail

keep_domain

This directive prevents any domain transitions from occurring from a particular domain.

Possible entries:

keep_domain "program" from any
keep_domain "program" from "last_pathname_of_domain"
keep_domain "program" from "domain"
keep_domain any from any
keep_domain any from "last_pathname_of_domain"
keep_domain any from "domain"

This example causes domain transition not to occur when programs are executed from "<kernel> /usr/sbin/sshd /bin/bash" domain:

keep_domain any from <kernel> /usr/sbin/sshd /bin/bash

no_keep_domain

This directive cancels the effect of keep_domain directive.

Possible entries:

no_keep_domain "program" from any
no_keep_domain "program" from "last_pathname_of_domain"
no_keep_domain "program" from "domain"
no_keep_domain any from any
no_keep_domain any from "last_pathname_of_domain"
no_keep_domain any from "domain"

This example causes domain transition to occur when /bin/cat is executed from "<kernel> /usr/sbin/sshd /bin/bash" domain:

keep_domain any from <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain /bin/cat from <kernel> /usr/sbin/sshd /bin/bash

number_group

This directive declares a group name that can be used in domain policy to refer to a range of numbers.

For example, if suppose the following are defined in exception policy:

number_group CREATE-MODES 0644
number_group CREATE-MODES 0664

The following can then be defined in domain policy:

file create /tmp/file @CREATE-MODES

path_group

This directive declares a group name that can be used in domain policy to refer to a range of pathnames.

For example, if suppose the following are defined in exception policy:

path_group HOME-DIR-FILE /home/\*/\*
path_group HOME-DIR-FILE /home/\*/\{\*\}/\*

The following can then be defined in domain policy:

file read @HOME-DIR-FILE

Prev	Index	Next
A3: Expression rules	Main Index	A5: Domain policy syntax