Exception policy syntax
acl_group
This directive specifies a group entry, which domain policy can reference with the use_group directive. The directive should be followed by a group number, followed by an entry that matches domain policy syntax.
This example allows domains with "use_group 0" to read /dev/null:
acl_group 0 file read /dev/null
aggregator
This directive aggregates multiple applications so that they are treated as one. It is intended for similar programs whose behaviours are very close to each other.
This example causes the application /usr/bin/tac to be treated as /usr/bin/cat:
aggregator /usr/bin/tac /usr/bin/cat
reset_domain
This directive causes programs to run in the root domain of the specified namespace.
Possible entries:
- reset_domain "program" from any
- reset_domain "program" from "last_pathname_of_domain"
- reset_domain "program" from "domain"
- reset_domain any from any
- reset_domain any from "last_pathname_of_domain"
- reset_domain any from "domain"
This example causes all executions of /usr/sbin/sshd to be reset to the "</usr/sbin/sshd>" domain:
reset_domain /usr/sbin/sshd from any
no_reset_domain
This directive cancels the effect of the reset_domain directive.
Possible entries:
- no_reset_domain "program" from any
- no_reset_domain "program" from "last_pathname_of_domain"
- no_reset_domain "program" from "domain"
- no_reset_domain any from any
- no_reset_domain any from "last_pathname_of_domain"
- no_reset_domain any from "domain"
This example causes executions of /usr/sbin/sendmail.sendmail not to be reset to the "</usr/sbin/sendmail.sendmail>" domain when /usr/sbin/sendmail.sendmail is executed from domains whose names end with "/bin/mail":
reset_domain /usr/sbin/sendmail.sendmail from any
no_reset_domain /usr/sbin/sendmail.sendmail from /bin/mail
initialize_domain
This directive causes programs to run in a child of the "<kernel>" domain.
Possible entries:
- initialize_domain "program" from any
- initialize_domain "program" from "last_pathname_of_domain"
- initialize_domain "program" from "domain"
- initialize_domain any from any
- initialize_domain any from "last_pathname_of_domain"
- initialize_domain any from "domain"
This example causes all executions of /usr/sbin/sshd to be reinitialized to the "<kernel> /usr/sbin/sshd" domain:
initialize_domain /usr/sbin/sshd from any
no_initialize_domain
This directive cancels the effect of the initialize_domain directive.
Possible entries:
- no_initialize_domain "program" from any
- no_initialize_domain "program" from "last_pathname_of_domain"
- no_initialize_domain "program" from "domain"
- no_initialize_domain any from any
- no_initialize_domain any from "last_pathname_of_domain"
- no_initialize_domain any from "domain"
This example causes executions of /usr/sbin/sendmail.sendmail not to be reinitialized to the "<kernel> /usr/sbin/sendmail.sendmail" domain when /usr/sbin/sendmail.sendmail is executed from domains whose names end with "/bin/mail":
initialize_domain /usr/sbin/sendmail.sendmail from any
no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail
keep_domain
This directive prevents any domain transitions from occurring from a particular domain.
Possible entries:
- keep_domain "program" from any
- keep_domain "program" from "last_pathname_of_domain"
- keep_domain "program" from "domain"
- keep_domain any from any
- keep_domain any from "last_pathname_of_domain"
- keep_domain any from "domain"
This example causes no domain transition to occur when programs are executed from the "<kernel> /usr/sbin/sshd /bin/bash" domain:
keep_domain any from <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain
This directive cancels the effect of the keep_domain directive.
Possible entries:
- no_keep_domain "program" from any
- no_keep_domain "program" from "last_pathname_of_domain"
- no_keep_domain "program" from "domain"
- no_keep_domain any from any
- no_keep_domain any from "last_pathname_of_domain"
- no_keep_domain any from "domain"
This example causes a domain transition to occur when /bin/cat is executed from the "<kernel> /usr/sbin/sshd /bin/bash" domain, while all other programs stay in that domain:
keep_domain any from <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain /bin/cat from <kernel> /usr/sbin/sshd /bin/bash
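The six transition directives above (reset_domain, initialize_domain, keep_domain and their no_* counterparts) decide which domain a program lands in when it is executed. The following Python script is an added illustration of that resolution, not TOMOYO's own code: it parses the directives from exception policy text and answers "which domain does program P run in when executed from domain D?" using the examples of this section as constructed sample policy. Two points are assumptions rather than statements of this page: that a no_* entry is consulted before its positive counterpart and suppresses it, and that reset_domain is checked before initialize_domain, which is checked before keep_domain; the "from" condition is matched against either the full domain name or its last pathname, as the "Possible entries" lists describe.

```python
"""Resolve which domain a program runs in, given TOMOYO-style exception policy.

Added illustration. Assumed precedence: each no_* entry is consulted before its
positive counterpart and suppresses it; reset_domain is checked before
initialize_domain, which is checked before keep_domain.
"""
from dataclasses import dataclass

# Positive directives in the (assumed) order they are evaluated.
TRANSITIONS = ("reset_domain", "initialize_domain", "keep_domain")


@dataclass(frozen=True)
class Rule:
    directive: str  # e.g. "reset_domain" or "no_keep_domain"
    program: str    # a pathname, or "any"
    source: str     # "any", a full domain name, or the last pathname of a domain


def parse_transition_rules(text: str) -> list[Rule]:
    """Parse the *_domain directives; every other directive is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        if directive.removeprefix("no_") not in TRANSITIONS:
            continue  # acl_group, path_group, ... are not transition rules
        # Domain names contain spaces ("<kernel> /usr/sbin/sshd /bin/bash"),
        # so split only on the first " from ".
        program, sep, source = rest.partition(" from ")
        if not sep or not program or not source:
            raise ValueError(f"malformed transition directive: {line!r}")
        rules.append(Rule(directive, program.strip(), source.strip()))
    return rules


def rule_matches(rule: Rule, domain: str, program: str) -> bool:
    """A rule applies when both its program and its "from" condition match."""
    if rule.program not in ("any", program):
        return False
    last_pathname = domain.rsplit(" ", 1)[-1]
    return rule.source in ("any", domain, last_pathname)


def next_domain(rules: list[Rule], domain: str, program: str) -> str:
    """Return the domain that `program` runs in when executed from `domain`."""

    def any_match(directive: str) -> bool:
        return any(rule_matches(r, domain, program)
                   for r in rules if r.directive == directive)

    for directive in TRANSITIONS:
        if any_match("no_" + directive):
            continue  # the cancelling entry suppresses its counterpart
        if not any_match(directive):
            continue
        if directive == "reset_domain":
            return f"<{program}>"
        if directive == "initialize_domain":
            return f"<kernel> {program}"
        return domain  # keep_domain: stay in the current domain
    return f"{domain} {program}"  # default: child domain named after the program


# Constructed sample policy, assembled from the examples in this section.
SAMPLE_POLICY = """\
reset_domain /usr/sbin/sendmail.sendmail from any
no_reset_domain /usr/sbin/sendmail.sendmail from /bin/mail
initialize_domain /usr/sbin/sshd from any
keep_domain any from <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain /bin/cat from <kernel> /usr/sbin/sshd /bin/bash
"""

if __name__ == "__main__":
    rules = parse_transition_rules(SAMPLE_POLICY)
    shell = "<kernel> /usr/sbin/sshd /bin/bash"
    for src, prog in [(shell, "/bin/ls"), (shell, "/bin/cat"),
                      ("<kernel> /sbin/init", "/usr/sbin/sshd"),
                      ("<kernel> /usr/sbin/httpd", "/usr/sbin/sendmail.sendmail"),
                      (shell + " /bin/mail", "/usr/sbin/sendmail.sendmail")]:
        print(f"{src!r} exec {prog} -> {next_domain(rules, src, prog)!r}")
```

Running the script shows /bin/ls staying in the shell domain (keep_domain), /bin/cat getting its own child domain (no_keep_domain), sshd being reinitialized under "<kernel>", sendmail being reset to "</usr/sbin/sendmail.sendmail>" from an unrelated domain, and the same sendmail keeping the default child-domain transition when launched from a domain ending in /bin/mail.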
address_group
This directive declares a group name that can be used in domain policy to refer to a range of IP addresses.
For example, suppose the following are defined in exception policy:
address_group LOCAL-ADDRESS 10.0.0.0-10.255.255.255
address_group LOCAL-ADDRESS 172.16.0.0-172.31.255.255
address_group LOCAL-ADDRESS 192.168.0.0-192.168.255.255
The following can then be defined in domain policy:
network inet stream accept @LOCAL-ADDRESS 1024-65535
number_group
This directive declares a group name that can be used in domain policy to refer to a range of numbers.
For example, suppose the following are defined in exception policy:
number_group CREATE-MODES 0644
number_group CREATE-MODES 0664
The following can then be defined in domain policy:
file create /tmp/file @CREATE-MODES
path_group
This directive declares a group name that can be used in domain policy to refer to a range of pathnames.
For example, suppose the following are defined in exception policy:
path_group HOME-DIR-FILE /home/\*/\*
path_group HOME-DIR-FILE /home/\*/\{\*\}/\*
The following can then be defined in domain policy:
file read @HOME-DIR-FILE
deny_autobind
This directive prevents a specific local port from being selected automatically.
For example, some proxy servers use local port 8080, so this port should not be bound by other programs for temporary use:
deny_autobind 1-1023
deny_autobind 8080
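The group directives (address_group, number_group, path_group) and deny_autobind all declare ranges that domain policy later refers to. The following Python script is an added illustration, not TOMOYO's own code: it parses those four directives from exception policy text and checks whether a concrete value (an IP address, a create mode, a pathname, a local port) is covered by a "@NAME" reference, using the examples of this section as constructed sample policy. For path_group patterns only the \*, \? and \{dir\}/ wildcards are implemented, with the assumed meanings "zero or more characters other than /", "one character other than /" and "one or more repetitions of dir/"; TOMOYO's other wildcards and its escaping of special characters in pathnames are not handled.

```python
r"""Check domain policy operands against exception policy groups and deny_autobind.

Added illustration. Only the \*, \? and \{dir\}/ path wildcards are supported
(an assumed subset of the real pattern syntax).
"""
import ipaddress
import re


def parse_number(token: str) -> int:
    """Policy numbers: 0x.. is hex, a leading 0 means octal (0644), else decimal."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) > 1 and token.startswith("0"):
        return int(token, 8)
    return int(token, 10)


def parse_range(value: str, convert):
    """'lo-hi' becomes (lo, hi); a single value becomes (v, v)."""
    lo, _, hi = value.partition("-")
    return convert(lo), convert(hi or lo)


def pattern_to_regex(pattern: str) -> str:
    """Translate a TOMOYO-style path pattern into a regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] != "\\":
            out.append(re.escape(pattern[i]))
            i += 1
            continue
        wildcard = pattern[i + 1]
        if wildcard == "*":            # zero or more characters other than "/"
            out.append("[^/]*")
            i += 2
        elif wildcard == "?":          # exactly one character other than "/"
            out.append("[^/]")
            i += 2
        elif wildcard == "{":          # \{dir\}/ : one or more repetitions of "dir/"
            end = pattern.index("\\}/", i)
            out.append(f"(?:{pattern_to_regex(pattern[i + 2:end])}/)+")
            i = end + 3
        else:
            raise ValueError(f"unsupported wildcard \\{wildcard} in {pattern!r}")
    return "".join(out)


def parse_groups(text: str) -> dict:
    """Collect address_group, number_group, path_group and deny_autobind entries."""
    groups = {"address_group": {}, "number_group": {}, "path_group": {},
              "deny_autobind": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in groups:
            continue  # not one of the directives handled here
        kind = parts[0]
        if kind == "deny_autobind":
            groups[kind].append(parse_range(parts[1], int))
            continue
        name, value = parts[1], parts[2]
        if kind == "address_group":
            entry = parse_range(value, ipaddress.ip_address)
        elif kind == "number_group":
            entry = parse_range(value, parse_number)
        else:
            entry = re.compile(pattern_to_regex(value))
        groups[kind].setdefault(name, []).append(entry)
    return groups


def in_group(groups: dict, kind: str, ref: str, value) -> bool:
    """True if `value` is covered by group `ref` (written "@NAME" in domain policy)."""
    entries = groups[kind].get(ref.lstrip("@"), [])
    if kind == "path_group":
        return any(p.fullmatch(value) for p in entries)
    if kind == "address_group":
        value = ipaddress.ip_address(value)
        return any(lo.version == value.version and lo <= value <= hi
                   for lo, hi in entries)
    return any(lo <= value <= hi for lo, hi in entries)


def autobind_denied(groups: dict, port: int) -> bool:
    """True if `port` must not be chosen automatically for a local socket."""
    return any(lo <= port <= hi for lo, hi in groups["deny_autobind"])


# Constructed sample, assembled from the examples in this section.
SAMPLE_POLICY = r"""
address_group LOCAL-ADDRESS 10.0.0.0-10.255.255.255
address_group LOCAL-ADDRESS 172.16.0.0-172.31.255.255
address_group LOCAL-ADDRESS 192.168.0.0-192.168.255.255
number_group CREATE-MODES 0644
number_group CREATE-MODES 0664
path_group HOME-DIR-FILE /home/\*/\*
path_group HOME-DIR-FILE /home/\*/\{\*\}/\*
deny_autobind 1-1023
deny_autobind 8080
"""

if __name__ == "__main__":
    g = parse_groups(SAMPLE_POLICY)
    print(in_group(g, "address_group", "@LOCAL-ADDRESS", "10.0.0.5"))      # True
    print(in_group(g, "number_group", "@CREATE-MODES", 0o600))             # False
    print(in_group(g, "path_group", "@HOME-DIR-FILE", "/home/a/b/c.txt"))  # True
    print(autobind_denied(g, 8080))                                        # True
```

The two HOME-DIR-FILE patterns together cover files at any depth below a home directory: the first matches files directly inside /home/<user>/, the second requires at least one further directory component, which is why the page lists both.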