
Exception policy syntax

acl_group

This directive specifies a group entry that domain policy can reference with the use_group directive. The directive is followed by a group number and then an entry written in domain policy syntax.

This example allows domains with "use_group 0" to read /dev/null:

acl_group 0 file read /dev/null

aggregator

This directive allows multiple applications to be aggregated together, so that they share one domain. It is intended for programs whose behaviour is very similar.

This example causes the application /usr/bin/tac to be treated as /usr/bin/cat:

aggregator /usr/bin/tac /usr/bin/cat

reset_domain

This directive causes programs to run in the root domain of the specified namespace.

Possible entries:

This example causes all executions of /usr/sbin/sshd to be reset to the "</usr/sbin/sshd>" domain:

reset_domain /usr/sbin/sshd from any

no_reset_domain

This directive cancels the effect of the reset_domain directive.

Possible entries:

This example causes executions of /usr/sbin/sendmail.sendmail not to be reset to the "</usr/sbin/sendmail.sendmail>" domain when /usr/sbin/sendmail.sendmail is executed from domains whose names end with "/bin/mail":

reset_domain /usr/sbin/sendmail.sendmail from any
no_reset_domain /usr/sbin/sendmail.sendmail from /bin/mail

initialize_domain

This directive causes programs to run in a child of the "<kernel>" domain.

Possible entries:

This example causes all executions of /usr/sbin/sshd to be reinitialized to "<kernel> /usr/sbin/sshd" domain:

initialize_domain /usr/sbin/sshd from any

no_initialize_domain

This directive cancels the effect of the initialize_domain directive.

Possible entries:

This example causes executions of /usr/sbin/sendmail.sendmail not to be reinitialized to the "<kernel> /usr/sbin/sendmail.sendmail" domain when /usr/sbin/sendmail.sendmail is executed from domains whose names end with "/bin/mail":

initialize_domain /usr/sbin/sendmail.sendmail from any
no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail

keep_domain

This directive prevents any domain transitions from occurring from a particular domain.

Possible entries:

This example causes no domain transition to occur when programs are executed from the "<kernel> /usr/sbin/sshd /bin/bash" domain:

keep_domain any from <kernel> /usr/sbin/sshd /bin/bash

no_keep_domain

This directive cancels the effect of the keep_domain directive.

Possible entries:

This example causes a domain transition to occur when /bin/cat is executed from the "<kernel> /usr/sbin/sshd /bin/bash" domain, even though keep_domain applies to that domain:

keep_domain any from <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain /bin/cat from <kernel> /usr/sbin/sshd /bin/bash

address_group

This directive declares a group name that can be used in domain policy to refer to a range of IP addresses.

For example, suppose the following is defined in the exception policy:

address_group LOCAL-ADDRESS 10.0.0.0-10.255.255.255
address_group LOCAL-ADDRESS 172.16.0.0-172.31.255.255
address_group LOCAL-ADDRESS 192.168.0.0-192.168.255.255

The following can then be defined in domain policy, where @LOCAL-ADDRESS stands for all three ranges:

network inet stream accept @LOCAL-ADDRESS 1024-65535

number_group

This directive declares a group name that can be used in domain policy to refer to a range of numbers.

For example, suppose the following is defined in the exception policy:

number_group CREATE-MODES 0644
number_group CREATE-MODES 0664

The following can then be defined in domain policy:

file create /tmp/file @CREATE-MODES

path_group

This directive declares a group name that can be used in domain policy to refer to a range of pathnames.

For example, suppose the following is defined in the exception policy:

path_group HOME-DIR-FILE /home/\*/\*
path_group HOME-DIR-FILE /home/\*/\{\*\}/\*

The following can then be defined in domain policy:

file read @HOME-DIR-FILE

deny_autobind

This directive prevents a specific local port (or range of ports) from being selected automatically when a program binds without specifying a port.

For example, some proxy servers use local port 8080, so this port should not be handed out automatically to other programs for temporary use:

deny_autobind 1-1023
deny_autobind 8080
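The address_group, number_group and deny_autobind sections above describe how ranges are written but not how a reference such as @LOCAL-ADDRESS or a port is actually matched against them. The following Python script is an added example, not part of the Akari project or this page: it parses those three directives (plus path_group names, for reference checking) from a constructed exception policy built from the examples above and answers the questions an administrator reviewing a policy wants answered: does an address fall inside a group, does a mode fall inside a number group, is a port excluded from automatic binding, and does every @NAME in a domain policy line resolve to a defined group. The function names are this example's own; the number parsing (leading 0 is octal, 0x is hex, otherwise decimal) is an assumption about the policy language's conventions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample exception policy, assembled from the examples on this page.
SAMPLE_POLICY = r"""
address_group LOCAL-ADDRESS 10.0.0.0-10.255.255.255
address_group LOCAL-ADDRESS 172.16.0.0-172.31.255.255
address_group LOCAL-ADDRESS 192.168.0.0-192.168.255.255
number_group CREATE-MODES 0644
number_group CREATE-MODES 0664
path_group HOME-DIR-FILE /home/\*/\*
deny_autobind 1-1023
deny_autobind 8080
"""


def parse_number(text):
    """Parse a policy number: '0x..' hex, leading '0' octal, else decimal (assumed convention)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def parse_range(token, conv):
    """Turn 'lo-hi' or a single value into an inclusive (lo, hi) pair via conv()."""
    lo, sep, hi = token.partition("-")
    lo_v = conv(lo)
    hi_v = conv(hi) if sep else lo_v
    if hi_v < lo_v:
        raise ValueError(f"descending range: {token}")
    return lo_v, hi_v


def parse_exception_policy(text):
    """Collect group definitions and deny_autobind ranges from exception policy text.

    Returns (groups, deny_ranges). groups maps directive name -> group name -> entries.
    Directives this example does not model (aggregator, reset_domain, ...) are skipped.
    """
    groups = {"address_group": defaultdict(list),
              "number_group": defaultdict(list),
              "path_group": defaultdict(list)}
    deny_ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        directive = fields[0]
        if directive in groups:
            if len(fields) != 3:
                raise ValueError(f"line {lineno}: {directive} needs a name and one entry")
            name, entry = fields[1], fields[2]
            if directive == "address_group":
                groups[directive][name].append(parse_range(entry, ipaddress.ip_address))
            elif directive == "number_group":
                groups[directive][name].append(parse_range(entry, parse_number))
            else:  # path_group: keep the pattern verbatim; wildcard matching is not modelled here
                groups[directive][name].append(entry)
        elif directive == "deny_autobind":
            if len(fields) != 2:
                raise ValueError(f"line {lineno}: deny_autobind needs exactly one port or range")
            deny_ranges.append(parse_range(fields[1], parse_number))
    return groups, deny_ranges


def address_in_group(groups, name, address):
    """True if address lies in any range of the named address_group (same IP family only)."""
    addr = ipaddress.ip_address(address)
    return any(lo.version == addr.version and lo <= addr <= hi
               for lo, hi in groups["address_group"].get(name, []))


def number_in_group(groups, name, value):
    """True if value lies in any range of the named number_group."""
    return any(lo <= value <= hi for lo, hi in groups["number_group"].get(name, []))


def autobind_denied(deny_ranges, port):
    """True if the port may not be chosen automatically, per deny_autobind."""
    return any(lo <= port <= hi for lo, hi in deny_ranges)


def undefined_group_refs(groups, domain_line):
    """Return the @NAME references in a domain policy line that no group defines."""
    defined = {name for kind in groups.values() for name in kind}
    refs = [tok[1:] for tok in domain_line.split() if tok.startswith("@")]
    return [ref for ref in refs if ref not in defined]


if __name__ == "__main__":
    groups, deny = parse_exception_policy(SAMPLE_POLICY)
    print("192.168.1.10 in LOCAL-ADDRESS:", address_in_group(groups, "LOCAL-ADDRESS", "192.168.1.10"))
    print("0600 in CREATE-MODES:", number_in_group(groups, "CREATE-MODES", 0o600))
    print("port 8080 autobind denied:", autobind_denied(deny, 8080))
    print("unresolved refs:", undefined_group_refs(groups, "file read @HOME-DIR-FILE @NO-SUCH-GROUP"))
```

Because an address_group is defined by repeating the directive with the same name, the parser appends each line to a list rather than overwriting, which is exactly why @LOCAL-ADDRESS covers all three private ranges. The unresolved-reference check is the one worth running before loading a policy: a domain rule naming a group that is never defined grants nothing, and silently failing closed in that way is easy to misread as a working rule.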