Defining common helper domains
Next to the common resources, some applications share the same set of helper commands. The sendmail command is a good example: it is executed by a large set of domains (usually applications that need to send e-mails without using the SMTP protocol themselves). The sendmail application is well understood, and most MTA applications support it for command-line e-mail sending operations.
Supporting such helper domains is usually done through a functionality-driven policy.
How to do it…
Creating helper domains is similar to creating regular application domains, but the use of attributes keeps the policy flexible and usable by the application-specific policy modules developed later. Let's look at the MTA definition as an example of how this can be accomplished:
Define an attribute for the command type:
attribute mta_exec_type;
Create a proper label type for the command, and assign it the mta_exec_type attribute:
type sendmail_exec_t, mta_exec_type...