Difference between revisions of "SIDStatements"
(→Security ID (SID) Statement: added a link for security context)
Latest revision as of 12:58, 28 January 2015
Security ID (SID) Statement
There are two SID statements. The first declares the SID identifier and appears at the start of a policy source file. The second associates an initial security context with a previously declared SID; the kernel uses these initial contexts when SELinux initialises and the policy has not yet been loaded, and as a default context should an object have an invalid label (the role of the unlabeled SID shown in the examples below).
sid
The sid statement declares the SID identifier and is defined at the start of a policy source file.
The statement definition is:
sid sid_id
Where:
sid | The sid keyword. |
sid_id | The sid identifier. |
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy |
Yes | Yes | No |
if Statement | optional Statement | require Statement |
No | No | No |
Example:
This example has been taken from the Reference Policy source ./policy/flask/initial_sids file.
sid kernel
sid security
sid unlabeled
sid fs
sid context
The sid context statement associates an initial security context with a previously declared SID.
sid sid_id context
Where:
sid | The sid keyword. |
sid_id | The previously declared sid identifier. |
context | The initial security context. |
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy |
Yes | Yes | No |
if Statement | optional Statement | require Statement |
No | No | No |
Examples:
# This is from a targeted policy:

sid unlabeled
...

sid unlabeled system_u:object_r:unlabeled_t
# This is from an MLS policy. Note that the security level is set
# to SystemHigh as it may need to label any object in the system.

sid unlabeled
...

sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255
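The following Python checker is an added example, not code from the SELinux Notebook, the Reference Policy or checkpolicy. It applies the rules stated for both statements on this page: a `sid sid_id` statement declares an identifier, a `sid sid_id context` statement may only name a previously declared identifier, and in an MLS policy the unlabeled context must carry SystemHigh because it may have to label any object. The sample policy texts, the function names, the rule that every declared SID must receive a context, and the choice of s15:c0.c255 as SystemHigh (the level used in the MLS example above) are this example's own assumptions.

```python
"""Checker for the two SID statements of an SELinux policy source.

Added example, not code from the SELinux Notebook, the Reference Policy or
checkpolicy.  The sample policy texts, the function names and the choice of
s15:c0.c255 as SystemHigh are this example's own assumptions.
"""
import re

# user:role:type with an optional trailing MLS level or range ("s0 - s15:c0.c255")
CONTEXT_RE = re.compile(
    r"^(?P<user>[\w.-]+):(?P<role>[\w.-]+):(?P<type>[\w.-]+)(?::(?P<level>.+))?$"
)


def parse_sid_statements(src):
    """Return (declared_ids, {sid_id: context}, errors) for the sid statements in src."""
    declared, contexts, errors = [], {}, []
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)                # 'sid', sid_id, [context, may contain spaces]
        if parts[0] != "sid" or len(parts) < 2:
            errors.append(f"line {lineno}: not a sid statement: {line!r}")
            continue
        sid_id = parts[1]
        if len(parts) == 2:                        # sid sid_id
            if sid_id in declared:
                errors.append(f"line {lineno}: sid {sid_id} declared twice")
            else:
                declared.append(sid_id)
        else:                                      # sid sid_id context
            if sid_id not in declared:
                errors.append(f"line {lineno}: context for undeclared sid {sid_id}")
            if sid_id in contexts:
                errors.append(f"line {lineno}: sid {sid_id} given a context twice")
            contexts[sid_id] = parts[2]
    return declared, contexts, errors


def check_initial_contexts(src, systemhigh="s15:c0.c255"):
    """Lint declarations and initial contexts together; returns a list of findings."""
    declared, contexts, errors = parse_sid_statements(src)
    for sid_id in declared:                        # this checker's rule: every SID needs a context
        if sid_id not in contexts:
            errors.append(f"sid {sid_id} declared but never given an initial context")
    levels = {}
    for sid_id, ctx in contexts.items():
        m = CONTEXT_RE.match(ctx)
        if not m:
            errors.append(f"sid {sid_id}: malformed context {ctx!r}")
            continue
        levels[sid_id] = m.group("level")          # None for a targeted (non-MLS) context
    with_level = [s for s, lvl in levels.items() if lvl]
    without = [s for s, lvl in levels.items() if not lvl]
    if with_level and without:
        errors.append(f"mixed MLS and non-MLS contexts: {sorted(without)} lack a level")
    # unlabeled is the fallback label for any object, so in an MLS policy its high
    # level must be SystemHigh; for a "low - high" range only the high end matters.
    if with_level and levels.get("unlabeled"):
        high = levels["unlabeled"].split("-")[-1].strip()
        if high != systemhigh:
            errors.append(f"sid unlabeled: high level {high!r} is not SystemHigh {systemhigh!r}")
    return errors


# Constructed sample: declarations in the shape of initial_sids, then targeted contexts.
TARGETED_SRC = """\
sid kernel
sid security
sid unlabeled
sid fs

sid kernel     system_u:system_r:kernel_t
sid security   system_u:object_r:security_t
sid unlabeled  system_u:object_r:unlabeled_t
sid fs         system_u:object_r:fs_t
"""

# Constructed sample with three mistakes: fs never gets a context, devnull was never
# declared, and unlabeled carries only s0 instead of SystemHigh.
MLS_SRC = """\
# MLS initial contexts (constructed, deliberately wrong)
sid kernel
sid security
sid unlabeled
sid fs

sid kernel     system_u:system_r:kernel_t:s0 - s15:c0.c255
sid security   system_u:object_r:security_t:s15:c0.c255
sid unlabeled  system_u:object_r:unlabeled_t:s0
sid devnull    system_u:object_r:null_device_t:s0
"""

if __name__ == "__main__":
    for name, src in (("targeted", TARGETED_SRC), ("mls", MLS_SRC)):
        print(name, check_initial_contexts(src) or ["ok"])
```

Run stand-alone, the targeted sample passes and the MLS sample reports the undeclared devnull SID, the fs SID with no context, and the unlabeled SID whose high level is s0 rather than SystemHigh. The checker reads only the two statement forms described on this page; the policy compiler remains the authority on whether a complete source is valid.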