http://selinuxproject.org/w/?title=NB_PolicyType&feed=atom&action=history NB PolicyType - Revision history 2024-03-19T08:59:22Z Revision history for this page on the wiki MediaWiki 1.23.13 http://selinuxproject.org/w/?title=NB_PolicyType&diff=1795&oldid=prev RichardHaines: /* Policy Versions */ 2015-09-25T13:51:51Z <p>‎<span dir="auto"><span class="autocomment">Policy Versions</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 13:51, 25 September 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 162:</td> <td colspan="2" class="diff-lineno">Line 162:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;22&lt;/center&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;22&lt;/center&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;7&lt;/center&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;7&lt;/center&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>| Added [[<del class="diffchange diffchange-inline">KernelPolicyLanguage</del>#policycap | policy capabilities]] that allows various kernel options to be enabled as described in the [[NB_LSM#SELinux Filesystem | SELinux Filesystem]] section.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>| Added [[<ins class="diffchange diffchange-inline">Policy_Configuration_Statements</ins>#policycap | policy capabilities]] that allows various kernel options to be enabled as described in the [[NB_LSM#SELinux Filesystem | SELinux Filesystem]] section.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; 
border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=NB_PolicyType&diff=1794&oldid=prev RichardHaines: /* Optional Policy */ 2015-09-25T13:49:54Z <p>‎<span dir="auto"><span class="autocomment">Optional Policy</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 13:49, 25 September 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 74:</td> <td colspan="2" class="diff-lineno">Line 74:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Optional Policy ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== 
Optional Policy ==</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The loadable module policy infrastructure supports an [[<del class="diffchange diffchange-inline">KernelPolicyLanguage</del>#optional | optional policy statement]] that allows policy rules to be defined but only enabled in the binary policy once the conditions have been satisfied. &#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The loadable module policy infrastructure supports an [[<ins class="diffchange diffchange-inline">PolicyStatements</ins>#optional | optional policy statement]] that allows policy rules to be defined but only enabled in the binary policy once the conditions have been satisfied.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Conditional Policy ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: 
solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Conditional Policy ==</div></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=NB_PolicyType&diff=1793&oldid=prev RichardHaines: /* Loadable Module Policy */ 2015-09-25T13:47:36Z <p>‎<span dir="auto"><span class="autocomment">Loadable Module Policy</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 13:47, 25 September 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 69:</td> <td colspan="2" class="diff-lineno">Line 69:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Utilities to manage the modules and associated configuration files within the 'policy store'.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Utilities to manage the modules and associated configuration files within the 'policy store'.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td 
style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/2-high-level-arch.png High Level SELinux Architecture] diagram shows these components along the top of the diagram. The files contained in the policy store are detailed in the [[PolicyStoreConfigurationFiles | Policy Store Configuration Files]] section.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The [http://selinuxproject.org/~rhaines/NB4-diagrams/2-high-level-arch.png High Level SELinux Architecture] diagram shows these components along the top of the diagram. 
The files contained in the policy store are detailed in the [[PolicyStoreConfigurationFiles | Policy Store Configuration Files]] section.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The policy language was extended to handle loadable modules as detailed in the [[<del class="diffchange diffchange-inline">KernelPolicyLanguage#Policy_Support_Statements </del>| Policy Support Statements]] section. For a detailed overview on how the modular policy is built into the final binary policy for loading into the kernel, see &quot;[http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/ SELinux Policy Module Primer].</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The policy language was extended to handle loadable modules as detailed in the [[<ins class="diffchange diffchange-inline">PolicyStatements </ins>| <ins class="diffchange diffchange-inline">Modular </ins>Policy Support Statements]] section. 
For a detailed overview on how the modular policy is built into the final binary policy for loading into the kernel, see &quot;[http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/ SELinux Policy Module Primer].</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Optional Policy ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Optional Policy ==</div></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=NB_PolicyType&diff=1775&oldid=prev RichardHaines at 11:07, 21 July 2015 2015-07-21T11:07:00Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 11:07, 21 July 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 10:</td> <td colspan="2" 
class="diff-lineno">Line 10:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Binary policy (or kernel policy) - These can be described as [[#Policy_Versions | Monolithic, Kernel Policy or Binary file]].</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Binary policy (or kernel policy) - These can be described as [[#Policy_Versions | Monolithic, Kernel Policy or Binary file]].</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Classification can also be on the '[[#Policy_Versions | policy version]]' used (examples are version 27, 28 and 29).</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Classification can also be on the '[[#Policy_Versions | policy version]]' used (examples are version 27, 28 and 29).</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"># Policy can also be generated depending on the target platform of either&#160; 'selinux' 
(the default) or 'xen' (see the SELinux policy generation tools &lt;tt&gt;'''checkpolicy'''(8)&lt;/tt&gt; and &lt;tt&gt;'''secilc'''(8)&lt;/tt&gt;&#160; &lt;tt&gt;target_platform&lt;/tt&gt; option).</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>As can be seen the description of a policy can vary depending on the context.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>As can be seen the description of a policy can vary depending on the context.</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 205:</td> <td colspan="2" class="diff-lineno">Line 206:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;17&lt;/center&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;17&lt;/center&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| Support attribute names within constraints. This allows attributes as well as the types to be retrieved from a kernel policy to assist &lt;tt&gt;'''audit2allow'''(8)&lt;/tt&gt; etc. to determine what attribute needs to be updated. Note that the attribute does not determine the constraint outcome, it is still the list of types associated to the constraint. Requires kernel 3.14 minimum.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| Support attribute names within constraints. This allows attributes as well as the types to be retrieved from a kernel policy to assist &lt;tt&gt;'''audit2allow'''(8)&lt;/tt&gt; etc. to determine what attribute needs to be updated. Note that the attribute does not determine the constraint outcome, it is still the list of types associated to the constraint. 
Requires kernel 3.14 minimum.</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">|-</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">| &lt;center&gt;30&lt;/center&gt;</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">|</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">| There are two version 30 enhancements that depend on the policy being built:</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; 
vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"># For the 'selinux' target platform adds new 'xperm' rules and extends the permission sets as explained in the [[XpermRules | Extended Permission Access Vector Rules]] section. This is to support 'ioctl whitelisting' as explained in the [[XpermRules#ioctl_Operation_Rules | ioctl Operation Rules]] section.</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"># For the 'xen' target platform support the &lt;tt&gt;devicetreecon&lt;/tt&gt; statement and also expand the existing I/O memory range to 64 bits as explained in the [[XENStatements | XEN Statements]] section.</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: 
pre-wrap;"><div>|}</div></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=NB_PolicyType&diff=1694&oldid=prev RichardHaines at 12:14, 6 December 2014 2014-12-06T12:14:42Z <p></p> <a href="http://selinuxproject.org/w/?title=NB_PolicyType&amp;diff=1694&amp;oldid=1360">Show changes</a> RichardHaines http://selinuxproject.org/w/?title=NB_PolicyType&diff=1360&oldid=prev RichardHaines at 12:20, 3 April 2013 2013-04-03T12:20:20Z <p></p> <a href="http://selinuxproject.org/w/?title=NB_PolicyType&amp;diff=1360&amp;oldid=1034">Show changes</a> RichardHaines http://selinuxproject.org/w/?title=NB_PolicyType&diff=1034&oldid=prev Jaxelson at 20:48, 13 September 2010 2010-09-13T20:48:53Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 20:48, 13 September 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 196:</td> <td colspan="2" class="diff-lineno">Line 196:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; 
vertical-align: top; white-space: pre-wrap;"><div>&lt;references/&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;references/&gt;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:Notebook]]</ins></div></td></tr> </table> Jaxelson http://selinuxproject.org/w/?title=NB_PolicyType&diff=948&oldid=prev RichardHaines: New page: = Types of SELinux Policy = This section describes the different type of policy descriptions and versions that can be found within SELinux. The types of SELinux policy can described in a ... 2010-05-16T14:57:36Z <p>New page: = Types of SELinux Policy = This section describes the different type of policy descriptions and versions that can be found within SELinux. 
The types of SELinux policy can described in a ...</p> <p><b>New page</b></p><div>= Types of SELinux Policy =<br /> This section describes the different type of policy descriptions and versions that can be found within SELinux.<br /> <br /> The types of SELinux policy can described in a number of ways:<br /> <br /> # Source code - These can be described as: Example, Reference Policy or Custom.<br /> # The source code descriptions or builds can also be sub-classified as: Monolithic, Base Module or Loadable Module.<br /> # Policies can also be described by the type of policy functionality they provide such as: targeted, mls, mcs, standard, strict or minimum.<br /> # Classified using language statements - These can be described as Modular, Optional or Conditional.<br /> # Binary policy (or kernel policy) - These can be described as Monolithic, Kernel Policy or Binary file.<br /> # Classification can also be on the &quot;policy version&quot; used (examples are version 22, 23 and 24).<br /> <br /> As can be seen the description of a policy can vary depending on the context.<br /> <br /> == Example Policy ==<br /> The Example policy is the name used to describe the original SELinux policy source used to build a monolithic&lt;ref name=&quot;ftn14&quot;&gt;&lt;sup&gt;The term &quot;monolithic&quot; generally means a single policy source is used to create the binary policy file that is then loaded as the &quot;policy&quot; using the &lt;tt&gt;checkpolicy(8)&lt;/tt&gt; command. 
However the term is sometimes used to refer to the binary policy file (as it is one file that describes the policy).&lt;/sup&gt;&lt;/ref&gt; policy produced by the NSA and is now superseded by the Reference Policy.<br /> <br /> == Reference Policy ==<br /> Note that this section only gives an introduction to the reference policy, the installation, configuration and building of a policy using the source code is contained in the Reference Policy.<br /> <br /> The Reference Policy is now the standard policy source used to build SELinux policies, and its main aim is to provide a single source tree with supporting documentation that can be used to build policies for different purposes such as: confining important daemons, supporting MLS / MCS and locking down systems so that all processes are under SELinux control. <br /> <br /> The Reference Policy is now used by all major distributions of SELinux, however each distribution makes its own specific changes to support their &quot;version of the Reference Policy&quot;. For example, the F-12 distribution is based on a specific build of the standard Reference Policy that is then modified and distributed by Red Hat as an RPM. The release numbers will vary however this Notebook uses:<br /> <br /> &lt;tt&gt;'''selinux-policy-3.6.32-103.fc12.src.rpm'''&lt;/tt&gt;<br /> <br /> For information, the policy RPMs installed on the authors test machine for F-12 are as follows:<br /> &lt;pre&gt;<br /> selinux-policy-3.6.32-103.fc12.noarch<br /> selinux-policy-doc-3.6.32-103.fc12.noarch<br /> selinux-policy-minimum-3.6.32-103.fc12.noarch<br /> selinux-policy-mls-3.6.32-103.fc12.noarch<br /> selinux-policy-targeted-3.6.32-103.fc12.noarch<br /> &lt;/pre&gt;<br /> <br /> === Policy Functionality Based on Name or Type ===<br /> Generally a policy is installed with a given name such as targeted, mls, refpolicy or minimum that attempts to describes its functionality. 
This name then normally becomes the entry in: <br /> <br /> # The directory pointing to the policy location (e.g. if the name is &lt;tt&gt;targeted&lt;/tt&gt;, then the policy will be installed in &lt;tt&gt;/etc/selinux/targeted&lt;/tt&gt;).<br /> # The &lt;tt&gt;SELINUXTYPE&lt;/tt&gt; entry in the &lt;tt&gt;/etc/selinux/config&lt;/tt&gt; file when it is the active policy (e.g. if the name is &lt;tt&gt;targeted&lt;/tt&gt;, then a &lt;tt&gt;SELINUXTYPE=targeted&lt;/tt&gt; entry would be in the &lt;tt&gt;/etc/selinux/config&lt;/tt&gt; file).<br /> <br /> This is how the reference policies distributed with F-12 are named, where:<br /> <br /> : &lt;tt&gt;minimum&lt;/tt&gt; - supports a minimal set of confined daemons within their own domains. The remainder run in the unconfined_t space. Red Hat pre-configure MCS support within this policy.<br /> <br /> : &lt;tt&gt;targeted&lt;/tt&gt; - supports a greater number of confined daemons and can also confine other areas and users (this targeted version also supports the older &quot;strict&quot; version). 
Red Hat pre-configures MCS support within this policy.<br /> <br /> : &lt;tt&gt;mls&lt;/tt&gt; - supports server-based MLS systems.<br /> <br /> The Reference Policy also has a &lt;tt&gt;TYPE&lt;/tt&gt; description that describes the type of policy being built by the build process; these are:<br /> <br /> : &lt;tt&gt;standard&lt;/tt&gt; - supports confined daemons and can also confine other areas and users (this is an amalgamated version of the older &quot;targeted&quot; and &quot;strict&quot; versions).<br /> <br /> : &lt;tt&gt;mcs&lt;/tt&gt; - as standard, but supports MCS labels.<br /> <br /> : &lt;tt&gt;mls&lt;/tt&gt; - supports MLS labels as discussed in the [[NB_MLS | Multi-Level Security and Multi-Category Security]] section.<br /> <br /> The &lt;tt&gt;NAME&lt;/tt&gt; and &lt;tt&gt;TYPE&lt;/tt&gt; entries are defined in the reference policy &lt;tt&gt;build.conf&lt;/tt&gt; file that is described in the [[NB_RefPolicy | Reference Policy Support]] section. <br /> <br /> == Custom Policy ==<br /> This generally refers to a policy source that is either:<br /> <br /> # A customised version of the Example policy.<br /> # A customised version of the Reference Policy (i.e. not the standard distribution version).<br /> # A policy that has been built using the language statements to build a specific policy, such as those shown in the Building a Basic Policy section of volume 2.<br /> <br /> == Monolithic Policy ==<br /> A Monolithic policy is an SELinux policy that is compiled from one source file called &lt;tt&gt;policy.conf&lt;/tt&gt; (i.e. it does not use the Loadable Module Policy statements and infrastructure, which makes it suitable for embedded systems as there is no policy store overhead). <br /> <br /> An example monolithic policy is the NSA's original Example Policy. A simple monolithic policy is shown in Volume 2.<br /> <br /> Monolithic policies are compiled using the &lt;tt&gt;checkpolicy(8)&lt;/tt&gt; SELinux command. 
<br /> <br /> The Reference Policy supports the building of monolithic policies.<br /> <br /> In some cases the policy binary file is also called a monolithic policy.<br /> <br /> == Loadable Module Policy ==<br /> The loadable module infrastructure allows policy to be managed on a modular basis, in that there is a base policy module that contains all the core components of the policy (i.e. the policy that should always be present), and zero or more modules that can be loaded and unloaded as required (for example, if there is a module to enforce policy for ftp, but ftp is not used, then that module could be unloaded).<br /> <br /> There are a number of components that form the infrastructure:<br /> <br /> # Policy source code that is constructed for a modular policy with a base module and optional loadable modules.<br /> # Utilities to compile and link modules and place them into a &quot;policy store&quot;.<br /> # Utilities to manage the modules and associated configuration files within the &quot;policy store&quot;.<br /> <br /> The [http://taiga.selinuxproject.org/~rhaines/diagrams/2-high-level-arch.png High Level SELinux Architecture] diagram shows these components along the top of the diagram. The files contained in the policy store are detailed in the [[PolicyStoreConfigurationFiles | Policy Store Configuration Files]] section.<br /> <br /> The policy language was extended to handle loadable modules as detailed in the [[PolicyStatements | Policy Support Statements]] section. 
For a detailed overview of how the modular policy is built into the final binary policy for loading into the kernel, see the &quot;[http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/ SELinux Policy Module Primer]&quot;.<br /> <br /> === Optional Policy ===<br /> The loadable module policy infrastructure supports an &lt;tt&gt;optional&lt;/tt&gt; policy statement that allows policy rules to be defined but only enabled in the binary policy once the conditions have been satisfied. The example loadable modules shown in the Building a Basic Policy section of volume 2 use this feature.<br /> <br /> == Conditional Policy ==<br /> Conditional policies can be implemented in monolithic or loadable module policies and allow policy to be enabled or not depending on the state of a boolean flag. This is often used to enable or disable features within the policy (i.e. change the policy enforcement rules).<br /> <br /> The boolean flag status is held in the kernel and can be changed using the &lt;tt&gt;setsebool(8)&lt;/tt&gt; command either persistently across system re-boots or temporarily (i.e. only valid until a re-boot). The following example shows a persistent conditional policy change:<br /> &lt;pre&gt;<br /> setsebool -P ext_gateway_audit=false<br /> &lt;/pre&gt;<br /> <br /> The conditional policy language statements are the [[ConditionalStatements | bool]] Statement, which defines the boolean flag identifier and its initial status, and the [[ConditionalStatements | if]] Statement, which allows certain rules to be executed depending on the state of the boolean value or values.<br /> <br /> == Binary Policy ==<br /> The binary policy is the policy file that is loaded into the kernel and is always located at /etc/selinux/&lt;policy_name&gt;/policy and is called policy.&lt;version&gt;. 
Here, &lt;policy_name&gt; is the policy name specified in the SELinux configuration file &lt;tt&gt;/etc/selinux/config&lt;/tt&gt; and &lt;version&gt; is the SELinux policy version supported by the kernel and SELinux tools.<br /> <br /> The binary policy can be built from source files supplied by the Example Policy, the Reference Policy or custom built source files as described in the Building a Basic Policy section of volume 2.<br /> <br /> An example /etc/selinux/config file is shown below, where the &lt;tt&gt;'''SELINUXTYPE=targeted'''&lt;/tt&gt; entry identifies the &lt;tt&gt;&lt;nowiki&gt;&lt;policy_name&gt;&lt;/nowiki&gt;&lt;/tt&gt; that will be used to locate and load the active policy:<br /> &lt;pre&gt;<br /> SELINUX=permissive<br /> SELINUXTYPE=targeted<br /> &lt;/pre&gt;<br /> <br /> From the above example, the actual binary policy file would be located at &lt;tt&gt;/etc/selinux/targeted/policy&lt;/tt&gt; and be called policy.24 (as version 24 is supported by F-12):<br /> &lt;pre&gt;<br /> /etc/selinux/targeted/policy/policy.24<br /> &lt;/pre&gt;<br /> <br /> == Policy Versions ==<br /> SELinux has a policy database (built by the &lt;tt&gt;libsepol&lt;/tt&gt; library) that describes the format of data held within a binary policy; however, if any new features are added to SELinux (generally language extensions), this can result in a change to the policy database. Whenever the policy database is updated, the policy version is incremented. <br /> <br /> The &lt;tt&gt;sestatus(8)&lt;/tt&gt; command will show the current policy version number in its output as follows:<br /> &lt;pre&gt;<br /> SELinux status: enabled<br /> SELinuxfs mount: /selinux<br /> Current mode: enforcing<br /> Mode from config file: permissive<br /> Policy version: 24<br /> Policy from config file: modular-test<br /> &lt;/pre&gt;<br /> <br /> The F-12 policy version is &quot;24&quot; with Table 3 describing the different versions. 
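As an added example (not part of the Notebook page), the POSIX shell functions below put the Binary Policy and Policy Versions sections together: they read the SELINUXTYPE entry from the configuration file, take the kernel's supported policy version, and resolve the policy.&lt;version&gt; file that would be loaded, falling back to the highest older version present in the policy directory (a kernel can load a policy built for an earlier database version). The root-prefix parameter and the constructed /etc/selinux tree are assumptions so the logic can be run offline; on a live system the kernel version is assumed to come from /sys/fs/selinux/policyvers (F-12 mounted selinuxfs at /selinux instead).

```shell
# Added example, not from the Notebook page or the SELinux project.
# binary_policy_path ROOT CONFIG_FILE POLICYVERS_FILE
#   ROOT            prefix for the filesystem tree ("" on a live system)
#   CONFIG_FILE     an /etc/selinux/config file (SELINUXTYPE=<policy_name>)
#   POLICYVERS_FILE file holding the kernel's policy version, normally
#                   /sys/fs/selinux/policyvers (assumed; F-12 used /selinux)

# policy_name CONFIG_FILE: print the SELINUXTYPE value, ignoring comments
# and surrounding whitespace; the last assignment wins, as in the config file.
policy_name() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# kernel_policyvers POLICYVERS_FILE: highest policy db version the kernel loads
kernel_policyvers() {
    tr -d '[:space:]' < "$1"
}

# Print the policy.<version> file under ROOT/etc/selinux/<policy_name>/policy
# that matches the kernel's version, or the highest older one that exists.
# Returns 1 when no loadable policy file is present (e.g. the policy package
# for the configured name was never installed); returns 2 on bad inputs.
binary_policy_path() {
    root=$1
    name=$(policy_name "$2")
    kvers=$(kernel_policyvers "$3")
    [ -n "$name" ] && [ -n "$kvers" ] || return 2
    dir="$root/etc/selinux/$name/policy"
    vers=$kvers
    while [ "$vers" -ge 15 ]; do      # 15 is the base version in the table
        if [ -f "$dir/policy.$vers" ]; then
            printf '%s\n' "$dir/policy.$vers"
            return 0
        fi
        vers=$((vers - 1))
    done
    return 1
}
```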
There is also another version that applies to the modular policy; however, the main policy database version is the one that is generally quoted (some SELinux utilities, e.g. apol, give both version numbers).<br /> <br /> {| border=&quot;1&quot;<br /> | '''''policy db Version'''''<br /> | '''''modular db Version'''''<br /> | '''''Description'''''<br /> <br /> |-<br /> | &lt;center&gt;15&lt;/center&gt;<br /> | &lt;center&gt;4&lt;/center&gt;<br /> | The base version when SELinux was merged into the kernel.<br /> <br /> |-<br /> | &lt;center&gt;16&lt;/center&gt;<br /> | &lt;center&gt;-&lt;/center&gt;<br /> | Added Conditional Policy support (the bool feature).<br /> <br /> |-<br /> | &lt;center&gt;17&lt;/center&gt;<br /> | &lt;center&gt;-&lt;/center&gt;<br /> | Added support for IPv6.<br /> <br /> |-<br /> | &lt;center&gt;18&lt;/center&gt;<br /> | &lt;center&gt;-&lt;/center&gt;<br /> | Added Netlink support.<br /> <br /> |-<br /> | &lt;center&gt;19&lt;/center&gt;<br /> | &lt;center&gt;5&lt;/center&gt;<br /> | Added MLS support, plus the validatetrans Statement.<br /> <br /> |-<br /> | &lt;center&gt;20&lt;/center&gt;<br /> | &lt;center&gt;-&lt;/center&gt;<br /> | Reduced the size of the access vector table.<br /> <br /> |-<br /> | &lt;center&gt;21&lt;/center&gt;<br /> | &lt;center&gt;6&lt;/center&gt;<br /> | Added support for the MLS range_transition Statement.<br /> <br /> |-<br /> | &lt;center&gt;22&lt;/center&gt;<br /> | &lt;center&gt;7&lt;/center&gt;<br /> | Added policy capabilities. Allows various kernel options to be enabled as described in the [[NB_LSM | SELinux Filesystem]] section.<br /> <br /> |-<br /> | &lt;center&gt;23&lt;/center&gt;<br /> | &lt;center&gt;8&lt;/center&gt;<br /> | Added support for the permissive Statement. 
This allows a module to run in permissive mode while the others are still confined (instead of the all-or-nothing setting given by the &lt;tt&gt;SELINUX&lt;/tt&gt; entry in the /etc/selinux/config file).<br /> <br /> |-<br /> | &lt;center&gt;24&lt;/center&gt;<br /> | &lt;center&gt;9 / 10&lt;/center&gt;<br /> | Added support for the &lt;tt&gt;typebounds&lt;/tt&gt; Statement. This was added to support a hierarchical relationship between two domains in multi-threaded web servers as described in &quot;[http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf A secure web application platform powered by SELinux]&quot;.<br /> <br /> |}<br /> ''Table 1: Policy version descriptions ''<br /> <br /> ----<br /> &lt;references/&gt;</div> RichardHaines