Difference between revisions of "ObjectClassStatements"
(New page: = Object Class and Permission Statements = For those who write or manager SELinux policy, there is no need to define new objects and their associated permissions as these would be done by ...) |
(No difference)
|
Revision as of 14:38, 30 November 2009
Contents
Object Class and Permission Statements
For those who write or manager SELinux policy, there is no need to define new objects and their associated permissions as these would be done by those who actually design and/or write object managers.
Object Classes
A list of object classes used by Fedora can be found in the Reference Policy source in the ./policy/flask/security_classes file.
Object classes are defined within a policy as follows:
The statement definition is:
class class_id
Where:
class | The class keyword. |
class_id | The class identifier. |
The statement is valid in:
Example:
# Define the PostgreSQL db_tuple object class # class db_tuple
Permissions
A list of permissions can be found in the Reference Policy source in the ./policy/flask/access_vectors file.
Permissions can be defined within policy in two ways:
- Define class specific permissions. This is where permissions are declared for a specific object class only (i.e. the permission is not inherited by any other object class).
- Define a set of common permissions that can then be inherited by one or more object classes. The statement for creating a set of common permissions is shown in the Defining common Permissions section.
The permission (or AVC) statement definition is:
class class_id [ inherits common_set ] [ { perm_set } ]
Where:
class | The class keyword. |
class_id | The previously declared class identifier. |
inherits | The optional inherits keyword that allows a set of common permissions to be inherited. |
common_set | A previously declared common identifier as described in the Defining common Permissions section. |
perm_set | One or more optional permission identifiers in a space separated list enclosed within braces ({}). |
Note:
- There must be at least one common_set or one perm_set defined within the statement.
The statement is valid in:
Examples:
# The following example shows the db_tuple object class being # allocated two permissions: class db_tuple { relabelfrom relabelto }
# The following example shows the db_blob object class inheriting # permissions from the database set of common permissions: class db_blob inherits database
# The following example (from the access_vector file) shows the # db_blob object class inheriting permissions from the database # set of common permissions and adding a further four # permissions: class db_blob inherits database { read write import export }
Defining common Permissions
A list of common permissions can be found in the Reference Policy source in the ./policy/flask/access_vectors file.
New or updated common permissions would only be updated by those who produce kernel or user space object managers.
The statement definition is:
common common_id { perm_set }
Where:
common | The common keyword. |
common_id | The common identifier. |
perm_set | One or more permission identifiers in a space separated list enclosed within braces ({}). |
The statement is valid in:
Example:
# Define the common PostgreSQL permissions # common database { create drop getattr setattr relabelfrom relabelto }