RefpolicyInterfaces

From SELinux Wiki

Revision as of 16:05, 13 October 2009 (edit)
ChrisPeBenito (Talk | contribs)
(New page: Interfaces provide access to a module’s policy resources (i.e., to its privately declared types and attributes). All domains needing a particular access will use the same interface; ther...)
← Previous diff
Current revision (14:14, 29 October 2009) (edit) (undo)
ChrisPeBenito (Talk | contribs)

 
Line 6: Line 6:
policy changes for access to a type require only a policy changes for access to a type require only a
change in one place, rather than requiring changes to all change in one place, rather than requiring changes to all
-the modules that use the type as is common in the sam-+the modules that use the type as is common in the sample policy.
-ple policy.+
For improved clarity, interfaces follow clear naming For improved clarity, interfaces follow clear naming
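Review bot: The only change in this revision is the rejoining of the hyphenated "sam-" / "ple" across the original line break into "sample policy", so the sentence now reads "as is common in the sample policy." with no change in meaning; the surrounding context lines ("policy changes for access to a type require only a", "For improved clarity, interfaces follow clear naming") are untouched.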

Current revision

Interfaces provide access to a module’s policy resources (i.e., to its privately declared types and attributes). All domains needing a particular access will use the same interface; therefore, the policy rules required for the access will be consistent across all users of the interface. Thus policy changes for access to a type require only a change in one place, rather than requiring changes to all the modules that use the type as is common in the sample policy.

For improved clarity, interfaces follow clear naming conventions. In particular, the module name, or its abbreviation, is prefixed to the interface name. This allows a policy writer to look at a policy and easily see where all of the interface calls are. In addition, consistent verbs are used to describe the access, such as read, write, and delete.

Each interface contains two parts, the dependencies and the access. The dependencies are contained in a gen_require() macro. This macro contains the statements that would be placed in a require block for loadable modules. It lists all of the types and attributes used by the interface. If an object class for a user space object manager is used, such as DBUS or NSCD, the object class and required permissions must also be listed.
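The following is an added example of what such an interface file looks like, written here to illustrate the naming convention and the two-part (dependencies, access) structure described above; it is not code from the SELinux Wiki or from the reference policy itself. The module name `example`, the types `example_t` and `example_conf_t`, and the interface names are hypothetical. The permission-set macros `list_dir_perms` and `read_file_perms` and the `gen_require()` macro are the reference policy's own.

```m4
## <summary>Interfaces for the hypothetical "example" daemon module (example.if).</summary>

########################################
## <summary>
##	Read the example daemon's configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`example_read_config',`
	# Part 1, dependencies: the module-private types this interface
	# needs. For a loadable module this becomes the require block.
	gen_require(`
		type example_conf_t;
	')

	# Part 2, access: the rules granted to the calling domain ($1).
	# list_dir_perms and read_file_perms are refpolicy permission sets.
	allow $1 example_conf_t:dir list_dir_perms;
	allow $1 example_conf_t:file read_file_perms;
')

########################################
## <summary>
##	Send DBUS messages to the example daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`example_dbus_send',`
	# A user space object manager class (here dbus) is used, so the
	# class and the permissions it needs must be listed as well.
	gen_require(`
		type example_t;
		class dbus send_msg;
	')

	allow $1 example_t:dbus send_msg;
')
```

A module that needs this access calls the interface from its own .te file, for instance `example_read_config(httpd_t)`; if the files' type is later renamed or split, only the interface body changes, not every caller.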
