RefpolicyInterfaces

From SELinux Wiki

Interfaces provide access to a module’s policy resources (i.e., to its privately declared types and attributes). All domains needing a particular access will use the same interface; therefore, the policy rules required for the access will be consistent across all users of the interface. Thus policy changes for access to a type require only a change in one place, rather than requiring changes to all the modules that use the type as is common in the sample policy.

For improved clarity, interfaces follow clear naming conventions. In particular, the module name, or its abbreviation, is prefixed to the interface name. This allows a policy writer to look at a policy and easily see where all of the interface calls are. In addition, consistent verbs are used to describe the access, such as read, write, and delete.

Each interface contains two parts, the dependencies and the access. The dependencies are contained in a gen_require() macro. This macro contains the statements that would be placed in a require block for loadable modules. It lists all of the types and attributes used by the interface. If an object class for a user space object manager is used, such as DBUS or NSCD, the object class and required permissions must also be listed.
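The two-part structure described above, shown as an added example that is not taken from the reference policy itself. It assumes a hypothetical module named myapp that declares the types myapp_t and myapp_conf_t; files_search_etc(), list_dir_perms and read_file_perms are existing refpolicy interfaces and permission sets.

```m4
## <summary>
##	Read myapp configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`myapp_read_config',`
	# Dependencies: the private types of the myapp module (hypothetical)
	# that this interface needs.
	gen_require(`
		type myapp_conf_t;
	')

	# Access: the caller ($1) may search /etc and read the config files.
	files_search_etc($1)
	allow $1 myapp_conf_t:dir list_dir_perms;
	allow $1 myapp_conf_t:file read_file_perms;
')

## <summary>
##	Send and receive messages from myapp over DBUS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`myapp_dbus_chat',`
	# DBUS is a user space object manager, so the object class and the
	# permission used must be listed alongside the types.
	gen_require(`
		type myapp_t;
		class dbus send_msg;
	')

	# Access: bidirectional message passing between the caller and myapp_t.
	allow $1 myapp_t:dbus send_msg;
	allow myapp_t $1:dbus send_msg;
')
```

A domain that needs the access calls the interface by name, e.g. myapp_read_config(httpd_t), so the rules for myapp_conf_t live in one place.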