SIDStatements

From SELinux Wiki

Revision history: created 14:52, 30 November 2009 by RichardHaines; current revision 22:25, 10 September 2010 by Jaxelson (added a link for security context).
Security ID (SID) Statement

There are two SID statements. The first declares the SID identifier and is placed at the start of a policy source file. The second assigns an initial security context to a declared SID; that context is used when SELinux initialises, or as the default when an object is not labeled correctly. The Building a Basic Policy section shows their usage.

sid Statement

The sid statement declares the actual SID identifier and is defined at the start of a policy source file.

The statement definition is:

sid sid_id

Where:

sid The sid keyword.
sid_id The sid identifier. Note that there is no terminating ';'.


The statement is valid in:

Monolithic Policy                  Base Policy         Module Policy
Yes                                Yes                 No

Conditional Policy (if) Statement  optional Statement  require Statement
No                                 No                  No


Example: This example has been taken from the Reference Policy source ../policy/flask/initial_sids file.

# This example was taken from the
# ./policy/flask/initial_sids file and declares some 
# of the initial SIDs:
#

sid kernel
sid security
sid unlabeled
sid fs

sid context Statement

The sid context statement adds an initial security context to a previously declared SID. The context is used when SELinux initialises, or as a default if an object is not labeled correctly (the unlabeled SID in the examples below). Because the context names a user, role and type, these statements appear in the policy after those identifiers have been declared, not at the start of the source file with the sid declarations.

The statement definition is:

sid sid_id context

Where:

sid The sid keyword.
sid_id The previously declared sid identifier.
context The initial security context associated with the SID. Note that there is no terminating ';'.


The statement is valid in:

Monolithic Policy                  Base Policy         Module Policy
Yes                                Yes                 No

Conditional Policy (if) Statement  optional Statement  require Statement
No                                 No                  No


Examples:

# These statements add an initial security context to an object 
# that is used when SELinux initialises or as a default if a
# context is not available or labeled incorrectly. 
#
# This one is from a targeted policy:

sid unlabeled system_u:object_r:unlabeled_t

# This one is from an MLS policy. Note that the security level is
# set to SystemHigh as it may need to label any object in the
# system.

sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255 
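The two statement forms above are easy to get wrong by hand (a stray ';', a context for a SID that was never declared, two contexts for one SID, or a level in a policy that has no MLS). The following linter is an added example and is not code from the SELinux project or the Reference Policy: it parses both forms of the sid statement as this page defines them, splits each context into user, role, type and optional MLS range, and reports the inconsistencies a policy author would want caught before the policy is compiled. The sample policy fragments are constructed here to mirror the examples on this page; the extra rule that every declared SID must receive a context is this script's own.

```python
"""Linter for the two SELinux initial-SID statement forms:

    sid sid_id            -- declares the SID (start of the policy source)
    sid sid_id context    -- gives a declared SID its initial security context

Neither form has a terminating ';'. Added example, not code from the SELinux
project or the Reference Policy; it enforces the rules stated on this page
plus an extra check that every declared SID is given a context.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Policy identifier: letter or underscore, then letters, digits, '_', '-', '.'.
_ID = r"[A-Za-z_][A-Za-z0-9_.-]*"
# user:role:type with an optional trailing MLS range (s15:c0.c255, s0-s15:c0.c1023).
_CONTEXT_RE = re.compile(rf"^({_ID}):({_ID}):({_ID})(?::(\S+))?$")


@dataclass
class SidContext:
    sid: str
    user: str
    role: str
    type: str
    mls_range: str | None  # None in a non-MLS (e.g. targeted) policy


@dataclass
class LintResult:
    declared: list[str] = field(default_factory=list)
    contexts: dict[str, SidContext] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_initial_sids(policy_text: str, mls: bool = False) -> LintResult:
    """Check sid declarations and sid context statements together.

    mls=True requires a level/range on every context; mls=False rejects one.
    """
    res = LintResult()
    seen_context = False
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith(";"):
            res.errors.append(f"line {lineno}: sid statements take no terminating ';'")
            line = line[:-1].rstrip()
        tokens = line.split()
        if tokens[0] != "sid":
            res.errors.append(f"line {lineno}: not a sid statement: {raw.strip()!r}")
        elif len(tokens) == 2:  # declaration form
            sid = tokens[1]
            if sid in res.declared:
                res.errors.append(f"line {lineno}: duplicate initial SID {sid!r}")
            elif seen_context:
                res.errors.append(f"line {lineno}: SID {sid!r} declared after context statements")
            else:
                res.declared.append(sid)
        else:  # context form; join so an MLS range written 's0 - s15:c0.c1023' still parses
            seen_context = True
            sid, ctx = tokens[1], "".join(tokens[2:])
            if sid not in res.declared:
                res.errors.append(f"line {lineno}: context for undeclared SID {sid!r}")
                continue
            if sid in res.contexts:
                res.errors.append(f"line {lineno}: context for SID {sid!r} is multiply defined")
                continue
            m = _CONTEXT_RE.match(ctx)
            if not m:
                res.errors.append(f"line {lineno}: malformed security context {ctx!r}")
                continue
            user, role, type_, mls_range = m.groups()
            if mls and mls_range is None:
                res.errors.append(f"line {lineno}: MLS policy needs a level on SID {sid!r}")
            if not mls and mls_range is not None:
                res.errors.append(f"line {lineno}: level {mls_range!r} in a non-MLS policy")
            res.contexts[sid] = SidContext(sid, user, role, type_, mls_range)
    for sid in res.declared:  # script's own rule: every declared SID needs a context
        if sid not in res.contexts:
            res.errors.append(f"declared SID {sid!r} has no initial context")
    return res


# Constructed samples modelled on this page's examples (not from any real policy).
TARGETED_SAMPLE = """\
sid kernel
sid security
sid unlabeled
sid fs
sid kernel system_u:system_r:kernel_t
sid security system_u:object_r:security_t
sid unlabeled system_u:object_r:unlabeled_t
sid fs system_u:object_r:fs_t
"""
MLS_SAMPLE = "sid unlabeled\nsid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255\n"
BROKEN_SAMPLE = """\
sid kernel
sid kernel                                   # duplicate declaration
sid unlabeled
sid kernel system_u:system_r:kernel_t;       # stray ';'
sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255   # level in a targeted policy
sid unlabeled system_u:object_r:unlabeled_t  # second context for one SID
sid fs system_u:object_r:fs_t                # context for an undeclared SID
sid security                                 # declared after the context statements
"""

if __name__ == "__main__":
    for name, text, mls in (("targeted", TARGETED_SAMPLE, False),
                            ("mls", MLS_SAMPLE, True), ("broken", BROKEN_SAMPLE, False)):
        result = lint_initial_sids(text, mls=mls)
        print(f"{name}: {'ok' if result.ok else 'errors'}")
        for err in result.errors:
            print("  " + err)
```

Run the file directly to see the three samples linted; the broken fragment yields one error per deliberate mistake. Pass mls=True when linting an MLS or MCS policy so that a missing level is reported rather than a present one.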