SIDStatements
From SELinux Wiki
| Revision as of 14:52, 30 November 2009 (edit) RichardHaines (Talk | contribs) (New page: = Security ID (SID) Statement = There are two SID statements, the first one declares the actual SID identifier and is defined at the start of a policy source file. The second statement is ...) ← Previous diff |
Current revision (22:25, 10 September 2010) (edit) (undo) Jaxelson (Talk | contribs) (→Security ID (SID) Statement - added a link for security context) |
||
| Line 1: | Line 1: | ||
| = Security ID (SID) Statement = | = Security ID (SID) Statement = | ||
| - | There are two SID statements, the first one declares the actual SID identifier and is defined at the start of a policy source file. The second statement is used to add an initial security context to the SID that is used when SELinux initialises or as a default if an object is not labeled correctly. The Building a Basic Policy section shows their usage. | + | There are two SID statements, the first one declares the actual SID identifier and is defined at the start of a policy source file. The second statement is used to add an initial [[security context]] to the SID that is used when SELinux initialises or as a default if an object is not labeled correctly. The Building a Basic Policy section shows their usage. |
| == sid Statement == | == sid Statement == | ||
Current revision
Security ID (SID) Statement
There are two SID statements. The first declares the actual SID identifier and is defined at the start of a policy source file. The second adds an initial security context to the SID; this context is used when SELinux initialises, or as a default if an object is not labeled correctly. The Building a Basic Policy section shows their usage.
sid Statement
The sid statement declares the actual SID identifier and is defined at the start of a policy source file.
The statement definition is:
```
sid sid_id
```
Where:
| sid | The sid keyword. |
| sid_id | The sid identifier. Note that there is no terminating ';'. |
The statement is valid in:
Example:
This example has been taken from the Reference Policy source ../policy/flask/initial_sids file.
```
# This example was taken from the
# ./policy/flask/initial_sids file and declares some
# of the initial SIDs:
#
sid kernel
sid security
sid unlabeled
sid fs
```
sid context Statement
The sid context statement is used to add an initial security context to the SID that is used when SELinux initialises, or as a default if an object is not labeled correctly.
```
sid sid_id context
```
Where:
| sid | The sid keyword. |
| sid_id | The previously declared sid identifier. |
| context | The initial security context associated with the SID. Note that there is no terminating ';'. |
The statements are valid in:
Examples:
```
# These statements add an initial security context to an object
# that is used when SELinux initialises or as a default if a
# context is not available or labeled incorrectly.
#
# This one is from a targeted policy:
sid unlabeled system_u:object_r:unlabeled_t

# This one is from an MLS policy. Note that the security level is
# set to SystemHigh as it may need to label any object in the
# system.
sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255
```
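The two statement forms above can be checked mechanically before a policy is compiled. The following is an added example, not code from the wiki or the Reference Policy: a small lint that flags a terminating ';', a context given to an undeclared SID, a malformed context, and a declared SID that never receives a context. It assumes fully expanded statements as shown on this page (no macros); the identifier pattern is a simplification, and `lint_sids` and the sample text are hypothetical names and constructed input.

```python
import re

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")  # simplified identifier rule (assumption)

def lint_sids(policy_text):
    """Check sid and sid-context statements; return (contexts, problems)."""
    declared, contexts, problems = {}, {}, []
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()        # drop comments, tokenise
        if not fields or fields[0] != "sid":
            continue
        if fields[-1].endswith(";"):                 # neither form takes a ';'
            problems.append((lineno, "unexpected terminating ';'"))
            fields[-1] = fields[-1].rstrip(";")
            fields = [f for f in fields if f]
        if len(fields) == 2:                         # sid sid_id
            declared.setdefault(fields[1], lineno)
        elif len(fields) == 3:                       # sid sid_id context
            sid_id, parts = fields[1], fields[2].split(":", 3)
            if sid_id not in declared:
                problems.append((lineno, f"context for undeclared SID '{sid_id}'"))
            elif len(parts) < 3 or not all(IDENT.match(p) for p in parts[:3]):
                problems.append((lineno, f"malformed context '{fields[2]}'"))
            else:                                    # user:role:type[:range]
                contexts[sid_id] = dict(zip(("user", "role", "type"), parts),
                                        range=parts[3] if len(parts) == 4 else None)
        else:
            problems.append((lineno, "unrecognised sid statement"))
    for sid_id, lineno in declared.items():          # declared, never given a context
        if sid_id not in contexts:
            problems.append((lineno, f"SID '{sid_id}' has no initial context"))
    return contexts, problems

# Constructed sample: lines 1-5 follow the page's examples, lines 6-8 are
# deliberately faulty (fs_t and file_t are illustrative type names).
SAMPLE = """\
sid kernel
sid security
sid unlabeled
sid fs
sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255
sid fs system_u:object_r:fs_t;
sid file system_u:object_r:file_t
sid security system_u:object_r
"""

if __name__ == "__main__":
    for lineno, message in lint_sids(SAMPLE)[1]:
        print(f"line {lineno}: {message}")
```

Findings are reported against the line of the offending statement, or against the declaration line for a SID that has no context.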
