Difference between revisions of "SIDStatements"

From SELinux Wiki
(Security ID (SID) Statement: added a link for security context)
 
Line 1: Line 1:
 
= Security ID (SID) Statement =
 
= Security ID (SID) Statement =
There are two SID statements, the first one declares the actual SID identifier and is defined at the start of a policy source file. The second statement is used to add an initial [[security context]] to the SID that is used when SELinux initialises or as a default if an object is not labeled correctly. The Building a Basic Policy section shows their usage.
+
There are two SID statements, the first one declares the actual SID identifier and is defined at the start of a policy source file. The second statement is used to associate an initial [[NB_SC | security context]] to the SID, this is used when SELinux initialises but the policy has not yet been activated or as a default context should an object have an invalid label.
  
== sid Statement ==
+
== sid ==
The sid statement declares the actual SID identifier and is defined at the start of a policy source file.
+
The sid statement declares the SID identifier and is defined at the start of a policy source file.
  
 
'''The statement definition is:'''
 
'''The statement definition is:'''
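Review bot: the rewritten intro sentence on the new side ("...to the SID, this is used when SELinux initialises...") is a comma splice; split it at "this is used" with a semicolon or a full stop. The rewrite also drops the old pointer "The Building a Basic Policy section shows their usage"; if that section still exists, keep the cross-reference as a link so readers can see both statements in a full policy.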
Line 11: Line 11:
  
 
'''Where:'''
 
'''Where:'''
{|border="1"
+
 
|sid
+
{| border="1"
|The sid keyword.
+
| sid
 +
| The sid keyword.
  
 
|-
 
|-
|sid_id
+
| sid_id
|The sid identifier. Note that there is no terminating '<nowiki>;</nowiki>'.
+
| The sid identifier.
  
 
|}
 
|}
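Review bot: the new sid_id description drops "Note that there is no terminating ';'". That caveat is worth keeping, because sid statements, unlike most policy statements, take no ';' and the omission is easy to get wrong when hand-editing initial_sids; suggest "| The sid identifier. Note that there is no terminating ';'."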
Line 23: Line 24:
  
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
{|border="1"
+
 
 +
{| border="1"
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Base Policy'''</center>
 
|<center>'''Base Policy'''</center>
Line 29: Line 31:
  
 
|-
 
|-
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
|<center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
|<center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
|<center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|}
 
|}
Line 47: Line 49:
  
 
'''Example:'''
 
'''Example:'''
This example has been taken from the Reference Policy source ../policy/flask/initial_sids file.
 
<pre>
 
<nowiki># This example was taken from the</nowiki>
 
<nowiki># ./policy/flask/initial_sids file and </nowiki>declares some
 
<nowiki># of the initial SIDs:</nowiki>
 
<nowiki>#</nowiki>
 
  
 +
This example has been taken from the Reference Policy source ./policy/flask/initial_sids file.
 +
<pre>
 
sid kernel
 
sid kernel
 
sid security
 
sid security
Line 60: Line 58:
 
</pre>
 
</pre>
  
== sid context Statement ==
+
 
The sid context statement is used to add an initial security context to the SID that is used when SELinux initialises, or as a default if an object is not labeled correctly.
+
== sid context ==
 +
The sid context statement is used to associate an initial security context to the SID.
 
<pre>
 
<pre>
 
sid sid_id context
 
sid sid_id context
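Review bot: the new sid context description ("...is used to associate an initial security context to the SID.") no longer says when that context is used; the old text's "used when SELinux initialises, or as a default if an object is not labeled correctly" is the security-relevant part for a reader who lands on this section directly. Suggest restoring it in the new wording, e.g. "... to the SID; it is used when SELinux initialises but the policy has not yet been activated, or as a default context should an object have an invalid label", matching the page intro.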
Line 67: Line 66:
  
 
'''Where:'''
 
'''Where:'''
{|border="1"
+
 
|sid
+
{| border="1"
|The sid keyword.
+
| sid
 +
| The sid keyword.
  
 
|-
 
|-
|sid_id
+
| sid_id
|The previously declared sid identifier.  
+
| The previously declared sid identifier.  
  
 
|-
 
|-
|context
+
| context
|The initial security context associated with the SID. Note that there is no terminating '<nowiki>;</nowiki>'.
+
| The initial security context.
  
 
|}
 
|}
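Review bot: "| The initial security context." is thin for the context column; the examples further down show both a three-field context (user:role:type) and one carrying an MLS level, so state the expected form here, e.g. "The initial security context (user:role:type, with a level appended in an MLS policy). Note that there is no terminating ';'." The dropped semicolon note applies to this statement as well.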
Line 83: Line 83:
  
 
'''The statements are valid in:'''
 
'''The statements are valid in:'''
{|border="1"
+
 
 +
{| border="1"
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Base Policy'''</center>
 
|<center>'''Base Policy'''</center>
Line 89: Line 90:
  
 
|-
 
|-
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
|<center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
|<center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
|<center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|}
 
|}
Line 108: Line 109:
 
'''Examples:'''
 
'''Examples:'''
 
<pre>
 
<pre>
<nowiki># These statements add an initial security context to an object </nowiki>
+
# This is from a targeted policy:
<nowiki># that is used when SELinux initialises or as a default if a</nowiki>
+
 
<nowiki># context is not available or labeled incorrectly. </nowiki>
+
sid unlabeled
<nowiki>#</nowiki>
+
...
<nowiki># This one is from a targeted policy:</nowiki>
+
  
 
sid unlabeled system_u:object_r:unlabeled_t
 
sid unlabeled system_u:object_r:unlabeled_t
 +
</pre>
 +
<pre>
 +
# This is from an MLS policy. Note that the security level is set
 +
# to SystemHigh as it may need to label any object in the system.
  
<nowiki># This one is from an MLS policy. Note that the security level is</nowiki>
+
sid unlabeled
<nowiki># set to SystemHigh as it may need to label any object in the</nowiki>
+
...
<nowiki># system.</nowiki>
+
  
 
sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255  
 
sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255  
 
</pre>
 
</pre>
 +
 +
 +
{| style="width: 100%;" border="0"
 +
|-
 +
| [[MLSStatements | '''Previous''']]
 +
| <center>[[NewUsers | '''Home''']]</center>
 +
| <center>[[FileStatements | '''Next''']]</center>
 +
|}
 +
 +
 +
----
 +
<references/>
 +
 +
[[Category:Notebook]]
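Review bot: in both new example blocks the "..." between "sid unlabeled" and "sid unlabeled system_u:object_r:unlabeled_t" is unexplained; a comment such as "# the sid must be declared before its context is assigned" would tie the example to the "previously declared sid identifier" rule in the Where table. The added navigation table is fine, but the new <references/> is unused on this page and could be dropped.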

Latest revision as of 12:58, 28 January 2015

= Security ID (SID) Statement =

There are two SID statements: the first declares the actual SID identifier and is defined at the start of a policy source file; the second associates an initial security context with the SID. That context is used when SELinux initialises but the policy has not yet been activated, or as a default context should an object have an invalid label.

== sid ==

The sid statement declares the SID identifier and is defined at the start of a policy source file.

'''The statement definition is:'''

<pre>
sid sid_id
</pre>

'''Where:'''

{| border="1"
| sid
| The sid keyword.
|-
| sid_id
| The sid identifier.
|}

'''The statement is valid in:'''

{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''No'''</center>
|-
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>[[PolicyStatements#optional | optional Statement]]</center>
| <center>[[PolicyStatements#require | require Statement]]</center>
|-
| <center>'''No'''</center>
| <center>'''No'''</center>
| <center>'''No'''</center>
|}

'''Example:'''

This example has been taken from the Reference Policy source ./policy/flask/initial_sids file.

<pre>
sid kernel
sid security
sid unlabeled
sid fs
</pre>


== sid context ==

The sid context statement is used to associate an initial security context to the SID.

'''The statement definition is:'''

<pre>
sid sid_id context
</pre>

'''Where:'''

{| border="1"
| sid
| The sid keyword.
|-
| sid_id
| The previously declared sid identifier.
|-
| context
| The initial security context.
|}

'''The statements are valid in:'''

{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''No'''</center>
|-
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>[[PolicyStatements#optional | optional Statement]]</center>
| <center>[[PolicyStatements#require | require Statement]]</center>
|-
| <center>'''No'''</center>
| <center>'''No'''</center>
| <center>'''No'''</center>
|}

'''Examples:'''

<pre>
# This is from a targeted policy:

sid unlabeled
...

sid unlabeled system_u:object_r:unlabeled_t
</pre>

<pre>
# This is from an MLS policy. Note that the security level is set
# to SystemHigh as it may need to label any object in the system.

sid unlabeled
...

sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255
</pre>
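As an added example (not code from this wiki or from the SELinux project), the following Python checker applies the rules stated on this page to a constructed policy fragment: a context statement must name a previously declared sid, neither statement form takes a terminating ';', and a context is user:role:type with a level appended in an MLS policy. The level grammar assumed here (s<n>, optionally followed by category sets such as c0.c255 or c1,c3.c5) is the form seen in the examples, not a full specification.

```python
import re

# Constructed sample input (not from the wiki page): declarations first, then
# context statements, with two deliberate mistakes for the checker to report.
SAMPLE_POLICY = """\
# constructed sample, not a real initial_sids file
sid kernel
sid security
sid unlabeled
sid fs
sid unlabeled system_u:object_r:unlabeled_t
sid kernel system_u:system_r:kernel_t:s15:c0.c255
sid fs system_u:object_r:fs_t;
sid bogus system_u:object_r:bogus_t
sid security system_u:object_r:security_t
"""
# user:role:type with an optional MLS level such as s15:c0.c255 or s0:c1,c3.c5
CONTEXT_RE = re.compile(
    r"^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+"
    r"(?::(?P<level>s\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?))?$"
)

def check_sid_statements(policy):
    """Return (errors, mls_sids): problems found, and SIDs whose context has an MLS level."""
    declared, errors, mls_sids = set(), [], []
    for lineno, raw in enumerate(policy.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line or line == "...":
            continue
        if line.endswith(";"):                    # sid statements take no terminator
            errors.append(f"line {lineno}: no terminating ';' is allowed on a sid statement")
            line = line[:-1].rstrip()
        parts = line.split()
        if parts[0] != "sid":
            continue                              # some other policy statement; ignore
        if len(parts) == 2:                       # sid sid_id
            declared.add(parts[1])
        elif len(parts) == 3:                     # sid sid_id context
            sid_id, ctx = parts[1], parts[2]
            if sid_id not in declared:            # the sid must be previously declared
                errors.append(f"line {lineno}: sid {sid_id} used before it is declared")
            m = CONTEXT_RE.match(ctx)
            if m is None:
                errors.append(f"line {lineno}: malformed security context {ctx!r}")
            elif m.group("level"):
                mls_sids.append(sid_id)
        else:
            errors.append(f"line {lineno}: expected 'sid sid_id [context]'")
    return errors, mls_sids
```

Running it on SAMPLE_POLICY reports the stray ';' on line 8 and the undeclared sid on line 9, and lists kernel as the only SID given an MLS level.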

