SIDStatements

From SELinux Wiki


Security ID (SID) Statement

There are two SID statements, the first one declares the actual SID identifier and is defined at the start of a policy source file. The second statement is used to add an initial security context to the SID that is used when SELinux initialises or as a default if an object is not labeled correctly. The Building a Basic Policy section shows their usage.

sid Statement

The sid statement declares the actual SID identifier and is defined at the start of a policy source file.

The statement definition is:

sid sid_id

Where:

sid The sid keyword.
sid_id The sid identifier. Note that there is no terminating ';'.


The statement is valid in:

Monolithic Policy | Base Policy | Module Policy
Yes               | Yes         | No

Conditional Policy (if) Statement | optional Statement | require Statement
No                                | No                 | No


Example: This example has been taken from the Reference Policy source ../policy/flask/initial_sids file.

# This example was taken from the
# ./policy/flask/initial_sids file and declares some 
# of the initial SIDs:
#

sid kernel
sid security
sid unlabeled
sid fs

sid context Statement

The sid context statement is used to add an initial security context to the SID that is used when SELinux initialises, or as a default if an object is not labeled correctly.

sid sid_id context

Where:

sid The sid keyword.
sid_id The previously declared sid identifier.
context The initial security context associated with the SID. Note that there is no terminating ';'.


The statements are valid in:

Monolithic Policy | Base Policy | Module Policy
Yes               | Yes         | No

Conditional Policy (if) Statement | optional Statement | require Statement
No                                | No                 | No


Examples:

# These statements add an initial security context to an object 
# that is used when SELinux initialises or as a default if a
# context is not available or labeled incorrectly. 
#
# This one is from a targeted policy:

sid unlabeled system_u:object_r:unlabeled_t

# This one is from an MLS policy. Note that the security level is
# set to SystemHigh as it may need to label any object in the
# system.

sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255 
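The two statements above fit together: a sid declaration must come first, and a sid context statement may only refer to an identifier that has already been declared, carrying a context of the form user:role:type with an optional MLS range and no terminating ';'. The following checker is an added example, not code from the SELinux wiki or the Reference Policy; it reads a policy fragment, records the sid declarations, and validates each sid context statement against those rules. The sample policy text embedded in it is constructed for the example (the types and the undeclared `devnull` identifier are illustrative only).

```python
"""Added example: a checker for SELinux `sid` and `sid ... context` statements.

It records every `sid sid_id` declaration, then verifies that each
`sid sid_id context` statement names a previously declared sid, carries
no terminating ';', and has a context of the form user:role:type or
user:role:type:range (MLS level or low-high range).
"""
import re
from dataclasses import dataclass, field

# One MLS level: s<n>, optionally followed by categories such as c0.c255 or c1,c3.
_LEVEL = r"s\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?"
_IDENT = r"[A-Za-z_][\w.-]*"

# user:role:type with an optional range; the range may be a single level or low-high.
_CONTEXT_RE = re.compile(
    rf"^(?P<user>{_IDENT}):(?P<role>{_IDENT}):(?P<type>{_IDENT})"
    rf"(?::(?P<range>{_LEVEL}(?:-{_LEVEL})?))?$"
)


@dataclass
class SidCheck:
    declared: list = field(default_factory=list)   # sid identifiers in declaration order
    contexts: dict = field(default_factory=dict)   # sid_id -> parsed context fields
    errors: list = field(default_factory=list)     # human-readable problems found


def check_sid_statements(policy_text: str) -> SidCheck:
    """Parse the sid statements in policy_text and report any violations."""
    result = SidCheck()
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != "sid":
            continue                                 # only sid statements are checked
        if line.endswith(";"):
            result.errors.append(f"line {lineno}: sid statements take no terminating ';'")
            continue
        if len(parts) == 2:                          # sid sid_id
            sid_id = parts[1]
            if sid_id in result.declared:
                result.errors.append(f"line {lineno}: sid {sid_id!r} declared twice")
            else:
                result.declared.append(sid_id)
        elif len(parts) == 3:                        # sid sid_id context
            sid_id, context = parts[1], parts[2]
            if sid_id not in result.declared:
                result.errors.append(f"line {lineno}: context for undeclared sid {sid_id!r}")
                continue
            m = _CONTEXT_RE.match(context)
            if not m:
                result.errors.append(f"line {lineno}: malformed context {context!r}")
                continue
            result.contexts[sid_id] = {
                "user": m["user"], "role": m["role"],
                "type": m["type"], "range": m["range"],   # range is None without MLS
            }
        else:
            result.errors.append(f"line {lineno}: unrecognised sid statement {line!r}")
    return result


def missing_contexts(result: SidCheck) -> list:
    """Declared SIDs that never received an initial context."""
    return [sid_id for sid_id in result.declared if sid_id not in result.contexts]


# Constructed sample policy fragment (not from the Reference Policy).
SAMPLE_POLICY = """\
sid kernel
sid security
sid unlabeled
sid fs

sid kernel system_u:system_r:kernel_t
sid security system_u:object_r:security_t
sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255
sid devnull system_u:object_r:null_device_t   # never declared above
sid fs system_u:object_r:fs_t;                # stray terminating ';'
"""

if __name__ == "__main__":
    report = check_sid_statements(SAMPLE_POLICY)
    print("declared:", report.declared)
    print("unlabeled range:", report.contexts["unlabeled"]["range"])
    for err in report.errors:
        print("error:", err)
    print("declared without a context:", missing_contexts(report))
```

Running it on the sample reports the context for the undeclared `devnull` sid and the stray ';' on the `fs` line, and lists `fs` as a declared SID left without an initial context.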