TypeStatements

From SELinux Wiki
Revision as of 14:31, 29 November 2009 by RichardHaines

Type Enforcement and Attribute Statements

These statements share the same namespace, therefore the general convention is to use '_t' as the final two characters of a type identifier to differentiate it from an attribute identifier, as shown in the following examples:

# Statement      Identifier      Comment
#---------------------------------------------------
type             bin_t;          # A type identifier ends with _t
attribute        file_type;      # An attribute identifier ends with 
                                 # anything else

type Statement

The type statement declares the type identifier and any optional associated alias or attribute identifiers. Type identifiers are the main component of a Security Context.

The statement definition is:

type type_id;

Or

type type_id ,attribute_id;

Or

type type_id alias alias_id;

Or

type type_id alias alias_id ,attribute_id;

Where:

type The type keyword.
type_id The type identifier.
alias Optional alias keyword that signifies alternate identifiers for the type_id that are declared in the alias_id list.
alias_id One or more alias identifiers. Multiple entries consist of a space separated list enclosed in braces ({}).
attribute_id One or more optional attribute identifiers that have been previously declared by the attribute Statement. Multiple entries consist of a comma (,) separated list; note the leading comma that separates the attribute list from the preceding type_id or alias_id.


The statement is valid in:

  Monolithic Policy   Base Policy   Module Policy
  Yes                 Yes           Yes

  Conditional Policy (if) Statement   optional Statement   require Statement
  No                                  No                   Yes


Examples:

# Using the type statement to declare a type of shell_exec_t,
# where exec_t is used to identify a file as an executable type.

type shell_exec_t;

# Using the type statement to declare a type of bin_t, where
# bin_t is used to identify a file as an ordinary program type.

type bin_t;

# Using the type statement to declare a type of bin_t with two
# alias names. The sbin_t is used to identify the file as a
# system admin program type.

type bin_t alias { ls_exec_t sbin_t };

# Using the type statement to declare a type of boolean_t that
# also associates it to a previously declared attribute
# booleans_type (see the attribute Statement).

attribute booleans_type;          # declare the attribute

type boolean_t, booleans_type;    # and associate with the type

# Using the type statement to declare a type of setfiles_t that
# also has an alias of restorecon_t and one previously declared
# attribute of can_relabelto_binary_policy associated with it.

attribute can_relabelto_binary_policy;

type setfiles_t alias restorecon_t, can_relabelto_binary_policy;

# Using the type statement to declare a type of
# ssh_server_packet_t that also associates it to two previously
# declared attributes packet_type and server_packet_type.

attribute packet_type;            # declare attribute 1
attribute server_packet_type;     # declare attribute 2

# Associate the type identifier with the two attributes:

type ssh_server_packet_t, packet_type, server_packet_type;

attribute Statement

An attribute statement declares an identifier that can then be used to refer to a group of types.


The statement definition is:

attribute attribute_id;

Where:

attribute The attribute keyword.
attribute_id The attribute identifier.


The statement is valid in:

  Monolithic Policy   Base Policy   Module Policy
  Yes                 Yes           Yes

  Conditional Policy (if) Statement   optional Statement   require Statement
  No                                  Yes                  Yes


Examples:

# Using the attribute statement to declare attributes domain, 
# daemon, file_type and non_security_file_type:

attribute domain;
attribute daemon;
attribute file_type;
attribute non_security_file_type;

typeattribute Statement

The typeattribute statement allows the association of previously declared types to one or more previously declared attributes.

The statement definition is:

typeattribute type_id attribute_id [ ,attribute_id ];


Where:

typeattribute The typeattribute keyword.
type_id The identifier of a previously declared type.
attribute_id One or more previously declared attribute identifiers. Multiple entries consist of a comma (,) separated list.


The statement is valid in:

  Monolithic Policy   Base Policy   Module Policy
  Yes                 Yes           Yes

  Conditional Policy (if) Statement   optional Statement   require Statement
  No                                  Yes                  No


Examples:

# Using the typeattribute statement to associate a previously 
# declared type of setroubleshootd_t to a previously declared 
# domain attribute.
# The previously declared attribute:

attribute domain;

# The previously declared type:

type setroubleshootd_t;

# The association using the typeattribute statement:

typeattribute setroubleshootd_t domain;

# Using the typeattribute statement to associate a type of
# setroubleshootd_exec_t to two attributes file_type and 
# non_security_file_type. 
# These are the previously declared attributes:

attribute file_type;
attribute non_security_file_type;

# The previously declared type:

type setroubleshootd_exec_t;

# These are the associations using the typeattribute statement:

typeattribute setroubleshootd_exec_t file_type, non_security_file_type;

typealias Statement

The typealias statement allows the association of a previously declared type to one or more alias identifiers (an alternative way is to use the type Statement).

The statement definition is:

typealias type_id alias alias_id;


Where:

typealias The typealias keyword.
type_id The identifier of a previously declared type.
alias The alias keyword.
alias_id One or more alias identifiers. Multiple entries consist of a space separated list enclosed in braces ({}).


The statement is valid in:

  Monolithic Policy   Base Policy   Module Policy
  Yes                 Yes           Yes

  Conditional Policy (if) Statement   optional Statement   require Statement
  No                                  Yes                  No


Examples:

# Using the typealias statement to associate the previously
# declared type mount_t with an alias of mount_ntfs_t.
# Declare the type:

type mount_t;

# Then alias the identifier:

typealias mount_t alias mount_ntfs_t;

# Using the typealias statement to associate the previously
# declared type netif_t with two aliases, lo_netif_t and netif_lo_t.
# Declare the type:

type netif_t;

# Then assign two alias identifiers lo_netif_t and netif_lo_t:

typealias netif_t alias { lo_netif_t netif_lo_t };
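The four statements above (type, attribute, typeattribute and typealias) follow a small set of rules that a policy compiler enforces: identifiers live in one shared namespace, an attribute or type must be declared before it is referenced, and an alias always resolves back to its canonical type. The following Python script is an added example, not part of the SELinux wiki page or of the SELinux toolchain; it is a minimal parser for just these four statement forms that builds the type-to-attribute map, resolves aliases, and reports declaration-order, namespace and naming-convention problems. The sample policy text it parses is constructed here from the page's own examples, and the function and class names (parse_policy, Policy, naming_warnings, validate) are this example's, not names from any SELinux tool.

```python
import re
from dataclasses import dataclass, field


class PolicyError(ValueError):
    """Raised for a declaration-order or namespace violation."""


@dataclass
class Policy:
    attributes: set = field(default_factory=set)
    types: dict = field(default_factory=dict)    # type_id -> set of attribute_ids
    aliases: dict = field(default_factory=dict)  # alias_id -> canonical type_id

    def declare(self, ident):
        # Types, attributes and aliases share one namespace, so a name may be
        # declared only once, whichever statement declared it first.
        if ident in self.attributes or ident in self.types or ident in self.aliases:
            raise PolicyError(f"identifier already declared: {ident}")

    def resolve(self, ident):
        # Map an alias back to its canonical type; a type maps to itself.
        if ident in self.aliases:
            return self.aliases[ident]
        if ident in self.types:
            return ident
        raise PolicyError(f"type used before declaration: {ident}")

    def associate(self, type_id, attr):
        # typeattribute (and the attribute list of a type statement) require
        # both the type and the attribute to be declared already.
        if attr not in self.attributes:
            raise PolicyError(f"attribute used before declaration: {attr}")
        self.types[self.resolve(type_id)].add(attr)

    def add_aliases(self, type_id, alias_ids):
        canonical = self.resolve(type_id)
        for alias in alias_ids:
            self.declare(alias)
            self.aliases[alias] = canonical

    def types_with(self, attr):
        """All canonical types carrying the attribute, sorted."""
        return sorted(t for t, attrs in self.types.items() if attr in attrs)


def _alias_and_attrs(toks):
    """Split the tokens after type_id into (alias_ids, attribute_ids)."""
    alias_ids = []
    if toks and toks[0] == "alias":
        if len(toks) > 1 and toks[1] == "{":          # brace-enclosed alias list
            end = toks.index("}")
            alias_ids, toks = toks[2:end], toks[end + 1:]
        else:                                          # single alias
            alias_ids, toks = toks[1:2], toks[2:]
    return alias_ids, [t for t in toks if t != ","]    # drop the comma separators


def parse_policy(text):
    pol = Policy()
    text = re.sub(r"#.*", "", text)                    # strip '#' comments
    for stmt in text.split(";"):
        toks = re.findall(r"\{|\}|,|[\w.-]+", stmt)
        if not toks:
            continue
        kw, rest = toks[0], toks[1:]
        if kw == "attribute":
            pol.declare(rest[0])
            pol.attributes.add(rest[0])
        elif kw == "type":
            alias_ids, attrs = _alias_and_attrs(rest[1:])
            pol.declare(rest[0])
            pol.types[rest[0]] = set()
            pol.add_aliases(rest[0], alias_ids)
            for attr in attrs:
                pol.associate(rest[0], attr)
        elif kw == "typeattribute":
            for attr in [t for t in rest[1:] if t != ","]:
                pol.associate(rest[0], attr)
        elif kw == "typealias":
            alias_ids, extra = _alias_and_attrs(rest[1:])
            if not alias_ids or extra:
                raise PolicyError(f"malformed typealias: {' '.join(toks)}")
            pol.add_aliases(rest[0], alias_ids)
        else:
            raise PolicyError(f"unsupported statement: {kw}")
    return pol


def naming_warnings(pol):
    """Identifiers breaking the convention that types/aliases end in _t and attributes do not."""
    bad = [a for a in pol.attributes if a.endswith("_t")]
    bad += [t for t in list(pol.types) + list(pol.aliases) if not t.endswith("_t")]
    return sorted(bad)


def validate(text):
    """Return None if the fragment parses cleanly, else the error message."""
    try:
        parse_policy(text)
        return None
    except (PolicyError, IndexError) as exc:
        return str(exc) or "truncated statement"


# Constructed sample, assembled from the statement examples on this page.
SAMPLE_POLICY = """
attribute domain;
attribute file_type;
attribute non_security_file_type;
attribute booleans_type;
attribute can_relabelto_binary_policy;
attribute packet_type;
attribute server_packet_type;

type shell_exec_t;
type bin_t alias { ls_exec_t sbin_t };
type boolean_t, booleans_type;
type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
type ssh_server_packet_t, packet_type, server_packet_type;

type setroubleshootd_t;
typeattribute setroubleshootd_t domain;
type setroubleshootd_exec_t;
typeattribute setroubleshootd_exec_t file_type, non_security_file_type;

type mount_t;
typealias mount_t alias mount_ntfs_t;
type netif_t;
typealias netif_t alias { lo_netif_t netif_lo_t };
"""

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("sbin_t ->", policy.resolve("sbin_t"))
    print("file_type types:", policy.types_with("file_type"))
    print("naming warnings:", naming_warnings(policy))
    print("order check:", validate("type foo_t, not_yet_declared;"))
```

The two checks a reviewer of a real policy module cares about are the ones that fail loudly here: a reference to an attribute that has not been declared (which in a module would need a require block) and a name reused across the shared type/attribute/alias namespace. Aliases are stored against the canonical type, so an attribute associated via any alias is visible through the canonical name and vice versa, which is how the real rules behave.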