Difference between revisions of "XENStatements"

From SELinux Wiki

Latest revision as of 15:31, 19 March 2015

Xen Statements

Xen policy supports additional policy language statements: iomemcon, ioportcon, pcidevicecon, pirqcon and devicetreecon, which are discussed in the sections that follow. The XSM/FLASK Configuration document (http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) contains further information.

Policy version 30 introduced the devicetreecon statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (a 32-bit count of 4K pages).

To compile these additional statements using semodule(8), ensure that the semanage.conf(5) file has the policy-target=xen entry.

iomemcon

Label I/O memory. This may be a single memory location or a range.

The statement definition is:

iomemcon addr context

Where:

iomemcon: The iomemcon keyword.
addr: The memory address to which the context is applied. This may also be a range that consists of a start and end address separated by a hyphen (-).
context: The security context to be applied.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

iomemcon 0xfebd9 system_u:object_r:nicP_t
iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t


ioportcon

Label I/O ports. This may be a single port or a range.

The statement definition is:

ioportcon port context

Where:

ioportcon: The ioportcon keyword.
port: The port to which the context is applied. This may also be a range that consists of a start and end port number separated by a hyphen (-).
context: The security context to be applied.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

ioportcon 0xeac0 system_u:object_r:nicP_t
ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t


pcidevicecon

Label a PCI device.

The statement definition is:

pcidevicecon pci_id context

Where:

pcidevicecon: The pcidevicecon keyword.
pci_id: The PCI identifier.
context: The security context to be applied.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

pcidevicecon 0xc800 system_u:object_r:nicP_t


pirqcon

Label an interrupt level.

The statement definition is:

pirqcon irq context

Where:

pirqcon: The pirqcon keyword.
irq: The interrupt request number.
context: The security context to be applied.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

pirqcon 33 system_u:object_r:nicP_t

devicetreecon

Label device tree nodes.

The statement definition is:

devicetreecon path context

Where:

devicetreecon: The devicetreecon keyword.
path: The device tree path. If this contains spaces, enclose it within double quotes ("").
context: The security context to be applied.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

devicetreecon "/this is/a/path" system_u:object_r:arm_path
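As an added example (not code from this wiki page or from the SELinux or Xen projects), the following Python validator parses the five statements documented in the iomemcon, ioportcon, pcidevicecon, pirqcon and devicetreecon sections above: it enforces the hyphen-separated range form, the "" quoting of device tree paths and the 64-bit I/O memory width, and rejects ranges that overlap an earlier statement. The 16-bit port bound, the context pattern and the overlap rule are assumptions of this example, not statements made by the page.

```python
import re
import shlex

# Keyword -> whether the operand may be a hyphen-separated "start-end" range.
RANGE_ALLOWED = {"iomemcon": True, "ioportcon": True, "pcidevicecon": False, "pirqcon": False}
# Assumed bounds: 64-bit I/O memory (policy version 30) and 16-bit x86 port space.
UPPER_BOUND = {"iomemcon": (1 << 64) - 1, "ioportcon": 0xFFFF}
# Assumed context shape: user:role:type with an optional MLS/MCS field.
CONTEXT_RE = re.compile(r"^[\w.]+:[\w.]+:[\w.]+(?::\S+)?$")

def parse_xen_statement(line):
    """Return (keyword, start, end, context); devicetreecon returns its path as start and end."""
    # shlex honours the "" quoting for paths with spaces; a wrong field count raises ValueError.
    keyword, operand, context = shlex.split(line)
    if not CONTEXT_RE.match(context):
        raise ValueError(f"malformed security context: {context}")
    if keyword == "devicetreecon":
        return keyword, operand, operand, context
    if keyword not in RANGE_ALLOWED:
        raise ValueError(f"unknown Xen statement: {keyword}")
    lo, sep, hi = operand.partition("-")
    if sep and not RANGE_ALLOWED[keyword]:
        raise ValueError(f"{keyword} does not accept a range: {operand}")
    start = int(lo, 0)  # base 0 accepts both 0xfebd9 and 33
    end = int(hi, 0) if sep else start
    if start > end or end > UPPER_BOUND.get(keyword, end):
        raise ValueError(f"{keyword} range is inverted or out of bounds: {operand}")
    return keyword, start, end, context

def check_policy(lines):
    """Parse every statement and reject an iomemcon/ioportcon range overlapping an earlier one."""
    seen, parsed = {}, []
    for line in lines:
        keyword, start, end, context = parse_xen_statement(line)
        if RANGE_ALLOWED.get(keyword):
            for s, e, _ in seen.setdefault(keyword, []):
                if start <= e and s <= end:
                    raise ValueError(f"{keyword} {start:#x}-{end:#x} overlaps {s:#x}-{e:#x}")
            seen[keyword].append((start, end, context))
        parsed.append((keyword, start, end, context))
    return parsed

# Constructed input: the page's own examples, one statement per line.
EXAMPLE_POLICY = """\
iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t
pcidevicecon 0xc800 system_u:object_r:nicP_t
pirqcon 33 system_u:object_r:nicP_t
devicetreecon "/this is/a/path" system_u:object_r:arm_path
""".splitlines()
```

Running check_policy(EXAMPLE_POLICY) returns the five parsed tuples; feeding it a second ioportcon statement inside 0xecc0-0xecdf raises the overlap error.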

