XENStatements

From SELinux Wiki

Revision as of 13:43, 19 November 2012 by RichardHaines (Talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to: navigation, search

Contents

[edit] Xen Statements

Xen policy supports additional policy language statements: iomemcon, ioportcon, pcidevicecon and pirqcon that are discussed in the sections that follow.

To compile these additional statements using semodule(8), ensure that the semanage.conf(5) file has the policy-target=xen entry.


[edit] iomemcon Statement

The sid statement declares the actual SID identifier and is defined at the start of a policy source file.

The statement definition is:

iomemcon addr context;


Where:

iomemcon The iomemcon keyword.
addr The memory address to apply the context. This may also be a range that consists of a start and end address separated by a hypen ('-').
context The security context to be applied.


The statement is valid in:

Monolithic Policy
Base Policy
Module Policy
Yes
Yes
No
Conditional Policy (if]) Statement
optional Statement
require Statement
No
No
No


Example:

iomemcon 0xfebd9 system_u:object_r:nicP_t;

iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t;


[edit] ioportcon Statement

The sid statement declares the actual SID identifier and is defined at the start of a policy source file.

The statement definition is:

ioportcon port context;


Where:

ioportcon The ioportcon keyword.
port The port to apply the context. This may also be a range that consists of a start and end port number separated by a hypen ('-').
context The security context to be applied.


The statement is valid in:

Monolithic Policy
Base Policy
Module Policy
Yes
Yes
No
Conditional Policy (if]) Statement
optional Statement
require Statement
No
No
No


Example:

ioportcon 0xeac0 system_u:object_r:nicP_t;

ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t;


[edit] pcidevicecon Statement

The sid statement declares the actual SID identifier and is defined at the start of a policy source file.

The statement definition is:

pcidevicecon pci_id context;


Where:

pcidevicecon The pcidevicecon keyword.
pci_id The PCI indentifer.
context The security context to be applied.


The statement is valid in:

Monolithic Policy
Base Policy
Module Policy
Yes
Yes
No
Conditional Policy (if]) Statement
optional Statement
require Statement
No
No
No


Example:

pcidevicecon 0xc800 system_u:object_r:nicP_t;


[edit] pirqcon Statement

The sid statement declares the actual SID identifier and is defined at the start of a policy source file.

The statement definition is:

pirqcon irq context;


Where:

pirqcon The pirqcon keyword.
irq The interrupt request number.
context The security context to be applied.


The statement is valid in:

Monolithic Policy
Base Policy
Module Policy
Yes
Yes
No
Conditional Policy (if]) Statement
optional Statement
require Statement
No
No
No


Example:

pirqcon 33 system_u:object_r:nicP_t;



    Personal tools