Difference between revisions of "XENStatements"
Revision as of 15:46, 28 January 2015
Xen Statements
Xen policy supports additional policy language statements: iomemcon, ioportcon, pcidevicecon and pirqcon that are discussed in the sections that follow.
To compile these additional statements using semodule(8), ensure that the semanage.conf(5) file has the policy-target=xen entry; a monolithic policy built directly with checkpolicy(8) needs the -t xen option. With the default SELinux target the compiler rejects these keywords.
iomemcon
Label I/O memory. This may be a single memory location or a range. Xen identifies I/O memory by page frame number (the physical address shifted right by 12 bits), not by byte address, and both ends of a range are inclusive.
The statement definition is:
iomemcon addr context;
Where:
iomemcon | The iomemcon keyword.
addr | The page frame number to apply the context. This may also be a range that consists of a start and end page frame number separated by a hyphen (-).
context | The security context to be applied.
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy
Yes | Yes | No
if Statement | optional Statement | require Statement
No | No | No
Example:
iomemcon 0xfebd9 system_u:object_r:nicP_t;
iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t;
The first statement labels the single 4 KiB page at physical address 0xfebd9000; the second labels the 32 pages from 0xfebe0000 to 0xfebfffff.
ioportcon
Label I/O ports. This may be a single port or a range; both ends of a range are inclusive.
The statement definition is:
ioportcon port context;
Where:
ioportcon | The ioportcon keyword.
port | The I/O port number to apply the context. This may also be a range that consists of a start and end port number separated by a hyphen (-).
context | The security context to be applied.
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy
Yes | Yes | No
if Statement | optional Statement | require Statement
No | No | No
Example:
ioportcon 0xeac0 system_u:object_r:nicP_t;
ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t;
The second statement labels the 32 ports 0xecc0 through 0xecdf.
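The iomemcon and ioportcon values are normally derived from the resource lines that lspci -v prints for the device being passed through. The following Python is an added example, not code from the SELinux notebook, Xen or lspci: it reads a constructed sample in the lspci -v resource-line format and emits the two kinds of statement, converting each memory BAR to an inclusive page-frame range (it assumes 4 KiB pages and rounds outward so a BAR that is not page-aligned still has every page it touches labelled) and each port window to an inclusive port range. The context string and the sample device are assumptions.

```python
import re

PAGE_SHIFT = 12  # Assumption: Xen addresses I/O memory by 4 KiB page frame number

# Constructed sample in the format of `lspci -v` resource lines; not a real device.
SAMPLE_LSPCI = """\
00:19.0 Ethernet controller: Example Corp Gigabit NIC (constructed sample)
        Flags: bus master, fast devsel, latency 0
        Memory at febe0000 (32-bit, non-prefetchable) [size=128K]
        Memory at febd9000 (32-bit, non-prefetchable) [size=4K]
        I/O ports at ecc0 [size=32]
        I/O ports at eac0 [size=1]
"""

_SIZE_UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
_MEM_RE = re.compile(r"Memory at ([0-9a-fA-F]+) .*\[size=(\d+)([KMG]?)\]")
_IO_RE = re.compile(r"I/O ports at ([0-9a-fA-F]+) .*\[size=(\d+)([KMG]?)\]")


def _size_bytes(number, unit):
    return int(number) * _SIZE_UNITS[unit]


def fmt_value(low, high):
    """A single value when the range has one element, else the hyphenated inclusive range."""
    return f"0x{low:x}" if low == high else f"0x{low:x}-0x{high:x}"


def mem_range_to_pfns(base, size):
    """Byte window [base, base + size) -> inclusive (first, last) page frame numbers.

    The last page is computed from the final byte, so a window that is not a whole
    number of pages still has every page it touches labelled rather than one too few.
    """
    if size <= 0:
        raise ValueError("size must be positive")
    return base >> PAGE_SHIFT, (base + size - 1) >> PAGE_SHIFT


def port_range(base, size):
    """Port window [base, base + size) -> inclusive (first, last) port numbers."""
    if size <= 0:
        raise ValueError("size must be positive")
    return base, base + size - 1


def device_contexts(lspci_text, context):
    """Return iomemcon/ioportcon statements labelling every resource found in lspci_text."""
    statements = []
    for line in lspci_text.splitlines():
        mem = _MEM_RE.search(line)
        if mem:
            low, high = mem_range_to_pfns(int(mem.group(1), 16),
                                          _size_bytes(mem.group(2), mem.group(3)))
            statements.append(f"iomemcon {fmt_value(low, high)} {context};")
            continue
        io = _IO_RE.search(line)
        if io:
            low, high = port_range(int(io.group(1), 16),
                                   _size_bytes(io.group(2), io.group(3)))
            statements.append(f"ioportcon {fmt_value(low, high)} {context};")
    return statements


if __name__ == "__main__":
    print("\n".join(device_contexts(SAMPLE_LSPCI, "system_u:object_r:nicP_t")))
```

Run against the sample, the output is exactly the four example statements in this section and the previous one (0xfebe0-0xfebff, 0xfebd9, 0xecc0-0xecdf and 0xeac0), which shows how a 128 KiB BAR at 0xfebe0000 and a 32-byte port window at 0xecc0 map onto the policy syntax. Physical IRQs and the PCI identifier are deliberately not generated here, since lspci's IRQ field is the kernel's number rather than necessarily the physical line Xen sees.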
pcidevicecon
Label a PCI device.
The statement definition is:
pcidevicecon pci_id context;
Where:
pcidevicecon | The pcidevicecon keyword.
pci_id | The PCI device identifier, given as a single value as in the example below. Xen identifies the device by its bus/device/function location, not by its vendor and device IDs.
context | The security context to be applied.
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy
Yes | Yes | No
if Statement | optional Statement | require Statement
No | No | No
Example:
pcidevicecon 0xc800 system_u:object_r:nicP_t;
pirqcon
Label a physical IRQ (interrupt request line).
The statement definition is:
pirqcon irq context;
Where:
pirqcon | The pirqcon keyword.
irq | The interrupt request number.
context | The security context to be applied.
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy
Yes | Yes | No
if Statement | optional Statement | require Statement
No | No | No
Example:
pirqcon 33 system_u:object_r:nicP_t;
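The four statements share one grammar: a keyword, a value or (for iomemcon and ioportcon only) a hyphenated start-end range, a security context and a terminating semicolon. The Python below is an added example, not code from the SELinux notebook, checkpolicy or Xen: it parses a constructed fragment using all four statements, applies the sanity checks one would expect a policy compiler to make (the specific checks are this example's own: unknown keyword, a range on pcidevicecon or pirqcon, start above end, an exact duplicate, and an entry whose whole range an earlier entry already covers), and then resolves a page frame number, port, PCI identifier or IRQ to its label. First match in file order is assumed for resolution, and the nicP_t type is assumed to be declared elsewhere in the policy.

```python
import re
from dataclasses import dataclass

# Constructed policy fragment exercising the four statements; the values are the
# page's own example values and nicP_t is assumed to be declared elsewhere.
SAMPLE_POLICY = """\
# Device labels for a passed-through NIC (constructed sample)
iomemcon 0xfebd9 system_u:object_r:nicP_t;
iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t;
ioportcon 0xeac0 system_u:object_r:nicP_t;
ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t;
pcidevicecon 0xc800 system_u:object_r:nicP_t;
pirqcon 33 system_u:object_r:nicP_t;
"""

RANGED = {"iomemcon", "ioportcon"}    # accept "start-end"
SINGLE = {"pcidevicecon", "pirqcon"}  # take exactly one value
_STMT_RE = re.compile(
    r"^(\w+)\s+(0[xX][0-9a-fA-F]+|\d+)(?:-(0[xX][0-9a-fA-F]+|\d+))?\s+(\S+);$")


@dataclass(frozen=True)
class Entry:
    stmt: str
    low: int
    high: int
    context: str


def _to_int(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_policy(text):
    """Parse the fragment into Entry objects in file order.

    Rejected (checks assumed for this example, modelled on what a policy
    compiler would refuse): unknown keyword, a range on a single-valued
    statement, start above end, an exact duplicate, and an entry whose whole
    range is already covered by an earlier entry of the same statement (it
    could never match under first-match lookup).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        m = _STMT_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        stmt, low_s, high_s, context = m.groups()
        if stmt not in RANGED | SINGLE:
            raise ValueError(f"line {lineno}: unknown statement {stmt!r}")
        if high_s is not None and stmt in SINGLE:
            raise ValueError(f"line {lineno}: {stmt} does not take a range")
        low = _to_int(low_s)
        high = _to_int(high_s) if high_s is not None else low
        if low > high:
            raise ValueError(f"line {lineno}: start 0x{low:x} exceeds end 0x{high:x}")
        for e in entries:
            if e.stmt != stmt:
                continue
            if (e.low, e.high) == (low, high):
                raise ValueError(f"line {lineno}: duplicate {stmt} entry")
            if e.low <= low and high <= e.high:
                raise ValueError(f"line {lineno}: {stmt} 0x{low:x}-0x{high:x} "
                                 f"is hidden by earlier 0x{e.low:x}-0x{e.high:x}")
        entries.append(Entry(stmt, low, high, context))
    return entries


def lookup(entries, stmt, value):
    """Context for a PFN, port, PCI id or IRQ: first match in file order wins
    (assumed resolution order); None when nothing labels the value."""
    for e in entries:
        if e.stmt == stmt and e.low <= value <= e.high:
            return e.context
    return None


def rejects(text):
    """True when parse_policy refuses the fragment; used to exercise the checks."""
    try:
        parse_policy(text)
    except ValueError:
        return True
    return False
```

Looking up 0xfebf0 returns the nicP_t context because it lies inside the inclusive 0xfebe0-0xfebff range, while 0xfec00 (one page past the end) and port 0xece0 (one past 0xecdf) return None: a passed-through device whose BAR or port window extends past the labelled range is left unlabelled, which is exactly the off-by-one a practitioner should check for when writing these statements by hand.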