Difference between revisions of "PolicyLanguage"

In progress to build pages from the SELinux Notebook - Need to do the actual rules & statements
= SELinux Policy Language =
== Introduction ==
This section is intended as a reference to give a basic understanding of the policy language statements and rules, with supporting examples taken from the Reference Policy source. The language updates up to Policy DB version 23 have been captured.

== Policy Statements and Rules ==
=== Policy Source Files ===
There are three basic types of policy source file that can contain language statements and rules:

:'''Monolithic Policy''' - This is a single policy source file that contains all statements. By convention this file is called policy.conf and is compiled using the checkpolicy command, which produces the binary policy file.

:'''Base Policy''' - This is the mandatory base policy source file that supports the loadable module infrastructure. The whole system policy could be fully contained within this file; however, it is more usual for the base policy to hold the mandatory components of a policy, with the optional components contained in loadable module source files. By convention this file is called base.conf and is compiled using the checkpolicy or checkmodule command.

:'''Module (or Non-base) Policy''' - These are optional policy source files that, when compiled, can be dynamically loaded or unloaded within the policy store. By convention these files are named after the module or application they represent, with the compiled binary having a ‘.pp’ extension. These files are compiled using the checkmodule command.

Table 1 shows the order in which the statements should appear in source files, together with the minimum (and therefore mandatory) statements that must be defined.

{| border="1"
! Base Entries !! M/O
|-
| Security Classes (class) || m
|-
| Initial SIDs || m
|-
| Access Vectors (permissions) || m
|-
| MLS sensitivity, category and level Statements || o
|-
| MLS Constraints || o
|-
| Policy Capability Statements || o
|-
| Attributes || o
|-
| Booleans || o
|-
| Type / Type Alias || m
|-
| Roles || m
|-
| Policy Rules || o
|-
| Users || m
|-
| Constraints || o
|-
| Default SID labeling || m
|-
| fs_use_xattr Statements || o
|-
| fs_use_task and fs_use_trans Statements || o
|-
| genfscon Statements || o
|-
| portcon, netifcon and nodecon Statements || o
|-
! Module Entries !!
|-
| module Statement || o
|-
| require Statement || o
|-
| Attributes || o
|-
| Booleans || o
|-
| Type / Type Alias || o
|-
| Roles || o
|-
| Policy Rules || o
|-
| Users || o
|}
<center>'''Table 1: Base and Module Policy Statements -''' ''A Monolithic source file would contain the same statements as the Base Module. The mandatory policy entries are noted (type, role and user require at least one entry each).''</center>

The language grammar defines which statements and rules can be used within the different types of source file. To highlight these rules, the following table is included in each statement and rule section to show the circumstances in which each one is valid within a policy source file:

{| border="1"
! Monolithic Policy !! Base Policy !! Module Policy
|-
| Yes/No || Yes/No || Yes/No
|}

'''Where:'''
:Monolithic Policy - Whether the statement is allowed within a monolithic policy source file or not.
:Base Policy - Whether the statement is allowed within a base (for loadable module support) policy source file or not.
:Module Policy - Whether the statement is allowed within the optional loadable module policy source file or not.

Table 3 shows a cross reference matrix of the statements and rules allowed in each type of policy source file.

=== Conditional, Optional and Require Statement Rules ===
The language grammar specifies which statements and rules can be included within Conditional Policy statements, Optional Policy statements and the require statement. To highlight these rules, the following table is included in each statement and rule section to show the circumstances in which each one is valid:

{| border="1"
! Conditional Policy (if) Statement !! optional Statement !! require Statement
|-
| Yes/No || Yes/No || Yes/No
|}
'''Where:'''

:Conditional Policy (if) Statement - Whether the statement is allowed within a conditional statement (IF / ELSE construct) as described in the if Statement section. Conditional statements can be in all types of policy source file.
:optional Statement - Whether the statement is allowed within the optional { rule_list } construct as described in the optional Statement section.
:require Statement - Whether the statement keyword is allowed within the require { rule_list } construct as described in the require Statement section.

Table 3 shows a cross reference matrix of the statements and rules allowed in each of the above policy statements.

=== MLS Statements and Optional MLS Components ===
The MLS Statements section defines statements specifically for MLS support. However, when MLS is enabled there are other statements that require the MLS Security Context component as an argument; these statements therefore show an example taken from the Reference Policy MLS build.

=== General Statement Information ===
* Identifiers can generally be any length but should be restricted to the following characters: a-z, A-Z, 0-9 and _ (underscore).
* A “#” indicates the start of a comment in policy source files.
* Statements that were defined in the older NSA documentation have been updated to capture changes, such as the prohibition of * and ~ in type and role sets (other than in the neverallow statement). Note that some of these changes are not captured by the language grammar but are managed within the policy_parse.y source code.
* When multiple source and target entries are shown in a single statement or rule, the compiler (checkpolicy or checkmodule) will expand these to individual statements or rules, as shown in the following example:

<pre>
# This allow rule has two target entries, console_device_t and tty_device_t:
allow apm_t { console_device_t tty_device_t }:chr_file { getattr read write append ioctl lock };

# The compiler will expand this to become:
allow apm_t console_device_t:chr_file { getattr read write append ioctl lock };
# and:
allow apm_t tty_device_t:chr_file { getattr read write append ioctl lock };
</pre>

:Therefore, when comparing the actual source code with a compiled binary using (for example) apol, sedispol or sedismod, the results will differ (although the resulting policy rules will be the same).
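The set expansion described above, worked through as an added Python example (not code from the SELinux project or the Notebook): it expands an av rule over its source, target and class sets the way the compiler does, rejects * and ~ in type sets outside neverallow as the identifier notes require, and checks identifiers against the character rule and a subset of the Table 2 reserved words. The grammar subset, function names and sample rules are constructed for this example; it assumes one rule per line.

```python
"""Expand SELinux av rules that use identifier sets into the single-source,
single-target, single-class rules the compiler generates (added example)."""
import re
from itertools import product
from typing import List

# Only the av rule kinds are expanded here; everything else passes through.
AV_RULE_KINDS = {"allow", "auditallow", "dontaudit", "neverallow"}

# Identifier rule from the page: a-z, A-Z, 0-9 and underscore only.
_IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Subset of the Table 2 reserved words, enough for the check below.
RESERVED = {"allow", "auditallow", "dontaudit", "neverallow", "type", "role",
            "user", "class", "self", "object_r", "if", "else", "optional",
            "require", "module", "true", "false", "and", "or", "not", "xor"}

# Rule shape handled (assumption):  <kind> <src_set> <tgt_set>:<class_set> <perms> ;
# A set is one token or a brace list, optionally prefixed with '~' (complement).
_RULE_RE = re.compile(
    r"^\s*(?P<kind>[a-z]+)\s+"
    r"(?P<src>~?\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>~?\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|[^\s{;]+)\s+"
    r"(?P<perms>~?\{[^}]*\}|[^\s;]+)\s*;\s*$"
)


def is_valid_identifier(name: str) -> bool:
    """True if name uses only the permitted characters and is not reserved."""
    return bool(_IDENT_RE.match(name)) and name not in RESERVED


def _members(set_text: str) -> List[str]:
    """Split a set into its members.  '*' and '~{...}' cannot be enumerated
    without the complete type list, so they are kept as one opaque member."""
    s = set_text.strip()
    if s == "*" or s.startswith("~"):
        return [s]
    if s.startswith("{"):
        return s[1:-1].split()
    return [s]


def _check_set_wildcards(kind: str, set_text: str, position: str) -> None:
    """'*' and '~' are prohibited in type sets except in neverallow rules."""
    if kind != "neverallow" and ("*" in set_text or "~" in set_text):
        raise ValueError(f"{kind}: '*' / '~' not permitted in {position} set")


def expand_rule(rule: str) -> List[str]:
    """Expand one av rule into one rule per (source, target, class) triple,
    keeping the permission set as written, as the page's example shows."""
    m = _RULE_RE.match(rule)
    if not m or m["kind"] not in AV_RULE_KINDS:
        raise ValueError(f"unsupported or malformed av rule: {rule.strip()}")
    kind = m["kind"]
    _check_set_wildcards(kind, m["src"], "source")
    _check_set_wildcards(kind, m["tgt"], "target")
    perms = m["perms"].strip()
    return [f"{kind} {s} {t}:{c} {perms};"
            for s, t, c in product(_members(m["src"]), _members(m["tgt"]),
                                   _members(m["cls"]))]


def expand_policy(source: str) -> List[str]:
    """Expand every av rule in a policy fragment.  '#' starts a comment,
    blank lines are skipped and non-av statements pass through unchanged."""
    out: List[str] = []
    for raw in source.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if m and m["kind"] in AV_RULE_KINDS:
            out.extend(expand_rule(line))
        else:
            out.append(line)
    return out


# Constructed sample mirroring the expansion example in the text.
SAMPLE = """
# This allow rule has two target entries, console_device_t and tty_device_t:
allow apm_t { console_device_t tty_device_t }:chr_file { getattr read write append ioctl lock };
"""

if __name__ == "__main__":
    for expanded in expand_policy(SAMPLE):
        print(expanded)
```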

* Some statements can be added to a policy (via the policy store) using the semanage(8) command. Examples of these are shown where applicable; however, the semanage man page should be consulted for all the possible command line options.
* Table 2 lists words reserved for the SELinux policy language.

{| border="1"
| alias || allow || and
|-
| attribute || auditallow || auditdeny
|-
| bool || category || cfalse
|-
| class || clone || common
|-
| constrain || ctrue || dom
|-
| domby || dominance || dontaudit
|-
| else || eq || false
|-
| fs_use_task || fs_use_trans || fs_use_xattr
|-
| fscon || genfscon || h1
|-
| h2 || if || incomp
|-
| inherits || ipv4_addr || ipv6_addr
|-
| l1 || l2 || level
|-
| mlsconstrain || mlsvalidatetrans || module
|-
| netifcon || neverallow || nodecon
|-
| not || object_r || optional
|-
| or || permissive || policycap
|-
| portcon || r1 || r2
|-
| r3 || range || range_transition
|-
| require || role || role_transition
|-
| roles || sameuser || self
|-
| sensitivity || sid || source
|-
| t1 || t2 || t3
|-
| target || true || type
|-
| type_change || type_member || type_transition
|-
| typealias || typeattribute || types
|-
| u1 || u2 || u3
|-
| user || validatetrans || version
|-
| version_identifier || xor ||
|}
<center>'''Table 2: Policy language reserved words.'''</center>

* Table 3 shows what policy language statements and rules are allowed within each type of policy source file, and whether the statement is valid within an if / else construct, optional {rule_list}, or require {rule_list} statement.

{| border="1"
! Statement / Rule !! Monolithic Policy !! Base Policy !! Module Policy !! Conditional Statements !! optional Statement !! require Statement
|-
| allow || Yes || Yes || Yes || Yes || Yes || No
|-
| allow - Role || Yes || Yes || Yes || No || Yes || No
|-
| attribute || Yes || Yes || Yes || No || Yes || Yes
|-
| auditallow || Yes || Yes || Yes || Yes || Yes || No
|-
| auditdeny (Deprecated) || Yes || Yes || Yes || Yes || Yes || No
|-
| bool || Yes || Yes || Yes || No || Yes || Yes
|-
| category || Yes || Yes || No || No || No || Yes
|-
| class || Yes || Yes || No || No || No || Yes
|-
| common || Yes || Yes || No || No || No || No
|-
| constrain || Yes || Yes || No || No || No || No
|-
| dominance - MLS || Yes || Yes || No || No || No || No
|-
| dominance - Role (Deprecated) || Yes || Yes || Yes || No || Yes || No
|-
| dontaudit || Yes || Yes || Yes || Yes || Yes || No
|-
| fs_use_task || Yes || Yes || No || No || No || No
|-
| fs_use_trans || Yes || Yes || No || No || No || No
|-
| fs_use_xattr || Yes || Yes || No || No || No || No
|-
| genfscon || Yes || Yes || No || No || No || No
|-
| if || Yes || Yes || Yes || No || Yes || No
|-
| level || Yes || Yes || No || No || No || No
|-
| mlsconstrain || Yes || Yes || No || No || No || No
|-
| mlsvalidatetrans || Yes || Yes || No || No || No || No
|-
| module || No || No || Yes || No || No || No
|-
| netifcon || Yes || Yes || No || No || No || No
|-
| neverallow || Yes || Yes || Yes || No || Yes || No
|-
| nodecon || Yes || Yes || No || No || No || No
|-
| optional || No || Yes || Yes || Yes || Yes || Yes
|-
| permissive || Yes || Yes || Yes || Yes || Yes || No
|-
| policycap || Yes || Yes || No || No || No || No
|-
| portcon || Yes || Yes || No || No || No || No
|-
| range_transition || Yes || Yes || Yes || No || Yes || No
|-
| require || No || Yes * || Yes || Yes * || Yes || No
|-
| role || Yes || Yes || Yes || No || Yes || Yes
|-
| role_transition || Yes || Yes || Yes || No || Yes || No
|-
| sensitivity || Yes || Yes || No || No || No || Yes
|-
| sid || Yes || Yes || No || No || No || No
|-
| type || Yes || Yes || Yes || No || No || Yes
|-
| type_change || Yes || Yes || Yes || Yes || Yes || No
|-
| type_member || Yes || Yes || Yes || Yes || Yes || No
|-
| type_transition || Yes || Yes || Yes || Yes || Yes || No
|-
| typealias || Yes || Yes || Yes || No || Yes || No
|-
| typeattribute || Yes || Yes || Yes || No || Yes || No
|-
| user || Yes || Yes || Yes || No || Yes || Yes
|-
| validatetrans || Yes || Yes || No || No || No || No
|}

<center>'''Table 3: The policy language statements and rules that are allowed within each type of policy source file -''' ''The left hand side of the table shows which Policy Language Statements and Rules are allowed within each type of policy source file. The right hand side of the table shows whether the statement is valid within the if / else construct, optional {rule_list}, or require {rule_list} statement.''</center>

<nowiki>*</nowiki> Only if preceded by the optional statement.
Revision as of 16:57, 28 November 2009