PolicyLanguage
Revision as of 13:10, 12 May 2010
SELinux Policy Language
Introduction
This section is intended as a reference to give a basic understanding of the policy language statements and rules with supporting examples taken from the Reference Policy source. The language updates to Policy DB version 24 have been captured.
Policy Statements and Rules
Policy Source Files
There are three basic types of policy source file that can contain language statements and rules. The three types of policy source file are:
- Monolithic Policy - This is a single policy source file that contains all statements. By convention this file is called policy.conf and is compiled using the checkpolicy command that produces the binary policy file.
- Base Policy - This is the mandatory base policy source file that supports the loadable module infrastructure. The whole system policy could be fully contained within this file, however it is more usual for the base policy to hold the mandatory components of a policy, with the optional components contained in loadable module source files. By convention this file is called base.conf and is compiled using the checkpolicy or checkmodule command.
- Module (or Non-base) Policy - These are optional policy source files that, when compiled, can be dynamically loaded or unloaded within the policy store. By convention these files are named after the module or application they represent, with the compiled binary having a ‘.pp’ extension. These files are compiled using the checkmodule command and then packaged with semodule_package.
Table 1 shows the order in which the statements should appear in source files with the minimum (and therefore mandatory) statements that must be defined.
Base Entries | M/O
---|---
Security Classes (class) |
Initial SIDs |
Access Vectors (permissions) |
MLS sensitivity, category and level Statements |
MLS Constraints |
Policy Capability Statements |
Attributes |
Booleans |
Type / Type Alias |
Roles |
Policy Rules |
Users |
Constraints |
Default SID labeling |
fs_use_xattr Statements |
fs_use_task and fs_use_trans Statements |
genfscon Statements |
portcon, netifcon and nodecon Statements |

Module Entries | M/O
---|---
module Statement |
require Statement |
Attributes |
Booleans |
Type / Type Alias |
Roles |
Policy Rules |
Users |
The language grammar defines what statements and rules can be used within the different types of source file. To highlight these rules, the following table is included in each statement and rule section to show what circumstances each one is valid within a policy source file:
Where:
- Monolithic Policy - Whether the statement is allowed within a monolithic policy source file or not.
- Base Policy - Whether the statement is allowed within a base (for loadable module support) policy source file or not.
- Module Policy - Whether the statement is allowed within the optional loadable module policy source file or not.
Table 3 shows a cross reference matrix of statements and rules allowed in each type of policy source file.
Conditional, Optional and Require Statement Rules
The language grammar specifies what statements and rules can be included within Conditional Policy, Optional Policy statements and the require statement. To highlight these rules the following table is included in each statement and rule section to show what circumstances each one is valid within a policy source file:
Where:
- Conditional Policy (if) Statement - Whether the statement is allowed within a conditional statement (IF / ELSE construct) as described in the if Statement section. Conditional statements can be in all types of policy source file.
- optional Statement - Whether the statement is allowed within the optional { rule_list } construct as described in the optional Statement section.
- require Statement - Whether the statement keyword is allowed within the require { rule_list } construct as described in the require Statement section.
Table 3 shows a cross reference matrix of statements and rules allowed in each of the above policy statements.
MLS Statements and Optional MLS Components
The MLS Statements section defines statements specifically for MLS support. However when MLS is enabled, there are other statements that require the MLS Security Context component as an argument, therefore these statements show an example taken from the Reference Policy MLS build.
General Statement Information
- Identifiers can generally be any length but should be restricted to the following characters: a-z, A-Z, 0-9 and _ (underscore).
- A “#” indicates the start of a comment in policy source files.
- Statements that were defined in the older NSA documentation have been updated to capture changes such as the prohibition of * and ~ in type and role sets (other than in the neverallow statement). Note that some of these changes are not captured by the language grammar but are enforced within the policy_parse.y source code.
- When multiple source and target entries are shown in a single statement or rule, the compiler (checkpolicy or checkmodule) will expand these to individual statements or rules as shown in the following example:
    # This allow rule has two target entries, console_device_t and tty_device_t:
    allow apm_t { console_device_t tty_device_t }:chr_file { getattr read write append ioctl lock };
    # The compiler will expand this to become:
    allow apm_t console_device_t:chr_file { getattr read write append ioctl lock };
    # and:
    allow apm_t tty_device_t:chr_file { getattr read write append ioctl lock };
- Therefore when comparing the actual source code with a compiled binary using (for example) apol, sedispol or sedismod, the results will differ (however the resulting policy rules will be the same).
- Some statements can be added to a policy (via the policy store) using the semanage(8) command. Examples of these are shown where applicable, however the semanage man page should be consulted for all the possible command line options.
- Table 2 lists words reserved for the SELinux policy language.
alias | allow | and |
attribute | auditallow | auditdeny |
bool | category | cfalse |
class | clone | common |
constrain | ctrue | dom |
domby | dominance | dontaudit |
else | eq | false |
fs_use_task | fs_use_trans | fs_use_xattr |
fscon | genfscon | h1 |
h2 | if | incomp |
inherits | ipv4_addr | ipv6_addr |
l1 | l2 | level |
mlsconstrain | mlsvalidatetrans | module |
netifcon | neverallow | nodecon |
not | object_r | optional |
or | permissive | policycap |
portcon | r1 | r2 |
r3 | range | range_transition |
require | role | role_transition |
roles | sameuser | self |
sensitivity | sid | source |
t1 | t2 | t3 |
target | true | type |
type_change | type_member | type_transition |
typealias | typeattribute | types |
u1 | u2 | u3 |
user | validatetrans | version |
version_identifier | xor |
- Table 3 shows what policy language statements and rules are allowed within each type of policy source file, and whether the statement is valid within an if / else construct, optional {rule_list}, or require {rule_list} statement.

Statement / Rule | Monolithic Policy | Base Policy | Module Policy | Conditional Policy (if) | optional Statement | require Statement
---|---|---|---|---|---|---
allow | | | | | |
allow - Role | | | | | |
attribute | | | | | |
auditallow | | | | | |
auditdeny (Deprecated) | | | | | |
bool | | | | | |
category | | | | | |
class | | | | | |
common | | | | | |
constrain | | | | | |
dominance - MLS | | | | | |
dominance - Role (Deprecated) | | | | | |
dontaudit | | | | | |
fs_use_task | | | | | |
fs_use_trans | | | | | |
fs_use_xattr | | | | | |
genfscon | | | | | |
if | | | | | |
level | | | | | |
mlsconstrain | | | | | |
mlsvalidatetrans | | | | | |
module | | | | | |
netifcon | | | | | |
neverallow | | | | | |
nodecon | | | | | |
optional | | | | | |
permissive | | | | | |
policycap | | | | | |
portcon | | | | | |
range_transition | | | | | |
require | | | | | |
role | | | | | |
role_transition | | | | | |
sensitivity | | | | | |
sid | | | | | |
type | | | | | |
type_change | | | | | |
type_member | | | | | |
type_transition | | | | | |
typealias | | | | | |
typeattribute | | | | | |
user | | | | | |
validatetrans | | | | | |
* Only if preceded by the optional statement.
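The "General Statement Information" points above (a '#' starts a comment, identifiers are limited to a-z, A-Z, 0-9 and _ and must not collide with the Table 2 reserved words, and the compiler expands set notation into one rule per member) can be exercised with a small script. The following is an added example written for this page; it is not code from the page, the SELinux project, or the Reference Policy. The function names and the SAMPLE_POLICY text are assumptions constructed for illustration; the reserved word list is Table 2 as printed above.

```python
"""Expanding and linting SELinux policy source rules.

Added example (not page or SELinux project code). It implements three points
from "General Statement Information": '#' starts a comment, identifiers are
limited to [A-Za-z0-9_] and must not be reserved words (Table 2), and the
set notation in an access vector rule is expanded into one rule per member,
which is what checkpolicy/checkmodule do before writing the binary policy.
Function names and SAMPLE_POLICY are assumptions made for illustration.
"""
import re
from itertools import product
from typing import List, Optional

# Table 2 reserved words, as listed on this page.
RESERVED = set("""
alias allow and attribute auditallow auditdeny bool category cfalse class
clone common constrain ctrue dom domby dominance dontaudit else eq false
fs_use_task fs_use_trans fs_use_xattr fscon genfscon h1 h2 if incomp
inherits ipv4_addr ipv6_addr l1 l2 level mlsconstrain mlsvalidatetrans
module netifcon neverallow nodecon not object_r optional or permissive
policycap portcon r1 r2 r3 range range_transition require role
role_transition roles sameuser self sensitivity sid source t1 t2 t3 target
true type type_change type_member type_transition typealias typeattribute
types u1 u2 u3 user validatetrans version version_identifier xor
""".split())

IDENT = re.compile(r"^[A-Za-z0-9_]+$")

# One name or a brace-delimited set: 'apm_t' or '{ console_device_t tty_device_t }'.
_SET = r"\{[^}]*\}|[A-Za-z0-9_]+"
AV_RULE = re.compile(
    r"(?P<kind>allow|auditallow|dontaudit|neverallow)\s+"
    rf"(?P<src>{_SET})\s+(?P<tgt>{_SET})\s*:\s*(?P<cls>{_SET})\s+(?P<perms>{_SET})\s*;"
)


def check_identifier(name: str) -> Optional[str]:
    """Return why `name` is not usable as a type/role/user name, or None if it is."""
    if not IDENT.match(name):
        return f"{name!r}: only a-z, A-Z, 0-9 and _ are allowed"
    if name in RESERVED:
        return f"{name!r}: reserved word"
    return None


def strip_comments(source: str) -> str:
    """Remove '#' comments while keeping line boundaries intact."""
    return "\n".join(line.split("#", 1)[0] for line in source.splitlines())


def _members(token: str) -> List[str]:
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']."""
    token = token.strip()
    return token.strip("{}").split() if token.startswith("{") else [token]


def expand_av_rules(source: str) -> List[str]:
    """Expand the source, target and class sets of every AV rule into
    single-entry rules, as the compiler does. The permission set is kept as
    one set because it is stored as a bit vector keyed on the
    (source, target, class) triple. Negation ('-'), '*' and '~' inside sets
    are not handled by this illustration."""
    rules = []
    for m in AV_RULE.finditer(strip_comments(source)):
        perms = " ".join(_members(m["perms"]))
        for src, tgt, cls in product(_members(m["src"]), _members(m["tgt"]), _members(m["cls"])):
            rules.append(f"{m['kind']} {src} {tgt}:{cls} {{ {perms} }};")
    return rules


# Constructed sample source (not from the Reference Policy).
SAMPLE_POLICY = """
# Two targets: the compiler produces two rules.
allow apm_t { console_device_t tty_device_t }:chr_file { getattr read write append ioctl lock };
allow apm_t self:{ fifo_file unix_stream_socket } { read write };  # two classes
dontaudit apm_t var_run_t:dir search;                              # no sets at all
"""

if __name__ == "__main__":
    for rule in expand_av_rules(SAMPLE_POLICY):
        print(rule)
    for name in ("apm_t", "self", "bad-name"):
        print(name, "->", check_identifier(name) or "ok")
```

Running the script prints five expanded rules for the three source rules, which is the form in which apol, sedispol or sedismod report them when a compiled policy is inspected; this is why a line count of the source and of the decompiled rules will not match even though the policy is the same. The identifier check is what you would run over new type, role and user names before a build so that a clash with a reserved word is caught before checkmodule reports a syntax error.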
Policy Language Definition Links
The policy language statement and rule sections are as follows:
- Type Enforcement and Attribute Statements
- Type Enforcement Rules
- Access Vector Rules
- User Statement
- Role Statement
- Role Rules
- Conditional Policy Statements
- Constraint Statements
- File System Labeling Statements
- Network Labeling Statements
- MLS Statements
- Policy Support Statements
- Object Class and Permission Statements
- Security ID (SID) Statement