https://selinuxproject.org/w/?title=NB_ComputingSecurityContexts&feed=atom&action=history NB ComputingSecurityContexts - Revision history 2024-03-29T07:18:01Z Revision history for this page on the wiki MediaWiki 1.23.13 https://selinuxproject.org/w/?title=NB_ComputingSecurityContexts&diff=1704&oldid=prev RichardHaines: /* Security Context Computation for Kernel Objects */ 2014-12-07T12:07:57Z <p>‎<span dir="auto"><span class="autocomment">Security Context Computation for Kernel Objects</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 12:07, 7 December 2014</td> </tr><tr><td colspan="2" class="diff-lineno">Line 21:</td> <td colspan="2" class="diff-lineno">Line 21:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Security Context Computation for Kernel Objects ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: 
solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Security Context Computation for Kernel Objects ==</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Using a combination of the email thread: [http://www.spinics.net/lists/selinux/msg10746.html http://www.spinics.net/lists/selinux/msg10746.html] and kernel 3.14 source, this is how contexts are computed by the security server for various kernel objects (also see the [[NB_LSM | Linux Security Module and SELinux]] section and &quot;[http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml Implementing SELinux as a Linux Security Module]<del class="diffchange diffchange-inline">&lt;nowiki&gt;&quot; [1])</del>.<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Using a combination of the email thread: [http://www.spinics.net/lists/selinux/msg10746.html http://www.spinics.net/lists/selinux/msg10746.html] and kernel 3.14 source, this is how contexts are computed by the security server for various kernel objects (also see the [[NB_LSM | Linux Security Module and SELinux]] section and &quot;[http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml Implementing SELinux as a Linux Security Module].</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td 
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Process ===</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Process ===</div></td></tr> </table> RichardHaines https://selinuxproject.org/w/?title=NB_ComputingSecurityContexts&diff=1703&oldid=prev RichardHaines at 12:07, 7 December 2014 2014-12-07T12:07:15Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 12:07, 7 December 2014</td> </tr><tr><td colspan="2" class="diff-lineno">Line 441:</td> <td colspan="2" class="diff-lineno">Line 441:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; 
vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{| style=&quot;width: 100%;&quot; border=&quot;0&quot;</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">|-</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td 
class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">| [[NB_Objects | '''Previous''']]</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">| &lt;center&gt;[[NewUsers | '''Home''']]&lt;/center&gt;</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">| &lt;center&gt;[[NB_ComputingAccessDecisions | '''Next''']]&lt;/center&gt;</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">|}</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: 
pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td></tr> </table> RichardHaines https://selinuxproject.org/w/?title=NB_ComputingSecurityContexts&diff=1686&oldid=prev RichardHaines: New page: = Computing Security Contexts = SELinux uses a number of policy language statements and <tt>libselinux</tt> functions to compute a security context via the kernel security server. When se... 2014-12-05T13:14:46Z <p>New page: = Computing Security Contexts = SELinux uses a number of policy language statements and &lt;tt&gt;libselinux&lt;/tt&gt; functions to compute a security context via the kernel security server. 
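Review bot: in the 12:07:57 revision of "Security Context Computation for Kernel Objects", the replacement line removes the nowiki wrapper and the [1] marker, but it also drops the closing &quot; and the closing parenthesis that sat inside that wrapper. The sentence still opens "(also see the [[NB_LSM | ..." and puts &quot; before the "Implementing SELinux as a Linux Security Module" link, and neither is closed now. Suggest ending the line with "Implementing SELinux as a Linux Security Module]&quot;)." so that only the nowiki tags and the [1] marker go away.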
When se...</p> <p><b>New page</b></p><div>= Computing Security Contexts =<br /> SELinux uses a number of policy language statements and &lt;tt&gt;libselinux&lt;/tt&gt; functions to compute a security context via the kernel security server.<br /> <br /> When security contexts are computed, the different kernel, userspace tools and policy versions can influence the outcome. This is because patches have been applied over the years that give greater flexibility in computing contexts. For example, a 2.6.39 kernel with SELinux userspace services supporting policy version 26 can influence the computed role.<br /> <br /> The security context is computed for an object using the following components: a source context, a target context and an object class.<br /> <br /> The &lt;tt&gt;libselinux&lt;/tt&gt; userspace functions used to compute a security context are:<br /> <br /> : &lt;tt&gt;'''avc_compute_create'''(3)&lt;/tt&gt; and &lt;tt&gt;'''security_compute_create'''(3)&lt;/tt&gt;<br /> : &lt;tt&gt;'''avc_compute_member'''(3)&lt;/tt&gt; and &lt;tt&gt;'''security_compute_member'''(3)&lt;/tt&gt;<br /> : &lt;tt&gt;'''security_compute_relabel'''(3)&lt;/tt&gt;<br /> <br /> Note that these &lt;tt&gt;libselinux&lt;/tt&gt; functions call the equivalent kernel functions in the security server (see kernel source &lt;tt&gt;security/selinux/ss/services.c&lt;/tt&gt;: &lt;tt&gt;security_compute_sid&lt;/tt&gt;, &lt;tt&gt;security_member_sid&lt;/tt&gt; and &lt;tt&gt;security_change_sid&lt;/tt&gt;), which actually compute the security context.<br /> <br /> The kernel policy language statements that influence a computed security context are:<br /> <br /> &lt;tt&gt;type_transition&lt;/tt&gt;, &lt;tt&gt;role_transition&lt;/tt&gt;, &lt;tt&gt;range_transition&lt;/tt&gt;, &lt;tt&gt;type_member&lt;/tt&gt; and &lt;tt&gt;type_change&lt;/tt&gt;, &lt;tt&gt;default_user&lt;/tt&gt;, &lt;tt&gt;default_role&lt;/tt&gt;, &lt;tt&gt;default_type&lt;/tt&gt; and &lt;tt&gt;default_range&lt;/tt&gt; 
statements (their corresponding CIL statements exclude the underscore).<br /> <br /> The sections that follow give an overview of how security contexts are computed for some kernel classes and also when using the userspace &lt;tt&gt;libselinux&lt;/tt&gt; functions.<br /> <br /> == Security Context Computation for Kernel Objects ==<br /> Using a combination of the email thread: [http://www.spinics.net/lists/selinux/msg10746.html http://www.spinics.net/lists/selinux/msg10746.html] and kernel 3.14 source, this is how contexts are computed by the security server for various kernel objects (also see the [[NB_LSM | Linux Security Module and SELinux]] section and &quot;[http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml Implementing SELinux as a Linux Security Module]&lt;nowiki&gt;&quot; [1]).&lt;/nowiki&gt;<br /> <br /> === Process ===<br /> The initial task starts with the kernel security context, but the &quot;&lt;tt&gt;init&lt;/tt&gt;&quot; process will typically transition into its own unique context (e.g. &lt;tt&gt;init_t&lt;/tt&gt;) when the init binary is executed after the policy has been loaded. 
Some init programs re-exec themselves after loading policy, while in other cases the initial policy load is performed by the &lt;tt&gt;initrd&lt;/tt&gt;/&lt;tt&gt;initramfs&lt;/tt&gt; script prior to mounting the real root and executing the real init program.<br /> <br /> Processes inherit their security context as follows:<br /> <br /> # On fork, a process inherits the security context of its creator/parent.<br /> # On &lt;tt&gt;exec&lt;/tt&gt;, a process may transition to another security context based on policy statements: &lt;tt&gt;type_transition&lt;/tt&gt;, &lt;tt&gt;range_transition&lt;/tt&gt;, &lt;tt&gt;role_transition&lt;/tt&gt; (policy version 26), &lt;tt&gt;default_user&lt;/tt&gt;, &lt;tt&gt;default_role&lt;/tt&gt;, &lt;tt&gt;default_range&lt;/tt&gt; (policy version 27) and &lt;tt&gt;default_type&lt;/tt&gt; (policy version 28) or, if it is a security-aware process, by calling &lt;tt&gt;'''setexeccon'''(3)&lt;/tt&gt; (if permitted by policy) prior to invoking exec.<br /> # At any time, a security-aware process may invoke &lt;tt&gt;'''setcon'''(3)&lt;/tt&gt; to switch its security context (if permitted by policy) although this practice is generally discouraged - exec-based transitions are preferred.<br /> <br /> === Files ===<br /> The default behavior for labeling files (actually inodes that consist of the following classes: files, symbolic links, directories, socket files, FIFOs and block/character devices) upon creation for any filesystem type that supports labeling is as follows:<br /> <br /> # The user component is inherited from the creating process (policy version 27 allows a &lt;tt&gt;default_user&lt;/tt&gt; of source or target to be defined for each object class).<br /> # The role component generally defaults to the &lt;tt&gt;object_r&lt;/tt&gt; role (policy version 26 allows a &lt;tt&gt;role_transition&lt;/tt&gt; and version 27 allows a &lt;tt&gt;default_role&lt;/tt&gt; of source or target to be defined for each object class). 
<br /> # The type component defaults to the type of the parent directory if no matching &lt;tt&gt;type_transition&lt;/tt&gt; rule was specified in the policy (policy version 25 allows a filename &lt;tt&gt;type_transition&lt;/tt&gt; rule and version 28 allows a &lt;tt&gt;default_type&lt;/tt&gt; of source or target to be defined for each object class).<br /> # The &lt;tt&gt;range&lt;/tt&gt;/&lt;tt&gt;level&lt;/tt&gt; component defaults to the low/current level of the creating process if no matching &lt;tt&gt;range_transition&lt;/tt&gt; rule was specified in the policy (policy version 27 allows a &lt;tt&gt;default_range&lt;/tt&gt; of source or target with the selected range being low, high or low-high to be defined for each object class).<br /> <br /> Security-aware applications can override this default behavior by calling &lt;tt&gt;'''setfscreatecon'''(3)&lt;/tt&gt; prior to creating the file, if permitted by policy.<br /> <br /> For existing files the label is determined from the &lt;tt&gt;xattr&lt;/tt&gt; value associated with the file. If there is no &lt;tt&gt;xattr&lt;/tt&gt; value set on the file, then the file is treated as being labeled with the default file security context for the filesystem. By default, this is the &quot;&lt;tt&gt;file&lt;/tt&gt;&quot; initial SID, which is mapped to a context by the policy. This default may be overridden via the &lt;tt&gt;defcontext=&lt;/tt&gt; mount option on a per-mount basis as described in &lt;tt&gt;'''mount'''(8)&lt;/tt&gt;.<br /> <br /> === File Descriptors ===<br /> Inherits the label of its creator/parent.<br /> <br /> === Filesystems ===<br /> Filesystems are labeled using the appropriate &lt;tt&gt;fs_use&lt;/tt&gt; kernel policy language statement as they are mounted, based on the filesystem type name (e.g. &lt;tt&gt;ext4&lt;/tt&gt;) and behaviour (e.g. &lt;tt&gt;xattr&lt;/tt&gt;). 
For example if the policy specifies the following:<br /> &lt;pre&gt;<br /> fs_use_task pipefs system_u:object_r:fs_t:s0<br /> &lt;/pre&gt;<br /> <br /> then as the &lt;tt&gt;pipefs&lt;/tt&gt; filesystem is being mounted, the SELinux LSM security hook &lt;tt&gt;selinux_set_mnt_opts&lt;/tt&gt; will call &lt;tt&gt;security_fs_use&lt;/tt&gt; that will:<br /> <br /> # Look for the filesystem name within the policy (&lt;tt&gt;pipefs&lt;/tt&gt;)<br /> # If present, obtain its behaviour (&lt;tt&gt;fs_use_task&lt;/tt&gt;)<br /> # Then obtain the allocated security context (&lt;tt&gt;system_u:object_r:fs_t:s0&lt;/tt&gt;)<br /> <br /> Should the behaviour be defined as &lt;tt&gt;fs_use_task&lt;/tt&gt;, then the filesystem will be labeled as follows:<br /> <br /> # The user component is inherited from the creating process (policy version 27 allows a &lt;tt&gt;default_user&lt;/tt&gt; of source or target to be defined).<br /> # The role component generally defaults to the &lt;tt&gt;object_r&lt;/tt&gt; role (policy version 26 allows a &lt;tt&gt;role_transition&lt;/tt&gt; and version 27 allows a &lt;tt&gt;default_role&lt;/tt&gt; of source or target to be defined). 
<br /> # The type component defaults to the target type if no matching &lt;tt&gt;type_transition&lt;/tt&gt; rule was specified in the policy (policy version 28 allows a &lt;tt&gt;default_type&lt;/tt&gt; of source or target to be defined).<br /> # The &lt;tt&gt;range&lt;/tt&gt;/&lt;tt&gt;level&lt;/tt&gt; component defaults to the low/current level of the creating process if no matching &lt;tt&gt;range_transition&lt;/tt&gt; rule was specified in the policy (policy version 27 allows a &lt;tt&gt;default_range&lt;/tt&gt; of source or target with the selected range being low, high or low-high to be defined).<br /> <br /> Notes:<br /> # Filesystems that support &lt;tt&gt;xattr&lt;/tt&gt; extended attributes can be identified via the mount command as there will be a '&lt;tt&gt;seclabel&lt;/tt&gt;' keyword present.<br /> # There are mount options for allocating various context types: &lt;tt&gt;context=&lt;/tt&gt;, &lt;tt&gt;fscontext=&lt;/tt&gt;, &lt;tt&gt;defcontext=&lt;/tt&gt; and &lt;tt&gt;rootcontext=&lt;/tt&gt;. They are fully described in the &lt;tt&gt;'''mount'''(8)&lt;/tt&gt; man page.<br /> <br /> === Network File System (nfsv4) ===<br /> If labeled NFS is implemented with &lt;tt&gt;xattr&lt;/tt&gt; support, then the creation of inodes is treated as described in the [[#Files| Files]] section. <br /> <br /> === INET Sockets ===<br /> Sockets created by the &lt;tt&gt;'''socket'''(3)&lt;/tt&gt; call are labeled as follows:<br /> <br /> # The user component is inherited from the creating process (policy version 27 allows a &lt;tt&gt;default_user&lt;/tt&gt; of source or target to be defined for each socket object class).<br /> # The role component is inherited from the creating process (policy version 26 allows a &lt;tt&gt;role_transition&lt;/tt&gt; and version 27 allows a &lt;tt&gt;default_role&lt;/tt&gt; of source or target to be defined for each socket object class). 
<br /> # The type component is inherited from the creating process if no matching &lt;tt&gt;type_transition&lt;/tt&gt; rule was specified in the policy (policy version 28 allows a &lt;tt&gt;default_type&lt;/tt&gt; of source or target to be defined for each socket object class).<br /> # The &lt;tt&gt;range&lt;/tt&gt;/&lt;tt&gt;level&lt;/tt&gt; component is inherited from the creating process if no matching &lt;tt&gt;range_transition&lt;/tt&gt; rule was specified in the policy (policy version 27 allows a &lt;tt&gt;default_range&lt;/tt&gt; of source or target with the selected range being low, high or low-high to be defined for each socket object class).<br /> <br /> Security-aware applications may use &lt;tt&gt;'''setsockcreatecon'''(3)&lt;/tt&gt; to explicitly label sockets they create if permitted by policy.<br /> <br /> Sockets created by a connection are labeled with the context of the listening process.<br /> <br /> Some sockets may be labeled with the kernel SID to reflect the fact that they are kernel-internal sockets that are not directly exposed to applications.<br /> <br /> === IPC ===<br /> Inherits the label of its creator/parent.<br /> <br /> === Message Queues ===<br /> Inherits the label of its sending process. However, when sending a message that is unlabeled, a new label is computed based on the current process and the message queue it will be stored in as follows:<br /> <br /> # The user component is inherited from the sending process (policy version 27 allows a &lt;tt&gt;default_user&lt;/tt&gt; of source or target to be defined for the message object class).<br /> # The role component is inherited from the sending process (policy version 26 allows a &lt;tt&gt;role_transition&lt;/tt&gt; and version 27 allows a &lt;tt&gt;default_role&lt;/tt&gt; of source or target to be defined for the message object class). 
<br /> # The type component is inherited from the sending process if no matching &lt;tt&gt;type_transition&lt;/tt&gt; rule was specified in the policy (policy version 28 allows a &lt;tt&gt;default_type&lt;/tt&gt; of source or target to be defined for the message object class).<br /> # The &lt;tt&gt;range&lt;/tt&gt;/&lt;tt&gt;level&lt;/tt&gt; component is inherited from the sending process if no matching &lt;tt&gt;range_transition&lt;/tt&gt; rule was specified in the policy (policy version 27 allows a &lt;tt&gt;default_range&lt;/tt&gt; of source or target with the selected range being low, high or low-high to be defined for the message object class).<br /> <br /> === Semaphores ===<br /> Inherits the label of its creator/parent.<br /> <br /> === Shared Memory ===<br /> Inherits the label of its creator/parent.<br /> <br /> === Keys ===<br /> Inherits the label of its creator/parent.<br /> <br /> Security-aware applications may use &lt;tt&gt;'''setkeycreatecon'''(3)&lt;/tt&gt; to explicitly label keys they create if permitted by policy.<br /> <br /> == Using libselinux Functions ==<br /> === avc_compute_create and security_compute_create ===<br /> The table below&lt;ref name=&quot;ftn8&quot;&gt;The table only contains the kernel version; the text gives the policy version also required.&lt;/ref&gt; shows how the components from the source context &lt;tt&gt;scon&lt;/tt&gt;, target context &lt;tt&gt;tcon&lt;/tt&gt; and class &lt;tt&gt;tclass&lt;/tt&gt; are used to compute the new context &lt;tt&gt;newcon&lt;/tt&gt; (referenced by SIDs for &lt;tt&gt;'''avc_compute_create'''(3)&lt;/tt&gt;). 
The following notes also apply:<br /> <br /> # Any valid policy &lt;tt&gt;role_transition&lt;/tt&gt;, &lt;tt&gt;type_transition&lt;/tt&gt; and &lt;tt&gt;range_transition&lt;/tt&gt; enforcement rules will influence the final outcome as shown.<br /> # For kernels earlier than 2.6.39 the context generated will depend on whether the class is &lt;tt&gt;process&lt;/tt&gt; or any other class.<br /> # For kernels 2.6.39 and above the following also applies:<br /> <br /> # Those classes suffixed by &lt;tt&gt;socket&lt;/tt&gt; will also be included in the &lt;tt&gt;process&lt;/tt&gt; class outcome. <br /> # If there is a valid &lt;tt&gt;role_transition&lt;/tt&gt; rule for &lt;tt&gt;tclass&lt;/tt&gt;, then use that instead of the default &lt;tt&gt;object_r&lt;/tt&gt;. Also requires policy version 26 or greater - see &lt;tt&gt;'''security_policyvers'''(3)&lt;/tt&gt;.<br /> # If the &lt;tt&gt;type_transition&lt;/tt&gt; rule is classed as the 'file name transition rule' (i.e. it has an &lt;tt&gt;object_name&lt;/tt&gt; parameter), then, provided the object name in the rule matches the last component of the object's name (in this case a file or directory name), use the rule's &lt;tt&gt;default_type&lt;/tt&gt;. Also requires policy version 25 or greater.<br /> <br /> # For kernels 3.5 and above with policy version 27 or greater, the &lt;tt&gt;default_user&lt;/tt&gt;, &lt;tt&gt;default_role&lt;/tt&gt; and &lt;tt&gt;default_range&lt;/tt&gt; statements will influence the &lt;tt&gt;user&lt;/tt&gt;, &lt;tt&gt;role&lt;/tt&gt; and &lt;tt&gt;range&lt;/tt&gt; of the computed context for the specified class &lt;tt&gt;tclass&lt;/tt&gt;. 
With policy version 28 or greater the &lt;tt&gt;default_type&lt;/tt&gt; statement can also influence the &lt;tt&gt;type&lt;/tt&gt; in the computed context.<br /> <br /> {| border=&quot;1&quot;<br /> | &lt;center&gt;user&lt;/center&gt;<br /> | &lt;center&gt;role&lt;/center&gt;<br /> | &lt;center&gt;type&lt;/center&gt;<br /> | &lt;center&gt;range&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;If kernel &gt;= 3.5 with a '''default_user '''tclass''' target''' rule then use tcon user&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use scon user&lt;/center&gt;<br /> | &lt;center&gt;If kernel &gt;=2.6.39, and there is a valid&lt;/center&gt;<br /> <br /> &lt;center&gt;'''role_transition'''&lt;/center&gt;<br /> <br /> &lt;center&gt; rule then use the rules new_role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_role '''tclass''' source''' rule then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_role '''tclass''' target''' rule then use tcon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and tclass is '''process''' or &lt;nowiki&gt;*socket&lt;/nowiki&gt;, then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use '''object_r'''&lt;/center&gt;<br /> <br /> <br /> <br /> | &lt;center&gt;If there is a valid&lt;/center&gt;<br /> <br /> &lt;center&gt;'''type_transition'''&lt;/center&gt;<br /> <br /> &lt;center&gt;rule then use the rules default_type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> 
&lt;center&gt;If kernel &gt;= 3.5 with '''default_type '''tclass''' source''' rule then use scon type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_type '''tclass''' target''' rule then use tcon type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and &lt;tt&gt;tclass&lt;/tt&gt; is &lt;tt&gt;'''process'''&lt;/tt&gt; or &lt;tt&gt;&lt;nowiki&gt;*socket&lt;/nowiki&gt;&lt;/tt&gt;, then use &lt;tt&gt;scon&lt;/tt&gt; &lt;tt&gt;type&lt;/tt&gt;&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use tcon type&lt;/center&gt;<br /> <br /> <br /> <br /> | &lt;center&gt;If there is a valid&lt;/center&gt;<br /> <br /> &lt;center&gt;'''range_transition'''&lt;/center&gt;<br /> <br /> &lt;center&gt; rule then use the rules new_range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source low''' rule then use scon low&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source high''' rule then use scon high&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source low_high''' rule then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' target low''' rule then use tcon low&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range 
'''tclass''' target high''' rule then use tcon high&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' target low_high''' rule then use tcon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and tclass is '''process''' or &lt;nowiki&gt;*socket&lt;/nowiki&gt;, then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use scon low&lt;/center&gt;<br /> <br /> |}<br /> <br /> <br /> === avc_compute_member and security_compute_member ===<br /> The table below&lt;ref name=&quot;ftn9&quot;&gt;The table only contains the kernel version; the text gives the policy version also required.&lt;/ref&gt; shows how the components from the source context &lt;tt&gt;scon&lt;/tt&gt;, target context &lt;tt&gt;tcon&lt;/tt&gt; and class &lt;tt&gt;tclass&lt;/tt&gt; are used to compute the new context &lt;tt&gt;newcon&lt;/tt&gt; (referenced by SIDs for &lt;tt&gt;'''avc_compute_member'''(3)&lt;/tt&gt;). The following notes also apply:<br /> <br /> # Any valid policy &lt;tt&gt;type_member&lt;/tt&gt; enforcement rules will influence the final outcome as shown.<br /> # For kernels earlier than 2.6.39 the context generated will depend on whether the class is &lt;tt&gt;process&lt;/tt&gt; or any other class. 
<br /> # For kernels 2.6.39 and above, those classes suffixed by &lt;tt&gt;socket&lt;/tt&gt; are also included in the &lt;tt&gt;process&lt;/tt&gt; class outcome.<br /> # For kernels 3.5 and above with policy version 28 or greater, the &lt;tt&gt;default_role&lt;/tt&gt;, &lt;tt&gt;default_range&lt;/tt&gt; statements will influence the &lt;tt&gt;role&lt;/tt&gt; and &lt;tt&gt;range&lt;/tt&gt; of the computed context for the specified class &lt;tt&gt;tclass&lt;/tt&gt;. With policy version 28 or greater the &lt;tt&gt;default_type&lt;/tt&gt; statement can also influence the &lt;tt&gt;type&lt;/tt&gt; in the computed context.<br /> <br /> {| border=&quot;1&quot;<br /> | &lt;center&gt;user&lt;/center&gt;<br /> | &lt;center&gt;role&lt;/center&gt;<br /> | &lt;center&gt;type&lt;/center&gt;<br /> | &lt;center&gt;range&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;Always uses tcon user&lt;/center&gt;<br /> | &lt;center&gt;If kernel &gt;= 3.5 with '''default_role '''tclass''' source''' rule then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_role '''tclass''' target''' rule then use tcon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and tclass is '''process''' or &lt;nowiki&gt;*socket&lt;/nowiki&gt;, then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use '''object_r'''&lt;/center&gt;<br /> <br /> <br /> <br /> | &lt;center&gt;If there is a valid&lt;/center&gt;<br /> <br /> &lt;center&gt;'''type_member'''&lt;/center&gt;<br /> <br /> &lt;center&gt;rule then use the rule's member_type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br 
/> &lt;center&gt;If kernel &gt;= 3.5 with '''default_type '''tclass''' source''' rule then use scon type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_type '''tclass''' target''' rule then use tcon type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and &lt;tt&gt;tclass&lt;/tt&gt; is &lt;tt&gt;'''process'''&lt;/tt&gt; or &lt;tt&gt;&lt;nowiki&gt;*socket&lt;/nowiki&gt;&lt;/tt&gt;, then use &lt;tt&gt;scon&lt;/tt&gt; &lt;tt&gt;type&lt;/tt&gt;&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use tcon type&lt;/center&gt;<br /> <br /> <br /> <br /> | &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source low''' rule then use scon low&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source high''' rule then use scon high&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source low_high''' rule then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' target low''' rule then use tcon low&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' target high''' rule then use tcon high&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' target low_high''' rule then use tcon 
range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and tclass is '''process''' or &lt;nowiki&gt;*socket&lt;/nowiki&gt;, then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use scon low&lt;/center&gt;<br /> <br /> |}<br /> <br /> <br /> === security_compute_relabel ===<br /> The table below&lt;ref name=&quot;ftn10&quot;&gt;The table only contains the kernel version; the text also gives the policy version required.&lt;/ref&gt; shows how the components from the source context &lt;tt&gt;scon&lt;/tt&gt;, target context &lt;tt&gt;tcon&lt;/tt&gt; and class &lt;tt&gt;tclass&lt;/tt&gt; are used to compute the new context &lt;tt&gt;newcon&lt;/tt&gt; for &lt;tt&gt;'''security_compute_relabel'''(3)&lt;/tt&gt;. The following notes also apply:<br /> <br /> # Any valid policy &lt;tt&gt;type_change&lt;/tt&gt; enforcement rules will influence the final outcome shown in the table.<br /> # For kernels less than 2.6.39 the context generated will depend on whether the class is &lt;tt&gt;process&lt;/tt&gt; or any other class. <br /> # For kernels 2.6.39 and above, those classes suffixed by &lt;tt&gt;'''socket'''&lt;/tt&gt; are also included in the &lt;tt&gt;process&lt;/tt&gt; class outcome.<br /> # For kernels 3.5 and above with policy version 28 or greater, the &lt;tt&gt;default_user&lt;/tt&gt;, &lt;tt&gt;default_role&lt;/tt&gt;, &lt;tt&gt;default_range&lt;/tt&gt; statements will influence the &lt;tt&gt;user&lt;/tt&gt;, &lt;tt&gt;role&lt;/tt&gt; and &lt;tt&gt;range&lt;/tt&gt; of the computed context for the specified class &lt;tt&gt;tclass&lt;/tt&gt;. 
With policy version 28 or greater the &lt;tt&gt;default_type&lt;/tt&gt; statement can also influence the &lt;tt&gt;type&lt;/tt&gt; in the computed context.<br /> <br /> <br /> {| border=&quot;1&quot;<br /> | &lt;center&gt;user&lt;/center&gt;<br /> | &lt;center&gt;role&lt;/center&gt;<br /> | &lt;center&gt;type&lt;/center&gt;<br /> | &lt;center&gt;range&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;If kernel &gt;= 3.5 with a '''default_user '''tclass''' target''' rule then use tcon user&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use scon user&lt;/center&gt;<br /> | &lt;center&gt;If kernel &gt;= 3.5 with '''default_role '''tclass''' source''' rule then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_role '''tclass''' target''' rule then use tcon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and tclass is '''process''' or &lt;nowiki&gt;*socket&lt;/nowiki&gt;, then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon role&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use '''object_r'''&lt;/center&gt;<br /> <br /> <br /> <br /> | &lt;center&gt;If there is a valid&lt;/center&gt;<br /> <br /> &lt;center&gt;'''type_change'''&lt;/center&gt;<br /> <br /> &lt;center&gt;rule then use the rule's change_type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_type '''tclass''' source''' rule then use scon type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_type '''tclass''' target''' rule then use tcon 
type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and &lt;tt&gt;tclass&lt;/tt&gt; is &lt;tt&gt;'''process'''&lt;/tt&gt; or &lt;tt&gt;&lt;nowiki&gt;*socket&lt;/nowiki&gt;&lt;/tt&gt;, then use &lt;tt&gt;scon&lt;/tt&gt; &lt;tt&gt;type&lt;/tt&gt;&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon type&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use tcon type&lt;/center&gt;<br /> <br /> <br /> <br /> | &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source low''' rule then use scon low&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source high''' rule then use scon high&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' source low_high''' rule then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' target low''' rule then use tcon low&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' target high''' rule then use tcon high&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 3.5 with '''default_range '''tclass''' target low_high''' rule then use tcon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> &lt;center&gt;If kernel &gt;= 2.6.39 and tclass is '''process''' or &lt;nowiki&gt;*socket&lt;/nowiki&gt;, then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''OR'''&lt;/center&gt;<br /> <br /> 
&lt;center&gt;&lt;nowiki&gt;If kernel &lt;= 2.6.38 and &lt;/nowiki&gt;tclass is '''process''', then use scon range&lt;/center&gt;<br /> <br /> &lt;center&gt;'''ELSE'''&lt;/center&gt;<br /> <br /> &lt;center&gt;Use scon low&lt;/center&gt;<br /> <br /> |}<br /> <br /> ----<br /> &lt;references/&gt;<br /> <br /> [[Category:Notebook]]</div> RichardHaines