SELinux by Bill McCarty

SELinux Policy Structure

Now that we’ve completed our close-up view of an SELinux policy component, let’s return to a wide-angle view. This section explains the conventions observed by SELinux policy developers in choosing where to place policy statements of various types. The explanation is organized around the structure of the SELinux source directory tree, which is typically /etc/security/selinux/src/policy. In good computer science fashion, we’ll first visit the leaf nodes (that is, the subdirectories of the tree) and ultimately visit the root node (that is, the policy directory itself). However, we’ll depart from computer science conventions in one key respect: rather than visit the nodes in lexicographic (alphabetical) order, we’ll visit them in an order in which several nodes having fundamental content are visited first, to facilitate the exposition.

The flask Subdirectory

The flask directory, as implied by being the first subdirectory visited in our traversal of the policy source directory tree, is the most fundamental of the subdirectories. It contains three important files:

  • initial_sids

  • security_classes

  • access_vectors

Like other policy source files, these files are read and processed during policy compilation. In addition, these files are used to generate C header files that are used during compilation of an SELinux-capable Linux kernel. In that context, the files specify symbol definitions for access vectors (that is, permissions), initial SIDs, and security classes. ...
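The following is an added illustration, not code or text from the book, of what the three flask files contain and of how a policy build can turn them into kernel-side symbol definitions. It assumes the declaration syntax those files use (`class` in security_classes, `sid` in initial_sids, and `common`/`class ... inherits ... { ... }` in access_vectors); the excerpts are constructed, and the header-style output only imitates the form of the generated headers, not the exact script a real policy tree runs.

```python
"""Constructed flask/ excerpts and a small generator that derives
class ids, initial SID numbers and access-vector bit positions from them.
Added example; not the book's code or the SELinux project's build script."""
import re

# Constructed excerpt of security_classes: order of appearance gives the id.
SECURITY_CLASSES = """
class security
class process
class file
class dir
"""

# Constructed excerpt of initial_sids: order of appearance gives the number.
INITIAL_SIDS = """
sid kernel
sid security
sid unlabeled
sid file
"""

# Constructed excerpt of access_vectors: a common block shared by several
# classes, then per-class permissions that may inherit it.
ACCESS_VECTORS = """
# permissions shared by file-like classes
common file
{
    ioctl
    read
    write
    create
    getattr
    setattr
}

class file
inherits file
{
    execute_no_trans
    entrypoint
}

class dir
inherits file
{
    add_name
    remove_name
    search
}

class process
{
    fork
    transition
    signal
}
"""


def parse_security_classes(text):
    """Ordered class names; a class's id is its index plus one."""
    return re.findall(r"^\s*class\s+(\w+)", text, re.M)


def parse_initial_sids(text):
    """Map each initial SID name to its number, counting from 1."""
    names = re.findall(r"^\s*sid\s+(\w+)", text, re.M)
    return {name: i + 1 for i, name in enumerate(names)}


def parse_access_vectors(text):
    """Map class name to its permission list, inherited common permissions
    first so they keep the same bit positions in every inheriting class."""
    text = re.sub(r"#.*", "", text)           # drop comments
    decl = re.compile(
        r"(common|class)\s+(\w+)\s*(?:inherits\s+(\w+))?\s*\{([^}]*)\}")
    commons, classes = {}, {}
    for kind, name, inherited, body in decl.findall(text):
        perms = body.split()
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = (commons[inherited] if inherited else []) + perms
    return classes


def access_vector_bits(classes):
    """(class, permission) -> the bit that permission occupies in the
    class's access vector; position follows order in access_vectors."""
    return {(cls, perm): 1 << i
            for cls, perms in classes.items() for i, perm in enumerate(perms)}


def render_header(classes, sids):
    """C #define lines in the style of the generated kernel headers
    (constructed naming, e.g. SECINITSID_KERNEL and FILE__READ)."""
    lines = [f"#define SECINITSID_{n.upper()} {v}" for n, v in sids.items()]
    for (cls, perm), bit in access_vector_bits(classes).items():
        lines.append(f"#define {cls.upper()}__{perm.upper()} 0x{bit:08x}UL")
    return "\n".join(lines)


def allowed(av, classes, cls, perm):
    """True if access vector `av` (an int bitmask) grants `perm` on `cls`."""
    return bool(av & access_vector_bits(classes)[(cls, perm)])


if __name__ == "__main__":
    print(render_header(parse_access_vectors(ACCESS_VECTORS),
                        parse_initial_sids(INITIAL_SIDS)))
```

Running the module prints the header-style definitions; the point to notice is that `read` lands on the same bit for `file` and `dir` because both inherit the common block, while `search`, a `dir`-only permission, is assigned after the inherited ones.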