O'Reilly logo

SELinux by Bill McCarty

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

SELinux Policy Syntax

The railroad diagram in Figure 6-9 represents an overview of the syntax of an SELinux policy.

The SELinux Policy

Figure 6-9. The SELinux Policy

As the figure shows, an SELinux policy consists of 11 elements, several of which are optional:

classes

Defines the security object classes recognized by SELinux.

initial_sids

Defines initial SIDs for important security objects.

access_vectors

Defines access vectors associated with each security object class.

mls

Defines MLS configuration (optional).

Tip

MLS is not currently implemented in sample SELinux policies and is not covered in this book.

te_rbac

Defines type enforcement and role-based access control configuration.

users

Defines the user configuration.

constraints

Defines constraints that the security policy must observe (optional).

initial_sid_contexts

Defines the security contexts of important security objects.

fs_use

Defines the method of labeling of filesystem inodes.

genfs_contexts

Defines security contexts for filesystems lacking persistent labels (optional).

net_contexts

Defines security contexts for network objects.

The policy elements must appear in the order indicated by the railroad diagram. However, you generally don’t have to concern yourself with the order of policy statements, because each type of statement resides in a designated file or directory. As explained in Chapter 4, the SELinux policy Makefile assembles ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required