The railroad diagram in Figure 6-9 represents an overview of the syntax of an SELinux policy.
Figure 6-9. The SELinux Policy
As the figure shows, an SELinux policy consists of 11 elements, several of which are optional:
Defines the security object classes recognized by SELinux.
Defines initial SIDs for important security objects.
Defines access vectors associated with each security object class.
Defines MLS configuration (optional).
MLS is not currently implemented in sample SELinux policies and is not covered in this book.
Defines type enforcement and role-based access control configuration.
Defines the user configuration.
Defines constraints that the security policy must observe (optional).
Defines the security contexts of important security objects.
Defines the method of labeling of filesystem inodes.
Defines security contexts for filesystems lacking persistent labels (optional).
Defines security contexts for network objects.
The policy elements must appear in the order indicated by the railroad diagram. However, you generally don’t have to concern yourself with the order of policy statements, because each type of statement resides in a designated file or directory. As explained in Chapter 4, the SELinux policy Makefile assembles ...