Chris PeBenito | 31b7c0
The Makefile targets are:
    policy - compile the policy configuration.
    install - compile and install the policy configuration.
    load - compile, install, and load the policy configuration.
    relabel - relabel the filesystem.
    check-all - check individual additional policy files in domains/program/unused.
    checkunused/FILE.te - check individual file FILE from domains/program/unused.

If you have configured MLS into your module, then set MLS=y in the
Makefile prior to building the policy. Of course, you must have also
built checkpolicy with MLS enabled.

Three of the configuration files are independent of the particular
security policy:

1) flask/security_classes -
   This file has a simple declaration for each security class.
   The corresponding symbol definitions are in the automatically
   generated header file <selinux/flask.h>.

2) flask/initial_sids -
   This file has a simple declaration for each initial SID.
   The corresponding symbol definitions are in the automatically
   generated header file <selinux/flask.h>.

3) access_vectors -
   This file defines the access vectors. Common prefixes for
   access vectors may be defined at the beginning of the file.
   After the common prefixes are defined, an access vector
   may be defined for each security class.
   The corresponding symbol definitions are in the automatically
   generated header file <selinux/av_permissions.h>.

In addition to being read by the security server, these configuration
files are used during the kernel build to automatically generate
symbol definitions used by the kernel for security classes, initial
SIDs and permissions. Since the symbol definitions generated from
these files are used during the kernel build, the values of existing
security classes and permissions may not be modified by load_policy.
However, new classes may be appended to the list of classes and new
permissions may be appended to the list of permissions associated with
each access vector definition.

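The append-only rule is easy to break by hand: inserting a permission in the
middle of a common block, or reordering two class declarations, silently
shifts every later value away from what the running kernel was built with.
The following is an added example, not part of the policy sources, that
parses two revisions of security_classes and access_vectors and reports
every class or permission whose value would change. It assumes the simple
"class NAME", "common NAME { ... }" and "class NAME [inherits COMMON] { ... }"
forms with "#" comments; the sample inputs are constructed for the example.

```python
from typing import Dict, List


def _tokens(text: str) -> List[str]:
    """Tokenize a flask config file: drop '#' comments, split out braces."""
    body = ' '.join(ln.split('#', 1)[0] for ln in text.splitlines())
    return body.replace('{', ' { ').replace('}', ' } ').split()


def parse_security_classes(text: str) -> List[str]:
    """Ordered class names; position in this list is the class's value."""
    toks = _tokens(text)
    if len(toks) % 2 or any(t != 'class' for t in toks[0::2]):
        raise ValueError('security_classes: expected only "class NAME" entries')
    return toks[1::2]


def parse_access_vectors(text: str) -> Dict[str, List[str]]:
    """{class: [perm, ...]} with 'common' blocks expanded in place.

    Inherited common permissions come first, then the class's own, so the
    list position is the permission's bit position in the generated header.
    """
    toks = _tokens(text)
    commons, classes = {}, {}

    def block(j: int):
        if j >= len(toks) or toks[j] != '{':
            raise ValueError(f'expected "{{" at token {j}')
        end = toks.index('}', j)          # ValueError if the block is unterminated
        return toks[j + 1:end], end + 1

    i = 0
    while i < len(toks):
        if i + 1 >= len(toks):
            raise ValueError('truncated declaration')
        kw, name = toks[i], toks[i + 1]
        if kw == 'common':
            commons[name], i = block(i + 2)
        elif kw == 'class':
            perms, i = [], i + 2
            if i < len(toks) and toks[i] == 'inherits':
                perms, i = list(commons[toks[i + 1]]), i + 2
            if i < len(toks) and toks[i] == '{':
                own, i = block(i)
                perms += own
            classes[name] = perms
        else:
            raise ValueError(f'unexpected keyword {kw!r}')
    return classes


def check_append_only(old_classes, new_classes, old_av, new_av) -> List[str]:
    """Violations of the append-only rule; an empty list means every existing
    class and permission keeps the value the kernel was built with."""
    problems = []
    for idx, cls in enumerate(old_classes):
        if idx >= len(new_classes) or new_classes[idx] != cls:
            problems.append(f'class {cls!r} no longer has value {idx + 1}')
    for cls, perms in old_av.items():
        if cls not in new_av:
            problems.append(f'access vector for class {cls!r} removed')
            continue
        for idx, perm in enumerate(perms):
            if idx >= len(new_av[cls]) or new_av[cls][idx] != perm:
                problems.append(f'{cls}:{perm} no longer has bit {idx + 1}')
    return problems


# Constructed sample inputs in the flask/ file syntax; not the policy's files.
OLD_CLASSES = "class security\nclass process\nclass file\n"
NEW_CLASSES_OK = OLD_CLASSES + "class dir\n"                     # appended: fine
NEW_CLASSES_BAD = "class process\nclass security\nclass file\n"  # reordered: bad
OLD_AV = """
common file { ioctl read write }
class file inherits file { execute_no_trans }
class process { fork transition }
"""
NEW_AV_OK = """
common file { ioctl read write }
class file inherits file { execute_no_trans entrypoint }
class process { fork transition sigchld }
"""
NEW_AV_BAD = """
common file { ioctl lock read write }      # 'lock' inserted mid-block: bad
class file inherits file { execute_no_trans }
class process { fork transition }
"""


def audit(old_classes_txt, new_classes_txt, old_av_txt, new_av_txt) -> List[str]:
    return check_append_only(parse_security_classes(old_classes_txt),
                             parse_security_classes(new_classes_txt),
                             parse_access_vectors(old_av_txt),
                             parse_access_vectors(new_av_txt))


if __name__ == '__main__':
    print('ok: ', audit(OLD_CLASSES, NEW_CLASSES_OK, OLD_AV, NEW_AV_OK))
    print('bad:', audit(OLD_CLASSES, NEW_CLASSES_BAD, OLD_AV, NEW_AV_BAD))
```

Run it against the checked-in copies of the files the kernel was built from
and the edited copies before "make load"; any reported line means the policy
will disagree with the kernel's compiled-in symbol values.
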
The policy-dependent configuration files are:

1) tmp/all.te -
   This file defines the Type Enforcement (TE) configuration.
   This file is automatically generated from a collection of files.

   The macros subdirectory contains a collection of m4 macro definitions
   used by the TE configuration. The global_macros.te file contains global
   macros used throughout the configuration for common groupings of classes
   and permissions and for common sets of rules. The user_macros.te file
   contains macros used in defining user domains. The admin_macros.te file
   contains macros used in defining admin domains. The macros/program
   subdirectory contains macros that are used to instantiate derived domains
   for certain programs that encode information about both the calling user
   domain and the program, permitting the policy to maintain separation
   between different instances of the program.

   The types subdirectory contains several files with declarations for
   general types (types not associated with a particular domain) and
   some rules defining relationships among those types. Related types
   are grouped together into each file in this directory, e.g. all
   device type declarations are in the device.te file.

   The domains subdirectory contains several files and directories
   with declarations and rules for each domain. User domains are defined in
   user.te. Administrator domains are defined in admin.te. Domains for
   specific programs, including both system daemons and other programs, are
   in the .te files within the domains/program subdirectory. The domains/misc
   subdirectory is for miscellaneous domains such as the kernel domain and
   the kernel module loader domain.

   The assert.te file contains assertions that are checked after evaluating
   the entire TE configuration.

2) rbac -
   This file defines the Role-Based Access Control (RBAC) configuration.

3) mls -
   This file defines the Multi-Level Security (MLS) configuration.

4) users -
   This file defines the users recognized by the security policy.

5) constraints -
   This file defines additional constraints on permissions
   in the form of boolean expressions that must be satisfied in order
   for specified permissions to be granted. These constraints
   are used to further refine the type enforcement tables and
   the role allow rules. Typically, these constraints are used
   to restrict changes in user identity or role to certain domains.

6) initial_sid_contexts -
   This file defines the security context for each initial SID.
   A security context consists of a user identity, a role, a type and
   optionally an MLS range if the MLS policy is enabled. If left unspecified,
   the high MLS level defaults to the low MLS level. The syntax of a valid
   security context is:

   user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]

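The grammar above has one trap: the colon is both the field separator and
the separator between a sensitivity and its category list, so a context can
only be split by taking the first three fields as user, role and type and
treating whatever remains as the MLS range. The following is an added
example, not part of the policy sources, that parses contexts this way,
applies the high-defaults-to-low rule, rejects a range when the policy was
not built with MLS, and reads an initial_sid_contexts-style file. It assumes
the file's entries take the form "sid NAME CONTEXT", one per line with "#"
comments, and that identifiers are alphanumeric or underscore; the sample
file is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Identifier shape assumed for user, role, type, sensitivity and category
# names; the README grammar does not spell it out.
_IDENT = r'[A-Za-z0-9_]+'
_LEVEL_RE = re.compile(rf'^({_IDENT})(?::({_IDENT}(?:,{_IDENT})*))?$')


@dataclass(frozen=True)
class Level:
    sensitivity: str
    categories: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level] = None    # None when the context carries no MLS range
    high: Optional[Level] = None


def parse_level(text: str) -> Level:
    """Parse 'sensitivity[:category,...]'."""
    m = _LEVEL_RE.match(text)
    if not m:
        raise ValueError(f'bad MLS level {text!r}')
    cats = tuple(m.group(2).split(',')) if m.group(2) else ()
    return Level(m.group(1), cats)


def parse_context(text: str, mls: bool = False) -> Context:
    """Parse user:role:type[:sens[:cat,...][-sens[:cat,...]]].

    The first three colon-separated fields are fixed; everything after them
    is the MLS range, which itself contains colons. A range is only legal
    when the policy was built with MLS, and an unspecified high level
    defaults to the low level, as the README states.
    """
    parts = text.split(':')
    if len(parts) < 3 or not all(re.fullmatch(_IDENT, p) for p in parts[:3]):
        raise ValueError(f'bad context {text!r}: expected user:role:type')
    user, role, typ = parts[:3]
    rng = ':'.join(parts[3:])
    if not rng:
        return Context(user, role, typ)
    if not mls:
        raise ValueError(f'bad context {text!r}: MLS range but MLS is disabled')
    if '-' in rng:
        low_s, high_s = rng.split('-', 1)
        low, high = parse_level(low_s), parse_level(high_s)
    else:
        low = high = parse_level(rng)   # high defaults to low
    return Context(user, role, typ, low, high)


def is_valid_context(text: str, mls: bool = False) -> bool:
    try:
        parse_context(text, mls)
        return True
    except ValueError:
        return False


def parse_initial_sid_contexts(text: str, mls: bool = False) -> Dict[str, Context]:
    """Read 'sid NAME CONTEXT' lines (assumed file layout) into {NAME: Context}."""
    sids: Dict[str, Context] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] != 'sid':
            raise ValueError(f'line {lineno}: expected "sid NAME CONTEXT"')
        if fields[1] in sids:
            raise ValueError(f'line {lineno}: duplicate sid {fields[1]!r}')
        sids[fields[1]] = parse_context(fields[2], mls)
    return sids


# Constructed sample in the assumed initial_sid_contexts layout; not the policy's file.
SAMPLE_INITIAL_SID_CONTEXTS = """
# initial SID contexts (constructed sample)
sid kernel     system_u:system_r:kernel_t:s0-s1:c0,c1
sid security   system_u:object_r:security_t:s0
sid unlabeled  system_u:object_r:unlabeled_t:s0
"""

if __name__ == '__main__':
    for name, ctx in parse_initial_sid_contexts(SAMPLE_INITIAL_SID_CONTEXTS, mls=True).items():
        print(name, ctx)
```

Parsing the file with mls=False is a quick way to catch a range that crept
into a context before checkpolicy is run against a non-MLS build.
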
7) fs_use -
   This file defines the labeling behavior for inodes in particular
   filesystem types.

8) genfs_contexts -
   This file defines security contexts for files in filesystems that
   cannot support persistent label mappings or use one of the fixed
   labeling schemes specified in fs_use.

9) net_contexts -
   This file defines the security contexts of network objects
   such as ports, interfaces, and nodes.

10) file_contexts/{types.fc,program/*.fc} -
   These files define the security contexts for persistent files.

It is possible to test the security server functions on a given policy
configuration by running the checkpolicy program with the -d option.
This program is built from the same sources as the security server
component of the kernel, so it may be used both to verify that a
policy configuration will load successfully and to determine how the
security server would respond if it were using that policy
configuration. A menu-based interface is provided for calling any of
the security server functions after the policy is loaded.