Chris PeBenito 31b7c0
The Makefile targets are:
policy    - compile the policy configuration.
install   - compile and install the policy configuration.
load      - compile, install, and load the policy configuration.
relabel   - relabel the filesystem.
check-all - check individual additional policy files in domains/program/unused.
checkunused/FILE.te - check individual file FILE from domains/program/unused.

If you have configured MLS into your module, then set MLS=y in the
Makefile prior to building the policy.  Of course, you must have also
built checkpolicy with MLS enabled.

Three of the configuration files are independent of the particular
security policy:
1) flask/security_classes -
   This file has a simple declaration for each security class.
   The corresponding symbol definitions are in the automatically
   generated header file <selinux/flask.h>.

2) flask/initial_sids -
   This file has a simple declaration for each initial SID.
   The corresponding symbol definitions are in the automatically
   generated header file <selinux/flask.h>.

3) access_vectors -
   This file defines the access vectors.  Common prefixes for
   access vectors may be defined at the beginning of the file.
   After the common prefixes are defined, an access vector
   may be defined for each security class.
   The corresponding symbol definitions are in the automatically
   generated header file <selinux/av_permissions.h>.

In addition to being read by the security server, these configuration
files are used during the kernel build to automatically generate
symbol definitions used by the kernel for security classes, initial
SIDs and permissions.  Since the symbol definitions generated from
these files are used during the kernel build, the values of existing
security classes and permissions may not be modified by load_policy.
However, new classes may be appended to the list of classes and new
permissions may be appended to the list of permissions associated with
each access vector definition.

The policy-dependent configuration files are:
1) tmp/all.te -
   This file defines the Type Enforcement (TE) configuration.
   This file is automatically generated from a collection of files.

   The macros subdirectory contains a collection of m4 macro definitions
   used by the TE configuration.  The global_macros.te file contains global
   macros used throughout the configuration for common groupings of classes
   and permissions and for common sets of rules.  The user_macros.te file
   contains macros used in defining user domains.  The admin_macros.te file
   contains macros used in defining admin domains.  The macros/program
   subdirectory contains macros that are used to instantiate derived domains
   for certain programs that encode information about both the calling user
   domain and the program, permitting the policy to maintain separation
   between different instances of the program.

   The types subdirectory contains several files with declarations for
   general types (types not associated with a particular domain) and
   some rules defining relationships among those types.  Related types
   are grouped together into each file in this directory, e.g. all
   device type declarations are in the device.te file.

   The domains subdirectory contains several files and directories
   with declarations and rules for each domain.  User domains are defined in
   user.te.  Administrator domains are defined in admin.te.  Domains for
   specific programs, including both system daemons and other programs, are
   in the .te files within the domains/program subdirectory.  The domains/misc
   subdirectory is for miscellaneous domains such as the kernel domain and
   the kernel module loader domain.

   The assert.te file contains assertions that are checked after evaluating
   the entire TE configuration.

2) rbac -
   This file defines the Role-Based Access Control (RBAC) configuration.

3) mls -
   This file defines the Multi-Level Security (MLS) configuration.

4) users -
   This file defines the users recognized by the security policy.

5) constraints -
   This file defines additional constraints on permissions
   in the form of boolean expressions that must be satisfied in order
   for specified permissions to be granted.  These constraints
   are used to further refine the type enforcement tables and
   the role allow rules.  Typically, these constraints are used
   to restrict changes in user identity or role to certain domains.

6) initial_sid_contexts -
   This file defines the security context for each initial SID.
   A security context consists of a user identity, a role, a type and
   optionally a MLS range if the MLS policy is enabled.  If left unspecified,
   the high MLS level defaults to the low MLS level.  The syntax of a valid
   security context is:

     user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
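As an added illustration (not part of the original README), the following Python parser accepts exactly the security context syntax shown above, rejects a range when MLS is not enabled, and applies the rule that an omitted high level defaults to the low level. The identifier rule, the function names and the sample values (system_u, system_r, kernel_t, s0, c0) are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Identifier rule is an assumption for this example; the README does not define one.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")

@dataclass(frozen=True)
class MlsLevel:
    sensitivity: str
    categories: FrozenSet[str]

@dataclass(frozen=True)
class SecurityContext:
    user: str
    role: str
    type: str
    low: Optional[MlsLevel] = None   # None when the context carries no MLS range
    high: Optional[MlsLevel] = None

def _ident(name: str, where: str) -> str:
    if not IDENT.match(name):
        raise ValueError(f"bad identifier {name!r} in {where!r}")
    return name

def parse_level(text: str) -> MlsLevel:
    """Parse one MLS level written as sensitivity[:category,...]."""
    sens, _, cats = text.partition(":")
    names = cats.split(",") if cats else []
    return MlsLevel(_ident(sens, text), frozenset(_ident(c, text) for c in names))

def parse_context(text: str, mls_enabled: bool) -> SecurityContext:
    """Parse user:role:type[:low[-high]]; a range is only legal under MLS."""
    fields = text.split(":", 3)          # at most user, role, type, range
    if len(fields) < 3:
        raise ValueError(f"need user:role:type, got {text!r}")
    user, role, type_ = (_ident(f, text) for f in fields[:3])
    if len(fields) == 3:
        return SecurityContext(user, role, type_)
    if not mls_enabled:
        raise ValueError(f"MLS range given but MLS is not enabled: {text!r}")
    low_text, dash, high_text = fields[3].partition("-")
    low = parse_level(low_text)
    # README rule: if the high level is left unspecified it defaults to the low level.
    high = parse_level(high_text) if dash else low
    return SecurityContext(user, role, type_, low, high)
```

A context whose high level equals its low level is a single-level context, which is what the default produces for an entry such as a plain `...:s0`.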

7) fs_use -
   This file defines the labeling behavior for inodes in particular
   filesystem types.

8) genfs_contexts -
   This file defines security contexts for files in filesystems that
   cannot support persistent label mappings or use one of the fixed
   labeling schemes specified in fs_use.

9) net_contexts -
   This file defines the security contexts of network objects
   such as ports, interfaces, and nodes.

10) file_contexts/{types.fc,program/*.fc} -
   These files define the security contexts for persistent files.

It is possible to test the security server functions on a given policy
configuration by running the checkpolicy program with the -d option.
This program is built from the same sources as the security server
component of the kernel, so it may be used both to verify that a
policy configuration will load successfully and to determine how the
security server would respond if it were using that policy
configuration.  A menu-based interface is provided for calling any of
the security server functions after the policy is loaded.