@@ -1,5 +1,7 @@
# Extended Access Vector Rules
+- [*ioctl* Operation Rules](#ioctl-operation-rules)
+
There are three extended AV rules implemented from Policy version 30
with the target platform 'selinux' that expand the permission sets from
a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
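Review bot: the new table-of-contents entry `- [*ioctl* Operation Rules](#ioctl-operation-rules)` only resolves if a heading with exactly that text exists further down in src/xperm_rules.md; none of the hunks in this patch shows it, so confirm the heading and its generated anchor before merging, and check that the entry uses the same list marker and emphasis style as the other TOC entries in the file.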
@@ -66,7 +68,7 @@ Policy Type
Conditional Policy Statements
-| *if* statement | *optional* Statement | *require* Statement |
+| *if* Statement | *optional* Statement | *require* Statement |
| ----------------------- | ----------------------- | ----------------------- |
| No | No | No |
@@ -80,7 +82,7 @@ policy format changes shown in the example below with a brief overview
the final upstream kernel patch).
Ioctl calls are generally used to get or set device options. Policy
-versions < 30 only controls whether an *ioctl* permission is allowed
+versions \> 30 only controls whether an *ioctl* permission is allowed
or not, for example this rule allows the object class *tcp_socket* the
*ioctl* permission:
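Review bot: the replacement line inverts the meaning of the sentence. The section opens by stating that the extended AV rules are implemented from policy version 30, so the statement that policy "only controls whether an *ioctl* permission is allowed or not" must refer to versions before 30; `+versions \> 30 only controls` should read `versions \< 30 only controls`. Escaping the comparison sign so markdown does not treat `<` as the start of a tag is the right fix, but the sign itself should not change. While on this line, "versions ... controls" should be "versions ... control".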
@@ -116,17 +118,17 @@ tclass=udp_socket permissive=0
Notes:
-1. Important: The ioctl operation is not 'deny all' ioctl requests
- (hence whitelisting). It is targeted at the specific
- source/target/class set of ioctl commands. As no other *allowxperm*
- rules have been defined in the example, all other ioctl calls may
- continue to use any valid request parameters (provided there are
- *allow* rules for the *ioctl* permission).
-2. As the ***ioctl**(2)* function requires a file descriptor, its
- context must match the process context otherwise the *fd { use }*
- class/permission is required.
-3. To deny all ioctl requests for a specific source/target/class the
- *xperm_set* should be set to *0* or *0x0*.
+1. Important: The ioctl operation is not 'deny all' ioctl requests
+ (hence whitelisting). It is targeted at the specific
+ source/target/class set of ioctl commands. As no other *allowxperm*
+ rules have been defined in the example, all other ioctl calls may
+ continue to use any valid request parameters (provided there are
+ *allow* rules for the *ioctl* permission).
+2. As the ***ioctl**(2)* function requires a file descriptor, its
+ context must match the process context otherwise the *fd { use }*
+ class/permission is required.
+3. To deny all ioctl requests for a specific source/target/class the
+ *xperm_set* should be set to *0* or *0x0*.
<!-- %CUTHERE% -->
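Review bot: this hunk is a whitespace-only change (the continuation lines of the three numbered notes gain one leading space so they align under the item text), but nothing in the patch says so, and the commit carries no description beyond the Signed-off-by trailer, so a reviewer has to compare the removed and added lines word by word to confirm nothing else moved. Add a one-line commit message stating that the notes were re-indented for markdown list rendering, and consider generating the diff with whitespace changes ignored when posting a re-indent so the substantive hunks (the TOC entry and the version comparison) stand out.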
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/xperm_rules.md | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)