From patchwork Wed Sep 9 13:30:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11769501 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9DADA59D for ; Thu, 10 Sep 2020 22:01:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 549C3221E5 for ; Thu, 10 Sep 2020 22:01:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="KCBe8mP7" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725287AbgIJWBz (ORCPT ); Thu, 10 Sep 2020 18:01:55 -0400 Received: from mailomta23-re.btinternet.com ([213.120.69.116]:55114 "EHLO re-prd-fep-048.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725306AbgIJWBz (ORCPT ); Thu, 10 Sep 2020 18:01:55 -0400 Received: from re-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.54.6]) by re-prd-fep-049.btinternet.com with ESMTP id <20200909133043.HJKH4131.re-prd-fep-049.btinternet.com@re-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 9 Sep 2020 14:30:43 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599658243; bh=fDp+aiYMiKuGOrDkASPb9CISSP9yZVmBgu7MP00KTiM=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=KCBe8mP79KdUY+qAdznaP7QIlZXIfbau0TJwLCmZGp0/A+KKsG7m0YsBxqM6bLfslLpvOht4B0CZghcNOeV5iGTuhyP3HTmgT5Z+/6rxjbtCjQU/GHZEDP37kbGkHJI9OGBRxj2PuN3CPSynjdTBvRlWWQtvcCAlJ+0e6xSgCq6fk50qo223R80pIkHf3MxR762GwiSR9DM5sqTH4om7JQ0Esis28sCf/Q5pMlZFBRpuQaZN5csqlEpd7jmTl0tuUNbVFx+pR54TgDQ7lZQwyXw5KWWfyiB2eWBVsu4hWvp6Rjf551iOQfUxFJwHdhBfRGSgQW5Ru2m9PsANJTjVkw== Authentication-Results: btinternet.com; none X-Originating-IP: [86.154.154.133] X-OWM-Source-IP: 86.154.154.133 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudehhedgiedvucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeffieeigefgkeekteeifeffheevgfettdehjeeifeffudfggfdvkeefhefggeehveenucffohhmrghinheptghomhhprghrthhmvghnthhsrdgtvghnthgvrhdptggrthgvghhorhhivghsrdgtvghnthgvrhdpphholhhitgihrdgtvghnthgvrhenucfkphepkeeirdduheegrdduheegrddufeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpeekiedrudehgedrudehgedrudeffedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgr ihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (86.154.154.133) by re-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9C2FD10134D7F; Wed, 9 Sep 2020 14:30:43 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 02/22] mls_statements: Convert to markdown Date: Wed, 9 Sep 2020 14:30:19 +0100 Message-Id: <20200909133039.44498-3-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Remove table 1 as didn't seem to add anything. Signed-off-by: Richard Haines --- src/mls_statements.md | 461 +++++++++++++++--------------------------- 1 file changed, 167 insertions(+), 294 deletions(-) diff --git a/src/mls_statements.md b/src/mls_statements.md index f61ced6..05ba185 100644 --- a/src/mls_statements.md +++ b/src/mls_statements.md @@ -1,74 +1,30 @@ # MLS Statements +- [MLS range Definition](#mls-range-definition) +- [*sensitivity*](#sensitivity) +- [*dominance*](#dominance) +- [*category*](#category) +- [*level*](#level) +- [*range_transition*](#range_transition) +- [*mlsconstrain*](#mlsconstrain) +- [*mlsvalidatetrans*](#mlsvalidatetrans) + The optional MLS policy extension adds an additional security context component that consists of the following highlighted entries: -``` -user:role:type:sensitivity[:category,...]- sensitivity [:category,...] -``` +*user:role:type:* ***sensitivity[:category,...] - sensitivity [:category,...]*** -These consist of a mandatory hierarchical -[**sensitivity**](#sensitivity) and optional -non-hierarchical [**category**](#category)'s. The -combination of the two comprise a [**level**](#level) or security level as -shown in **Table 1: Sensitivity and Category = Security Level**. Depending on -the circumstances, there can be one level defined or a -[**range**](#mls-range-definition) as shown in **Table 1**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Security Level (or Level)

-

Consisting of a sensitivity and zero or more category entries:

Note that SELinux uses level, sensitivity and category
in the language statements (see the MLS Language Statements section),
however when discussing these the following terms can also be used:
labels, classifications, and compartments.

sensitivity [: category, ... ]
also known as:

-

Sensitivity Label

-

Consisting of a classification and compartment.

<-------------- Range -------------->
Low
-
High
sensitivity [: category, ... ]
sensitivity [: category, ... ]
For a process or subject this is the current level or sensitivity
For a process or subject this is the Clearance
For an object this is the current level or sensitivity
For an object this is the maximum range
SystemLow
SystemHigh
This is the lowest level or classification for the system
(for SELinux this is generally 's0', note that there are no categories).
This is the highest level or classification for the system
(for SELinux this is generally 's15:c0,c255',
although note that they will be the highest set by the policy).
- -**Table 1: Sensitivity and Category = Security Level** - *this table shows -the meanings depending on the context being discussed.* +These consist of a mandatory hierarchical [**sensitivity**](#sensitivity) and +optional non-hierarchical [**category**](#category)'s. The combination of the +two comprise a [**level**](#level) or security level. Depending on the +circumstances, there can be one level or a [**range**](#mls-range-definition). To make the security levels more meaningful, it is possible to use the -setransd daemon to translate these to human readable formats. The -**semanage**(8) command will allow this mapping to be defined as discussed +***mcstransd**(8)* daemon to translate these to human readable formats. The +***semanage**(8)* command will allow this mapping to be defined as discussed in the [**setrans.conf**](policy_config_files.md#setrans.conf) section. -#### MLS range Definition +## MLS range Definition The MLS range is appended to a number of statements and defines the lowest and highest security levels. The range can also consist of a single level as @@ -82,23 +38,20 @@ low_level [ - high_level ] **Where:** - - - - - - - - - - - - - - - -
low_level

The processes lowest level identifier that has been previously declared by a level statement.

-

If a high_level is not defined, then it is taken as the same as the low_level.

-The optional hyphen '-' separator if a high_level is also being defined.
high_levelThe processes highest level identifier that has been previously declared by a level statement.
+*low_level* + +The processes lowest level identifier that has been previously declared by a +[*level*](#level) statement. If a *high_level* is not defined, then it is taken +as the same as the *low_level*. + +*\-* + +The optional hyphen '-' separator if a *high_level* is also being defined. + +*high_level* + +The processes highest level identifier that has been previously declared by +a [*level*](#level) statement. ## *sensitivity* @@ -113,53 +66,35 @@ sensitivity sens_id [alias sensitivityalias_id ...]; **Where:** - - - - - - - - - - - - - - - - - - - -
sensitivityThe sensitivity keyword.
sens_idThe sensitivity identifier.
aliasThe optional alias keyword.
sensitivityalias_idOne or more sensitivity alias identifiers in a space separated list.
+*sensitivity* + +The *sensitivity* keyword. + +*sens_id* + +The *sensitivity* identifier. + +*alias* + +The optional *alias* keyword. + +*sensitivityalias_id* + +One or more sensitivity alias identifiers in a space separated list. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | Yes | **Examples:** @@ -193,45 +128,29 @@ dominance { sensitivity_id ... } **Where:** - - - - - - - - - - - -
dominanceThe dominance keyword.
sensitivity_idA space separated list of previously declared sensitivity or sensitivityalias identifiers in the order lowest to highest. They are enclosed in braces '{}', and note that there is no terminating semi-colon ';'.
- -The statement is valid in: - - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+*dominance* + +The *dominance* keyword. + +*sensitivity_id* + +A space separated list of previously declared *sensitivity* or +*sensitivityalias* identifiers in the order lowest to highest. They are +enclosed in braces '{}', and note that there is no terminating semi-colon ';'. + +**The statement is valid in:** + +Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** @@ -255,53 +174,35 @@ category category_id [alias categoryalias_id ...]; **Where:** - - - - - - - - - - - - - - - - - - - -
categoryThe category keyword.
category_idThe category identifier.
aliasThe optional alias keyword.
categoryalias_idOne or more alias identifiers in a space separated list.
+*category* + +The *category* keyword. + +*category_id* + +The *category* identifier. + +*alias* + +The optional *alias* keyword. + +*categoryalias_id* + +One or more *alias* identifiers in a space separated list. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | Yes | **Examples:** @@ -337,52 +238,40 @@ level sensitivity_id [ :category_id ]; **Where:** - - - - - - - - - - - - - - - -
levelThe level keyword.
sensitivity_idA previously declared sensitivity or sensitivityalias identifier.
category_idAn optional set of zero or more previously declared category or categoryalias identifiers that are preceded by a colon ':', that can be written as follows: -

The period '.' separating two category identifiers means an inclusive set (e.g. c0.c16).

-

The comma ',' separating two category identifiers means a non-contiguous list (e.g. c21,c36,c45).

-

Both separators may be used (e.g. c0.c16,c21,c36,c45).

+*level* + +The *level* keyword. + +*sensitivity_id* + +A previously declared *sensitivity* or *sensitivityalias* identifier. + +*category_id* + +An optional set of zero or more previously declared *category* or +*categoryalias* identifiers that are preceded by a colon ':', that can be +written as follows: + +- The period '.' separating two *category* identifiers means an inclusive + set (e.g. *c0.c16*). +- The comma ',' separating two *category* identifiers means a non-contiguous + list (e.g. *c21,c36,c45*). + +Both separators may be used (e.g. *c0.c16,c21,c36,c45*). **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** @@ -417,55 +306,39 @@ range_transition source_type target_type : class new_range; **Where:** - - - - - - - - - - - - - - - - - - - -
range_transitionThe range_transition keyword.

source_type

-

target_type

One or more source / target type or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces'{}'.

-

Entries can be excluded from the list by using the negative operator '-'.

classThe optional object class keyword (this allows policy versions 21 and greater to specify a class other than the default of process).
new_rangeThe new MLS range for the object class. The format of this field is described in the "MLS range Definition" section.
+*range_transition* + +The *range_transition* keyword. + +*source_type*, *target_type* + +One or more source / target *type* or *attribute* identifiers. Multiple entries +consist of a space separated list enclosed in braces'{}'. +Entries can be excluded from the list by using the negative operator '-'. + +*class* + +The optional object *class* keyword (this allows policy versions 21 and greater +to specify a class other than the default of *process*). + +*new_range* + +The new MLS range for the object class. The format of this field is described +in the [MLS range Definition](#mls-range-definition) section. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:**