[07/22] security_context: Convert to markdown

Message ID	20200909133039.44498-8-richard_c_haines@btinternet.com (mailing list archive)
State	Accepted
Headers	show Return-Path: <SRS0=Milt=CT=vger.kernel.org=selinux-owner@kernel.org> From: Richard Haines <richard_c_haines@btinternet.com> To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines <richard_c_haines@btinternet.com> Subject: [PATCH 07/22] security_context: Convert to markdown Date: Wed, 9 Sep 2020 14:30:24 +0100 Message-Id: <20200909133039.44498-8-richard_c_haines@btinternet.com> In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: selinux-owner@vger.kernel.org Precedence: bulk
Series	SELinux Notebook: Convert batch 3 to markdown/tidy up \| expand [00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up [01/22] kernel_policy_language: Tidy up formatting [02/22] mls_statements: Convert to markdown [03/22] object_classes_permissions: : Tidy up formatting [04/22] policy_config_files: Tidy up formatting [05/22] policy_validation_example: Tidy up formatting [06/22] postgresql: Tidy up formatting [07/22] security_context: Convert to markdown [08/22] selinux_cmds: Convert to markdown [09/22] selinux_overview: Convert to markdown [10/22] sid_statement: Convert to markdown [11/22] subjects: Convert to markdown [12/22] toc: Tidy up formatting [13/22] type_enforcement: Convert to markdown [14/22] type_statements: Add toc, tidy up formatting [15/22] types_of_policy: Convert to markdown [16/22] user_statements:: Tidy up formatting [17/22] users: Tidy up formatting [18/22] userspace_libraries: Tidy up formatting, add toc [19/22] vm_support: Tidy up formatting [20/22] x_windows: Tidy up formatting [21/22] xen_statements: Tidy up formatting [22/22] xperm_rules: Tidy up formatting

Message ID

20200909133039.44498-8-richard_c_haines@btinternet.com (mailing list archive)

State

Accepted

Headers

From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 07/22] security_context: Convert to markdown
Date: Wed,  9 Sep 2020 14:30:24 +0100
Message-Id: <20200909133039.44498-8-richard_c_haines@btinternet.com>
In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com>
References: <20200909133039.44498-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: selinux-owner@vger.kernel.org
Precedence: bulk

Series

SELinux Notebook: Convert batch 3 to markdown/tidy up | expand

Commit Message

Richard Haines Sept. 9, 2020, 1:30 p.m. UTC

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/security_context.md | 83 ++++++++++++++++++++++-------------------
 1 file changed, 45 insertions(+), 38 deletions(-)

diff --git a/src/security_context.md b/src/security_context.md
index 3ca93a2..cb0fc4a 100644
--- a/src/security_context.md
+++ b/src/security_context.md
@@ -20,47 +20,50 @@  user:role:type[:range]
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>user</code></td>
-<td>The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.</td>
-</tr>
-<tr>
-<td><code>role</code></td>
-<td>The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.</td>
-</tr>
-<tr>
-<td><code>type</code></td>
-<td><p>When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access.</p>
-<p>When a type is associated with an object, it defines what access permissions the SELinux user has to that object.</p></td>
-</tr>
-<tr>
-<td><code>range</code></td>
-<td><p>This field can also be know as a <em>level</em> and is only present if the policy supports MCS or MLS. The entry can consist of:
-<p>A single security level that contains a sensitivity level and zero or more categories (e.g. s0, s1:c0, s7:c10.c15).</p>
-<p>A range that consists of two security levels (a low and high) separated by a hyphen (e.g. s0 - s15:c0.c1023).</p>
-<p>These components are discussed in the <a href="mls_mcs.md#security-levels">Security Levels</a> section.</p></td>
-</tr>
-</tbody>
-</table>
+*user*
+
+- The SELinux user identity. This can be associated to one or more roles
+  that the SELinux user is allowed to use.
+
+*role*
+
+- The SELinux role. This can be associated to one or more types the SELinux
+  user is allowed to access.
+
+*type*
+
+- When a type is associated with a process, it defines what processes
+  (or domains) the SELinux user (the subject) can access.
+  When a type is associated with an object, it defines what access
+  permissions the SELinux user has to that object.
+
+*range*
+
+- This field can also be know as a *level* and is only present if the policy
+  supports MCS or MLS. The entry can consist of:
+  - A single security level that contains a sensitivity level and zero
+    or more categories (e.g. *s0*, *s1:c0*, *s7:c10.c15*).
+  - A range that consists of two security levels (a low and high) separated
+   by a hyphen (e.g. *s0 - s15:c0.c1023*).
+- These components are discussed in the
+  [**Security Levels**]( mls_mcs.md#security-levels) section.
 
 However note that:
 
-1.  Access decisions regarding a subject make use of all the components
-    of the **security context**.
-2.  Access decisions regarding an object make use of the components as
-    follows:
-    1.  the user is either set to a special user called system_u or it
-        is set to the SELinux user id of the creating process. It is
-        possible to add constraints on users within policy based on
-        their object class (an example of this is the Reference Policy
-        UBAC (User Based Access Control) option.
-    2.  the role is generally set to a special SELinux internal role of
-        'object_r`, although policy version 26 with kernel 2.6.39 and
-        above do support role transitions on any object class. It is
-        then possible to add constraints on the role within policy
-        based on their object class.
+1. Access decisions regarding a subject make use of all the components
+   of the **security context**.
+2. Access decisions regarding an object make use of the components as
+   follows:
+    1. the user is either set to a special user called *system_u*[^fn_sc_1]
+       or it is set to the SELinux user id of the creating process. It is
+       possible to add constraints on users within policy based on
+       their object class (an example of this is the Reference Policy
+       UBAC (User Based Access Control) option.
+    2. the role is generally set to a special SELinux internal role of
+       *object_r*, although policy version 26 with kernel 2.6.39 and
+       above do support role transitions on any object class. It is
+       then possible to add constraints on the role within policy
+       based on their object class.
 
 The [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts)
 section decribes how SELinux computes the security context components based
@@ -116,6 +119,10 @@  unconfined_u:object_r:out_file_t Message-11
 # (see the process example above). The role remained as object_r.
 ```
 
+[^fn_sc_1]: The user *system_u* name is not mandatory, it is used to signify
+a special user in the Reference Policy. It is also used in some SELinux
+utilities.
+
 <!-- %CUTHERE% -->
 
 ---

[07/22] security_context: Convert to markdown

Commit Message

Patch