From patchwork Wed Sep 2 13:17:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11750633 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3F73C109B for ; Wed, 2 Sep 2020 13:21:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EBD222083B for ; Wed, 2 Sep 2020 13:21:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="rcFLUH5k" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726948AbgIBNU7 (ORCPT ); Wed, 2 Sep 2020 09:20:59 -0400 Received: from mailomta4-sa.btinternet.com ([213.120.69.10]:23987 "EHLO sa-prd-fep-042.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727783AbgIBNSy (ORCPT ); Wed, 2 Sep 2020 09:18:54 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-042.btinternet.com with ESMTP id <20200902131744.VSYZ26396.sa-prd-fep-042.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:44 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052664; bh=4CuCl3ZGb3eXUCF7I0EoQVrYtT38Ut+MJdeqNvA/lBY=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=rcFLUH5k2p4QJljufHs2Yce6uPJrb5iS+4RkrdGBNqgighh5YJVz1nIL1EERUTd1dqGypJLhsoBzwmLmjHfJtUy9jkkfEP6tVVlXKVK47rLM96CdObO6Bmdb4FUqEQNvYczOd9J1KO/E9sDoQR4E19ng2+8rrKYOg/e7pEDrjuy1OLqIcQQ8582vNB8Y5AJ10o905bOFcfYuDdleDy30RTHEPjlRbW874zqMIKt38Uqdte3oGOV8IB5PtVIdH5BWggiyXxYC5bCDme8yyXkt3G2rEdu98QqTyFobbhwOnuGLH6KXf+BhBSanBKCpTvzW6nX7jckc5x/Y/XKzcHcrTQ== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfgggtgfesthekredtredtjeenucfhrhhomheptfhitghhrghrugcujfgrihhnvghsuceorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqnecuggftrfgrthhtvghrnhepieduteeiteeiteejgfeiueejfedvueduvdelkeetudegleekffetgfdvjedvfeeknecuffhomhgrihhnpegtohhnthgvgihtrdhlohgtrghlnecukfhppedutdelrdduheehrdefvddrudeljeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehlohgtrghlhhhoshhtrdhlohgtrghlughomhgrihhnpdhinhgvthepuddtledrudehhedrfedvrdduleejpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuqfftvefrvfeprhhftgekvddvnehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmpdhrtghpthhtohepoehsvghlihhnuhigsehv ghgvrhdrkhgvrhhnvghlrdhorhhgqe X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36B6E; Wed, 2 Sep 2020 14:17:44 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 01/13] libselinux_functions: Convert to markdown Date: Wed, 2 Sep 2020 14:17:26 +0100 Message-Id: <20200902131738.18425-2-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Convert to markdown Signed-off-by: Richard Haines --- src/libselinux_functions.md | 2179 ++++++++++++++++++----------------- 1 file changed, 1092 insertions(+), 1087 deletions(-) diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md index 9cae37a..b06018a 100644 --- a/src/libselinux_functions.md +++ b/src/libselinux_functions.md @@ -2,1096 +2,1101 @@ These functions have been taken from the following header files of *libselinux* version 3.0: -- */usr/include/selinux/avc.h* -- */usr/include/selinux/context.h* -- */usr/include/selinux/get_context_list.h* -- */usr/include/selinux/get_default_type.h* -- */usr/include/selinux/label.h* -- */usr/include/selinux/restorecon.h* -- */usr/include/selinux/selinux.h* + +- */usr/include/selinux/avc.h* +- */usr/include/selinux/context.h* +- */usr/include/selinux/get_context_list.h* +- */usr/include/selinux/get_default_type.h* +- */usr/include/selinux/label.h* +- */usr/include/selinux/restorecon.h* +- */usr/include/selinux/selinux.h* The appropriate ***man**(3)* pages should consulted for detailed usage. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function NameDescriptionHeader File
avc_add_callbackRegister a callback for security events.avc.h
avc_auditAudit the granting or denial of permissions in accordance with the policy. This function is typically called by avc_has_perm(3) after a permission check, but can also be called directly by callers who use avc_has_perm_noaudit(3) in order to separate the permission check from the auditing. For example, this separation is useful when the permission check must be performed under a lock, to allow the lock to be released before calling the auditing code.avc.h
avc_av_statsLog AV table statistics. Logs a message with information about the size and distribution of the access vector table. The audit callback is used to print the message.avc.h
avc_cache_statsGet cache access statistics. Fill the supplied structure with information about AVC activity since the last call to avc_init(3) or avc_reset(3).avc.h
avc_cleanup

Remove unused SIDs and AVC entries.

-

Search the SID table for SID structures with zero reference counts, and remove them along with all AVC entries that reference them. This can be used to return memory to the system.

avc.h
avc_compute_createCompute SID for labeling a new object. Call the security server to obtain a context for labeling a new object. Look up the context in the SID table, making a new entry if not found.avc.h
avc_compute_member

Compute SID for polyinstantation.

-

Call the security server to obtain a context for labeling an object instance. Look up the context in the SID table, making a new entry if not found.

avc.h

avc_context_to_sid

-

avc_context_to_sid_raw

Get SID for context. Look up security context ctx in SID table, making a new entry if ctx is not found. Store a pointer to the SID structure into the memory referenced by sid, returning 0 on success or -1 on error with errno set.avc.h
avc_destroy

Free all AVC structures.

-

Destroy all AVC structures and free all allocated memory. User-supplied locking, memory, and audit callbacks will be retained, but security-event callbacks will not. All SID's will be invalidated. User must call avc_init(3) if further use of AVC is desired.

avc.h
avc_entry_ref_init

Initialize an AVC entry reference.

-

Use this macro to initialize an avc entry reference structure before first use. These structures are passed to avc_has_perm(3), which stores cache entry references in them. They can increase performance on repeated queries.

avc.h
avc_get_initial_sid

Get SID for an initial kernel security identifier.

-

Get the context for an initial kernel security identifier specified by name using security_get_initial_context(3) and then call avc_context_to_sid(3) to get the corresponding SID.

avc.h
avc_has_perm

Check permissions and perform any appropriate auditing.

-

Check the AVC to determine whether the requested permissions are granted for the SID pair (ssid, tsid), interpreting the permissions based on tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update aeref to refer to an AVC entry with the resulting decisions. Audit the granting or denial of permissions in accordance with the policy. Return 0 if all requested permissions are granted, -1 with errno set to EACCES if any permissions are denied or to another value upon other errors.

avc.h
avc_has_perm_noauditCheck permissions but perform no auditing. Check the AVC to determine whether the requested permissions are granted for the SID pair (ssid, tsid), interpreting the permissions based on tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update aeref to refer to an AVC entry with the resulting decisions, and return a copy of the decisions in avd. Return 0 if all requested permissions are granted, -1 with errno set to EACCES if any permissions are denied, or to another value upon other errors. This function is typically called by avc_has_perm(3), but may also be called directly to separate permission checking from auditing, e.g. in cases where a lock must be held for the check but should be released for the auditing.avc.h
avc_init (deprecated)

Use avc_open

-

Initialize the AVC. Initialize the access vector cache. Return 0 on success or -1 with errno set on failure. If msgprefix is NULL, use "uavc". If any callback structure references are NULL, use default methods for those callbacks (see the definition of the callback structures).

avc.h
avc_netlink_acquire_fdCreate a netlink socket and connect to the kernel.avc.h
avc_netlink_check_nbWait for netlink messages from the kernel.avc.h
avc_netlink_closeClose the netlink socket.avc.h
avc_netlink_loopAcquire netlink socket fd. Allows the application to manage messages from the netlink socket in its own main loop.avc.h
avc_netlink_openRelease netlink socket fd. Returns ownership of the netlink socket to the library.avc.h
avc_netlink_release_fdCheck netlink socket for new messages. Called by the application when using avc_netlink_acquire_fd(3) to process kernel netlink events.avc.h
avc_openInitialize the AVC. This function is identical to avc_init(3) except the message prefix is set to "avc" and any callbacks desired should be specified via selinux_set_callback(3).avc.h
avc_resetFlush the cache and reset statistics. Remove all entries from the cache and reset all access statistics (as returned by avc_cache_stats(3)) to zero. The SID mapping is not affected. Return 0 on success, -1 with errno set on error.avc.h
avc_sid_statsLog SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message.avc.h

avc_sid_to_context

-

avc_sid_to_context_raw

Get copy of context corresponding to SID. Return a copy of the security context corresponding to the input sid in the memory referenced by ctx. The caller is expected to free the context with freecon(3). Return 0 on success, -1 on failure, with errno set to ENOMEM if insufficient memory was available to make the copy, or EINVAL if the input SID is invalid.avc.h
checkPasswdAccess (deprecated)

Use selinux_check_passwd_access(3) or preferably selinux_check_access(3)

-

Check a permission in the passwd class. Return 0 if granted or -1 otherwise.

selinux.h
context_freeFree the storage used by a context.context.h
context_newReturn a new context initialized to a context string.context.h
context_range_getGet a pointer to the range.context.h
context_range_setSet the range component. Returns nonzero if unsuccessful.context.h
context_role_getGet a pointer to the role.context.h
context_role_setSet the role component. Returns nonzero if unsuccessful.context.h
context_strReturn a pointer to the string value of context_t. Valid until the next call to context_str or context_free for the same context_t*.context.h
context_type_getGet a pointer to the type.context.h
context_type_setSet the type component. Returns nonzero if unsuccessful.context.h
context_user_getGet a pointer to the user.context.h
context_user_setSet the user component. Returns nonzero if unsuccessful.context.h

fgetfilecon

-

fgetfilecon_raw

Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon.selinux.h
fini_selinuxmntClear selinuxmnt variable and free allocated memory.selinux.h
freeconFree the memory allocated for a context by any of the get* calls.selinux.h
freeconary (deprecated)Free the memory allocated for a context array by security_compute_user(3).selinux.h

fsetfilecon

-

fsetfilecon_raw

Wrapper for the xattr API - Set file context.selinux.h
get_default_contextGet the default security context for a user session for 'user' spawned by 'fromcon' and set *newcon to refer to it. The context will be one of those authorized by the policy, but the selection of a default is subject to user customizable preferences. If 'fromcon' is NULL, defaults to current context. Returns 0 on success or -1 otherwise. Caller must free via freecon. get_context_list.h
get_default_context_with_levelSame as get_default_context(3), but use the provided MLS level rather than the default level for the user. get_context_list.h
get_default_context_with_roleSame as get_default_context(3), but only return a context that has the specified role.get_context_list.h
get_default_context_with_rolelevelSame as get_default_context(3), but only return a context that has the specified role and level.get_context_list.h
get_default_typeGet the default type (domain) for 'role' and set 'type' to refer to it. Caller must free via free(3). Return 0 on success or -1 otherwise. get_default_type.h
get_ordered_context_listGet an ordered list of authorized security contexts for a user session for 'user' spawned by 'fromcon' and set *conary to refer to the NULL-terminated array of contexts. Every entry in the list will be authorized by the policy, but the ordering is subject to user customizable preferences. Returns number of entries in *conary. If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary(3).get_context_list.h
get_ordered_context_list_with_levelSame as get_ordered_context_list(3), but use the provided MLS level rather than the default level for the user.get_context_list.h

getcon

-

getcon_raw

Get current context, and set *con to refer to it. Caller must free via freecon(3). selinux.h

getexeccon

-

getexeccon_raw

Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via freecon(3).selinux.h

getfilecon

-

getfilecon_raw

Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon(3).selinux.h

getfscreatecon

-

getfscreatecon_raw

Get fscreate context, and set *con to refer to it. Sets *con to NULL if no fs create context has been set, i.e. using default.If non-NULL, caller must free via freecon(3).selinux.h

getkeycreatecon

-

getkeycreatecon_raw

Get keycreate context, and set *con to refer to it. Sets *con to NULL if no key create context has been set, i.e. using default. If non-NULL, caller must free via freecon(3).selinux.h

getpeercon

-

getpeercon_raw

Wrapper for the socket API - Get context of peer socket, and set *con to refer to it. Caller must free via freecon(3).selinux.h

getpidcon

-

getpidcon_raw

Get context of process identified by pid, and set *con to refer to it. Caller must free via freecon(3).selinux.h

getprevcon

-

getprevcon_raw

Get previous context (prior to last exec), and set *con to refer to it. Caller must free via freecon(3).selinux.h
getseuserGet the SELinux username and level to use for a given Linux username and service. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free(3).selinux.h
getseuserbynameGet the SELinux username and level to use for a given Linux username. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via free(3).selinux.h

getsockcreatecon

-

getsockcreatecon_raw

Get sockcreate context, and set *con to refer to it. Sets *con to NULL if no socket create context has been set, i.e. using default. If non-NULL, caller must free via freecon(3).selinux.h
init_selinuxmntThere is a man page for this, however it is not a user accessible function (internal use only - although the fini_selinuxmnt is reachable).-
is_context_customizableReturns whether a file context is customizable, and should not be relabeled.selinux.h
is_selinux_enabledReturn 1 if running on a SELinux kernel, or 0 if not or -1 for error.selinux.h
is_selinux_mls_enabledReturn 1 if we are running on a SELinux MLS kernel, or 0 otherwise.selinux.h

lgetfilecon

-

lgetfilecon_raw

Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon(3).selinux.h

lsetfilecon

-

lsetfilecon_raw

Wrapper for the xattr API- Set file context for symbolic link.selinux.h
manual_user_enter_contextAllow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon(3). Returns 0 on success or -1 otherwise. get_context_list.h
matchmediaconMatch the specified media and against the media contexts configuration and set *con to refer to the resulting context. Caller must free con via freecon.selinux.h
matchpathcon (deprecated)Match the specified pathname and mode against the file context sconfiguration and set *con to refer to the resulting context.'mode' can be 0 to disable mode matching. Caller must free via freecon. If matchpathcon_init(3) has not already been called, then this function will call it upon its first invocation with a NULL path.selinux.h
matchpathcon_checkmatches (deprecated)Check to see whether any specifications had no matches and report them. The 'str' is used as a prefix for any warning messages.selinux.h
matchpathcon_filespec_add (deprecated)Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated with the same inode (e.g. due to multiple hard links). If so, then use the latter of the two specifications based on their order in the file contexts configuration. Return the used specification index. selinux.h
matchpathcon_filespec_destroy (deprecated)Destroy any inode associations that have been added, e.g. to restart for a new filesystem. selinux.h
matchpathcon_filespec_eval (deprecated)Display statistics on the hash table usage for the associations.selinux.h
matchpathcon_fini (deprecated)Free the memory allocated by matchpathcon_init.selinux.h
matchpathcon_index (deprecated)Same as matchpathcon(3), but return a specification index for later use in a matchpathcon_filespec_add(3) call.selinux.h
matchpathcon_init (deprecated)Load the file contexts configuration specified by 'path' into memory for use by subsequent matchpathcon calls. If 'path' is NULL, then load the active file contexts configuration, i.e. the path returned by selinux_file_context_path(3). Unless the MATCHPATHCON_BASEONLY flag has been set, this function also checks for a 'path'.homedirs file and a 'path'.local file and loads additional specifications from them if present.selinux.h
matchpathcon_init_prefix (deprecated)Same as matchpathcon_init(3), but only load entries with regexes that have stems that are prefixes of 'prefix'.selinux.h
mode_to_security_classTranslate mode_t to a security class string name (e.g. S_ISREG = "file").selinux.h
print_access_vectorDisplay an access vector in a string representation.selinux.h
query_user_contextGiven a list of authorized security contexts for the user, query the user to select one and set *newcon to refer to it. Caller must free via freecon(3). Returns 0 on success or -1 otherwise. get_context_list.h
realpath_not_finalResolve all of the symlinks and relative portions of a pathname, but NOT the final component (same a realpath(3) unless the final component is a symlink. Resolved path must be a path of size PATH_MAX + 1.selinux.h
rpm_execcon (deprecated)Use setexecfilecon and execve Execute a helper for rpm in an appropriate security context.selinux.h
security_av_perm_to_stringConvert access vector permissions to string names.selinux.h
security_av_stringReturns an access vector in a string representation. User must free the returned string via free(3).selinux.h

security_canonicalize_context

-

security_canonicalize_context_raw

Canonicalize a security context. Returns a pointer to the canonical (primary) form of a security context in canoncon that the kernel is using rather than what is provided by the userspace application in con. selinux.h

security_check_context

-

security_check_context_raw

Check the validity of a security context.selinux.h
security_class_to_stringConvert security class values to string names.selinux.h
security_commit_booleansCommit the pending values for the booleans.selinux.h

security_compute_av

-

security_compute_av_raw

Compute an access decision.

-

Queries whether the policy permits the source context scon to access the target context tcon via class tclass with the requested access vector. The decision is returned in avd.

selinux.h

security_compute_av_flags

-

security_compute_av_flags_raw

Compute an access decision and return the flags.

-

Queries whether the policy permits the source context scon to access the target context tcon via class tclass with the requested access vector. The decision is returned in avd. that has an additional flags entry. Currently the only flag defined is SELINUX_AVD_FLAGS_PERMISSIVE that indicates the decision was computed on a permissive domain (i.e. the permissive policy language statement has been used in policy or semanage(8) has been used to set the domain in permissive mode). Note this does not indicate that SELinux is running in permissive mode, only the scon domain.

selinux.h

security_compute_create

-

security_compute_create_raw

Compute a labeling decision and set *newcon to refer to it. Caller must free via freecon(3).selinux.h

security_compute_create_name

-

security_compute_create_name_raw

This is identical to security_compute_create(3) but also takes the name of the new object in creation as an argument.

-

When a type_transition rule on the given class and the scon / tcon pair has an object name extension, newcon will be returned according to the policy. Note that this interface is only supported on the kernels 2.6.40 or later. For older kernels the object name is ignored.

selinux.h

security_compute_member

-

security_compute_member_raw

Compute a polyinstantiation member decision and set *newcon to refer to it. Caller must free via freecon(3).selinux.h

security_compute_relabel

-

security_compute_relabel_raw

Compute a relabeling decision and set *newcon to refer to it. Caller must free via freecon(3).selinux.h

security_compute_user (deprecated)

-

security_compute_user_raw (deprecated)

Compute the set of reachable user contexts and set *con to refer to the NULL-terminated array of contexts. Caller must free via freeconary(3). selinux.h
security_deny_unknownGet the behavior for undefined classes / permissions.selinux.h
security_disableDisable SELinux at runtime (must be done prior to initial policy load).selinux.h
security_get_boolean_activeGet the active value for the boolean.selinux.h
security_get_boolean_namesGet the boolean namesselinux.h
security_get_boolean_pendingGet the pending value for the boolean.selinux.h

security_get_initial_context

-

security_get_initial_context_raw

Get the context of an initial kernel security identifier by name. Caller must free via freecon(3).selinux.h
security_getenforceGet the enforce flag value.selinux.h
security_load_booleans (deprecated)Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file.selinux.h
security_load_policyLoad a policy configuration.selinux.h
security_policyversGet the policy version number.selinux.h
security_set_booleanSet the pending value for the boolean.selinux.h
security_set_boolean_listSave a list of booleans in a single transaction.selinux.h
security_setenforceSet the enforce flag value.selinux.h

security_validatetrans

-

security_validatetrans_raw

Validate a transition. This determines whether a transition from scon to newcon using tcon as the target for object class tclass is valid in the loaded policy. This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy. Returns 0 if allowed and -1 if an error occurred with errno set.selinux.h
selabel_closeDestroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed.label.h
selabel_cmp

Compare two label configurations. Returns:

-

SELABEL_SUBSET if h1 is a subset of h2

-

SELABEL_EQUAL if h1 is identical to h2

-

SELABEL_SUPERSET if h1 is a superset of h2

-

SELABEL_INCOMPARABLE if h1 and h2 are incomparable

label.h
selabel_digestRetrieve the SHA1 digest and the list of specfiles used to generate the digest. The SELABEL_OPT_DIGEST option must be set in selabel_open(3) to initiate the digest generation.label.h
selabel_get_digests_all_partial_matchesReturns true if the digest of all partial matched contexts is the same as the one saved by setxattr, otherwise returns false. The length of the SHA1 digest will always be returned. The caller must free any returned digests.label.h
selabel_hash_all_partial_matchesReturns true if the digest of all partial matched contexts is the same as the one saved by setxattr, otherwise returns false.label.h

selabel_lookup

-

selabel_lookup_raw

Perform a labeling lookup operation. Return 0 on success, -1 with errno set on failure. The key and type arguments are the inputs to the lookup operation; appropriate values are dictated by the backend in use. The result is returned in the memory pointed to by con and must be freed by freecon.label.h

selabel_lookup_best_match

-

selabel_lookup_best_match_raw

Obtain a best match SELinux security context - Only supported on file backend. The order of precedence for best match is:

-

1. An exact match for the real path (key) or

-

2. An exact match for any of the links (aliases), or

-

3. The longest fixed prefix match.

label.h
selabel_open

Create a labeling handle.

-

Open a labeling backend for use. The available backend identifiers are:

-

SELABEL_CTX_FILE - file_contexts.

-

SELABEL_CTX_MEDIA - media contexts.

-

SELABEL_CTX_X - x_contexts.

-

SELABEL_CTX_DB - SE-PostgreSQL contexts.

-

SELABEL_CTX_ANDROID_PROP – property_contexts.

-

SELABEL_CTX_ANDROID_SERVICEservice_contexts.

-

Options may be provided via the opts parameter; available options are:

-

SELABEL_OPT_UNUSED - no-op option, useful for unused slots in an array of options.

-

SELABEL_OPT_VALIDATE - validate contexts before returning them (boolean value).

-

SELABEL_OPT_BASEONLY - don't use local customizations to backend data (boolean value).

-

SELABEL_OPT_PATH - specify an alternate path to use when loading backend data.

-

SELABEL_OPT_SUBSET - select a subset of the search space as an optimization (file backend).

-

SELABEL_OPT_DIGEST – request an SHA1 digest of the specfiles.

-

Not all options may be supported by every backend. Return value is the created handle on success or NULL with errno set on failure.

label.h
selabel_partial_matchlabel.h
selabel_statsLog a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message.label.h
selinux_binary_policy_pathReturn path to the binary policy file under the policy root directory.selinux.h
selinux_booleans_path (deprecated)Return path to the booleans file under the policy root directory.selinux.h
selinux_boolean_subReads the /etc/selinux/TYPE/booleans.subs_dist file looking for a record with boolean_name. If a record exists selinux_boolean_sub(3) returns the translated name otherwise it returns the original name. The returned value needs to be freed. On failure NULL will be returned.selinux.h
selinux_booleans_subs_pathReturns the path to the booleans.subs_dist configuration file.selinux.h
selinux_check_access

Used to check if the source context has the access permission for the specified class on the target context. Note that the permission and class are reference strings.

-

The aux parameter may reference supplemental auditing information.

-

Auditing is handled as described in avc_audit(3).

-

See security_deny_unknown(3) for how the deny_unknown flag can influence policy decisions.

selinux.h
selinux_check_passwd_access (deprecated)

Use selinux_check_access Check a permission in the passwd class. Return 0 if granted or -1 otherwise.

-

Replaced by selinux_check_access(3)

selinux.h
selinux_check_securetty_context Check if the tty_context is defined as a securetty. Return 0 if secure, < 0 otherwise.selinux.h
selinux_colors_pathReturn path to file under the policy root directory.selinux.h
selinux_contexts_pathReturn path to contexts directory under the policy root directory.selinux.h
selinux_current_policy_pathReturn path to the current policy.selinux.h
selinux_customizable_types_pathReturn path to customizable_types file under the policy root directory.selinux.h
selinux_default_context_pathReturn path to default_context file under the policy root directory.selinux.h
selinux_default_type_pathReturn path to default_type file.get_default_type.h
selinux_failsafe_context_pathReturn path to failsafe_context file under the policy root directory.selinux.h
selinux_file_context_cmpCompare two file contexts, return 0 if equivalent.selinux.h
selinux_file_context_homedir_pathReturn path to file_context.homedir file under the policy root directory.selinux.h
selinux_file_context_local_pathReturn path to file_context.local file under the policy root directory.selinux.h
selinux_file_context_pathReturn path to file_context file under the policy root directory.selinux.h
selinux_file_context_subs_pathReturn path to file_context.subs file under the policy root directory.selinux.h
selinux_file_context_subs_dist_pathReturn path to file_context.subs_dist file under the policy root directory.selinux.h
selinux_file_context_verifyVerify the context of the file 'path' against policy. Return 0 if correct.selinux.h
selinux_get_callbackUsed to get a pointer to the callback function of the given type. Callback functions are set using selinux_set_callback(3).selinux.h
selinux_getenforcemodeReads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode. selinux.h
selinux_getpolicytypeReads the /etc/selinux/config file and determines what the default policy for the machine is. Calling application must free policytype.selinux.h
selinux_homedir_context_pathReturn path to file under the policy root directory. Note that this file will only appear in older versions of policy at this location. On systems that are managed using semanage(8) this is now in the policy store.selinux.h
selinux_init_load_policy

Perform the initial policy load.

-

This function determines the desired enforcing mode, sets the the *enforce argument accordingly for the caller to use, sets the SELinux kernel enforcing status to match it, and loads the policy. It also internally handles the initial selinuxfs mount required to perform these actions.

-

The function returns 0 if everything including the policy load succeeds. In this case, init is expected to re-exec itself in order to transition to the proper security context. Otherwise, the function returns -1, and init must check *enforce to determine how to proceed. If enforcing (*enforce > 0), then init should halt the system. Otherwise, init may proceed normally without a re-exec.

selinux.h
selinux_lsetfilecon_defaultThis function sets the file context to the system defaults. Returns 0 on success.selinux.h
selinux_lxc_contexts_pathReturn the path to the lxc_contexts configuration file.selinux.h
selinux_media_context_pathReturn path to file under the policy root directory.selinux.h
selinux_mkload_policy

Make a policy image and load it.

-

This function provides a higher level interface for loading policy than security_load_policy(3), internally determining the right policy version, locating and opening the policy file, mapping it into memory, manipulating it as needed for current boolean settings and/or local definitions, and then calling security_load_policy(3) to load it.

-

'preservebools' is a boolean flag indicating whether current policy boolean values should be preserved into the new policy (if 1) or reset to the saved policy settings (if 0). The former case is the default for policy reloads, while the latter case is an option for policy reloads but is primarily for the initial policy load.

selinux.h
selinux_netfilter_context_pathReturns path to the netfilter_context file under the policy root directory.selinux.h
selinux_pathReturns path to the policy root directory.selinux.h
selinux_policy_rootReads the /etc/selinux/config file and returns the top level directory.selinux.h
selinux_raw_context_to_colorPerform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". Caller must free the resulting string via free(3). Returns -1 upon an error or 0 otherwise.selinux.h
selinux_raw_to_trans_contextPerform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon(3). Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0.selinux.h
selinux_removable_context_pathReturn path to removable_context file under the policy root directory.selinux.h
selinux_restorecon

Relabel files that automatically calls selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3) first time through to set the selabel_open(3) parameters to use the currently loaded policy file_contexts and request their computed digest.

-

Should other selabel_open(3) parameters be required see selinux_restorecon_set_sehandle(3).

restorecon.h
selinux_restorecon_xattr

Read/remove RESTORECON_LAST xattr entries that automatically calls selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3) first time through to set the selabel_open(3) parameters to use the currently loaded policy file_contexts and request their computed digest.

-

Should other selabel_open(3) parameters be required see selinux_restorecon_set_sehandle(3), however note that a file_contexts computed digest is required for selinux_restorecon_xattr(3).

restorecon.h
selinux_restorecon_default_handleSets default selabel_open(3) parameters to use the currently loaded policy and file_contexts, also requests the digest.restorecon.h
selinux_restorecon_set_alt_rootpathUse alternate rootpath.restorecon.h
selinux_restorecon_set_exclude_listAdd a list of directories that are to be excluded from relabeling.restorecon.h
selinux_restorecon_set_sehandleSet the global fc handle. Called by a process that has already called selabel_open(3) with its required parameters, or if selinux_restorecon_default_handle(3) has been called to set the default selabel_open(3) parameters.restorecon.h
selinux_securetty_types_pathReturn path to the securetty_types file under the policy root directory.selinux.h
selinux_sepgsql_context_pathReturn path to sepgsql_context file under the policy root directory.selinux.h
selinux_set_callbackSets the callback according to the type: SELINUX_CB_LOG, SELINUX_CB_AUDIT, SELINUX_CB_VALIDATE, SELINUX_CB_SETENFORCE, SELINUX_CB_POLICYLOADselinux.h
selinux_set_mappingUserspace class mapping support that establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy.selinux.h
selinux_set_policy_rootSets an alternate policy root directory path under which the compiled policy file and context configuration files exist.selinux.h
selinux_status_openOpen and map SELinux kernel status page.avc.h
selinux_status_closeUnmap and close kernel status page.avc.h
selinux_status_updatedInform whether the kernel status has been updated.avc.h
selinux_status_getenforceGet the enforce flag value.avc.h
selinux_status_policyloadGet the number of policy loads.avc.h
selinux_status_deny_unknownGet behaviour for undefined classes/permissions.avc.h
selinux_systemd_contexts_pathReturns the path to the systemd_contexts configuration file.selinux.h
selinux_reset_configForce a reset of the loaded configuration. WARNING: This is not thread safe. Be very sure that no other threads are calling into libselinux when this is called.selinux.h
selinux_trans_to_raw_contextPerform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon(3). Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0.selinux.h
selinux_translations_pathReturn path to setrans.conf file under the policy root directory.selinux.h
selinux_user_contexts_pathReturn path to file under the policy root directory.selinux.h
selinux_users_path (deprecated)Return path to file under the policy root directory.selinux.h
selinux_usersconf_pathReturn path to file under the policy root directory.selinux.h
selinux_virtual_domain_context_pathReturn path to file under the policy root directory.selinux.h
selinux_virtual_image_context_pathReturn path to file under the policy root directory.selinux.h
selinux_x_context_pathReturn path to x_context file under the policy root directory.selinux.h
selinuxfs_existsCheck if selinuxfs exists as a kernel filesystem.selinux.h
set_matchpathcon_canoncon (deprecated)Same as set_matchpathcon_invalidcon(3), but also allows canonicalization of the context, by changing *context to refer to the canonical form. If not set, and invalidcon is also not set, then this defaults to calling security_canonicalize_context(3).selinux.h
set_matchpathcon_flags (deprecated)

Set flags controlling operation of matchpathcon_init(3) or matchpathcon(3):

-

MATCHPATHCON_BASEONLY - Only process the base file_contexts file.

-

MATCHPATHCON_NOTRANS - Do not perform any context translation.

-

MATCHPATHCON_VALIDATE - Validate/canonicalize contexts at init time.

selinux.h
set_matchpathcon_invalidcon (deprecated)Set the function used by matchpathcon_init(3) when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on security_check_context(3). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages.selinux.h
set_matchpathcon_printf (deprecated)Set the function used by matchpathcon_init(3) when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...).selinux.h
set_selinuxmnt Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs.selinux.h

setcon

-

setcon_raw

Set the current security context to con.

-

Note that use of this function requires that the entire application be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions performed via setexeccon(3). When possible, decompose your application and use setexeccon(3)+execve(3) instead. Note that the application may lose access to its open descriptors as a result of a setcon(3) unless policy allows it to use descriptors opened by the old context.

selinux.h

setexeccon

-

setexeccon_raw

Set exec security context for the next execve(3). Call with NULL if you want to reset to the default.selinux.h
setexecfileconSet an appropriate security context based on the filename of a helper program, falling back to a new context with the specified type.selinux.h

setfilecon

-

setfilecon_raw

Wrapper for the xattr API - Set file context.selinux.h

setfscreatecon

-

setfscreatecon_raw

Set the fscreate security context for subsequent file creations. Call with NULL if you want to reset to the default.selinux.h

setkeycreatecon

-

setkeycreatecon_raw

Set the keycreate security context for subsequent key creations. Call with NULL if you want to reset to the default.selinux.h

setsockcreatecon

-

setsockcreatecon_raw

Set the sockcreate security context for subsequent socket creations. Call with NULL if you want to reset to the default.selinux.h
sidget (deprecated)From 2.0.86 this is a no-op.avc.h
sidput (deprecated)From 2.0.86 this is a no-op.avc.h
string_to_av_permConvert string names to access vector permissions.selinux.h
string_to_security_classConvert string names to security class values.selinux.h
+Some useful notes: + +1. Use ***free**(3)* instead of ***freecon**(3)* for context strings as they + are now defined as *char\**. Note this does not apply to ***context_free**(3)*. +2. There must be more ??? + +*avc_add_callback* - *avc.h* + +Register a callback for security events. + +*avc_audit* - *avc.h* + +Audit the granting or denial of permissions in accordance with the policy. +This function is typically called by ***avc_has_perm**(3)* after a permission +check, but can also be called directly by callers who use +***avc_has_perm_noaudit**(3)* in order to separate the permission check from +the auditing. For example, this separation is useful when the permission +check must be performed under a lock, to allow the lock to be released before +calling the auditing code. + +*avc_av_stats* - *avc.h* + +Log AV table statistics. Logs a message with information about the size and +distribution of the access vector table. The audit callback is used to print +the message. + +*avc_cache_stats* - *avc.h* + +Get cache access statistics. Fill the supplied structure with information +about AVC activity since the last call to ***avc_init**(3)* +or ***avc_reset**(3)*. + +*avc_cleanup* - *avc.h* + +Remove unused SIDs and AVC entries. Search the SID table for SID structures +with zero reference counts, and remove them along with all AVC entries that +reference them. This can be used to return memory to the system. + +*avc_compute_create* - *avc.h* + +Compute SID for labeling a new object. Call the security server to obtain +a context for labeling a new object. Look up the context in the SID table, +making a new entry if not found. + +*avc_compute_member* - *avc.h* + +Compute SID for polyinstantation. Call the security server to obtain a +context for labeling an object instance. Look up the context in the SID table, +making a new entry if not found. + +*avc_context_to_sid*, *avc_context_to_sid_raw* - *avc.h* + +Get SID for context. Look up security context *ctx* in SID table, making a new +entry if *ctx* is not found. Store a pointer to the SID structure into the +memory referenced by *sid*, returning 0 on success or -1 on error with +*errno* set. + +*avc_destroy* - *avc.h* + +Free all AVC structures. Destroy all AVC structures and free all allocated +memory. User-supplied locking, memory, and audit callbacks will be retained, +but security-event callbacks will not. All SID's will be invalidated. +User must call ***avc_init**(3)* if further use of AVC is desired. + +*avc_entry_ref_init* - *avc.h* + +Initialize an AVC entry reference. Use this macro to initialize an *avc* entry +reference structure before first use. These structures are passed to +***avc_has_perm**(3)*, which stores cache entry references in them. +They can increase performance on repeated queries. + +*avc_get_initial_sid* - *avc.h* + +Get SID for an initial kernel security identifier. Get the context for an +initial kernel security identifier specified by name using +***security_get_initial_context**(3)* and then call +***avc_context_to_sid**(3)* to get the corresponding SID. + +*avc_has_perm* - *avc.h* + +Check permissions and perform any appropriate auditing. Check the AVC to +determine whether the requested permissions are granted for the SID pair +(*ssid*, *tsid*), interpreting the permissions based on tclass, and call the +security server on a cache miss to obtain a new decision and add it to the +cache. Update *aeref* to refer to an AVC entry with the resulting decisions. +Audit the granting or denial of permissions in accordance with the policy. +Return 0 if all requested permissions are granted, -1 with errno set to EACCES +if any permissions are denied or to another value upon other errors. + +*avc_has_perm_noaudit* - *avc.h* + +Check permissions but perform no auditing. Check the AVC to determine whether +the requested permissions are granted for the SID pair (*ssid*, *tsid*), +interpreting the permissions based on tclass, and call the security server +on a cache miss to obtain a new decision and add it to the cache. Update aeref +to refer to an AVC entry with the resulting decisions, and return a copy of +the decisions in *avd*. Return 0 if all requested permissions are granted, -1 +with errno set to EACCES if any permissions are denied, or to another value +upon other errors. This function is typically called by ***avc_has_perm**(3)*, +but may also be called directly to separate permission checking from auditing, +e.g. in cases where a lock must be held for the check but should be released +for the auditing. + +*avc_init* (deprecated) + +Use *avc_open*. Initialize the AVC. Initialize the access vector cache. +Return 0 on success or -1 with errno set on failure. If *msgprefix* is NULL, +use *uavc*. If any callback structure references are NULL, use default methods +for those callbacks (see the definition of the callback structures). + +*avc_netlink_acquire_fd* - *avc.h* + +Create a netlink socket and connect to the kernel. + +*avc_netlink_check_nb* - *avc.h* + +Wait for netlink messages from the kernel. + +*avc_netlink_close* - *avc.h* + +Close the netlink socket. + +*avc_netlink_loop* - *avc.h* + +Acquire netlink socket fd. Allows the application to manage messages from +the netlink socket in its own main loop. + +*avc_netlink_open* - *avc.h* + +Release netlink socket fd. Returns ownership of the netlink socket to the +ibrary. + +*avc_netlink_release_fd* - *avc.h* + +Check netlink socket for new messages. Called by the application when using +***avc_netlink_acquire_fd**(3)* to process kernel netlink events. + +*avc_open* - *avc.h* + +Initialize the AVC. This function is identical to ***avc_init**(3)* except the +message prefix is set to *avc* and any callbacks desired should be specified +via ***selinux_set_callback**(3)*. + +*avc_reset* - *avc.h* + +Flush the cache and reset statistics. Remove all entries from the cache and +reset all access statistics (as returned by ***avc_cache_stats**(3)*) to zero. +The SID mapping is not affected. Return 0 on success, -1 with errno set on error. + +*avc_sid_stats* - *avc.h* + +Log SID table statistics. Log a message with information about the size and +distribution of the SID table. The audit callback is used to print the message. + +avc_sid_to_context*, *avc_sid_to_context_raw* - *avc.h* + +Get copy of context corresponding to SID. Return a copy of the security context +corresponding to the input sid in the memory referenced by *ctx*. The caller is +expected to free the context with ***freecon**(3)*. Return 0 on success, -1 +on failure, with errno set to ENOMEM if insufficient memory was available to +make the copy, or EINVAL if the input SID is invalid. + +*checkPasswdAccess* (deprecated) - *selinux.h* + +Use ***selinux_check_passwd_access**(3)* or preferably +***selinux_check_access**(3)*. Check a permission in the passwd class. +Return 0 if granted or -1 otherwise. + +*context_free* - *context.h* + +Free the storage used by a context structure. + +*context_new* - *context.h* + +Return a new context initialized to a context string. + +*context_range_get* - *context.h* + +Get a pointer to the range. + +*context_range_set* - *context.h* + +Set the range component. Returns nonzero if unsuccessful. + +*context_role_get* - *context.h* + +Get a pointer to the role. + +*context_role_set* - *context.h* + +Set the role component. Returns nonzero if unsuccessful. + +*context_str* - *context.h* + +Return a pointer to the string value of *context_t*. Valid until the next call +to ***context_str**(3)* or ***context_free**(3)* for the same *context_t*. + +*context_type_get* - *context.h* + +Get a pointer to the type. + +*context_type_set* - *context.h* + +Set the type component. Returns nonzero if unsuccessful. + +*context_user_get* - *context.h* + +Get a pointer to the user. + +*context_user_set* - *context.h* + +Set the user component. Returns nonzero if unsuccessful. + +*fgetfilecon*, *fgetfilecon_raw* - *selinux.h* + +Wrapper for the ***xattr**(7)* API - Get file context, and set *\*con* to +refer to it. Caller must free via ***freecon**(3)*. + +*fini_selinuxmnt* - *selinux.h* + +Clear *selinuxmnt* variable and free allocated memory. + +*freecon* - *selinux.h* + +Free the memory allocated for a context by any of the *get\** calls. + +*freeconary* - *selinux.h* + +Free the memory allocated for a context array by +***get_ordered_context_list**(3)*. + +*fsetfilecon*, *fsetfilecon_raw* - *selinux.h* + +Wrapper for the ***xattr**(7)* API - Set file context. + +*get_default_context* - *get_context_list.h* + +Get the default security context for a user session for *user* spawned by +*fromcon* and set *\*newcon* to refer to it. The context will be one of those +authorized by the policy, but the selection of a default is subject to user +customizable preferences. If *fromcon* is NULL, defaults to current context. +Returns 0 on success or -1 otherwise. Caller must free via ***freecon**(3)*. + +*get_default_context_with_level* - *get_context_list.h* + +Same as ***get_default_context**(3)*, but use the provided MLS level rather +than the default level for the user. + +*get_default_context_with_role* - *get_context_list.h* + +Same as ***get_default_context**(3)*, but only return a context that +has the specified role. + +*get_default_context_with_rolelevel* - *get_context_list.h* + +Same as ***get_default_context**(3)*, but only return a context that has +the specified role and level. + +*get_default_type* - *get_default_type.h* + +Get the default type (domain) for *role* and set *type* to refer to it. +Caller must free via ***free**(3)*. +Return 0 on success or -1 otherwise. + +*get_ordered_context_list* - *get_context_list.h* + +Get an ordered list of authorized security contexts for a user session for +*user* spawned by *fromcon* and set *\*conary* to refer to the NULL-terminated +array of contexts. Every entry in the list will be authorized by the policy, +but the ordering is subject to user customizable preferences. +Returns number of entries in *\*conary*. If *fromcon* is NULL, defaults +to current context. Caller must free via ***freeconary**(3)*. + +*get_ordered_context_list_with_level* - *get_context_list.h* + +Same as ***get_ordered_context_list**(3)*, but use the provided MLS level +rather than the default level for the user. + +*getcon*, *getcon_raw* - *selinux.h* + +Get current context, and set *\*con* to refer to it. Caller must free via +***freecon**(3)*. + +*getexeccon*, *getexeccon_raw* - *selinux.h* + +Get exec context, and set *\*con* to refer to it. Sets *\*con* to NULL if no +exec context has been set, i.e. using default. If non-NULL, caller must +free via ***freecon**(3)*. + +*getfilecon*, *getfilecon_raw* - *selinux.h* + +Wrapper for the ***xattr**(7)* API - Get file context, and set *\*con* to refer +to it. Caller must free via ***freecon**(3)*. + +*getfscreatecon*, *getfscreatecon_raw* - *selinux.h* + +Get fscreate context, and set *\*con* to refer to it. Sets *\*con* to NULL if +no fs create context has been set, i.e. using default.If non-NULL, caller must +free via ***freecon**(3)*. + +*getkeycreatecon* *getkeycreatecon_raw* - *selinux.h* + +Get keycreate context, and set *\*con* to refer to it. Sets *\*con* to NULL +if no key create context has been set, i.e. using default. If non-NULL, caller +must free via ***freecon**(3)*. + +*getpeercon*, *getpeercon_raw* - *selinux.h* + +Wrapper for the socket API - Get context of peer socket, and set *\*con* to +refer to it. Caller must free via ***freecon**(3)*. + +*getpidcon*, *getpidcon_raw* - *selinux.h* + +Get context of process identified by pid, and set *\*con* to refer to it. +Caller must free via ***freecon**(3)*. + +*getprevcon*, *getprevcon_raw* - *selinux.h* + +Get previous context (prior to last exec), and set *\*con* to refer to it. +Caller must free via ***freecon**(3)*. + +*getseuser* - *selinux.h* + +Get the SELinux username and level to use for a given Linux username and +service. These values may then be passed into the +***get_ordered_context_list**(3)* and ***get_default_context**(3)* functions +to obtain a context for the user. +Returns 0 on success or -1 otherwise. +Caller must free the returned strings via ***free**(3)*. + +*getseuserbyname* - *selinux.h* + +Get the SELinux username and level to use for a given Linux username. +These values may then be passed into the ***get_ordered_context_list**(3)* +and ***get_default_context**(3)* functions to obtain a context for the user. +Returns 0 on success or -1 otherwise. +Caller must free the returned strings via ***free**(3)*. + +*getsockcreatecon*, *getsockcreatecon_raw* - *selinux.h* + +Get sockcreate context, and set *\*con* to refer to it. Sets *\*con* to NULL +if no socket create context has been set, i.e. using default. +If non-NULL, caller must free via ***freecon**(3)*. + +*init_selinuxmnt* - *selinux.h* + +There is a man page for this, however it is not a user accessible function +(internal use only - although the ***fini_selinuxmnt**(3)* is reachable). + +*is_context_customizable* - *selinux.h* + +Returns whether a file context is customizable, and should not be relabeled. + +*is_selinux_enabled* - *selinux.h* + +Return 1 if running on a SELinux kernel, or 0 if not or -1 for error. + +*is_selinux_mls_enabled* - *selinux.h* + +Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. + +*lgetfilecon*, *lgetfilecon_raw* - *selinux.h* + +Wrapper for the ***xattr**(7)* API - Get file context, and set *\*con* to +refer to it. Caller must free via ***freecon**(3)*. + +*lsetfilecon*, *lsetfilecon_raw* - *selinux.h* + +Wrapper for the xattr API- Set file context for symbolic link. + +*manual_user_enter_context* - *get_context_list.h* + +Allow the user to manually enter a context as a fallback if a list of +authorized contexts could not be obtained. Caller must free via +***freecon**(3)*. Returns 0 on success or -1 otherwise. + +*matchmediacon* - *selinux.h* + +Match the specified media and against the media contexts configuration and +set *\*con* to refer to the resulting context. +Caller must free con via ***freecon**(3)*. + +*matchpathcon* (deprecated) - *selinux.h* + +Match the specified *pathname* and *mode* against the file context configuration +and set *\*con* to refer to the resulting context. *mode* can be 0 to disable +mode matching. Caller must free via freecon. If ***matchpathcon_init**(3)* +has not already been called, then this function will call it upon its first +invocation with a NULL path. + +*matchpathcon_checkmatches* (deprecated) - *selinux.h* + +Check to see whether any specifications had no matches and report them. +The *str* is used as a prefix for any warning messages. + +*matchpathcon_filespec_add* (deprecated) - *selinux.h* + +Maintain an association between an inode and a specification index, and check +whether a conflicting specification is already associated with the same inode +(e.g. due to multiple hard links). If so, then use the latter of the two +specifications based on their order in the file contexts configuration. +Return the used specification index. + +*matchpathcon_filespec_destroy* (deprecated) - *selinux.h* + +Destroy any inode associations that have been added, e.g. to restart for a +new filesystem. + +*matchpathcon_filespec_eval* (deprecated) - *selinux.h* + +Display statistics on the hash table usage for the associations. + +*matchpathcon_fini* (deprecated) - *selinux.h* + +Free the memory allocated by ***matchpathcon_init**(3)*. + +*matchpathcon_index* (deprecated) - *selinux.h* + +Same as ***matchpathcon**(3)*, but return a specification index for later use +in a ***matchpathcon_filespec_add**(3)* call. + + +*matchpathcon_init* (deprecated) - *selinux.h* + +Load the file contexts configuration specified by *path* into memory for use +by subsequent *matchpathcon* calls. If *path* is NULL, then load the active file +contexts configuration, i.e. the path returned by +***selinux_file_context_path**(3)*. Unless the *MATCHPATHCON_BASEONLY* flag +has been set, this function also checks for a *path.homedirs* file and a +*path.local* file and loads additional specifications from them if present. + +*matchpathcon_init_prefix* (deprecated) - *selinux.h* + +Same as ***matchpathcon_init**(3)*, but only load entries with regexes that +have stems that are prefixes of *prefix*. + +*mode_to_security_class* - *selinux.h* + +Translate mode_t to a security class string name (e.g. *S_ISREG* = *file*). + +*print_access_vector* - *selinux.h* + +Display an access vector in a string representation. + +*query_user_context*- *get_context_list.h* + +Given a list of authorized security contexts for the user, query the user to +select one and set *\*newcon* to refer to it. Caller must free via +***freecon**(3)*. Returns 0 on success or -1 otherwise. + +*realpath_not_final* - *selinux.h* + +Resolve all of the symlinks and relative portions of a *pathname*, but NOT the +final component (same a ***realpath**(3)* unless the final component is a symlink. +Resolved path must be a path of size *PATH_MAX + 1*. + +*rpm_execcon* (deprecated) - *selinux.h* + +Use ***setexecfilecon**(3)* and ***execve**(2)*. Execute a helper for rpm in +an appropriate security context. + +*security_av_perm_to_string* - *selinux.h* + +Convert access vector permissions to string names. + +*security_av_string* - *selinux.h* + +Returns an access vector in a string representation. User must free the +returned string via ***free**(3)*. + +*security_canonicalize_context*, *security_canonicalize_context_raw* - *selinux.h* + +Canonicalize a security context. Returns a pointer to the canonical (primary) +form of a security context in *canoncon* that the kernel is using rather than +what is provided by the userspace application in *con*. + +*security_check_context*, *security_check_context_raw* - *selinux.h* + +Check the validity of a security context. + +*security_class_to_string* - *selinux.h* + +Convert security class values to string names. + +*security_commit_booleans* - *selinux.h* + +Commit the pending values for the booleans. + +*security_compute_av*, *security_compute_av_raw* - *selinux.h* + +Compute an access decision. Queries whether the policy permits the source +context *scon* to access the target context *tcon* via class *tclass* with +the *requested* access vector. The decision is returned in *avd*. + +*security_compute_av_flags*, *security_compute_av_flags_raw* - *selinux.h* + +Compute an access decision and return the flags. +Queries whether the policy permits the source context *scon* to access the +target context *tcon* via class *tclass* with the *requested* access vector. +The decision is returned in *avd*. that has an additional *flags* entry. +Currently the only *flag* defined is *SELINUX_AVD_FLAGS_PERMISSIVE* that +indicates the decision was computed on a permissive domain (i.e. the +*permissive* policy language statement has been used in policy or +***semanage**(8)* has been used to set the domain in permissive mode). +Note this does not indicate that SELinux is running in permissive mode, +only the *scon* domain. + +*security_compute_create*, *security_compute_create_raw* - *selinux.h* + +Compute a labeling decision and set *newcon to refer to it. +Caller must free via ***freecon**(3)*. + +*security_compute_create_name*, *security_compute_create_name_raw* - *selinux.h* + +This is identical to* ***security_compute_create**(3)* but also takes the name +of the new object in creation as an argument. +When a *type_transition* rule on the given class and the *scon* / *tcon* pair +has an object name extension, *newcon* will be returned according to the policy. +Note that this interface is only supported on the kernels 2.6.40 or later. +For older kernels the object name is ignored. + +*security_compute_member*, *security_compute_member_raw* - *selinux.h* + +Compute a polyinstantiation member decision and set *newcon to refer to it. +Caller must free via ***freecon**(3)*. + +*security_compute_relabel*, *security_compute_relabel_raw* - *selinux.h* + +Compute a relabeling decision and set *\*newcon* to refer to it. +Caller must free via ***freecon**(3)*. + +*security_compute_user*, security_compute_user_raw* (deprecated) - *selinux.h* + +Compute the set of reachable user contexts and set *\*con* to refer to the +NULL-terminated array of contexts. Caller must free via ***freeconary**(3)*. + +*security_deny_unknown* - *selinux.h* + +Get the behavior for undefined classes / permissions. + +*security_disable* - *selinux.h* + +Disable SELinux at runtime (must be done prior to initial policy load). + +*security_get_boolean_active* - *selinux.h* + +Get the active value for the boolean. + +*security_get_boolean_names* - *selinux.h* + +Get the boolean names + +*security_get_boolean_pending* - *selinux.h* + +Get the pending value for the boolean. + +*security_get_initial_context*, *security_get_initial_context_raw* - *selinux.h* + +Get the context of an initial kernel security identifier by name. +Caller must free via ***freecon**(3)*. + +*security_getenforce* - *selinux.h* + +Get the enforce flag value. + +*security_load_booleans* (deprecated) - *selinux.h* + +Load policy boolean settings. Path may be NULL, in which case the booleans +are loaded from the active policy boolean configuration file. + +*security_load_policy* - *selinux.h* + +Load a policy configuration. + +*security_policyvers* - *selinux.h* + +Get the policy version number. + +*security_set_boolean* - *selinux.h* + +Set the pending value for the boolean. + +*security_set_boolean_list* - *selinux.h* + +Save a list of booleans in a single transaction. + +*security_setenforce* - *selinux.h* + +Set the enforce flag value. + +*security_validatetrans*, *security_validatetrans_raw* - *selinux.h* + +Validate a transition. This determines whether a transition from *scon* +to *newcon* using *tcon* as the target for object class *tclass* is valid in +the loaded policy. This checks against the *mlsvalidatetrans* and +*validatetrans* constraints in the loaded policy. +Returns 0 if allowed and -1 if an error occurred with errno set. + +*selabel_close* - *label.h* + +Destroy the specified handle, closing files, freeing allocated memory, etc. +The handle may not be further used after it has been closed. + +*selabel_cmp* - *label.h* + +Compare two label configurations. Returns: + +- *SELABEL_SUBSET* - if *h1* is a subset of *h2* +- *SELABEL_EQUAL* - if *h1* is identical to *h2* +- *SELABEL_SUPERSET* - if *h1* is a superset of *h2* +- *SELABEL_INCOMPARABLE* - if *h1* and *h2* are incomparable + +*selabel_digest* - *label.h* + +Retrieve the SHA1 digest and the list of specfiles used to generate the digest. +The *SELABEL_OPT_DIGEST* option must be set in ***selabel_open**(3)* to +initiate the digest generation. + +*selabel_get_digests_all_partial_matches* - *label.h* + +Returns true if the digest of all partial matched contexts is the same as the +one saved by ***setxattr**(2)*, otherwise returns false. The length of the +SHA1 digest will always be returned. The caller must free any returned digests. + +*selabel_hash_all_partial_matches* - *label.h* + +Returns true if the digest of all partial matched contexts is the same as the +one saved by ***setxattr**(2)*, otherwise returns false. + +*selabel_lookup*, *selabel_lookup_raw* - *label.h* + +Perform a labeling lookup operation. Return 0 on success, -1 with *errno* +set on failure. The *key* and *type* arguments are the inputs to the lookup +operation; appropriate values are dictated by the backend in use. +The result is returned in the memory pointed to by *con* and must be freed by +***freecon**(3)*. + +*selabel_lookup_best_match*, *selabel_lookup_best_match_raw* - *label.h* + +Obtain a best match SELinux security context - Only supported on file backend. +The order of precedence for best match is: + +- An exact match for the real path (key) or +- An exact match for any of the links (aliases), or +- The longest fixed prefix match. + +*selabel_open* - *label.h* + +Create a labeling handle. Open a labeling backend for use. +The available backend identifiers are: + +- *SELABEL_CTX_FILE* - *file_contexts*. +- *SELABEL_CTX_MEDIA* - media contexts. +- *SELABEL_CTX_X* - *x_contexts*. +- *SELABEL_CTX_DB* - SE-PostgreSQL contexts. +- *SELABEL_CTX_ANDROID_PROP* – *property_contexts*. +- *SELABEL_CTX_ANDROID_SERVICE* – *service_contexts*. + +Options may be provided via the *opts* parameter; available options are: + +- *SELABEL_OPT_UNUSED* - no-op option, useful for unused slots in an array of + options. +- *SELABEL_OPT_VALIDATE* - validate contexts before returning them + (boolean value). +- *SELABEL_OPT_BASEONLY* - don't use local customizations to backend data + (boolean value). +- *SELABEL_OPT_PATH* - specify an alternate path to use when loading backend + data. +- *SELABEL_OPT_SUBSET* - select a subset of the search space as an + optimization (file backend). +- *SELABEL_OPT_DIGEST* – request an SHA1 digest of the specfiles. + +Not all options may be supported by every backend. +Return value is the created handle on success or NULL with errno set on failure. + +*selabel_partial_match* - *label.h* + +Performs a partial match operation, returning TRUE or FALSE. +The *key* parameter is a file *path* to check for a direct or partial match. +Returns TRUE if a direct or partial match is found, FALSE if not. + +*selabel_stats* - *label.h* + +Log a message with information about the number of queries performed, number +of unused matching entries, or other operational statistics. +Message is backend-specific, some backends may not output a message. + +*selinux_binary_policy_path* - *selinux.h* + +Return path to the binary policy file under the policy root directory. + +*selinux_booleans_path* (deprecated) - *selinux.h* + +Return path to the booleans file under the policy root directory. + +*selinux_boolean_sub* - *selinux.h* + +Reads the */etc/selinux/TYPE/booleans.subs_dist* file looking for a record +with *boolean_name*. If a record exists ***selinux_boolean_sub**(3)* returns +the translated name otherwise it returns the original name. +The returned value needs to be freed. On failure NULL will be returned. + +*selinux_booleans_subs_path* - *selinux.h* + +Returns the path to the *booleans.subs_dist* configuration file. + +*selinux_check_access* - *selinux.h* + +Used to check if the source context has the access permission for the specified +class on the target context. Note that the permission and class are reference +strings. The *aux* parameter may reference supplemental auditing information. +Auditing is handled as described in ***avc_audit**(3)*. +See ***security_deny_unknown**(3)* for how the *deny_unknown* flag can +influence policy decisions. + +*selinux_check_passwd_access* (deprecated) - *selinux.h* + +Use ***selinux_check_access**(3)*. Check a permission in the passwd class. +Return 0 if granted or -1 otherwise. + +*selinux_check_securetty_context* - *selinux.h* + +Check if the tty_context is defined as a securetty. Return 0 if secure, +\< 0 otherwise. + +*selinux_colors_path* - *selinux.h* + +Return path to file under the policy root directory. + +*selinux_contexts_path* - *selinux.h* + +Return path to contexts directory under the policy root directory. + +*selinux_current_policy_path* - *selinux.h* + +Return path to the current policy. + +*selinux_customizable_types_path* - *selinux.h* + +Return path to customizable_types file under the policy root directory. + +*selinux_default_context_path* - *selinux.h* + +Return path to default_context file under the policy root directory. + +*selinux_default_type_path* - *get_default_type.h* + +Return path to *default_type* file. + +*selinux_failsafe_context_path* - *selinux.h* + +Return path to failsafe_context file under the policy root directory. + +*selinux_file_context_cmp* - *selinux.h* + +Compare two file contexts, return 0 if equivalent. + +*selinux_file_context_homedir_path* - *selinux.h* + +Return path to *file_context.homedir* file under the policy root directory. + +*selinux_file_context_local_path* - *selinux.h* + +Return path to *file_context.local* file under the policy root directory. + +*selinux_file_context_path* - *selinux.h* + +Return path to *file_context* file under the policy root directory. + +*selinux_file_context_subs_path* - *selinux.h* + +Return path to *file_context.subs* file under the policy root directory. + +*selinux_file_context_subs_dist_path* - *selinux.h* + +Return path to *file_context.subs_dist* file under the policy root directory. + +*selinux_file_context_verify* - *selinux.h* + +Verify the context of the file *path* against policy. Return 0 if correct. + +*selinux_get_callback* - *selinux.h* + +Used to get a pointer to the callback function of the given *type*. +Callback functions are set using ***selinux_set_callback**(3)*. + +*selinux_getenforcemode* - *selinux.h* + +Reads the /etc/selinux/config file and determines whether the machine should +be started in enforcing (1), permissive (0) or disabled (-1) mode. + +*selinux_getpolicytype* - *selinux.h* + +Reads the /*etc/selinux/config* file and determines what the default policy +for the machine is. Calling application must free *policytype*. + +*selinux_homedir_context_path* - *selinux.h* + +Return path to file under the policy root directory. Note that this file will +only appear in older versions of policy at this location. On systems that are +managed using ***semanage**(8)* this is now in the policy store. + +*selinux_init_load_policy* - *selinux.h* + +Perform the initial policy load. +This function determines the desired enforcing mode, sets the *enforce* +argument accordingly for the caller to use, sets the SELinux kernel enforcing +status to match it, and loads the policy. It also internally handles the +initial *selinuxfs* mount required to perform these actions. +The function returns 0 if everything including the policy load succeeds. +In this case, init is expected to re-exec itself in order to transition to the +proper security context. Otherwise, the function returns -1, and init must +check *enforce* to determine how to proceed. If enforcing (*enforce* \> 0), +then init should halt the system. Otherwise, init may proceed normally without +a re-exec. + +*selinux_lsetfilecon_default* - *selinux.h* + +This function sets the file context to the system defaults. +Returns 0 on success. + +*selinux_lxc_contexts_path* - *selinux.h* + +Return the path to the *lxc_contexts* configuration file. + +*selinux_media_context_path* - *selinux.h* + +Return path to file under the policy root directory. + +*selinux_mkload_policy* - *selinux.h* + +Make a policy image and load it. +This function provides a higher level interface for loading policy than +***security_load_policy**(3)*, internally determining the right policy version, +locating and opening the policy file, mapping it into memory, manipulating +it as needed for current boolean settings and/or local definitions, and then +calling ***security_load_policy**(3)* to load it. +*preservebools* is a boolean flag indicating whether current policy boolean +values should be preserved into the new policy (if 1) or reset to the saved +policy settings (if 0). The former case is the default for policy reloads, +while the latter case is an option for policy reloads but is primarily for the +initial policy load. + +*selinux_netfilter_context_path* - *selinux.h* + +Returns path to the netfilter_context file under the policy root directory. + +*selinux_path* - *selinux.h* + +Returns path to the policy root directory. + +*selinux_policy_root* - *selinux.h* + +Reads the /etc/selinux/config file and returns the top level directory. + +*selinux_raw_context_to_color* - *selinux.h* + +Perform context translation between security contexts and display colors. +Returns a space-separated list of ten ten hex RGB triples prefixed by +hash marks, e.g. *#ff0000*. Caller must free the resulting string +via ***free**(3)*. Returns -1 upon an error or 0 otherwise. + +*selinux_raw_to_trans_context* - *selinux.h* + +Perform context translation between the human-readable format (*translated*) +and the internal system format (*raw*). Caller must free the resulting context +via ***freecon**(3)*. Returns -1 upon an error or 0 otherwise. +If passed NULL, sets the returned context to NULL and returns 0. + +*selinux_removable_context_path* - *selinux.h* + +Return path to *removable_context* file under the policy root directory. + +*selinux_restorecon* - *restorecon.h* + +Relabel files that automatically calls ***selinux_restorecon_default_handle**(3)* and ***selinux_restorecon_set_sehandle**(3)* first time through to set the ***selabel_open**(3)* parameters to use the currently loaded policy *file_contexts* and request their computed digest. +Should other ***selabel_open**(3)* parameters be required see ***selinux_restorecon_set_sehandle**(3)*. + +*selinux_restorecon_xattr* - *restorecon.h* + +Read/remove *RESTORECON_LAST* xattr entries that automatically calls ***selinux_restorecon_default_handle**(3)* and ***selinux_restorecon_set_sehandle**(3)* first time through to set the ***selabel_open**(3)* parameters to use the currently loaded policy *file_contexts* and request their computed digest. +Should other ***selabel_open**(3)* parameters be required see ***selinux_restorecon_set_sehandle**(3)*, however note that a *file_contexts* computed digest is required for ***selinux_restorecon_xattr**(3)*. + +*selinux_restorecon_default_handle* - *restorecon.h* + +Sets default ***selabel_open**(3)* parameters to use the currently loaded policy and *file_contexts*, also requests the digest. + +*selinux_restorecon_set_alt_rootpath* - *restorecon.h* + +Use alternate rootpath. + +*selinux_restorecon_set_exclude_list* - *restorecon.h* + +Add a list of directories that are to be excluded from relabeling. + +*selinux_restorecon_set_sehandle* - *restorecon.h* + +Set the global fc handle. Called by a process that has already called ***selabel_open**(3)* with its required parameters, or if ***selinux_restorecon_default_handle**(3)* has been called to set the default ***selabel_open**(3)* parameters. + +*selinux_securetty_types_path* - *selinux.h* + +Return path to the securetty_types file under the policy root directory. + +*selinux_sepgsql_context_path* - *selinux.h* + +*Return path to *sepgsql_context* file under the policy root directory. + +*selinux_set_callback* - *selinux.h* + +Sets the callback according to the type: *SELINUX_CB_LOG*, *SELINUX_CB_AUDIT*, *SELINUX_CB_VALIDATE*, *SELINUX_CB_SETENFORCE*, *SELINUX_CB_POLICYLOAD* + +*selinux_set_mapping* - *selinux.h* + +Userspace class mapping support that establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy. + +*selinux_set_policy_root* - *selinux.h* + +Sets an alternate policy root directory path under which the compiled policy file and context configuration files exist. + +*selinux_status_open* - *avc.h* + +Open and map SELinux kernel status page. + +*selinux_status_close* - *avc.h* + +Unmap and close kernel status page. + +*selinux_status_updated* - *avc.h* + +Inform whether the kernel status has been updated. + +*selinux_status_getenforce* - *avc.h* + +Get the enforce flag value. + +*selinux_status_policyload* - *avc.h* + +Get the number of policy loads. + +*selinux_status_deny_unknown* - *avc.h* + +Get behaviour for undefined classes/permissions. + +*selinux_systemd_contexts_path* - *selinux.h* + +Returns the path to the *systemd_contexts* configuration file. + +*selinux_reset_config* - *selinux.h* + +Force a reset of the loaded configuration. **WARNING**: This is not thread safe. +Be very sure that no other threads are calling into *libselinux* when this +is called. + +*selinux_trans_to_raw_context* - *selinux.h* + +Perform context translation between the human-readable format (*translated*) +and the internal system format (*raw*). Caller must free the resulting context +via ***freecon**(3)*. Returns -1 upon an error or 0 otherwise. +If passed NULL, sets the returned context to NULL and returns 0. + +*selinux_translations_path* - *selinux.h* + +Return path to setrans.conf file under the policy root directory. + +*selinux_user_contexts_path* - *selinux.h* + +Return path to file under the policy root directory. + +*selinux_users_path* (deprecated) - *selinux.h* + +Return path to file under the policy root directory. + +*selinux_usersconf_path* - *selinux.h* + +Return path to file under the policy root directory. + +*selinux_virtual_domain_context_path* - *selinux.h* + +Return path to file under the policy root directory. + +*selinux_virtual_image_context_path* - *selinux.h* + +Return path to file under the policy root directory. + +*selinux_x_context_path* - *selinux.h* + +Return path to x_context file under the policy root directory. + +*selinuxfs_exists* - *selinux.h* + +Check if selinuxfs exists as a kernel filesystem. + +*set_matchpathcon_canoncon* (deprecated) - *selinux.h* + +Same as ***set_matchpathcon_invalidcon**(3)*, but also allows canonicalization +of the context, by changing *context* to refer to the canonical form. +If not set, and *invalidcon* is also not set, then this defaults to calling +***security_canonicalize_context**(3)*. + +*set_matchpathcon_flags* (deprecated) - *selinux.h* + +Set flags controlling operation of ***matchpathcon_init**(3)* or +***matchpathcon**(3)*: + +- *MATCHPATHCON_BASEONLY* - Only process the base file_contexts file. +- *MATCHPATHCON_NOTRANS* - Do not perform any context translation. +- *MATCHPATHCON_VALIDATE* - Validate/canonicalize contexts at init time. + +*set_matchpathcon_invalidcon* (deprecated) - *selinux.h* + +Set the function used by ***matchpathcon_init**(3)* when checking the validity +of a context in the *file_contexts* configuration. If not set, then this +defaults to a test based on ***security_check_context**(3)*. The function is +also responsible for reporting any such error, and may include the *path* and +*lineno* in such error messages. + +*set_matchpathcon_printf* (deprecated) - *selinux.h* + +Set the function used by ***matchpathcon_init**(3)* when displaying errors +about the *file_contexts* configuration. If not set, then this defaults +to *fprintf(stderr, fmt, ...)*. + +*set_selinuxmnt* - *selinux.h* + +Set the path to the selinuxfs mount point explicitly. Normally, this is +determined automatically during libselinux initialization, but this is not +always possible, e.g. for /sbin/init which performs the initial mount of +*selinuxfs*. + +*setcon*, *setcon_raw* - *selinux.h* + +Set the current security context to con. +Note that use of this function requires that the entire application be trusted +to maintain any desired separation between the old and new security contexts, +unlike exec-based transitions performed via ***setexeccon**(3)*. +When possible, decompose your application and use ***setexeccon**(3)* + +***execve**(3)* instead. Note that the application may lose access to its +open descriptors as a result of a ***setcon**(3)* unless policy allows it to +use descriptors opened by the old context. + +*setexeccon*, *setexeccon_raw* - *selinux.h* + +Set exec security context for the next ***execve**(3)*. +Call with NULL if you want to reset to the default. + +*setexecfilecon* - *selinux.h* + +Set an appropriate security context based on the filename of a helper program, +falling back to a new context with the specified type. + +*setfilecon*, *setfilecon_raw* - *selinux.h* + +Wrapper for the xattr API - Set file context. + +*setfscreatecon*, *setfscreatecon_raw* - *selinux.h* + +Set the fscreate security context for subsequent file creations. +Call with NULL if you want to reset to the default. + +*setkeycreatecon*, *setkeycreatecon_raw* - *selinux.h* + +Set the keycreate security context for subsequent key creations. +Call with NULL if you want to reset to the default. + +*setsockcreatecon*, *setsockcreatecon_raw* - *selinux.h* + +Set the sockcreate security context for subsequent socket creations. +Call with NULL if you want to reset to the default. + +*sidget* (deprecated) - *avc.h* + +From 2.0.86 this is a no-op. + +*sidput* (deprecated) - *avc.h* + +From 2.0.86 this is a no-op. + +*string_to_av_perm* - *selinux.h* + +Convert string names to access vector permissions. + +*string_to_security_class* - *selinux.h* + +Convert string names to security class values. From patchwork Wed Sep 2 13:17:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11772479 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8CCD2746 for ; Sun, 13 Sep 2020 21:59:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4DE3020756 for ; Sun, 13 Sep 2020 21:59:52 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="iBouZVpY" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725983AbgIMV7w (ORCPT ); Sun, 13 Sep 2020 17:59:52 -0400 Received: from mailomta12-sa.btinternet.com ([213.120.69.18]:27904 "EHLO sa-prd-fep-047.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725939AbgIMV7v (ORCPT ); Sun, 13 Sep 2020 17:59:51 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-048.btinternet.com with ESMTP id <20200902131744.PPI4139.sa-prd-fep-048.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:44 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052664; bh=sfiuhwBUJQVlhXbUwLOWJd+LDRIe8+TqXRPJzyYbaaM=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=iBouZVpYgCr8IrWyVab8ZyuQ9ti6kOgO/sOMUtwuYALISiyvnhRx3af57DOIbh9z5i+xS3RpLLPIR1oJO+zq3A5JsVMVLQJu8LLg8DrBNoEeO1NKiWlItB2C4LvRo+uN96J4cbCcIoch8/vcDKjHstjl3k1Datd6GmjC9agU2nKOph+UP1m+wUaFNO3VWudmgJuPNv7R4w0AVBpptZmpRt0N7DFjsU9wlT93s6Ooks1mctIpc1TMbETbnrFkYu9b6qw/6X11zkr+akW0ZgUJ1I40ZqNVMV4nGra1HgBXPTFdkfA+Dd1y146gj2DMMpPpFQ9xLCGIA8hHK8/aOXWiIg== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36B74; Wed, 2 Sep 2020 14:17:44 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 02/13] mac: Tidy formatting Date: Wed, 2 Sep 2020 14:17:27 +0100 Message-Id: <20200902131738.18425-3-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/mac.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/src/mac.md b/src/mac.md index 7b88c24..7f673fe 100644 --- a/src/mac.md +++ b/src/mac.md @@ -9,13 +9,13 @@ Each of the subjects and objects have a set of security attributes that can be interrogated by the operating system to check if the requested operation can be performed or not. For SELinux the: -- [**subjects**](subjects.md#subjects) are processes. -- [**objects**](objects.md#objects) are system resources such as files, - sockets, etc. -- security attributes are the [**security context**](security_context.md#security-context). -- Security Server within the Linux kernel authorizes access (or not) - using the security policy (or policy) that describes rules that must - be enforced. +- [**subjects**](subjects.md#subjects) are processes. +- [**objects**](objects.md#objects) are system resources such as files, + sockets, etc. +- security attributes are the [**security context**](security_context.md#security-context). +- Security Server within the Linux kernel authorizes access (or not) + using the security policy (or policy) that describes rules that must + be enforced. Note that the subject (and therefore the user) cannot decide to bypass the policy rules being enforced by the MAC policy with SELinux enabled. @@ -35,8 +35,8 @@ SELinux supports two forms of MAC: objects are controlled by policy. This is the implementation used for general purpose MAC within SELinux along with Role Based Access Control. The [**Type Enforcement (TE)**](type_enforcement.md#type-enforcement) and -[**Role Based Access Control**](rbac.md#role-based-access-control) sections covers -these in more detail. +[**Role Based Access Control**](rbac.md#role-based-access-control) sections +covers these in more detail. **Multi-Level Security** - This is an implementation based on the Bell-La Padula (BLP) model, and used by organizations where different @@ -51,14 +51,14 @@ Multi-Category Security (MCS). The MLS / MCS services are now more generally used to maintain application separation, for example SELinux enabled: -- virtual machines use MCS categories to allow each VM to run within - its own domain to isolate VMs from each other (see the - [**SELinux Virtual Machine Support**](vm_support.md#selinux-virtual-machine-support) - section). -- Android devices use dynamically generated MCS categories so that an - app running on behalf of one user cannot read or write files created - by the same app running on behalf of another user (see the - [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section). +- virtual machines use MCS categories to allow each VM to run within + its own domain to isolate VMs from each other (see the + [**SELinux Virtual Machine Support**](vm_support.md#selinux-virtual-machine-support) + section). +- Android devices use dynamically generated MCS categories so that an + app running on behalf of one user cannot read or write files created + by the same app running on behalf of another user (see the + [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section). From patchwork Wed Sep 2 13:17:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11775933 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 002DE139F for ; Tue, 15 Sep 2020 09:37:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id ABC512080C for ; Tue, 15 Sep 2020 09:37:16 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="BbIxsh0f" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726119AbgIOJhQ (ORCPT ); Tue, 15 Sep 2020 05:37:16 -0400 Received: from mailomta10-sa.btinternet.com ([213.120.69.16]:14299 "EHLO sa-prd-fep-048.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726102AbgIOJhP (ORCPT ); Tue, 15 Sep 2020 05:37:15 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-042.btinternet.com with ESMTP id <20200902131745.VSZA26396.sa-prd-fep-042.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:45 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052665; bh=5PGcYHMCN3Fy+tNhHTEN/QK+aIfiTYzRERfSRkoyMuk=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=BbIxsh0fPqlPFIH4zu5NuLDBWL+cRUKkhnIwpORb576H7yAam45ug6pdKhZIHxz9SuwCmG7fEn5cCXoqcfASpr9sRGBbp7z8Hix6zndi1RUprT95i0bUd5PgEJa5PmpP+6WBtUlhMGVYqkQnyjOXezCIuB662Po0S8ms90qZfUw/FC2VNltR2w+5rvj6KiwENYuvbDOtvnwOpB7vxG2n89531xBbKEraPqgHfEHqmYerFGDeXdGvxGoW2w/UeCl2+dOq5w0iOMxDsSSGxiozqoFuTG6ynLIMcbANAsYJiz19yyMpEpzCHLPaM0Io26xo6Zrx/Gafn8dO0n2qTH9lbw== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36B7F; Wed, 2 Sep 2020 14:17:45 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 03/13] modular_policy_statements: Convert to markdown Date: Wed, 2 Sep 2020 14:17:28 +0100 Message-Id: <20200902131738.18425-4-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/modular_policy_statements.md | 229 +++++++++++++------------------ 1 file changed, 95 insertions(+), 134 deletions(-) diff --git a/src/modular_policy_statements.md b/src/modular_policy_statements.md index e829e32..e62e6ac 100644 --- a/src/modular_policy_statements.md +++ b/src/modular_policy_statements.md @@ -1,5 +1,9 @@ # Modular Policy Support Statements +- [*module*](#module) +- [*require*](#require) +- [*optional*](#optional) + This section contains statements used to support policy modules. They are not part of the kernel policy language. @@ -9,7 +13,7 @@ This statement is mandatory for loadable modules (non-base) and must be the first line of any module policy source file. The identifier should not conflict with other module names within the overall policy, otherwise it will over-write an existing module when loaded via the -semodule command. The ***semodule -l*** command can be used to list all active +semodule command. The *semodule -l* command can be used to list all active modules within the policy. **The statement definition is:** @@ -20,49 +24,32 @@ module module_name version_number; **Where:** - - - - - - - - - - - - - - - -
moduleThe module keyword.
module_nameThe module name.
version_numberThe module version number in M.m.m format (where M = major version number and m = minor version numbers).
+*module* + +The *module* keyword. + +*module_name* + +The *module* name. + +*version_number* + +The module version number in M.m.m format (where M = major version number +and m = minor version numbers). **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
NoNoYes
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** @@ -77,15 +64,15 @@ module bind 1.0.0; The require statement is used for two reasons: -1. Within loadable module policy source files to indicate what policy - components are required from an external source file (i.e. they are - not explicitly defined in this module but elsewhere). The examples - below show the usage. -2. Within a base policy source file, but only if preceded by the - [***optional***](#optional) to indicate what policy components - are required from an external source file (i.e. they are not - explicitly defined in the base policy but elsewhere). The examples - below show the usage. +1. Within loadable module policy source files to indicate what policy + components are required from an external source file (i.e. they are + not explicitly defined in this module but elsewhere). The examples + below show the usage. +2. Within a base policy source file, but only if preceded by the + [***optional***](#optional) to indicate what policy components + are required from an external source file (i.e. they are not + explicitly defined in the base policy but elsewhere). The examples + below show the usage. **The statement definition is:** @@ -95,49 +82,38 @@ require { rule_list } **Where:** - - - - - - - - - - - -
requireThe require keyword.
require_list

One or more specific statement keywords with their required identifiers in a semi-colon ';' separated list enclosed within braces '{}'.

-

The valid statement keywords are:

-

role, type, attribute, user, bool, sensitivity and category. The keyword is followed by one or more identifiers in a comma ',' separated list, with the last entry being terminated with a semi-colon (;).

-

class - The class keyword is followed by a single object class identifier and one or more permissions. Multiple permissions consist of a space separated list enclosed within braces '{}'. The list is then terminated with a semi-colon ';'.

-

The examples below show these in detail.

+*require* + +The *require* keyword. + +*require_list* + +One or more specific statement keywords with their required identifiers +in a semi-colon ';' separated list enclosed within braces '{}'. The examples +below show these in detail. The valid statement keywords are: + +- *role*, *type*, *attribute*, *user*, *bool*, *sensitivity* and + *category* - The keyword is followed by one or more identifiers in a + comma ',' separated list, with the last entry being terminated with a + semi-colon ';'. +- *class* - The class keyword is followed by a single object class identifier + and one or more permissions. Multiple permissions consist of a space + separated list enclosed within braces '{}'. The list is then terminated + with a semi-colon ';'. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
NoYes - But only if proceeded by the optional StatementYes
Conditional Policy if Statementoptional Statementrequire Statement
Yes - But only if proceeded by the optional StatementYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes (only if proceeded by the *optional* Statement) | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes (only if proceeded by the *optional* Statement) | Yes | No | **Examples:** @@ -183,53 +159,38 @@ optional { rule_list } [ else { rule_list } ] **Where:** - - - - - - - - - - - - - - - - - - - -
optionalThe optional keyword.
rule_listOne or more statements enclosed within braces '{}'. The list of valid statements is given in Table 3: The policy language statements and rules that are allowed within each type of policy source file.
elseAn optional else keyword.
rule_listAs the rule_list above.
+*optional* + +The *optional* keyword. + +*rule_list* + +One or more statements enclosed within braces '{}'. The list of valid +statements is given in +[**Table 3:** of the Kernel Policy Language](kernel_policy_language.md#kernel-policy-language) +section. + +*else* + +An optional *else* keyword. + +*rule_list* + +As the *rule_list* above. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
NoYesYes
Conditional Policy if Statementoptional Statementrequire Statement
YesYesYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | **Examples:** From patchwork Wed Sep 2 13:17:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11778931 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 17610618 for ; Wed, 16 Sep 2020 05:16:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A529720936 for ; Wed, 16 Sep 2020 05:16:08 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="l9Kar5KU" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726069AbgIPFQI (ORCPT ); Wed, 16 Sep 2020 01:16:08 -0400 Received: from mailomta29-sa.btinternet.com ([213.120.69.35]:44954 "EHLO sa-prd-fep-046.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726068AbgIPFQH (ORCPT ); Wed, 16 Sep 2020 01:16:07 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-045.btinternet.com with ESMTP id <20200902131745.VNDB4112.sa-prd-fep-045.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:45 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052665; bh=7UovMaRWkhQ2n9+fT5lDImm1PPTEFwBvyFQOiVXNBxw=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=l9Kar5KUK+ut1kPFWubuO2J5uMDC10tu6mxcOBc30vUqtpqJvZ7wJvonXjn2vw28N+Z4tpxG0/LSK4hwtPci/IRVI/E+xNPAmTAsZWX1Neb5ZF1rlxrhp+ElxpYwvhWC98JprryRQtLDz997cR8HE2V+dJJoz4W5ZMr+omx8xXrVnAu+yQdL6d+ojzVTofsGVDtJMXJa0ghk4synEUladEGYdelDUNEKg6V4BvQUbMP4M8XImP7WmyAldoKP1ECTzGNX2K7ZmldHV5h8GvoPJE8PEmWEu0Y0qgbR9zwWANk+zt8ebMsCb5sjNCLj4OMWsjEYPirA3BaXyDO6nZaivA== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36B91; Wed, 2 Sep 2020 14:17:45 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 04/13] network_statements: Convert to markdown Date: Wed, 2 Sep 2020 14:17:29 +0100 Message-Id: <20200902131738.18425-5-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/network_statements.md | 261 ++++++++++++++++---------------------- 1 file changed, 108 insertions(+), 153 deletions(-) diff --git a/src/network_statements.md b/src/network_statements.md index a1e3b88..8ba411e 100644 --- a/src/network_statements.md +++ b/src/network_statements.md @@ -1,5 +1,13 @@ # Network Labeling Statements +- [Network Address Formats](#network-address-formats) + - [IPv4 Address Format](#ipv4-address-format) + - [IPv6 Address Formats](#ipv6-address-formats) +- [*netifcon*](#netifcon) +- [*nodecon*](#nodecon) +- [*portcon*](#portcon) + + The network labeling statements are used to label the following objects: **Network interfaces** - This covers those interfaces managed by the @@ -28,6 +36,8 @@ sid node system_u:object_r:node_t:s0 - s15:c0.c255 sid port system_u:object_r:port_t:s0 ``` +## Network Address Formats + ### IPv4 Address Format IPv4 addresses are represented in dotted-decimal notation (four @@ -49,34 +59,30 @@ where each group is separated by a colon ':' as follows: To shorten the writing and presentation of addresses, the following rules apply: -1. Any leading zeros in a group may be replaced with a single '0' as - shown: +Any leading zeros in a group may be replaced with a single '0' as shown: ``` 2001:db8:85a3:0:0:8a2e:370:7334 ``` -2. Any leading zeros in a group may be omitted and be replaced with two - colons '::', however this is only allowed once in an address as - follows: +Any leading zeros in a group may be omitted and be replaced with two +colons '::', however this is only allowed once in an address as follows: ``` 2001:db8:85a3::8a2e:370:7334 ``` -3. The *localhost* (loopback) address can be written as: +The *localhost* (loopback) address can be written as: ``` 0000:0000:0000:0000:0000:0000:0000:0001 -``` Or -``` ::1 ``` -4. An undetermined IPv6 address i.e. all bits are zero is written as: +An undetermined IPv6 address i.e. all bits are zero is written as: ``` :: @@ -88,8 +94,8 @@ The *netifcon* statement is used to label network interface objects (e.g. eth0) for peer labeling (see the [***netif* object class**](object_classes_permissions.md#network-object-classes)). -It is also possible to use the ***semanage**(8)* interface command to associate -the interface to a security context. +It is also possible to use the ***semanage**(8)* *interface* command to +associate the interface to a security context. **The statement definition is:** @@ -99,54 +105,38 @@ netifcon netif_id netif_context packet_context **Where:** - - - - - - - - - - - - - - - - - - - -
netifconThe netifcon keyword.
netif_idThe network interface name (e.g. eth0).
netif_contextThe security context allocated to the network interface.
packet_context

The security context allocated packets. Note that these are defined but unused.

-

The iptables(8)/nftables(8) SECMARK services should be used to label packets.

+*netifcon* + +The *netifcon* keyword. + +*netif_id* + +The network interface name (e.g. eth0). + +*netif_context* + +The security context allocated to the network interface. + +*packet_context* + +The security context allocated packets. Note that these are defined but unused. +The ***iptables**(8)* / ***nft**(8)* +[**SECMARK services**](network_support.md#packet-controls-secmark) should be +used to label packets. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** @@ -165,9 +155,9 @@ semanage interface -a -t netif_t eth2 ``` This command will produce the following file in the default -<SELINUXTYPE> policy store and then activate the policy: +\ policy store and then activate the policy: -*/var/lib/selinux/<SELINUXTYPE>/active/interfaces.local*: +*/var/lib/selinux/\/active/interfaces.local*: ``` # This file is auto-generated by libsemanage @@ -185,7 +175,7 @@ labeling (see the that represent IPv4 or IPv6 IP addresses and network masks. It is also possible to add SELinux these outside the policy using the -***semanage**(8)* 'node' command that will associate the node to a security +***semanage**(8)* *node* command that will associate the node to a security context. **The statement definition is:** @@ -196,54 +186,37 @@ nodecon subnet netmask node_context **Where:** - - - - - - - - - - - - - - - - - - - -
nodeconThe nodecon keyword.
subnet

The subnet or specific IP address in IPv4 or IPv6 format.

-

Note that the subnet and netmask values are used to ensure that the node_context is assigned to all IP addresses within the subnet range.

netmaskThe subnet mask in IPv4 or IPv6 format.
node_contextThe security context for the node.
+*nodecon* + +The *nodecon* keyword. + +*subnet* + +The subnet or specific IP address in IPv4 or IPv6 format. +Note that the subnet and netmask values are used to ensure that the +*node_context* is assigned to all IP addresses within the subnet range. + +*netmask* + +The subnet mask in IPv4 or IPv6 format. + +*node_context* + +The security context for the node. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Examples:** @@ -267,9 +240,9 @@ semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2 ``` This command will produce the following file in the default -<SELINUXTYPE> policy store and then activate the policy: +\ policy store and then activate the policy: -*/var/lib/selinux/<SELINUXTYPE>/active/nodes.local*: +*/var/lib/selinux/\/active/nodes.local*: ``` # This file is auto-generated by libsemanage @@ -283,7 +256,7 @@ nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0 The *portcon* statement is used to label udp, tcp, dccp or sctp ports. It is also possible to add a security context to ports outside the -policy using the ***semanage**(8)* 'port' command that will associate the port +policy using the ***semanage**(8)* *port* command that will associate the port (or range of ports) to a security context. **The statement definition is:** @@ -294,53 +267,35 @@ portcon protocol port_number port_context **Where:** - - - - - - - - - - - - - - - - - - - -
portconThe portcon keyword.
protocolThe protocol type. Valid entries are udp, tcp or dccp.
port_numberThe port number or range of ports. The ranges are separated by a hyphen (-).
port_contextThe security context for the port or range of ports.
+*portcon* + +The *portcon* keyword. + +*protocol* + +The protocol type. Valid entries are udp, tcp or dccp. + +*port_number* + +The port number or range of ports. The ranges are separated by a hyphen '-'. + +*port_context* + +The security context for the port or range of ports. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Examples:** @@ -361,9 +316,9 @@ semanage port -a -t reserved_port_t -p udp 1234 ``` This command will produce the following file in the default -<SELINUXTYPE> policy store and then activate the policy: +\ policy store and then activate the policy: -*/var/lib/selinux/<SELINUXTYPE>/active/ports.local*: +*/var/lib/selinux/\/active/ports.local*: ``` # This file is auto-generated by libsemanage From patchwork Wed Sep 2 13:17:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11779517 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B064F618 for ; Wed, 16 Sep 2020 10:04:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E52432220F for ; Wed, 16 Sep 2020 10:04:08 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="LrGlB5KP" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726349AbgIPKEI (ORCPT ); Wed, 16 Sep 2020 06:04:08 -0400 Received: from mailomta12-sa.btinternet.com ([213.120.69.18]:34379 "EHLO sa-prd-fep-048.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726669AbgIPKEI (ORCPT ); Wed, 16 Sep 2020 06:04:08 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-047.btinternet.com with ESMTP id <20200902131746.ILLU4609.sa-prd-fep-047.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:46 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052666; bh=jTK0IktSsmSWiH2+1y47k1mW/rTfNf57qprk2TR0Z/w=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=LrGlB5KPERpQSDoDIf2wFdoPXDGyDH95egcCR0AR1+4iCjhSZVQVEE3ktcLtrsLVJghhaATy8QSwTJNeW0Cz32Sb7d35naRn4LLHGzqne7mr/8B1bIgiZGIb9mRHK43M7J6X3XHkjylmBNMAqdN3FSmSENMRAIFAqkVJqh61pCOD6EG2yDd/21jeA1VJi8zLeAC1H0qu4YbQ2aRT461lyFPOjfqyB0koP3IXH76G0xlrZU+NXk3GoZsg693e7gletf5EaAAYN6Oow/y+GniRjKASj5OSFl/ljTSGU4Otza+iOBi41teP8CCMfvjr5ZDJ08MvSGE35CNDzZ0AZC1MYw== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=49/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecuogfuuhhsphgvtghtffhomhgrihhnucdlgeelmdenucfjughrpefhvffufffkofgjfhggtgfgsehtkeertdertdejnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeehgfegteevgeevueekvdejtdegkeevhfdvuddvueduudetffevtdekteefleeuvdenucffohhmrghinheplhhivhgvjhhouhhrnhgrlhdrtghomhdpihgvthhfrdhorhhgpdhrvgguhhgrthdrtghomhenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggp tggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 49 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36BA7; Wed, 2 Sep 2020 14:17:46 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 05/13] network_support: Convert to markdown Date: Wed, 2 Sep 2020 14:17:30 +0100 Message-Id: <20200902131738.18425-6-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Moved some text, but no text changes. Signed-off-by: Richard Haines --- src/network_support.md | 270 +++++++++++++++++++++-------------------- 1 file changed, 141 insertions(+), 129 deletions(-) diff --git a/src/network_support.md b/src/network_support.md index 5faa578..36af1f4 100644 --- a/src/network_support.md +++ b/src/network_support.md @@ -1,24 +1,33 @@ # SELinux Networking Support +- [Packet controls: SECMARK](#packet-controls-secmark) +- [Packet controls: NetLabel - Fallback Peer Labeling](#packet-controls-netlabel---fallback-peer-labeling) +- [Packet controls: NetLabel - CIPSO/CALIPSO](#packet-controls-netlabel-cipsocalipso) +- [Packet controls: Labeled IPSec](#packet-controls-labeled-ipsec) +- [Packet controls: Access Control for Network Interfaces](#packet-controls-access-control-for-network-interfaces) +- [Packet controls: Access Control for Network Nodes](#packet-controls-access-control-for-network-nodes) +- [Socket controls: Access Control for Network Ports](#socket-controls-access-control-for-network-ports) +- [Labeled Network FileSystem (NFS)](#labeled-network-filesystem-nfs) + SELinux controls network access in the kernel at two locations: at the socket interface, and when packets are processed by the protocol stacks. Controls at the socket interface are invoked when a task makes network related system calls and thus the access permission checks mimic the sockets programming interface (e.g. ***bind**(2)* -vs. `node_bind`). Packet controls are more distant from applications +vs. *node_bind*). Packet controls are more distant from applications and they are invoked whenever any packets are received, forwarded or sent. Packet level controls include: -* Packet labeling with SECMARK: class `packet` -* Peer labeling with Labeled IPSec or NetLabel: class `peer` -* Interface control: class `netif` -* Network node control: class `node` +- Packet labeling with SECMARK: class *packet* +- Peer labeling with Labeled IPSec or NetLabel: class *peer* +- Interface control: class *netif* +- Network node control: class *node* Controls at socket interface include: -* TCP/UDP/SCTP/DCCP ports: class `port` +- TCP/UDP/SCTP/DCCP ports: class *port* SECMARK is a security extension in Linux network packet processing, which allows packets or sessions to be marked with security labels. @@ -26,7 +35,7 @@ which allows packets or sessions to be marked with security labels. NetLabel is a framework for explicit network labeling that abstracts away the underlying labeling protocol from the LSMs. Labeled IPsec and the NetLabel framework are the current access controls for class -`peer`, with NetLabel supporting CIPSO for IPv4, CALIPSO for IPv6, and +*peer*, with NetLabel supporting CIPSO for IPv4, CALIPSO for IPv6, and a fallback/static labeling for unlabeled IPv4 and IPv6 networks. Packet controls can be organized further according to the source of @@ -37,8 +46,8 @@ managed internally within a single machine (i.e. their labels are not transmitted as part of the session with remote systems). There are two types supported: SECMARK and NetLabel with the static/fallback "protocol". As an example, SECMARK access controls could restrict -`firefox_t` to talking only to network services on TCP port 80 while -NetLabel fallback/static rules could restrict `firefox_t` to only +*firefox_t* to talking only to network services on TCP port 80 while +NetLabel fallback/static rules could restrict *firefox_t* to only receive data from specific IP addresses on a specific network interface. @@ -49,10 +58,10 @@ NetLabel/CIPSO (Commercial IP Security Option) and NetLabel/CALIPSO (Common Architecture Label IPv6 Security Option). With labeled networking, it's possible to compare the security attributes (SELinux label) of the sending peer with the security context of the receiving -peer. A simple example with Labeled IPSec is restricting `firefox_t` -to talking only to `httpd_t`, while NetLabel/CIPSO & CALIPSO could -restrict domains with MLS security level `s32` not to talk with -domains with level `s31`. +peer. A simple example with Labeled IPSec is restricting *firefox_t* +to talking only to *httpd_t*, while NetLabel/CIPSO & CALIPSO could +restrict domains with MLS security level *s32* not to talk with +domains with level *s31*. SELinux network access controls are not enabled by default. They can be enabled by configuring SECMARK, NetLabel or Labeled IPsec rules, or @@ -102,11 +111,11 @@ dnf install libreswan ``` It is important to note that the kernel must be configured to support -these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`, -`CONFIG_NF_CONNTRACK_SECMARK`, -`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`, -`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`, -`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are +these services (*CONFIG_NETLABEL*, *CONFIG_NETWORK_SECMARK*, +*CONFIG_NF_CONNTRACK_SECMARK*, +*CONFIG_NETFILTER_XT_TARGET_CONNSECMARK*, +*CONFIG_NETFILTER_XT_TARGET_SECMARK*, *CONFIG_IP_NF_SECURITY*, +*CONFIG_IP6_NF_SECURITY*). At least Fedora and Debian kernels are configured to handle all the above services. The Linux networking package *iproute* has an SELinux aware socket @@ -125,7 +134,7 @@ automatically inspects all incoming and outgoing packets and can place controls on interfaces, IP addresses (nodes) and ports with the added advantage of connection tracking. The SECMARK security extensions allow security contexts to be added to packets (SECMARK) or sessions -(CONNSECMARK), belonging to object class of `packet`. +(CONNSECMARK), belonging to object class of *packet*. The NetFilter framework inspects and tag packets with labels as defined within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with @@ -142,16 +151,16 @@ this Notebook, there are tutorials available. The **Figure 13: SECMARK Processing** shows the basic structure with the process working as follows: -- A table called the *security table* is used to define the parameters - that identify and 'mark' packets that can then be tracked as the - packet travels through the networking sub-system. These 'marks' are - called SECMARK and CONNSECMARK. -- A SECMARK is placed against a packet if it matches an entry in the - security table applying a label that can then be used to enforce - policy on the packet. -- The CONNSECMARK 'marks' all packets within a - session1 - with the appropriate label that can then be used to enforce policy. +- A table called the *security table* is used to define the parameters + that identify and 'mark' packets that can then be tracked as the + packet travels through the networking sub-system. These 'marks' are + called SECMARK and CONNSECMARK. +- A SECMARK is placed against a packet if it matches an entry in the + security table applying a label that can then be used to enforce + policy on the packet. +- The CONNSECMARK 'marks' all packets within a + session[^fn_ns_1] with the appropriate label that can then be used to + enforce policy. ![](./images/13-secmark.png) @@ -226,7 +235,7 @@ table ip6 security { Before the SECMARK rules can be loaded, TE rules must be added to define the types, and also allow domains to send and/or receive -objects of `packet` class: +objects of *packet* class: ``` type test_server_packet_t, packet_type; @@ -235,8 +244,9 @@ allow my_server_t test_server_packet_t:packet { send recv }; ``` The following articles explain the SECMARK service: -- [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) -- [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) + +- [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) +- [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) ## Packet controls: NetLabel - Fallback Peer Labeling @@ -277,20 +287,19 @@ commands will fail. Before the NetLabel rules can be loaded, TE rules must be added to define the types. Then the rules can allow domains to receive data -from objects of `peer` class: +from objects of *peer* class: ``` type netlabel_sctp_peer_t; allow my_server_t netlabel_sctp_peer_t:peer recv; ``` -Note that sending can't be controlled with `peer` class. +Note that sending can't be controlled with *peer* class. ## Packet controls: NetLabel – CIPSO/CALIPSO To allow MLS or MCS [**security levels**](mls_mcs.md#security-levels) -to be passed over a network between MLS or MCS systems2, +to be passed over a network between MLS or MCS systems[^fn_ns_2], the Commercial IP Security Option (CIPSO) protocol is used. This is defined in the [**CIPSO Internet Draft**](http://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01) document (this is an obsolete document, however the protocol is still in @@ -311,11 +320,12 @@ The protocol is configured by the NetLabel service ***netlabelctl**(8)* and can be used by other security modules that use the LSM infrastructure. The implementation supports: -1. A non-translation option (Tag Type 1 '**bit mapped**') where labels are - passed to / from systems unchanged (for host to host communications as - show in **Figure 15**). -- Note that CALIPSO only supports this option, and an example - ***netlabelctl**(8)* command setting a DOI of 16 is: +1. A non-translation option (Tag Type 1 '**bit mapped**') where labels are + passed to / from systems unchanged (for host to host communications as + show in **Figure 15**). + - Note that CALIPSO only supports this option, and an example + ***netlabelctl**(8)* command setting a DOI of 16 is: + ``` netlabelctl calipso add pass doi:16 ``` @@ -324,15 +334,15 @@ netlabelctl calipso add pass doi:16 **Figure 15:** - *MLS Systems on the same network* -2. Allow a maximum of 256 sensitivity levels and 240 categories to be mapped - (Tag Type 2 '**enumerated**'). +2. Allow a maximum of 256 sensitivity levels and 240 categories to be mapped + (Tag Type 2 '**enumerated**'). -3. A translation option (Tag Type 5 '**range**') where both the sensitivity - and category components can be mapped for systems that have either different - definitions for labels or information can be exchanged over different - networks (for example using an SELinux enabled gateway as a guard as - shown in **Figure 16**. An example ***netlabelctl**(8)* command setting - a DOI of 8 is: *netlabelctl cipsov4 add pass doi:8 tags:5* +3. A translation option (Tag Type 5 '**range**') where both the sensitivity + and category components can be mapped for systems that have either different + definitions for labels or information can be exchanged over different + networks (for example using an SELinux enabled gateway as a guard as + shown in **Figure 16**. An example ***netlabelctl**(8)* command setting + a DOI of 8 is: *netlabelctl cipsov4 add pass doi:8 tags:5* ![](./images/16-mls2.png) @@ -377,20 +387,18 @@ two systems as part of the channel set-up.* Basically what happens is as follows: -1. The security policy database (SPD) defines the security - communications characteristics to be used between the two systems. - This is populated using the **setkey**(8) or ***ip-xfrm**(8)* commands. -2. The SAs have their configuration parameters such as protocols used - for securing packets, encryption algorithms and how long the keys - are valid held in the Security Association database (SAD). For - Labeled IPSec the security context (or labels) is also defined - within the SAD. SAs can be negotiated between the two systems using - either racoon or - pluto3 - that will automatically populate the SAD or manually by the setkey utility - (see the example below). -3. Once the SAs have been negotiated and agreed, the link should be - active. +1. The security policy database (SPD) defines the security + communications characteristics to be used between the two systems. + This is populated using the **setkey**(8) or ***ip-xfrm**(8)* commands. +2. The SAs have their configuration parameters such as protocols used + for securing packets, encryption algorithms and how long the keys + are valid held in the Security Association database (SAD). For + Labeled IPSec the security context (or labels) is also defined + within the SAD. SAs can be negotiated between the two systems using + either racoon or pluto[^fn_ns_3] that will automatically populate the + SAD or manually by the setkey utility (see the example below). +3. Once the SAs have been negotiated and agreed, the link should be + active. A point to note is that SAs are one way only, therefore when two systems are communicating (using the above example), one system will have an SA, @@ -405,26 +413,25 @@ protocol (e.g. ESP (encapsulated security payload) and AH The object class used for the association of an SA is association and the permissions available are as follows: - - - - - - - - - - - - - - - - - - - -
polmatchMatch the SPD context (-ctx) entry to an SELinux domain (that is contained in the SAD -ctx entry)
recvfromReceive from an IPSec association.
sendtoSend to an IPSec association.
setcontextSet the context of an IPSec association on creation (e.g. when running setkey the process will require this permission to set the context in the SAD and SPD, also racoon / pluto will need this permission to build the SAD).
+*polmatch* + +- Match the SPD context (-ctx) entry to an SELinux domain (that is contained + in the SAD -ctx entry) + +*recvfrom* + +- Receive from an IPSec association. + +*sendto* + +- Send to an IPSec association. + +*setcontext* + +- Set the context of an IPSec association on creation (e.g. when running + ***setkey**(8)* the process will require this permission to set the context + in the SAD and SPD, also *racoon* / *pluto* will need this permission to + build the SAD). When running Labeled IPSec it is recommended that the systems use the same type/version of policy to avoid any problems with them having @@ -432,12 +439,11 @@ different meanings. There are two possible labeled IPSec solutions available on Fedora: -- IPSec Tools - This uses the ***setkey**(8)* tools and ***racoon**(8)* -Internet Key Exchange (IKE) daemon. - -- LibreSwan - This uses ***ipsec**(8)* tools and ***pluto**(8)* Internet -Key Exchange (IKE) daemon. Note that the Fedora build uses the kernel -**netkey** services as Libreswan can be built to support other types. +1. IPSec Tools - This uses the ***setkey**(8)* tools and ***racoon**(8)* + Internet Key Exchange (IKE) daemon. +2. LibreSwan - This uses ***ipsec**(8)* tools and ***pluto**(8)* Internet + Key Exchange (IKE) daemon. Note that the Fedora build uses the kernel + *netkey* services as Libreswan can be built to support other types. Both work in much the same way but use different configuration files. @@ -472,7 +478,7 @@ firewall-cmd --add-service ipsec There are two simple examples in the [***notebook-examples/network/ipsec***](notebook-examples/network/README.md) -section. These use ***setkey**(8)* and commands directly +section. These use ***setkey**(8)* and commands directly and therefore do not require the IKE daemons. The ***ip-xfrm**(8)* example: @@ -500,31 +506,11 @@ article and a good reference covering **Basic Labeled IPsec Configuration** available at: -## Labeled Network FileSystem (NFS) - -Version 4.2 of NFS supports labeling between client/server and requires -the ***exports**(5)* / ***exportfs**(8)* '*security_label*' option to -be set: - -``` -exportfs -o rw,no_root_squash,security_label localhost:$MOUNT -``` - -Labeled NFS requires kernel 3.14 and the following package installed: - -``` -dnf install nfs-utils -``` - -Labeled NFS clients must use a consistent security policy. - -The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. - ## Packet controls: Access Control for Network Interfaces SELinux domains can be restricted to use only specific network interfaces. TE rules must define the interface types and then allow a -domain to `egress` in class `netif` for the defined interface types: +domain to *egress* in class *netif* for the defined interface types: ``` require { @@ -540,13 +526,14 @@ allow my_server_t loopback_if_t:netif egress; ``` The interfaces must also be labeled with ***semanage**(8)* (or by -using `netifcon` statements in the policy): +using *netifcon* statements in the policy): + ``` semanage interface -a -t loopback_if_t -r s0 lo semanage interface -a -t external_if_t -r s0 eth0 ``` -The checks for `ingress` in class `netif` however use the peer label +The checks for *ingress* in class *netif* however use the peer label of the remote peer (not the receiving task on the local system) as subject: @@ -569,9 +556,9 @@ Domains can be restricted by SELinux to access and bind sockets to only dedicated network nodes (in practice, IP addresses). The node types must be defined and then the node types can be used for -TE rules as target context. TE rules to allow a domain to `sendto` for -class `node` and to `node_bind` (for incoming connections) for class -`tcp_socket`: +TE rules as target context. TE rules to allow a domain to *sendto* for +class *node* and to *node_bind* (for incoming connections) for class +*tcp_socket*: ``` require { @@ -591,7 +578,8 @@ allow my_server_t internet_node_t:node sendto; ``` After the types have been defined, corresponding node rules can be -added with `semanage` (or `nodecon` statements): +added with *semanage* (or *nodecon* statements): + ``` semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1 semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000:: @@ -599,7 +587,7 @@ semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00:: semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00:: ``` -The checks for `recvfrom` in class `node` however use the peer label +The checks for *recvfrom* in class *node* however use the peer label as subject: ``` @@ -614,12 +602,12 @@ packet level controls, port controls are close to how networked applications use the socket system calls. Thus the controls typically involve checking if a task can perform an operation on a network socket, e.g. ***bind**(2)* would cause an access check for -`node_bind`. These are usually easy to understand and don't require +*node_bind*. These are usually easy to understand and don't require any special network configuration. TE rules must define the port types and then allow a domain to -`name_connect` (outgoing) or `name_bind` (incoming) in class -`tcp_socket` (or `udp_socket` etc) for the defined port types: +*name_connect* (outgoing) or *name_bind* (incoming) in class +*tcp_socket* (or *udp_socket* etc) for the defined port types: ``` require { @@ -633,19 +621,43 @@ allow my_server_t my_server_port_t:tcp_socket name_connect; allow my_server_t my_server_port_t:tcp_socket name_bind; ``` -The ports must also be labeled with `semanage` (or `portcon` +The ports must also be labeled with *semanage* (or *portcon* statements): ``` semanage port -a -t my_server_port_t -p tcp -r s0 12345 ``` -
-
    -
  1. For example, an ftp session where the server is listening on a specific port (the destination port) but the client will be assigned a random source port. The CONNSECMARK will ensure that all packets for the ftp session are marked with the same label.

  2. -
  3. Note only the security levels are passed over the network as the other components of the security context are not part of standard MLS systems (as it may be that the remote end is a Trusted Solaris system).

  4. -
  5. These are the Internet Key Exchange (IKE) daemons that exchange encryption keys securely and also supports Labeled IPSec parameter exchanges.

  6. -
-
+## Labeled Network FileSystem (NFS) + +Version 4.2 of NFS supports labeling between client/server and requires +the ***exports**(5)* / ***exportfs**(8)* '*security_label*' option to +be set: + +``` +exportfs -o rw,no_root_squash,security_label localhost:$MOUNT +``` + +Labeled NFS requires kernel 3.14 and the following package installed: + +``` +dnf install nfs-utils +``` + +Labeled NFS clients must use a consistent security policy. + +The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. + +[^fn_ns_1]: For example, an ftp session where the server is listening on a +specific port (the destination port) but the client will be assigned a random +source port. The *CONNSECMARK* will ensure that all packets for the ftp session +are marked with the same label. + +[^fn_ns_2]: Note only the security levels are passed over the network as the +other components of the security context are not part of standard MLS systems +(as it may be that the remote end is a Trusted Solaris system) + +[^fn_ns_3]: These are the Internet Key Exchange (IKE) daemons that exchange +encryption keys securely and also supports Labeled IPSec parameter exchanges. From patchwork Wed Sep 2 13:17:31 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11777901 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 92336618 for ; Tue, 15 Sep 2020 22:04:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3B45720809 for ; Tue, 15 Sep 2020 22:04:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="posrajiv" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728122AbgIOWEM (ORCPT ); Tue, 15 Sep 2020 18:04:12 -0400 Received: from mailomta17-sa.btinternet.com ([213.120.69.23]:61355 "EHLO sa-prd-fep-040.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728037AbgIOWDP (ORCPT ); Tue, 15 Sep 2020 18:03:15 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-040.btinternet.com with ESMTP id <20200902131747.LIKU5290.sa-prd-fep-040.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:47 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052667; bh=mRFlu6AUIRasfGcfogtV+u9I3+Thj9E7BIG8PWv387o=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=posrajivUdrIEi7KLAHHLXcWQkUc/CLO40/y59UyjX7QR5dCry0801gBJ90YcziIvWDp4TGU8FJu31EYdK5MY5TGlYVS/QULdk7wjeJY3aHRi7zM4vRddUxbnp6y48e54Ck86Tz7NCOzdrxMwYh9/gEfW6mBQu0e5cEtr3xCYZxoXpDy4aZm+4C9BJTV4GiJRT3ADCrpqELD28hlasa9vR23f4ZGMq+paixJQ/YSs0Ec93bQYxptfCTMB18h5UTDNy1zq03OFGFsD+A+jvog49my8GEi5wmUNuB/v261HN3ZqzroyvqS9NUjY2kzH5rmyKsVZpos2m0wUoWl7eWlPQ== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfgggtgfesthekredtredtjeenucfhrhhomheptfhitghhrghrugcujfgrihhnvghsuceorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqnecuggftrfgrthhtvghrnhepgfekgffghffgleekgfellefftedvhfejveehhfekkefgvdehueetgfffffelkedtnecukfhppedutdelrdduheehrdefvddrudeljeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehlohgtrghlhhhoshhtrdhlohgtrghlughomhgrihhnpdhinhgvthepuddtledrudehhedrfedvrdduleejpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuqfftvefrvfeprhhftgekvddvnehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmpdhrtghpthhtohepoehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhgqe X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36BC0; Wed, 2 Sep 2020 14:17:47 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 06/13] objects: Convert to markdown Date: Wed, 2 Sep 2020 14:17:31 +0100 Message-Id: <20200902131738.18425-7-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/objects.md | 185 +++++++++++++++++++++++++------------------------ 1 file changed, 95 insertions(+), 90 deletions(-) diff --git a/src/objects.md b/src/objects.md index 09c77f3..8762cb9 100644 --- a/src/objects.md +++ b/src/objects.md @@ -1,5 +1,13 @@ # Objects +- [Object Classes and Permissions](#object-classes-and-permissions) +- [Allowing a Process Access to Resources](#allowing-a-process-access-to-resources) +- [Labeling Objects](#labeling-objects) + - [Labeling Extended Attribute Filesystems](#labeling-extended-attribute-filesystems) + - [Copying and Moving Files](#copying-and-moving-files) +- [Labeling Subjects](#labeling-subjects) +- [Object Reuse](#object-reuse) + Within SELinux an object is a resource such as files, sockets, pipes or network interfaces that are accessed via processes (also known as subjects). These objects are classified according to the resource they @@ -11,8 +19,8 @@ in the following sections. ## Object Classes and Permissions Each object consists of a class identifier that defines its purpose -(e.g. file, socket) along with a set of permissions (Also known in SELinux -as Access Vectors (AV)) that describe what services the object can handle +(e.g. file, socket) along with a set of permissions (also known as Access +Vectors (AV)) that describe what services the object can handle (read, write, send etc.). When an object is instantiated it will be allocated a name (e.g. a file could be called config or a socket my_connection) and a security @@ -23,7 +31,7 @@ context (e.g. *system_u:object_r:selinux_config_t*) as shown in **Figure 5: Object Class = 'file' and permissions** - *the policy rules would define those permissions allowed for each process that needs access to -the */etc/selinux/config* file.* +the /etc/selinux/config file.* The objective of the policy is to enable the user of the object (the subject) access to the minimum permissions needed to complete the task @@ -45,9 +53,9 @@ permissions are described in This is a simple example that attempts to explain two points: -1. How a process is given permission to use an objects resource. -2. By using the *process* object class, show that a process can be - described as a process or object. +1. How a process is given permission to use an objects resource. +2. By using the *process* object class, show that a process can be + described as a process or object. An SELinux policy contains many rules and statements, the majority of which are *allow* rules that (simply) allows processes to be given @@ -66,36 +74,35 @@ allow unconfined_t ext_gateway_t : process transition; Where: - - - - - - - - - - - - - - - - - - - - - - - -
allowThe SELinux language allow rule.
unconfined_tThe source domain (or subject) identifier - in this case the shell that wants to exec the gateway application.
ext_gateway_tThe target object identifier - the object instance of the gateway application process.
processThe target object class - the *process* object class.
transitionThe permission granted to the source domain on the targets object - in this case the *unconfined_t* domain has transition permission on the *ext_gateway_t* *process* object.
+*allow* + +- The SELinux language *allow* rule. + +*unconfined_t* + +- The source domain (or subject) identifier - in this case the shell that + wants to *exec* the gateway application. + +*ext_gateway_t* + +- The target object identifier - the object instance of the gateway + application process. + +*process* + +- The target object class - the *process* object class. + +*transition* + +- The permission granted to the source domain on the targets object - in this + case the *unconfined_t* domain has transition permission on the + *ext_gateway_t process* object. ![](./images/6-allow-rule.png) **Figure 6: The *allow* rule** - *Showing that the subject (the processes -running in the *unconfined_t* domain) has been given the transition -permission on the *ext_gateway_t* *process* object.* +running in the unconfined_t domain) has been given the transition +permission on the ext_gateway_t process object.* It should be noted that there is more to a domain transition than described above, for a more detailed explanation, see the @@ -108,28 +115,28 @@ objects is managed by the system and generally unseen by the users (until labeling goes wrong !!). As processes and objects are created and destroyed, they either: -1. Inherit their labels from the parent process or object. The policy - default user, type, role and range statements can be used to - change the behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules) - section. -2. The policy type, role and range transition statements allow a - different label to be assigned as discussed in the - [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions) - section. -3. SELinux-aware applications can assign a new label (with the - policy's approval of course) using the **libselinux** API - functions. The `process setfscreate` permission can be used to - allow subjects to create files with a new label programmatically - using the ***setfscreatecon**(3)* function, overriding default - rules and transition statements. -4. An object manager (OM) can enforce a default label that can either - be built into the OM or obtained via a configuration file (such as - those used by - [**SELinux X-Windows Support**](x_windows.md#x-windows-selinux-support). -5. Use an '[**initial security identifier**](sid_statement.md#security-id-sid-statement)' - (or initial SID). These are defined in all policies and are used to either - set an initial context during the boot process, or if an object requires - a default (i.e. the object does not already have a valid context). +1. Inherit their labels from the parent process or object. The policy + default user, type, role and range statements can be used to + change the behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules) + section. +2. The policy type, role and range transition statements allow a + different label to be assigned as discussed in the + [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions) + section. +3. SELinux-aware applications can assign a new label (with the + policy's approval of course) using the **libselinux** API + functions. The *process { setfscreate }* permission can be used to + allow subjects to create files with a new label programmatically + using the ***setfscreatecon**(3)* function, overriding default + rules and transition statements. +4. An object manager (OM) can enforce a default label that can either + be built into the OM or obtained via a configuration file (such as + those used by + [**SELinux X-Windows Support**](x_windows.md#x-windows-selinux-support). +5. Use an '[**initial security identifier**](sid_statement.md#security-id-sid-statement)' + (or initial SID). These are defined in all policies and are used to either + set an initial context during the boot process, or if an object requires + a default (i.e. the object does not already have a valid context). The [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) section gives detail on how some of the kernel based objects are computed. @@ -149,26 +156,24 @@ section. ### Labeling Extended Attribute Filesystems The labeling of file systems that implement extended -attributes1 -is supported by SELinux using: - -1. The *fs_use_xattr* statement within the policy to identify what - filesystems use extended attributes. This statement is used to - inform the security server how to label the filesystem. -2. A 'file contexts' file that defines what the initial contexts should - be for each file and directory within the filesystem. The format of - this file and how it is built from source policy is described in the - [**Policy Store Configuration Files - Building the File Labeling Support Files**](policy_store_config_files.md#building-the-file-labeling-support-files)2 - section. - -3. A method to initialise the filesystem with these extended - attributes. This is achieved by SELinux utilities such as - ***fixfiles**(8)* and ***setfiles**(8)*. There are also commands such as - ***chcon**(1)*, ***restorecon**(8)* and ***restorecond**(8)* that can be - used to relabel files. +attributes[^fn_objs_1] is supported by SELinux using: + +1. The *fs_use_xattr* statement within the policy to identify what + filesystems use extended attributes. This statement is used to + inform the security server how to label the filesystem. +2. A 'file contexts' file that defines what the initial contexts should + be for each file and directory within the filesystem. The format of + this file and how it is built from source policy is described in the + [**Policy Store Configuration Files - Building the File Labeling Support Files**](policy_store_config_files.md#building-the-file-labeling-support-files)[^fn_objs_2] + section. +3. A method to initialise the filesystem with these extended + attributes. This is achieved by SELinux utilities such as + ***fixfiles**(8)* and ***setfiles**(8)*. There are also commands such as + ***chcon**(1)*, ***restorecon**(8)* and ***restorecond**(8)* that can be + used to relabel files. Extended attributes containing the SELinux context of a file can be -viewed by the ls -Z or ***getfattr**(1)* commands as follows: +viewed by the *ls -Z* or ***getfattr**(1)* commands as follows: ``` ls -Z myfile @@ -191,8 +196,8 @@ Assuming that the correct permissions have been granted by the policy, the effects on the security context of a file when copied or moved differ as follows: -- copy a file - takes on label of new directory. -- move a file - retains the label of the file. +- copy a file - takes on label of new directory. +- move a file - retains the label of the file. However, if the ***restorecond**(8)* daemon is running and the [**restorecond.conf**](global_config_files.md#etcselinuxrestorecond.conf) @@ -262,26 +267,26 @@ discussed in the The policy language supports a number of statements to assign components to security contexts such as: -*user*, *role* and *type* statements. +- *user*, *role* and *type* statements. -and manage their scope: +and to manage their scope: -*role_allow* and *constrain* +- *role_allow* and *constrain* -and manage their transition: +and to manage their transition: -*type_transition*, *role_transition* and *range_transition* +- *type_transition*, *role_transition* and *range_transition* SELinux-aware applications can assign a new label (with the policy's approval of course) using the **libselinux** API functions. The -`process setexec`, `process setkeycreate` and `process setsockcreate` +*process { setexec setkeycreate setsockcreate }* permissions can be used to allow subjects to label processes, kernel keyrings, and sockets programmatically using the ***setexec**(3)*, ***setkeycreatecon**(3)* and ***setsockcreatecon**(3)* functions respectively, overriding transition statements. -The `kernel` **initial security identifier** is used to associate +The *kernel* **initial security identifier** is used to associate a specified label with kernel objects, including kernel threads (both those that are created during initialization but also kernel threads created later), kernel-private sockets and synthetic objects @@ -293,7 +298,7 @@ either a policy-defined transition or an explicit setcon or setexeccon+execve, but that's just the typical default inheritance from creating task behavior for processes. -The context associated with the `unlabeled` +The context associated with the *unlabeled* **initial security identifier** is used as the fallback context for both subjects and objects when their label is invalidated by a policy reload (their SID is unchanged but the SID is transparently remapped @@ -302,7 +307,7 @@ for various objects e.g. inodes, superblocks, etc until they reach a point where a more specific label can be determined e.g. from an xattr or from policy. -### Object Reuse +## Object Reuse As GNU / Linux runs it creates instances of objects and manages the information they contain (read, write, modify etc.) under the control of @@ -319,13 +324,13 @@ process itself should clear or shred the information before releasing the object (which can be difficult in some cases unless the source code is available). -
-
    -
  1. These file systems store the security context in an attribute -associated with the file.

  2. -
  3. Note that this file contains the contexts of all files in all extended attribute filesystems for the policy. However within a modular policy (and/or CIL modules) each module describes its own file context information, that is then used to build this file.

  4. -
-
+[^fn_objs_1]: These file systems store the security context in an attribute +associated with the file. + +[^fn_objs_2]: Note that this file contains the contexts of all files in all +extended attribute filesystems for the policy. However within a modular policy +(and/or CIL modules) each module describes its own file context information, +that is then used to build this file. From patchwork Wed Sep 2 13:17:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11955567 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1855BC1B0D9 for ; Mon, 7 Dec 2020 11:44:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E625623340 for ; Mon, 7 Dec 2020 11:44:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726961AbgLGLnw (ORCPT ); Mon, 7 Dec 2020 06:43:52 -0500 Received: from mailomta6-sa.btinternet.com ([213.120.69.12]:33966 "EHLO sa-prd-fep-040.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726254AbgLGLnw (ORCPT ); Mon, 7 Dec 2020 06:43:52 -0500 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-041.btinternet.com with ESMTP id <20200902131747.DGWH19995.sa-prd-fep-041.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:47 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052667; bh=za9FuHt0NlwXmDC39YdY/XeXg1bmc5I+Rp2nRv8pYq0=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=NYWVQ0IDGmox3G/m9MIhqYtRALIZOqn+u0RGfMCpZo3BQblDWtwgGQRoLOjwcTpsNrqMx5fN19sMg5IE6ubDihiU9C3jxx/m/H8YzDUM+O8j+K+eQLpbVxJv/V3/mK1J0Ns1aOSXZDtvsLitQh25+CGFL0T8iAZfybGTKUmaamndNWXFVyf5mwwLDh8EbA5V1JmyipR7IMX/CwtkDlfeLiNqemp6ogf5FpnILl/Atw/rRELNds8mrzGjij3Y0Ol+sAPY+2Yib2kf1gNcKa3JayAkfF5di7e5NLH1Iow6zsM1qm1NzXAg9rs9fzlDZXF6A6s8pXmrVWhY5C/bk2meWA== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36BCB; Wed, 2 Sep 2020 14:17:47 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 07/13] pam_login: Convert to markdown Date: Wed, 2 Sep 2020 14:17:32 +0100 Message-Id: <20200902131738.18425-8-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Convert to markdown. Signed-off-by: Richard Haines --- src/pam_login.md | 107 +++++++++++++++++++++++++---------------------- 1 file changed, 56 insertions(+), 51 deletions(-) diff --git a/src/pam_login.md b/src/pam_login.md index 08e1599..2b30bff 100644 --- a/src/pam_login.md +++ b/src/pam_login.md @@ -4,21 +4,18 @@ Applications used to provide login services (such as ***ssh**(1)*) in Fedora use the PAM (Pluggable Authentication Modules) infrastructure to provide the following services: -- **Account Management** - This manages services such as password expiry, -service entitlement (i.e. what services the login process is allowed to -access). - -- **Authentication Management** - Authenticate the user or subject and set -up the credentials. PAM can handle a variety of devices including -smart-cards and biometric devices. - -- **Password Management** - Manages password updates as needed by the -specific authentication mechanism being used and the password policy. - -- **Session Management** - Manages any services that must be invoked -before the login process completes and / or when the login process -terminates. For SELinux this is where hooks are used to manage the -domains the subject may enter. +- **Account Management** - This manages services such as password expiry, + service entitlement (i.e. what services the login process is allowed to + access). +- **Authentication Management** - Authenticate the user or subject and set + up the credentials. PAM can handle a variety of devices including + smart-cards and biometric devices. +- **Password Management** - Manages password updates as needed by the + specific authentication mechanism being used and the password policy. +- **Session Management** - Manages any services that must be invoked + before the login process completes and / or when the login process + terminates. For SELinux this is where hooks are used to manage the + domains the subject may enter. The ***pam**(8)* and ***pam.conf**(5)* *man* pages describe the services and configuration in detail and only a summary is provided here covering the @@ -43,32 +40,40 @@ service type control module-path arguments **Where:** - - - - - - - - - - - - - - - - - - - - - - - -
serviceThe service name such as gdm and login reflecting the login application. If there is a /etc/pam.d directory, then this is the name of a configuration file name under this directory. Alternatively, a configuration file called /etc/pam.conf can be used. Fedora uses the /etc/pam.d configuration.
typeThese are the management groups used by PAM with valid entries being: account, auth, password and session that correspond to the descriptions given above. Where there are multiple entries of the same 'type', the order they appear could be significant.
control

This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as required, optional, and include; or multiple space separated entries enclosed in square brackets consisting of :

-

[value1=action1 value2=action2 ..]

-

Both formats are shown in the example file below, however see the pam.conf(5) man pages for the gory details.

module-pathEither the full path name of the module or its location relative to /lib/security (but does depend on the system architecture).
argumentsA space separated list of the arguments that are defined for the module.
+*service* + +- The service name such as *gdm* and *login* reflecting the login application. + If there is a */etc/pam.d* directory, then this is the name of a + configuration file name under this directory. Alternatively, a + configuration file called */etc/pam.conf* can be used. Fedora uses the + */etc/pam.d* configuration. + +*type* + +- These are the management groups used by PAM with valid entries being: + *account*, *auth*, *password* and *session* that correspond to the + descriptions given above. Where there are multiple entries of the same + '*type*', the order they appear could be significant. + +*control* + +- This entry states how the module should behave when the requested task + fails. There can be two formats: a single keyword such as *required*, + *optional*, and *include*; or multiple space separated entries enclosed in + square brackets consisting of (see the ***pam.conf**(5)* man pages): + +``` +[value1=action1 value2=action2 ..] +``` + +*module-path* + +- Either the full path name of the module or its location relative to + */lib/security* (but does depend on the system architecture). + +*arguments* + +- A space separated list of the arguments that are defined for the module. The */etc/pam.d/sshd* PAM configuration file for the OpenSSH service is as follows: @@ -99,17 +104,17 @@ the *libselinux* API to obtain its configuration information and the three SELinux PAM entries highlighted in the above configuration file perform the following functions: -- ***pam_sepermit.so*** - Allows pre-defined users the ability to - logon provided that SELinux is in enforcing mode (see the - [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf) - section). -- ***pam_selinux.so open*** - Allows a security context to be set up for - the user at initial logon (as all programs exec'ed from here will use - this context). How the context is retrieved is described in the - [***Policy Configuration Files** - seusers*](policy_config_files.md#seusers) - section. +- ***pam_sepermit.so*** - Allows pre-defined users the ability to + logon provided that SELinux is in enforcing mode (see the + [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf) + section). +- ***pam_selinux.so open*** - Allows a security context to be set up for + the user at initial logon (as all programs exec'ed from here will use + this context). How the context is retrieved is described in the + [***Policy Configuration Files** - seusers*](policy_config_files.md#seusers) + section. - ***pam_selinux.so close*** - This will reset the login programs context - to the context defined in the policy. + to the context defined in the policy. From patchwork Wed Sep 2 13:17:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11778661 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A2860746 for ; Wed, 16 Sep 2020 01:23:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 552A821D24 for ; Wed, 16 Sep 2020 01:23:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="J0kOAdn4" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726312AbgIPBXz (ORCPT ); Tue, 15 Sep 2020 21:23:55 -0400 Received: from mailomta29-sa.btinternet.com ([213.120.69.35]:38077 "EHLO sa-prd-fep-043.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726023AbgIPBXy (ORCPT ); Tue, 15 Sep 2020 21:23:54 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-046.btinternet.com with ESMTP id <20200902131747.DQEY4114.sa-prd-fep-046.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:47 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052667; bh=4H56Ju7m00EEie3KnnXKakippHv7ralv9RWMynRA9Gk=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=J0kOAdn4fYkcoNkqUmEgapX4BdFwT80nLlTjqMIWMSHp7xaPeH2iJ8NbH7VH2fZzaK28Ih25NIapLvRmcf22s1US/ncAQBBQxFkr05VwXM6ZRbRh20ctVwitUyim5whWKefENnkK+ZGow5E+0hcNay3VGyuJxvF4tAQZgykqxQ6Ooi5q0zKf2Mi5tIV58bJamISJLCcKi98JKpOkz3taHmZ+gz3F+sM1Y3Y59rq7gNnBk3e7O+P74pwsZsRJJYRQjsL/GO1yAOOwMaecpz7m+mCnOrWGuWs1TI+QMmA5ph+QnwNlb+KOq8lyf/+uR+yZFtZnpw2HcG96yCa1fujG+w== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36BD1; Wed, 2 Sep 2020 14:17:47 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 08/13] policy_config_statements: Convert to markdown Date: Wed, 2 Sep 2020 14:17:33 +0100 Message-Id: <20200902131738.18425-9-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Convert to markdown Signed-off-by: Richard Haines --- src/policy_config_statements.md | 54 +++++++++++---------------------- 1 file changed, 18 insertions(+), 36 deletions(-) diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md index 156b434..d4eee48 100644 --- a/src/policy_config_statements.md +++ b/src/policy_config_statements.md @@ -16,45 +16,27 @@ policycap capability; **Where:** - - - - - - - - - - - -
policycapThe policycap keyword.
capabilityA single capability identifier that will be enabled for this policy.
+*policycap* + +The *policycap* keyword. + +*capability* + +A single *capability* identifier that will be enabled for this policy. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** From patchwork Wed Sep 2 13:17:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11779515 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A1A05112E for ; Wed, 16 Sep 2020 10:04:08 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5AC502220F for ; Wed, 16 Sep 2020 10:04:08 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="qGbH8NIe" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726726AbgIPKEH (ORCPT ); Wed, 16 Sep 2020 06:04:07 -0400 Received: from mailomta4-sa.btinternet.com ([213.120.69.10]:54906 "EHLO sa-prd-fep-048.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726438AbgIPKEF (ORCPT ); Wed, 16 Sep 2020 06:04:05 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-048.btinternet.com with ESMTP id <20200902131747.PPP4139.sa-prd-fep-048.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:47 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052667; bh=NjhidpVpd/6m121M1ZJ1sjh63xQjRovGqfndLjJo40o=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=qGbH8NIeXKPQZmuy9CsDx8e5HcBBA/LbBQmADwuJQ3GVGLO3eANe64gCEI9RGtP1p0fxH/sQFxEx03AVjukfM7FT+nKDuyXnxPyYEJQ7tNg3fm5NWw4BqUkv1YsQQqKdG5bv5FCQQKA8h63ZDFNHP7ikXpmpRMb9r/owZYcVhatRPVCeVePB7anxtTZSHm6bSJkUcObvvIyBC3q0r9R1ehuKnof/mzt3GUtJpxEWAUDiH9fqpBAdsgCtOgk7Du75y/v+vB9+jWR6KlCNdJxtiaKx5jD5TVghr9DA7JMm9YvvRjeWkWE4LU8FJ+35lYp+UfH/E47yo/dVkTtiP+7iZg== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpedtfffgtdejffetgfehfeefgeduvdeiheelkeehhedvtdejkeeitdettdffjeekffenucffohhmrghinhepfihorhhluggtrghtrdhorhhgpdhgihhthhhusgdrtghomhenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeo shgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36BD4; Wed, 2 Sep 2020 14:17:47 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 09/13] policy_languages: Tidy up Date: Wed, 2 Sep 2020 14:17:34 +0100 Message-Id: <20200902131738.18425-10-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/policy_languages.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/src/policy_languages.md b/src/policy_languages.md index 90c17fe..add93e6 100644 --- a/src/policy_languages.md +++ b/src/policy_languages.md @@ -1,18 +1,20 @@ # The SELinux Policy Languages There are two methods of writing 'raw' policy statements and rules: -1. The [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language) -section is intended as a reference of the kernel policy language statements -and rules with supporting examples taken from the Reference Policy sources. -Also all of the language updates to Policy DB version 32 should have been -captured. For a more detailed explanation of the policy language the -[**SELinux by Example**] (https://www.worldcat.org/title/selinux-by-example-using-security-enhanced-linux/oclc/85872880) book is recommended. -2. The Common Intermediate Language (CIL) project defines a new policy -definition language that has an overview of its motivation and design -at: , however some of the -language statement definitions are out of date. The -[**CIL Policy Language**](cil_overview.md#cil-overview) section gives -an overview. + +1. The [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language) + section is intended as a reference of the kernel policy language statements + and rules with supporting examples taken from the Reference Policy sources. + Also all of the language updates to Policy DB version 32 should have been + captured. For a more detailed explanation of the policy language the + [**SELinux by Example**](https://www.worldcat.org/title/selinux-by-example-using-security-enhanced-linux/oclc/85872880) + book is recommended. +2. The Common Intermediate Language (CIL) project defines a new policy + definition language that has an overview of its motivation and design + at: , however some of the + language statement definitions are out of date. The + [**CIL Policy Language**](cil_overview.md#cil-overview) section gives + an overview. However more likely, policy is written using the [**The Reference Policy**](reference_policy.md#the-reference-policy) From patchwork Wed Sep 2 13:17:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11833103 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 62D1292C for ; Mon, 12 Oct 2020 15:25:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0ADBF2087E for ; Mon, 12 Oct 2020 15:25:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="r1uHYJNo" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389540AbgJLPZi (ORCPT ); Mon, 12 Oct 2020 11:25:38 -0400 Received: from mailomta9-sa.btinternet.com ([213.120.69.15]:29703 "EHLO sa-prd-fep-040.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2389951AbgJLPZi (ORCPT ); Mon, 12 Oct 2020 11:25:38 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-041.btinternet.com with ESMTP id <20200902131748.DGWK19995.sa-prd-fep-041.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:48 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052668; bh=DSD1nziWklDOmkkpGfGmb2HE2POtxVAGNLqdI4mpnFQ=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=r1uHYJNo84LbNdaxwWNhT3Qi21Osgny/vtqg3a/0RHcjMotfOZYmQzTB2/1Bh1bIwLaXuemjQBR5DeA1vBTe6+sqb4cyNq8u5vS3EGzAcxzUxJ9J+yWMYdlkqWv7o0J+InBEOuumqyTNsLrzRVxggsU9AsH9EvupFkVsGpZp0FkDXznXyDPTiIZodDQEpIkILYUgV/5O88Vpy3zpIKrai5rHuv1W04p5Cy7aa++2wjUDbX+OmqQ0kddCXwd4D2OQrupDFCV9N99s6gnt7u04QPHT9UnpSG4a89JrzCL/uZdu9n9rCYW/CZYWWp/GwrJqgJ3L2T63HfHNc3pHKP/OPg== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpefhjeehjeeijedvieeggffhkedtgfevveeuudegkeffveegfeefgfdvffejfeevveenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhkvghrnhgvlhdrrggtthhivhgvpdhpohhlihgthidrrggtthhivhgvnecukfhppedutdelrdduheehrdefvddrudeljeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehlohgtrghlhhhoshhtrdhlohgtrghlughomhgrihhnpdhinhgvthepuddtledrudehhedrfedvrdduleejpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuqfftvefrvfeprhhftgekvddvnehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhn vghtrdgtohhmpdhrtghpthhtohepoehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhgqe X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36BEC; Wed, 2 Sep 2020 14:17:48 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 10/13] policy_store_config_files: Add TOC and tidy up formatting Date: Wed, 2 Sep 2020 14:17:35 +0100 Message-Id: <20200902131738.18425-11-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add TOC and tidy up formatting. Signed-off-by: Richard Haines --- src/policy_store_config_files.md | 432 +++++++++++++++++-------------- 1 file changed, 234 insertions(+), 198 deletions(-) diff --git a/src/policy_store_config_files.md b/src/policy_store_config_files.md index 3e7f8ab..93d3727 100644 --- a/src/policy_store_config_files.md +++ b/src/policy_store_config_files.md @@ -1,23 +1,47 @@ # Policy Store Configuration Files -**NOTE: Files in this area are private and subject to change, they should only -be modified using the** ***semodule**(8)* and ***semanage**(8)* commands. +- [*active/modules* Directory Contents](#activemodules-directory-contents) + - [*tmp* Policy Store (build failure)](#tmp-policy-store-build-failure) +- [*active/commit_num*](#activecommit_num) + - [*active/policy.kern*](#activepolicy.kern) +- [*active/policy.linked*](#activepolicy.linked) +- [*active/seusers.linked*](#activeseusers.linked) +- [*active/seusers_extra.linked*](#activeseusers_extra.linked) +- [*active/booleans.local*](#activebooleans.local) +- [*disable_dontaudit*](#disable_dontaudit) +- [*active/file_contexts*](#activefile_contexts) + - [Building the File Labeling Support Files](#building-the-file-labeling-support-files) +- [*active/file_contexts.local*](#activefile_contexts.local) +- [*active/homedir_template*](#activehomedir_template) + - [*active/file_contexts.homedirs*](#activefile_contexts.homedirs) +- [*active/seusers*](#activeseusers) +- [*active/seusers.local*](#activeseusers.local) +- [*active/users_extra*](#activeusers_extra) +- [*active/users_extra.local*](#activeusers_extra.local) +- [*active/users.local*](#activeusers.local) +- [*active/interfaces.local*](#activeinterfaces.local) +- [*active/nodes.local*](#activenodes.local) +- [*active/ports.local*](#activeports.local) +- [Set domain permissive mode](#set-domain-permissive-mode) + +**NOTE:** Files in this area are private and subject to change, they should only +be modified using the ***semodule**(8)* and ***semanage**(8)* commands. Depending on the SELinux userspace library release being used the default policy stores will be located at: -- */etc/selinux/<SELINUXTYPE>/modules* - This is the default for - systems that support versions < 2.4 of the SELinux userspace library. - The migration process to >= 2.4 is described at - . -- */var/lib/selinux* - This is the default base for systems that - support versions >= 2.4 of the SELinux userspace library. This base - may be overridden by the ***store-root*** parameter defined in the - [***semanage.conf**(5)*](global_config_files.md#etcselinuxsemanage.conf) - file. Multiple policy stores are supported by appending the - *<SELINUXTYPE>*, for example: -- */var/lib/selinux/mls* -- */var/lib/selinux/targeted* +- */etc/selinux/\/modules* - This is the default for + systems that support versions \< 2.4 of the SELinux userspace library. + The migration process to \>= 2.4 is described at + . +- */var/lib/selinux* - This is the default base for systems that + support versions \>= 2.4 of the SELinux userspace library. This base + may be overridden by the ***store-root*** parameter defined in the + [***semanage.conf**(5)*](global_config_files.md#etcselinuxsemanage.conf) + file. Multiple policy stores are supported by appending the + *\*, for example: + - */var/lib/selinux/mls* + - */var/lib/selinux/targeted* The Policy Store files are either installed, updated or built by the ***semodule**(8)* and ***semanage**(8)* commands as a part of the build @@ -25,34 +49,35 @@ process with the resulting files being copied over to the [**The Policy Store**](configuration_files.md#the-policy-store) area. The policy configuration files are described relative to the default -***store-root*** at */var/lib/selinux* with *<SELINUXTYPE>* being +***store-root*** at */var/lib/selinux* with *\* being *targeted*. The ***semanage**(8)* command must be used to configure policy (the actual policy and supporting configuration files) within a specific **Policy Store**. The command types are: -- [***semanage boolean***](#activebooleans.local) Manage booleans to - selectively enable functionality -- [***semanage dontaudit***](#disable_dontaudit) Disable/Enable *dontaudit* - rules in policy -- ***semanage export*** Output local customizations -- [***semanage fcontext***](#activefile_contexts.local) Manage file context - mapping definitions -- ***semanage ibendport*** Manage infiniband end port type definitions -- ***semanage ibpkey*** Manage infiniband pkey type definitions -- ***semanage import*** Import local customizations -- [***semanage interface***](#activeinterfaces.local) Manage network interface - type definitions -- [***semanage login***](#activeseusers.local) Manage login mappings between - linux users and SELinux confined users -- [***semanage module***](#activemodules-directory-contents) Manage SELinux - policy modules -- [***semanage node***](#activenodes.local) Manage network node type definitions -- [***semanage permissive***](#set-domain-permissive-mode) Manage process - type enforcement mode. -- [***semanage port***](#activeports.local) Manage network port type definitions -- [***semanage user***](#activeusers.local) Manage SELinux confined users -(Roles and levels for an SELinux user) + +- [***semanage boolean***](#activebooleans.local) Manage booleans to + selectively enable functionality +- [***semanage dontaudit***](#disable_dontaudit) Disable/Enable *dontaudit* + rules in policy +- ***semanage export*** Output local customizations +- [***semanage fcontext***](#activefile_contexts.local) Manage file context + mapping definitions +- ***semanage ibendport*** Manage infiniband end port type definitions +- ***semanage ibpkey*** Manage infiniband pkey type definitions +- ***semanage import*** Import local customizations +- [***semanage interface***](#activeinterfaces.local) Manage network interface + type definitions +- [***semanage login***](#activeseusers.local) Manage login mappings between + linux users and SELinux confined users +- [***semanage module***](#activemodules-directory-contents) Manage SELinux + policy modules +- [***semanage node***](#activenodes.local) Manage network node type definitions +- [***semanage permissive***](#set-domain-permissive-mode) Manage process + type enforcement mode. +- [***semanage port***](#activeports.local) Manage network port type definitions +- [***semanage user***](#activeusers.local) Manage SELinux confined users + (Roles and levels for an SELinux user) ## active/modules Directory Contents @@ -84,8 +109,8 @@ test_policy 400 pp ### *tmp* Policy Store (build failure) -When adding/updating a policy module and it fails to build for some reason, -the *tmp* directory (*/var/lib/selinux<SELINUXTYPE>/tmp*) will contain +When adding/updating a policy module and it fails to build for some reason, +the *tmp* directory (*/var/lib/selinux\/tmp*) will contain a copy of the failed policy for inspection. An example ***semodule*** failure message indicating the failing line number is: @@ -103,7 +128,7 @@ store. The format is not relevant to policy construction. This is the binary policy file built by either the ***semanage**(8)* or ***semodule**(8)* commands (depending on the configuration action), that is then becomes the -*/etc/selinux/<SELINUXTYPE>/policy/policy.<ver>* binary policy +*/etc/selinux/\/policy/policy.\* binary policy that will be loaded into the kernel. ## *active/policy.linked* @@ -145,7 +170,7 @@ such as ***audit2allow**(8)* to list all denials to assist debugging policy. ## *active/file_contexts* This file becomes the policy -[*/etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts*](policy_config_files.md#contextsfilesfile_contexts) +[*/etc/selinux/\/contexts/files/file_contexts*](policy_config_files.md#contextsfilesfile_contexts) file. It is built as described in the [**Building the File Labeling Support Files**](#building-the-file-labeling-support-files) section. @@ -210,18 +235,18 @@ section. The process used to build the *file_contexts* and the *file_contexts.template* files is shown in **Figure 25: File Context Configuration Files**. -1. They are built by ***semanage**(8)* using entries from the 'Policy File - Labeling' statements extracted from the - [*active/modules*](#activemodules-directory-contents) entries - (the *<module_name>.fc* files, this will include any CIL *(filecon ....)* - statements that are within CIL policy files). -2. As a part of the ***semanage**(8)* build process, these two files - will also have *file_contexts.bin* and *file_contexts.homedirs.bin* - files present in the - [Policy Configuration Files](policy_config_files.md#contextsfilesfile_contexts) - *./contexts/files* directory. This is because ***semanage**(8)* requires - these in the Perl compatible regular expression (PCRE) internal format. - They are generated by the ***sefcontext_compile**(8)* utility. +1. They are built by ***semanage**(8)* using entries from the 'Policy File + Labeling' statements extracted from the + [*active/modules*](#activemodules-directory-contents) entries + (the *\.fc* files, this will include any CIL *(filecon ....)* + statements that are within CIL policy files). +2. As a part of the ***semanage**(8)* build process, these two files + will also have *file_contexts.bin* and *file_contexts.homedirs.bin* + files present in the + [Policy Configuration Files](policy_config_files.md#contextsfilesfile_contexts) + *./contexts/files* directory. This is because ***semanage**(8)* requires + these in the Perl compatible regular expression (PCRE) internal format. + They are generated by the ***sefcontext_compile**(8)* utility. ![](./images/25-file_contexts.png) @@ -237,66 +262,82 @@ pathname_regexp [file_type] security_context | <> **Where:** - - - - - - - - - - - - - - - -
pathname_regexp

An entry that defines the pathname that may be in the form of a regular expression.

-

The metacharacters '^' (match beginning of line) and '$' (match end of line) are automatically added to the expression by the routines that process this file, however they can be over-ridden by using '.*' at either the beginning or end of the expression (see the example file_contexts files below).

-

The source policy *.fc and file_contexts.template files may also contain the keywords HOME_ROOT, HOME_DIR, ROLE and USER that will be replaced as explained in the next table.

file_type

One of the following optional file_type entries (note if blank means "all file types"):

-

'-b' - Block Device '-c' - Character Device

-

'-d' - Directory '-p' - Named Pipe (FIFO)

-

'-l' - Symbolic Link '-s' - Socket File

-

'--' - Ordinary file

-

By convention this entry is known as 'file type', however it really represents the 'file object class'.

security_contextThis entry can be either: -

a. The security context, including the MLS / MCS level or range if applicable that will be assigned to the file.

-

b. A value of <<none>> can be used to indicate that matching files should not be re-labeled.

- -Keywords that can be in policy source \*.fc files and then form the *file_contexts.template* file entries are: - - - - - - - - - - - - - - - - - - - - -
HOME_ROOTThis keyword is replaced by the Linux users root home directory, normally /home is the default.
HOME_DIRThis keyword is replaced by the Linux users home directory, normally /home/ is the default.
USERThis keyword will be replaced by the users Linux user id.
ROLE

This keyword is replaced by the prefix entry from the users_extra configuration file that corresponds to the SELinux users user id. Example users_extra configuration file entries are:

-

user user_u prefix user;

-

user staff_u prefix staff;

-

It is used for files and directories within the users home directory area.

-

The prefix can be added by the semanage login command as follows (although note that the -P option is suppressed when help is displayed as it is generally it is not used (defaults to user:

-

# Add a Linux user:

-

adduser rch

-

# Modify staff_u SELinux user and prefix:

-

semanage user -m -R staff_r -P staff staff_u

-

# Associate the SELinux user to the Linux user:

-

semanage login -a -s staff_u rch

- -**Example policy source file from Reference Policy** *policy/modules/system/userdomain.fc*: +*pathname_regexp* + +- An entry that defines the pathname that may be in the form of a regular + expression. The metacharacters '^' (match beginning of line) and '\$' + (match end of line) are automatically added to the expression by the + routines that process this file, however they can be over-ridden by + using '\.\*' at either the beginning or end of the expression (see the + example *file_contexts* files below). +- The source policy *\*.fc* and *file_contexts.template* files may also + contain the keywords *HOME_ROOT*, *HOME_DIR*, *ROLE* and *USER* that will + be replaced as explained in the next table. + +*file_type* + +- One of the following optional file_type entries (note if blank means + "all file types"): + - *-b* - Block Device + - *-c* - Character Device + - *-d* - Directory + - *-p* - Named Pipe (FIFO) + - *-l* - Symbolic Link + - *-s* - Socket File + - *\-\-* - Ordinary file +- By convention this entry is known as *file type*, however it really + represents the 'file object class'. + +*security_context* + +- This entry can be either: + - The security context, including the MLS / MCS level or range if applicable + that will be assigned to the file. + - A value of \<\\> can be used to indicate that matching files should + not be re-labeled. + +Keywords that can be in policy source \*.fc files and then form the +*file_contexts.template* file entries are: + +*HOME_ROOT* + +- This keyword is replaced by the Linux users root home directory, + normally */home* is the default. + +*HOME_DIR* + +- This keyword is replaced by the Linux users home directory, + normally */home/* is the default. + +*USER* + +- This keyword will be replaced by the users Linux user id. + +*ROLE* + +- This keyword is replaced by the *prefix* entry from the *users_extra* + configuration file that corresponds to the SELinux users user id. Example + *users_extra* configuration file entries are: + - *user user_u prefix user;* + - *user staff_u prefix staff;* +- It is used for files and directories within the users home directory area. + The prefix can be added by the semanage *login* command as follows + (although note that the *-P* option is suppressed when help is displayed + as it is generally it is not used (defaults to *user*)): + +``` +# Add a Linux user: + +adduser rch +# Modify staff_u SELinux user and prefix: +semanage user -m -R staff_r -P staff staff_u + +# Associate the SELinux user to the Linux user: +semanage login -a -s staff_u rch +``` + +**Example policy source file from Reference Policy** +*policy/modules/system/userdomain.fc*: ``` HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -309,7 +350,8 @@ HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) /root/\.debug(/.*)? <> ``` -**Example policy source file from Reference Policy** *policy/modules/kernel/files.fc*: +**Example policy source file from Reference Policy** +*policy/modules/kernel/files.fc*: ``` # @@ -387,8 +429,8 @@ HOME_DIR/.+ system_u:object_r:user_home_t:s0 ### *active/file_contexts.homedirs* This file becomes the policy -[*/etc/selinux//contexts/files/file_contexts.homedirs*](policy_config_files.md#contextsfilesfile_contexts.homedirs) file. It is built -as described in the +[*/etc/selinux/\/contexts/files/file_contexts.homedirs*](policy_config_files.md#contextsfilesfile_contexts.homedirs) +file. It is built as described in the [**Building the File Labeling Support Files**](#building-the-file-labeling-support-files) section. It is then used by the file labeling utilities to ensure that users home directory areas are labeled according to the policy. @@ -419,32 +461,32 @@ libsepol library function. /home/[^/]+/.+ unconfined_u:object_r:user_home_t:s0 ``` -## active/seusers -## active/seusers.local +## *active/seusers* +## *active/seusers.local* -The *active/seusers* file becomes the policy */etc/selinux//seusers* +The *active/seusers* file becomes the policy */etc/selinux/\/seusers* file, the *active/seusers.local* file holds entries added when adding users via ***semanage**(8)*. The *seusers* file is built or modified when: -1. Building a policy where an optional *seusers* file has been included - in the base package via the ***semodule_package**(8)* command - (signified by the *-s* flag) as follows: -- *semodule_package -o base.pp -m base.mod -s seusers ...* -- The *seusers* file would be extracted by the subsequent ***semodule*** command - when building the policy to produce the *seusers.final* file. -2. The ***semanage login*** command is used to map Linux users to - SELinux users as follows: -- *semanage login -a -s staff_u rch* -- This action will update the *seusers* file that would then be used to - produce the seusers.final file with both policy and locally defined user - mapping. -3. It is also possible to associate a Linux group of users to an - SELinux user as follows: -- *semanage login -a -s staff_u %staff_group* - -**The format of the** *seusers* & *seusers.local* **files are as follows:** +1. Building a policy where an optional *seusers* file has been included + in the base package via the ***semodule_package**(8)* command + (signified by the *-s* flag) as follows: + - *semodule_package -o base.pp -m base.mod -s seusers ...* + - The *seusers* file would be extracted by the subsequent ***semodule*** + command when building the policy to produce the *seusers.final* file. +2. The ***semanage login*** command is used to map Linux users to + SELinux users as follows: + - *semanage login -a -s staff_u rch* + - This action will update the *seusers* file that would then be used to + produce the seusers.final file with both policy and locally defined user + mapping. +3. It is also possible to associate a Linux group of users to an + SELinux user as follows: + - *semanage login -a -s staff_u %staff_group* + +**The format of the** *seusers* and *seusers.local* **files are as follows:** ``` [%]user_id:seuser_id[:range] @@ -452,22 +494,18 @@ The *seusers* file is built or modified when: **Where:** - - - - - - - - - - - - - - - -
user_idWhere user_id is the Linux user identity. If this is a Linux group_id then it will be preceded with the '%' sign as shown in the example below.
seuser_idThe SELinux user identity.
rangeThe optional level or range.
+*user_id* + +- Where *user_id* is the Linux user identity. If this is a Linux *group_id* + then it will be preceded with the '*%*' sign as shown in the example below. + +*seuser_id* + +- The SELinux user identity. + +*range* + +- The optional *level* or *range*. **Example** *seusers* **file contents:** @@ -510,32 +548,32 @@ rch:user_u:s0 These three files work together to describe SELinux user information as follows: -1. The *users_extra* and *users_extra.local* files are used to map a - *prefix* to a users home directories as discussed in the - [**Building the File Labeling Support Files**](#building-the-file-labeling-support-files) - section, where it is used to replace the *ROLE* keyword. The - *prefix* is linked to an SELinux user id and should reflect the users role. -- The *users_extra* file contains all the policy *prefix* entries, and the - *users_extra.local* file contains those generated by the ***semanage user*** - command. -- The *users_extra* file can optionally be included in the base package via - the ***semodule_package**(8)* command (signified by the *-u* flag) as - follows: -- *semodule_package -o base.pp -m base.mod -u users_extra ...* -- The *users_extra* file would then be extracted by a subsequent semodule - command when building the policy. -2. The *users.local* file is used to add new SELinux users to the policy - without editing the policy source itself (with each line in the file - following a policy language - [**user Statement**](user_statements.md#user-statements)). - This is useful when only the Reference Policy headers are installed and - additional users need to be added. The ***semanage user*** command will allow - a new SELinux user to be added that would generate the *user.local* file - and if a *-P* flag has been specified, then a *users_extra.local* file is also - updated (note: if this is a new SELinux user and a prefix is not specified - a default *prefix* of user is generated). - -**The format of the** *users_extra* & *users_extra.local* **files are:** +1. The *users_extra* and *users_extra.local* files are used to map a + *prefix* to a users home directories as discussed in the + [**Building the File Labeling Support Files**](#building-the-file-labeling-support-files) + section, where it is used to replace the *ROLE* keyword. The + *prefix* is linked to an SELinux user id and should reflect the users role. + - The *users_extra* file contains all the policy *prefix* entries, and the + *users_extra.local* file contains those generated by the + ***semanage user*** command. + - The *users_extra* file can optionally be included in the base package via + the ***semodule_package**(8)* command (signified by the *-u* flag) as + follows: + - *semodule_package -o base.pp -m base.mod -u users_extra ...* + - The *users_extra* file would then be extracted by a subsequent semodule + command when building the policy. +2. The *users.local* file is used to add new SELinux users to the policy + without editing the policy source itself (with each line in the file + following a policy language + [**user Statement**](user_statements.md#user-statements)). + This is useful when only the Reference Policy headers are installed and + additional users need to be added. The ***semanage user*** command will allow + a new SELinux user to be added that would generate the *user.local* file + and if a *-P* flag has been specified, then a *users_extra.local* file is also + updated (note: if this is a new SELinux user and a prefix is not specified + a default *prefix* of user is generated). + +**The format of the** *users_extra* and *users_extra.local* **files are:** ``` user seuser_id prefix prefix_id; @@ -543,26 +581,24 @@ user seuser_id prefix prefix_id; **Where:** - - - - - - - - - - - - - - - - - - - -
userThe user keyword.
seuser_idThe SELinux user identity.
prefixThe prefix keyword.
prefix_idAn identifier that will be used to replace the ROLE keyword within the active/homedir_template file when building the active/file_contexts.homedirs file for the relabeling utilities to set the security context on users home directories.
+*user* + +- The user keyword. + +*seuser_id* + +- The SELinux user identity. + +*prefix* + +- The prefix keyword. + +*prefix_id* + +- An identifier that will be used to replace the *ROLE* keyword within the + *active/homedir_template* file when building the + *active/file_contexts.homedirs* file for the relabeling utilities to set + the security context on users home directories. **Example** *users_extra* **file contents:** From patchwork Wed Sep 2 13:17:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11777671 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 79C6759D for ; Tue, 15 Sep 2020 19:53:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4FCA62078E for ; Tue, 15 Sep 2020 19:53:35 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="fbPP+jOH" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727830AbgIOTxc (ORCPT ); Tue, 15 Sep 2020 15:53:32 -0400 Received: from mailomta8-sa.btinternet.com ([213.120.69.14]:28609 "EHLO sa-prd-fep-049.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727751AbgIOTxT (ORCPT ); Tue, 15 Sep 2020 15:53:19 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-040.btinternet.com with ESMTP id <20200902131748.LIKW5290.sa-prd-fep-040.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:48 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052668; bh=f9Xgk0jtnpb0PpwmGxZahurw7+LZbZCh8FkknZxjWOE=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=fbPP+jOHDk4wtgbO/843QzqPvmPsulAEKlzn3uEtyu7rGMepk8lXx+croaDSfpXWEFd8TfNrwen4iPQDHEp2KGNjIU6Aei887DXdLbwi+pU34McacZazpcZ8gF8l95DRz+GywAmZDXIX4obBrmQjW+uB284BWt0Wl1obqpJH4LTTnQZnoRUwL/yZgjlU5AnbuyiIKDan8CTQoyqopPNMqwD+jR7BxISC3QB4xFVVc2RAoHrVvQyIw0u0ZvI7IAAbE69/nM8vkKWXIFoSBOYfQxtBaXBLj7nB98KVoQ6ROFV1/8dUu3bL8wRAq8sXohL+gueiDm3DuLPB72m+dDrh7g== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36BF4; Wed, 2 Sep 2020 14:17:48 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 11/13] polyinstantiation: Convert to markdown Date: Wed, 2 Sep 2020 14:17:36 +0100 Message-Id: <20200902131738.18425-12-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/polyinstantiation.md | 108 ++++++++++++++++++++++----------------- 1 file changed, 60 insertions(+), 48 deletions(-) diff --git a/src/polyinstantiation.md b/src/polyinstantiation.md index 3a64918..16a13c2 100644 --- a/src/polyinstantiation.md +++ b/src/polyinstantiation.md @@ -1,5 +1,12 @@ # Polyinstantiation Support +- [Polyinstantiated Objects](#polyinstantiated-objects) +- [Polyinstantiation support in PAM](#polyinstantiation-support-in-pam) + - [*namespace.conf* Configuration File](#namespace.conf-configuration-file) + - [Example Configurations](#example-configurations) +- [Polyinstantiation support in X-Windows](#polyinstantiation-support-in-x-windows) +- [Polyinstantiation support in the Reference Policy](#polyinstantiation-support-in-the-reference-policy) + GNU / Linux supports the polyinstantiation of directories that can be utilised by SELinux via the Pluggable Authentication Module (PAM) as explained in the next section. The @@ -12,16 +19,16 @@ sockets are not yet supported. To clarify polyinstantiation support: -1. SELinux has *libselinux* functions and a policy rule to support - polyinstantiation. -2. The polyinstantiation of directories is a function of GNU / Linux - not SELinux (as more correctly, the GNU / Linux services such as PAM - have been modified to support polyinstantiation of directories and - have also been made SELinux-aware. Therefore their services can be - controlled via policy). -3. The polyinstantiation of X-windows selections and properties is a - function of the XSELinux Object Manager and the supporting XACE - service. +1. SELinux has *libselinux* functions and a policy rule to support + polyinstantiation. +2. The polyinstantiation of directories is a function of GNU / Linux + not SELinux (as more correctly, the GNU / Linux services such as PAM + have been modified to support polyinstantiation of directories and + have also been made SELinux-aware. Therefore their services can be + controlled via policy). +3. The polyinstantiation of X-windows selections and properties is a + function of the XSELinux Object Manager and the supporting XACE + service. ## Polyinstantiated Objects @@ -46,10 +53,11 @@ to enable the feature and some [**examples**](#example-configurations). To implement polyinstantiated directories PAM requires the following files to be configured: -1. A **pam_namespace** module entry added to the appropriate */etc/pam.d/* - login configuration file (e.g. login, sshd, gdm etc.). Fedora - already has these entries configured, with an example - */etc/pam.d/gdm-password* file being: +- A **pam_namespace** module entry added to the appropriate */etc/pam.d/* + login configuration file (e.g. login, sshd, gdm etc.). Fedora + already has these entries configured, with an example + */etc/pam.d/gdm-password* file being: + ``` auth [success=done ignore=ignore default=bad] pam_selinux_permit.so auth substack password-auth @@ -73,13 +81,13 @@ session optional pam_gnome_keyring.so auto_start session include postlogin ``` -2. Entries added to the */etc/security/namespace.conf* file that defines - the directories to be polyinstantiated by PAM (and other services - that may need to use the namespace service). The entries are - explained in the - [*namespace.conf*](#namespace.conf-configuration-file) section, - with the default entries in Fedora being (note that the entries are - commented out in the distribution): +- Entries added to the */etc/security/namespace.conf* file that defines + the directories to be polyinstantiated by PAM (and other services + that may need to use the namespace service). The entries are + explained in the + [*namespace.conf*](#namespace.conf-configuration-file) section, + with the default entries in Fedora being (note that the entries are + commented out in the distribution): ``` # polydir instance-prefix method list_of_uids @@ -108,33 +116,37 @@ Each line in the namespace.conf file is formatted as follows: polydir instance_prefix method list_of_uids ``` -Where: - - - - - - - - - - - - - - - - - - - - -
polydirThe absolute path name of the directory to polyinstantiate. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.
instance_prefixA string prefix used to build the pathname for the polyinstantiated directory. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.
method

This is used to determine the method of polyinstantiation with valid entries being:

-

user - Polyinstantiation is based on user name.

-

level - Polyinstantiation is based on the user name and MLS level.

-

context - Polyinstantiation is based on the user name and security context.

-

Note that level and context are only valid for SELinux enabled systems.

list_of_uids

A comma separated list of user names that will not have polyinstantiated directories. If blank, then all users are polyinstantiated. If the list is preceded with an '~' character, then only the users in the list will have polyinstantiated directories.

-

There are a number of optional flags available that are described in the namespace.conf(5) man page.

+**Where:** + +*polydir* + +- The absolute path name of the directory to polyinstantiate. The optional + strings *\$USER* and *\$HOME* will be replaced by the user name and home + directory respectively. + +*instance_prefix* + +- A string prefix used to build the pathname for the polyinstantiated + directory. The optional strings *\$USER* and *\$HOME* will be replaced by + the user name and home directory respectively. + +*method* + +- This is used to determine the method of polyinstantiation with valid + entries being: + - *user* - Polyinstantiation is based on user name. + - *level* - Polyinstantiation is based on user name and MLS level. + - *context* - Polyinstantiation is based on user name and security context. +- Note that *level* and *context* are only valid for SELinux enabled systems. + +*list_of_uids* + +- A comma separated list of user names that will not have polyinstantiated + directories. If blank, then all users are polyinstantiated. If the list is + preceded with an '~' character, then only the users in the list will have + polyinstantiated directories. + There are a number of optional flags available that are described in the + ***namespace.conf**(5)* man page. ### Example Configurations From patchwork Wed Sep 2 13:17:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11777667 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4CBBF746 for ; Tue, 15 Sep 2020 19:51:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 02F712078D for ; Tue, 15 Sep 2020 19:51:40 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="HX0jODTC" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727721AbgIOTt4 (ORCPT ); Tue, 15 Sep 2020 15:49:56 -0400 Received: from mailomta6-sa.btinternet.com ([213.120.69.12]:62158 "EHLO sa-prd-fep-043.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727952AbgIOTtn (ORCPT ); Tue, 15 Sep 2020 15:49:43 -0400 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-045.btinternet.com with ESMTP id <20200902131748.VNDJ4112.sa-prd-fep-045.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:48 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052668; bh=CHJo7+Mp8hJaF/i7p8CvP20Ym0pqyO3Fl0dzhORi41Y=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=HX0jODTCVnCyZ16DzdzG2QKdgS/4YqtELGjpIGPhYZOfva6Xx2q3WXxNGDMMVmQ/Y1pJLkt4yz24ujIpSRp+SaoBXNQNzNZuHbT3nW0w8B1tixLiU0YOYBlLwZG4FryEVmtR1oThpCIavdgJHGrrogpngxaWCua7BNNcvSMxrEfoQqeayjXv6CwHOpvgbwF+pdlzAUQrIBFfQ3gg1CvIb4TN25lidrd8wT5aQ9DjRwcgr8E+VntbVkDG68S+tGnSfpT6/98axdbMS63iQAq6++MoDf7BFtti0kdjstqQKGvgjMR+T+T1HffzczycVSZvxUSkq2jplDdU7o49WjS69g== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36BFB; Wed, 2 Sep 2020 14:17:48 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 12/13] rbac: Minor format fix Date: Wed, 2 Sep 2020 14:17:37 +0100 Message-Id: <20200902131738.18425-13-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/rbac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rbac.md b/src/rbac.md index 4063e38..0cf4c22 100644 --- a/src/rbac.md +++ b/src/rbac.md @@ -6,7 +6,7 @@ associated to one or more roles, where each role is then associated to one or more domain types as shown in **Figure 4: Role Based Access Control**. The SELinux role name is the second component of a 'security context' -and by convention SELinux roles end in *_r*, however this is not +and by convention SELinux roles end in *\_r*, however this is not enforced by any SELinux service (i.e. it is only used to identify the role component), although CIL with namespaces does make identification of a role easier for example a 'role' could be declared as From patchwork Wed Sep 2 13:17:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11955569 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EBE1EC1B087 for ; Mon, 7 Dec 2020 11:44:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BFF0623358 for ; Mon, 7 Dec 2020 11:44:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726765AbgLGLnz (ORCPT ); Mon, 7 Dec 2020 06:43:55 -0500 Received: from mailomta12-sa.btinternet.com ([213.120.69.18]:19443 "EHLO sa-prd-fep-045.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726920AbgLGLnz (ORCPT ); Mon, 7 Dec 2020 06:43:55 -0500 Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6]) by sa-prd-fep-042.btinternet.com with ESMTP id <20200902131749.VSZJ26396.sa-prd-fep-042.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 2 Sep 2020 14:17:49 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599052669; bh=SiJK/x+UPWFOsLATevCqvVre/gI5Ap+L0Q69Dk7Hoys=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=pzgdPYW+73g8eNOPr4866ohW4irKoWNxwQeDMtH2jCHXAPhRscK6gyOx6NSMqBZS9oOFzZ4haT1Q449zB0611E/YOgyhJYWvvy1GX9KdXvNOG3Jo7WXlgRr4UGZhgbIOWL5qRte9UH8O11i351mf5nQyk/RblRQ84+vTgFsV3iG1I0i06Ps9PlW49Emb7SLJ9HL6hXDl1k07WazcTedhiVBr4T14gYR7l6YWdU3lOrUwR0e4iE0I/1sg1rC3QJhl3xKcJQCsuARdrMA7os2cw+O/d7NycEyhMgw4l4/DkVcKQBiomMqAoS9vT4xn2Dvn1HSRcDg4smeRB8LL+aPw5g== Authentication-Results: btinternet.com; none X-Originating-IP: [109.155.32.197] X-OWM-Source-IP: 109.155.32.197 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (109.155.32.197) by sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AFBE0EF36C0D; Wed, 2 Sep 2020 14:17:49 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 13/13] role_statements: Convert to markdown Date: Wed, 2 Sep 2020 14:17:38 +0100 Message-Id: <20200902131738.18425-14-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com> References: <20200902131738.18425-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/role_statements.md | 443 +++++++++++++++++------------------------ 1 file changed, 178 insertions(+), 265 deletions(-) diff --git a/src/role_statements.md b/src/role_statements.md index c11a01d..b706234 100644 --- a/src/role_statements.md +++ b/src/role_statements.md @@ -1,5 +1,12 @@ # Role Statements +- [*role*](#role) +- [*attribute_role*](#attribute_role) +- [*roleattribute*](#roleattribute) +- [*allow*](#allow) +- [*role_transition*](#role_transition) +- [*dominance* - Deprecated](#dominance---deprecated) + Policy version 26 introduced two new role statements aimed at replacing the deprecated role *dominance* rule by making role relationships easier to understand. These new statements: *attribute_role* and *roleattribute* @@ -27,54 +34,42 @@ role role_id types type_id; **Where:** - - - - - - - - - - - - - - - - - - - -
roleThe role keyword.
role_idThe identifier of the role being declared. The same role identifier can be declared more than once in a policy, in which case the type_id entries will be amalgamated by the compiler.
typesThe optional types keyword.
type_id

When used with the types keyword, one or more type, typealias or attribute identifiers associated with the role_id. Multiple entries consist of a space separated list enclosed in braces '{}'. Entries can be excluded from the list by using the negative operator '-'.

-

For role statements, only type, typealias or attribute identifiers associated to domains have any meaning within SELinux.

+*role* + +The *role* keyword. + +*role_id* + +The identifier of the role being declared. The same *role* identifier can be +declared more than once in a policy, in which case the *type_id* entries will +be amalgamated by the compiler. + +*types* + +The optional *types* keyword. + +*type_id* + +When used with the *types* keyword, one or more type, *typealias* or +*attribute* identifiers associated with the *role_id*. Multiple entries +consist of a space separated list enclosed in braces '{}'. Entries can be +excluded from the list by using the negative operator '-'. +For *role* statements, only *type*, *typealias* or *attribute* identifiers +associated to domains have any meaning within SELinux. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | Yes | **Examples:** @@ -108,45 +103,27 @@ attribute_role attribute_id; **Where:** - - - - - - - - - - - -
attribute_roleThe attribute_role keyword.
attribute_idThe attribute identifier.
+*attribute_role* + +The *attribute_role* keyword. + +*attribute_id* + +The *attribute* identifier. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | Yes | **Examples:** @@ -161,8 +138,8 @@ attribute_role srole_list_2; ## *roleattribute* -The roleattribute statement allows the association of previously -declared roles to one or more previously declared attribute_roles. +The *roleattribute* statement allows the association of previously +declared roles to one or more previously declared *attribute_roles*. **The statement definition is:** @@ -172,49 +149,32 @@ roleattribute role_id attribute_id; **Where:** - - - - - - - - - - - - - - - -
roleattributeThe roleattribute keyword.
role_idThe identifier of a previously declared role.
attribute_idOne or more previously declared attribute_role identifiers. Multiple entries consist of a comma ',' separated list.
+*roleattribute* + +The *roleattribute* keyword. + +*role_id* + +The identifier of a previously declared *role*. + +*attribute_id* + +One or more previously declared *attribute_role* identifiers. Multiple entries +consist of a comma ',' separated list. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:** @@ -232,11 +192,11 @@ roleattribute service_r role_list_1; ## *allow* -The role *allow* rule checks whether a request to change roles is allowed, +The 'role *allow*' rule checks whether a request to change roles is allowed, if it is, then there may be a further request for a *role_transition* so that the process runs with the new role or role set. -Note that the role allow rule has the same keyword as the allow AV rule. +Note that the 'role *allow*' rule has the same keyword as the *allow* AV rule. **The statement definition is:** @@ -246,49 +206,33 @@ allow from_role_id to_role_id; **Where:** - - - - - - - - - - - - - - - -
allowThe role allow rule keyword.
from_role_idOne or more role or attribute_role identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces '{}'.
to_role_idOne or more role or attribute_role identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces '{}'.
+*allow* + +The role *allow* rule keyword. + +*from_role_id* + +One or more *role* or *attribute_role* identifiers that identify the current +role. Multiple entries consist of a space separated list enclosed in braces '{}'. + +*to_role_id* + +One or more *role* or *attribute_role* identifiers that identify the current +role. Multiple entries consist of a space separated list enclosed in braces '{}'. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Example:** @@ -321,57 +265,43 @@ role_transition current_role_id type_id : class new_role_id; **Where:** - - - - - - - - - - - - - - - - - - - - - - - -
role_transitionThe role_transition keyword.
current_role_idOne or more role or attribute_role identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces '{}'.
type_idOne or more type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'. Entries can be excluded from the list by using the negative operator '-'.
classFor policy versions >= 25 an object class that applies to the role transition. If omitted defaults to the process object class.
new_role_idA single role identifier that will become the new role.
+*role_transition* + +The *role_transition* keyword. + +*current_role_id* + +One or more *role* or *attribute_role* identifiers that identify the current +role. Multiple entries consist of a space separated list enclosed in braces '{}'. + +*type_id* + +One or more *type*, *typealias* or *attribute* identifiers. Multiple entries +consist of a space separated list enclosed in braces '{}'. Entries can be +excluded from the list by using the negative operator '-'. + +*class* + +For policy versions \>= 25 an object *class* that applies to the role +transition. If omitted defaults to the *process* object class. + +*new_role_id* + +A single *role* identifier that will become the new role. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Example:** @@ -388,12 +318,12 @@ inherit all the type associations of the other roles. Notes: -1. There is another dominance rule for MLS (see the - [**MLS *dominance***](mls_statements.md#dominance) statement. -2. The role dominance rule is not used by the **Reference Policy** as - the policy manages role dominance using the - [***constrain***](constraint_statements.md#constraint-statements) statement. -3. Note the usage of braces '{}' and the ';' in the statement. +1. There is another dominance rule for MLS (see the + [**MLS *dominance***](mls_statements.md#dominance) statement. +2. The role dominance rule is not used by the **Reference Policy** as + the policy manages role dominance using the + [***constrain***](constraint_statements.md#constraint-statements) statement. +3. Note the usage of braces '{}' and the ';' in the statement. **The statement definition is:** @@ -401,55 +331,38 @@ Notes: dominance { role dom_role_id { role role_id; } } ``` -Where: - - - - - - - - - - - - - - - - - - - - -
dominanceThe dominance keyword.
roleThe role keyword.
dom_role_idThe dominant role identifier.
role_idFor the simple case each { role role_id; } pair defines the role_id that will be dominated by the dom_role_id.
+**Where:** + +*dominance* + +The *dominance* keyword. + +*role* + +The *role* keyword. + +*dom_role_id* + +The dominant role identifier. + +*role_id* + +For the simple case each *{ role role_id; }* pair defines the *role_id* that +will be dominated by the *dom_role_id*. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Example:**