From patchwork Wed Sep 9 13:30:18 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11768869
From: Richard Haines
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines
Subject: [PATCH 01/22] kernel_policy_language: Tidy up formatting
Date: Wed, 9 Sep 2020 14:30:18 +0100
Message-Id: <20200909133039.44498-2-richard_c_haines@btinternet.com>
In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com>
References: <20200909133039.44498-1-richard_c_haines@btinternet.com>
X-Mailing-List: selinux@vger.kernel.org
Signed-off-by: Richard Haines --- src/kernel_policy_language.md | 106 +++++++++++++++++----------------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/src/kernel_policy_language.md b/src/kernel_policy_language.md index 921c7d0..f1910dd 100644 --- a/src/kernel_policy_language.md +++ b/src/kernel_policy_language.md @@ -1,10 +1,10 @@ # Kernel Policy Language -- [Policy Source Files](#policy-source-files) -- [Conditional, Optional and Require Statement Rules](#conditional-optional-and-require-statement-rules) -- [MLS Statements and Optional MLS Components](#mls-statements-and-optional-mls-components) -- [General Statement Information](#general-statement-information) -- [Policy Language Index](#policy-language-index) +- [Policy Source Files](#policy-source-files) +- [Conditional, Optional and Require Statement Rules](#conditional-optional-and-require-statement-rules) +- [MLS Statements and Optional MLS Components](#mls-statements-and-optional-mls-components) +- [General Statement Information](#general-statement-information) +- [Policy Language Index](#policy-language-index) This section covers the policy source file types and what kernel policy statements and rule are allowed in each. The 
@@ -93,30 +93,30 @@ what circumstances each one is valid within a policy source file. *Monolithic Policy* -- Whether the statement is allowed within a monolithic policy source file or not. +- Whether the statement is allowed within a monolithic policy source file or not. *Base Policy* -- Whether the statement is allowed within a base (for loadable module support) - policy source file or not. +- Whether the statement is allowed within a base (for loadable module support) + policy source file or not. *Module Policy* -- Whether the statement is allowed within the optional loadable module policy - source file or not. +- Whether the statement is allowed within the optional loadable module policy + source file or not. ## Conditional, Optional and Require Statement Rules The language grammar specifies what statements and rules can be included within: -1. [**Conditional Policy**](conditional_statements.md#conditional-policy-statements) - rules that are part of the kernel policy language. -2. *optional* and *require* rules that are NOT part of the kernel policy - language, but **Reference Policy** ***m4**(1)* macros used to control - policy builds (see the - [**Modular Policy Support Statements**](modular_policy_statements.md#modular-policy-support-statements) - section. +1. [**Conditional Policy**](conditional_statements.md#conditional-policy-statements) + rules that are part of the kernel policy language. +2. *optional* and *require* rules that are NOT part of the kernel policy + language, but **Reference Policy** ***m4**(1)* macros used to control + policy builds (see the + [**Modular Policy Support Statements**](modular_policy_statements.md#modular-policy-support-statements) + section. To highlight these rules the following table is included in each statement and rule section to show what circumstances each one is valid 
@@ -132,17 +132,17 @@ within a policy source file: *if Statement* -- Whether the statement is allowed within a conditional statement - (*if/else* construct). Conditional statements can be in all types - of policy source file. +- Whether the statement is allowed within a conditional statement + (*if/else* construct). Conditional statements can be in all types + of policy source file. *optional Statement* -- Whether the statement is allowed within the *optional { rule_list }* construct. +- Whether the statement is allowed within the *optional { rule_list }* construct. *require Statement* -- Whether the statement is allowed within the *require { rule_list }* construct. +- Whether the statement is allowed within the *require { rule_list }* construct. ## MLS Statements and Optional MLS Components @@ -156,14 +156,14 @@ MLS **Reference Policy** build. ## General Statement Information -1. Identifiers can generally be any length but should be restricted to - the following characters: a-z, A-Z, 0-9 and \_ (underscore). -2. A '\#' indicates the start of a comment in policy source files. -3. All statements available to policy version 29 have been included. -4. When multiple source and target entries are shown in a single - statement or rule, the compiler (***checkpolicy**(8)* or - ***checkmodule**(8)*) will expand these to individual statements or - rules as shown in the following example: +1. Identifiers can generally be any length but should be restricted to + the following characters: a-z, A-Z, 0-9 and \_ (underscore). +2. A '\#' indicates the start of a comment in policy source files. +3. All statements available to policy version 29 have been included. +4. When multiple source and target entries are shown in a single + statement or rule, the compiler (***checkpolicy**(8)* or + ***checkmodule**(8)*) will expand these to individual statements or + rules as shown in the following example: ``` # This allow rule has two target entries console_device_t and tty_device_t: 
@@ -180,11 +180,11 @@ using (for example) ***apol**(8)*, **sedispol** or **sedismod**, the results will differ (however the resulting policy rules will be the same). -1. Some statements can be added to a policy via the policy store using - the **semanage**(8) command. Examples of these are shown where - applicable, however the **semanage** man page should be consulted - for all the possible command line options. -2. **Table 2** lists words reserved for the SELinux policy language. +1. Some statements can be added to a policy via the policy store using + the **semanage**(8) command. Examples of these are shown where + applicable, however the **semanage** man page should be consulted + for all the possible command line options. +2. **Table 2** lists words reserved for the SELinux policy language. | | | | | | :-------------- | :------------- | :----------------- | :--------------- | 
@@ -294,28 +294,28 @@ or require {rule_list} statement.* The policy language statement and rule sections are as follows: -- [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements) -- [Default Rules](default_rules.md#default-object-rules) -- [User Statements](user_statements.md#user-statements) -- [Role Statements](role_statements.md#role-statements) -- [Type Statements](type_statements.md#type-statements) -- [Bounds Rules](bounds_rules.md#bounds-rules) -- [Access Vector Rules](avc_rules.md#access-vector-rules) -- [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules) -- [Object Class and Permission Statements](class_permission_statements.md#object-class-and-permission-statements) -- [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements) -- [Constraint Statements](constraint_statements.md#constraint-statements) -- [MLS Statements](mls_statements.md#mls-statements) -- [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement) -- [File System Labeling Statements](file-labeling-statements.md#file-system-labeling-statements) -- [Network Labeling Statements](network_statements.md#network-labeling-statements) -- [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements) -- [XEN Statements](xen_statements.md#xen-statements) +- [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements) +- [Default Rules](default_rules.md#default-object-rules) +- [User Statements](user_statements.md#user-statements) +- [Role Statements](role_statements.md#role-statements) +- [Type Statements](type_statements.md#type-statements) +- [Bounds Rules](bounds_rules.md#bounds-rules) +- [Access Vector Rules](avc_rules.md#access-vector-rules) +- [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules) +- [Object Class and Permission 
Statements](class_permission_statements.md#object-class-and-permission-statements) +- [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements) +- [Constraint Statements](constraint_statements.md#constraint-statements) +- [MLS Statements](mls_statements.md#mls-statements) +- [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement) +- [File System Labeling Statements](file-labeling-statements.md#file-system-labeling-statements) +- [Network Labeling Statements](network_statements.md#network-labeling-statements) +- [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements) +- [XEN Statements](xen_statements.md#xen-statements) Note these are not kernel policy statements, but used by the Reference Policy to assist policy build: -- [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements) +- [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements) [^fn_kpl_1]: It is important to note that the Reference Policy builds policy using makefiles and m4 support macros within its own source file structure. 
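Review bot: the unchanged context line after the TOC in hunk @@ -1,10 +1,10 @@ reads "what kernel policy statements and rule are allowed in each"; it should be "statements and rules", and a formatting tidy-up of this file is the natural place to fix it. Note also that the removed and added TOC entries in this hunk are textually identical, so the change is presumably whitespace-only; a commit body saying what was tidied (trailing whitespace, list indentation) would let reviewers confirm with `git diff -w` that nothing else moved.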
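Review bot: the re-indented item 2 in hunk @@ -93,30 +93,30 @@ still carries an unbalanced parenthesis: "(see the [**Modular Policy Support Statements**](modular_policy_statements.md#modular-policy-support-statements) section." opens "(" but never closes it. Suggest "section)." on the added line.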
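Review bot: the added lines in hunk @@ -180,11 +180,11 @@ keep the ordered list restarting at "1." after the code block and the apol/sedispol paragraph, while the list in hunk @@ -156,14 +156,14 @@ already runs 1 to 4. In CommonMark an ordered list that follows intervening paragraphs starts its own numbering, so these items render as 1 and 2 rather than 5 and 6; either number them "5." and "6." explicitly or indent the code block and paragraph so they belong to item 4.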
From patchwork Wed Sep 9 13:30:19 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11769501
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 02/22] mls_statements: Convert to markdown Date: Wed, 9 Sep 2020 14:30:19 +0100 Message-Id: <20200909133039.44498-3-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Remove table 1 as didn't seem to add anything. Signed-off-by: Richard Haines --- src/mls_statements.md | 461 +++++++++++++++--------------------------- 1 file changed, 167 insertions(+), 294 deletions(-) diff --git a/src/mls_statements.md b/src/mls_statements.md index f61ced6..05ba185 100644 --- a/src/mls_statements.md +++ b/src/mls_statements.md 
@@ -1,74 +1,30 @@ # MLS Statements +- [MLS range Definition](#mls-range-definition) +- [*sensitivity*](#sensitivity) +- [*dominance*](#dominance) +- [*category*](#category) +- [*level*](#level) +- [*range_transition*](#range_transition) +- [*mlsconstrain*](#mlsconstrain) +- [*mlsvalidatetrans*](#mlsvalidatetrans) + The optional MLS policy extension adds an additional security context component that consists of the following highlighted entries: -``` -user:role:type:sensitivity[:category,...]- sensitivity [:category,...] -``` +*user:role:type:* ***sensitivity[:category,...] - sensitivity [:category,...]*** -These consist of a mandatory hierarchical -[**sensitivity**](#sensitivity) and optional -non-hierarchical [**category**](#category)'s. The -combination of the two comprise a [**level**](#level) or security level as -shown in **Table 1: Sensitivity and Category = Security Level**. Depending on -the circumstances, there can be one level defined or a -[**range**](#mls-range-definition) as shown in **Table 1**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Security Level (or Level)

-

Consisting of a sensitivity and zero or more category entries:

Note that SELinux uses level, sensitivity and category
in the language statements (see the MLS Language Statements section),
however when discussing these the following terms can also be used:
labels, classifications, and compartments.

sensitivity [: category, ... ]
also known as:

-

Sensitivity Label

-

Consisting of a classification and compartment.

<-------------- Range -------------->
Low
-
High
sensitivity [: category, ... ]
sensitivity [: category, ... ]
For a process or subject this is the current level or sensitivity
For a process or subject this is the Clearance
For an object this is the current level or sensitivity
For an object this is the maximum range
SystemLow
SystemHigh
This is the lowest level or classification for the system
(for SELinux this is generally 's0', note that there are no categories).
This is the highest level or classification for the system
(for SELinux this is generally 's15:c0,c255',
although note that they will be the highest set by the policy).
- -**Table 1: Sensitivity and Category = Security Level** - *this table shows -the meanings depending on the context being discussed.* +These consist of a mandatory hierarchical [**sensitivity**](#sensitivity) and +optional non-hierarchical [**category**](#category)'s. The combination of the +two comprise a [**level**](#level) or security level. Depending on the +circumstances, there can be one level or a [**range**](#mls-range-definition). To make the security levels more meaningful, it is possible to use the -setransd daemon to translate these to human readable formats. The -**semanage**(8) command will allow this mapping to be defined as discussed +***mcstransd**(8)* daemon to translate these to human readable formats. The +***semanage**(8)* command will allow this mapping to be defined as discussed in the [**setrans.conf**](policy_config_files.md#setrans.conf) section. -#### MLS range Definition +## MLS range Definition The MLS range is appended to a number of statements and defines the lowest and highest security levels. The range can also consist of a single level as @@ -82,23 +38,20 @@ low_level [ - high_level ] **Where:** - - - - - - - - - - - - - - - -
low_level

The processes lowest level identifier that has been previously declared by a level statement.

-

If a high_level is not defined, then it is taken as the same as the low_level.

-The optional hyphen '-' separator if a high_level is also being defined.
high_levelThe processes highest level identifier that has been previously declared by a level statement.
+*low_level* + +The processes lowest level identifier that has been previously declared by a +[*level*](#level) statement. If a *high_level* is not defined, then it is taken +as the same as the *low_level*. + +*\-* + +The optional hyphen '-' separator if a *high_level* is also being defined. + +*high_level* + +The processes highest level identifier that has been previously declared by +a [*level*](#level) statement. ## *sensitivity* @@ -113,53 +66,35 @@ sensitivity sens_id [alias sensitivityalias_id ...]; **Where:** - - - - - - - - - - - - - - - - - - - -
sensitivityThe sensitivity keyword.
sens_idThe sensitivity identifier.
aliasThe optional alias keyword.
sensitivityalias_idOne or more sensitivity alias identifiers in a space separated list.
+*sensitivity* + +The *sensitivity* keyword. + +*sens_id* + +The *sensitivity* identifier. + +*alias* + +The optional *alias* keyword. + +*sensitivityalias_id* + +One or more sensitivity alias identifiers in a space separated list. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | Yes | **Examples:** @@ -193,45 +128,29 @@ dominance { sensitivity_id ... } **Where:** - - - - - - - - - - - -
dominanceThe dominance keyword.
sensitivity_idA space separated list of previously declared sensitivity or sensitivityalias identifiers in the order lowest to highest. They are enclosed in braces '{}', and note that there is no terminating semi-colon ';'.
- -The statement is valid in: - - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+*dominance* + +The *dominance* keyword. + +*sensitivity_id* + +A space separated list of previously declared *sensitivity* or +*sensitivityalias* identifiers in the order lowest to highest. They are +enclosed in braces '{}', and note that there is no terminating semi-colon ';'. + +**The statement is valid in:** + +Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** @@ -255,53 +174,35 @@ category category_id [alias categoryalias_id ...]; **Where:** - - - - - - - - - - - - - - - - - - - -
categoryThe category keyword.
category_idThe category identifier.
aliasThe optional alias keyword.
categoryalias_idOne or more alias identifiers in a space separated list.
+*category* + +The *category* keyword. + +*category_id* + +The *category* identifier. + +*alias* + +The optional *alias* keyword. + +*categoryalias_id* + +One or more *alias* identifiers in a space separated list. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | Yes | **Examples:** @@ -337,52 +238,40 @@ level sensitivity_id [ :category_id ]; **Where:** - - - - - - - - - - - - - - - -
levelThe level keyword.
sensitivity_idA previously declared sensitivity or sensitivityalias identifier.
category_idAn optional set of zero or more previously declared category or categoryalias identifiers that are preceded by a colon ':', that can be written as follows: -

The period '.' separating two category identifiers means an inclusive set (e.g. c0.c16).

-

The comma ',' separating two category identifiers means a non-contiguous list (e.g. c21,c36,c45).

-

Both separators may be used (e.g. c0.c16,c21,c36,c45).

+*level* + +The *level* keyword. + +*sensitivity_id* + +A previously declared *sensitivity* or *sensitivityalias* identifier. + +*category_id* + +An optional set of zero or more previously declared *category* or +*categoryalias* identifiers that are preceded by a colon ':', that can be +written as follows: + +- The period '.' separating two *category* identifiers means an inclusive + set (e.g. *c0.c16*). +- The comma ',' separating two *category* identifiers means a non-contiguous + list (e.g. *c21,c36,c45*). + +Both separators may be used (e.g. *c0.c16,c21,c36,c45*). **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** @@ -417,55 +306,39 @@ range_transition source_type target_type : class new_range; **Where:** - - - - - - - - - - - - - - - - - - - -
range_transitionThe range_transition keyword.

source_type

-

target_type

One or more source / target type or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces'{}'.

-

Entries can be excluded from the list by using the negative operator '-'.

classThe optional object class keyword (this allows policy versions 21 and greater to specify a class other than the default of process).
new_rangeThe new MLS range for the object class. The format of this field is described in the "MLS range Definition" section.
+*range_transition* + +The *range_transition* keyword. + +*source_type*, *target_type* + +One or more source / target *type* or *attribute* identifiers. Multiple entries +consist of a space separated list enclosed in braces'{}'. +Entries can be excluded from the list by using the negative operator '-'. + +*class* + +The optional object *class* keyword (this allows policy versions 21 and greater +to specify a class other than the default of *process*). + +*new_range* + +The new MLS range for the object class. The format of this field is described +in the [MLS range Definition](#mls-range-definition) section. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:** From patchwork Wed Sep 9 13:30:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11767123 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9C379112E for ; Thu, 10 Sep 2020 08:46:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5DFC22078E for ; Thu, 10 Sep 2020 08:46:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="cX357jGJ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730077AbgIJIqf (ORCPT ); Thu, 10 Sep 2020 04:46:35 -0400 Received: from mailomta10-re.btinternet.com ([213.120.69.103]:56989 "EHLO re-prd-fep-045.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729990AbgIJIqS (ORCPT ); Thu, 10 Sep 2020 04:46:18 -0400 Received: from re-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.54.6]) by re-prd-fep-045.btinternet.com with ESMTP id <20200909133044.LPHK4080.re-prd-fep-045.btinternet.com@re-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 9 Sep 2020 14:30:44 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599658244; bh=b3ipCmpFZs1a3Q+0vsJFLIGzCrl1GikbcDNEI0LxSB4=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; 
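Review bot: hunk @@ -1,74 +1,30 @@ drops Table 1 entirely, but the removed rows carried facts the new prose does not restate: that for a subject the low end of a range is its current level and the high end its clearance, that for an object the high end is the maximum range, and that SystemLow/SystemHigh are conventionally 's0' and 's15:c0,c255' (the high value being whatever the policy defines). Suggest keeping those as a short bullet list after "there can be one level or a [**range**](#mls-range-definition)" rather than losing them with the table.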
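Review bot: the added "Where:" entries in hunk @@ -82,23 +38,20 @@ read "The processes lowest level identifier" and "The processes highest level identifier"; this is a possessive, so "The process's lowest level identifier". The wording was inherited from the HTML table being removed, and this conversion is the right place to fix it.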
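Review bot: in hunk @@ -417,55 +306,39 @@ the added line "consist of a space separated list enclosed in braces'{}'." is missing the space before the quote; write "enclosed in braces '{}'." as the *dominance* entry in hunk @@ -193,45 +128,29 @@ already does.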
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 03/22] object_classes_permissions: : Tidy up formatting Date: Wed, 9 Sep 2020 14:30:20 +0100 Message-Id: <20200909133039.44498-4-richard_c_haines@btinternet.com> In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> Signed-off-by: Richard Haines --- src/object_classes_permissions.md | 299 +++++++++++++++--------------- 1 file changed, 151 insertions(+), 148 deletions(-) diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md index c51d36b..fa16024 100644 --- a/src/object_classes_permissions.md +++ b/src/object_classes_permissions.md
@@ -3,137 +3,137 @@ - [Introduction](#introduction) - [Defining Object Classes and Permissions](#defining-object-classes-and-permissions) - [Kernel Object Classes and Permissions](#kernel-object-classes-and-permissions) - - [Common Permissions](#common-permissions) - - [Common File Permissions](#common-file-permissions) - - [Common Socket Permissions](#common-socket-permissions) - - [Common IPC Permissions](#common-ipc-permissions) - - [Common Capability Permissions](#common-capability-permissions) - - [Common Capability2 Permissions](#common-capability2-permissions) - - [Common Database Permissions](#common-database-permissions) - - [Common X_Device Permissions](#common-x_device-permissions) - - [File Object Classes](#file-object-classes) - - [*filesystem*](#filesystem) - - [*dir*](#dir) - - [*file*](#file) - - [*lnk_file*](#lnk_file) - - [*chr_file*](#chr_file) - - [*blk_file*](#blk_file) - - [*sock_file*](#sock_file) - - [*fifo_file*](#fifo_file) - - [*fd*](#fd) - - [Network Object Classes](#network-object-classes) - - [*node*](#node) - - [*netif*](#netif) - - [*socket*](#socket) - - [*tcp_socket*](#tcp_socket) - - [*udp_socket*](#udp_socket) - - [*rawip_socket*](#rawip_socket) - - [*packet_socket*](#packet_socket) - - [*unix_stream_socket*](#unix_stream_socket) - - [*unix_dgram_socket*](#unix_dgram_socket) - - [*tun_socket*](#tun_socket) - - [IPSec Network Object Classes](#ipsec-network-object-classes) - - [*association*](#association) - - [*key_socket*](#key_socket) - - [*netlink_xfrm_socket*](#netlink_xfrm_socket) - - [Netlink Object Classes](#netlink-object-classes) - - [*netlink_socket*](#netlink_socket) - - [*netlink_route_socket*](#netlink_route_socket) - - [*netlink_firewall_socket* (Deprecated)](#netlink_firewall_socket-deprecated) - - [*netlink_tcpdiag_socket*](#netlink_tcpdiag_socket) - - [*netlink_nflog_socket*](#netlink_nflog_socket) - - [*netlink_selinux_socket*](#netlink_selinux_socket) - - [*netlink_audit_socket*](#netlink_audit_socket) - - 
[*netlink_ip6fw_socket* (Deprecated)](#netlink_ip6fw_socket-deprecated) - - [*netlink_dnrt_socket*](#netlink_dnrt_socket) - - [*netlink_kobject_uevent_socket*](#netlink_kobject_uevent_socket) - - [*netlink_iscsi_socket*](#netlink_iscsi_socket) - - [*netlink_fib_lookup_socket*](#netlink_fib_lookup_socket) - - [*netlink_connector_socket*](#netlink_connector_socket) - - [*netlink_netfilter_socket*](#netlink_netfilter_socket) - - [*netlink_generic_socket*](#netlink_generic_socket) - - [*netlink_scsitransport_socket*](#netlink_scsitransport_socket) - - [*netlink_rdma_socket*](#netlink_rdma_socket) - - [*netlink_crypto_socket*](#netlink_crypto_socket) - - [Miscellaneous Network Object Classes](#miscellaneous-network-object-classes) - - [*peer*](#peer) - - [*packet*](#packet) - - [*appletalk_socket*](#appletalk_socket) - - [*dccp_socket*](#dccp_socket) - - [Sockets via *extended_socket_class*](#sockets-via-extended_socket_class) - - [*sctp_socket*](#sctp_socket) - - [*icmp_socket*](#icmp_socket) - - [Miscellaneous Extended Socket Classes](#miscellaneous-extended-socket-classes) - - [BPF Object Class](#bpf-object-class) - - [*bpf*](#bpf) - - [Performance Event Object Class](#performance-event-object-class) - - [*perf_event*](#perf_event) - - [Lockdown Object Class](#lockdown-object-class) - - [*lockdown*](#lockdown) - - [IPC Object Classes](#ipc-object-classes) - - [*ipc* (Deprecated)](#ipc-deprecated) - - [*sem*](#sem) - - [*msgq*](#msgq) - - [*msg*](#msg) - - [*shm*](#shm) - - [Process Object Class](#process-object-class) - - [*process*](#process) - - [*process2*](#process2) - - [Security Object Class](#security-object-class) - - [*security*](#security) - - [System Operation Object Class](#system-operation-object-class) - - [*system*](#system) - - [Miscellaneous Kernel Object Classes](#miscellaneous-kernel-object-classes) - - [*kernel_service*](#kernel_service) - - [*key*](#key) - - [*memprotect*](#memprotect) - - [*binder*](#binder) - - [Capability Object 
Classes](#capability-object-classes) - - [*capability*](#capability) - - [*capability2*](#capability2) - - [*cap_userns*](#cap_userns) - - [*cap2_userns*](#cap2_userns) - - [InfiniBand Object Classes](#infiniband-object-classes) - - [*infiniband_pkey*](#infiniband_pkey) - - [*infiniband_endport*](#infiniband_endport) + - [Common Permissions](#common-permissions) + - [Common File Permissions](#common-file-permissions) + - [Common Socket Permissions](#common-socket-permissions) + - [Common IPC Permissions](#common-ipc-permissions) + - [Common Capability Permissions](#common-capability-permissions) + - [Common Capability2 Permissions](#common-capability2-permissions) + - [Common Database Permissions](#common-database-permissions) + - [Common X_Device Permissions](#common-x_device-permissions) + - [File Object Classes](#file-object-classes) + - [*filesystem*](#filesystem) + - [*dir*](#dir) + - [*file*](#file) + - [*lnk_file*](#lnk_file) + - [*chr_file*](#chr_file) + - [*blk_file*](#blk_file) + - [*sock_file*](#sock_file) + - [*fifo_file*](#fifo_file) + - [*fd*](#fd) + - [Network Object Classes](#network-object-classes) + - [*node*](#node) + - [*netif*](#netif) + - [*socket*](#socket) + - [*tcp_socket*](#tcp_socket) + - [*udp_socket*](#udp_socket) + - [*rawip_socket*](#rawip_socket) + - [*packet_socket*](#packet_socket) + - [*unix_stream_socket*](#unix_stream_socket) + - [*unix_dgram_socket*](#unix_dgram_socket) + - [*tun_socket*](#tun_socket) + - [IPSec Network Object Classes](#ipsec-network-object-classes) + - [*association*](#association) + - [*key_socket*](#key_socket) + - [*netlink_xfrm_socket*](#netlink_xfrm_socket) + - [Netlink Object Classes](#netlink-object-classes) + - [*netlink_socket*](#netlink_socket) + - [*netlink_route_socket*](#netlink_route_socket) + - [*netlink_firewall_socket* (Deprecated)](#netlink_firewall_socket-deprecated) + - [*netlink_tcpdiag_socket*](#netlink_tcpdiag_socket) + - [*netlink_nflog_socket*](#netlink_nflog_socket) + - 
[*netlink_selinux_socket*](#netlink_selinux_socket) + - [*netlink_audit_socket*](#netlink_audit_socket) + - [*netlink_ip6fw_socket* (Deprecated)](#netlink_ip6fw_socket-deprecated) + - [*netlink_dnrt_socket*](#netlink_dnrt_socket) + - [*netlink_kobject_uevent_socket*](#netlink_kobject_uevent_socket) + - [*netlink_iscsi_socket*](#netlink_iscsi_socket) + - [*netlink_fib_lookup_socket*](#netlink_fib_lookup_socket) + - [*netlink_connector_socket*](#netlink_connector_socket) + - [*netlink_netfilter_socket*](#netlink_netfilter_socket) + - [*netlink_generic_socket*](#netlink_generic_socket) + - [*netlink_scsitransport_socket*](#netlink_scsitransport_socket) + - [*netlink_rdma_socket*](#netlink_rdma_socket) + - [*netlink_crypto_socket*](#netlink_crypto_socket) + - [Miscellaneous Network Object Classes](#miscellaneous-network-object-classes) + - [*peer*](#peer) + - [*packet*](#packet) + - [*appletalk_socket*](#appletalk_socket) + - [*dccp_socket*](#dccp_socket) + - [Sockets via *extended_socket_class*](#sockets-via-extended_socket_class) + - [*sctp_socket*](#sctp_socket) + - [*icmp_socket*](#icmp_socket) + - [Miscellaneous Extended Socket Classes](#miscellaneous-extended-socket-classes) + - [BPF Object Class](#bpf-object-class) + - [*bpf*](#bpf) + - [Performance Event Object Class](#performance-event-object-class) + - [*perf_event*](#perf_event) + - [Lockdown Object Class](#lockdown-object-class) + - [*lockdown*](#lockdown) + - [IPC Object Classes](#ipc-object-classes) + - [*ipc* (Deprecated)](#ipc-deprecated) + - [*sem*](#sem) + - [*msgq*](#msgq) + - [*msg*](#msg) + - [*shm*](#shm) + - [Process Object Class](#process-object-class) + - [*process*](#process) + - [*process2*](#process2) + - [Security Object Class](#security-object-class) + - [*security*](#security) + - [System Operation Object Class](#system-operation-object-class) + - [*system*](#system) + - [Miscellaneous Kernel Object Classes](#miscellaneous-kernel-object-classes) + - [*kernel_service*](#kernel_service) + - 
[*key*](#key) + - [*memprotect*](#memprotect) + - [*binder*](#binder) + - [Capability Object Classes](#capability-object-classes) + - [*capability*](#capability) + - [*capability2*](#capability2) + - [*cap_userns*](#cap_userns) + - [*cap2_userns*](#cap2_userns) + - [InfiniBand Object Classes](#infiniband-object-classes) + - [*infiniband_pkey*](#infiniband_pkey) + - [*infiniband_endport*](#infiniband_endport) - [Userspace Object Classes](#userspace-object-classes) - - [X Windows Object Classes](#x-windows-object-classes) - - [*x_drawable*](#x_drawable) - - [*x_screen*](#x_screen) - - [*x_gc*](#x_gc) - - [*x_font*](#x_font) - - [*x_colormap*](#x_colormap) - - [*x_property*](#x_property) - - [*x_selection*](#x_selection) - - [*x_cursor*](#x_cursor) - - [*x_client*](#x_client) - - [*x_device*](#x_device) - - [*x_server*](#x_server) - - [*x_extension*](#x_extension) - - [*x_resource*](#x_resource) - - [*x_event*](#x_event) - - [*x_synthetic_event*](#x_synthetic_event) - - [*x_application_data*](#x_application_data) - - [*x_pointer*](#x_pointer) - - [*x_keyboard*](#x_keyboard) - - [Database Object Classes](#database-object-classes) - - [*db_database*](#db_database) - - [*db_table*](#db_table) - - [*db_schema*](#db_schema) - - [*db_procedure*](#db_procedure) - - [*db_column*](#db_column) - - [*db_tuple*](#db_tuple) - - [*db_blob*](#db_blob) - - [*db_view*](#db_view) - - [*db_sequence*](#db_sequence) - - [*db_language*](#db_language) - - [Miscellaneous Userspace Object Classes](#miscellaneous-userspace-object-classes) - - [*passwd*](#passwd) - - [*nscd*](#nscd) - - [*dbus*](#dbus) - - [*context*](#context) - - [*service*](#service) - - [*proxy*](#proxy) + - [X Windows Object Classes](#x-windows-object-classes) + - [*x_drawable*](#x_drawable) + - [*x_screen*](#x_screen) + - [*x_gc*](#x_gc) + - [*x_font*](#x_font) + - [*x_colormap*](#x_colormap) + - [*x_property*](#x_property) + - [*x_selection*](#x_selection) + - [*x_cursor*](#x_cursor) + - [*x_client*](#x_client) + - 
[*x_device*](#x_device) + - [*x_server*](#x_server) + - [*x_extension*](#x_extension) + - [*x_resource*](#x_resource) + - [*x_event*](#x_event) + - [*x_synthetic_event*](#x_synthetic_event) + - [*x_application_data*](#x_application_data) + - [*x_pointer*](#x_pointer) + - [*x_keyboard*](#x_keyboard) + - [Database Object Classes](#database-object-classes) + - [*db_database*](#db_database) + - [*db_table*](#db_table) + - [*db_schema*](#db_schema) + - [*db_procedure*](#db_procedure) + - [*db_column*](#db_column) + - [*db_tuple*](#db_tuple) + - [*db_blob*](#db_blob) + - [*db_view*](#db_view) + - [*db_sequence*](#db_sequence) + - [*db_language*](#db_language) + - [Miscellaneous Userspace Object Classes](#miscellaneous-userspace-object-classes) + - [*passwd*](#passwd) + - [*nscd*](#nscd) + - [*dbus*](#dbus) + - [*context*](#context) + - [*service*](#service) + - [*proxy*](#proxy) ## Introduction @@ -141,7 +141,8 @@ This section contains a list of object classes and their associated permissions that have been taken from the Fedora policy sources. There are also additional entries for Xen. The Android specific classes and permissions are shown in the -[**Security Enhancements for Android**](seandroid.md#security-enhancements-for-android) section. +[**Security Enhancements for Android**](seandroid.md#security-enhancements-for-android) +section. The SElinux Testsuite has tests that exercise a number of these object classes/permissions and is a useful reference: 
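Review bot: the unchanged context line directly after the @@ -141,7 +141,8 hunk still reads "The SElinux Testsuite"; since that paragraph is being rewrapped anyway, correcting it to "SELinux" in the same hunk would be cheap. Separately, the Subject line carries a doubled colon ("object_classes_permissions: : Tidy up formatting") that should be fixed before merge.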
@@ -153,23 +154,28 @@ used in the standard Linux function calls (such as 'create a socket' or *relabelfrom* -- Used on most objects to allow the objects security context to be changed from the current type. +- Used on most objects to allow the objects security context to be changed from + the current type. *relabelto* -- Used on most objects to allow the objects security context to be changed to the new type. +- Used on most objects to allow the objects security context to be changed to + the new type. *entrypoint* -- Used for files to indicate that they can be used as an entry point into a domain via a domain transition. +- Used for files to indicate that they can be used as an entry point into a + domain via a domain transition. *execute_no_trans* -- Used for files to indicate that they can be used as an entry point into the calling domain (i.e. does not require a domain transition). +- Used for files to indicate that they can be used as an entry point into the + calling domain (i.e. does not require a domain transition). *execmod* -Generally used for files to indicate that they can execute the modified file in memory. +- Generally used for files to indicate that they can execute the modified file + in memory. Where possible the specific object class permissions are explained, however for some permissions it is difficult to determine what they are 
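Review bot: the rewrapped *relabelfrom* and *relabelto* lines keep "the objects security context"; while these lines are being rewritten, make it possessive, "the object's security context", in both places. Note also that the "- " marker added to the *execmod* description is a real content fix (it was the only description in this run that was not a list item) and could be mentioned in the commit message rather than hidden under "tidy up formatting".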
@@ -189,10 +195,10 @@ Note: In theory a policy could be defined with no classes or permissions then set the *handle_unknown* flag when building the policy to *allow* (***checkpolicy**(8)* and ***secilc**(8)* *[-U handle-unknown (allow,deny,reject)]*). However: -- CIL requires at least one class to be defined. -- The *process* class with its *transition* and *dyntransition* permissions - are still required for default labeling behaviors, role and range - transitions in older policy versions. +- CIL requires at least one class to be defined. +- The *process* class with its *transition* and *dyntransition* permissions + are still required for default labeling behaviors, role and range + transitions in older policy versions. The [**Object Class and Permission Statements**](class_permission_statements.md#object-class-and-permission-statements) section specifies how these are defined within the Kernel Policy Language, @@ -465,7 +471,6 @@ inherited by a number of object classes. - msgq - Send message to message queue. - sem - Change semaphore value. - ### Common Capability Permissions **Permission** - 32 permissions - Text from */usr/include/linux/capability.h* @@ -843,7 +848,6 @@ A mounted *filesystem* ### *dir* - A Directory **Permissions** - Inherit 25 @@ -1125,7 +1129,7 @@ IPSec security association *polmatch* - Match IPSec Security Policy Database (SPD) context (-ctx) entries to an - SELinux domain (contained in the Security Association Database (SAD) . + SELinux domain (contained in the Security Association Database (SAD)). *recvfrom* @@ -1169,7 +1173,7 @@ IPSec key management. Protocol: *PF_KEY* Family Type: All ## Netlink Object Classes -Netlink sockets communicate between userspace and the kernel – also see +Netlink sockets communicate between userspace and the kernel - also see ***netlink**(7)*. ### *netlink_socket* @@ -2913,7 +2917,6 @@ Manage a database view. - Allows the expansion of a 'view'. - ### *db_sequence* A sequential number generator. 
@@ -3090,11 +3093,11 @@ Manage ***systemd**(1)* services. *reload* -- Restart systemd services. +- Restart *systemd* services. *start* -- Start systemd services. +- Start *systemd* services. *status* 
@@ -3102,7 +3105,7 @@ Manage ***systemd**(1)* services. *stop* -- Stop systemd services. +- Stop *systemd* services. ### *proxy* From patchwork Wed Sep 9 13:30:21 2020 X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11769763
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 04/22] policy_config_files: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:21 +0100 Message-Id: <20200909133039.44498-5-richard_c_haines@btinternet.com> In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> Signed-off-by: Richard Haines --- src/policy_config_files.md | 442 ++++++++++++++++++------------------- 1 file changed, 220 insertions(+), 222 deletions(-) diff --git a/src/policy_config_files.md b/src/policy_config_files.md index e7fab1e..9ad9b42 100644 --- a/src/policy_config_files.md +++ b/src/policy_config_files.md
@@ -1,36 +1,36 @@ # Policy Configuration Files -- [setrans.conf](#setrans.conf) -- [*secolor.conf*](#secolor.conf) -- [*policy/policy.\*](#policypolicy.ver) -- [*contexts/customizable_types*](#contextscustomizable_types) -- [*contexts/default_contexts*](#contextsdefault_contexts) -- [*contexts/dbus_contexts*](#contextsdbus_contexts) -- [*contexts/default_type*](#contextsdefault_type) -- [*contexts/failsafe_context*](#contextsfailsafe_context) -- [*contexts/initrc_context*](#contextsinitrc_context) -- [*contexts/lxc_contexts*](#contextslxc_contexts) -- [*contexts/netfilter_contexts* - Obsolete](#contextsnetfilter_contexts---obsolete) -- [*contexts/openrc_contexts*](#contextsopenrc_contexts) -- [*contexts/openssh_contexts*](#contextsopenssh_contexts) -- [*contexts/removable_context*](#contextsremovable_context) -- [*contexts/sepgsql_contexts*](#contextssepgsql_contexts) -- [*contexts/snapperd_contexts*](#contextssnapperd_contexts) -- [*contexts/securetty_types*](#contextssecuretty_types) -- [*contexts/systemd_contexts*](#contextssystemd_contexts) -- [*contexts/userhelper_context*](#contextsuserhelper_context) -- [*contexts/virtual_domain_context*](#contextsvirtual_domain_context) -- [*contexts/virtual_image_context*](#contextsvirtual_image_context) -- [*contexts/x_contexts*](#contextsx_contexts) -- [*contexts/files/file_contexts*](#contextsfilesfile_contexts) -- [*contexts/files/file_contexts.local*](#contextsfilesfile_contexts.local) -- [*contexts/files/file_contexts.homedirs*](#contextsfilesfile_contexts.homedirs) -- [*contexts/files/file_contexts.subs*](#contextsfilesfile_contexts.subs) -- [*contexts/files/file_contexts.subs_dist*](#contextsfilesfile_contexts.subs_dist) -- [*contexts/files/media*](#contextsfilesmedia) -- [*contexts/users/[seuser_id]*](#contextsusersseuser_id) -- [*logins/\*](#loginslinuxuser_id) -- [*users/local.users*](#userslocal.users) +- [setrans.conf](#setrans.conf) +- [*secolor.conf*](#secolor.conf) +- [*policy/policy.\*](#policypolicy.ver) 
+- [*contexts/customizable_types*](#contextscustomizable_types) +- [*contexts/default_contexts*](#contextsdefault_contexts) +- [*contexts/dbus_contexts*](#contextsdbus_contexts) +- [*contexts/default_type*](#contextsdefault_type) +- [*contexts/failsafe_context*](#contextsfailsafe_context) +- [*contexts/initrc_context*](#contextsinitrc_context) +- [*contexts/lxc_contexts*](#contextslxc_contexts) +- [*contexts/netfilter_contexts* - Obsolete](#contextsnetfilter_contexts---obsolete) +- [*contexts/openrc_contexts*](#contextsopenrc_contexts) +- [*contexts/openssh_contexts*](#contextsopenssh_contexts) +- [*contexts/removable_context*](#contextsremovable_context) +- [*contexts/sepgsql_contexts*](#contextssepgsql_contexts) +- [*contexts/snapperd_contexts*](#contextssnapperd_contexts) +- [*contexts/securetty_types*](#contextssecuretty_types) +- [*contexts/systemd_contexts*](#contextssystemd_contexts) +- [*contexts/userhelper_context*](#contextsuserhelper_context) +- [*contexts/virtual_domain_context*](#contextsvirtual_domain_context) +- [*contexts/virtual_image_context*](#contextsvirtual_image_context) +- [*contexts/x_contexts*](#contextsx_contexts) +- [*contexts/files/file_contexts*](#contextsfilesfile_contexts) +- [*contexts/files/file_contexts.local*](#contextsfilesfile_contexts.local) +- [*contexts/files/file_contexts.homedirs*](#contextsfilesfile_contexts.homedirs) +- [*contexts/files/file_contexts.subs*](#contextsfilesfile_contexts.subs) +- [*contexts/files/file_contexts.subs_dist*](#contextsfilesfile_contexts.subs_dist) +- [*contexts/files/media*](#contextsfilesmedia) +- [*contexts/users/[seuser_id]*](#contextsusersseuser_id) +- [*logins/\*](#loginslinuxuser_id) +- [*users/local.users*](#userslocal.users) Each file discussed in this section is relative to the policy name as follows: 
@@ -52,16 +52,16 @@ For example the simple described in the Notebook examples could run at init 3 (i.e. no X-Windows) and only require the following configuration files: -- *seusers* - For login programs. -- *policy/policy.\* - The binary policy loaded into the kernel. -- *context/files/file_contexts* - To allow the filesystem to be relabeled. +- *seusers* - For login programs. +- *policy/policy.\* - The binary policy loaded into the kernel. +- *context/files/file_contexts* - To allow the filesystem to be relabeled. If the simple policy is to run at init 5, (i.e. with X-Windows) then an additional two files are required: -- *context/dbus_contexts* - To allow the dbus messaging service to run under - SELinux. -- *context/x_contexts* - To allow the X-Windows service to run under SELinux. +- *context/dbus_contexts* - To allow the dbus messaging service to run under + SELinux. +- *context/x_contexts* - To allow the X-Windows service to run under SELinux. ## *seusers* 
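Review bot: the context line at the top of the @@ -52,16 +52,16 hunk, "For example the simple described in the Notebook examples", is missing a word (presumably "the simple policy"); as the list beneath it is being reindented, fixing that sentence here would be cheap. The reindented bullets also name *context/files/file_contexts*, *context/dbus_contexts* and *context/x_contexts*, while the table of contents in the hunk above and the section headings use *contexts/...*; those look like typos of the directory name and are worth correcting in the same formatting pass.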
@@ -70,19 +70,16 @@ The ***seusers**(5)* file is used by login programs (normally via the *user* / *passwd* files) to SELinux users (defined in the policy). A typical login sequence would be: -- Using the GNU / Linux *user_id*, lookup the *seuser_id* from this - file. If an entry cannot be found, then use the *__default__* - entry. -- To determine the remaining context to be used as the security - context, read the - [*contexts/users/[seuser_id]*](#contextsusersseuser_id) - file. If this file is not present, then: -- Check for a default context in the - [*contexts/default_contexts*](#contextsdefault_contexts) - file. If no default context is found, then: -- Read the - [*contexts/failsafe_context*](#contextsfailsafe_context) file - to allow a fail safe context to be set. +- Using the GNU / Linux *user_id*, lookup the *seuser_id* from this + file. If an entry cannot be found, then use the *\_\_default\_\_* entry. +- To determine the remaining context to be used as the security + context, read the [*contexts/users/[seuser_id]*](#contextsusersseuser_id) + file. If this file is not present, then: +- Check for a default context in the + [*contexts/default_contexts*](#contextsdefault_contexts) file. If no default + context is found, then: +- Read the [*contexts/failsafe_context*](#contextsfailsafe_context) file + to allow a fail safe context to be set. Note: The *system_u* user is defined in this file, however there must be **no** *system_u* Linux user configured on the system. @@ -104,8 +101,8 @@ __default__:user_u:s0-s0 **Supporting libselinux API functions are:** -- ***getseuser**(3)* -- ***getseuserbyname**(3)* +- ***getseuser**(3)* +- ***getseuserbyname**(3)* ## *booleans* ## *booleans.local* 
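Review bot: in the first bullet of the @@ -70,19 +70,16 hunk, "lookup the *seuser_id*" uses the noun where a verb is meant; "look up the *seuser_id*" reads correctly. Escaping the underscores as *\_\_default\_\_* is a good fix, since `__default__` inside emphasis markers is otherwise liable to be parsed as bold and rendered without the underscores.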
@@ -120,10 +117,10 @@ file section. For systems that do use these files: -- ***security_set_boolean_list**(3)* - Writes a *boolean.local* file if - flag *permanent* = '*1*'. -- ***security_load_booleans**(3)* - Will look for a *booleans* or - *booleans.local* file here unless a specific path is specified. +- ***security_set_boolean_list**(3)* - Writes a *boolean.local* file if + flag *permanent* = '*1*'. +- ***security_load_booleans**(3)* - Will look for a *booleans* or + *booleans.local* file here unless a specific path is specified. Both files have the same format and contain one or more boolean names. @@ -137,12 +134,12 @@ boolean_name value *boolean_name* -- The name of the boolean. +- The name of the boolean. *value* -- The default setting for the boolean that can be one of the following: - - *true* | *false* | *1* | *0* +- The default setting for the boolean that can be one of the following: + - *true* | *false* | *1* | *0* Note that if *SETLOCALDEFS* is set in the SELinux [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) file, then @@ -172,11 +169,11 @@ policy_bool_name new_name *policy_bool_name* -- The policy boolean name. +- The policy boolean name. *new_name* -- The new boolean name. +- The new boolean name. **Example:** @@ -195,10 +192,10 @@ the name will be looked up and if using the *new_name*, then the Supporting libselinux API functions are: -- ***selinux_booleans_subs_path**(3)* -- ***selinux_booleans_sub**(3)* -- ***security_get_boolean_names**(3)* -- ***security_set_boolean**(3)* +- ***selinux_booleans_subs_path**(3)* +- ***selinux_booleans_sub**(3)* +- ***security_get_boolean_names**(3)* +- ***security_set_boolean**(3)* ## *setrans.conf* 
@@ -254,9 +251,10 @@ Include=/etc/selinux/mls/setrans.d/constraints.conf ``` Supporting libselinux API functions are: -- ***selinux_translations_path**(3)* -- ***selinux_raw_to_trans_context**(3)* -- ***selinux_trans_to_raw_context**(3)* + +- ***selinux_translations_path**(3)* +- ***selinux_raw_to_trans_context**(3)* +- ***selinux_trans_to_raw_context**(3)* ## *secolor.conf* 
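Review bot: adding the blank line before the list in the @@ -254,9 +251,10 hunk brings this block in line with the other API lists in the file, which already have one, but the introductory line is still inconsistent across the file: "Supporting libselinux API functions are:" is bold in the @@ -104 hunk and plain here and in the @@ -195 hunk. A formatting patch is the right place to pick one form and apply it throughout.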
@@ -278,39 +276,39 @@ context_component string fg_color_name bg_color_name *color* -- The color keyword. +- The color keyword. *color_name* -- A descriptive name for the colour (e.g. *red*). +- A descriptive name for the colour (e.g. *red*). *color_mask* -- A colour mask starting with a hash '*#*' that describes the RGB colours - with black being *#000000* and white being *#ffffff*. +- A colour mask starting with a hash '*#*' that describes the RGB colours + with black being *#000000* and white being *#ffffff*. *context_component* -- The colour translation supports different colours on the context string - components (*user*, *role*, *type* and *range*). Each component is on a - separate line. +- The colour translation supports different colours on the context string + components (*user*, *role*, *type* and *range*). Each component is on a + separate line. *string* -- This is the *context_component* string that will be matched with the - *raw* context component passed by ***selinux_raw_context_to_color**(3)*. - A wildcard '*\**' may be used to match any undefined *string* for the - *user*, *role* and *type* *context_component* entries only. +- This is the *context_component* string that will be matched with the + *raw* context component passed by ***selinux_raw_context_to_color**(3)*. + A wildcard '*\**' may be used to match any undefined *string* for the + *user*, *role* and *type* *context_component* entries only. *fg_color_name* -- The *color_name* string that will be used as the foreground colour. - A *color_mask* may also be used. +- The *color_name* string that will be used as the foreground colour. + A *color_mask* may also be used. *bg_color_name* -- The *color_name* string that will be used as the background colour. - A *color_mask* may also be used.

+- The *color_name* string that will be used as the background colour. + A *color_mask* may also be used. **Example file contents:** @@ -337,10 +335,10 @@ range s15:c0.c1023 = black yellow **Supporting libselinux API functions are:** -- ***selinux_colors_path**(3)* -- ***selinux_raw_context_to_color**(3)* - this call returns the foreground - and background colours of the context string as the specified RGB 'colour' - hex digits as follows: +- ***selinux_colors_path**(3)* +- ***selinux_raw_context_to_color**(3)* - this call returns the foreground + and background colours of the context string as the specified RGB 'colour' + hex digits as follows: ``` user : role : type : range @@ -380,9 +378,9 @@ type *type* -- The type defined in the policy that needs to excluded from relabeling. - An example is when a file has been purposely relabeled with a different - type to allow an application to work. +- The type defined in the policy that needs to excluded from relabeling. + An example is when a file has been purposely relabeled with a different + type to allow an application to work. **Example file contents:** @@ -397,9 +395,9 @@ sysadm_untrusted_content_tmp_t **Supporting libselinux API functions are:** -- ***is_context_customizable**(3)* -- ***selinux_customizable_types_path**(3)* -- ***selinux_context_path**(3)* +- ***is_context_customizable**(3)* +- ***selinux_customizable_types_path**(3)* +- ***selinux_context_path**(3)* ## *contexts/default_contexts* 
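Review bot: in the @@ -380,9 +378,9 hunk both the removed and the added text of the *type* description read "needs to excluded from relabeling"; it should be "needs to be excluded". Since those three lines are being rewritten anyway, fix the sentence in this hunk rather than carrying the typo forward.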
@@ -407,14 +405,14 @@ The ***default_contexts**(5)* file is used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where: -1. The GNU / Linux user identity should be known by the application. -2. If a login application, then the SELinux user (seuser), would have - been determined as described in the [*seusers*](#seusers) file - section. -3. The login applications will check the - [*contexts/users/[seuser_id]*](#contextsusersseuser_id) file - first and if no valid entry, will then look in the *[seuser_id]* - file for a default context to use. +1. The GNU / Linux user identity should be known by the application. +2. If a login application, then the SELinux user (seuser), would have + been determined as described in the [*seusers*](#seusers) file + section. +3. The login applications will check the + [*contexts/users/[seuser_id]*](#contextsusersseuser_id) file + first and if no valid entry, will then look in the *[seuser_id]* + file for a default context to use. **The file format is as follows:** 
@@ -426,12 +424,12 @@ role:type[:range] role:type[:range] ... *role:type[:range]* -- The file contains one or more lines that consist of *role:type[:range]* - pairs (including the MLS / MCS *level* or *range* if applicable). - - The entry at the start of a new line corresponds to the partial - *role:type[:range]* context of (generally) the login application. - - The other *role:type[:range]* entries on that line represent an ordered - list of valid contexts that may be used to set the users context. +- The file contains one or more lines that consist of *role:type[:range]* + pairs (including the MLS / MCS *level* or *range* if applicable). +- The entry at the start of a new line corresponds to the partial + *role:type[:range]* context of (generally) the login application. +- The other *role:type[:range]* entries on that line represent an ordered + list of valid contexts that may be used to set the users context. **Example file contents:** 
@@ -449,16 +447,16 @@ system_r:xdm_t:s0 user_r:user_t:s0 Note that the *contexts/users/[seuser_id]* file is also read by some of these functions. -- ***selinux_contexts_path**(3)* -- ***selinux_default_context_path**(3)* -- ***get_default_context**(3)* -- ***get_ordered_context_list**(3)* -- ***get_ordered_context_list_with_level**(3)* -- ***get_default_context_with_level**(3)* -- ***get_default_context_with_role**(3)* -- ***get_default_context_with_rolelevel**(3)* -- ***query_user_context**(3)* -- ***manual_user_enter_context**(3)* +- ***selinux_contexts_path**(3)* +- ***selinux_default_context_path**(3)* +- ***get_default_context**(3)* +- ***get_ordered_context_list**(3)* +- ***get_ordered_context_list_with_level**(3)* +- ***get_default_context_with_level**(3)* +- ***get_default_context_with_role**(3)* +- ***get_default_context_with_rolelevel**(3)* +- ***query_user_context**(3)* +- ***manual_user_enter_context**(3)* An example use in this Notebook (to get over a small feature) is that when the initial **basic policy** was built, no default_contexts file @@ -511,7 +509,7 @@ information at: **Supporting libselinux API function is:** -- ***selinux_context_path**(3)* +- ***selinux_context_path**(3)* ## *contexts/default_type* @@ -528,8 +526,8 @@ role:type *role:type* -- The file contains one or more lines that consist of *role:type* entries. - There should be one line for each role defined within the policy. +- The file contains one or more lines that consist of *role:type* entries. + There should be one line for each role defined within the policy. **Example file contents:** @@ -544,8 +542,8 @@ user_r:user_t **Supporting libselinux API functions are:** -- ***selinux_default_type_path**(3)* -- ***get_default_type**(3)* +- ***selinux_default_type_path**(3)* +- ***get_default_type**(3)* ## *contexts/failsafe_context* 
@@ -563,8 +561,8 @@ role:type[:range] *role:type[:range]* -- A single line that has a valid context to allow an administrator access - to the system, including the MLS / MCS *level* or *range* if applicable. +- A single line that has a valid context to allow an administrator access + to the system, including the MLS / MCS *level* or *range* if applicable. **Example file contents:** @@ -576,14 +574,14 @@ sysadm_r:sysadm_t:s0 **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* -- ***selinux_failsafe_context_path**(3)* -- ***get_default_context**(3)* -- ***get_default_context_with_role**(3)* -- ***get_default_context_with_level**(3)* -- ***get_default_context_with_rolelevel**(3)* -- ***get_ordered_context_list**(3)* -- ***get_ordered_context_list_with_level**(3)* +- ***selinux_context_path**(3)* +- ***selinux_failsafe_context_path**(3)* +- ***get_default_context**(3)* +- ***get_default_context_with_role**(3)* +- ***get_default_context_with_level**(3)* +- ***get_default_context_with_rolelevel**(3)* +- ***get_ordered_context_list**(3)* +- ***get_ordered_context_list_with_level**(3)* ## *contexts/initrc_context* @@ -601,8 +599,8 @@ user:role:type[:range] *user:role:type[:range]* -- The file contains one line that consists of a security context, - including the MLS / MCS *level* or *range* if applicable. +- The file contains one line that consists of a security context, + including the MLS / MCS *level* or *range* if applicable. **Example file contents:** @@ -615,7 +613,7 @@ system_u:system_r:initrc_t:s0-s15:c0.c255 **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* +- ***selinux_context_path**(3)* ## *contexts/lxc_contexts* 
@@ -634,24 +632,24 @@ content = "security_context" *process* -- A single *process* entry that contains the lxc domain security context, - including the MLS / MCS *level* or *range* if applicable. +- A single *process* entry that contains the lxc domain security context, + including the MLS / MCS *level* or *range* if applicable. *file* -- A single *file* entry that contains the lxc file security context, - including the MLS / MCS *level* or *range* if applicable. +- A single *file* entry that contains the lxc file security context, + including the MLS / MCS *level* or *range* if applicable. *content* -- A single *content* entry that contains the lxc content security context, - including the MLS / MCS *level* or *range* if applicable. +- A single *content* entry that contains the lxc content security context, + including the MLS / MCS *level* or *range* if applicable. *sandbox_kvm_process* *sandbox_lxc_process* -- These entries may be present and contain the security context. +- These entries may be present and contain the security context. **Example file contents:** @@ -667,8 +665,8 @@ sandbox_lxc_process = "system_u:system_r:container_t:s0" **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* -- ***selinux_lxc_context_path**(3)* +- ***selinux_context_path**(3)* +- ***selinux_lxc_context_path**(3)* ## *contexts/netfilter_contexts* - Obsolete @@ -677,8 +675,8 @@ matching of network packets - Never been used. **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* -- ***selinux_netfilter_context_path**(3)* +- ***selinux_context_path**(3)* +- ***selinux_netfilter_context_path**(3)* ## *contexts/openrc_contexts* @@ -690,8 +688,8 @@ matching of network packets - Never been used. **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* -- ***selinux_openrc_contexts_path**(3)* +- ***selinux_context_path**(3)* +- ***selinux_openrc_contexts_path**(3)* ## *contexts/openssh_contexts* 
@@ -707,8 +705,8 @@ privsep_preauth=sshd_net_t **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* -- ***selinux_openssh_contexts_path**(3)* +- ***selinux_context_path**(3)* +- ***selinux_openssh_contexts_path**(3)* ## *contexts/removable_context* @@ -726,8 +724,8 @@ user:role:type[:range] *user:role:type[:range]* -- The file contains one line that consists of a security context, - including the MLS / MCS *level* or *range* if applicable. +- The file contains one line that consists of a security context, + including the MLS / MCS *level* or *range* if applicable. **Example file contents:** @@ -737,7 +735,7 @@ system_u:object_r:removable_t:s0 **Supporting libselinux API functions are:** -- ***selinux_removable_context_path**(3)* +- ***selinux_removable_context_path**(3)* ## *contexts/sepgsql_contexts* @@ -754,20 +752,20 @@ object_type object_name context *object_type* -- This is the string representation of the object type. +- This is the string representation of the object type. *object_name* -- These are the object names of the specific database objects. - The entry can contain '*\**' for wildcard matching or '*?*' for - substitution. Note that if the '*\**' is used, then be aware that the order - of entries in the file is important. The '*\**' on its own is used to ensure - a default fallback context is assigned and should be the last entry in the - *object_type* block. +- These are the object names of the specific database objects. + The entry can contain '*\**' for wildcard matching or '*?*' for + substitution. Note that if the '*\**' is used, then be aware that the order + of entries in the file is important. The '*\**' on its own is used to ensure + a default fallback context is assigned and should be the last entry in the + *object_type* block. *context* -- The security *context* that will be applied to the object. +- The security *context* that will be applied to the object. **Example file contents:** 
@@ -792,8 +790,8 @@ snapperd_data = system_u:object_r:snapperd_data_t:s0 **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* -- ***selinux_snapperd_contexts_path**(3)* +- ***selinux_context_path**(3)* +- ***selinux_snapperd_contexts_path**(3)* ## *contexts/securetty_types* @@ -810,7 +808,7 @@ type *type* -- Zero or more type entries that are defined in the policy for tty devices. +- Zero or more type entries that are defined in the policy for tty devices. **Example file contents:** @@ -822,7 +820,7 @@ staff_tty_device_t **Supporting libselinux API functions are:** -- ***selinux_securetty_types_path**(3)* +- ***selinux_securetty_types_path**(3)* ## *contexts/systemd_contexts* @@ -838,13 +836,13 @@ service_class = security_context *service_class* -- One or more entries that relate to the ***systemd**(1)* service (e.g. - runtime, transient). +- One or more entries that relate to the ***systemd**(1)* service (e.g. + runtime, transient). *security_context* -- The security context, including the MLS / MCS *level* or *range* if - applicable of the service to be run. +- The security context, including the MLS / MCS *level* or *range* if + applicable of the service to be run. **Example file contents:** @@ -854,8 +852,8 @@ runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* -- ***selinux_systemd_contexts_path**(3)* +- ***selinux_context_path**(3)* +- ***selinux_systemd_contexts_path**(3)* ## *contexts/userhelper_context* @@ -872,8 +870,8 @@ security_context *security_context* -- The file contains one line that consists of a full security context, - including the MLS / MCS *level* or *range* if applicable. +- The file contains one line that consists of a full security context, + including the MLS / MCS *level* or *range* if applicable. **Example file contents:** 
@@ -883,7 +881,7 @@ system_u:sysadm_r:sysadm_t:s0 **Supporting libselinux API functions are:** -- ***selinux_context_path**(3)* +- ***selinux_context_path**(3)* ## *contexts/virtual_domain_context* @@ -902,7 +900,7 @@ system_u:system_r:svirt_tcg_t:s0 **Supporting libselinux API functions are:** -- ***selinux_virtual_domain_context_path**(3)* +- ***selinux_virtual_domain_context_path**(3)* ## *contexts/virtual_image_context* @@ -921,7 +919,7 @@ system_u:object_r:virt_content_t:s0 **Supporting libselinux API functions are:** -- ***selinux_virtual_image_context_path**(3)* +- ***selinux_virtual_image_context_path**(3)* ## *contexts/x_contexts* 
@@ -943,32 +941,32 @@ selection PRIMARY system_u:object_r:clipboard_xselection_t:s0 *object_type* -- These are types of object supported and valid entries are: *client*, - *property*, *poly_property*, *extension*, *selection*, *poly_selection* - and *events*. +- These are types of object supported and valid entries are: *client*, + *property*, *poly_property*, *extension*, *selection*, *poly_selection* + and *events*. *object_name* -- These are the object names of the specific X-server resource such as - *PRIMARY*, *CUT_BUFFER0* etc. They are generally defined in the X-server - source code (*protocol.txt* and *BuiltInAtoms* in the *dix* directory of - the *xorg-server* source package). This can contain '*\**' for 'any' - or '*?*' for 'substitute' (see the *CUT_BUFFER?* entry where the '*?*' - would be substituted for a number between 0 and 7 that represents the - number of these buffers). +- These are the object names of the specific X-server resource such as + *PRIMARY*, *CUT_BUFFER0* etc. They are generally defined in the X-server + source code (*protocol.txt* and *BuiltInAtoms* in the *dix* directory of + the *xorg-server* source package). This can contain '*\**' for 'any' + or '*?*' for 'substitute' (see the *CUT_BUFFER?* entry where the '*?*' + would be substituted for a number between 0 and 7 that represents the + number of these buffers). *context* -- This is the security context that will be applied to the object. - For MLS/MCS systems there would be the additional MLS label. +- This is the security context that will be applied to the object. + For MLS/MCS systems there would be the additional MLS label. **Supporting libselinux API functions are:** -- ***selinux_x_context_path**(3)* -- ***selabel_open**(3)* -- ***selabel_close**(3)* -- ***selabel_lookup**(3)* -- ***selabel_stats**(3)* +- ***selinux_x_context_path**(3)* +- ***selabel_open**(3)* +- ***selabel_close**(3)* +- ***selabel_lookup**(3)* +- ***selabel_stats**(3)* ## *contexts/files/file_contexts* 
@@ -996,11 +994,11 @@ compatible regular expression (PCRE) internal format. **Supporting libselinux API functions are:** -- ***selinux_file_context_path**(3)* -- ***selabel_open**(3)* -- ***selabel_close**(3)* -- ***selabel_lookup**(3)* -- ***selabel_stats**(3)* +- ***selinux_file_context_path**(3)* +- ***selabel_open**(3)* +- ***selabel_close**(3)* +- ***selabel_lookup**(3)* +- ***selabel_stats**(3)* ## *contexts/files/file_contexts.local* @@ -1011,7 +1009,7 @@ file section to allow locally defined files to be labeled correctly. The **Supporting libselinux API functions are:** -- ***selinux_file_context_local_path**(3)* +- ***selinux_file_context_local_path**(3)* ## *contexts/files/file_contexts.homedirs* @@ -1034,8 +1032,8 @@ Perl compatible regular expression (PCRE) internal format. **Supporting libselinux API functions are:** -- ***selinux_file_context_homedir_path**(3)* -- ***selinux_homedir_context_path**(3)* +- ***selinux_file_context_homedir_path**(3)* +- ***selinux_homedir_context_path**(3)* ## *contexts/files/file_contexts.subs* ## *contexts/files/file_contexts.subs_dist* @@ -1062,11 +1060,11 @@ with */var/www*, with the final result being: **Supporting libselinux API functions are:** -- ***selinux_file_context_subs_path**(3)* -- ***selinux_file_context_subs_dist_path**(3)* -- ***selabel_lookup**(3)* -- ***matchpathcon**(3)* (deprecated) -- ***matchpathcon_index**(3)* (deprecated) +- ***selinux_file_context_subs_path**(3)* +- ***selinux_file_context_subs_dist_path**(3)* +- ***selabel_lookup**(3)* +- ***matchpathcon**(3)* (deprecated) +- ***matchpathcon_index**(3)* (deprecated) ## *contexts/files/media* 
@@ -1085,12 +1083,12 @@ media_id file_context *media_id* -- The media identifier (those known are: cdrom, floppy, disk and usb). +- The media identifier (those known are: cdrom, floppy, disk and usb). *file_context* -- The context to be used for the device. Note that it does not have the - MLS / MCS level). +- The context to be used for the device. Note that it does not have the + MLS / MCS level). **Example file contents:** @@ -1102,7 +1100,7 @@ disk system_u:object_r:fixed_disk_device_t:s0 **Supporting libselinux API functions are:** -- ***selinux_media_context_path**(3)* +- ***selinux_media_context_path**(3)* ## *contexts/users/[seuser_id]* @@ -1131,15 +1129,15 @@ system_r:init_t:s0 unconfined_r:unconfined_t:s0 **Supporting libselinux API functions are:** -- ***selinux_user_contexts_path**(3)* -- ***selinux_users_path**(3)* -- ***selinux_usersconf_path**(3)* -- ***get_default_context**(3)* -- ***get_default_context_with_role**(3)* -- ***get_default_context_with_level**(3)* -- ***get_default_context_with_rolelevel**(3)* -- ***get_ordered_context_list**(3)* -- ***get_ordered_context_list_with_level**(3)* +- ***selinux_user_contexts_path**(3)* +- ***selinux_users_path**(3)* +- ***selinux_usersconf_path**(3)* +- ***get_default_context**(3)* +- ***get_default_context_with_role**(3)* +- ***get_default_context_with_level**(3)* +- ***get_default_context_with_rolelevel**(3)* +- ***get_ordered_context_list**(3)* +- ***get_ordered_context_list_with_level**(3)* ## *logins/\* @@ -1168,11 +1166,11 @@ service_name:seuser_id:level *service_name* -- The name of the service. +- The name of the service. *seuser_id* -- The SELinux user name. +- The SELinux user name. *level* 
@@ -1188,7 +1186,7 @@ another_service:unconfined_u:s0 **Supporting libselinux API functions are:** -- ***getseuser**(3)* +- ***getseuser**(3)* ## *users/local.users* From patchwork Wed Sep 9 13:30:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11829637
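Review bot: the `-` and `+` lines of the @@ -278,39 +276,39 @@ hunk (and of every later hunk in this patch) read identically once whitespace is ignored, so the change should be indentation only; please confirm with `git diff -w` that no wording changed, because a whitespace-collapsed view like this one cannot show the difference.

Review bot: the reindented line in the @@ -380,9 +378,9 @@ hunk keeps a pre-existing grammar slip, `+- The type defined in the policy that needs to excluded from relabeling.`; since the line is being rewritten anyway, make it `needs to be excluded from relabeling`.

Review bot: in the @@ -426,12 +424,12 @@ hunk the last bullet still ends `list of valid contexts that may be used to set the users context.`; `users` should be the possessive `user's` while the line is being touched.

Review bot: the @@ -1085,12 +1083,12 @@ hunk carries over an unbalanced parenthesis in `+- The context to be used for the device. Note that it does not have the` / `+ MLS / MCS level).`; drop the trailing `)` (or open one before `Note`) as part of this reformat.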
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 05/22] policy_validation_example: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:22 +0100 Message-Id: <20200909133039.44498-6-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/policy_validation_example.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/policy_validation_example.md b/src/policy_validation_example.md index 8b7513f..222d216 100644 --- a/src/policy_validation_example.md +++ b/src/policy_validation_example.md 
@@ -1,7 +1,8 @@ # Appendix E - Policy Validation Example This example has been taken from -[**http://selinuxproject.org/page/PolicyValidate**](http://selinuxproject.org/page/PolicyValidate) just in case the site is removed some day. +[**http://selinuxproject.org/page/PolicyValidate**](http://selinuxproject.org/page/PolicyValidate) +just in case the site is removed some day. ***libsemanage(8)*** is the library responsible for building a kernel policy from policy modules. It has many features but one that is rarely From patchwork Wed Sep 9 13:30:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11768977
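Review bot: the wrapped link in the @@ -1,7 +1,8 @@ hunk still uses `[**http://selinuxproject.org/page/PolicyValidate**](http://selinuxproject.org/page/PolicyValidate)`, bold markup around link text that is the same string as the target; a bare `<http://selinuxproject.org/page/PolicyValidate>` autolink would be shorter and matches the bold-stripping this series applies to the postgresql.md table of contents.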
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 06/22] postgresql: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:23 +0100 Message-Id: <20200909133039.44498-7-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/postgresql.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/src/postgresql.md b/src/postgresql.md index 8e69f3f..595a594 100644 --- a/src/postgresql.md +++ b/src/postgresql.md @@ -1,12 +1,12 @@ # PostgreSQL SELinux Support -- [**sepgsql Overview**](#sepgsql-overview) -- [**Installing SE-PostgreSQL**](#installing-se-postgresql) -- [***SECURITY LABEL* SQL Command**](#security-label-sql-command) -- [**Additional SQL Functions**](#additional-sql-functions) -- [***postgresql.conf* Entries**](#postgresql.conf-entries) -- [**Logging Security Events**](#logging-security-events) -- [**Internal Tables**](#internal-tables) +- [sepgsql Overview](#sepgsql-overview) +- [Installing SE-PostgreSQL](#installing-se-postgresql) +- [*SECURITY LABEL* SQL Command](#security-label-sql-command) +- [Additional SQL Functions](#additional-sql-functions) +- [*postgresql.conf* Entries](#postgresql.conf-entries) +- [Logging Security Events](#logging-security-events) +- [Internal Tables](#internal-tables) This section gives an overview of PostgreSQL version 11.x with the *sepgsql* extension to support SELinux. It assumes some basic knowledge 
@@ -144,14 +144,13 @@ by the *sepgsql.sql* script. If the parameter is NULL, then the default The *postgresql.conf* file supports the following additional entries to enable and manage SE-PostgreSQL: -1. This entry is mandatory to enable the *sepgsql* extension to be - loaded: +- This entry is mandatory to enable the *sepgsql* extension to be loaded: ``` shared_preload_libraries = 'sepgsql' ``` -2. These entries are optional and default to '*off*'. +- These entries are optional and default to '*off*'. ``` # This enables sepgsql to always run in permissive mode: From patchwork Wed Sep 9 13:30:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11769223
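Review bot: in the @@ -144,14 +144,13 @@ hunk the fenced block holding `shared_preload_libraries = 'sepgsql'` directly follows the new `- This entry is mandatory to enable the *sepgsql* extension to be loaded:` bullet; unless that fence is indented under the bullet, CommonMark closes the list item at the fence and the second `- These entries are optional` bullet starts a fresh list, so either indent both fences by the bullet width or drop the list markers for these two entries.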
Received: from localhost.localdomain (86.154.154.133) by re-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9C2FD10134DD1; Wed, 9 Sep 2020 14:30:46
+0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 07/22] security_context: Convert to markdown Date: Wed, 9 Sep 2020 14:30:24 +0100 Message-Id: <20200909133039.44498-8-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/security_context.md | 83 ++++++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 38 deletions(-) diff --git a/src/security_context.md b/src/security_context.md index 3ca93a2..cb0fc4a 100644 --- a/src/security_context.md +++ b/src/security_context.md @@ -20,47 +20,50 @@ user:role:type[:range] **Where:** - - - - - - - - - - - - - - - - - - - -
userThe SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.
roleThe SELinux role. This can be associated to one or more types the SELinux user is allowed to access.
type

When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access.

-

When a type is associated with an object, it defines what access permissions the SELinux user has to that object.

range

This field can also be know as a level and is only present if the policy supports MCS or MLS. The entry can consist of: -

A single security level that contains a sensitivity level and zero or more categories (e.g. s0, s1:c0, s7:c10.c15).

-

A range that consists of two security levels (a low and high) separated by a hyphen (e.g. s0 - s15:c0.c1023).

-

These components are discussed in the Security Levels section.

+*user* + +- The SELinux user identity. This can be associated to one or more roles + that the SELinux user is allowed to use. + +*role* + +- The SELinux role. This can be associated to one or more types the SELinux + user is allowed to access. + +*type* + +- When a type is associated with a process, it defines what processes + (or domains) the SELinux user (the subject) can access. + When a type is associated with an object, it defines what access + permissions the SELinux user has to that object. + +*range* + +- This field can also be know as a *level* and is only present if the policy + supports MCS or MLS. The entry can consist of: + - A single security level that contains a sensitivity level and zero + or more categories (e.g. *s0*, *s1:c0*, *s7:c10.c15*). + - A range that consists of two security levels (a low and high) separated + by a hyphen (e.g. *s0 - s15:c0.c1023*). +- These components are discussed in the + [**Security Levels**]( mls_mcs.md#security-levels) section. However note that: -1. Access decisions regarding a subject make use of all the components - of the **security context**. -2. Access decisions regarding an object make use of the components as - follows: - 1. the user is either set to a special user called system_u or it - is set to the SELinux user id of the creating process. It is - possible to add constraints on users within policy based on - their object class (an example of this is the Reference Policy - UBAC (User Based Access Control) option. - 2. the role is generally set to a special SELinux internal role of - 'object_r`, although policy version 26 with kernel 2.6.39 and - above do support role transitions on any object class. It is - then possible to add constraints on the role within policy - based on their object class. +1. Access decisions regarding a subject make use of all the components + of the **security context**. +2. Access decisions regarding an object make use of the components as + follows: + 1. 
the user is either set to a special user called *system_u*[^fn_sc_1] + or it is set to the SELinux user id of the creating process. It is + possible to add constraints on users within policy based on + their object class (an example of this is the Reference Policy + UBAC (User Based Access Control) option. + 2. the role is generally set to a special SELinux internal role of + *object_r*, although policy version 26 with kernel 2.6.39 and + above do support role transitions on any object class. It is + then possible to add constraints on the role within policy + based on their object class. The [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) section decribes how SELinux computes the security context components based 
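Review bot: two text defects from the HTML version are carried into the rewritten *range* and *user* items of this hunk and should be fixed while the text is being retyped: "This field can also be know as a *level*" should read "known as", and the *system_u* sub-item "(an example of this is the Reference Policy UBAC (User Based Access Control) option." never closes its outer parenthesis. The *range* link `[**Security Levels**]( mls_mcs.md#security-levels)` also has a stray space after the opening parenthesis; most renderers tolerate it, but it is inconsistent with the other links in the hunk such as `[**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts)`, so drop it. Finally, the *type* bullet folds the two sentences that were separate paragraphs in the old table into one; a second bullet or a line break would keep the process/object distinction visible.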
@@ -116,6 +119,10 @@ unconfined_u:object_r:out_file_t Message-11 # (see the process example above). The role remained as object_r. ``` +[^fn_sc_1]: The user *system_u* name is not mandatory, it is used to signify +a special user in the Reference Policy. It is also used in some SELinux +utilities. + ---

From patchwork Wed Sep 9 13:30:25 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11767125
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 08/22] selinux_cmds: Convert to markdown Date: Wed, 9 Sep 2020 14:30:25 +0100 Message-Id: <20200909133039.44498-9-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/selinux_cmds.md | 256 +++++++++++++++++++------------------------- 1 file changed, 112 insertions(+), 144 deletions(-) diff --git a/src/selinux_cmds.md b/src/selinux_cmds.md index 918d4c1..1b68771 100644 --- a/src/selinux_cmds.md +++ b/src/selinux_cmds.md @@ -7,150 +7,118 @@ has a page that details all the available tools and commands at: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CommandMan PagePurpose
audit2allow1Generates policy allow rules from the audit.log file.
audit2why8Describes audit.log messages and why access was denied.
avcstat8Displays the AVC statistics.
chcat8Change or remove a catergory from a file or user.
chcon1Changes the security context of a file.
checkmodule8Compiles base and loadable modules from source.
checkpolicy8Compiles a monolithic policy from source.
fixfiles8Update / correct the security context of for filesystems that use extended attributes.
genhomedircon8Generates file configuration entries for users home directories. This command has also been built into semanage(8), therefore when using the policy store / loadable modules this does not need to be used.
getenforce1Shows the current enforcement state.
getsebool8Shows the state of the booleans.
load_policy8Loads a new policy into the kernel. Not required when using semanage(8) / semodule(8) commands.
matchpathcon8Show a files path and security context.
newrole1Allows users to change roles - runs a new shell with the new security context.
restorecon8Sets the security context on one or more files.
run_init8Runs an init script under the correct context.
runcon1Runs a command with the specified context.
selinuxenabled 1Shows whether SELinux is enabled or not.
semanage8Used to configure various areas of a policy within a policy store.
semodule8Used to manage the installation, upgrading etc. of policy modules.
semodule_expand8Manually expand a base policy package into a kernel binary policy file.
semodule_link 8Manually link a set of module packages.
semodule_package8Create a module package with various configuration files (file context etc.)
sestatus8Show the current status of SELinux and the loaded policy.
setenforce1Sets / unsets enforcement mode.
setfiles8Initialise the extended attributes of filesystems.
setsebool8Sets the state of a boolean to on or off persistently across reboots or for this session only.
+***audit2allow**(1)* + +Generates policy allow rules from an audit log file. + +***audit2why**(8)* + +Describes audit log messages and why access was denied. + +***avcstat**(8)* + +Displays the AVC statistics. + +***chcat**(8)* + +Change or remove a catergory from a file or user. + +***chcon**(1)* + +Changes the security context of a file. + +***checkmodule**(8)* + +Compiles base and loadable modules from source. + +***checkpolicy**(8)* + +Compiles a monolithic policy from source. + +***fixfiles**(8)* + +Update / correct the security context of for filesystems that use extended +attributes. + +***genhomedircon**(8)* + +Generates file configuration entries for users home directories. +This command has also been built into ***semanage**(8)*, therefore when using +the policy store / loadable modules this does not need to be used. + +***getenforce**(1)* + +Shows the current enforcement state. + +***getsebool**(8)* + +Shows the state of the booleans. + +***load_policy**(8)* + +Loads a new policy into the kernel. Not required when using ***semanage**(8)* / +***semodule**(8)* commands. + +***matchpathcon**(8)* + +Show a files path and security context. + +***newrole**(1)* + +Allows users to change roles - runs a new shell with the new security context. + +***restorecon**(8)* + +Sets the security context on one or more files. + +***run_init**(8)* + +Runs an *init* script under the correct context. + +***runcon**(1)* + +Runs a command with the specified context. + +***selinuxenabled**(1)* + +Shows whether SELinux is enabled or not. + +***semanage**(8)* + +Used to configure various areas of a policy within a policy store. + +***semodule**(8)* + +Used to manage the installation, upgrading etc. of policy modules. + +***semodule_expand**(8)* + +Manually expand a base policy package into a kernel binary policy file. + +***semodule_link**(8)* + +Manually link a set of module packages. 
+ +***semodule_package**(8)* + +Create a module package with various configuration files (file context etc.) + +***sestatus**(8)* + +Show the current status of SELinux and the loaded policy. + +***setenforce**(1)* + +Sets / unsets enforcement mode. + +***setfiles**(8)* + +Initialise the extended attributes of filesystems. + +***setsebool**(8)* + +Sets the state of a boolean to on or off persistently across reboots or for +this session only.

From patchwork Wed Sep 9 13:30:26 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11767599
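Review bot: several typos are copied unchanged from the old table into the rewritten command descriptions in the selinux_cmds.md hunk above and should be fixed now that every entry is being retyped: the `chcat` entry has "catergory" for "category", the `fixfiles` entry reads "the security context of for filesystems" (drop "of"), the `matchpathcon` entry has "Show a files path" for "a file's path", and the `genhomedircon` entry has "users home directories" for "users' home directories". The `audit2allow` and `audit2why` entries also change "the audit.log file" to "an audit log file"; that is a wording change rather than a pure markdown conversion, so it is worth a sentence in the commit message.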
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 09/22] selinux_overview: Convert to markdown Date: Wed, 9 Sep 2020 14:30:26 +0100 Message-Id: <20200909133039.44498-10-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/selinux_overview.md | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/src/selinux_overview.md b/src/selinux_overview.md index a71b762..33f00eb 100644 --- a/src/selinux_overview.md +++ b/src/selinux_overview.md @@ -14,34 +14,11 @@ Note: When SELinux is installed, there are three well defined directory locations referenced. Two of these will change with the old and new locations as follows: - - - - - - - - - - - - - - - - - - - - - - - -
DescriptionOld LocationNew Location

The SELinux filesystem that interfaces with the kernel based security server.

-

The new location has been available since Fedora 17.

/selinux/sys/fs/selinux
The SELinux configuration directory that holds the sub-system configuration files and policies./etc/selinuxNo change

The SELinux policy store that holds policy modules and configuration details.

-

The new location has been available since Fedora 23.

/etc/selinux/

-

<SELINUXTYPE>/module

/var/lib/selinux/

-

<SELINUXTYPE>

+| Description | Old Location | New Location | +| :--------- | :----------- | :----------- | +The SELinux filesystem that interfaces with the kernel based security server. The new location has been available since Fedora 17. | */selinux* | */sys/fs/selinux* | +| The SELinux configuration directory that holds the sub-system configuration files and policies. | */etc/selinux* | No change | +| The SELinux policy store that holds policy modules and configuration details. The new location has been available since Fedora 23. | */etc/selinux/\/module* | */var/lib/selinux/\* | ## Is SELinux useful

From patchwork Wed Sep 9 13:30:27 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11834347
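Review bot: the first data row of the new table in the selinux_overview.md hunk above, `+The SELinux filesystem that interfaces ...`, lacks the leading `|` that the other two rows have; add it so every row is parsed the same way. The policy store location cells read `*/etc/selinux/\/module*` and `*/var/lib/selinux/\*` as the patch appears here, whereas the old table showed `<SELINUXTYPE>/module` and `<SELINUXTYPE>`; check that the `<SELINUXTYPE>` placeholder survives the conversion (the angle brackets need escaping in markdown, for example `\<SELINUXTYPE\>`), since without it the table no longer names the per-policy-type directory.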
From: Richard Haines
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines
Subject: [PATCH 10/22] sid_statement: Convert to markdown
Date: Wed, 9 Sep 2020 14:30:27 +0100
Message-Id: <20200909133039.44498-11-richard_c_haines@btinternet.com>
In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com>
References: <20200909133039.44498-1-richard_c_haines@btinternet.com>

Signed-off-by: Richard Haines
---
 src/sid_statement.md | 119 ++++++++++++++++--------------------------
 1 file changed, 43 insertions(+), 76 deletions(-)

diff --git a/src/sid_statement.md b/src/sid_statement.md
index 07feb2c..7d6bfcd 100644
--- a/src/sid_statement.md
+++ b/src/sid_statement.md
@@ -1,5 +1,8 @@ # Security ID (SID) Statement +- [*sid*](#sid) +- [*sid context*](#sid-context) + There are two *sid* statements, the first one declares the actual *sid* identifier and is defined at the start of a policy source file. The second statement is used to associate an initial security context to the @@ -20,45 +20,27 @@ sid sid_id **Where:** - - - - - - - - - - - -
sidThe sid keyword.
sid_idThe sid identifier.
+*sid* + +The *sid* keyword. + +*sid_id* + +The *sid* identifier. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** @@ -86,49 +71,31 @@ sid sid_id context **Where:** - - - - - - - - - - - - - - - -
sidThe sid keyword.
sid_idThe previously declared sid identifier.
contextThe initial security context.
+*sid* + +The *sid* keyword. + +*sid_id* + +The previously declared *sid* identifier. + +*context* + +The initial security context. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Examples:**

From patchwork Wed Sep 9 13:30:28 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11767121
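Review bot: the two TOC entries added at the top of the sid_statement.md hunk, `+- [*sid*](#sid)` and `+- [*sid context*](#sid-context)`, assume the file's section headings generate the anchors `#sid` and `#sid-context`; those headings are outside the hunk, so confirm the generated ids match before merging. The table captions "Policy Type" and "Conditional Policy Statements" are added as bare text lines in both "valid in" blocks; giving them the same bold style as "**The statement is valid in:**" would keep each block visually grouped, and since the pattern is repeated for the *sid context* statement further down, both occurrences should change together.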
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 11/22] subjects: Convert to markdown Date: Wed, 9 Sep 2020 14:30:28 +0100 Message-Id: <20200909133039.44498-12-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/subjects.md | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/src/subjects.md b/src/subjects.md index 4f677cb..bc7a89a 100644 --- a/src/subjects.md +++ b/src/subjects.md @@ -9,13 +9,13 @@ Within SELinux a subject is an active process and has a it, however a process can also be referred to as an object depending on the context in which it is being taken, for example: -1. A running process (i.e. an active entity) is a subject because it - causes information to flow among objects or can change the system - state. -2. The process can also be referred to as an object because each - process has an associated object class1 - called '**process**'. This process 'object', defines what permissions the - policy is allowed to grant or deny on the active process. +1. A running process (i.e. an active entity) is a subject because it + causes information to flow among objects or can change the system + state. +2. The process can also be referred to as an object because each + process has an associated object class[^fn_sub_1] + called ***process***. This process 'object', defines what permissions the + policy is allowed to grant or deny on the active process. An example is given of the above scenarios in the [**Allowing a Process Access to Resources**](objects.md#allowing-a-process-access-to-resources) @@ -37,11 +37,8 @@ under *semanage_t*). **Untrusted** - Everything else. -
-
    -
  1. The object class and its associated permissions are explained in the Appendix A - Object Classes and Permissions - Process Object Class section.

  2. -
-
+[^fn_sub_1]: The object class and its associated permissions are explained in +[**Appendix A - Object Classes and Permissions - Process Object Class**](object_classes_permissions.md#process-object-class)

From patchwork Wed Sep 9 13:30:29 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11769023
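Review bot: the new footnote `[^fn_sub_1]` in the subjects.md hunk above drops the word "section" and the full stop that the old footnote text ended with ("... Process Object Class section."), so the sentence now ends on the bare link; append "section." after the link. Also confirm that object_classes_permissions.md has a heading that yields the `#process-object-class` anchor, since the old footnote was plain text and did not depend on one.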
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 12/22] toc: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:29 +0100 Message-Id: <20200909133039.44498-13-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/toc.md | 120 ++++++++++++++++++++++++++--------------------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/src/toc.md b/src/toc.md index d7a4a72..d915b42 100644 --- a/src/toc.md +++ b/src/toc.md 
@@ -1,65 +1,65 @@ ## Table of Contents -- [Abbreviations and Terminology](terminology.md#abbreviations-and-terminology) -- [SELinux Overview](selinux_overview.md#selinux-overview) -- [Core Components](core_components.md#core-selinux-components) -- [Mandatory Access Control (MAC)](mac.md#mandatory-access-control) -- [SELinux Users](users.md#selinux-users) -- [Role-Based Access Control (RBAC)](rbac.md#role-based-access-control) -- [Type Enforcement (TE)](type_enforcement.md#type-enforcement) -- [Security Context](security_context.md#security-context) -- [Subjects](subjects.md#subjects) -- [Objects](objects.md#objects) -- [Computing Security Contexts](computing_security_contexts.md#computing-security-contexts) -- [Computing Access Decisions](computing_access_decisions.md#computing-access-decisions) -- [Domain and Object Transitions](domain_object_transitions.md#domain-and-object-transitions) -- [Multi-Level and Multi-Category Security](mls_mcs.md#multi-level-and-multi-category-security) -- [Types of SELinux Policy](types_of_policy.md#types-of-selinux-policy) -- [Permissive and Enforcing Modes](modes.md#selinux-permissive-and-enforcing-modes) -- [Auditing Events](auditing.md#auditing-selinux-events) -- [Polyinstantiation Support](polyinstantiation.md#polyinstantiation-support) -- [PAM Login Process](pam_login.md#pam-login-process) -- [Linux Security Module and SELinux](lsm_selinux.md#linux-security-module-and-selinux) -- [Userspace Libraries](userspace_libraries.md#selinux-userspace-libraries) -- [Networking Support](network_support.md#selinux-networking-support) -- [Virtual Machine Support](vm_support.md#selinux-virtual-machine-support) -- [X-Windows Support](x_windows.md#x-windows-selinux-support) -- [SE-PostgreSQL Support](postgresql.md#postgresql-selinux-support) -- [Apache-Plus Support](apache_support.md#apache-selinux-support) -- [SELinux Configuration Files](configuration_files.md#selinux-configuration-files) - - [Global Configuration 
Files](global_config_files.md#global-configuration-files) - - [Policy Store Configuration Files](policy_store_config_files.md#policy-store-configuration-files) - - [Policy Configuration Files](policy_config_files.md#policy-configuration-files) -- [SELinux Policy Languages](policy_languages.md#the-selinux-policy-languages) - - [CIL Policy Language](cil_overview.md#cil-overview) - - [CIL Reference Guide](notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) - - [Kernel Policy Language](kernel_policy_language.md#kernel-policy-language) - - [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements) - - [Default Rules](default_rules.md#default-object-rules) - - [User Statements](user_statements.md#user-statements) - - [Role Statements](role_statements.md#role-statements) - - [Type Statements](type_statements.md#type-statements) - - [Bounds Rules](bounds_rules.md#bounds-rules) - - [Access Vector Rules](avc_rules.md#access-vector-rules) - - [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules) - - [Object Class and Permission Statements](class_permission_statements.md#object-class-and-permission-statements) - - [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements) - - [Constraint Statements](constraint_statements.md#constraint-statements) - - [MLS Statements](mls_statements.md#mls-statements) - - [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement) - - [File System Labeling Statements](file_labeling_statements.md#file-system-labeling-statements) - - [Network Labeling Statements](network_statements.md#network-labeling-statements) - - [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements) - - [XEN Statements](xen_statements.md#xen-statements) - - [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements) -- [The Reference Policy](reference_policy.md#the-reference-policy) -- 
[Implementing SELinux-aware Applications](implementing_seaware_apps.md#implementing-selinux-aware-applications) -- [SE for Android](seandroid.md#security-enhancements-for-android) -- [Appendix A - Object Classes and Permissions](object_classes_permissions.md#appendix-a---object-classes-and-permissions) -- [Appendix B - *libselinux* API Summary](libselinux_functions.md#appendix-b---libselinux-api-summary) -- [Appendix C - SELinux Commands](selinux_cmds.md#appendix-c---selinux-commands) -- [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips) -- [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example) +- [Abbreviations and Terminology](terminology.md#abbreviations-and-terminology) +- [SELinux Overview](selinux_overview.md#selinux-overview) +- [Core Components](core_components.md#core-selinux-components) +- [Mandatory Access Control (MAC)](mac.md#mandatory-access-control) +- [SELinux Users](users.md#selinux-users) +- [Role-Based Access Control (RBAC)](rbac.md#role-based-access-control) +- [Type Enforcement (TE)](type_enforcement.md#type-enforcement) +- [Security Context](security_context.md#security-context) +- [Subjects](subjects.md#subjects) +- [Objects](objects.md#objects) +- [Computing Security Contexts](computing_security_contexts.md#computing-security-contexts) +- [Computing Access Decisions](computing_access_decisions.md#computing-access-decisions) +- [Domain and Object Transitions](domain_object_transitions.md#domain-and-object-transitions) +- [Multi-Level and Multi-Category Security](mls_mcs.md#multi-level-and-multi-category-security) +- [Types of SELinux Policy](types_of_policy.md#types-of-selinux-policy) +- [Permissive and Enforcing Modes](modes.md#selinux-permissive-and-enforcing-modes) +- [Auditing Events](auditing.md#auditing-selinux-events) +- [Polyinstantiation Support](polyinstantiation.md#polyinstantiation-support) +- [PAM Login 
Process](pam_login.md#pam-login-process) +- [Linux Security Module and SELinux](lsm_selinux.md#linux-security-module-and-selinux) +- [Userspace Libraries](userspace_libraries.md#selinux-userspace-libraries) +- [Networking Support](network_support.md#selinux-networking-support) +- [Virtual Machine Support](vm_support.md#selinux-virtual-machine-support) +- [X-Windows Support](x_windows.md#x-windows-selinux-support) +- [SE-PostgreSQL Support](postgresql.md#postgresql-selinux-support) +- [Apache-Plus Support](apache_support.md#apache-selinux-support) +- [SELinux Configuration Files](configuration_files.md#selinux-configuration-files) + - [Global Configuration Files](global_config_files.md#global-configuration-files) + - [Policy Store Configuration Files](policy_store_config_files.md#policy-store-configuration-files) + - [Policy Configuration Files](policy_config_files.md#policy-configuration-files) +- [SELinux Policy Languages](policy_languages.md#the-selinux-policy-languages) + - [CIL Policy Language](cil_overview.md#cil-overview) + - [CIL Reference Guide](notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) + - [Kernel Policy Language](kernel_policy_language.md#kernel-policy-language) + - [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements) + - [Default Rules](default_rules.md#default-object-rules) + - [User Statements](user_statements.md#user-statements) + - [Role Statements](role_statements.md#role-statements) + - [Type Statements](type_statements.md#type-statements) + - [Bounds Rules](bounds_rules.md#bounds-rules) + - [Access Vector Rules](avc_rules.md#access-vector-rules) + - [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules) + - [Object Class and Permission Statements](class_permission_statements.md#object-class-and-permission-statements) + - [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements) + - [Constraint 
Statements](constraint_statements.md#constraint-statements) + - [MLS Statements](mls_statements.md#mls-statements) + - [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement) + - [File System Labeling Statements](file_labeling_statements.md#file-system-labeling-statements) + - [Network Labeling Statements](network_statements.md#network-labeling-statements) + - [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements) + - [XEN Statements](xen_statements.md#xen-statements) + - [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements) +- [The Reference Policy](reference_policy.md#the-reference-policy) +- [Implementing SELinux-aware Applications](implementing_seaware_apps.md#implementing-selinux-aware-applications) +- [SE for Android](seandroid.md#security-enhancements-for-android) +- [Appendix A - Object Classes and Permissions](object_classes_permissions.md#appendix-a---object-classes-and-permissions) +- [Appendix B - *libselinux* API Summary](libselinux_functions.md#appendix-b---libselinux-api-summary) +- [Appendix C - SELinux Commands](selinux_cmds.md#appendix-c---selinux-commands) +- [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips) +- [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example) From patchwork Wed Sep 9 13:30:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11769159 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3F77559D for ; Thu, 10 Sep 2020 20:37:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E720321D90 for ; Thu, 10 Sep 2020 20:37:28 +0000 (UTC) 
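Review bot: every one of the 60 removed lines in this hunk (@@ -1,65 +1,65 @@) reappears verbatim among the '+' lines, so the change is whitespace-only (trailing spaces or indentation) and the subject "Tidy up formatting" does not say which; state what was normalised in the commit message so a reviewer can confirm it with "git diff -w" (which should then show an empty diff) instead of reading 120 lines of TOC.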
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 13/22] type_enforcement: Convert to markdown Date: Wed, 9 Sep 2020 14:30:30 +0100 Message-Id: <20200909133039.44498-14-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown.
Signed-off-by: Richard Haines --- src/type_enforcement.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/type_enforcement.md b/src/type_enforcement.md index d8d08be..bfd75b8 100644 --- a/src/type_enforcement.md +++ b/src/type_enforcement.md @@ -1,5 +1,8 @@ # Type Enforcement +- [Constraints](#constraints) +- [Bounds](#bounds) + SELinux makes use of a specific style of type enforcement (TE) to enforce mandatory access control. For SELinux it means that all [**subjects**](subjects.md#subjects) and [**objects**](objects.md#objects) @@ -17,7 +20,7 @@ server, enforce policy via the object managers. Because the *type* identifier (or just 'type') is associated to all subjects and objects, it can sometimes be difficult to distinguish what the type is actually associated with (it's not helped by the fact that -by convention, type identifiers end in *_t*). In the end it comes down +by convention, type identifiers end in *\_t*). In the end it comes down to understanding how they are allocated in the policy itself and how they are used by SELinux services (although CIL policies with namespaces do help in that a domain process 'type' could be declared as @@ -33,7 +36,7 @@ While SELinux refers to a subject as being an active process that is associated to a domain type, the scope of an SELinux type enforcement domain can vary widely. For example in the simple [**Kernel policy**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt) -in the notebook-examples, all the processes on the system run in the +in the *notebook-examples*, all the processes on the system run in the *unconfined_t* domain, therefore every process is 'of type *unconfined_t*' (that means it can do whatever it likes within the limits of the standard Linux DAC policy as all access is allowed by 
@@ -49,7 +52,7 @@ where the majority of user space processes run under the *unconfined_t* domain. The SELinux type is the third component of a 'security context' and by -convention SELinux types end in *_t*, however this is not enforced by +convention SELinux types end in *\_t*, however this is not enforced by any SELinux service (i.e. it is only used to identify the type component), although as explained above CIL with namespaces does make identification of types easier. From patchwork Wed Sep 9 13:30:31 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11819827 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 01141618 for ; Wed, 7 Oct 2020 06:50:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C6F55207EA for ; Wed, 7 Oct 2020 06:50:02 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="swZI4/bK" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726771AbgJGGuC (ORCPT ); Wed, 7 Oct 2020 02:50:02 -0400 Received: from mailomta22-re.btinternet.com ([213.120.69.115]:53107 "EHLO re-prd-fep-047.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725970AbgJGGuC (ORCPT ); Wed, 7 Oct 2020 02:50:02 -0400 Received: from re-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.54.6]) by re-prd-fep-045.btinternet.com with ESMTP id <20200909133047.LPHR4080.re-prd-fep-045.btinternet.com@re-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 9 Sep 2020 14:30:47 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599658247; bh=Q2sy49vY9OWzdQFitOviWWg3p8dZ6dI4unF7PXhsrlE=; 
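Review bot: the TOC added in the first hunk (@@ -1,5 +1,8 @@) links to "#constraints" and "#bounds", but the headings those anchors are generated from lie outside the hunk context; confirm that headings titled exactly "Constraints" and "Bounds" exist later in src/type_enforcement.md, since a stale anchor gives a silently dead link rather than a build error.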
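Review bot: escaping the underscore in "*\_t*" (hunks @@ -17,7 +20,7 @@ and @@ -49,7 +52,7 @@) is the right fix, because an underscore directly inside "*...*" can be read as an emphasis delimiter by some Markdown parsers; the same two hunks, however, leave "*unconfined_t*" in their context lines unescaped, which is fine for intraword underscores in GitHub-flavoured Markdown but not for every renderer, so it is worth checking the notebook's renderer on one such identifier before the rest of the series relies on the convention.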
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 14/22] type_statements: Add toc, tidy up formatting Date: Wed, 9 Sep 2020 14:30:31 +0100 Message-Id: <20200909133039.44498-15-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/type_statements.md | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/src/type_statements.md b/src/type_statements.md index b947fdd..0d7f137 100644 --- a/src/type_statements.md +++ b/src/type_statements.md @@ -1,7 +1,17 @@ # Type Statements +- [*type*](#type) +- [*attribute*](#attribute) +- [*expandattribute*](#expandattribute) +- [*typeattribute*](#typeattribute) +- [*typealias*](#typealias) +- [*permissive*](#permissive) +- [*type_transition*](#type_transition) +- [*type_change*](#type_change) +- [*type_member*](#type_member) + These statements share the same namespace, therefore the general -convention is to use *_t* as the final two characters of a type +convention is to use *\_t* as the final two characters of a *type* identifier to differentiate it from an attribute identifier as shown in the following examples: @@ -62,7 +72,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | Yes | Yes | 
@@ -152,7 +162,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | Yes | Yes | @@ -210,7 +220,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | Yes | Yes | No | @@ -263,7 +273,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | Yes | No | @@ -304,7 +314,7 @@ typeattribute setroubleshootd_exec_t file_type, non_security_file_type; The *typealias* statement allows the association of a previously declared *type* to one or more *alias* identifiers (an alternative way is to use the -*type* statement. +*type* statement). **The statement definition is:** @@ -341,7 +351,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | Yes | No | @@ -402,7 +412,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | Yes | No | 
@@ -500,7 +510,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | Yes | Yes | No | @@ -606,6 +616,7 @@ One or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'. *change_type* + A single *type* or *typealias* identifier that will become the new *type*. **The statement is valid in:** @@ -618,7 +629,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | Yes | Yes | No | 
@@ -691,7 +702,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | Yes | Yes | No | From patchwork Wed Sep 9 13:30:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11767725 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A880C92C for ; Thu, 10 Sep 2020 12:16:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5897B2074B for ; Thu, 10 Sep 2020 12:16:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="fO8RbJ0p" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730252AbgIJMPq (ORCPT ); Thu, 10 Sep 2020 08:15:46 -0400 Received: from mailomta28-re.btinternet.com ([213.120.69.121]:54945 "EHLO re-prd-fep-045.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730408AbgIJMNr (ORCPT ); Thu, 10 Sep 2020 08:13:47 -0400 Received: from re-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.54.6]) by re-prd-fep-043.btinternet.com with ESMTP id <20200909133048.EKJL29506.re-prd-fep-043.btinternet.com@re-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 9 Sep 2020 14:30:48 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599658248; bh=m/xLRItvvIlsfdKfksgXgc3A96SYWY3zUHvq/SS7128=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; 
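Review bot: the TOC added in the first hunk (@@ -1,7 +1,17 @@) uses anchors such as "#type_transition" and "#typeattribute" for headings whose text is wrapped in italics ("[*type_transition*](#type_transition)"); whether an anchor generator keeps the underscore and drops the surrounding '*' markers is renderer-specific, so verify each of the nine links resolves against the generated heading ids rather than assuming the GitHub rule. The remaining hunks are mechanical and read correctly: the six "*if* statement" to "*if* Statement" header fixes are identical, the missing ")" after "*type* statement" is closed in the right place, and the blank line after "*change_type*" separates the parameter name from its description as in the other entries.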
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 15/22] types_of_policy: Convert to markdown Date: Wed, 9 Sep 2020 14:30:32 +0100 Message-Id: <20200909133039.44498-16-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/types_of_policy.md | 359 +++++++++++++++++++++-------------------- 1 file changed, 184 insertions(+), 175 deletions(-) diff --git a/src/types_of_policy.md b/src/types_of_policy.md index a55fdd0..b9ae190 100644 --- a/src/types_of_policy.md +++ b/src/types_of_policy.md 
@@ -1,32 +1,42 @@ # Types of SELinux Policy +- [Reference Policy](#reference-policy) +- [Policy Functionality Based on Name or Type](#policy-functionality-based-on-name-or-type) +- [Custom Policy](#custom-policy) +- [Monolithic Policy](#monolithic-policy) +- [Loadable Module Policy](#loadable-module-policy) + - [Optional Policy](#optional-policy) +- [Conditional Policy](#conditional-policy) +- [Binary Policy](#binary-policy) +- [Policy Versions](#policy-versions) + This section describes the different type of policy descriptions and versions that can be found within SELinux. The type of SELinux policy can described in a number of ways: -1. Source code - These can be described as: - [**Reference Policy**](types_of_policy.md#reference-policy) or - [**Custom**](types_of_policy.md#custom-policy). - They are generally written using - [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language), - [**Reference Policy Support Macros**](reference_policy.md#reference-policy-support-macros), - or using [**CIL**](cil_overview.md#cil-overview) -2. They can also be classified as: [**Monolithic**](types_of_policy.md#monolithic-policy), - [**Base Module or Loadable Module**](types_of_policy.md#reference-policy). -3. Policies can also be described by the - [**type of policy functionality**](types_of_policy.md#policy-functionality-based-on-name-or-type) they - provide such as: targeted, mls, mcs, standard, strict or minimum. -4. Classified using language statements - These can be described as - [**Modular, Optional**](types_of_policy.md#reference-policy) or - [**Conditional**](types_of_policy.md#conditional-policy). -5. Binary or Kernel policy. These are the compiled policy used by the kernel. -6. Classification can also be on the '[**policy version**](types_of_policy.md#policy-versions)' - used (examples are version 22, 23 and 24). -7. 
Policy can also be generated depending on the target platform of - either 'selinux' (the default) or 'xen' (see the SELinux policy - generation tools ***checkpolicy**(8)*, ***secilc**(8)* and ***semanage**(8)* - *target_platform* options). +1. Source code - These can be described as: + [**Reference Policy**](types_of_policy.md#reference-policy) or + [**Custom**](types_of_policy.md#custom-policy). + They are generally written using + [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language), + [**Reference Policy Support Macros**](reference_policy.md#reference-policy-support-macros), + or using [**CIL**](cil_overview.md#cil-overview) +2. They can also be classified as: [**Monolithic**](types_of_policy.md#monolithic-policy), + [**Base Module or Loadable Module**](types_of_policy.md#reference-policy). +3. Policies can also be described by the + [**type of policy functionality**](types_of_policy.md#policy-functionality-based-on-name-or-type) they + provide such as: targeted, mls, mcs, standard, strict or minimum. +4. Classified using language statements - These can be described as + [**Modular, Optional**](types_of_policy.md#reference-policy) or + [**Conditional**](types_of_policy.md#conditional-policy). +5. Binary or Kernel policy. These are the compiled policy used by the kernel. +6. Classification can also be on the '[**policy version**](types_of_policy.md#policy-versions)' + used (examples are version 22, 23 and 24). +7. Policy can also be generated depending on the target platform of + either 'selinux' (the default) or 'xen' (see the SELinux policy + generation tools ***checkpolicy**(8)*, ***secilc**(8)* and ***semanage**(8)* + *target_platform* options). As can be seen the description of a policy can vary depending on the context. 
@@ -61,30 +71,32 @@ Generally a policy is installed with a given name such as *targeted*, *mls*, *refpolicy* or *minimum* that attempts to describes its functionality. This name then becomes the entry in: -1. The directory pointing to the policy location (e.g. if the name is - *targeted*, then the policy will be installed in - */etc/selinux/targeted*). -2. The *SELINUXTYPE* entry in the */etc/selinux/config* file when it is - the active policy (e.g. if the name is *targeted*, then a - *SELINUXTYPE=targeted* entry would be in the */etc/selinux/config* - file). +1. The directory pointing to the policy location (e.g. if the name is + *targeted*, then the policy will be installed in + */etc/selinux/targeted*). +2. The *SELINUXTYPE* entry in the */etc/selinux/config* file when it is + the active policy (e.g. if the name is *targeted*, then a + *SELINUXTYPE=targeted* entry would be in the */etc/selinux/config* + file). This is how the reference policies distributed with Fedora are named, where: -- minimum - supports a minimal set of confined daemons within their own - domains. The remainder run in the unconfined_t space. Red Hat - pre-configure MCS support within this policy. -- targeted - supports a greater number of confined daemons and can also - confine other areas and users. Red Hat pre-configure MCS support within - this policy. -- mls - supports server based MLS systems. + +- minimum - supports a minimal set of confined daemons within their own + domains. The remainder run in the unconfined_t space. Red Hat + pre-configure MCS support within this policy. +- targeted - supports a greater number of confined daemons and can also + confine other areas and users. Red Hat pre-configure MCS support within + this policy. +- mls - supports server based MLS systems. 
The Reference Policy also has a *TYPE* description that describes the type of policy being built by the build process, these are: -- standard - supports confined daemons and can also confine other areas - and users. -- mcs - As standard but supports MCS labels. -- mls - supports server based MLS systems. + +- standard - supports confined daemons and can also confine other areas + and users. +- mcs - As standard but supports MCS labels. +- mls - supports server based MLS systems. The *NAME* and *TYPE* entries are defined in the reference policy *build.conf* file that is described in the Reference Policy @@ -95,14 +107,14 @@ section. This generally refers to a policy source that is either: -1. A customised version of the Reference Policy (i.e. not the standard - distribution version e.g. Red Hat policies). -2. A policy that has been built using policy language statements - (CIL or Kernel) to build a specific policy such as the basic policy built - in the Notebook *notebook-examples/selinux-policy* there are following - policies: -- [**Kernel Policy Language**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt) -- [**CIL Policy Language**](./notebook-examples/selinux-policy/cil/cil-nb-policy.txt) +1. A customised version of the Reference Policy (i.e. not the standard + distribution version e.g. Red Hat policies). +2. A policy that has been built using policy language statements + (CIL or Kernel) to build a specific policy such as the basic policy built + in the Notebook *notebook-examples/selinux-policy* there are following + policies: + - [**Kernel Policy Language**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt) + - [**CIL Policy Language**](./notebook-examples/selinux-policy/cil/cil-nb-policy.txt) These examples were built using the Notebook 'build-sepolicy' command that is described in 
@@ -140,12 +152,12 @@ but ftp is not used, then that module could be unloaded). There are number of components that form the infrastructure: -1. Policy source code that is constructed for a modular policy with a - base module and optional loadable modules. -2. Utilities to compile and link modules and place them into a 'policy - store'. -3. Utilities to manage the modules and associated configuration files - within the 'policy store'. +1. Policy source code that is constructed for a modular policy with a + base module and optional loadable modules. +2. Utilities to compile and link modules and place them into a 'policy + store'. +3. Utilities to manage the modules and associated configuration files + within the 'policy store'. [**Figure 2: High Level SELinux Architecture**](core_components.md#core-selinux-components) shows these components along the top of the diagram. The files contained in @@ -196,9 +208,9 @@ section. This is also know as the kernel policy and is the policy file that is loaded into the kernel and is located at -/etc/selinux/<SELINUXTYPE>/policy/policy.<version>. Where -*<SELINUXTYPE>* is the policy name specified in the SELinux -configuration file /etc/selinux/config and <version> is the +/etc/selinux/\/policy/policy.\. Where +*\* is the policy name specified in the SELinux +configuration file /etc/selinux/config and \ is the SELinux [**policy version**](#policy-versions). The binary policy can be built from source files supplied by the 
@@ -245,124 +257,121 @@ Max kernel policy version: 32 ``` -**Table 1: Policy version descriptions** describes the different versions, although note -that there is also another version that applies to the modular policy, -however the main policy database version is the one that is generally -quoted (some SELinux utilities give both version numbers). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
policy db Versionmodular db VersionDescription
154The base version when SELinux was merged into the kernel.
16-Added Conditional Policy support (the bool feature).
17-Added support for IPv6.
18-Added Netlink support.
195Added MLS support, plus the validatetrans Statement.
20-Reduced the size of the access vector table.
216Added support for the MLS range_transition Statement.
227Added policycap Statement that allows various kernel options to be enabled as described in the Policy Configuration Statements section.
238Added support for the permissive statement. This allows a domain to run in permissive mode while the others are still confined (instead of the all or nothing set by the SELINUX entry in the /etc/selinux/config file).
249 / 10Add support for the typebounds statement. This was added to support a hierarchical relationship between two domains in multi-threaded web servers as described in "A secure web application platform powered by SELinux".
2511Add support for file name transition in the type_transition rule. Requires kernel 2.6.39 minimum.
2612/13

Add support for a class parameter in the role_transition rule.

-

Add support for the attribute_role and roleattribute statements.

-

These require kernel 2.6.39 minimum.

-14Separate tunables.
2715Support setting object defaults for the user, role and range components when computing a new context. Requires kernel 3.5 minimum.
2816Support setting object defaults for the type component when computing a new context. Requires kernel 3.5 minimum.
2917Support attribute names within constraints. This allows attributes as well as the types to be retrieved from a kernel policy to assist audit2allow(8) etc. to determine what attribute needs to be updated. Note that the attribute does not determine the constraint outcome, it is still the list of types associated to the constraint. Requires kernel 3.14 minimum.
3018

For the 'selinux' target platform adds new 'xperm' rules as explained in the Extended Access Vector Rules section. This is to support 'ioctl whitelisting' as explained in the ioctl Operation Rules section. Requires kernel 4.3 minimum. For modular support, requires libsepol 2.7 minimum.

30For the 'xen' target platform support the devicetreecon statement and also expand the existing I/O memory range to 64 bits as explained in the Xen Statements section.
3119InfiniBand (IB) partition key (Pkey) and IB end port object labeling that requires kernel 4.13 minimum. See the InfiniBand Labeling Statements section.
3220Specify glblub as a default_range default and the computed transition will be the intersection of the MLS range of the two contexts. See default_range for details. Requires kernel 5.5 minimum. See the Default Rules section.
- -**Table 1: Policy version descriptions** +The following table describes the features added for each policy version and +its corresponding modular policy version. When these features are implemented +there may also be functionality added to the kernel, libselinux and/or libsepol. +If known, these version requirements are also listed. + +**Policy: 15 Module: 4** + +The base version when SELinux was merged into the kernel. + +**Policy: 16** + +Added [**Conditional Policy**](#conditional-policy) support (the bool feature). + +**Policy: 17** + +Added support for IPv6. + +**Policy: 18** + +Added Netlink support. + +**Policy: 19 Module: 5** + +Added MLS support, plus the *validatetrans* Statement. + +**Policy: 20** + +Reduced the size of the access vector table. + +**Policy: 21 Module: 6** + +Added support for the MLS *range_transition* Statement. + +**Policy: 22 Module: 7** + +Added *policycap* Statement that allows various kernel options to be +enabled as described in the +[**Policy Configuration Statements**](policy_config_statements.md#policy-configuration-statements) +section. + +**Policy: 23 Module: 8** + +Added support for the *permissive* statement. This allows a domain to run +in permissive mode while the others are still confined (instead of the all +or nothing set by the *SELINUX* entry in the */etc/selinux/config* file). + +**Policy: 24 Module: 9 / 10** + +Add support for the *typebounds* statement. This was added to support a +hierarchical relationship between two domains in multi-threaded web servers +as described in +[**A secure web application platform powered by SELinux**](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf). + +**Policy: 25 Module: 11** + +Add support for file name transition in the *type_transition* rule. +Requires kernel 2.6.39 minimum. + +**Policy: 26 Module: 12 / 13** + +Add support for a class parameter in the *role_transition* rule and +support for the *attribute_role* and *roleattribute* statements. 
+These require kernel 2.6.39 minimum. + +**Module: 14** + +Separate tunables. + +**Policy: 27 Module: 15** + +Support setting object defaults for the user, role and range components +when computing a new context. Requires kernel 3.5 minimum. + +**Policy: 28 Module: 16** + +Support setting object defaults for the type component when computing a +new context. Requires kernel 3.5 minimum. + +**Policy: 29 Module: 17** + +Support attribute names within constraints. This allows attributes as well +as the types to be retrieved from a kernel policy to assist +***audit2allow**(8)* etc. to determine what attribute needs to be updated. +Note that the attribute does not determine the constraint outcome, it is +still the list of types associated to the constraint. +Requires kernel 3.14 minimum. + +**Policy: 30 Module: 18** + +For the *selinux* target platform adds new *xperm* rules as explained in the +[**Extended Access Vector Rules**](xperm_rules.md#extended-access-vector-rules) +section. This is to support 'ioctl whitelisting' as explained in the +[***ioctl* Operation Rules**](xperm_rules.md#ioctl-operation-rules) section. +Requires kernel 4.3 minimum. +For modular policy support requires libsepol 2.7 minimum. + +**Policy: 30** + +For the '*xen*' target platform support the *devicetreecon* statement and +also expand the existing I/O memory range to 64 bits as explained in the +[**Xen Statements**](xen_statements.md#xen-statements) section. + +**Policy: 31 Module: 19** + +Add InfiniBand (IB) partition key (Pkey) and IB end port object labeling +as explained in the +[**InfiniBand Labeling Statements**](infiniband_statements.md#infiniband-labeling-statements) +section. Requires kernel 4.13 minimum. + +**Policy: 32 Module: 20** + +Specify *glblub* as a *default_range* default and the computed transition +will be the intersection of the MLS range of the two contexts. +See the [**default_range**](default_rules.md#default_range) for details. +Requires kernel 5.5 minimum. 
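Review bot: in the `@@ -1,32 +1,42 @@` hunk, list items 2 and 4 still point `[**Base Module or Loadable Module**]` and `[**Modular, Optional**]` at `types_of_policy.md#reference-policy`, while the TOC this same hunk adds introduces `#loadable-module-policy` and `#optional-policy` for exactly those sections; since the lines are rewritten anyway, retarget them, e.g. `[**Base Module or Loadable Module**](types_of_policy.md#loadable-module-policy)`. The new TOC also uses bare `#anchor` links where the list below it uses `types_of_policy.md#anchor`; both resolve in-page, but one convention in the file would be tidier.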
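Review bot: in the `@@ -196,9 +208,9 @@` hunk the three `+` lines (`+/etc/selinux/\/policy/policy.\.` and the two that follow) show only a backslash where the removed lines had `<SELINUXTYPE>` and `<version>`, so as posted the path would render as `/etc/selinux//policy/policy.`; please confirm the committed text escapes the brackets as `\<SELINUXTYPE\>` and `\<version\>` rather than dropping the placeholder names, which a Markdown renderer would otherwise treat as an unknown HTML tag and hide.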
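Review bot: in the `@@ -245,124 +257,121 @@` hunk, replacing the table with bold `**Policy: N Module: M**` paragraphs leaves two entries that both read as policy version 30: `**Policy: 30 Module: 18**` (the *selinux* *xperm* entry) and the bare `**Policy: 30**` (the *xen* *devicetreecon* entry), which were a single row in the old table; the second heading should say it is the *xen* target-platform variant, e.g. `**Policy: 30 (xen target platform)**`. Bold paragraphs are also not headings, so none of the per-version entries can be linked from the TOC added at the top of this file; a pipe table, as `src/user_statements.md` in this series already uses, or `###` sub-headings would keep the version list navigable.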
From patchwork Wed Sep 9 13:30:33 2020 X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11813043
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 16/22] user_statements: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:33 +0100 Message-Id: <20200909133039.44498-17-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org
Signed-off-by: Richard Haines --- src/user_statements.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/user_statements.md b/src/user_statements.md index 7a5ff8a..ee3eed1 100644 --- a/src/user_statements.md +++ b/src/user_statements.md @@ -70,7 +70,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | Yes | Yes | @@ -116,9 +116,9 @@ semanage user -a -R unconfined_r mque_u ``` This command will produce the following files in the default -<SELINUXTYPE> policy store and then activate the policy: +\ policy store and then activate the policy: -*/var/lib/selinux/<SELINUXTYPE>/active/users.local*: +*/var/lib/selinux/\/active/users.local*: ``` # This file is auto-generated by libsemanage @@ -127,7 +127,7 @@ This command will produce the following files in the default user mque_u roles { unconfined_r } ; ``` -*/var/lib/selinux/<SELINUXTYPE>/active/users_extra*: +*/var/lib/selinux/\/active/users_extra*: ``` # This file is auto-generated by libsemanage 
@@ -136,7 +136,7 @@ user mque_u roles { unconfined_r } ; user mque_u prefix user; ``` -*/var/lib/selinux/<SELINUXTYPE>/active/users_extra.local*: +*/var/lib/selinux/\/active/users_extra.local*: ``` # This file is auto-generated by libsemanage From patchwork Wed Sep 9 13:30:34 2020 X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11831341
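Review bot: in the `@@ -116,9 +116,9 @@` hunk, `+\ policy store and then activate the policy:` and `+*/var/lib/selinux/\/active/users.local*:` show only a backslash where the removed lines had `<SELINUXTYPE>`; as posted the path renders as `/var/lib/selinux//active/users.local`, so confirm the committed text escapes the brackets as `\<SELINUXTYPE\>` instead of dropping the placeholder name.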
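Review bot: in the `@@ -127,7 +127,7 @@` and `@@ -136,7 +136,7 @@` hunks, `+*/var/lib/selinux/\/active/users_extra*:` and `+*/var/lib/selinux/\/active/users_extra.local*:` likewise show only a backslash where the removed lines had `<SELINUXTYPE>`, which would render as a double slash in the path; escape the brackets (`\<SELINUXTYPE\>`) rather than dropping the name, and apply the same escaping to every occurrence in the file so the four paths stay consistent.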
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 17/22] users: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:34 +0100 Message-Id: <20200909133039.44498-18-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/users.md b/src/users.md index a1a86b1..4be8356 100644 --- a/src/users.md +++ b/src/users.md 
@@ -13,7 +13,7 @@ objects, this user is *system_u*. The SELinux user name is the first component of a [**Security Context**](security_context.md#security-context) and -by convention SELinux user names end in *_u*, however this is not +by convention SELinux user names end in *\_u*, however this is not enforced by any SELinux service (i.e. it is only to identify the user component), although CIL with namespaces does make identification of an SELinux user easier for example a 'user' could be declared as From patchwork Wed Sep 9 13:30:35 2020 X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11768219
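Review bot: in the `@@ -13,7 +13,7 @@` hunk of `src/users.md`, the rewritten line `+by convention SELinux user names end in *\_u*, however this is not` keeps a comma splice from the original; since the line is touched anyway, `*\_u*; however, this is not` reads better. The `\_` escape itself is fine: it stops a renderer from reading `_u` as the start of an emphasis span inside the surrounding `*...*`.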
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 18/22] userspace_libraries: Tidy up formatting, add toc Date: Wed, 9 Sep 2020 14:30:35 +0100 Message-Id: <20200909133039.44498-19-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/userspace_libraries.md | 58 ++++++++++++++++++++------------------ 1 file changed, 31 insertions(+), 27 deletions(-) diff --git a/src/userspace_libraries.md b/src/userspace_libraries.md index 4f70321..5be703a 100644 --- a/src/userspace_libraries.md +++ b/src/userspace_libraries.md @@ -1,5 +1,9 @@ # SELinux Userspace Libraries +- [libselinux Library](#libselinux-library) +- [libsepol Library](#libsepol-library) +- [libsemanage Library](#libsemanage-library) + The versions of kernel and SELinux tools and libraries influence the features available, therefore it is important to establish what level of functionality is required for the application. The 
@@ -19,13 +23,13 @@ Python, Ruby and PHP languages. The library hides the low level functionality of (but not limited to): -- The SELinux filesystem that interfaces to the SELinux kernel - security server. -- The proc filesystem that maintains process state information and - security contexts - see ***proc**(5)*. -- Extended attribute services that manage the extended attributes - associated to files, sockets etc. - see ***attr**(5)*. -- The SELinux policy and its associated configuration files. +- The SELinux filesystem that interfaces to the SELinux kernel + security server. +- The proc filesystem that maintains process state information and + security contexts - see ***proc**(5)*. +- Extended attribute services that manage the extended attributes + associated to files, sockets etc. - see ***attr**(5)*. +- The SELinux policy and its associated configuration files. The general category of functions available in *libselinux* are shown below, with [**Appendix B - *libselinux* API Summary**](libselinux_functions.md#appendix-b---libselinux-api-summary) 
@@ -102,24 +106,23 @@ Retrieve default contexts for user sessions. The *libselinux* functions make use of a number of files within the SELinux sub-system: -1. The SELinux configuration file *config* that is described in the - [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) section. -2. The SELinux filesystem interface between userspace and kernel that - is generally mounted as */selinux* or */sys/fs/selinux* and - described in the - [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) - section. -3. The *proc* filesystem that maintains process state information and - security contexts - see ***proc**(5)*. -4. The extended attribute services that manage the extended attributes - associated to files, sockets etc. - see ***attr**(5)*. -5. The SELinux kernel binary policy that describes the enforcement - policy. -6. A number of *libselinux* functions have their own configuration - files that in conjunction with the policy, allow additional levels - of configuration. These are described in the - [**Policy Configuration Files**](policy_config_files.md#policy-configuration-files) - section. +1. The SELinux configuration file *config* that is described in the + [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) section. +2. The SELinux filesystem interface between userspace and kernel that + is generally mounted as */selinux* or */sys/fs/selinux* and + described in the + [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. +3. The *proc* filesystem that maintains process state information and + security contexts - see ***proc**(5)*. +4. The extended attribute services that manage the extended attributes + associated to files, sockets etc. - see ***attr**(5)*. +5. The SELinux kernel binary policy that describes the enforcement + policy. +6. A number of *libselinux* functions have their own configuration + files that in conjunction with the policy, allow additional levels + of configuration. 
These are described in the + [**Policy Configuration Files**](policy_config_files.md#policy-configuration-files) + section. There is a static version of the library that is not installed by default: 
@@ -140,10 +143,11 @@ dnf install libsepol-static This is used by commands such as ***audit2allow**(8)* and ***checkpolicy**(8)* as they require access to functions that are not available in the dynamic -library (such as sepol_compute_av(), sepol_compute_av_reason() and -sepol_context_to_sid(). +library, such as *sepol_compute_av()*, *sepol_compute_av_reason()* and +*sepol_context_to_sid()*. ## libsemanage Library + *libsemanage* - To manage the policy infrastructure.
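Review bot: the rewrite drops the unbalanced parenthesis from the removed lines, but "functions that are not available in the dynamic library, such as *sepol_compute_av()*, ..." now attaches "such as" to "library" rather than to "functions"; suggest "functions such as *sepol_compute_av()*, *sepol_compute_av_reason()* and *sepol_context_to_sid()* that are not available in the dynamic library" (or keep the parenthetical and close it).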
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 19/22] vm_support: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:36 +0100 Message-Id: <20200909133039.44498-20-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/vm_support.md | 84 ++++++++++++++++++++++++++--------------------- 1 file changed, 46 insertions(+), 38 deletions(-) diff --git a/src/vm_support.md b/src/vm_support.md index 80d5cd5..a60fe6c 100644 --- a/src/vm_support.md +++ b/src/vm_support.md @@ -1,5 +1,13 @@ # SELinux Virtual Machine Support +- [KVM / QEMU Support](#kvm-qemu-support) +- [*libvirt* Support](#libvirt-support) +- [VM Image Labeling](#vm-image-labeling) + - [Dynamic Labeling](#dynamic-labeling) + - [Shared Image](#shared-image) + - [Static Labeling](#static-labeling) +- [Xen Support](#xen-support) + SELinux support is available in the KVM/QEMU and Xen virtual machine (VM) technologies[^fn_vms_1] that are discussed in the sections that follow, however the package documentation should be read for how these products actually work 
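Review bot: the new TOC link `[KVM / QEMU Support](#kvm-qemu-support)` may not resolve: both GitHub and mdBook build heading ids by dropping the slash and turning each space into a hyphen, which for "KVM / QEMU Support" gives kvm--qemu-support (two hyphens). Please verify against the rendered page; the other new anchors (#libvirt-support, #vm-image-labeling, #xen-support) follow the usual rule and look fine.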
@@ -90,20 +98,20 @@ other (i.e. every time the VM is run a different and unique MCS label will be generated to confine each VM to its own domain). This mode is implemented as follows: -1. An initial context for the process is obtained from the - */etc/selinux/<SELINUXTYPE>/contexts/virtual_domain_context* - file (the default is *system_u:system_r:svirt_tcg_t:s0*). -2. An initial context for the image file label is obtained from the - */etc/selinux/<SELINUXTYPE>/contexts/virtual_image_context* - file. The default is *system_u:system_r:svirt_image_t:s0* that - allows read/write of image files. -3. When the image is used to start the VM, a random MCS *level* is - generated and added to the process context and the image file - context. The process and image files are then transitioned to the - context by the* libselinux* API calls *setfilecon* and *setexeccon* - respectively (see *security_selinux.c* in the *libvirt *source). - The following example shows two running VM sessions each having - different labels: +1. An initial context for the process is obtained from the + */etc/selinux/\/contexts/virtual_domain_context* + file (the default is *system_u:system_r:svirt_tcg_t:s0*). +2. An initial context for the image file label is obtained from the + */etc/selinux/\/contexts/virtual_image_context* + file. The default is *system_u:system_r:svirt_image_t:s0* that + allows read/write of image files. +3. When the image is used to start the VM, a random MCS *level* is + generated and added to the process context and the image file + context. The process and image files are then transitioned to the + context by the *libselinux* API calls *setfilecon* and *setexeccon* + respectively (see *security_selinux.c* in the *libvirt *source). + The following example shows two running VM sessions each having + different labels: | VM Image | Object | Dynamically assigned security context | | ------------| --------- | ------------------------------------------------- | 
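Review bot: two things in the + lines of step 3. First, "the *libvirt *source" is carried over with the closing asterisk on the wrong side of the space, so the italics never close; it should read "the *libvirt* source" (the neighbouring "the* libselinux* API" is fixed in this same hunk, so do the same here). Second, the replaced path is shown here as */etc/selinux/\/contexts/virtual_domain_context* with nothing visible after the backslash; check that the `<SELINUXTYPE>` placeholder from the removed lines is still present in the committed file, just escaped.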
@@ -152,7 +160,7 @@ checking the *Shareable* box as shown in **Figure 19**. This will set the image (*Shareable_VM.xml*) resource XML configuration file located in the */etc/libvirt/qemu* directory -*<disk>* contents as follows: +*\* contents as follows: ``` # /etc/libvirt/qemu/Shareable_VM.xml: @@ -172,7 +180,7 @@ needs to be cloned and the VM resource name selected was ![](./images/20-clone.png) -The resource XML file *<disk>* contents generated are shown - note +The resource XML file *\* contents generated are shown - note that it has the same *source file* name as the *Shareable_VM.xml* file shown above. @@ -191,7 +199,7 @@ shown above. With the targeted policy on Fedora the shareable option gave a error when the VMs were run as follows: -- **Could not allocate dynamic translator buffer** +- **Could not allocate dynamic translator buffer** The audit log contained the following AVC message: 
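Review bot: in the -152 and -172 hunks the *<disk>* element name is replaced by `*\*`, where nothing is visible after the backslash; confirm that the escaped element name (`<disk>` from the removed lines) made it into the file rather than only the backslash.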
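Review bot: the -191 hunk only re-spaces the bullet, but the context line introducing it, "the shareable option gave a error when the VMs were run", has "a error"; since this paragraph is already being touched, change it to "an error".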
@@ -213,19 +221,19 @@ setsebool -P virt_use_execmem on Now that the image has been configured as shareable, the following initialisation process will take place: -1. An initial context for the process is obtained from the - */etc/selinux/<SELINUXTYPE>/contexts/virtual_domain_context* - file (the default is *system_u:system_r:svirt_tcg_t:s0*). -2. An initial context for the image file label is obtained from the - */etc/selinux/<SELINUXTYPE>/contexts/virtual_image_context* - file. The default is *system_u:system_r:svirt_image_t:s0* that - allows read/write of image files. -3. When the image is used to start the VM a random MCS level is - generated and added to the process context (but not the image file). - The process is then transitioned to the appropriate context by the* - libselinux* API calls *setfilecon* and *setexeccon* respectively. - The following example shows each VM having the same file label but - different process labels: +1. An initial context for the process is obtained from the + */etc/selinux/\/contexts/virtual_domain_context* + file (the default is *system_u:system_r:svirt_tcg_t:s0*). +2. An initial context for the image file label is obtained from the + */etc/selinux/\/contexts/virtual_image_context* + file. The default is *system_u:system_r:svirt_image_t:s0* that + allows read/write of image files. +3. When the image is used to start the VM a random MCS level is + generated and added to the process context (but not the image file). + The process is then transitioned to the appropriate context by the* + libselinux* API calls *setfilecon* and *setexeccon* respectively. + The following example shows each VM having the same file label but + different process labels: | VM Image | Object | Security context | | -------------------| ----------| -------------------------------------------- | 
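Review bot: step 3 in the + lines still reads "by the* libselinux* API calls" with the asterisks on the wrong side of the space (the same defect was fixed in the Dynamic Labeling list earlier in this patch); it should be "by the *libselinux* API calls". Separately, the sentence says the MCS level is added to the process context "but not the image file" yet still lists *setfilecon* and *setexeccon* "respectively"; if the image is not relabeled in shared mode, *setfilecon* should probably not be listed here.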
@@ -273,8 +281,8 @@ need to be relabeled. An example VM configuration follows where the VM has been created as *Static_VM1* using the Fedora *targeted* policy in enforcing mode (just so all errors are flagged during the build): -1. To set the required security context requires editing the - *Static_VM1* configuration file using ***virsh**(1)* as follows: +1. To set the required security context requires editing the + *Static_VM1* configuration file using ***virsh**(1)* as follows: ``` virsh edit Static_VM1 @@ -301,11 +309,11 @@ For this example *svirt_t* has been chosen as it is a valid context written to the *Static_VM1.xml* configuration file in */etc/libvirt/qemu*. -2. If the VM is now started an error will be shown as follows: +2. If the VM is now started an error will be shown as follows: ![](./images/21-error.png) -**Figure 2.21: Image Start Error** +**Figure 21: Image Start Error** This is because the image file label is incorrect as by default it is labeled *virt_image_t* when the VM image is built (and @@ -340,12 +348,12 @@ the same as the process using *chcon* as follows: chcon -l s0:c1022,c1023 Static_VM1.img ``` -3. Now that the image has been relabeled, the VM can now be started. +3. Now that the image has been relabeled, the VM can now be started. The following example shows two static VMs (one is configured for *unconfined_t* that is allowed to run under the targeted policy - this -was possible because the 's*etsebool -P virt_transition_userdomain -on*'* *boolean was set that allows *virtd_t* domain to transition to a +was possible because the '*setsebool -P virt_transition_userdomain +on*' boolean was set that allows *virtd_t* domain to transition to a user domain (e.g. *unconfined_t*). | VM Image | Object | Static security context | 
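Review bot: the re-indented line "To set the required security context requires editing the *Static_VM1* configuration file" has two verbs competing for the subject; "Setting the required security context requires editing ..." or "To set the required security context, edit ..." reads better.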
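Review bot: "Now that the image has been relabeled, the VM can now be started." in the -340 hunk doubles "now"; drop the second one. The quote fix around '*setsebool -P virt_transition_userdomain on*' in the same hunk looks right.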
@@ -383,7 +391,7 @@ system_u:object_r:virt_image_t:s0 Static_VM2.img ## Xen Support This is not supported by SELinux in the usual way as it is built into -the actual Xen software as a 'Flask/TE' extension[24] for the XSM (Xen +the actual Xen software as a 'Flask/TE' extension for the XSM (Xen Security Module). Also the Xen implementation has its own built-in policy (*xen.te*) and supporting definitions for access vectors, security classes and initial SIDs for the policy. These Flask/TE
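Review bot: the -383 hunk removes the "[24]" citation after 'Flask/TE' extension without replacing it; if the book has moved to footnotes of the `[^fn_vms_1]` style used at the top of this file, add the equivalent footnote here, otherwise the reference behind that citation is lost.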
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 20/22] x_windows: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:37 +0100 Message-Id: <20200909133039.44498-21-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/x_windows.md | 52 ++++++++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/src/x_windows.md b/src/x_windows.md index 74edc62..86d93f9 100644 --- a/src/x_windows.md +++ b/src/x_windows.md 
@@ -1,13 +1,13 @@ # X-Windows SELinux Support -- [**Infrastructure Overview**](#infrastructure-overview) -- [**Polyinstantiation**](#polyinstantiation) -- [**Configuration Information**](#configuration-information) - - [**Enable/Disable the OM from Policy Decisions**](#enabledisable-the-om-from-policy-decisions) - - [**Configure OM Enforcement Mode**](#configure-om-enforcement-mode) - - [**Determine OM X-extension Opcode**](#determine-om-x-extension-opcode) - - [**The *x_contexts* File**](#the-x_contexts-file) -- [**SELinux Extension Functions**](#selinux-extension-functions) +- [Infrastructure Overview](#infrastructure-overview) +- [Polyinstantiation](#polyinstantiation) +- [Configuration Information](#configuration-information) + - [Enable/Disable the OM from Policy Decisions](#enabledisable-the-om-from-policy-decisions) + - [Configure OM Enforcement Mode](#configure-om-enforcement-mode) + - [Determine OM X-extension Opcode](#determine-om-x-extension-opcode) + - [The *x_contexts* File](#the-x_contexts-file) +- [SELinux Extension Functions](#selinux-extension-functions) The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as @@ -116,10 +116,10 @@ of properties and selections. This section covers: -- How to enable/disable the OM X-extension. -- How to determine the OM X-extension opcode. -- How to configure the OM in a specific SELinux enforcement mode. -- The *x-contexts* configuration file. +- How to enable/disable the OM X-extension. +- How to determine the OM X-extension opcode. +- How to configure the OM in a specific SELinux enforcement mode. +- The *x-contexts* configuration file. ### Enable/Disable the OM from Policy Decisions 
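Review bot: the bullet "The *x-contexts* configuration file." in the -116 hunk uses a hyphen while the heading and TOC entry use *x_contexts* (and the anchor is #the-x_contexts-file); since the list is being re-spaced anyway, change it to *x_contexts*.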
@@ -148,9 +148,9 @@ If the X-server object manager needs to be run in a specific SELinux enforcement mode, then the option may be added to the *xorg.conf* file (normally in */etc/X11/xorg.conf.d*). The option entries are as follows: -- SELinux mode disabled -- SELinux mode permissive -- SELinux mode enforcing +- SELinux mode disabled +- SELinux mode permissive +- SELinux mode enforcing Note that the entry must be exact otherwise it will be ignored. An example entry is: 
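Review bot: the -148 hunk keeps the three option strings ("SELinux mode disabled", "SELinux mode permissive", "SELinux mode enforcing") as plain bullets although the next sentence says the entry must be exact or it is ignored; consider code spans so a renderer cannot alter spacing or quoting of the strings.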
@@ -222,17 +222,17 @@ the Xlib libraries (e.g. *XInternAtom*). **Notes:** -1. The way the XSELinux extension code works (see - *xselinux_label.c* - SELinuxAtomToSIDLookup()) is that non-poly - entries are searched for first, if an entry is not found then it - searches for a matching poly entry. The reason for this behavior is - that when operating in a secure environment all objects would be - polyinstantiated unless there are specific exemptions made for - individual objects to make them non-polyinstantiated. There would - then be a 'poly_selection' or 'poly_property' at the end of the section. -2. For systems using the Reference Policy all X-clients connecting - remotely will be allocated a security context from the *x_contexts* - file of: +1. The way the XSELinux extension code works (see + *xselinux_label.c* - SELinuxAtomToSIDLookup()) is that non-poly + entries are searched for first, if an entry is not found then it + searches for a matching poly entry. The reason for this behavior is + that when operating in a secure environment all objects would be + polyinstantiated unless there are specific exemptions made for + individual objects to make them non-polyinstantiated. There would + then be a 'poly_selection' or 'poly_property' at the end of the section. +2. 
For systems using the Reference Policy all X-clients connecting + remotely will be allocated a security context from the *x_contexts* + file of: ``` # object_type object_name context
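Review bot: in the re-indented note 1, SELinuxAtomToSIDLookup() is the only function name in this hunk not set in italics (compare *XInternAtom* in the context line); make it *SELinuxAtomToSIDLookup()* for consistency with the rest of the file.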
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 21/22] xen_statements: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:38 +0100 Message-Id: <20200909133039.44498-22-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/xen_statements.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/xen_statements.md b/src/xen_statements.md index e2c4cc3..c7bbe70 100644 --- a/src/xen_statements.md +++ b/src/xen_statements.md @@ -1,5 +1,11 @@ # Xen Statements +- [*iomemcon*](#iomemcon) +- [*ioportcon*](#ioportcon) +- [*pcidevicecon*](#pcidevicecon) +- [*pirqcon*](#pirqcon) +- [*devicetreecon*](#devicetreecon) + Xen policy supports additional policy language statements: *iomemcon*, *ioportcon*, *pcidevicecon*, *pirqcon* and *devicetreecon* that are discussed in the sections that follow, also the @@ -49,7 +55,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | No | No | @@ -95,7 +101,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | No | No | 
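Review bot: the "*if* statement" to "*if* Statement" capitalisation fix in the -49 hunk is repeated for every table in this file and again in xperm_rules.md in patch 22; worth a grep across the book for the lowercase form so the same table header is not left inconsistent in files outside this series.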
@@ -140,7 +146,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | No | No | @@ -184,7 +190,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | No | No | 
@@ -229,7 +235,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | No | No |
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 22/22] xperm_rules: Tidy up formatting Date: Wed, 9 Sep 2020 14:30:39 +0100 Message-Id: <20200909133039.44498-23-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Richard Haines --- src/xperm_rules.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/src/xperm_rules.md b/src/xperm_rules.md index 7f8744b..849b2ac 100644 --- a/src/xperm_rules.md +++ b/src/xperm_rules.md @@ -1,5 +1,7 @@ # Extended Access Vector Rules +- [*ioctl* Operation Rules](#ioctl-operation-rules) + There are three extended AV rules implemented from Policy version 30 with the target platform 'selinux' that expand the permission sets from a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*, @@ -66,7 +68,7 @@ Policy Type Conditional Policy Statements -| *if* statement | *optional* Statement | *require* Statement | +| *if* Statement | *optional* Statement | *require* Statement | | ----------------------- | ----------------------- | ----------------------- | | No | No | No | @@ -80,7 +82,7 @@ policy format changes shown in the example below with a brief overview the final upstream kernel patch). Ioctl calls are generally used to get or set device options. Policy -versions < 30 only controls whether an *ioctl* permission is allowed +versions \> 30 only controls whether an *ioctl* permission is allowed or not, for example this rule allows the object class *tcp_socket* the *ioctl* permission: 
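Review bot: the -80 hunk inverts the statement: "-versions < 30 only controls whether an *ioctl* permission is allowed" becomes "+versions \> 30 only controls ...". The sentence is about policy versions before 30, which had no extended permission sets, so the escaped form should be "\<", not "\>". While here, "versions ... only controls" should be "only control".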
@@ -116,17 +118,17 @@ tclass=udp_socket permissive=0 Notes: -1. Important: The ioctl operation is not 'deny all' ioctl requests - (hence whitelisting). It is targeted at the specific - source/target/class set of ioctl commands. As no other *allowxperm* - rules have been defined in the example, all other ioctl calls may - continue to use any valid request parameters (provided there are - *allow* rules for the *ioctl* permission). -2. As the ***ioctl**(2)* function requires a file descriptor, its - context must match the process context otherwise the *fd { use }* - class/permission is required. -3. To deny all ioctl requests for a specific source/target/class the - *xperm_set* should be set to *0* or *0x0*. +1. Important: The ioctl operation is not 'deny all' ioctl requests + (hence whitelisting). It is targeted at the specific + source/target/class set of ioctl commands. As no other *allowxperm* + rules have been defined in the example, all other ioctl calls may + continue to use any valid request parameters (provided there are + *allow* rules for the *ioctl* permission). +2. As the ***ioctl**(2)* function requires a file descriptor, its + context must match the process context otherwise the *fd { use }* + class/permission is required. +3. To deny all ioctl requests for a specific source/target/class the + *xperm_set* should be set to *0* or *0x0*.
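Review bot: note 1 in the + lines, "The ioctl operation is not 'deny all' ioctl requests (hence whitelisting)", is grammatically off; something like "The *allowxperm* rule does not 'deny all' ioctl requests (it whitelists): it targets only the named source/target/class set of ioctl commands" says the same thing cleanly and ties in with the following sentence about other *allowxperm* rules.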