* [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up
@ 2020-09-09 13:30 Richard Haines
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Converted to Markdown or just tidy up formatting. Added TOC to aid
navigation where required.
No text changes.

This is the final batch of basic changes that should bring the sections to
a standard markdown format. The reference_policy.md update to tidy up the
formatting is large, so I'll send that patch directly to Paul (no text changes).

The only two sections left are lsm_selinux.md and mls_mcs.md. These
require moving and updating text to convert to markdown, so I will send
each separately.

Richard Haines (22):
  kernel_policy_language: Tidy up formatting
  mls_statements: Convert to markdown
  object_classes_permissions: Tidy up formatting
  policy_config_files: Tidy up formatting
  policy_validation_example: Tidy up formatting
  postgresql: Tidy up formatting
  security_context: Convert to markdown
  selinux_cmds: Convert to markdown
  selinux_overview: Convert to markdown
  sid_statement: Convert to markdown
  subjects: Convert to markdown
  toc: Tidy up formatting
  type_enforcement: Convert to markdown
  type_statements: Convert to markdown
  types_of_policy: Convert to markdown
  user_statements: Tidy up formatting
  users: Tidy up formatting
  userspace_libraries: Tidy up formatting, add toc
  vm_support: Tidy up formatting
  x_windows: Tidy up formatting
  xen_statements: Tidy up formatting
  xperm_rules: Tidy up formatting

 src/kernel_policy_language.md     | 106 +++----
 src/mls_statements.md             | 461 +++++++++++-------------------
 src/object_classes_permissions.md | 299 +++++++++----------
 src/policy_config_files.md        | 442 ++++++++++++++--------------
 src/policy_validation_example.md  |   3 +-
 src/postgresql.md                 |  19 +-
 src/security_context.md           |  83 +++---
 src/selinux_cmds.md               | 256 ++++++++---------
 src/selinux_overview.md           |  33 +--
 src/sid_statement.md              | 119 +++-----
 src/subjects.md                   |  21 +-
 src/toc.md                        | 120 ++++----
 src/type_enforcement.md           |   9 +-
 src/type_statements.md            |  33 ++-
 src/types_of_policy.md            | 359 +++++++++++------------
 src/user_statements.md            |  10 +-
 src/users.md                      |   2 +-
 src/userspace_libraries.md        |  58 ++--
 src/vm_support.md                 |  84 +++---
 src/x_windows.md                  |  52 ++--
 src/xen_statements.md             |  16 +-
 src/xperm_rules.md                |  28 +-
 22 files changed, 1223 insertions(+), 1390 deletions(-)

-- 
2.26.2



* [PATCH 01/22] kernel_policy_language: Tidy up formatting
@ 2020-09-09 13:30 ` Richard Haines
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/kernel_policy_language.md | 106 +++++++++++++++++-----------------
 1 file changed, 53 insertions(+), 53 deletions(-)

diff --git a/src/kernel_policy_language.md b/src/kernel_policy_language.md
index 921c7d0..f1910dd 100644
--- a/src/kernel_policy_language.md
+++ b/src/kernel_policy_language.md
@@ -1,10 +1,10 @@
 # Kernel Policy Language
 
--   [Policy Source Files](#policy-source-files)
--   [Conditional, Optional and Require Statement Rules](#conditional-optional-and-require-statement-rules)
--   [MLS Statements and Optional MLS Components](#mls-statements-and-optional-mls-components)
--   [General Statement Information](#general-statement-information)
--   [Policy Language Index](#policy-language-index)
+- [Policy Source Files](#policy-source-files)
+- [Conditional, Optional and Require Statement Rules](#conditional-optional-and-require-statement-rules)
+- [MLS Statements and Optional MLS Components](#mls-statements-and-optional-mls-components)
+- [General Statement Information](#general-statement-information)
+- [Policy Language Index](#policy-language-index)
 
 This section covers the policy source file types and what kernel policy
 statements and rule are allowed in each. The
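Review bot: the unchanged context line "statements and rule are allowed in each" just below the list reads "rule" where it should be "rules"; since this series is formatting-only, that belongs in a follow-up text fix rather than this hunk, but it is worth queuing.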
@@ -93,30 +93,30 @@ what circumstances each one is valid within a policy source file.
 
 *Monolithic Policy*
 
--   Whether the statement is allowed within a monolithic policy source file or not.
+- Whether the statement is allowed within a monolithic policy source file or not.
 
 *Base Policy*
 
--   Whether the statement is allowed within a base (for loadable module support)
-    policy source file or not.
+- Whether the statement is allowed within a base (for loadable module support)
+  policy source file or not.
 
 *Module Policy*
 
--   Whether the statement is allowed within the optional loadable module policy
-    source file or not.
+- Whether the statement is allowed within the optional loadable module policy
+  source file or not.
 
 ## Conditional, Optional and Require Statement Rules
 
 The language grammar specifies what statements and rules can be included
 within:
 
-1.   [**Conditional Policy**](conditional_statements.md#conditional-policy-statements)
-     rules that are part of the kernel policy language.
-2.   *optional* and *require* rules that are NOT part of the kernel policy
-     language, but **Reference Policy** ***m4**(1)* macros used to control
-     policy builds (see the
-     [**Modular Policy Support Statements**](modular_policy_statements.md#modular-policy-support-statements)
-     section.
+1. [**Conditional Policy**](conditional_statements.md#conditional-policy-statements)
+   rules that are part of the kernel policy language.
+2. *optional* and *require* rules that are NOT part of the kernel policy
+   language, but **Reference Policy** ***m4**(1)* macros used to control
+   policy builds (see the
+   [**Modular Policy Support Statements**](modular_policy_statements.md#modular-policy-support-statements)
+   section.
 
 To highlight these rules the following table is included in each
 statement and rule section to show what circumstances each one is valid
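Review bot: item 2 of the renumbered list opens a parenthesis at "(see the" but never closes it; the last line of the item should read "section)." rather than "section." so the reflowed text does not keep the old unbalanced bracket.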
@@ -132,17 +132,17 @@ within a policy source file:
 
 *if Statement*
 
--   Whether the statement is allowed within a conditional statement
-    (*if/else* construct). Conditional statements can be in all types
-    of policy source file.
+- Whether the statement is allowed within a conditional statement
+  (*if/else* construct). Conditional statements can be in all types
+  of policy source file.
 
 *optional Statement*
 
--   Whether the statement is allowed within the *optional { rule_list }* construct.
+- Whether the statement is allowed within the *optional { rule_list }* construct.
 
 *require Statement*
 
--   Whether the statement is allowed within the *require { rule_list }* construct.
+- Whether the statement is allowed within the *require { rule_list }* construct.
 
 ## MLS Statements and Optional MLS Components
 
@@ -156,14 +156,14 @@ MLS **Reference Policy** build.
 
 ## General Statement Information
 
-1.  Identifiers can generally be any length but should be restricted to
-    the following characters: a-z, A-Z, 0-9 and \_ (underscore).
-2.  A '\#' indicates the start of a comment in policy source files.
-3.  All statements available to policy version 29 have been included.
-4.  When multiple source and target entries are shown in a single
-    statement or rule, the compiler (***checkpolicy**(8)* or
-    ***checkmodule**(8)*) will expand these to individual statements or
-    rules as shown in the following example:
+1. Identifiers can generally be any length but should be restricted to
+   the following characters: a-z, A-Z, 0-9 and \_ (underscore).
+2. A '\#' indicates the start of a comment in policy source files.
+3. All statements available to policy version 29 have been included.
+4. When multiple source and target entries are shown in a single
+   statement or rule, the compiler (***checkpolicy**(8)* or
+   ***checkmodule**(8)*) will expand these to individual statements or
+   rules as shown in the following example:
 
 ```
 # This allow rule has two target entries console_device_t and tty_device_t:
@@ -180,11 +180,11 @@ using (for example) ***apol**(8)*, **sedispol** or **sedismod**, the
 results will differ (however the resulting policy rules will be the
 same).
 
-1.  Some statements can be added to a policy via the policy store using
-    the **semanage**(8) command. Examples of these are shown where
-    applicable, however the **semanage** man page should be consulted
-    for all the possible command line options.
-2.  **Table 2** lists words reserved for the SELinux  policy language.
+1. Some statements can be added to a policy via the policy store using
+   the **semanage**(8) command. Examples of these are shown where
+   applicable, however the **semanage** man page should be consulted
+   for all the possible command line options.
+2. **Table 2** lists words reserved for the SELinux  policy language.
 
 |                 |                |                    |                  |
 | :-------------- | :------------- | :----------------- | :--------------- |
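Review bot: the list in this hunk restarts at "1." and "2." although it follows item 4 of the "General Statement Information" list with only the example code block in between; markdown renders it as a new list starting at 1, so if these are the continuation they should be numbered "5." and "6.". While touching the second item, "SELinux  policy language" also carries a double space.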
@@ -294,28 +294,28 @@ or require {rule_list} statement.*
 
 The policy language statement and rule sections are as follows:
 
--   [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements)
--   [Default Rules](default_rules.md#default-object-rules)
--   [User Statements](user_statements.md#user-statements)
--   [Role Statements](role_statements.md#role-statements)
--   [Type Statements](type_statements.md#type-statements)
--   [Bounds Rules](bounds_rules.md#bounds-rules)
--   [Access Vector Rules](avc_rules.md#access-vector-rules)
--   [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules)
--   [Object Class and Permission Statements](class_permission_statements.md#object-class-and-permission-statements)
--   [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements)
--   [Constraint Statements](constraint_statements.md#constraint-statements)
--   [MLS Statements](mls_statements.md#mls-statements)
--   [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement)
--   [File System Labeling Statements](file-labeling-statements.md#file-system-labeling-statements)
--   [Network Labeling Statements](network_statements.md#network-labeling-statements)
--   [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements)
--   [XEN Statements](xen_statements.md#xen-statements)
+- [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements)
+- [Default Rules](default_rules.md#default-object-rules)
+- [User Statements](user_statements.md#user-statements)
+- [Role Statements](role_statements.md#role-statements)
+- [Type Statements](type_statements.md#type-statements)
+- [Bounds Rules](bounds_rules.md#bounds-rules)
+- [Access Vector Rules](avc_rules.md#access-vector-rules)
+- [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules)
+- [Object Class and Permission Statements](class_permission_statements.md#object-class-and-permission-statements)
+- [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements)
+- [Constraint Statements](constraint_statements.md#constraint-statements)
+- [MLS Statements](mls_statements.md#mls-statements)
+- [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement)
+- [File System Labeling Statements](file-labeling-statements.md#file-system-labeling-statements)
+- [Network Labeling Statements](network_statements.md#network-labeling-statements)
+- [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements)
+- [XEN Statements](xen_statements.md#xen-statements)
 
 Note these are not kernel policy statements, but used by the Reference Policy
 to assist policy build:
 
--   [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements)
+- [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements)
 
 [^fn_kpl_1]: It is important to note that the Reference Policy builds policy
 using makefiles and m4 support macros within its own source file structure.
-- 
2.26.2



* [PATCH 02/22] mls_statements: Convert to markdown
@ 2020-09-09 13:30 ` Richard Haines
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Add a TOC to aid navigation and convert to markdown.
Remove table 1 as it didn't seem to add anything.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/mls_statements.md | 461 +++++++++++++++---------------------------
 1 file changed, 167 insertions(+), 294 deletions(-)

diff --git a/src/mls_statements.md b/src/mls_statements.md
index f61ced6..05ba185 100644
--- a/src/mls_statements.md
+++ b/src/mls_statements.md
@@ -1,74 +1,30 @@
 # MLS Statements
 
+- [MLS range Definition](#mls-range-definition)
+- [*sensitivity*](#sensitivity)
+- [*dominance*](#dominance)
+- [*category*](#category)
+- [*level*](#level)
+- [*range_transition*](#range_transition)
+- [*mlsconstrain*](#mlsconstrain)
+- [*mlsvalidatetrans*](#mlsvalidatetrans)
+
 The optional MLS policy extension adds an additional security context
 component that consists of the following highlighted entries:
 
-```
-user:role:type:sensitivity[:category,...]- sensitivity [:category,...]
-```
+*user:role:type:* ***sensitivity[:category,...] - sensitivity [:category,...]***
 
-These consist of a mandatory hierarchical
-[**sensitivity**](#sensitivity) and optional
-non-hierarchical [**category**](#category)'s. The
-combination of the two comprise a [**level**](#level) or security level as
-shown in **Table 1: Sensitivity and Category = Security Level**. Depending on
-the circumstances, there can be one level defined or a
-[**range**](#mls-range-definition) as shown in **Table 1**.
-
-<table>
-<tbody>
-<tr>
-<td><center><p><strong>Security Level (or Level)</strong></p></center>
-<p><center>Consisting of a sensitivity and zero or more category entries:</center></p></td>
-<td colspan="2"; rowspan="2";><center>Note that SELinux uses <code>level</code>, <code>sensitivity</code> and <code>category</code><br>in the language statements (see the <a href="mls_statements.md#mls-statements"> MLS Language Statements</a> section),<br>however when discussing these the following terms can also be used:<br> labels, classifications, and compartments.</center></td>
-</tr>
-<tr>
-<td><center><p><code>sensitivity [: category, ... ]</code><br>also known as:</p>
-<p><strong>Sensitivity Label</strong></p>
-<p>Consisting of a classification and compartment.</p></center></td>
-</tr>
-<tr>
-<td colspan="3"><center><strong>&lt;-------------- Range --------------&gt;</strong></center></td>
-</tr>
-<tr>
-<td><center><strong>Low</strong></center></td>
-<td rowspan="6"><center><strong>-</strong></center></td>
-<td><center><strong>High</strong></center></td>
-</tr>
-<tr>
-<td><center><code>sensitivity [: category, ... ]</code></center></td>
-<td><center><code>sensitivity [: category, ... ]</code></center></td>
-</tr>
-<tr>
-<td><center>For a process or subject this is the current level or sensitivity</center></td>
-<td><center>For a process or subject this is the Clearance</center></td>
-</tr>
-<tr>
-<td><center>For an object this is the current level or sensitivity</center></td>
-<td><center>For an object this is the maximum range</center></td>
-</tr>
-<tr>
-<td><center><strong>SystemLow</strong></center></td>
-
-<td><center><strong>SystemHigh</strong></center></td>
-</tr>
-<tr>
-<td><center>This is the lowest level or classification for the system<br>(for SELinux this is generally 's0', note that there are no categories).</center></td>
-
-<td><center>This is the highest level or classification for the system<br>(for SELinux this is generally 's15:c0,c255',<br>although note that they will be the highest set by the policy).</center></td>
-</tr>
-</tbody>
-</table>
-
-**Table 1: Sensitivity and Category = Security Level** - *this table shows
-the meanings depending on the context being discussed.*
+These consist of a mandatory hierarchical [**sensitivity**](#sensitivity) and
+optional non-hierarchical [**category**](#category)'s. The combination of the
+two comprise a [**level**](#level) or security level. Depending on the
+circumstances, there can be one level or a [**range**](#mls-range-definition).
 
 To make the security levels more meaningful, it is possible to use the
-setransd daemon to translate these to human readable formats. The
-**semanage**(8) command will allow this mapping to be defined as discussed
+***mcstransd**(8)* daemon to translate these to human readable formats. The
+***semanage**(8)* command will allow this mapping to be defined as discussed
 in the [**setrans.conf**](policy_config_files.md#setrans.conf) section.
 
-#### MLS range Definition
+## MLS range Definition
 
 The MLS range is appended to a number of statements and defines the lowest and
 highest security levels. The range can also consist of a single level as
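Review bot: dropping Table 1 loses statements that appear nowhere else in this hunk: that the high end of a subject's range is its clearance, that the high end of an object's range is its maximum range, and the SystemLow/SystemHigh meanings with their usual values 's0' and 's15:c0,c255'. The commit message says the table "didn't seem to add anything"; consider carrying those three points into the prose before removing it. Separately, replacing "setransd daemon" with "***mcstransd**(8)* daemon" is a text correction rather than a markdown conversion, so it should be called out in the commit message given the cover letter states there are no text changes.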
@@ -82,23 +38,20 @@ low_level [ - high_level ]
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>low_level</code></td>
-<td><p>The processes lowest level identifier that has been previously declared by a <a href="#level"><code>level</code></a> statement.</p>
-<p>If a <code>high_level</code> is not defined, then it is taken as the same as the <code>low_level</code>.</p></td>
-</tr>
-<tr>
-<td>-</td>
-<td>The optional hyphen '-' separator if a <code>high_level</code> is also being defined.</td>
-</tr>
-<tr>
-<td><code>high_level</code></td>
-<td>The processes highest level identifier that has been previously declared by a <a href="#level"><code>level</code></a> statement. </td>
-</tr>
-</tbody>
-</table>
+*low_level*
+
+The processes lowest level identifier that has been previously declared by a
+[*level*](#level) statement. If a *high_level* is not defined, then it is taken
+as the same as the *low_level*.
+
+*\-*
+
+The optional hyphen '-' separator if a *high_level* is also being defined.
+
+*high_level*
+
+The processes highest level identifier that has been previously declared by
+a [*level*](#level) statement.
 
 ## *sensitivity*
 
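Review bot: the *low_level* and *high_level* descriptions keep "The processes lowest level identifier" / "The processes highest level identifier" from the removed table cells; since these lines are being rewritten anyway, "The process's lowest level identifier" (and "highest") is the correct possessive.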
@@ -113,53 +66,35 @@ sensitivity sens_id [alias sensitivityalias_id ...];
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>sensitivity</code></td>
-<td>The <code>sensitivity</code> keyword.</td>
-</tr>
-<tr>
-<td><code>sens_id</code></td>
-<td>The <code>sensitivity</code> identifier.</td>
-</tr>
-<tr>
-<td><code>alias</code></td>
-<td>The optional <code>alias</code> keyword.</td>
-</tr>
-<tr>
-<td><code>sensitivityalias_id</code></td>
-<td>One or more sensitivity alias identifiers in a space separated list.</td>
-</tr>
-</tbody>
-</table>
+*sensitivity*
+
+The *sensitivity* keyword.
+
+*sens_id*
+
+The *sensitivity* identifier.
+
+*alias*
+
+The optional *alias* keyword.
+
+*sensitivityalias_id*
+
+One or more sensitivity alias identifiers in a space separated list.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>Yes</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | Yes                     |
 
 **Examples:**
 
@@ -193,45 +128,29 @@ dominance { sensitivity_id ... }
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>dominance</code></td>
-<td>The <code>dominance</code> keyword.</td>
-</tr>
-<tr>
-<td><code>sensitivity_id</code></td>
-<td>A space separated list of previously declared <code>sensitivity</code> or <code>sensitivityalias</code> identifiers in the order lowest to highest. They are enclosed in braces '{}', and note that there is no terminating semi-colon ';'.</td>
-</tr>
-</tbody>
-</table>
-
-The statement is valid in:
-
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+*dominance*
+
+The *dominance* keyword.
+
+*sensitivity_id*
+
+A space separated list of previously declared *sensitivity* or
+*sensitivityalias* identifiers in the order lowest to highest. They are
+enclosed in braces '{}', and note that there is no terminating semi-colon ';'.
+
+**The statement is valid in:**
+
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Example:**
 
@@ -255,53 +174,35 @@ category category_id [alias categoryalias_id ...];
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>category</code></td>
-<td>The <code>category</code> keyword.</td>
-</tr>
-<tr>
-<td><code>category_id</code></td>
-<td>The <code>category</code> identifier.</td>
-</tr>
-<tr>
-<td><code>alias</code></td>
-<td>The optional <code>alias</code> keyword.</td>
-</tr>
-<tr>
-<td><code>categoryalias_id</code></td>
-<td>One or more <code>alias</code> identifiers in a space separated list.</td>
-</tr>
-</tbody>
-</table>
+*category*
+
+The *category* keyword.
+
+*category_id*
+
+The *category* identifier.
+
+*alias*
+
+The optional *alias* keyword.
+
+*categoryalias_id*
+
+One or more *alias* identifiers in a space separated list.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>Yes</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | Yes                     |
 
 **Examples:**
 
@@ -337,52 +238,40 @@ level sensitivity_id [ :category_id ];
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>level</code></td>
-<td>The <code>level</code> keyword.</td>
-</tr>
-<tr>
-<td><code>sensitivity_id</code></td>
-<td>A previously declared <code>sensitivity</code> or <code>sensitivityalias</code> identifier.</td>
-</tr>
-<tr>
-<td><code>category_id</code></td>
-<td>An optional set of zero or more previously declared <code>category</code> or <code>categoryalias</code> identifiers that are preceded by a colon ':', that can be written as follows:
-<p>The period '.' separating two <code>category</code> identifiers means an inclusive set (e.g. <code>c0.c16</code>).</p>
-<p>The comma ',' separating two <code>category</code> identifiers means a non-contiguous list (e.g. <code>c21,c36,c45</code>).</p>
-<p>Both separators may be used (e.g. <code>c0.c16,c21,c36,c45</code>).</p></td>
-</tr>
-</tbody>
-</table>
+*level*
+
+The *level* keyword.
+
+*sensitivity_id*
+
+A previously declared *sensitivity* or *sensitivityalias* identifier.
+
+*category_id*
+
+An optional set of zero or more previously declared *category* or
+*categoryalias* identifiers that are preceded by a colon ':', that can be
+written as follows:
+
+- The period '.' separating two *category* identifiers means an inclusive
+  set (e.g. *c0.c16*).
+- The comma ',' separating two *category* identifiers means a non-contiguous
+  list (e.g. *c21,c36,c45*).
+
+Both separators may be used (e.g. *c0.c16,c21,c36,c45*).
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Example:**
 
@@ -417,55 +306,39 @@ range_transition source_type target_type : class new_range;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>range_transition</code></td>
-<td>The <code>range_transition</code> keyword.</td>
-</tr>
-<tr>
-<td><p><code>source_type</code></p>
-<p><code>target_type</code></p></td>
-<td><p>One or more source / target <code>type</code> or <code>attribute</code> identifiers. Multiple entries consist of a space separated list enclosed in braces'{}'.</p>
-<p>Entries can be excluded from the list by using the negative operator '-'.</p></td>
-</tr>
-<tr>
-<td><code>class</code></td>
-<td>The optional object <code>class</code> keyword (this allows policy versions 21 and greater to specify a class other than the default of <code>process</code>).</td>
-</tr>
-<tr>
-<td><code>new_range</code></td>
-<td>The new MLS range for the object class. The format of this field is described in the <a href="#mls-range-definition">"MLS range Definition"</a> section.</td>
-</tr>
-</tbody>
-</table>
+*range_transition*
+
+The *range_transition* keyword.
+
+*source_type*, *target_type*
+
+One or more source / target *type* or *attribute* identifiers. Multiple entries
+consist of a space separated list enclosed in braces'{}'.
+Entries can be excluded from the list by using the negative operator '-'.
+
+*class*
+
+The optional object *class* keyword (this allows policy versions 21 and greater
+to specify a class other than the default of *process*).
+
+*new_range*
+
+The new MLS range for the object class. The format of this field is described
+in the [MLS range Definition](#mls-range-definition) section.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | No                      |
 
 **Examples:**
 
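Review bot: "enclosed in braces'{}'" in the *source_type*, *target_type* description is missing the space before the opening quote, inherited from the old table cell; as the line is being reflowed here, make it "enclosed in braces '{}'", matching the *dominance* description earlier in this patch.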
-- 
2.26.2



* [PATCH 03/22] object_classes_permissions: Tidy up formatting
@ 2020-09-09 13:30 ` Richard Haines
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/object_classes_permissions.md | 299 +++++++++++++++---------------
 1 file changed, 151 insertions(+), 148 deletions(-)

diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index c51d36b..fa16024 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -3,137 +3,137 @@
 - [Introduction](#introduction)
   - [Defining Object Classes and Permissions](#defining-object-classes-and-permissions)
 - [Kernel Object Classes and Permissions](#kernel-object-classes-and-permissions)
-   - [Common Permissions](#common-permissions)
-      - [Common File Permissions](#common-file-permissions)
-      - [Common Socket Permissions](#common-socket-permissions)
-      - [Common IPC Permissions](#common-ipc-permissions)
-      - [Common Capability Permissions](#common-capability-permissions)
-      - [Common Capability2 Permissions](#common-capability2-permissions)
-      - [Common Database Permissions](#common-database-permissions)
-      - [Common X_Device Permissions](#common-x_device-permissions)
-   - [File Object Classes](#file-object-classes)
-      - [*filesystem*](#filesystem)
-      - [*dir*](#dir)
-      - [*file*](#file)
-      - [*lnk_file*](#lnk_file)
-      - [*chr_file*](#chr_file)
-      - [*blk_file*](#blk_file)
-      - [*sock_file*](#sock_file)
-      - [*fifo_file*](#fifo_file)
-      - [*fd*](#fd)
-   - [Network Object Classes](#network-object-classes)
-      - [*node*](#node)
-      - [*netif*](#netif)
-      - [*socket*](#socket)
-      - [*tcp_socket*](#tcp_socket)
-      - [*udp_socket*](#udp_socket)
-      - [*rawip_socket*](#rawip_socket)
-      - [*packet_socket*](#packet_socket)
-      - [*unix_stream_socket*](#unix_stream_socket)
-      - [*unix_dgram_socket*](#unix_dgram_socket)
-      - [*tun_socket*](#tun_socket)
-   - [IPSec Network Object Classes](#ipsec-network-object-classes)
-      - [*association*](#association)
-      - [*key_socket*](#key_socket)
-      - [*netlink_xfrm_socket*](#netlink_xfrm_socket)
-   - [Netlink Object Classes](#netlink-object-classes)
-      - [*netlink_socket*](#netlink_socket)
-      - [*netlink_route_socket*](#netlink_route_socket)
-      - [*netlink_firewall_socket* (Deprecated)](#netlink_firewall_socket-deprecated)
-      - [*netlink_tcpdiag_socket*](#netlink_tcpdiag_socket)
-      - [*netlink_nflog_socket*](#netlink_nflog_socket)
-      - [*netlink_selinux_socket*](#netlink_selinux_socket)
-      - [*netlink_audit_socket*](#netlink_audit_socket)
-      - [*netlink_ip6fw_socket* (Deprecated)](#netlink_ip6fw_socket-deprecated)
-      - [*netlink_dnrt_socket*](#netlink_dnrt_socket)
-      - [*netlink_kobject_uevent_socket*](#netlink_kobject_uevent_socket)
-      - [*netlink_iscsi_socket*](#netlink_iscsi_socket)
-      - [*netlink_fib_lookup_socket*](#netlink_fib_lookup_socket)
-      - [*netlink_connector_socket*](#netlink_connector_socket)
-      - [*netlink_netfilter_socket*](#netlink_netfilter_socket)
-      - [*netlink_generic_socket*](#netlink_generic_socket)
-      - [*netlink_scsitransport_socket*](#netlink_scsitransport_socket)
-      - [*netlink_rdma_socket*](#netlink_rdma_socket)
-      - [*netlink_crypto_socket*](#netlink_crypto_socket)
-   - [Miscellaneous Network Object Classes](#miscellaneous-network-object-classes)
-      - [*peer*](#peer)
-      - [*packet*](#packet)
-      - [*appletalk_socket*](#appletalk_socket)
-      - [*dccp_socket*](#dccp_socket)
-   - [Sockets via *extended_socket_class*](#sockets-via-extended_socket_class)
-      - [*sctp_socket*](#sctp_socket)
-      - [*icmp_socket*](#icmp_socket)
-      - [Miscellaneous Extended Socket Classes](#miscellaneous-extended-socket-classes)
-   - [BPF Object Class](#bpf-object-class)
-      - [*bpf*](#bpf)
-   - [Performance Event Object Class](#performance-event-object-class)
-      - [*perf_event*](#perf_event)
-   - [Lockdown Object Class](#lockdown-object-class)
-      - [*lockdown*](#lockdown)
-   - [IPC Object Classes](#ipc-object-classes)
-      - [*ipc* (Deprecated)](#ipc-deprecated)
-      - [*sem*](#sem)
-      - [*msgq*](#msgq)
-      - [*msg*](#msg)
-      - [*shm*](#shm)
-   - [Process Object Class](#process-object-class)
-      - [*process*](#process)
-      - [*process2*](#process2)
-   - [Security Object Class](#security-object-class)
-      - [*security*](#security)
-   - [System Operation Object Class](#system-operation-object-class)
-      - [*system*](#system)
-   - [Miscellaneous Kernel Object Classes](#miscellaneous-kernel-object-classes)
-      - [*kernel_service*](#kernel_service)
-      - [*key*](#key)
-      - [*memprotect*](#memprotect)
-      - [*binder*](#binder)
-   - [Capability Object Classes](#capability-object-classes)
-      - [*capability*](#capability)
-      - [*capability2*](#capability2)
-      - [*cap_userns*](#cap_userns)
-      - [*cap2_userns*](#cap2_userns)
-   - [InfiniBand Object Classes](#infiniband-object-classes)
-      - [*infiniband_pkey*](#infiniband_pkey)
-      - [*infiniband_endport*](#infiniband_endport)
+  - [Common Permissions](#common-permissions)
+    - [Common File Permissions](#common-file-permissions)
+    - [Common Socket Permissions](#common-socket-permissions)
+    - [Common IPC Permissions](#common-ipc-permissions)
+    - [Common Capability Permissions](#common-capability-permissions)
+    - [Common Capability2 Permissions](#common-capability2-permissions)
+    - [Common Database Permissions](#common-database-permissions)
+    - [Common X_Device Permissions](#common-x_device-permissions)
+  - [File Object Classes](#file-object-classes)
+    - [*filesystem*](#filesystem)
+    - [*dir*](#dir)
+    - [*file*](#file)
+    - [*lnk_file*](#lnk_file)
+    - [*chr_file*](#chr_file)
+    - [*blk_file*](#blk_file)
+    - [*sock_file*](#sock_file)
+    - [*fifo_file*](#fifo_file)
+    - [*fd*](#fd)
+  - [Network Object Classes](#network-object-classes)
+    - [*node*](#node)
+    - [*netif*](#netif)
+    - [*socket*](#socket)
+    - [*tcp_socket*](#tcp_socket)
+    - [*udp_socket*](#udp_socket)
+    - [*rawip_socket*](#rawip_socket)
+    - [*packet_socket*](#packet_socket)
+    - [*unix_stream_socket*](#unix_stream_socket)
+    - [*unix_dgram_socket*](#unix_dgram_socket)
+    - [*tun_socket*](#tun_socket)
+  - [IPSec Network Object Classes](#ipsec-network-object-classes)
+    - [*association*](#association)
+    - [*key_socket*](#key_socket)
+    - [*netlink_xfrm_socket*](#netlink_xfrm_socket)
+  - [Netlink Object Classes](#netlink-object-classes)
+    - [*netlink_socket*](#netlink_socket)
+    - [*netlink_route_socket*](#netlink_route_socket)
+    - [*netlink_firewall_socket* (Deprecated)](#netlink_firewall_socket-deprecated)
+    - [*netlink_tcpdiag_socket*](#netlink_tcpdiag_socket)
+    - [*netlink_nflog_socket*](#netlink_nflog_socket)
+    - [*netlink_selinux_socket*](#netlink_selinux_socket)
+    - [*netlink_audit_socket*](#netlink_audit_socket)
+    - [*netlink_ip6fw_socket* (Deprecated)](#netlink_ip6fw_socket-deprecated)
+    - [*netlink_dnrt_socket*](#netlink_dnrt_socket)
+    - [*netlink_kobject_uevent_socket*](#netlink_kobject_uevent_socket)
+    - [*netlink_iscsi_socket*](#netlink_iscsi_socket)
+    - [*netlink_fib_lookup_socket*](#netlink_fib_lookup_socket)
+    - [*netlink_connector_socket*](#netlink_connector_socket)
+    - [*netlink_netfilter_socket*](#netlink_netfilter_socket)
+    - [*netlink_generic_socket*](#netlink_generic_socket)
+    - [*netlink_scsitransport_socket*](#netlink_scsitransport_socket)
+    - [*netlink_rdma_socket*](#netlink_rdma_socket)
+    - [*netlink_crypto_socket*](#netlink_crypto_socket)
+  - [Miscellaneous Network Object Classes](#miscellaneous-network-object-classes)
+    - [*peer*](#peer)
+    - [*packet*](#packet)
+    - [*appletalk_socket*](#appletalk_socket)
+    - [*dccp_socket*](#dccp_socket)
+  - [Sockets via *extended_socket_class*](#sockets-via-extended_socket_class)
+    - [*sctp_socket*](#sctp_socket)
+    - [*icmp_socket*](#icmp_socket)
+    - [Miscellaneous Extended Socket Classes](#miscellaneous-extended-socket-classes)
+  - [BPF Object Class](#bpf-object-class)
+    - [*bpf*](#bpf)
+  - [Performance Event Object Class](#performance-event-object-class)
+    - [*perf_event*](#perf_event)
+  - [Lockdown Object Class](#lockdown-object-class)
+    - [*lockdown*](#lockdown)
+  - [IPC Object Classes](#ipc-object-classes)
+    - [*ipc* (Deprecated)](#ipc-deprecated)
+    - [*sem*](#sem)
+    - [*msgq*](#msgq)
+    - [*msg*](#msg)
+    - [*shm*](#shm)
+  - [Process Object Class](#process-object-class)
+    - [*process*](#process)
+    - [*process2*](#process2)
+  - [Security Object Class](#security-object-class)
+    - [*security*](#security)
+  - [System Operation Object Class](#system-operation-object-class)
+    - [*system*](#system)
+  - [Miscellaneous Kernel Object Classes](#miscellaneous-kernel-object-classes)
+    - [*kernel_service*](#kernel_service)
+    - [*key*](#key)
+    - [*memprotect*](#memprotect)
+    - [*binder*](#binder)
+  - [Capability Object Classes](#capability-object-classes)
+    - [*capability*](#capability)
+    - [*capability2*](#capability2)
+    - [*cap_userns*](#cap_userns)
+    - [*cap2_userns*](#cap2_userns)
+  - [InfiniBand Object Classes](#infiniband-object-classes)
+    - [*infiniband_pkey*](#infiniband_pkey)
+    - [*infiniband_endport*](#infiniband_endport)
 - [Userspace Object Classes](#userspace-object-classes)
-   - [X Windows Object Classes](#x-windows-object-classes)
-      - [*x_drawable*](#x_drawable)
-      - [*x_screen*](#x_screen)
-      - [*x_gc*](#x_gc)
-      - [*x_font*](#x_font)
-      - [*x_colormap*](#x_colormap)
-      - [*x_property*](#x_property)
-      - [*x_selection*](#x_selection)
-      - [*x_cursor*](#x_cursor)
-      - [*x_client*](#x_client)
-      - [*x_device*](#x_device)
-      - [*x_server*](#x_server)
-      - [*x_extension*](#x_extension)
-      - [*x_resource*](#x_resource)
-      - [*x_event*](#x_event)
-      - [*x_synthetic_event*](#x_synthetic_event)
-      - [*x_application_data*](#x_application_data)
-      - [*x_pointer*](#x_pointer)
-      - [*x_keyboard*](#x_keyboard)
-   - [Database Object Classes](#database-object-classes)
-      - [*db_database*](#db_database)
-      - [*db_table*](#db_table)
-      - [*db_schema*](#db_schema)
-      - [*db_procedure*](#db_procedure)
-      - [*db_column*](#db_column)
-      - [*db_tuple*](#db_tuple)
-      - [*db_blob*](#db_blob)
-      - [*db_view*](#db_view)
-      - [*db_sequence*](#db_sequence)
-      - [*db_language*](#db_language)
-   - [Miscellaneous Userspace Object Classes](#miscellaneous-userspace-object-classes)
-      - [*passwd*](#passwd)
-      - [*nscd*](#nscd)
-      - [*dbus*](#dbus)
-      - [*context*](#context)
-      - [*service*](#service)
-      - [*proxy*](#proxy)
+  - [X Windows Object Classes](#x-windows-object-classes)
+    - [*x_drawable*](#x_drawable)
+    - [*x_screen*](#x_screen)
+    - [*x_gc*](#x_gc)
+    - [*x_font*](#x_font)
+    - [*x_colormap*](#x_colormap)
+    - [*x_property*](#x_property)
+    - [*x_selection*](#x_selection)
+    - [*x_cursor*](#x_cursor)
+    - [*x_client*](#x_client)
+    - [*x_device*](#x_device)
+    - [*x_server*](#x_server)
+    - [*x_extension*](#x_extension)
+    - [*x_resource*](#x_resource)
+    - [*x_event*](#x_event)
+    - [*x_synthetic_event*](#x_synthetic_event)
+    - [*x_application_data*](#x_application_data)
+    - [*x_pointer*](#x_pointer)
+    - [*x_keyboard*](#x_keyboard)
+  - [Database Object Classes](#database-object-classes)
+    - [*db_database*](#db_database)
+    - [*db_table*](#db_table)
+    - [*db_schema*](#db_schema)
+    - [*db_procedure*](#db_procedure)
+    - [*db_column*](#db_column)
+    - [*db_tuple*](#db_tuple)
+    - [*db_blob*](#db_blob)
+    - [*db_view*](#db_view)
+    - [*db_sequence*](#db_sequence)
+    - [*db_language*](#db_language)
+  - [Miscellaneous Userspace Object Classes](#miscellaneous-userspace-object-classes)
+    - [*passwd*](#passwd)
+    - [*nscd*](#nscd)
+    - [*dbus*](#dbus)
+    - [*context*](#context)
+    - [*service*](#service)
+    - [*proxy*](#proxy)
 
 ## Introduction
 
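Review bot: this hunk is whitespace-only (nested TOC indentation goes from 3/6 spaces to 2/4 under the `- ` marker), so it can be verified with `git diff -w` or `git show --ignore-all-space` to confirm that no link text or anchor changed. The anchors with underscores and parenthesised suffixes, e.g. `#netlink_firewall_socket-deprecated` and `#sockets-via-extended_socket_class`, are carried over unchanged and still depend on the renderer producing exactly those heading ids.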
@@ -141,7 +141,8 @@ This section contains a list of object classes and their associated
 permissions that have been taken from the Fedora policy sources. There
 are also additional entries for Xen. The Android specific classes and
 permissions are shown in the
-[**Security Enhancements for Android**](seandroid.md#security-enhancements-for-android) section.
+[**Security Enhancements for Android**](seandroid.md#security-enhancements-for-android)
+section.
 
 The SElinux Testsuite has tests that exercise a number of these object
 classes/permissions and is a useful reference:
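Review bot: `SElinux Testsuite` in the unchanged context line at the end of this hunk miscapitalises SELinux; since the paragraph just above it is being rewrapped anyway, the capitalisation could be fixed in the same pass.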
@@ -153,23 +154,28 @@ used in the standard Linux function calls (such as 'create a socket' or
 
 *relabelfrom*
 
-- Used on most objects to allow the objects security context to be changed from the current type.
+- Used on most objects to allow the objects security context to be changed from
+  the current type.
 
 *relabelto*
 
-- Used on most objects to allow the objects security context to be changed to the new type.
+- Used on most objects to allow the objects security context to be changed to
+  the new type.
 
 *entrypoint*
 
-- Used for files to indicate that they can be used as an entry point into a domain via a domain transition.
+- Used for files to indicate that they can be used as an entry point into a
+  domain via a domain transition.
 
 *execute_no_trans*
 
-- Used for files to indicate that they can be used as an entry point into the calling domain (i.e. does not require a domain transition).
+- Used for files to indicate that they can be used as an entry point into the
+  calling domain (i.e. does not require a domain transition).
 
 *execmod*
 
-Generally used for files to indicate that they can execute the modified file in memory.
+- Generally used for files to indicate that they can execute the modified file
+  in memory.
 
 Where possible the specific object class permissions are explained,
 however for some permissions it is difficult to determine what they are
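Review bot: the rewrapped *relabelfrom* and *relabelto* bullets keep `the objects security context`, which needs a possessive (`the object's security context`); the rewrap is a good moment to correct it. Promoting the *execmod* description to a `- ` bullet is the right call, as it was the only one of the five permission descriptions not formatted as a list item.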
@@ -189,10 +195,10 @@ Note: In theory a policy could be defined with no classes or permissions
 then set the *handle_unknown* flag when building the policy to *allow*
 (***checkpolicy**(8)* and ***secilc**(8)*
 *[-U handle-unknown (allow,deny,reject)]*). However:
--   CIL requires at least one class to be defined.
--   The *process* class with its *transition* and *dyntransition* permissions
-    are still required for default labeling behaviors, role and range
-    transitions in older policy versions.
+- CIL requires at least one class to be defined.
+- The *process* class with its *transition* and *dyntransition* permissions
+  are still required for default labeling behaviors, role and range
+  transitions in older policy versions.
 
 The [**Object Class and Permission Statements**](class_permission_statements.md#object-class-and-permission-statements)
 section specifies how these are defined within the Kernel Policy Language,
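Review bot: the second bullet, `The *process* class with its *transition* and *dyntransition* permissions are still required`, has a subject/verb mismatch (the subject is the class, so `is still required`); worth fixing while the list markers are being normalised from `-   ` to `- `.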
@@ -465,7 +471,6 @@ inherited by a number of object classes.
 - msgq - Send message to message queue.
 - sem  - Change semaphore value.
 
-
 ### Common Capability Permissions
 
 **Permission** - 32 permissions - Text from */usr/include/linux/capability.h*
@@ -843,7 +848,6 @@ A mounted *filesystem*
 
 ### *dir*
 
-
 A Directory
 
 **Permissions** - Inherit 25
@@ -1125,7 +1129,7 @@ IPSec security association
 *polmatch*
 
 - Match IPSec Security Policy Database (SPD) context (-ctx) entries to an
-  SELinux domain (contained in the Security Association Database (SAD) .
+  SELinux domain (contained in the Security Association Database (SAD)).
 
 *recvfrom*
 
@@ -1169,7 +1173,7 @@ IPSec key management. Protocol: *PF_KEY* Family Type: All
 
 ## Netlink Object Classes
 
-Netlink sockets communicate between userspace and the kernel – also see
+Netlink sockets communicate between userspace and the kernel - also see
 ***netlink**(7)*.
 
 ### *netlink_socket*
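Review bot: replacing the U+2013 en dash with an ASCII hyphen is consistent with the rest of the file, but it is worth checking whether the same character occurs elsewhere in the converted sources; `grep -nP '[\x{2013}\x{2014}]' src/*.md` would list any remaining ones so they can be fixed in one pass rather than piecemeal.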
@@ -2913,7 +2917,6 @@ Manage a database view.
 
 - Allows the expansion of a 'view'.
 
-
 ### *db_sequence*
 
 A sequential number generator.
@@ -3090,11 +3093,11 @@ Manage ***systemd**(1)* services.
 
 *reload*
 
-- Restart systemd services.
+- Restart *systemd* services.
 
 *start*
 
-- Start systemd services.
+- Start *systemd* services.
 
 *status*
 
@@ -3102,7 +3105,7 @@ Manage ***systemd**(1)* services.
 
 *stop*
 
-- Stop systemd services.
+- Stop *systemd* services.
 
 ### *proxy*
 
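Review bot: the *status* description that sits between these two hunks (the line after `*status*` at the end of the first hunk) is not touched, so if it also reads `systemd services` it has been left without the italics that *reload*, *start* and *stop* now have; please check that line so the four entries under `Manage ***systemd**(1)* services.` are consistent.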
-- 
2.26.2



* [PATCH 04/22] policy_config_files: Tidy up formatting
  2020-09-09 13:30 [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Richard Haines
                   ` (2 preceding siblings ...)
  2020-09-09 13:30 ` [PATCH 03/22] object_classes_permissions: : Tidy up formatting Richard Haines
@ 2020-09-09 13:30 ` Richard Haines
  2020-09-09 13:30 ` [PATCH 05/22] policy_validation_example: " Richard Haines
                   ` (18 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/policy_config_files.md | 442 ++++++++++++++++++-------------------
 1 file changed, 220 insertions(+), 222 deletions(-)

diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index e7fab1e..9ad9b42 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -1,36 +1,36 @@
 # Policy Configuration Files
 
--   [setrans.conf](#setrans.conf)
--   [*secolor.conf*](#secolor.conf)
--   [*policy/policy.\<ver\>*](#policypolicy.ver)
--   [*contexts/customizable_types*](#contextscustomizable_types)
--   [*contexts/default_contexts*](#contextsdefault_contexts)
--   [*contexts/dbus_contexts*](#contextsdbus_contexts)
--   [*contexts/default_type*](#contextsdefault_type)
--   [*contexts/failsafe_context*](#contextsfailsafe_context)
--   [*contexts/initrc_context*](#contextsinitrc_context)
--   [*contexts/lxc_contexts*](#contextslxc_contexts)
--   [*contexts/netfilter_contexts* - Obsolete](#contextsnetfilter_contexts---obsolete)
--   [*contexts/openrc_contexts*](#contextsopenrc_contexts)
--   [*contexts/openssh_contexts*](#contextsopenssh_contexts)
--   [*contexts/removable_context*](#contextsremovable_context)
--   [*contexts/sepgsql_contexts*](#contextssepgsql_contexts)
--   [*contexts/snapperd_contexts*](#contextssnapperd_contexts)
--   [*contexts/securetty_types*](#contextssecuretty_types)
--   [*contexts/systemd_contexts*](#contextssystemd_contexts)
--   [*contexts/userhelper_context*](#contextsuserhelper_context)
--   [*contexts/virtual_domain_context*](#contextsvirtual_domain_context)
--   [*contexts/virtual_image_context*](#contextsvirtual_image_context)
--   [*contexts/x_contexts*](#contextsx_contexts)
--   [*contexts/files/file_contexts*](#contextsfilesfile_contexts)
--   [*contexts/files/file_contexts.local*](#contextsfilesfile_contexts.local)
--   [*contexts/files/file_contexts.homedirs*](#contextsfilesfile_contexts.homedirs)
--   [*contexts/files/file_contexts.subs*](#contextsfilesfile_contexts.subs)
--   [*contexts/files/file_contexts.subs_dist*](#contextsfilesfile_contexts.subs_dist)
--   [*contexts/files/media*](#contextsfilesmedia)
--   [*contexts/users/[seuser_id]*](#contextsusersseuser_id)
--   [*logins/\<linuxuser_id\>*](#loginslinuxuser_id)
--   [*users/local.users*](#userslocal.users)
+- [setrans.conf](#setrans.conf)
+- [*secolor.conf*](#secolor.conf)
+- [*policy/policy.\<ver\>*](#policypolicy.ver)
+- [*contexts/customizable_types*](#contextscustomizable_types)
+- [*contexts/default_contexts*](#contextsdefault_contexts)
+- [*contexts/dbus_contexts*](#contextsdbus_contexts)
+- [*contexts/default_type*](#contextsdefault_type)
+- [*contexts/failsafe_context*](#contextsfailsafe_context)
+- [*contexts/initrc_context*](#contextsinitrc_context)
+- [*contexts/lxc_contexts*](#contextslxc_contexts)
+- [*contexts/netfilter_contexts* - Obsolete](#contextsnetfilter_contexts---obsolete)
+- [*contexts/openrc_contexts*](#contextsopenrc_contexts)
+- [*contexts/openssh_contexts*](#contextsopenssh_contexts)
+- [*contexts/removable_context*](#contextsremovable_context)
+- [*contexts/sepgsql_contexts*](#contextssepgsql_contexts)
+- [*contexts/snapperd_contexts*](#contextssnapperd_contexts)
+- [*contexts/securetty_types*](#contextssecuretty_types)
+- [*contexts/systemd_contexts*](#contextssystemd_contexts)
+- [*contexts/userhelper_context*](#contextsuserhelper_context)
+- [*contexts/virtual_domain_context*](#contextsvirtual_domain_context)
+- [*contexts/virtual_image_context*](#contextsvirtual_image_context)
+- [*contexts/x_contexts*](#contextsx_contexts)
+- [*contexts/files/file_contexts*](#contextsfilesfile_contexts)
+- [*contexts/files/file_contexts.local*](#contextsfilesfile_contexts.local)
+- [*contexts/files/file_contexts.homedirs*](#contextsfilesfile_contexts.homedirs)
+- [*contexts/files/file_contexts.subs*](#contextsfilesfile_contexts.subs)
+- [*contexts/files/file_contexts.subs_dist*](#contextsfilesfile_contexts.subs_dist)
+- [*contexts/files/media*](#contextsfilesmedia)
+- [*contexts/users/[seuser_id]*](#contextsusersseuser_id)
+- [*logins/\<linuxuser_id\>*](#loginslinuxuser_id)
+- [*users/local.users*](#userslocal.users)
 
 Each file discussed in this section is relative to the policy name as
 follows:
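Review bot: the first TOC entry, `- [setrans.conf](#setrans.conf)`, is the only one whose link text is not italicised (compare `- [*secolor.conf*](#secolor.conf)` on the next line); since this hunk touches every TOC line anyway, make it `[*setrans.conf*]`. Also note that several anchors keep a literal period (`#setrans.conf`, `#contextsfilesfile_contexts.local`, `#userslocal.users`), which only resolves if the renderer preserves periods in generated heading ids; worth confirming against the build target used for the Notebook.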
@@ -52,16 +52,16 @@ For example the simple
 described in the Notebook examples could run at init 3 (i.e. no X-Windows)
 and only require the following configuration files:
 
--   *seusers* - For login programs.
--   *policy/policy.\<ver\>* - The binary policy loaded into the kernel.
--   *context/files/file_contexts* - To allow the filesystem to be relabeled.
+- *seusers* - For login programs.
+- *policy/policy.\<ver\>* - The binary policy loaded into the kernel.
+- *context/files/file_contexts* - To allow the filesystem to be relabeled.
 
 If the simple policy is to run at init 5, (i.e. with X-Windows) then an
 additional two files are required:
 
--   *context/dbus_contexts* - To allow the dbus messaging service to run under
-    SELinux.
--   *context/x_contexts* - To allow the X-Windows service to run under SELinux.
+- *context/dbus_contexts* - To allow the dbus messaging service to run under
+  SELinux.
+- *context/x_contexts* - To allow the X-Windows service to run under SELinux.
 
 ## *seusers*
 
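Review bot: the bullets use `*context/files/file_contexts*`, `*context/dbus_contexts*` and `*context/x_contexts*`, whereas the TOC above and the section headings use the plural `contexts/` (`#contextsfilesfile_contexts`, `#contextsdbus_contexts`, `#contextsx_contexts`); since these lines are being rewritten, the directory name should be corrected so it matches the headings it refers to.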
@@ -70,19 +70,16 @@ The ***seusers**(5)* file is used by login programs (normally via the
 *user* / *passwd* files) to SELinux users (defined in the policy). A
 typical login sequence would be:
 
--   Using the GNU / Linux *user_id*, lookup the *seuser_id* from this
-    file. If an entry cannot be found, then use the *__default__*
-    entry.
--   To determine the remaining context to be used as the security
-    context, read the
-    [*contexts/users/[seuser_id]*](#contextsusersseuser_id)
-    file. If this file is not present, then:
--   Check for a default context in the
-    [*contexts/default_contexts*](#contextsdefault_contexts)
-    file. If no default context is found, then:
--   Read the
-    [*contexts/failsafe_context*](#contextsfailsafe_context) file
-    to allow a fail safe context to be set.
+- Using the GNU / Linux *user_id*, lookup the *seuser_id* from this
+  file. If an entry cannot be found, then use the *\_\_default\_\_* entry.
+- To determine the remaining context to be used as the security
+  context, read the [*contexts/users/[seuser_id]*](#contextsusersseuser_id)
+  file. If this file is not present, then:
+- Check for a default context in the
+  [*contexts/default_contexts*](#contextsdefault_contexts) file. If no default
+  context is found, then:
+- Read the [*contexts/failsafe_context*](#contextsfailsafe_context) file
+  to allow a fail safe context to be set.
 
 Note: The *system_u* user is defined in this file, however there must be
 **no** *system_u* Linux user configured on the system.
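Review bot: escaping the underscores in `*\_\_default\_\_*` is a genuine rendering fix (unescaped `__default__` would otherwise be parsed as bold), so it is slightly more than a formatting tidy and could be called out in the commit message. In the same bullet, `lookup the *seuser_id*` uses the noun where the verb `look up` is meant.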
@@ -104,8 +101,8 @@ __default__:user_u:s0-s0
 
 **Supporting libselinux API functions are:**
 
--   ***getseuser**(3)*
--   ***getseuserbyname**(3)*
+- ***getseuser**(3)*
+- ***getseuserbyname**(3)*
 
 ## *booleans*
 ## *booleans.local*
@@ -120,10 +117,10 @@ file section.
 
 For systems that do use these files:
 
--   ***security_set_boolean_list**(3)* - Writes a *boolean.local* file if
-    flag *permanent* = '*1*'.
--   ***security_load_booleans**(3)* - Will look for a *booleans* or
-    *booleans.local* file here unless a specific path is specified.
+- ***security_set_boolean_list**(3)* - Writes a *boolean.local* file if
+  flag *permanent* = '*1*'.
+- ***security_load_booleans**(3)* - Will look for a *booleans* or
+  *booleans.local* file here unless a specific path is specified.
 
 Both files have the same format and contain one or more boolean names.
 
@@ -137,12 +134,12 @@ boolean_name value
 
 *boolean_name*
 
--   The name of the boolean.
+- The name of the boolean.
 
 *value*
 
--   The default setting for the boolean that can be one of the following:
-    -  *true* | *false* | *1* | *0*
+- The default setting for the boolean that can be one of the following:
+  -  *true* | *false* | *1* | *0*
 
 Note that if *SETLOCALDEFS* is set in the SELinux
 [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) file, then
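Review bot: the nested item `  -  *true* | *false* | *1* | *0*` keeps two spaces after the dash while every other list marker in this patch is normalised to `- `; for consistency (and to satisfy markdownlint's MD030 list-marker-space rule) it should be `  - *true* | *false* | *1* | *0*`.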
@@ -172,11 +169,11 @@ policy_bool_name new_name
 
 *policy_bool_name*
 
--   The policy boolean name.
+- The policy boolean name.
 
 *new_name*
 
--   The new boolean name.
+- The new boolean name.
 
 **Example:**
 
@@ -195,10 +192,10 @@ the name will be looked up and if using the *new_name*, then the
 
 Supporting libselinux API functions are:
 
--   ***selinux_booleans_subs_path**(3)*
--   ***selinux_booleans_sub**(3)*
--   ***security_get_boolean_names**(3)*
--   ***security_set_boolean**(3)*
+- ***selinux_booleans_subs_path**(3)*
+- ***selinux_booleans_sub**(3)*
+- ***security_get_boolean_names**(3)*
+- ***security_set_boolean**(3)*
 
 ## *setrans.conf*
 
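Review bot: `Supporting libselinux API functions are:` on the context line at the top of this hunk is plain text, while the same lead-in in the *seusers* section is bolded (`**Supporting libselinux API functions are:**`); as this is a formatting tidy-up, it would be worth making the lead-in consistent wherever the hunk already touches the list beneath it.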
@@ -254,9 +251,10 @@ Include=/etc/selinux/mls/setrans.d/constraints.conf
 ```
 
 Supporting libselinux API functions are:
--   ***selinux_translations_path**(3)*
--   ***selinux_raw_to_trans_context**(3)*
--   ***selinux_trans_to_raw_context**(3)*
+
+- ***selinux_translations_path**(3)*
+- ***selinux_raw_to_trans_context**(3)*
+- ***selinux_trans_to_raw_context**(3)*
 
 ## *secolor.conf*
 
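Review bot: inserting the blank line between `Supporting libselinux API functions are:` and the list is correct: markdownlint's MD032 (lists should be surrounded by blank lines) flags the old form, and renderers differ on whether a list may start directly after a paragraph line. The lead-in here is also unbolded, unlike the `**Supporting libselinux API functions are:**` form used in other sections.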
@@ -278,39 +276,39 @@ context_component string fg_color_name bg_color_name
 
 *color*
 
--   The color keyword.
+- The color keyword.
 
 *color_name*
 
--   A descriptive name for the colour (e.g. *red*).
+- A descriptive name for the colour (e.g. *red*).
 
 *color_mask*
 
--   A colour mask starting with a hash '*#*' that describes the RGB colours
-    with black being *#000000* and white being *#ffffff*.
+- A colour mask starting with a hash '*#*' that describes the RGB colours
+  with black being *#000000* and white being *#ffffff*.
 
 *context_component*
 
--   The colour translation supports different colours on the context string
-    components (*user*, *role*, *type* and *range*). Each component is on a
-    separate line.
+- The colour translation supports different colours on the context string
+  components (*user*, *role*, *type* and *range*). Each component is on a
+  separate line.
 
 *string*
 
--   This is the *context_component* string that will be matched with the
-    *raw* context component passed by ***selinux_raw_context_to_color**(3)*.
-    A wildcard '*\**' may be used to match any undefined *string* for the
-    *user*, *role* and *type* *context_component* entries only.
+- This is the *context_component* string that will be matched with the
+  *raw* context component passed by ***selinux_raw_context_to_color**(3)*.
+  A wildcard '*\**' may be used to match any undefined *string* for the
+  *user*, *role* and *type* *context_component* entries only.
 
 *fg_color_name*
 
--   The *color_name* string that will be used as the foreground colour.
-    A *color_mask* may also be used.
+- The *color_name* string that will be used as the foreground colour.
+  A *color_mask* may also be used.
 
 *bg_color_name*
 
--   The *color_name* string that will be used as the background colour.
-    A *color_mask* may also be used.</p></td>
+- The *color_name* string that will be used as the background colour.
+  A *color_mask* may also be used.
 
 **Example file contents:**
 
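Review bot: removing the stray `</p></td>` from the end of the *bg_color_name* bullet is the one substantive fix in this hunk (leftover HTML from the original table conversion), and it suggests other fragments may remain; `grep -n '</\?\(p\|td\|tr\|table\|tbody\)>' src/*.md` over the converted sources would catch them. The mixed `color` (file keywords) and `colour` (prose) spelling is presumably intentional, since `color` is the literal keyword in the format.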
@@ -337,10 +335,10 @@ range s15:c0.c1023 = black yellow
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_colors_path**(3)*
--   ***selinux_raw_context_to_color**(3)* - this call returns the foreground
-    and background colours of the context string as the specified RGB 'colour'
-    hex digits as follows:
+- ***selinux_colors_path**(3)*
+- ***selinux_raw_context_to_color**(3)* - this call returns the foreground
+  and background colours of the context string as the specified RGB 'colour'
+  hex digits as follows:
 
 ```
 user : role : type : range
@@ -380,9 +378,9 @@ type
 
 *type*
 
--   The type defined in the policy that needs to excluded from relabeling.
-    An example is when a file has been purposely relabeled with a different
-    type to allow an application to work.
+- The type defined in the policy that needs to excluded from relabeling.
+  An example is when a file has been purposely relabeled with a different
+  type to allow an application to work.
 
 **Example file contents:**
 
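Review bot: the rewrapped bullet keeps `The type defined in the policy that needs to excluded from relabeling`, which is missing `be` (`needs to be excluded`); fix it while the line is being touched.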
@@ -397,9 +395,9 @@ sysadm_untrusted_content_tmp_t
 
 **Supporting libselinux API functions are:**
 
--   ***is_context_customizable**(3)*
--   ***selinux_customizable_types_path**(3)*
--   ***selinux_context_path**(3)*
+- ***is_context_customizable**(3)*
+- ***selinux_customizable_types_path**(3)*
+- ***selinux_context_path**(3)*
 
 ## *contexts/default_contexts*
 
@@ -407,14 +405,14 @@ The ***default_contexts**(5)* file is used by SELinux-aware applications
 that need to set a security context for user processes (generally the
 login applications) where:
 
-1.  The GNU / Linux user identity should be known by the application.
-2.  If a login application, then the SELinux user (seuser), would have
-    been determined as described in the [*seusers*](#seusers) file
-    section.
-3.  The login applications will check the
-    [*contexts/users/[seuser_id]*](#contextsusersseuser_id) file
-    first and if no valid entry, will then look in the *[seuser_id]*
-    file for a default context to use.
+1. The GNU / Linux user identity should be known by the application.
+2. If a login application, then the SELinux user (seuser), would have
+   been determined as described in the [*seusers*](#seusers) file
+   section.
+3. The login applications will check the
+   [*contexts/users/[seuser_id]*](#contextsusersseuser_id) file
+   first and if no valid entry, will then look in the *[seuser_id]*
+   file for a default context to use.
 
 **The file format is as follows:**
 
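Review bot: item 3 reads `will check the [*contexts/users/[seuser_id]*] file first and if no valid entry, will then look in the *[seuser_id]* file for a default context`, which names the same file twice; given that this section documents *default_contexts*, the fallback is presumably `*default_contexts*`, and the sentence should say so. Item 2 also has a stray comma in `the SELinux user (seuser), would have been determined`. Both are carried over unchanged from the old list, so the renumbering is faithful, but the tidy-up is the natural place to fix them.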
@@ -426,12 +424,12 @@ role:type[:range] role:type[:range] ...
 
 *role:type[:range]*
 
--   The file contains one or more lines that consist of *role:type[:range]*
-    pairs (including the MLS / MCS *level* or *range* if applicable).
-    -  The entry at the start of a new line corresponds to the partial
-       *role:type[:range]* context of (generally) the login application.
-    -  The other *role:type[:range]* entries on that line represent an ordered
-       list of valid contexts that may be used to set the users context.
+- The file contains one or more lines that consist of *role:type[:range]*
+  pairs (including the MLS / MCS *level* or *range* if applicable).
+- The entry at the start of a new line corresponds to the partial
+  *role:type[:range]* context of (generally) the login application.
+- The other *role:type[:range]* entries on that line represent an ordered
+  list of valid contexts that may be used to set the users context.
 
 **Example file contents:**
 
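Review bot: this hunk flattens the list structure: the two sub-points (`The entry at the start of a new line ...` and `The other *role:type[:range]* entries ...`) were previously nested under the first bullet with `    -  `, and now appear as siblings at the top level, which changes the meaning (they describe the contents of the lines introduced by the first bullet). If the aim is consistent two-space nesting, keep them indented as `  - ` under the parent rather than promoting them.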
@@ -449,16 +447,16 @@ system_r:xdm_t:s0 user_r:user_t:s0
 Note that the *contexts/users/[seuser_id]* file is also read by some of
 these functions.
 
--   ***selinux_contexts_path**(3)*
--   ***selinux_default_context_path**(3)*
--   ***get_default_context**(3)*
--   ***get_ordered_context_list**(3)*
--   ***get_ordered_context_list_with_level**(3)*
--   ***get_default_context_with_level**(3)*
--   ***get_default_context_with_role**(3)*
--   ***get_default_context_with_rolelevel**(3)*
--   ***query_user_context**(3)*
--   ***manual_user_enter_context**(3)*
+- ***selinux_contexts_path**(3)*
+- ***selinux_default_context_path**(3)*
+- ***get_default_context**(3)*
+- ***get_ordered_context_list**(3)*
+- ***get_ordered_context_list_with_level**(3)*
+- ***get_default_context_with_level**(3)*
+- ***get_default_context_with_role**(3)*
+- ***get_default_context_with_rolelevel**(3)*
+- ***query_user_context**(3)*
+- ***manual_user_enter_context**(3)*
 
 An example use in this Notebook (to get over a small feature) is that
 when the initial **basic policy** was built, no default_contexts file
@@ -511,7 +509,7 @@ information at:
 
 **Supporting libselinux API function is:**
 
--   ***selinux_context_path**(3)*
+- ***selinux_context_path**(3)*
 
 ## *contexts/default_type*
 
@@ -528,8 +526,8 @@ role:type
 
 *role:type*
 
--   The file contains one or more lines that consist of *role:type* entries.
-    There should be one line for each role defined within the policy.
+- The file contains one or more lines that consist of *role:type* entries.
+  There should be one line for each role defined within the policy.
 
 **Example file contents:**
 
@@ -544,8 +542,8 @@ user_r:user_t
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_default_type_path**(3)*
--   ***get_default_type**(3)*
+- ***selinux_default_type_path**(3)*
+- ***get_default_type**(3)*
 
 ## *contexts/failsafe_context*
 
@@ -563,8 +561,8 @@ role:type[:range]
 
 *role:type[:range]*
 
--   A single line that has a valid context to allow an administrator access
-    to the system, including the MLS / MCS *level* or *range* if applicable.
+- A single line that has a valid context to allow an administrator access
+  to the system, including the MLS / MCS *level* or *range* if applicable.
 
 **Example file contents:**
 
@@ -576,14 +574,14 @@ sysadm_r:sysadm_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
--   ***selinux_failsafe_context_path**(3)*
--   ***get_default_context**(3)*
--   ***get_default_context_with_role**(3)*
--   ***get_default_context_with_level**(3)*
--   ***get_default_context_with_rolelevel**(3)*
--   ***get_ordered_context_list**(3)*
--   ***get_ordered_context_list_with_level**(3)*
+- ***selinux_context_path**(3)*
+- ***selinux_failsafe_context_path**(3)*
+- ***get_default_context**(3)*
+- ***get_default_context_with_role**(3)*
+- ***get_default_context_with_level**(3)*
+- ***get_default_context_with_rolelevel**(3)*
+- ***get_ordered_context_list**(3)*
+- ***get_ordered_context_list_with_level**(3)*
 
 ## *contexts/initrc_context*
 
@@ -601,8 +599,8 @@ user:role:type[:range]
 
 *user:role:type[:range]*
 
--   The file contains one line that consists of a security context,
-    including the MLS / MCS *level* or *range* if applicable.
+- The file contains one line that consists of a security context,
+  including the MLS / MCS *level* or *range* if applicable.
 
 **Example file contents:**
 
@@ -615,7 +613,7 @@ system_u:system_r:initrc_t:s0-s15:c0.c255
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
+- ***selinux_context_path**(3)*
 
 ## *contexts/lxc_contexts*
 
@@ -634,24 +632,24 @@ content = "security_context"
 
 *process*
 
--   A single *process* entry that contains the lxc domain security context,
-    including the MLS / MCS *level* or *range* if applicable.
+- A single *process* entry that contains the lxc domain security context,
+  including the MLS / MCS *level* or *range* if applicable.
 
 *file*
 
--   A single *file* entry that contains the lxc file security context,
-    including the MLS / MCS *level* or *range* if applicable.</td>
+- A single *file* entry that contains the lxc file security context,
+  including the MLS / MCS *level* or *range* if applicable.
 
 *content*
 
--   A single *content* entry that contains the lxc content security context,
-    including the MLS / MCS *level* or *range* if applicable.</td>
+- A single *content* entry that contains the lxc content security context,
+  including the MLS / MCS *level* or *range* if applicable.
 
 *sandbox_kvm_process*
 
 *sandbox_lxc_process*
 
--   These entries may be present and contain the security context.
+- These entries may be present and contain the security context.
 
 **Example file contents:**
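Review bot: the dropped `</td>` remnants at the end of the *file* and *content* bullets deserve a line in the commit message: they are leftover HTML from the earlier table conversion rather than a whitespace-only change, and the cover letter describes this batch as formatting only.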
 
@@ -667,8 +665,8 @@ sandbox_lxc_process = "system_u:system_r:container_t:s0"
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
--   ***selinux_lxc_context_path**(3)*
+- ***selinux_context_path**(3)*
+- ***selinux_lxc_context_path**(3)*
 
 ## *contexts/netfilter_contexts* - Obsolete
 
@@ -677,8 +675,8 @@ matching of network packets - Never been used.
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
--   ***selinux_netfilter_context_path**(3)*
+- ***selinux_context_path**(3)*
+- ***selinux_netfilter_context_path**(3)*
 
 ## *contexts/openrc_contexts*
 
@@ -690,8 +688,8 @@ matching of network packets - Never been used.
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
--   ***selinux_openrc_contexts_path**(3)*
+- ***selinux_context_path**(3)*
+- ***selinux_openrc_contexts_path**(3)*
 
 ## *contexts/openssh_contexts*
 
@@ -707,8 +705,8 @@ privsep_preauth=sshd_net_t
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
--   ***selinux_openssh_contexts_path**(3)*
+- ***selinux_context_path**(3)*
+- ***selinux_openssh_contexts_path**(3)*
 
 ## *contexts/removable_context*
 
@@ -726,8 +724,8 @@ user:role:type[:range]
 
 *user:role:type[:range]*
 
--   The file contains one line that consists of a security context,
-    including the MLS / MCS *level* or *range* if applicable.
+- The file contains one line that consists of a security context,
+  including the MLS / MCS *level* or *range* if applicable.
 
 **Example file contents:**
 
@@ -737,7 +735,7 @@ system_u:object_r:removable_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_removable_context_path**(3)*
+- ***selinux_removable_context_path**(3)*
 
 ## *contexts/sepgsql_contexts*
 
@@ -754,20 +752,20 @@ object_type object_name context
 
 *object_type*
 
--   This is the string representation of the object type.
+- This is the string representation of the object type.
 
 *object_name*
 
--   These are the object names of the specific database objects.
-    The entry can contain '*\**' for wildcard matching or '*?*' for
-    substitution. Note that if the '*\**' is used, then be aware that the order
-    of entries in the file is important. The '*\**' on its own is used to ensure
-    a default fallback context is assigned and should be the last entry in the
-    *object_type* block.
+- These are the object names of the specific database objects.
+  The entry can contain '*\**' for wildcard matching or '*?*' for
+  substitution. Note that if the '*\**' is used, then be aware that the order
+  of entries in the file is important. The '*\**' on its own is used to ensure
+  a default fallback context is assigned and should be the last entry in the
+  *object_type* block.
 
 *context*
 
--   The security *context* that will be applied to the object.
+- The security *context* that will be applied to the object.
 
 **Example file contents:**
 
@@ -792,8 +790,8 @@ snapperd_data = system_u:object_r:snapperd_data_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
--   ***selinux_snapperd_contexts_path**(3)*
+- ***selinux_context_path**(3)*
+- ***selinux_snapperd_contexts_path**(3)*
 
 ## *contexts/securetty_types*
 
@@ -810,7 +808,7 @@ type
 
 *type*
 
--   Zero or more type entries that are defined in the policy for tty devices.
+- Zero or more type entries that are defined in the policy for tty devices.
 
 **Example file contents:**
 
@@ -822,7 +820,7 @@ staff_tty_device_t
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_securetty_types_path**(3)*
+- ***selinux_securetty_types_path**(3)*
 
 ## *contexts/systemd_contexts*
 
@@ -838,13 +836,13 @@ service_class = security_context
 
 *service_class*
 
--   One or more entries that relate to the ***systemd**(1)* service (e.g.
-    runtime, transient).
+- One or more entries that relate to the ***systemd**(1)* service (e.g.
+  runtime, transient).
 
 *security_context*
 
--   The security context, including the MLS / MCS *level* or *range* if
-    applicable of the service to be run.
+- The security context, including the MLS / MCS *level* or *range* if
+  applicable of the service to be run.
 
 **Example file contents:**
 
@@ -854,8 +852,8 @@ runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
--   ***selinux_systemd_contexts_path**(3)*
+- ***selinux_context_path**(3)*
+- ***selinux_systemd_contexts_path**(3)*
 
 ## *contexts/userhelper_context*
 
@@ -872,8 +870,8 @@ security_context
 
 *security_context*
 
--   The file contains one line that consists of a full security context,
-    including the MLS / MCS *level* or *range* if applicable.
+- The file contains one line that consists of a full security context,
+  including the MLS / MCS *level* or *range* if applicable.
 
 **Example file contents:**
 
@@ -883,7 +881,7 @@ system_u:sysadm_r:sysadm_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_context_path**(3)*
+- ***selinux_context_path**(3)*
 
 ## *contexts/virtual_domain_context*
 
@@ -902,7 +900,7 @@ system_u:system_r:svirt_tcg_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_virtual_domain_context_path**(3)*
+- ***selinux_virtual_domain_context_path**(3)*
 
 ## *contexts/virtual_image_context*
 
@@ -921,7 +919,7 @@ system_u:object_r:virt_content_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_virtual_image_context_path**(3)*
+- ***selinux_virtual_image_context_path**(3)*
 
 ## *contexts/x_contexts*
 
@@ -943,32 +941,32 @@ selection      PRIMARY	   system_u:object_r:clipboard_xselection_t:s0
 
 *object_type*
 
--   These are types of object supported and valid entries are: *client*,
-    *property*, *poly_property*, *extension*, *selection*, *poly_selection*
-    and *events*.
+- These are types of object supported and valid entries are: *client*,
+  *property*, *poly_property*, *extension*, *selection*, *poly_selection*
+  and *events*.
 
 *object_name*
 
--   These are the object names of the specific X-server resource such as
-    *PRIMARY*, *CUT_BUFFER0* etc. They are generally defined in the X-server
-    source code (*protocol.txt* and *BuiltInAtoms* in the *dix* directory of
-    the *xorg-server* source package). This can contain '*\**' for 'any'
-    or '*?*' for 'substitute' (see the *CUT_BUFFER?* entry where the '*?*'
-    would be substituted for a number between 0 and 7 that represents the
-    number of these buffers).
+- These are the object names of the specific X-server resource such as
+  *PRIMARY*, *CUT_BUFFER0* etc. They are generally defined in the X-server
+  source code (*protocol.txt* and *BuiltInAtoms* in the *dix* directory of
+  the *xorg-server* source package). This can contain '*\**' for 'any'
+  or '*?*' for 'substitute' (see the *CUT_BUFFER?* entry where the '*?*'
+  would be substituted for a number between 0 and 7 that represents the
+  number of these buffers).
 
 *context*
 
--   This is the security context that will be applied to the object.
-    For MLS/MCS systems there would be the additional MLS label.
+- This is the security context that will be applied to the object.
+  For MLS/MCS systems there would be the additional MLS label.
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_x_context_path**(3)*
--   ***selabel_open**(3)*
--   ***selabel_close**(3)*
--   ***selabel_lookup**(3)*
--   ***selabel_stats**(3)*
+- ***selinux_x_context_path**(3)*
+- ***selabel_open**(3)*
+- ***selabel_close**(3)*
+- ***selabel_lookup**(3)*
+- ***selabel_stats**(3)*
 
 ## *contexts/files/file_contexts*
 
@@ -996,11 +994,11 @@ compatible regular expression (PCRE) internal format.
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_file_context_path**(3)*
--   ***selabel_open**(3)*
--   ***selabel_close**(3)*
--   ***selabel_lookup**(3)*
--   ***selabel_stats**(3)*
+- ***selinux_file_context_path**(3)*
+- ***selabel_open**(3)*
+- ***selabel_close**(3)*
+- ***selabel_lookup**(3)*
+- ***selabel_stats**(3)*
 
 ## *contexts/files/file_contexts.local*
 
@@ -1011,7 +1009,7 @@ file section to allow locally defined files to be labeled correctly. The
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_file_context_local_path**(3)*
+- ***selinux_file_context_local_path**(3)*
 
 ## *contexts/files/file_contexts.homedirs*
 
@@ -1034,8 +1032,8 @@ Perl compatible regular expression (PCRE) internal format.
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_file_context_homedir_path**(3)*
--   ***selinux_homedir_context_path**(3)*
+- ***selinux_file_context_homedir_path**(3)*
+- ***selinux_homedir_context_path**(3)*
 
 ## *contexts/files/file_contexts.subs*
 ## *contexts/files/file_contexts.subs_dist*
@@ -1062,11 +1060,11 @@ with */var/www*, with the final result being:
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_file_context_subs_path**(3)*
--   ***selinux_file_context_subs_dist_path**(3)*
--   ***selabel_lookup**(3)*
--   ***matchpathcon**(3)* (deprecated)
--   ***matchpathcon_index**(3)* (deprecated)
+- ***selinux_file_context_subs_path**(3)*
+- ***selinux_file_context_subs_dist_path**(3)*
+- ***selabel_lookup**(3)*
+- ***matchpathcon**(3)* (deprecated)
+- ***matchpathcon_index**(3)* (deprecated)
 
 ## *contexts/files/media*
 
@@ -1085,12 +1083,12 @@ media_id file_context
 
 *media_id*
 
--   The media identifier (those known are: cdrom, floppy, disk and usb).
+- The media identifier (those known are: cdrom, floppy, disk and usb).
 
 *file_context*
 
--   The context to be used for the device. Note that it does not have the
-    MLS / MCS level).
+- The context to be used for the device. Note that it does not have the
+  MLS / MCS level).
 
 **Example file contents:**
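Review bot: unbalanced closing parenthesis in the *file_context* bullet, "Note that it does not have the MLS / MCS level)."; either drop the ")" or wrap the whole sentence as "(Note that it does not have the MLS / MCS level.)".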
 
@@ -1102,7 +1100,7 @@ disk system_u:object_r:fixed_disk_device_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_media_context_path**(3)*
+- ***selinux_media_context_path**(3)*
 
 ## *contexts/users/[seuser_id]*
 
@@ -1131,15 +1129,15 @@ system_r:init_t:s0		unconfined_r:unconfined_t:s0
 
 **Supporting libselinux API functions are:**
 
--   ***selinux_user_contexts_path**(3)*
--   ***selinux_users_path**(3)*
--   ***selinux_usersconf_path**(3)*
--   ***get_default_context**(3)*
--   ***get_default_context_with_role**(3)*
--   ***get_default_context_with_level**(3)*
--   ***get_default_context_with_rolelevel**(3)*
--   ***get_ordered_context_list**(3)*
--   ***get_ordered_context_list_with_level**(3)*
+- ***selinux_user_contexts_path**(3)*
+- ***selinux_users_path**(3)*
+- ***selinux_usersconf_path**(3)*
+- ***get_default_context**(3)*
+- ***get_default_context_with_role**(3)*
+- ***get_default_context_with_level**(3)*
+- ***get_default_context_with_rolelevel**(3)*
+- ***get_ordered_context_list**(3)*
+- ***get_ordered_context_list_with_level**(3)*
 
 ## *logins/\<linuxuser_id\>*
 
@@ -1168,11 +1166,11 @@ service_name:seuser_id:level
 
 *service_name*
 
--   The name of the service.
+- The name of the service.
 
 *seuser_id*
 
--   The SELinux user name.
+- The SELinux user name.
 
 *level*
 
@@ -1188,7 +1186,7 @@ another_service:unconfined_u:s0
 
 **Supporting libselinux API functions are:**
 
--   ***getseuser**(3)*
+- ***getseuser**(3)*
 
 ## *users/local.users*
 
-- 
2.26.2




* [PATCH 05/22] policy_validation_example: Tidy up formatting
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/policy_validation_example.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/policy_validation_example.md b/src/policy_validation_example.md
index 8b7513f..222d216 100644
--- a/src/policy_validation_example.md
+++ b/src/policy_validation_example.md
@@ -1,7 +1,8 @@
 # Appendix E - Policy Validation Example
 
 This example has been taken from
-[**http://selinuxproject.org/page/PolicyValidate**](http://selinuxproject.org/page/PolicyValidate) just in case the site is removed some day.
+[**http://selinuxproject.org/page/PolicyValidate**](http://selinuxproject.org/page/PolicyValidate)
+just in case the site is removed some day.
 
 ***libsemanage(8)*** is the library responsible for building a kernel policy
 from policy modules. It has many features but one that is rarely
-- 
2.26.2



* [PATCH 06/22] postgresql: Tidy up formatting
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/postgresql.md | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/postgresql.md b/src/postgresql.md
index 8e69f3f..595a594 100644
--- a/src/postgresql.md
+++ b/src/postgresql.md
@@ -1,12 +1,12 @@
 # PostgreSQL SELinux Support
 
--   [**sepgsql Overview**](#sepgsql-overview)
--   [**Installing SE-PostgreSQL**](#installing-se-postgresql)
--   [***SECURITY LABEL* SQL Command**](#security-label-sql-command)
--   [**Additional SQL Functions**](#additional-sql-functions)
--   [***postgresql.conf* Entries**](#postgresql.conf-entries)
--   [**Logging Security Events**](#logging-security-events)
--   [**Internal Tables**](#internal-tables)
+- [sepgsql Overview](#sepgsql-overview)
+- [Installing SE-PostgreSQL](#installing-se-postgresql)
+- [*SECURITY LABEL* SQL Command](#security-label-sql-command)
+- [Additional SQL Functions](#additional-sql-functions)
+- [*postgresql.conf* Entries](#postgresql.conf-entries)
+- [Logging Security Events](#logging-security-events)
+- [Internal Tables](#internal-tables)
 
 This section gives an overview of PostgreSQL version 11.x with the
 *sepgsql* extension to support SELinux. It assumes some basic knowledge
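Review bot: the TOC anchor `#postgresql.conf-entries` keeps the period from the heading text, but GitHub-style heading slugs strip punctuation, so on that renderer the link must be `#postgresqlconf-entries`; pandoc keeps periods in its auto-generated identifiers, so confirm which renderer the Notebook targets before relying on this anchor (the pre-patch line carries the same anchor, so the issue is inherited rather than introduced here).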
@@ -144,14 +144,13 @@ by the *sepgsql.sql* script. If the parameter is NULL, then the default
 The *postgresql.conf* file supports the following additional entries to
 enable and manage SE-PostgreSQL:
 
-1.  This entry is mandatory to enable the *sepgsql* extension to be
-    loaded:
+- This entry is mandatory to enable the *sepgsql* extension to be loaded:
 
 ```
 shared_preload_libraries = 'sepgsql'
 ```
 
-2.  These entries are optional and default to '*off*'.
+- These entries are optional and default to '*off*'.
 
 ```
 # This enables sepgsql to always run in permissive mode:
-- 
2.26.2



* [PATCH 07/22] security_context: Convert to markdown
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/security_context.md | 83 ++++++++++++++++++++++-------------------
 1 file changed, 45 insertions(+), 38 deletions(-)

diff --git a/src/security_context.md b/src/security_context.md
index 3ca93a2..cb0fc4a 100644
--- a/src/security_context.md
+++ b/src/security_context.md
@@ -20,47 +20,50 @@ user:role:type[:range]
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>user</code></td>
-<td>The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.</td>
-</tr>
-<tr>
-<td><code>role</code></td>
-<td>The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.</td>
-</tr>
-<tr>
-<td><code>type</code></td>
-<td><p>When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access.</p>
-<p>When a type is associated with an object, it defines what access permissions the SELinux user has to that object.</p></td>
-</tr>
-<tr>
-<td><code>range</code></td>
-<td><p>This field can also be know as a <em>level</em> and is only present if the policy supports MCS or MLS. The entry can consist of:
-<p>A single security level that contains a sensitivity level and zero or more categories (e.g. s0, s1:c0, s7:c10.c15).</p>
-<p>A range that consists of two security levels (a low and high) separated by a hyphen (e.g. s0 - s15:c0.c1023).</p>
-<p>These components are discussed in the <a href="mls_mcs.md#security-levels">Security Levels</a> section.</p></td>
-</tr>
-</tbody>
-</table>
+*user*
+
+- The SELinux user identity. This can be associated to one or more roles
+  that the SELinux user is allowed to use.
+
+*role*
+
+- The SELinux role. This can be associated to one or more types the SELinux
+  user is allowed to access.
+
+*type*
+
+- When a type is associated with a process, it defines what processes
+  (or domains) the SELinux user (the subject) can access.
+  When a type is associated with an object, it defines what access
+  permissions the SELinux user has to that object.
+
+*range*
+
+- This field can also be know as a *level* and is only present if the policy
+  supports MCS or MLS. The entry can consist of:
+  - A single security level that contains a sensitivity level and zero
+    or more categories (e.g. *s0*, *s1:c0*, *s7:c10.c15*).
+  - A range that consists of two security levels (a low and high) separated
+   by a hyphen (e.g. *s0 - s15:c0.c1023*).
+- These components are discussed in the
+  [**Security Levels**]( mls_mcs.md#security-levels) section.
 
 However note that:
 
-1.  Access decisions regarding a subject make use of all the components
-    of the **security context**.
-2.  Access decisions regarding an object make use of the components as
-    follows:
-    1.  the user is either set to a special user called system_u or it
-        is set to the SELinux user id of the creating process. It is
-        possible to add constraints on users within policy based on
-        their object class (an example of this is the Reference Policy
-        UBAC (User Based Access Control) option.
-    2.  the role is generally set to a special SELinux internal role of
-        'object_r`, although policy version 26 with kernel 2.6.39 and
-        above do support role transitions on any object class. It is
-        then possible to add constraints on the role within policy
-        based on their object class.
+1. Access decisions regarding a subject make use of all the components
+   of the **security context**.
+2. Access decisions regarding an object make use of the components as
+   follows:
+    1. the user is either set to a special user called *system_u*[^fn_sc_1]
+       or it is set to the SELinux user id of the creating process. It is
+       possible to add constraints on users within policy based on
+       their object class (an example of this is the Reference Policy
+       UBAC (User Based Access Control) option.
+    2. the role is generally set to a special SELinux internal role of
+       *object_r*, although policy version 26 with kernel 2.6.39 and
+       above do support role transitions on any object class. It is
+       then possible to add constraints on the role within policy
+       based on their object class.
 
 The [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts)
 section decribes how SELinux computes the security context components based
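Review bot: three small issues in the rewritten *range* block: the link `[**Security Levels**]( mls_mcs.md#security-levels)` has a stray space before the destination, the continuation line "   by a hyphen" is indented three spaces while its sibling continuation uses four, and "know as a *level*" (a typo for "known") is carried over from the old table cell. In the numbered list below it, "policy version 26 with kernel 2.6.39 and above do support" should read "does support". Since this hunk also introduces the footnote reference `[^fn_sc_1]`, the commit message should say so, given that the cover letter describes the batch as having no text changes.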
@@ -116,6 +119,10 @@ unconfined_u:object_r:out_file_t Message-11
 # (see the process example above). The role remained as object_r.
 ```
 
+[^fn_sc_1]: The user *system_u* name is not mandatory, it is used to signify
+a special user in the Reference Policy. It is also used in some SELinux
+utilities.
+
 <!-- %CUTHERE% -->
 
 ---
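Review bot: comma splice in the new footnote, "The user *system_u* name is not mandatory, it is used to signify"; split it into two sentences or use a semicolon, and "The *system_u* user name" reads more naturally than "The user *system_u* name".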
-- 
2.26.2



* [PATCH 08/22] selinux_cmds: Convert to markdown
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/selinux_cmds.md | 256 +++++++++++++++++++-------------------------
 1 file changed, 112 insertions(+), 144 deletions(-)

diff --git a/src/selinux_cmds.md b/src/selinux_cmds.md
index 918d4c1..1b68771 100644
--- a/src/selinux_cmds.md
+++ b/src/selinux_cmds.md
@@ -7,150 +7,118 @@ has a page that details all the available tools and commands at:
 
 <https://github.com/SELinuxProject/selinux/wiki/Tools>
 
-<table>
-<tbody>
-<tr style="background-color:#F2F2F2;">
-<td><strong>Command</strong></td>
-<td><strong>Man Page</strong></td>
-<td><strong>Purpose</strong></td>
-</tr>
-<tr>
-<td>audit2allow</td>
-<td>1</td>
-<td>Generates policy allow rules from the audit.log file.</td>
-</tr>
-<tr>
-<td>audit2why</td>
-<td>8</td>
-<td>Describes audit.log messages and why access was denied.</td>
-</tr>
-<tr>
-<td>avcstat</td>
-<td>8</td>
-<td>Displays the AVC statistics.</td>
-</tr>
-<tr>
-<td>chcat</td>
-<td>8</td>
-<td>Change or remove a catergory from a file or user. </td>
-</tr>
-<tr>
-<td>chcon</td>
-<td>1</td>
-<td>Changes the security context of a file.</td>
-</tr>
-<tr>
-<td>checkmodule</td>
-<td>8</td>
-<td>Compiles base and loadable modules from source.</td>
-</tr>
-<tr>
-<td>checkpolicy</td>
-<td>8</td>
-<td>Compiles a monolithic policy from source.</td>
-</tr>
-<tr>
-<td>fixfiles</td>
-<td>8</td>
-<td>Update / correct the security context of for filesystems that use extended attributes.</td>
-</tr>
-<tr>
-<td>genhomedircon</td>
-<td>8</td>
-<td>Generates file configuration entries for users home directories. This command has also been built into <em><strong>semanage</strong>(8)</em>, therefore when using the policy store / loadable modules this does not need to be used.</td>
-</tr>
-<tr>
-<td>getenforce</td>
-<td>1</td>
-<td>Shows the current enforcement state.</td>
-</tr>
-<tr>
-<td>getsebool</td>
-<td>8</td>
-<td>Shows the state of the booleans.</td>
-</tr>
-<tr>
-<td>load_policy</td>
-<td>8</td>
-<td>Loads a new policy into the kernel. Not required when using <em><strong>semanage</strong>(8)</em> / <em><strong>semodule</strong>(8)</em> commands.</td>
-</tr>
-<tr>
-<td>matchpathcon</td>
-<td>8</td>
-<td>Show a files path and security context.</td>
-</tr>
-<tr>
-<td>newrole</td>
-<td>1</td>
-<td>Allows users to change roles - runs a new shell with the new security context.</td>
-</tr>
-<tr>
-<td>restorecon</td>
-<td>8</td>
-<td>Sets the security context on one or more files.</td>
-</tr>
-<tr>
-<td>run_init</td>
-<td>8</td>
-<td>Runs an <em>init</em> script under the correct context.</td>
-</tr>
-<tr>
-<td>runcon</td>
-<td>1</td>
-<td>Runs a command with the specified context.</td>
-</tr>
-<tr>
-<td>selinuxenabled </td>
-<td>1</td>
-<td>Shows whether SELinux is enabled or not.</td>
-</tr>
-<tr>
-<td>semanage</td>
-<td>8</td>
-<td>Used to configure various areas of a policy within a policy store.</td>
-</tr>
-<tr>
-<td>semodule</td>
-<td>8</td>
-<td>Used to manage the installation, upgrading etc. of policy modules.</td>
-</tr>
-<tr>
-<td>semodule_expand</td>
-<td>8</td>
-<td>Manually expand a base policy package into a kernel binary policy file.</td>
-</tr>
-<tr>
-<td>semodule_link </td>
-<td>8</td>
-<td>Manually link a set of module packages.</td>
-</tr>
-<tr>
-<td>semodule_package</td>
-<td>8</td>
-<td>Create a module package with various configuration files (file context etc.)</td>
-</tr>
-<tr>
-<td>sestatus</td>
-<td>8</td>
-<td>Show the current status of SELinux and the loaded policy.</td>
-</tr>
-<tr>
-<td>setenforce</td>
-<td>1</td>
-<td>Sets / unsets enforcement mode.</td>
-</tr>
-<tr>
-<td>setfiles</td>
-<td>8</td>
-<td>Initialise the extended attributes of filesystems.</td>
-</tr>
-<tr>
-<td>setsebool</td>
-<td>8</td>
-<td>Sets the state of a boolean to on or off persistently across reboots or for this session only. </td>
-</tr>
-</tbody>
-</table>
+***audit2allow**(1)*
+
+Generates policy allow rules from an audit log file.
+
+***audit2why**(8)*
+
+Describes audit log messages and why access was denied.
+
+***avcstat**(8)*
+
+Displays the AVC statistics.
+
+***chcat**(8)*
+
+Change or remove a catergory from a file or user.
+
+***chcon**(1)*
+
+Changes the security context of a file.
+
+***checkmodule**(8)*
+
+Compiles base and loadable modules from source.
+
+***checkpolicy**(8)*
+
+Compiles a monolithic policy from source.
+
+***fixfiles**(8)*
+
+Update / correct the security context of for filesystems that use extended
+attributes.
+
+***genhomedircon**(8)*
+
+Generates file configuration entries for users home directories.
+This command has also been built into ***semanage**(8)*, therefore when using
+the policy store / loadable modules this does not need to be used.
+
+***getenforce**(1)*
+
+Shows the current enforcement state.
+
+***getsebool**(8)*
+
+Shows the state of the booleans.
+
+***load_policy**(8)*
+
+Loads a new policy into the kernel. Not required when using ***semanage**(8)* /
+***semodule**(8)* commands.
+
+***matchpathcon**(8)*
+
+Show a files path and security context.
+
+***newrole**(1)*
+
+Allows users to change roles - runs a new shell with the new security context.
+
+***restorecon**(8)*
+
+Sets the security context on one or more files.
+
+***run_init**(8)*
+
+Runs an *init* script under the correct context.
+
+***runcon**(1)*
+
+Runs a command with the specified context.
+
+***selinuxenabled**(1)*
+
+Shows whether SELinux is enabled or not.
+
+***semanage**(8)*
+
+Used to configure various areas of a policy within a policy store.
+
+***semodule**(8)*
+
+Used to manage the installation, upgrading etc. of policy modules.
+
+***semodule_expand**(8)*
+
+Manually expand a base policy package into a kernel binary policy file.
+
+***semodule_link**(8)*
+
+Manually link a set of module packages.
+
+***semodule_package**(8)*
+
+Create a module package with various configuration files (file context etc.)
+
+***sestatus**(8)*
+
+Show the current status of SELinux and the loaded policy.
+
+***setenforce**(1)*
+
+Sets / unsets enforcement mode.
+
+***setfiles**(8)*
+
+Initialise the extended attributes of filesystems.
+
+***setsebool**(8)*
+
+Sets the state of a boolean to on or off persistently across reboots or for
+this session only.
 
 <!-- %CUTHERE% -->
 
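Review bot: the chcat entry at the top of this hunk has a typo, "Change or remove a catergory from a file or user." should read "category"; since the whole block is being reflowed, this is the cheapest moment to fix it. Two more in the same hunk: the fixfiles entry has a doubled preposition ("the security context of for filesystems that use extended attributes", drop "of"), and the genhomedircon entry wants the possessive, "users' home directories".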
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 09/22] selinux_overview: Convert to markdown
  2020-09-09 13:30 [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Richard Haines
                   ` (7 preceding siblings ...)
  2020-09-09 13:30 ` [PATCH 08/22] selinux_cmds: " Richard Haines
@ 2020-09-09 13:30 ` Richard Haines
  2020-09-09 13:30 ` [PATCH 10/22] sid_statement: " Richard Haines
                   ` (13 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/selinux_overview.md | 33 +++++----------------------------
 1 file changed, 5 insertions(+), 28 deletions(-)

diff --git a/src/selinux_overview.md b/src/selinux_overview.md
index a71b762..33f00eb 100644
--- a/src/selinux_overview.md
+++ b/src/selinux_overview.md
@@ -14,34 +14,11 @@ Note: When SELinux is installed, there are three well defined directory
 locations referenced. Two of these will change with the old and new
 locations as follows:
 
-<table>
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Description</strong></td>
-<td><strong>Old Location</strong></td>
-<td><strong>New Location</strong></td>
-</tr>
-<tr>
-<td><p>The SELinux filesystem that interfaces with the kernel based security server.</p>
-<p>The new location has been available since Fedora 17.</p></td>
-<td><em>/selinux</em></td>
-<td><em>/sys/fs/selinux</em></td>
-</tr>
-<tr>
-<td>The SELinux configuration directory that holds the sub-system configuration files and policies.</td>
-<td><em>/etc/selinux</em></td>
-<td>No change</td>
-</tr>
-<tr>
-<td><p>The SELinux policy store that holds policy modules and configuration details.</p>
-<p>The new location has been available since Fedora 23.</p></td>
-<td><p><em>/etc/selinux/</em></p>
-<p><em>&lt;SELINUXTYPE&gt;/module</em></p></td>
-<td><p><em>/var/lib/selinux/</em></p>
-<p><em>&lt;SELINUXTYPE&gt;</em></p></td>
-</tr>
-</tbody>
-</table>
+| Description | Old Location | New Location |
+| :---------  | :----------- | :----------- |
+The SELinux filesystem that interfaces with the kernel based security server. The new location has been available since Fedora 17. | */selinux* | */sys/fs/selinux* |
+| The SELinux configuration directory that holds the sub-system configuration files and policies. | */etc/selinux* | No change |
+| The SELinux policy store that holds policy modules and configuration details. The new location has been available since Fedora 23. | */etc/selinux/\<SELINUXTYPE\>/module* | */var/lib/selinux/\<SELINUXTYPE\>* |
 
 ## Is SELinux useful
 
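Review bot: the first data row of the new table (the "*/selinux*" row) is missing its leading "|", unlike the header and the two rows below it. Most renderers tolerate a missing outer pipe, but for consistency it should start "| The SELinux filesystem that interfaces ...". The escaped angle brackets in "*/etc/selinux/\<SELINUXTYPE\>/module*" are correct and should stay escaped, since an unescaped "<SELINUXTYPE>" is valid inline HTML tag syntax and would disappear from rendered output.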
-- 
2.26.2

* [PATCH 10/22] sid_statement: Convert to markdown
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/sid_statement.md | 119 ++++++++++++++++---------------------------
 1 file changed, 43 insertions(+), 76 deletions(-)

diff --git a/src/sid_statement.md b/src/sid_statement.md
index 07feb2c..7d6bfcd 100644
--- a/src/sid_statement.md
+++ b/src/sid_statement.md
@@ -1,5 +1,8 @@
 # Security ID (SID) Statement
 
+- [*sid*](#sid)
+- [*sid context*](#sid-context)
+
 There are two *sid* statements, the first one declares the actual *sid*
 identifier and is defined at the start of a policy source file. The
 second statement is used to associate an initial security context to the
@@ -20,45 +23,27 @@ sid sid_id
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>sid</code></td>
-<td>The <code>sid</code> keyword.</td>
-</tr>
-<tr>
-<td><code>sid_id</code></td>
-<td>The <code>sid</code> identifier.</td>
-</tr>
-</tbody>
-</table>
+*sid*
+
+The *sid* keyword.
+
+*sid_id*
+
+The *sid* identifier.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Example:**
 
@@ -86,49 +71,31 @@ sid sid_id context
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>sid</code></td>
-<td>The <code>sid<code> keyword.</td>
-</tr>
-<tr>
-<td><code>sid_id</code></td>
-<td>The previously declared sid identifier. </td>
-</tr>
-<tr>
-<td><code>context</code></td>
-<td>The initial security context.</td>
-</tr>
-</tbody>
-</table>
+*sid*
+
+The *sid* keyword.
+
+*sid_id*
+
+The previously declared *sid* identifier.
+
+*context*
+
+The initial security context.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Examples:**
 
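Review bot: the removed HTML in this hunk contained an unclosed tag, "<code>sid<code>", which the markdown version silently repairs; that is a rendering fix rather than a pure format conversion, so it is worth a line in the commit message. The trailing space on "The previously declared sid identifier. " is likewise dropped by the rewrite, which is fine.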
-- 
2.26.2

* [PATCH 11/22] subjects: Convert to markdown
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/subjects.md | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/src/subjects.md b/src/subjects.md
index 4f677cb..bc7a89a 100644
--- a/src/subjects.md
+++ b/src/subjects.md
@@ -9,13 +9,13 @@ Within SELinux a subject is an active process and has a
 it, however a process can also be referred to as an object depending on the
 context in which it is being taken, for example:
 
-1.  A running process (i.e. an active entity) is a subject because it
-    causes information to flow among objects or can change the system
-    state.
-2.  The process can also be referred to as an object because each
-    process has an associated object class<a href="#fns1" class="footnote-ref" id="fnsub1"><strong><sup>1</sup></strong></a>
-    called '**process**'. This process 'object', defines what permissions the
-    policy is allowed to grant or deny on the active process.
+1. A running process (i.e. an active entity) is a subject because it
+   causes information to flow among objects or can change the system
+   state.
+2. The process can also be referred to as an object because each
+   process has an associated object class[^fn_sub_1]
+   called ***process***. This process 'object', defines what permissions the
+   policy is allowed to grant or deny on the active process.
 
 An example is given of the above scenarios in the
 [**Allowing a Process Access to Resources**](objects.md#allowing-a-process-access-to-resources)
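Review bot: the single quotes around the class name are dropped in item 2 ("called ***process***" replaces "called '**process**'"), a small wording change in what is otherwise a reindent; either form reads fine, but it should be deliberate. While this line is being touched, the pre-existing stray comma in "This process 'object', defines what permissions" could also go.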
@@ -37,11 +37,8 @@ under *semanage_t*).
 
 **Untrusted** - Everything else.
 
-<section class="footnotes">
-<ol>
-<li id="fns1"><p>The object class and its associated permissions are explained in the <strong><a href="object_classes_permissions.md#process-object-class"> Appendix A - Object Classes and Permissions - Process Object Class</a></strong> section.<a href="#fnsub1" class="footnote-back">↩</a></p></li>
-</ol>
-</section>
+[^fn_sub_1]: The object class and its associated permissions are explained in
+[**Appendix A - Object Classes and Permissions - Process Object Class**](object_classes_permissions.md#process-object-class)
 
 <!-- %CUTHERE% -->
 
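Review bot: the footnote text loses its last word and full stop. The removed HTML read "... Process Object Class</a></strong> section." whereas the new "[^fn_sub_1]:" definition ends at the link with no terminating period; suggest "...](object_classes_permissions.md#process-object-class) section." Continuation lines of a footnote definition are also conventionally indented by four spaces so that renderers without lazy continuation still attach the second line to the footnote rather than starting a new paragraph.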
-- 
2.26.2

* [PATCH 12/22] toc: Tidy up formatting
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/toc.md | 120 ++++++++++++++++++++++++++---------------------------
 1 file changed, 60 insertions(+), 60 deletions(-)

diff --git a/src/toc.md b/src/toc.md
index d7a4a72..d915b42 100644
--- a/src/toc.md
+++ b/src/toc.md
@@ -1,65 +1,65 @@
 ## Table of Contents
 
--   [Abbreviations and Terminology](terminology.md#abbreviations-and-terminology)
--   [SELinux Overview](selinux_overview.md#selinux-overview)
--   [Core Components](core_components.md#core-selinux-components)
--   [Mandatory Access Control (MAC)](mac.md#mandatory-access-control)
--   [SELinux Users](users.md#selinux-users)
--   [Role-Based Access Control (RBAC)](rbac.md#role-based-access-control)
--   [Type Enforcement (TE)](type_enforcement.md#type-enforcement)
--   [Security Context](security_context.md#security-context)
--   [Subjects](subjects.md#subjects)
--   [Objects](objects.md#objects)
--   [Computing Security Contexts](computing_security_contexts.md#computing-security-contexts)
--   [Computing Access Decisions](computing_access_decisions.md#computing-access-decisions)
--   [Domain and Object Transitions](domain_object_transitions.md#domain-and-object-transitions)
--   [Multi-Level and Multi-Category Security](mls_mcs.md#multi-level-and-multi-category-security)
--   [Types of SELinux Policy](types_of_policy.md#types-of-selinux-policy)
--   [Permissive and Enforcing Modes](modes.md#selinux-permissive-and-enforcing-modes)
--   [Auditing Events](auditing.md#auditing-selinux-events)
--   [Polyinstantiation Support](polyinstantiation.md#polyinstantiation-support)
--   [PAM Login Process](pam_login.md#pam-login-process)
--   [Linux Security Module and SELinux](lsm_selinux.md#linux-security-module-and-selinux)
--   [Userspace Libraries](userspace_libraries.md#selinux-userspace-libraries)
--   [Networking Support](network_support.md#selinux-networking-support)
--   [Virtual Machine Support](vm_support.md#selinux-virtual-machine-support)
--   [X-Windows Support](x_windows.md#x-windows-selinux-support)
--   [SE-PostgreSQL Support](postgresql.md#postgresql-selinux-support)
--   [Apache-Plus Support](apache_support.md#apache-selinux-support)
--   [SELinux Configuration Files](configuration_files.md#selinux-configuration-files)
-    -   [Global Configuration Files](global_config_files.md#global-configuration-files)
-    -   [Policy Store Configuration Files](policy_store_config_files.md#policy-store-configuration-files)
-    -   [Policy Configuration Files](policy_config_files.md#policy-configuration-files)
--   [SELinux Policy Languages](policy_languages.md#the-selinux-policy-languages)
-    -   [CIL Policy Language](cil_overview.md#cil-overview)
-        -   [CIL Reference Guide](notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf)
-    -   [Kernel Policy Language](kernel_policy_language.md#kernel-policy-language)
-        -   [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements)
-        -   [Default Rules](default_rules.md#default-object-rules)
-        -   [User Statements](user_statements.md#user-statements)
-        -   [Role Statements](role_statements.md#role-statements)
-        -   [Type Statements](type_statements.md#type-statements)
-        -   [Bounds Rules](bounds_rules.md#bounds-rules)
-        -   [Access Vector Rules](avc_rules.md#access-vector-rules)
-        -   [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules)
-        -   [Object Class and Permission Statements](class_permission_statements.md#object-class-and-permission-statements)
-        -   [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements)
-        -   [Constraint Statements](constraint_statements.md#constraint-statements)
-        -   [MLS Statements](mls_statements.md#mls-statements)
-        -   [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement)
-        -   [File System Labeling Statements](file_labeling_statements.md#file-system-labeling-statements)
-        -   [Network Labeling Statements](network_statements.md#network-labeling-statements)
-        -   [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements)
-        -   [XEN Statements](xen_statements.md#xen-statements)
-        -   [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements)
--   [The Reference Policy](reference_policy.md#the-reference-policy)
--   [Implementing SELinux-aware Applications](implementing_seaware_apps.md#implementing-selinux-aware-applications)
--   [SE for Android](seandroid.md#security-enhancements-for-android)
--   [Appendix A - Object Classes and Permissions](object_classes_permissions.md#appendix-a---object-classes-and-permissions)
--   [Appendix B - *libselinux* API Summary](libselinux_functions.md#appendix-b---libselinux-api-summary)
--   [Appendix C - SELinux Commands](selinux_cmds.md#appendix-c---selinux-commands)
--   [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips)
--   [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example)
+- [Abbreviations and Terminology](terminology.md#abbreviations-and-terminology)
+- [SELinux Overview](selinux_overview.md#selinux-overview)
+- [Core Components](core_components.md#core-selinux-components)
+- [Mandatory Access Control (MAC)](mac.md#mandatory-access-control)
+- [SELinux Users](users.md#selinux-users)
+- [Role-Based Access Control (RBAC)](rbac.md#role-based-access-control)
+- [Type Enforcement (TE)](type_enforcement.md#type-enforcement)
+- [Security Context](security_context.md#security-context)
+- [Subjects](subjects.md#subjects)
+- [Objects](objects.md#objects)
+- [Computing Security Contexts](computing_security_contexts.md#computing-security-contexts)
+- [Computing Access Decisions](computing_access_decisions.md#computing-access-decisions)
+- [Domain and Object Transitions](domain_object_transitions.md#domain-and-object-transitions)
+- [Multi-Level and Multi-Category Security](mls_mcs.md#multi-level-and-multi-category-security)
+- [Types of SELinux Policy](types_of_policy.md#types-of-selinux-policy)
+- [Permissive and Enforcing Modes](modes.md#selinux-permissive-and-enforcing-modes)
+- [Auditing Events](auditing.md#auditing-selinux-events)
+- [Polyinstantiation Support](polyinstantiation.md#polyinstantiation-support)
+- [PAM Login Process](pam_login.md#pam-login-process)
+- [Linux Security Module and SELinux](lsm_selinux.md#linux-security-module-and-selinux)
+- [Userspace Libraries](userspace_libraries.md#selinux-userspace-libraries)
+- [Networking Support](network_support.md#selinux-networking-support)
+- [Virtual Machine Support](vm_support.md#selinux-virtual-machine-support)
+- [X-Windows Support](x_windows.md#x-windows-selinux-support)
+- [SE-PostgreSQL Support](postgresql.md#postgresql-selinux-support)
+- [Apache-Plus Support](apache_support.md#apache-selinux-support)
+- [SELinux Configuration Files](configuration_files.md#selinux-configuration-files)
+  - [Global Configuration Files](global_config_files.md#global-configuration-files)
+  - [Policy Store Configuration Files](policy_store_config_files.md#policy-store-configuration-files)
+  - [Policy Configuration Files](policy_config_files.md#policy-configuration-files)
+- [SELinux Policy Languages](policy_languages.md#the-selinux-policy-languages)
+  - [CIL Policy Language](cil_overview.md#cil-overview)
+    - [CIL Reference Guide](notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf)
+  - [Kernel Policy Language](kernel_policy_language.md#kernel-policy-language)
+    - [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements)
+    - [Default Rules](default_rules.md#default-object-rules)
+    - [User Statements](user_statements.md#user-statements)
+    - [Role Statements](role_statements.md#role-statements)
+    - [Type Statements](type_statements.md#type-statements)
+    - [Bounds Rules](bounds_rules.md#bounds-rules)
+    - [Access Vector Rules](avc_rules.md#access-vector-rules)
+    - [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules)
+    - [Object Class and Permission Statements](class_permission_statements.md#object-class-and-permission-statements)
+    - [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements)
+    - [Constraint Statements](constraint_statements.md#constraint-statements)
+    - [MLS Statements](mls_statements.md#mls-statements)
+    - [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement)
+    - [File System Labeling Statements](file_labeling_statements.md#file-system-labeling-statements)
+    - [Network Labeling Statements](network_statements.md#network-labeling-statements)
+    - [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements)
+    - [XEN Statements](xen_statements.md#xen-statements)
+    - [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements)
+- [The Reference Policy](reference_policy.md#the-reference-policy)
+- [Implementing SELinux-aware Applications](implementing_seaware_apps.md#implementing-selinux-aware-applications)
+- [SE for Android](seandroid.md#security-enhancements-for-android)
+- [Appendix A - Object Classes and Permissions](object_classes_permissions.md#appendix-a---object-classes-and-permissions)
+- [Appendix B - *libselinux* API Summary](libselinux_functions.md#appendix-b---libselinux-api-summary)
+- [Appendix C - SELinux Commands](selinux_cmds.md#appendix-c---selinux-commands)
+- [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips)
+- [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example)
 
 <!-- %CUTHERE% -->
 
-- 
2.26.2

* [PATCH 13/22] type_enforcement: Convert to markdown
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/type_enforcement.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/type_enforcement.md b/src/type_enforcement.md
index d8d08be..bfd75b8 100644
--- a/src/type_enforcement.md
+++ b/src/type_enforcement.md
@@ -1,5 +1,8 @@
 # Type Enforcement
 
+- [Constraints](#constraints)
+- [Bounds](#bounds)
+
 SELinux makes use of a specific style of type enforcement (TE) to enforce
 mandatory access control. For SELinux it means that all
 [**subjects**](subjects.md#subjects) and [**objects**](objects.md#objects)
@@ -17,7 +20,7 @@ server, enforce policy via the object managers.
 Because the *type* identifier (or just 'type') is associated to all
 subjects and objects, it can sometimes be difficult to distinguish what
 the type is actually associated with (it's not helped by the fact that
-by convention, type identifiers end in *_t*). In the end it comes down
+by convention, type identifiers end in *\_t*). In the end it comes down
 to understanding how they are allocated in the policy itself and how
 they are used by SELinux services (although CIL policies with namespaces
 do help in that a domain process 'type' could be declared as
@@ -33,7 +36,7 @@ While SELinux refers to a subject as being an active process that is
 associated to a domain type, the scope of an SELinux type enforcement
 domain can vary widely. For example in the simple
 [**Kernel policy**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt)
-in the notebook-examples, all the processes on the system run in the
+in the *notebook-examples*, all the processes on the system run in the
 *unconfined_t* domain, therefore every process is
 'of type *unconfined_t*' (that means it can do whatever it likes within
 the limits of the standard Linux DAC policy as all access is allowed by
@@ -49,7 +52,7 @@ where the majority of user space processes run under the *unconfined_t*
 domain.
 
 The SELinux type is the third component of a 'security context' and by
-convention SELinux types end in *_t*, however this is not enforced by
+convention SELinux types end in *\_t*, however this is not enforced by
 any SELinux service (i.e. it is only used to identify the type
 component), although as explained above CIL with namespaces does make
 identification of types easier.
-- 
2.26.2

* [PATCH 14/22] type_statements: Add toc, tidy up formatting
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/type_statements.md | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/src/type_statements.md b/src/type_statements.md
index b947fdd..0d7f137 100644
--- a/src/type_statements.md
+++ b/src/type_statements.md
@@ -1,7 +1,17 @@
 # Type Statements
 
+- [*type*](#type)
+- [*attribute*](#attribute)
+- [*expandattribute*](#expandattribute)
+- [*typeattribute*](#typeattribute)
+- [*typealias*](#typealias)
+- [*permissive*](#permissive)
+- [*type_transition*](#type_transition)
+- [*type_change*](#type_change)
+- [*type_member*](#type_member)
+
 These statements share the same namespace, therefore the general
-convention is to use *_t* as the final two characters of a type
+convention is to use *\_t* as the final two characters of a *type*
 identifier to differentiate it from an attribute identifier as shown in
 the following examples:
 
@@ -62,7 +72,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | Yes                     | Yes                     |
 
@@ -152,7 +162,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | Yes                     | Yes                     |
 
@@ -210,7 +220,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | Yes                     | Yes                     | No                      |
 
@@ -263,7 +273,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | Yes                     | No                      |
 
@@ -304,7 +314,7 @@ typeattribute setroubleshootd_exec_t file_type, non_security_file_type;
 
 The *typealias* statement allows the association of a previously declared
 *type* to one or more *alias* identifiers (an alternative way is to use the
-*type* statement.
+*type* statement).
 
 **The statement definition is:**
 
@@ -341,7 +351,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | Yes                     | No                      |
 
@@ -402,7 +412,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | Yes                     | No                      |
 
@@ -500,7 +510,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | Yes                     | Yes                     | No                      |
 
@@ -606,6 +616,7 @@ One or more object classes. Multiple entries consist of a space separated list
 enclosed in braces '{}'.
 
 *change_type*
+
 A single *type* or *typealias* identifier that will become the new *type*. 
 
 **The statement is valid in:**
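Review bot: the context line "A single *type* or *typealias* identifier that will become the new *type*. " carries trailing whitespace; since this hunk already touches the *change_type* block to add the blank line above it, trimming that space here avoids a later whitespace-only change.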
@@ -618,7 +629,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | Yes                     | Yes                     | No                      |
 
@@ -691,7 +702,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | Yes                     | Yes                     | No                      |
 
-- 
2.26.2

* [PATCH 15/22] types_of_policy: Convert to markdown
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/types_of_policy.md | 359 +++++++++++++++++++++--------------------
 1 file changed, 184 insertions(+), 175 deletions(-)

diff --git a/src/types_of_policy.md b/src/types_of_policy.md
index a55fdd0..b9ae190 100644
--- a/src/types_of_policy.md
+++ b/src/types_of_policy.md
@@ -1,32 +1,42 @@
 # Types of SELinux Policy
 
+- [Reference Policy](#reference-policy)
+- [Policy Functionality Based on Name or Type](#policy-functionality-based-on-name-or-type)
+- [Custom Policy](#custom-policy)
+- [Monolithic Policy](#monolithic-policy)
+- [Loadable Module Policy](#loadable-module-policy)
+  - [Optional Policy](#optional-policy)
+- [Conditional Policy](#conditional-policy)
+- [Binary Policy](#binary-policy)
+- [Policy Versions](#policy-versions)
+
 This section describes the different type of policy descriptions and
 versions that can be found within SELinux.
 
 The type of SELinux policy can described in a number of ways:
 
-1.  Source code - These can be described as:
-    [**Reference Policy**](types_of_policy.md#reference-policy) or
-    [**Custom**](types_of_policy.md#custom-policy).
-    They are generally written using
-    [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language),
-    [**Reference Policy Support Macros**](reference_policy.md#reference-policy-support-macros),
-    or using [**CIL**](cil_overview.md#cil-overview)
-2.  They can also be classified as: [**Monolithic**](types_of_policy.md#monolithic-policy),
-    [**Base Module or Loadable Module**](types_of_policy.md#reference-policy).
-3.  Policies can also be described by the
-    [**type of policy functionality**](types_of_policy.md#policy-functionality-based-on-name-or-type) they
-    provide such as: targeted, mls, mcs, standard, strict or minimum.
-4.  Classified using language statements - These can be described as
-    [**Modular, Optional**](types_of_policy.md#reference-policy) or
-    [**Conditional**](types_of_policy.md#conditional-policy).
-5.  Binary or Kernel policy. These are the compiled policy used by the kernel.
-6.  Classification can also be on the '[**policy version**](types_of_policy.md#policy-versions)'
-    used (examples are version 22, 23 and 24).
-7.  Policy can also be generated depending on the target platform of
-    either 'selinux' (the default) or 'xen' (see the SELinux policy
-    generation tools ***checkpolicy**(8)*, ***secilc**(8)* and ***semanage**(8)*
-    *target_platform* options).
+1. Source code - These can be described as:
+   [**Reference Policy**](types_of_policy.md#reference-policy) or
+   [**Custom**](types_of_policy.md#custom-policy).
+   They are generally written using
+   [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language),
+   [**Reference Policy Support Macros**](reference_policy.md#reference-policy-support-macros),
+   or using [**CIL**](cil_overview.md#cil-overview)
+2. They can also be classified as: [**Monolithic**](types_of_policy.md#monolithic-policy),
+   [**Base Module or Loadable Module**](types_of_policy.md#reference-policy).
+3. Policies can also be described by the
+   [**type of policy functionality**](types_of_policy.md#policy-functionality-based-on-name-or-type) they
+   provide such as: targeted, mls, mcs, standard, strict or minimum.
+4. Classified using language statements - These can be described as
+   [**Modular, Optional**](types_of_policy.md#reference-policy) or
+   [**Conditional**](types_of_policy.md#conditional-policy).
+5. Binary or Kernel policy. These are the compiled policy used by the kernel.
+6. Classification can also be on the '[**policy version**](types_of_policy.md#policy-versions)'
+   used (examples are version 22, 23 and 24).
+7. Policy can also be generated depending on the target platform of
+   either 'selinux' (the default) or 'xen' (see the SELinux policy
+   generation tools ***checkpolicy**(8)*, ***secilc**(8)* and ***semanage**(8)*
+   *target_platform* options).
 
 As can be seen the description of a policy can vary depending on the
 context.
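Review bot: items 2 and 4 of the re-indented list still send the **Base Module or Loadable Module** and **Modular, Optional** links to `types_of_policy.md#reference-policy`, while the TOC added at the top of this hunk introduces `#loadable-module-policy` and `#optional-policy` as the anchors for exactly those sections; since these lines are being rewritten anyway, retargeting them (e.g. `[**Base Module or Loadable Module**](types_of_policy.md#loadable-module-policy)`) would keep the new TOC and the body consistent. Two smaller things while here: item 1 is the only item without a closing full stop, and the unchanged context line "The type of SELinux policy can described in a number of ways:" is missing "be".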
@@ -61,30 +71,32 @@ Generally a policy is installed with a given name such as *targeted*,
 *mls*, *refpolicy* or *minimum* that attempts to describes its
 functionality. This name then becomes the entry in:
 
-1.  The directory pointing to the policy location (e.g. if the name is
-    *targeted*, then the policy will be installed in
-    */etc/selinux/targeted*).
-2.  The *SELINUXTYPE* entry in the */etc/selinux/config* file when it is
-    the active policy (e.g. if the name is *targeted*, then a
-    *SELINUXTYPE=targeted* entry would be in the */etc/selinux/config*
-    file).
+1. The directory pointing to the policy location (e.g. if the name is
+   *targeted*, then the policy will be installed in
+   */etc/selinux/targeted*).
+2. The *SELINUXTYPE* entry in the */etc/selinux/config* file when it is
+   the active policy (e.g. if the name is *targeted*, then a
+   *SELINUXTYPE=targeted* entry would be in the */etc/selinux/config*
+   file).
 
 This is how the reference policies distributed with Fedora are named,
 where:
--   minimum - supports a minimal set of confined daemons within their own
-    domains. The remainder run in the unconfined_t space. Red Hat
-    pre-configure MCS support within this policy.
--   targeted - supports a greater number of confined daemons and can also
-    confine other areas and users. Red Hat pre-configure MCS support within
-    this policy.
--   mls - supports server based MLS systems.
+
+- minimum - supports a minimal set of confined daemons within their own
+  domains. The remainder run in the unconfined_t space. Red Hat
+  pre-configure MCS support within this policy.
+- targeted - supports a greater number of confined daemons and can also
+  confine other areas and users. Red Hat pre-configure MCS support within
+  this policy.
+- mls - supports server based MLS systems.
 
 The Reference Policy also has a *TYPE* description that describes the
 type of policy being built by the build process, these are:
--   standard - supports confined daemons and can also confine other areas
-    and users.
--   mcs - As standard but supports MCS labels.
--   mls - supports server based MLS systems.
+
+- standard - supports confined daemons and can also confine other areas
+  and users.
+- mcs - As standard but supports MCS labels.
+- mls - supports server based MLS systems.
 
 The *NAME* and *TYPE* entries are defined in the reference policy
 *build.conf* file that is described in the Reference Policy
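Review bot: the unchanged context line "*mls*, *refpolicy* or *minimum* that attempts to describes its functionality" has a typo ("describes" should be "describe"); if a small wording fix is acceptable in a formatting patch it is worth folding in here, since the surrounding lines are already being touched. The blank lines inserted before the two bullet lists are needed, as without them CommonMark keeps "where:" and "these are:" glued to the first bullet.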
@@ -95,14 +107,14 @@ section.
 
 This generally refers to a policy source that is either:
 
-1.  A customised version of the Reference Policy (i.e. not the standard
-    distribution version e.g. Red Hat policies).
-2.  A policy that has been built using policy language statements
-    (CIL or Kernel) to build a specific policy such as the basic policy built
-    in the Notebook *notebook-examples/selinux-policy* there are following
-    policies:
--   [**Kernel Policy Language**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt)
--   [**CIL Policy Language**](./notebook-examples/selinux-policy/cil/cil-nb-policy.txt)
+1. A customised version of the Reference Policy (i.e. not the standard
+   distribution version e.g. Red Hat policies).
+2. A policy that has been built using policy language statements
+   (CIL or Kernel) to build a specific policy such as the basic policy built
+   in the Notebook *notebook-examples/selinux-policy* there are following
+   policies:
+   - [**Kernel Policy Language**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt)
+   - [**CIL Policy Language**](./notebook-examples/selinux-policy/cil/cil-nb-policy.txt)
 
 These examples were built using the Notebook 'build-sepolicy' command that is
 described in
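Review bot: item 2 of the nested list is a run-on as rewritten: "to build a specific policy such as the basic policy built in the Notebook *notebook-examples/selinux-policy* there are following policies:". Since the bullets are being re-indented under it anyway, splitting the sentence, e.g. "... such as the basic policies built in the Notebook *notebook-examples/selinux-policy* directory, which contains the following:", would read better and fix the missing article. The three-space indent of the sub-bullets under "2. " is correct for CommonMark.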
@@ -140,12 +152,12 @@ but ftp is not used, then that module could be unloaded).
 
 There are number of components that form the infrastructure:
 
-1.  Policy source code that is constructed for a modular policy with a
-    base module and optional loadable modules.
-2.  Utilities to compile and link modules and place them into a 'policy
-    store'.
-3.  Utilities to manage the modules and associated configuration files
-    within the 'policy store'.
+1. Policy source code that is constructed for a modular policy with a
+   base module and optional loadable modules.
+2. Utilities to compile and link modules and place them into a 'policy
+   store'.
+3. Utilities to manage the modules and associated configuration files
+   within the 'policy store'.
 
 [**Figure 2: High Level SELinux Architecture**](core_components.md#core-selinux-components)
 shows these components along the top of the diagram. The files contained in
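Review bot: the unchanged context line "There are number of components that form the infrastructure:" is missing "a" ("There are a number of components"); a one-word fix that fits naturally in this hunk if text tweaks are in scope.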
@@ -196,9 +208,9 @@ section.
 
 This is also know as the kernel policy and is the policy file that is
 loaded into the kernel and is located at
-/etc/selinux/&lt;SELINUXTYPE&gt;/policy/policy.&lt;version&gt;. Where
-*&lt;SELINUXTYPE&gt;* is the policy name specified in the SELinux
-configuration file /etc/selinux/config and &lt;version&gt; is the
+/etc/selinux/\<SELINUXTYPE\>/policy/policy.\<version\>. Where
+*\<SELINUXTYPE\>* is the policy name specified in the SELinux
+configuration file /etc/selinux/config and \<version\> is the
 SELinux [**policy version**](#policy-versions).
 
 The binary policy can be built from source files supplied by the
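Review bot: after the escaping change the path `/etc/selinux/\<SELINUXTYPE\>/policy/policy.\<version\>` is left unemphasised while the following `*\<SELINUXTYPE\>*` is italicised; elsewhere in the Notebook file paths are italicised (e.g. */etc/selinux/config* in the same hunk), so `*/etc/selinux/\<SELINUXTYPE\>/policy/policy.\<version\>*` would be consistent. The unchanged context line "This is also know as the kernel policy" should read "known".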
@@ -245,124 +257,121 @@ Max kernel policy version:      32
 
 ```
 
-**Table 1: Policy version descriptions** describes the different versions, although note
-that there is also another version that applies to the modular policy,
-however the main policy database version is the one that is generally
-quoted (some SELinux utilities give both version numbers).
-
-<table>
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>policy db Version</strong></td>
-<td><strong>modular db Version</strong></td>
-<td><strong>Description</strong></td>
-</tr>
-<tr>
-<td>15</td>
-<td>4</td>
-<td>The base version when SELinux was merged into the kernel.</td>
-</tr>
-<tr>
-<td>16</td>
-<td>-</td>
-<td>Added <a href="#conditional-policy"><em>Conditional Policy</em></a> support (the bool feature).</td>
-</tr>
-<tr>
-<td>17</td>
-<td>-</td>
-<td>Added support for IPv6.</td>
-</tr>
-<tr>
-<td>18</td>
-<td>-</td>
-<td>Added Netlink support.</td>
-</tr>
-<tr>
-<td>19</td>
-<td>5</td>
-<td>Added MLS support, plus the <code>validatetrans</code> Statement.</td>
-</tr>
-<tr>
-<td>20</td>
-<td>-</td>
-<td>Reduced the size of the access vector table.</td>
-</tr>
-<tr>
-<td>21</td>
-<td>6</td>
-<td>Added support for the MLS <code>range_transition</code> Statement.</td>
-</tr>
-<tr>
-<td>22</td>
-<td>7</td>
-<td>Added <code>policycap</code> Statement that allows various kernel options to be enabled as described in the <a href="policy_config_statements.md#policy-configuration-statements">Policy Configuration Statements</a> section.</td>
-</tr>
-<tr>
-<td>23</td>
-<td>8</td>
-<td>Added support for the <code>permissive</code> statement. This allows a domain to run in permissive mode while the others are still confined (instead of the all or nothing set by the <em>SELINUX</em> entry in the <em>/etc/selinux/config</em> file).</td>
-</tr>
-<tr>
-<td>24</td>
-<td>9 / 10</td>
-<td>Add support for the <code>typebounds</code> statement. This was added to support a hierarchical relationship between two domains in multi-threaded web servers as described in "<a href="http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf">A secure web application platform powered by SELinux</a>".</td>
-</tr>
-<tr>
-<td>25</td>
-<td>11</td>
-<td>Add support for file name transition in the <code>type_transition</code> rule. Requires kernel 2.6.39 minimum.</td>
-</tr>
-<tr>
-<td>26</td>
-<td>12/13</td>
-<td><p>Add support for a class parameter in the <code>role_transition</code> rule.</p>
-<p>Add support for the <code>attribute_role</code> and <code>roleattribute</code> statements.</p>
-<p>These require kernel 2.6.39 minimum.</p></td>
-</tr>
-<tr>
-<td>-</td>
-<td>14</td>
-<td>Separate tunables.</td>
-</tr>
-<tr>
-<td>27</td>
-<td>15</td>
-<td>Support setting object defaults for the user, role and range components when computing a new context. Requires kernel 3.5 minimum.</td>
-</tr>
-<tr>
-<td>28</td>
-<td>16</td>
-<td>Support setting object defaults for the type component when computing a new context. Requires kernel 3.5 minimum.</td>
-</tr>
-<tr>
-<td>29</td>
-<td>17</td>
-<td>Support attribute names within constraints. This allows attributes as well as the types to be retrieved from a kernel policy to assist <em><strong>audit2allow</strong>(8)</em> etc. to determine what attribute needs to be updated. Note that the attribute does not determine the constraint outcome, it is still the list of types associated to the constraint. Requires kernel 3.14 minimum.</td>
-</tr>
-<tr>
-<td>30</td>
-<td>18</td>
-<td><p>For the '<em>selinux</em>' target platform adds new '<code>xperm</code>' rules as explained in the <a href="xperm_rules.md#extended-access-vector-rules">Extended Access Vector Rules</a> section. This is to support 'ioctl whitelisting' as explained in the <a href="xperm_rules.md#ioctl-operation-rules">ioctl Operation Rules</a> section. Requires kernel 4.3 minimum. For modular support, requires libsepol 2.7 minimum.</p></td>
-</tr>
-<tr>
-<td>30</td>
-<td></td>
-<td>For the '<code>xen</code>' target platform support the <code>devicetreecon</code> statement and also expand the existing I/O memory range to 64 bits as explained in the <a href="xen_statements.md#xen-statements">Xen Statements</a> section.</td>
-</tr>
-<tr>
-<td>31</td>
-<td>19</td>
-<td>InfiniBand (IB) partition key (Pkey) and IB end port object labeling that requires kernel 4.13 minimum.  See the <a href="infiniband_statements.md#infiniband-labeling-statements">InfiniBand Labeling Statements section.</a></td>
-</tr>
-<tr>
-<td>32</td>
-<td>20</td>
-<td>Specify <code>glblub</code> as a <code>default_range</code> default and the computed transition will be the intersection of the MLS range of the two contexts. See <code>default_range</code> for details. Requires kernel 5.5 minimum. See the <a href="default_rules.md#default_range">Default Rules section.</a></td>
-</tr>
-</tbody>
-</table>
-
-**Table 1: Policy version descriptions**
+The following table describes the features added for each policy version and
+its corresponding modular policy version. When these features are implemented
+there may also be functionality added to the kernel, libselinux and/or libsepol.
+If known, these version requirements are also listed.
+
+**Policy: 15 Module: 4**
+
+The base version when SELinux was merged into the kernel.
+
+**Policy: 16**
+
+Added [**Conditional Policy**](#conditional-policy) support (the bool feature).
+
+**Policy: 17**
+
+Added support for IPv6.
+
+**Policy: 18**
+
+Added Netlink support.
+
+**Policy: 19 Module: 5**
+
+Added MLS support, plus the *validatetrans* Statement.
+
+**Policy: 20**
+
+Reduced the size of the access vector table.
+
+**Policy: 21 Module: 6**
+
+Added support for the MLS *range_transition* Statement.
+
+**Policy: 22 Module: 7**
+
+Added *policycap* Statement that allows various kernel options to be
+enabled as described in the
+[**Policy Configuration Statements**](policy_config_statements.md#policy-configuration-statements)
+section.
+
+**Policy: 23 Module: 8**
+
+Added support for the *permissive* statement. This allows a domain to run
+in permissive mode while the others are still confined (instead of the all
+or nothing set by the *SELINUX* entry in the */etc/selinux/config* file).
+
+**Policy: 24 Module: 9 / 10**
+
+Add support for the *typebounds* statement. This was added to support a
+hierarchical relationship between two domains in multi-threaded web servers
+as described in
+[**A secure web application platform powered by SELinux**](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf).
+
+**Policy: 25 Module: 11**
+
+Add support for file name transition in the *type_transition* rule.
+Requires kernel 2.6.39 minimum.
+
+**Policy: 26 Module: 12 / 13**
+
+Add support for a class parameter in the *role_transition* rule and
+support for the *attribute_role* and *roleattribute* statements.
+These require kernel 2.6.39 minimum.
+
+**Module: 14**
+
+Separate tunables.
+
+**Policy: 27 Module: 15**
+
+Support setting object defaults for the user, role and range components
+when computing a new context. Requires kernel 3.5 minimum.
+
+**Policy: 28 Module: 16**
+
+Support setting object defaults for the type component when computing a
+new context. Requires kernel 3.5 minimum.
+
+**Policy: 29 Module: 17**
+
+Support attribute names within constraints. This allows attributes as well
+as the types to be retrieved from a kernel policy to assist
+***audit2allow**(8)* etc. to determine what attribute needs to be updated.
+Note that the attribute does not determine the constraint outcome, it is
+still the list of types associated to the constraint.
+Requires kernel 3.14 minimum.
+
+**Policy: 30 Module: 18**
+
+For the *selinux* target platform adds new *xperm* rules as explained in the
+[**Extended Access Vector Rules**](xperm_rules.md#extended-access-vector-rules)
+section. This is to support 'ioctl whitelisting' as explained in the
+[***ioctl* Operation Rules**](xperm_rules.md#ioctl-operation-rules) section.
+Requires kernel 4.3 minimum.
+For modular policy support requires libsepol 2.7 minimum.
+
+**Policy: 30**
+
+For the '*xen*' target platform support the *devicetreecon* statement and
+also expand the existing I/O memory range to 64 bits as explained in the
+[**Xen Statements**](xen_statements.md#xen-statements) section.
+
+**Policy: 31 Module: 19**
+
+Add InfiniBand (IB) partition key (Pkey) and IB end port object labeling
+as explained in the
+[**InfiniBand Labeling Statements**](infiniband_statements.md#infiniband-labeling-statements)
+section. Requires kernel 4.13 minimum.
+
+**Policy: 32 Module: 20**
+
+Specify *glblub* as a *default_range* default and the computed transition
+will be the intersection of the MLS range of the two contexts.
+See the [**default_range**](default_rules.md#default_range) for details.
+Requires kernel 5.5 minimum.
 
 <!-- %CUTHERE% -->
 
-- 
2.26.2



* [PATCH 16/22] user_statements:: Tidy up formatting
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/user_statements.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/user_statements.md b/src/user_statements.md
index 7a5ff8a..ee3eed1 100644
--- a/src/user_statements.md
+++ b/src/user_statements.md
@@ -70,7 +70,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | Yes                     | Yes                     |
 
@@ -116,9 +116,9 @@ semanage user -a -R unconfined_r mque_u
 ```
 
 This command will produce the following files in the default
-&lt;SELINUXTYPE&gt; policy store and then activate the policy:
+\<SELINUXTYPE\> policy store and then activate the policy:
 
-*/var/lib/selinux/&lt;SELINUXTYPE&gt;/active/users.local*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/users.local*:
 
 ```
 # This file is auto-generated by libsemanage
@@ -127,7 +127,7 @@ This command will produce the following files in the default
 user mque_u roles { unconfined_r } ;
 ```
 
-*/var/lib/selinux/&lt;SELINUXTYPE&gt;/active/users_extra*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/users_extra*:
 
 ```
 # This file is auto-generated by libsemanage
@@ -136,7 +136,7 @@ user mque_u roles { unconfined_r } ;
 user mque_u prefix user;
 ```
 
-*/var/lib/selinux/&lt;SELINUXTYPE&gt;/active/users_extra.local*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/users_extra.local*:
 
 ```
 # This file is auto-generated by libsemanage
-- 
2.26.2



* [PATCH 17/22] users: Tidy up formatting
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/users.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/users.md b/src/users.md
index a1a86b1..4be8356 100644
--- a/src/users.md
+++ b/src/users.md
@@ -13,7 +13,7 @@ objects, this user is *system_u*.
 
 The SELinux user name is the first component of a
 [**Security Context**](security_context.md#security-context) and
-by convention SELinux user names end in *_u*, however this is not
+by convention SELinux user names end in *\_u*, however this is not
 enforced by any SELinux service (i.e. it is only to identify the user
 component), although CIL with namespaces does make identification of an
 SELinux user easier for example a 'user' could be declared as
-- 
2.26.2



* [PATCH 18/22] userspace_libraries: Tidy up formatting, add toc
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/userspace_libraries.md | 58 ++++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 27 deletions(-)

diff --git a/src/userspace_libraries.md b/src/userspace_libraries.md
index 4f70321..5be703a 100644
--- a/src/userspace_libraries.md
+++ b/src/userspace_libraries.md
@@ -1,5 +1,9 @@
 # SELinux Userspace Libraries
 
+- [libselinux Library](#libselinux-library)
+- [libsepol Library](#libsepol-library)
+- [libsemanage Library](#libsemanage-library)
+
 The versions of kernel and SELinux tools and libraries influence the
 features available, therefore it is important to establish what level of
 functionality is required for the application. The
@@ -19,13 +23,13 @@ Python, Ruby and PHP languages.
 
 The library hides the low level functionality of (but not limited to):
 
--   The SELinux filesystem that interfaces to the SELinux kernel
-    security server.
--   The proc filesystem that maintains process state information and
-    security contexts - see ***proc**(5)*.
--   Extended attribute services that manage the extended attributes
-    associated to files, sockets etc. - see ***attr**(5)*.
--   The SELinux policy and its associated configuration files.
+- The SELinux filesystem that interfaces to the SELinux kernel
+  security server.
+- The proc filesystem that maintains process state information and
+  security contexts - see ***proc**(5)*.
+- Extended attribute services that manage the extended attributes
+  associated to files, sockets etc. - see ***attr**(5)*.
+- The SELinux policy and its associated configuration files.
 
 The general category of functions available in *libselinux* are shown below,
 with [**Appendix B - *libselinux* API Summary**](libselinux_functions.md#appendix-b---libselinux-api-summary)
@@ -102,24 +106,23 @@ Retrieve default contexts for user sessions.
 The *libselinux* functions make use of a number of files within the
 SELinux sub-system:
 
-1.  The SELinux configuration file *config* that is described in the
-    [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) section.
-2.  The SELinux filesystem interface between userspace and kernel that
-    is generally mounted as */selinux* or */sys/fs/selinux* and
-    described in the
-    [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem)
-    section.
-3.  The *proc* filesystem that maintains process state information and
-    security contexts - see ***proc**(5)*.
-4.  The extended attribute services that manage the extended attributes
-    associated to files, sockets etc. - see ***attr**(5)*.
-5.  The SELinux kernel binary policy that describes the enforcement
-    policy.
-6.  A number of *libselinux* functions have their own configuration
-    files that in conjunction with the policy, allow additional levels
-    of configuration. These are described in the
-    [**Policy Configuration Files**](policy_config_files.md#policy-configuration-files)
-    section.
+1. The SELinux configuration file *config* that is described in the
+   [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) section.
+2. The SELinux filesystem interface between userspace and kernel that
+   is generally mounted as */selinux* or */sys/fs/selinux* and
+   described in the
+   [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section.
+3. The *proc* filesystem that maintains process state information and
+   security contexts - see ***proc**(5)*.
+4. The extended attribute services that manage the extended attributes
+   associated to files, sockets etc. - see ***attr**(5)*.
+5. The SELinux kernel binary policy that describes the enforcement
+   policy.
+6. A number of *libselinux* functions have their own configuration
+   files that in conjunction with the policy, allow additional levels
+   of configuration. These are described in the
+   [**Policy Configuration Files**](policy_config_files.md#policy-configuration-files)
+   section.
 
 There is a static version of the library that is not installed by default:
 
@@ -140,10 +143,11 @@ dnf install libsepol-static
 
 This is used by commands such as ***audit2allow**(8)* and ***checkpolicy**(8)*
 as they require access to functions that are not available in the dynamic
-library (such as sepol_compute_av(), sepol_compute_av_reason() and
-sepol_context_to_sid().
+library, such as *sepol_compute_av()*, *sepol_compute_av_reason()* and
+*sepol_context_to_sid()*.
 
 ## libsemanage Library
+
 *libsemanage* - To manage the policy infrastructure.
 
 <!-- %CUTHERE% -->
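Review bot: the rewrite of the *libsepol* paragraph also closes the parenthesis that the old text left unbalanced ("(such as sepol_compute_av(), ... sepol_context_to_sid()." with no closing bracket), which is a genuine fix beyond formatting and worth a mention in the commit message. The added blank line after "## libsemanage Library" is correct; the one-line section body "*libsemanage* - To manage the policy infrastructure." now stands out as a stub compared with the two sections above it, so a follow-up expanding it would be welcome.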
-- 
2.26.2



* [PATCH 19/22] vm_support: Tidy up formatting
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/vm_support.md | 84 ++++++++++++++++++++++++++---------------------
 1 file changed, 46 insertions(+), 38 deletions(-)

diff --git a/src/vm_support.md b/src/vm_support.md
index 80d5cd5..a60fe6c 100644
--- a/src/vm_support.md
+++ b/src/vm_support.md
@@ -1,5 +1,13 @@
 # SELinux Virtual Machine Support
 
+- [KVM / QEMU Support](#kvm-qemu-support)
+- [*libvirt* Support](#libvirt-support)
+- [VM Image Labeling](#vm-image-labeling)
+  - [Dynamic Labeling](#dynamic-labeling)
+  - [Shared Image](#shared-image)
+  - [Static Labeling](#static-labeling)
+- [Xen Support](#xen-support)
+
 SELinux support is available in the KVM/QEMU and Xen virtual machine (VM)
 technologies[^fn_vms_1] that are discussed in the sections that follow, however
 the package documentation should be read for how these products actually work
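Review bot: the new TOC entry `[KVM / QEMU Support](#kvm-qemu-support)` assumes the renderer collapses " / " into a single hyphen; GitHub-style slug generation drops the slash but keeps both surrounding spaces, which yields `#kvm--qemu-support`, so please verify this link resolves on the platform the Notebook is rendered with. The remaining entries, including `[*libvirt* Support](#libvirt-support)` where the emphasis markers are dropped from the slug, look right.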
@@ -90,20 +98,20 @@ other (i.e. every time the VM is run a different and unique MCS label
 will be generated to confine each VM to its own domain). This mode is
 implemented as follows:
 
-1.  An initial context for the process is obtained from the
-    */etc/selinux/&lt;SELINUXTYPE&gt;/contexts/virtual_domain_context*
-    file (the default is *system_u:system_r:svirt_tcg_t:s0*).
-2.  An initial context for the image file label is obtained from the
-    */etc/selinux/&lt;SELINUXTYPE&gt;/contexts/virtual_image_context*
-    file. The default is *system_u:system_r:svirt_image_t:s0* that
-    allows read/write of image files.
-3.  When the image is used to start the VM, a random MCS *level* is
-    generated and added to the process context and the image file
-    context. The process and image files are then transitioned to the
-    context by the* libselinux* API calls *setfilecon* and *setexeccon*
-    respectively (see *security_selinux.c* in the *libvirt *source).
-    The following example shows two running VM sessions each having
-    different labels:
+1. An initial context for the process is obtained from the
+   */etc/selinux/\<SELINUXTYPE\>/contexts/virtual_domain_context*
+   file (the default is *system_u:system_r:svirt_tcg_t:s0*).
+2. An initial context for the image file label is obtained from the
+   */etc/selinux/\<SELINUXTYPE\>/contexts/virtual_image_context*
+   file. The default is *system_u:system_r:svirt_image_t:s0* that
+   allows read/write of image files.
+3. When the image is used to start the VM, a random MCS *level* is
+   generated and added to the process context and the image file
+   context. The process and image files are then transitioned to the
+   context by the *libselinux* API calls *setfilecon* and *setexeccon*
+   respectively (see *security_selinux.c* in the *libvirt *source).
+   The following example shows two running VM sessions each having
+   different labels:
 
 | VM Image    | Object    | Dynamically assigned security context             |
 | ------------| --------- | ------------------------------------------------- |
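Review bot: step 3 of the re-indented list fixes the misplaced emphasis in "the* libselinux*" to "the *libselinux*", but the same line still carries "*libvirt *source" with the stray space before the closing asterisk, so the italics do not close properly in CommonMark; it should be "*libvirt* source".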
@@ -152,7 +160,7 @@ checking the *Shareable* box as shown in **Figure 19**.
 
 This will set the image (*Shareable_VM.xml*) resource XML
 configuration file located in the */etc/libvirt/qemu* directory
-*&lt;disk&gt;* contents as follows:
+*\<disk\>* contents as follows:
 
 ```
 # /etc/libvirt/qemu/Shareable_VM.xml:
@@ -172,7 +180,7 @@ needs to be cloned and the VM resource name selected was
 
 ![](./images/20-clone.png)
 
-The resource XML file *&lt;disk&gt;* contents generated are shown - note
+The resource XML file *\<disk\>* contents generated are shown - note
 that it has the same *source file* name as the *Shareable_VM.xml* file
 shown above.
 
@@ -191,7 +199,7 @@ shown above.
 With the targeted policy on Fedora the shareable option gave a error when
 the VMs were run as follows:
 
--   **Could not allocate dynamic translator buffer**
+- **Could not allocate dynamic translator buffer**
 
 The audit log contained the following AVC message:
 
@@ -213,19 +221,19 @@ setsebool -P virt_use_execmem on
 Now that the image has been configured as shareable, the following
 initialisation process will take place:
 
-1.  An initial context for the process is obtained from the
-    */etc/selinux/&lt;SELINUXTYPE&gt;/contexts/virtual_domain_context*
-    file (the default is *system_u:system_r:svirt_tcg_t:s0*).
-2.  An initial context for the image file label is obtained from the
-    */etc/selinux/&lt;SELINUXTYPE&gt;/contexts/virtual_image_context*
-    file. The default is *system_u:system_r:svirt_image_t:s0* that
-    allows read/write of image files.
-3.  When the image is used to start the VM a random MCS level is
-    generated and added to the process context (but not the image file).
-    The process is then transitioned to the appropriate context by the*
-    libselinux* API calls *setfilecon* and *setexeccon* respectively.
-    The following example shows each VM having the same file label but
-    different process labels:
+1. An initial context for the process is obtained from the
+   */etc/selinux/\<SELINUXTYPE\>/contexts/virtual_domain_context*
+   file (the default is *system_u:system_r:svirt_tcg_t:s0*).
+2. An initial context for the image file label is obtained from the
+   */etc/selinux/\<SELINUXTYPE\>/contexts/virtual_image_context*
+   file. The default is *system_u:system_r:svirt_image_t:s0* that
+   allows read/write of image files.
+3. When the image is used to start the VM a random MCS level is
+   generated and added to the process context (but not the image file).
+   The process is then transitioned to the appropriate context by the*
+   libselinux* API calls *setfilecon* and *setexeccon* respectively.
+   The following example shows each VM having the same file label but
+   different process labels:
 
 | VM Image           | Object    | Security context                             |
 | -------------------| ----------| -------------------------------------------- |
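Review bot: the italic markers on the two re-indented lines `by the*` / `libselinux* API calls *setfilecon* and *setexeccon* respectively.` are still misplaced, so `the*` and `libselinux*` render as literal asterisks instead of *libselinux*; since these lines are being touched anyway, move the opening asterisk to `by the *libselinux* API calls`. In the same sentence "respectively" pairs with nothing (only the process transition is mentioned); something like "the image is labeled with *setfilecon* and the process context set with *setexeccon*" would read correctly. Separately, the step 2 default image-file context is written with the `system_r` role; a file label carries `object_r`, so that looks like a carried-over typo worth a follow-up even though this series is formatting-only.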
@@ -273,8 +281,8 @@ need to be relabeled. An example VM configuration follows where the VM
 has been created as *Static_VM1* using the Fedora *targeted* policy in
 enforcing mode (just so all errors are flagged during the build):
 
-1.  To set the required security context requires editing the
-    *Static_VM1* configuration file using ***virsh**(1)* as follows:
+1. To set the required security context requires editing the
+   *Static_VM1* configuration file using ***virsh**(1)* as follows:
 
 ```
 virsh edit Static_VM1
@@ -301,11 +309,11 @@ For this example *svirt_t* has been chosen as it is a valid context
 written to the *Static_VM1.xml* configuration file in
 */etc/libvirt/qemu*.
 
-2.  If the VM is now started an error will be shown as follows:
+2. If the VM is now started an error will be shown as follows:
 
 ![](./images/21-error.png)
 
-**Figure 2.21: Image Start Error**
+**Figure 21: Image Start Error**
 
 This is because the image file label is incorrect as by default
 it is labeled *virt_image_t* when the VM image is built (and
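Review bot: the caption change from `**Figure 2.21: Image Start Error**` to `**Figure 21: Image Start Error**` is a text change in a series the cover letter describes as "no text changes"; it is fine if the chapter prefix is being dropped notebook-wide, but please confirm that any prose referring to "Figure 2.21" and the other captions in vm_support.md were renumbered in the same pass so the references do not go stale.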
@@ -340,12 +348,12 @@ the same as the process using *chcon* as follows:
 chcon -l s0:c1022,c1023 Static_VM1.img
 ```
 
-3.  Now that the image has been relabeled, the VM can now be started.
+3. Now that the image has been relabeled, the VM can now be started.
 
 The following example shows two static VMs (one is configured for
 *unconfined_t* that is allowed to run under the targeted policy - this
-was possible because the 's*etsebool -P virt_transition_userdomain
-on*'* *boolean was set that allows *virtd_t* domain to transition to a
+was possible because the '*setsebool -P virt_transition_userdomain
+on*' boolean was set that allows *virtd_t* domain to transition to a
 user domain (e.g. *unconfined_t*).
 
 | VM Image   | Object    | Static security context                            |
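Review bot: the re-quoted lines `was possible because the '*setsebool -P virt_transition_userdomain` / `on*' boolean was set` still split the command across two lines inside the quotes and italics, and describe the whole setsebool command as the boolean; clearer would be: because the *virt_transition_userdomain* boolean was set (`setsebool -P virt_transition_userdomain on`). The unchanged context line above it, "Now that the image has been relabeled, the VM can now be started", also carries a doubled "now".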
@@ -383,7 +391,7 @@ system_u:object_r:virt_image_t:s0 Static_VM2.img
 ## Xen Support
 
 This is not supported by SELinux in the usual way as it is built into
-the actual Xen software as a 'Flask/TE' extension[24] for the XSM (Xen
+the actual Xen software as a 'Flask/TE' extension for the XSM (Xen
 Security Module). Also the Xen implementation has its own built-in
 policy (*xen.te*) and supporting definitions for access vectors,
 security classes and initial SIDs for the policy. These Flask/TE
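Review bot: removing the `[24]` marker on the `'Flask/TE' extension` line drops the citation of the XSM reference, leaving the matching entry in the numbered reference list (if it survives the conversion) orphaned; either convert it to an inline link in the style of the other converted sections or remove the list entry in the same patch so the two stay consistent.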
-- 
2.26.2



* [PATCH 20/22] x_windows: Tidy up formatting
  2020-09-09 13:30 [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Richard Haines
                   ` (18 preceding siblings ...)
  2020-09-09 13:30 ` [PATCH 19/22] vm_support: Tidy up formatting Richard Haines
@ 2020-09-09 13:30 ` Richard Haines
  2020-09-09 13:30 ` [PATCH 21/22] xen_statements: " Richard Haines
                   ` (2 subsequent siblings)
  22 siblings, 0 replies; 24+ messages in thread
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/x_windows.md | 52 ++++++++++++++++++++++++------------------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/src/x_windows.md b/src/x_windows.md
index 74edc62..86d93f9 100644
--- a/src/x_windows.md
+++ b/src/x_windows.md
@@ -1,13 +1,13 @@
 # X-Windows SELinux Support
 
--   [**Infrastructure Overview**](#infrastructure-overview)
--   [**Polyinstantiation**](#polyinstantiation)
--   [**Configuration Information**](#configuration-information)
-    -    [**Enable/Disable the OM from Policy Decisions**](#enabledisable-the-om-from-policy-decisions)
-    -    [**Configure OM Enforcement Mode**](#configure-om-enforcement-mode)
-    -    [**Determine OM X-extension Opcode**](#determine-om-x-extension-opcode)
-    -    [**The *x_contexts* File**](#the-x_contexts-file)
--   [**SELinux Extension Functions**](#selinux-extension-functions)
+- [Infrastructure Overview](#infrastructure-overview)
+- [Polyinstantiation](#polyinstantiation)
+- [Configuration Information](#configuration-information)
+  - [Enable/Disable the OM from Policy Decisions](#enabledisable-the-om-from-policy-decisions)
+  - [Configure OM Enforcement Mode](#configure-om-enforcement-mode)
+  - [Determine OM X-extension Opcode](#determine-om-x-extension-opcode)
+  - [The *x_contexts* File](#the-x_contexts-file)
+- [SELinux Extension Functions](#selinux-extension-functions)
 
 The SELinux X-Windows (XSELinux) implementation provides fine grained
 access control over the majority of the X-server objects (known as
@@ -116,10 +116,10 @@ of properties and selections.
 
 This section covers:
 
--   How to enable/disable the OM X-extension.
--   How to determine the OM X-extension opcode.
--   How to configure the OM in a specific SELinux enforcement mode.
--   The *x-contexts* configuration file.
+- How to enable/disable the OM X-extension.
+- How to determine the OM X-extension opcode.
+- How to configure the OM in a specific SELinux enforcement mode.
+- The *x-contexts* configuration file.
 
 ### Enable/Disable the OM from Policy Decisions
 
@@ -148,9 +148,9 @@ If the X-server object manager needs to be run in a specific SELinux
 enforcement mode, then the option may be added to the *xorg.conf* file
 (normally in */etc/X11/xorg.conf.d*). The option entries are as follows:
 
--   SELinux mode disabled
--   SELinux mode permissive
--   SELinux mode enforcing
+- SELinux mode disabled
+- SELinux mode permissive
+- SELinux mode enforcing
 
 Note that the entry must be exact otherwise it will be ignored. An
 example entry is:
@@ -222,17 +222,17 @@ the Xlib libraries (e.g. *XInternAtom*).
 
 **Notes:**
 
-1.  The way the XSELinux extension code works (see
-    *xselinux_label.c* - SELinuxAtomToSIDLookup()) is that non-poly
-    entries are searched for first, if an entry is not found then it
-    searches for a matching poly entry. The reason for this behavior is
-    that when operating in a secure environment all objects would be
-    polyinstantiated unless there are specific exemptions made for
-    individual objects to make them non-polyinstantiated. There would
-    then be a 'poly_selection' or 'poly_property' at the end of the section.
-2.  For systems using the Reference Policy all X-clients connecting
-    remotely will be allocated a security context from the *x_contexts*
-    file of:
+1. The way the XSELinux extension code works (see
+   *xselinux_label.c* - SELinuxAtomToSIDLookup()) is that non-poly
+   entries are searched for first, if an entry is not found then it
+   searches for a matching poly entry. The reason for this behavior is
+   that when operating in a secure environment all objects would be
+   polyinstantiated unless there are specific exemptions made for
+   individual objects to make them non-polyinstantiated. There would
+   then be a 'poly_selection' or 'poly_property' at the end of the section.
+2. For systems using the Reference Policy all X-clients connecting
+   remotely will be allocated a security context from the *x_contexts*
+   file of:
 
 ```
 # object_type object_name context
-- 
2.26.2



* [PATCH 21/22] xen_statements: Tidy up formatting
  2020-09-09 13:30 [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Richard Haines
                   ` (19 preceding siblings ...)
  2020-09-09 13:30 ` [PATCH 20/22] x_windows: " Richard Haines
@ 2020-09-09 13:30 ` Richard Haines
  2020-09-09 13:30 ` [PATCH 22/22] xperm_rules: " Richard Haines
  2020-09-11 14:57 ` [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Paul Moore
  22 siblings, 0 replies; 24+ messages in thread
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/xen_statements.md | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/xen_statements.md b/src/xen_statements.md
index e2c4cc3..c7bbe70 100644
--- a/src/xen_statements.md
+++ b/src/xen_statements.md
@@ -1,5 +1,11 @@
 # Xen Statements
 
+- [*iomemcon*](#iomemcon)
+- [*ioportcon*](#ioportcon)
+- [*pcidevicecon*](#pcidevicecon)
+- [*pirqcon*](#pirqcon)
+- [*devicetreecon*](#devicetreecon)
+
 Xen policy supports additional policy language statements: *iomemcon*,
 *ioportcon*, *pcidevicecon*, *pirqcon* and *devicetreecon* that are
 discussed in the sections that follow, also the
@@ -49,7 +55,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | No                      | No                      |
 
@@ -95,7 +101,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | No                      | No                      |
 
@@ -140,7 +146,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | No                      | No                      |
 
@@ -184,7 +190,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | No                      | No                      |
 
@@ -229,7 +235,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | No                      | No                      |
 
-- 
2.26.2



* [PATCH 22/22] xperm_rules: Tidy up formatting
  2020-09-09 13:30 [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Richard Haines
                   ` (20 preceding siblings ...)
  2020-09-09 13:30 ` [PATCH 21/22] xen_statements: " Richard Haines
@ 2020-09-09 13:30 ` Richard Haines
  2020-09-11 14:57 ` [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Paul Moore
  22 siblings, 0 replies; 24+ messages in thread
From: Richard Haines @ 2020-09-09 13:30 UTC (permalink / raw)
  To: paul, selinux; +Cc: Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/xperm_rules.md | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/xperm_rules.md b/src/xperm_rules.md
index 7f8744b..849b2ac 100644
--- a/src/xperm_rules.md
+++ b/src/xperm_rules.md
@@ -1,5 +1,7 @@
 # Extended Access Vector Rules
 
+- [*ioctl* Operation Rules](#ioctl-operation-rules)
+
 There are three extended AV rules implemented from Policy version 30
 with the target platform 'selinux' that expand the permission sets from
 a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
@@ -66,7 +68,7 @@ Policy Type
 
 Conditional Policy Statements
 
-| *if* statement          | *optional* Statement    | *require* Statement     |
+| *if* Statement          | *optional* Statement    | *require* Statement     |
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | No                      | No                      |
 
@@ -80,7 +82,7 @@ policy format changes shown in the example below with a brief overview
 the final upstream kernel patch).
 
 Ioctl calls are generally used to get or set device options. Policy
-versions &lt; 30 only controls whether an *ioctl* permission is allowed
+versions \> 30 only controls whether an *ioctl* permission is allowed
 or not, for example this rule allows the object class *tcp_socket* the
 *ioctl* permission:
 
@@ -116,17 +118,17 @@ tclass=udp_socket permissive=0
 
 Notes:
 
-1.  Important: The ioctl operation is not 'deny all' ioctl requests
-    (hence whitelisting). It is targeted at the specific
-    source/target/class set of ioctl commands. As no other *allowxperm*
-    rules have been defined in the example, all other ioctl calls may
-    continue to use any valid request parameters (provided there are
-    *allow* rules for the *ioctl* permission).
-2.  As the ***ioctl**(2)* function requires a file descriptor, its
-    context must match the process context otherwise the *fd { use }*
-    class/permission is required.
-3.  To deny all ioctl requests for a specific source/target/class the
-    *xperm_set* should be set to *0* or *0x0*.
+1. Important: The ioctl operation is not 'deny all' ioctl requests
+   (hence whitelisting). It is targeted at the specific
+   source/target/class set of ioctl commands. As no other *allowxperm*
+   rules have been defined in the example, all other ioctl calls may
+   continue to use any valid request parameters (provided there are
+   *allow* rules for the *ioctl* permission).
+2. As the ***ioctl**(2)* function requires a file descriptor, its
+   context must match the process context otherwise the *fd { use }*
+   class/permission is required.
+3. To deny all ioctl requests for a specific source/target/class the
+   *xperm_set* should be set to *0* or *0x0*.
 
 <!-- %CUTHERE% -->
 
-- 
2.26.2



* Re: [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up
  2020-09-09 13:30 [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Richard Haines
                   ` (21 preceding siblings ...)
  2020-09-09 13:30 ` [PATCH 22/22] xperm_rules: " Richard Haines
@ 2020-09-11 14:57 ` Paul Moore
  22 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-09-11 14:57 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux

On Wed, Sep 9, 2020 at 9:30 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> Converted to Markdown or just tidy up formatting. Added TOC to aid
> navigation where required.
> No text changes.
>
> This is the final batch of basic changes that should bring the sections to
> a standard markdown format. The reference_policy.md update to tidy up the
> formatting is large so I'll send patch direct to Paul (no text changes).
>
> The only two sections left are: lsm_selinux.md and mls_mcs.md - These
> require moving and updating text to convert to markdown, will send
> each separately.
>
> Richard Haines (22):
>   kernel_policy_language: Tidy up formatting
>   mls_statements: Convert to markdown
>   object_classes_permissions: : Tidy up formatting
>   policy_config_files: Tidy up formatting
>   policy_validation_example: Tidy up formatting
>   postgresql: Tidy up formatting
>   security_context: Convert to markdown
>   selinux_cmds: Convert to markdown
>   selinux_overview: Convert to markdown
>   sid_statement: Convert to markdown
>   subjects: Convert to markdown
>   toc: Tidy up formatting
>   type_enforcement: Convert to markdown
>   type_statements: Convert to markdown
>   types_of_policy: Convert to markdown
>   user_statements:: Tidy up formatting
>   users: Tidy up formatting
>   userspace_libraries: Tidy up formatting, add toc
>   vm_support: Tidy up formatting
>   x_windows: Tidy up formatting
>   xen_statements: Tidy up formatting
>   xperm_rules: Tidy up formatting
>
>  src/kernel_policy_language.md     | 106 +++----
>  src/mls_statements.md             | 461 +++++++++++-------------------
>  src/object_classes_permissions.md | 299 +++++++++----------
>  src/policy_config_files.md        | 442 ++++++++++++++--------------
>  src/policy_validation_example.md  |   3 +-
>  src/postgresql.md                 |  19 +-
>  src/security_context.md           |  83 +++---
>  src/selinux_cmds.md               | 256 ++++++++---------
>  src/selinux_overview.md           |  33 +--
>  src/sid_statement.md              | 119 +++-----
>  src/subjects.md                   |  21 +-
>  src/toc.md                        | 120 ++++----
>  src/type_enforcement.md           |   9 +-
>  src/type_statements.md            |  33 ++-
>  src/types_of_policy.md            | 359 +++++++++++------------
>  src/user_statements.md            |  10 +-
>  src/users.md                      |   2 +-
>  src/userspace_libraries.md        |  58 ++--
>  src/vm_support.md                 |  84 +++---
>  src/x_windows.md                  |  52 ++--
>  src/xen_statements.md             |  16 +-
>  src/xperm_rules.md                |  28 +-
>  22 files changed, 1223 insertions(+), 1390 deletions(-)

Merged, thanks Richard!

-- 
paul moore
www.paul-moore.com
