From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 07/22] security_context: Convert to markdown
Date: Wed, 9 Sep 2020 14:30:24 +0100 [thread overview]
Message-ID: <20200909133039.44498-8-richard_c_haines@btinternet.com> (raw)
In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/security_context.md | 83 ++++++++++++++++++++++-------------------
1 file changed, 45 insertions(+), 38 deletions(-)
diff --git a/src/security_context.md b/src/security_context.md
index 3ca93a2..cb0fc4a 100644
--- a/src/security_context.md
+++ b/src/security_context.md
@@ -20,47 +20,50 @@ user:role:type[:range]
**Where:**
-<table>
-<tbody>
-<tr>
-<td><code>user</code></td>
-<td>The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.</td>
-</tr>
-<tr>
-<td><code>role</code></td>
-<td>The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.</td>
-</tr>
-<tr>
-<td><code>type</code></td>
-<td><p>When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access.</p>
-<p>When a type is associated with an object, it defines what access permissions the SELinux user has to that object.</p></td>
-</tr>
-<tr>
-<td><code>range</code></td>
-<td><p>This field can also be know as a <em>level</em> and is only present if the policy supports MCS or MLS. The entry can consist of:
-<p>A single security level that contains a sensitivity level and zero or more categories (e.g. s0, s1:c0, s7:c10.c15).</p>
-<p>A range that consists of two security levels (a low and high) separated by a hyphen (e.g. s0 - s15:c0.c1023).</p>
-<p>These components are discussed in the <a href="mls_mcs.md#security-levels">Security Levels</a> section.</p></td>
-</tr>
-</tbody>
-</table>
+*user*
+
+- The SELinux user identity. This can be associated to one or more roles
+ that the SELinux user is allowed to use.
+
+*role*
+
+- The SELinux role. This can be associated to one or more types the SELinux
+ user is allowed to access.
+
+*type*
+
+- When a type is associated with a process, it defines what processes
+ (or domains) the SELinux user (the subject) can access.
+ When a type is associated with an object, it defines what access
+ permissions the SELinux user has to that object.
+
+*range*
+
+- This field can also be know as a *level* and is only present if the policy
+ supports MCS or MLS. The entry can consist of:
+ - A single security level that contains a sensitivity level and zero
+ or more categories (e.g. *s0*, *s1:c0*, *s7:c10.c15*).
+ - A range that consists of two security levels (a low and high) separated
+ by a hyphen (e.g. *s0 - s15:c0.c1023*).
+- These components are discussed in the
+ [**Security Levels**]( mls_mcs.md#security-levels) section.
However note that:
-1. Access decisions regarding a subject make use of all the components
- of the **security context**.
-2. Access decisions regarding an object make use of the components as
- follows:
- 1. the user is either set to a special user called system_u or it
- is set to the SELinux user id of the creating process. It is
- possible to add constraints on users within policy based on
- their object class (an example of this is the Reference Policy
- UBAC (User Based Access Control) option.
- 2. the role is generally set to a special SELinux internal role of
- 'object_r`, although policy version 26 with kernel 2.6.39 and
- above do support role transitions on any object class. It is
- then possible to add constraints on the role within policy
- based on their object class.
+1. Access decisions regarding a subject make use of all the components
+ of the **security context**.
+2. Access decisions regarding an object make use of the components as
+ follows:
+ 1. the user is either set to a special user called *system_u*[^fn_sc_1]
+ or it is set to the SELinux user id of the creating process. It is
+ possible to add constraints on users within policy based on
+ their object class (an example of this is the Reference Policy
+ UBAC (User Based Access Control) option.
+ 2. the role is generally set to a special SELinux internal role of
+ *object_r*, although policy version 26 with kernel 2.6.39 and
+ above do support role transitions on any object class. It is
+ then possible to add constraints on the role within policy
+ based on their object class.
The [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts)
section decribes how SELinux computes the security context components based
@@ -116,6 +119,10 @@ unconfined_u:object_r:out_file_t Message-11
# (see the process example above). The role remained as object_r.
```
+[^fn_sc_1]: The user *system_u* name is not mandatory, it is used to signify
+a special user in the Reference Policy. It is also used in some SELinux
+utilities.
+
<!-- %CUTHERE% -->
---
--
2.26.2
next prev parent reply other threads:[~2020-09-10 20:58 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-09 13:30 [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Richard Haines
2020-09-09 13:30 ` [PATCH 01/22] kernel_policy_language: Tidy up formatting Richard Haines
2020-09-09 13:30 ` [PATCH 02/22] mls_statements: Convert to markdown Richard Haines
2020-09-09 13:30 ` [PATCH 03/22] object_classes_permissions: : Tidy up formatting Richard Haines
2020-09-09 13:30 ` [PATCH 04/22] policy_config_files: " Richard Haines
2020-09-09 13:30 ` [PATCH 05/22] policy_validation_example: " Richard Haines
2020-09-09 13:30 ` [PATCH 06/22] postgresql: " Richard Haines
2020-09-09 13:30 ` Richard Haines [this message]
2020-09-09 13:30 ` [PATCH 08/22] selinux_cmds: Convert to markdown Richard Haines
2020-09-09 13:30 ` [PATCH 09/22] selinux_overview: " Richard Haines
2020-09-09 13:30 ` [PATCH 10/22] sid_statement: " Richard Haines
2020-09-09 13:30 ` [PATCH 11/22] subjects: " Richard Haines
2020-09-09 13:30 ` [PATCH 12/22] toc: Tidy up formatting Richard Haines
2020-09-09 13:30 ` [PATCH 13/22] type_enforcement: Convert to markdown Richard Haines
2020-09-09 13:30 ` [PATCH 14/22] type_statements: Add toc, tidy up formatting Richard Haines
2020-09-09 13:30 ` [PATCH 15/22] types_of_policy: Convert to markdown Richard Haines
2020-09-09 13:30 ` [PATCH 16/22] user_statements:: Tidy up formatting Richard Haines
2020-09-09 13:30 ` [PATCH 17/22] users: " Richard Haines
2020-09-09 13:30 ` [PATCH 18/22] userspace_libraries: Tidy up formatting, add toc Richard Haines
2020-09-09 13:30 ` [PATCH 19/22] vm_support: Tidy up formatting Richard Haines
2020-09-09 13:30 ` [PATCH 20/22] x_windows: " Richard Haines
2020-09-09 13:30 ` [PATCH 21/22] xen_statements: " Richard Haines
2020-09-09 13:30 ` [PATCH 22/22] xperm_rules: " Richard Haines
2020-09-11 14:57 ` [PATCH 00/22] SELinux Notebook: Convert batch 3 to markdown/tidy up Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200909133039.44498-8-richard_c_haines@btinternet.com \
--to=richard_c_haines@btinternet.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.