SELinux [Electronic resources], text version

Bill McCarty

8.3 Flask-Related Declarations


The flask directory contains several files that are part of the SELinux policy:

security_classes
    Specifies the SELinux security classes.

initial_sids
    Specifies the initial SIDs.

access_vectors
    Specifies the permissions included in access vectors.



The following subsections explain the syntax of declarations residing
in these files. Generally, only SELinux developers should change
these declarations. However, administrators may find it helpful to
understand these files and the declarations they contain.


8.3.1 Syntax of security_classes


The flask/security_classes file specifies the security classes handled by SELinux. Entries in the file have the syntax shown in Figure 8-10. A class declaration contains only the keyword class and an identifier giving the class name.


Figure 8-10. Flask class declaration

The example policy defines between two and three dozen classes. Here
is a typical class declaration:

class security

Appendix A summarizes the standard security object classes.


8.3.2 Syntax of initial_sids


The flask/initial_sids file specifies the symbols corresponding to initial SIDs. Entries in the file have the syntax shown in Figure 8-11, consisting of the keyword sid and an identifier naming the SID.


Figure 8-11. Flask initial SID declaration

The sample policy defines a few more than two dozen initial SIDs. A
typical SID declaration follows:

sid kernel


Don't confuse the flask/initial_sids file and its sid declarations with the sid declarations residing in the initial_sid_contexts file. The former merely name each initial SID and include no security context; the latter assign a security context to each of those SIDs.


8.3.3 Syntax of access_vectors


The flask/access_vectors file specifies the form of SELinux access vectors. Declarations in the flask/access_vectors file have the forms given in Figures 8-12 and 8-13. The common declaration, shown in Figure 8-12, defines a set of permissions shared by multiple classes. The sample policy includes several such declarations.


Figure 8-12. Common declaration

A typical common declaration is:

common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}

This declaration specifies the permissions shared by file-like objects (regular files, directories, symbolic links, and so on). The common named file is not itself a class; classes pick up its permissions with the inherits keyword described next.

A second type of declaration, class, specifies the permissions associated with a class. Figure 8-13 shows the related syntax. The sample policy specifies between two and three dozen sets of permissions, one for each class.


Figure 8-13. Access vector declaration

Within a class declaration, permissions can be enumerated directly, inherited from a common declaration, or both. The order in which permissions appear matters: each permission occupies one bit of the class's access vector, inherited permissions are assigned the low-order bits, and the class's own permissions follow them. For example, the class filesystem enumerates its permissions:

class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}

The lnk_file class, on the other hand, inherits all its permissions from the common declaration named file:

class lnk_file inherits file

The dir class both enumerates and inherits permissions:

class dir inherits file
{
add_name
remove_name
reparent
search
rmdir
}

Appendix B summarizes the operations that appear in SELinux access vectors.
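The following parser is an added example for sections 8.3.1 and 8.3.3; it is not code from this book or from the SELinux project. It reads the security_classes and access_vectors syntax described above, resolves common inheritance into the per-class permission order that determines access-vector bit positions, and applies three checks that a policy compiler would also enforce: every class in access_vectors must be declared in security_classes, a class may not list a permission twice (including one it inherits), and a class may not exceed the 32 bits of a kernel access vector. The two policy excerpts embedded in the code are constructed for the example, using the declarations quoted in the text; the function and constant names are the example's own.

```python
"""Parser and sanity checks for the flask/security_classes and
flask/access_vectors syntax (added example, not book or project code).
The policy excerpts below are constructed for this example."""
import re

AV_BITS = 32  # a kernel access vector is a 32-bit bitmap, one bit per permission

# Constructed excerpt in the style of flask/security_classes.
SECURITY_CLASSES = """
# class <identifier>, one per line
class filesystem
class dir
class lnk_file
"""

# Constructed excerpt in the style of flask/access_vectors. The policy
# lexer is whitespace-agnostic, so several permissions per line is fine.
ACCESS_VECTORS = """
common file
{
    ioctl read write create getattr setattr lock relabelfrom relabelto
    append unlink link rename execute swapon quotaon mounton
}

class filesystem
{
    mount remount unmount getattr relabelfrom relabelto
    transition associate quotamod quotaget
}

class lnk_file
inherits file

class dir
inherits file
{
    add_name remove_name reparent search rmdir
}
"""

DECL_RE = re.compile(
    r"\b(common|class)\s+(\w+)"      # keyword and identifier
    r"(?:\s+inherits\s+(\w+))?"      # optional: inherits <common>  (class only)
    r"(?:\s*\{([^}]*)\})?"           # optional: { permission list }
)


def strip_comments(text):
    """Drop '#' comments, which both flask files allow."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_security_classes(text):
    """Return class names in declaration order ('class <identifier>' lines)."""
    return re.findall(r"^\s*class\s+(\w+)\s*$", strip_comments(text), re.M)


def parse_access_vectors(text):
    """Return (commons, classes): name -> ordered permission list.

    A class's list is resolved the way access-vector bits are numbered:
    permissions inherited from the common come first, the class's own follow.
    """
    commons, classes = {}, {}
    for kw, name, parent, body in DECL_RE.findall(strip_comments(text)):
        own = body.split()
        if kw == "common":
            commons[name] = own
            continue
        if parent and parent not in commons:
            raise ValueError(f"class {name} inherits undefined common {parent}")
        inherited = commons[parent] if parent else []
        if not inherited and not own:
            raise ValueError(f"class {name} declares no permissions")
        classes[name] = inherited + own
    return commons, classes


def perm_bit(classes, cls, perm):
    """The access-vector bit a permission occupies for its class."""
    return 1 << classes[cls].index(perm)


def check_policy(class_text, av_text):
    """Return a list of problems a policy compiler would reject; [] if clean."""
    declared = set(parse_security_classes(class_text))
    _, classes = parse_access_vectors(av_text)
    problems = []
    for name, perms in classes.items():
        if name not in declared:
            problems.append(f"class {name} is not declared in security_classes")
        dups = sorted({p for p in perms if perms.count(p) > 1})
        if dups:
            problems.append(f"class {name} defines {', '.join(dups)} more than once")
        if len(perms) > AV_BITS:
            problems.append(f"class {name} has {len(perms)} permissions, "
                            f"more than the {AV_BITS} bits of an access vector")
    return problems


if __name__ == "__main__":
    _, resolved = parse_access_vectors(ACCESS_VECTORS)
    for cls, perms in resolved.items():
        print(f"{cls}: {len(perms)} permissions")
        for i, p in enumerate(perms):
            print(f"  {p:<12} 0x{1 << i:08x}")
    print("problems:", check_policy(SECURITY_CLASSES, ACCESS_VECTORS) or "none")
```

Running the block prints each class with the bit each permission occupies; for dir, the 17 inherited file permissions take bits 0 through 16 and add_name, remove_name, reparent, search and rmdir take bits 17 through 21, which is why search appears as 0x00100000 in the DIR__SEARCH constant of the kernel's generated av_permissions.h for policies of this vintage. The 32-bit limit is the reason a busy class cannot simply keep growing: once a common plus a class's own permissions would exceed 32, the policy must split the operations across classes.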

