SELinux Policy Structure

Now that we’ve completed our close-up view of an SELinux policy component, let’s return to a wide-angle view. This section explains the conventions observed by SELinux policy developers in choosing where to place policy statements of various types. The explanation is organized around the structure of the SELinux source directory tree, which is typically /etc/security/selinux/src/policy. In good computer science fashion, we’ll first visit the leaf nodes (that is, the subdirectories of the tree) and ultimately visit the root node (that is, the policy directory itself). However, we’ll depart from computer science conventions in one key respect: rather than visit the nodes in lexicographic (alphabetical) order, we’ll visit them in an order in which several nodes having fundamental content are visited first, to facilitate the exposition.

The flask Subdirectory

The flask directory, as implied by being the first subdirectory visited in our traversal of the policy source directory tree, is the most fundamental of the subdirectories. It contains three important files:

  • initial_sids

  • security_classes

  • access_vectors

Like other policy source files, these files are read and processed during policy compilation. In addition, these files are used to generate C header files that are used during compilation of an SELinux-capable Linux kernel. In that context, the files specify symbol definitions for access vectors (that is, permissions), initial SIDs, and security classes. ...
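An added example, not code from the book or from the SELinux project: a small Python parser for the syntax of these three files, run over constructed excerpts. It numbers classes and initial SIDs in file order, gives each permission its bit in a class's access vector (assumed 32 bits wide, as in the kernel), and emits `#define` lines in the style of the kernel's generated headers (`SECCLASS_`, `SECINITSID_`, `CLASS__PERM` names); the excerpt contents are the example's own.

```python
import re

# Constructed excerpts (not the full shipped files) in the syntax of the three flask
# files: "class NAME" / "sid NAME" per entry, and "common NAME { perms }" or
# "class NAME [inherits COMMON] { perms }"; the parser ignores whitespace and '#' comments.
SECURITY_CLASSES = "# FLASK\nclass security\nclass process\nclass file\nclass dir\n"
INITIAL_SIDS = "# FLASK\nsid kernel\nsid security\nsid unlabeled\n"
ACCESS_VECTORS = """
common file { ioctl read write getattr setattr }  # shared by file-like classes
class file inherits file { execute_no_trans entrypoint }
class dir inherits file { add_name remove_name search }
class security { compute_av load_policy }
"""

def tokens(text):
    """Drop '#' comments, then split into words and brace tokens."""
    return re.findall(r"[{}]|[^\s{}]+", re.sub(r"#.*", "", text))

def parse_numbered(text, keyword):
    """security_classes / initial_sids: entries are numbered 1.. in file order."""
    toks, names = tokens(text), []
    for kw, name in zip(toks[::2], toks[1::2]):
        if kw != keyword:
            raise ValueError(f"expected {keyword!r}, got {kw!r}")
        names.append(name)
    return {name: n for n, name in enumerate(names, 1)}

def parse_access_vectors(text):
    """{class: {perm: bit}}: inherited common perms first, then the class's own."""
    toks, commons, classes, i = tokens(text), {}, {}, 0
    while i < len(toks):
        kind, name, perms, i = toks[i], toks[i + 1], [], i + 2
        if toks[i] == "inherits":
            perms, i = list(commons[toks[i + 1]]), i + 2
        if toks[i] != "{":
            raise ValueError(f"expected '{{' after {kind} {name}")
        end = toks.index("}", i)
        perms, i = perms + toks[i + 1:end], end + 1
        if len(set(perms)) != len(perms) or len(perms) > 32:  # one bit per perm
            raise ValueError(f"{kind} {name}: duplicate permission or more than 32")
        (commons if kind == "common" else classes)[name] = {p: 1 << b for b, p in enumerate(perms)}
    return classes

def header_lines(classes, sids, avs):
    """#define lines in the style of the kernel's generated flask headers."""
    out = [f"#define SECCLASS_{c.upper()} {n}" for c, n in classes.items()]
    out += [f"#define SECINITSID_{s.upper()} {n}" for s, n in sids.items()]
    for cls, perms in avs.items():
        out += [f"#define {cls.upper()}__{p.upper()} 0x{bit:08x}UL" for p, bit in perms.items()]
    return out

CLASSES, SIDS = parse_numbered(SECURITY_CLASSES, "class"), parse_numbered(INITIAL_SIDS, "sid")
HEADER = header_lines(CLASSES, SIDS, parse_access_vectors(ACCESS_VECTORS))
```

Because both numberings and the bit positions depend purely on file order, inserting a line in the middle of any of these files renumbers everything after it, which is why the kernel and the policy must be built from the same flask files.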
