SELinux Policy Structure

Now that we’ve completed our close-up view of an SELinux policy component, let’s return to a wide-angle view. This section explains the conventions observed by SELinux policy developers in choosing where to place policy statements of various types. The explanation is organized around the structure of the SELinux source directory tree, which is typically /etc/security/selinux/src/policy. In good computer science fashion, we’ll first visit the leaf nodes (that is, the subdirectories of the tree) and ultimately visit the root node (that is, the policy directory itself). However, we’ll depart from computer science conventions in one key respect: rather than visit the nodes in lexicographic (alphabetical) order, we’ll visit them in an order in which several nodes having fundamental content are visited first, to facilitate the exposition.

The flask Subdirectory

The flask directory, as implied by being the first subdirectory visited in our traversal of the policy source directory tree, is the most fundamental of the subdirectories. It contains three important files:

  • initial_sids

  • security_classes

  • access_vectors

Like other policy source files, these files are read and processed during policy compilation. In addition, these files are used to generate C header files that are used during compilation of an SELinux-capable Linux kernel. In that context, the files specify symbol definitions for access vectors (that is, permissions), initial SIDs, and security classes. ...

Get SELinux now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.