October 2004
Intermediate to advanced
256 pages
8h 16m
English
Content preview from SELinux
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
SELinux Policy Syntax
The railroad diagram in Figure 6-9 represents an overview of the syntax of an SELinux policy.
Figure 6-9. The SELinux Policy
As the figure shows, an SELinux policy consists of 11 elements, several of which are optional:
-
classes Defines the security object classes recognized by SELinux.
-
initial_sids Defines initial SIDs for important security objects.
-
access_vectors Defines access vectors associated with each security object class.
-
mls Defines MLS configuration (optional).
Tip
MLS is not currently implemented in sample SELinux policies and is not covered in this book.
-
te_rbac Defines type enforcement and role-based access control configuration.
-
users Defines the user configuration.
-
constraints Defines constraints that the security policy must observe (optional).
-
initial_sid_contexts Defines the security contexts of important security objects.
-
fs_use Defines the method of labeling of filesystem inodes.
-
genfs_contexts Defines security contexts for filesystems lacking persistent labels (optional).
-
net_contexts Defines security contexts for network objects.
The policy elements must appear in the order indicated by the railroad diagram. However, you generally don’t have to concern yourself with the order of policy statements, because each type of statement resides in a designated file or directory. As explained in Chapter 4, the SELinux policy Makefile assembles ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.