Review of SELinux Policy Syntax
As explained in Chapter 6, an SELinux policy consists of 11 elements, several of which are optional:
- classes: Defines the security object classes recognized by SELinux.
- initial_sids: Defines initial SIDs for important security objects.
- access_vectors: Defines access vectors associated with each security object class.
- mls: Defines MLS configuration (optional).
- te_rbac: Defines type-enforcement and role-based access control configuration.
- users: Defines the user configuration.
- constraints: Defines constraints that the security policy must observe (optional).
- initial_sid_contexts: Defines the security contexts of important security objects.
- fs_use: Defines the method of labeling of filesystem inodes.
- genfs_contexts: Defines security contexts for filesystems lacking persistent labels (optional).
- net_contexts: Defines security contexts for network objects.
The te_rbac element specifies both the role-based access control policies and the type-enforcement policies. Within the element, role-based access control and type-enforcement declarations can be freely intermingled. The following section explains the SELinux type-enforcement declarations.
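To make the list of elements concrete, here is a skeletal policy.conf that contains one or two statements for each element in the order checkpolicy expects them. This is an added example and not code from the book or from any distribution's policy; every class, type, role, context, interface, address and port value in it is an assumption chosen for illustration, and the optional mls element is simply left out.

```selinux
# Constructed example: a minimal policy.conf skeleton showing the policy
# elements in order. All names and values are illustrative assumptions.

# 1. classes: the security object classes the kernel knows about
class security
class process
class file
class dir

# 2. initial_sids: symbolic names for objects that exist before policy is loaded
sid kernel
sid unlabeled
sid file

# 3. access_vectors: the permissions (access vector bits) of each class
common file { read write create getattr setattr unlink }
class security { compute_av load_policy }
class process { fork transition signal }
class file inherits file { execute entrypoint }
class dir inherits file { search add_name remove_name }

# 4. mls: optional, omitted in this non-MLS example

# 5. te_rbac: type-enforcement and RBAC declarations, freely intermixed
attribute domain;
attribute privuser;
type kernel_t, domain;
type init_t, domain, privuser;
type init_exec_t;
type fs_t;
type proc_t;
type unlabeled_t;
type netif_t;
type node_t;
type port_t;
role system_r types { kernel_t init_t };
# kernel_t may execute an init_exec_t file and transition into init_t
allow kernel_t init_exec_t : file { read getattr execute };
allow kernel_t init_t : process transition;
allow init_t init_exec_t : file entrypoint;
type_transition kernel_t init_exec_t : process init_t;

# 6. users: which roles each SELinux user identity may take on
user system_u roles { system_r };

# 7. constraints: conditions that must hold in addition to allow rules
# Only a privuser domain may change the user identity on a transition.
constrain process transition ( u1 == u2 or t1 == privuser );

# 8. initial_sid_contexts: the context bound to each initial SID
sid kernel    system_u:system_r:kernel_t
sid unlabeled system_u:object_r:unlabeled_t
sid file      system_u:object_r:fs_t

# 9. fs_use: how inodes of each filesystem type receive their labels
fs_use_xattr ext4 system_u:object_r:fs_t;
fs_use_task pipefs system_u:object_r:fs_t;
fs_use_trans devpts system_u:object_r:fs_t;

# 10. genfs_contexts: labels for filesystems without persistent xattrs
genfscon proc / system_u:object_r:proc_t

# 11. net_contexts: labels for network interfaces, nodes and ports
netifcon eth0 system_u:object_r:netif_t system_u:object_r:netif_t
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_t
portcon tcp 22 system_u:object_r:port_t
```

The point of the skeleton is the ordering and the shape of each statement, not the policy it expresses: a real policy declares the kernel's complete list of classes and initial SIDs (in the order the kernel defines them), gives every initial SID a context, and labels every interface, node and port it expects to see. The numbered comments map each block back to the element names in the list above; type and role declarations (element 5) must appear before the users, constraints and context statements that reference them.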