Type-Enforcement Declarations

Type-enforcement (TE) declarations are of seven types:

attribute_def: Attribute declarations
type_def: Type declarations
typealias_def: Type alias declarations
bool_def: Boolean declarations
transition_def: Transition declarations
te_avtab_def: TE access vector table declarations
cond_stmt_def: Conditional statement declarations

Type Declarations

The SELinux policy language requires that all type names be explicitly defined. In the simplest possible form, a type declaration merely defines a name as a type. For instance, the type declaration:

type ping_t;

would mark ping_t as the name of a type. Type declarations need not precede all statements that refer to the types they define; you can place type declarations any place within a TE file.

Optionally, a type declaration may define one or more aliases for the type name. Any alias associated with a type can be freely used in place of the primary name of the type. A type declaration can also optionally associate one or more attributes with the type name.

Figure 7-1 shows the syntax of a type declaration. As an example, the ping.te file contains two type declarations:

type ping_t, domain, privlog;
type ping_exec_t, file_type, sysadmfile, exec_type;

The first declaration identifies ping_t as a type name, and associates the attributes domain and privlog with the type name, marking the type as a domain that communicates with the system log process. The second declaration identifies ping_exec_t as a type name, and associates ...
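As an added example (not from the book or the SELinux tools), the following Python parser reads type declarations out of TE text and records each type's aliases and attributes, so a policy reviewer can list every type marked as a domain or resolve an alias to its primary name. The alias form uses the policy grammar's alias keyword; example_t and its aliases are constructed, and identifiers are assumed to consist of word characters only.

```python
import re

# Constructed sample: the two ping.te declarations quoted above, plus one
# hypothetical declaration (example_t and its aliases are made up).
SAMPLE_TE = """
# ping.te
type ping_t, domain, privlog;
type ping_exec_t, file_type, sysadmfile, exec_type;
type example_t alias { old_example_t legacy_example_t }, domain;
"""

# type <name> [alias <id> | alias { <id> ... }] [, <attribute>]... ;
TYPE_DECL = re.compile(
    r"^\s*type\s+(?P<name>\w+)"
    r"(?:\s+alias\s+(?P<aliases>\w+|\{[^}]*\}))?"
    r"(?P<attrs>(?:\s*,\s*\w+)*)\s*;",
    re.MULTILINE,
)

def parse_type_decls(text):
    """Return {type_name: {"aliases": [...], "attributes": [...]}}."""
    text = re.sub(r"#.*", "", text)  # drop comments before matching
    decls = {}
    for m in TYPE_DECL.finditer(text):
        name = m.group("name")
        if name in decls:
            raise ValueError(f"duplicate type declaration: {name}")
        decls[name] = {
            "aliases": re.findall(r"\w+", m.group("aliases") or ""),
            "attributes": re.findall(r"\w+", m.group("attrs")),
        }
    return decls

def types_with_attribute(decls, attribute):
    """List the types that a declaration associates with the attribute."""
    return sorted(t for t, d in decls.items() if attribute in d["attributes"])

def resolve(decls, name):
    """Map a primary name or alias to its primary type; None if undeclared."""
    if name in decls:
        return name
    for primary, d in decls.items():
        if name in d["aliases"]:
            return primary
    return None

if __name__ == "__main__":
    decls = parse_type_decls(SAMPLE_TE)
    print("domains:", types_with_attribute(decls, "domain"))
    print("old_example_t ->", resolve(decls, "old_example_t"))
```

Because declarations may appear anywhere in a TE file, parse the whole file before calling resolve on names used in other statements.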
