Chapter 8. Ancillary Policy Statements

The most important SELinux policy statement types—role-based access control and type enforcement statements—were explained in the two preceding chapters. However, a typical SELinux policy contains several other statement types that the administrator of an SELinux system may want to understand. This chapter explains these statement types, including constraint declarations, context-related declarations, and Flask-related declarations. Most administrators will seldom need to refer to the material in this chapter, since these statement types are primarily important to SELinux developers rather than SELinux system administrators. However, occasionally a policy modification will fail because it violates a policy constraint. At these times, an understanding of policy constraint declarations is helpful.

Constraint Declarations

SELinux policy constraint declarations superficially resemble the constraints implemented via neverallow rules. However, they support a richer language for specifying constraints and, at the same time, have a narrower purpose: constraint declarations restrict the permissions that can be granted by an access-vector rule.

Figures 8-1 through 8-5 show the statement syntax, which is relatively complex. Fortunately, it’s unusual for a system administrator to need to modify the constraint declarations supplied by a sample SELinux policy.

Figure 8-1. Constraint declaration

Figure 8-2. Syntax of cexpr

Figure 8-3. Syntax of cexpr_prim ...
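To make the restricting effect concrete, here is an added illustration (not code from the book or from SELinux itself): a small Python model in which a permission is granted only when a type-enforcement allow rule grants it and every constrain statement declared on that class and permission evaluates true. The allow rule, type names and contexts are constructed for the example; the expression shape follows the cexpr/cexpr_prim grammar referred to above (u1 == u2, t1 == { names }, combined with and, or and not).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str


def evaluate(expr, src, tgt):
    """Evaluate a constraint expression given as nested tuples.

    Leaf ("==" | "!=", attr, "2") compares src.attr with tgt.attr (u1 == u2);
    leaf ("==" | "!=", attr, {names}) tests src.attr against a set (t1 == {..}).
    Nodes: ("and", e1, e2), ("or", e1, e2), ("not", e).
    """
    op = expr[0]
    if op == "and":
        return evaluate(expr[1], src, tgt) and evaluate(expr[2], src, tgt)
    if op == "or":
        return evaluate(expr[1], src, tgt) or evaluate(expr[2], src, tgt)
    if op == "not":
        return not evaluate(expr[1], src, tgt)
    _, attr, rhs = expr
    left = getattr(src, attr)
    hit = left in rhs if isinstance(rhs, set) else left == getattr(tgt, attr)
    return hit if op == "==" else not hit


# Constructed policy: the allow rule grants init_t two permissions on user_t
# processes; the constraint narrows "transition" so the SELinux user may change
# only when the source type is in the constructed can_change_process_identity set.
ALLOW = {("init_t", "user_t", "process"): {"transition", "sigchld"}}
CONSTRAINTS = [
    ("process", {"transition"},
     ("or", ("==", "user", "2"),
            ("==", "type", {"can_change_process_identity"}))),
]


def permitted(src, tgt, cls, perm):
    """Grant only if a TE rule allows perm AND every constraint on that
    class/permission holds; a constraint can remove access, never add it."""
    if perm not in ALLOW.get((src.type, tgt.type, cls), set()):
        return False
    return all(evaluate(expr, src, tgt)
               for c_cls, perms, expr in CONSTRAINTS
               if c_cls == cls and perm in perms)
```

The second case below is the one an administrator meets in practice: the allow rule is present, yet the access is denied because the constraint failed.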
