The most important SELinux policy statement types—role-based access control and type enforcement statements—were explained in the two preceding chapters. However, a typical SELinux policy contains several other statement types that the administrator of an SELinux system may want to understand. This chapter explains these statement types, including constraint declarations, context-related declarations, and Flask-related declarations. Most administrators will seldom need to refer to the material in this chapter, since these statement types are primarily important to SELinux developers rather than SELinux system administrators. However, occasionally a policy modification will fail because it violates a policy constraint. At these times, an understanding of policy constraint declarations is helpful.
Policy constraint declarations superficially resemble the constraints implemented via neverallow rules. However, they support a richer language for specifying constraints and, at the same time, have a narrower purpose: constraint declarations restrict the permissions that can be granted by an access-vector rule.
Figures 8-1 through 8-5 show the statement syntax, which is relatively complex. Fortunately, it’s unusual for a system administrator to need to modify the constraint declarations supplied by a sample SELinux policy.
Figure 8-1. Constraint declaration
Figure 8-2. Syntax of cexpr
Figure 8-3. Syntax of cexpr_prim ...
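As an added illustration (not taken from the book or from any sample policy), the following shows how a constraint declaration narrows what an access-vector rule grants; the type names `staff_t` and `sysadm_t` and the attribute `can_change_process_identity` are hypothetical names chosen for this example.

```selinux
# Access-vector rule: grants a staff_t process the 'transition'
# permission on the process class toward sysadm_t.
# (type names are hypothetical, chosen for this example)
allow staff_t sysadm_t : process transition;

# Constraint declaration: the allow rule above still grants 'transition',
# but the security server honours the permission only when this
# expression evaluates to true at access-check time. Here the SELinux
# user identity may change across the transition (u1 != u2) only if the
# source type carries the can_change_process_identity attribute.
#   u1 / t1 = user and type of the source context (the calling process)
#   u2 / t2 = user and type of the target context (the new process context)
constrain process transition
    ( u1 == u2 or t1 == can_change_process_identity );

# Contrast with neverallow: a neverallow covering the same (staff_t,
# sysadm_t, process transition) triple would make checkpolicy reject the
# allow rule outright when the policy is compiled, whereas the constrain
# statement keeps the rule and refines the permission it grants.
```

If a policy change you make fails with a constraint violation, compare the user, role, and type fields of the source and target contexts against the relevant constrain expression rather than looking for a missing allow rule.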