Other Context-Related Declarations

The SELinux policy language includes several declaration types that establish contexts for various objects:

  • Objects having initial SIDs

  • Filesystems supporting persistent labels

  • Filesystems not supporting persistent labels

  • Network-related objects

Some filesystems, such as ext2 and ext3, provide space in which SELinux can store persistent file labels. Other filesystems have no such capability. So that even these uncooperative filesystems can be used with SELinux, the policy language lets you specify static labels that are applied to files residing on them.

The following subsections describe these declarations.

Syntax of Initial SID Context Declarations

Figure 8-6 shows the syntax of initial SID context declarations, which are used to specify the security context of objects having initial SIDs.

Figure 8-6. Initial SID context declaration

The example SELinux policy typically includes a bit more than two dozen initial SID declarations. A typical declaration is:

sid kernel      system_u:system_r:kernel_t

This declaration assigns the security context system_u:system_r:kernel_t to the kernel object. In general, it’s not possible to change or add an initial SID declaration without making corresponding changes to SELinux itself, so changes and additions are generally made only by SELinux developers rather than system administrators.
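As an added illustration (not from the book or from the SELinux toolchain), the following hypothetical checker parses initial SID context declarations of the form shown above and rejects the two mistakes a policy author is most likely to make: a context that does not split into user:role:type, and the same initial SID declared twice. The sample policy text is constructed; the optional fourth MLS field and the treatment of `#` comments are assumptions about the policy source syntax, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical checker for "sid <name> <context>" declarations. It is not the
# real policy compiler (checkpolicy); it only validates the shape of the lines.
SID_DECL = re.compile(r"^sid\s+([A-Za-z_][A-Za-z0-9_]*)\s+(\S+)$")


@dataclass(frozen=True)
class InitialSidContext:
    name: str          # the object having an initial SID, e.g. "kernel"
    user: str          # SELinux user, e.g. "system_u"
    role: str          # role, e.g. "system_r"
    type: str          # type, e.g. "kernel_t"
    mls_range: Optional[str] = None   # assumed optional fourth field


def parse_context(ctx: str) -> Tuple[str, str, str, Optional[str]]:
    """Split user:role:type[:range]; the first three fields must be present."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or any(p == "" for p in parts[:3]):
        raise ValueError(f"malformed security context: {ctx!r}")
    user, role, type_ = parts[:3]
    mls = parts[3] if len(parts) == 4 else None
    return user, role, type_, mls


def parse_initial_sids(policy_text: str) -> Dict[str, InitialSidContext]:
    """Collect all initial SID context declarations, rejecting duplicates."""
    sids: Dict[str, InitialSidContext] = {}
    for lineno, raw in enumerate(policy_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # assumed: '#' starts a comment
        if not line.startswith("sid"):
            continue                          # not an initial SID declaration
        m = SID_DECL.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: bad sid declaration: {raw!r}")
        name, ctx = m.group(1), m.group(2)
        if name in sids:
            raise ValueError(f"line {lineno}: initial SID {name!r} declared twice")
        user, role, type_, mls = parse_context(ctx)
        sids[name] = InitialSidContext(name, user, role, type_, mls)
    return sids


# Constructed sample, modelled on the declaration quoted in the text.
SAMPLE_POLICY = """\
# initial SIDs (constructed sample)
sid kernel      system_u:system_r:kernel_t
sid security    system_u:object_r:security_t
"""
```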

Syntax of Filesystem Labeling Declarations ...
