The SELinux policy language includes several declaration types that establish contexts for various objects:
Objects having initial SIDs
Filesystems supporting persistent labels
Filesystems not supporting persistent labels
Some filesystems, such as ext2 and ext3, provide space (an extended attribute on each inode) in which SELinux can store a persistent label for every file. Other filesystems lack this capability. So that even such uncooperative filesystems can be used under SELinux, the policy language lets you specify static labels that are applied to the files within them.
The following subsections describe these declarations.
Figure 8-6 shows the syntax of initial SID context declarations, which are used to specify the security context of objects having initial SIDs.
Figure 8-6. Initial SID context declaration
The example SELinux policy typically includes a bit more than two dozen initial SID declarations. A typical declaration is:
sid kernel system_u:system_r:kernel_t
This declaration assigns the security context system_u:system_r:kernel_t to the kernel object. In general, it's not possible to change or add an initial SID declaration without making corresponding changes to SELinux itself, so changes and additions are generally made only by SELinux developers rather than
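The declaration above is one line of a larger set, and a hand edit to that set is exactly the kind of change the text warns against. The following Python script is an added example, not code from the book or from the SELinux project. In monolithic policy source an initial SID appears twice: as a bare declaration (`sid kernel`) and later as a context assignment (`sid kernel system_u:system_r:kernel_t`). The script parses both forms from a constructed policy fragment and reports the defects an edit can introduce: a context for a SID that was never declared, a SID declared without a context, a second context for the same SID, and a context that is not of the form user:role:type (with an optional fourth MLS field). The sample lines, including the defective `devnull` and `file` entries, are constructed for this example.

```python
"""Check SELinux initial SID declarations and their context assignments.

Added example (not from the book or the SELinux sources). In monolithic
policy source an initial SID appears twice: a bare declaration such as
`sid kernel` and, later, a context assignment such as
`sid kernel system_u:system_r:kernel_t`. This script parses both forms
from a policy fragment and reports the inconsistencies a hand edit can
introduce.
"""
import re
from dataclasses import dataclass, field

# A security context is user:role:type, optionally followed by an MLS/MCS
# range as a fourth field. This check only demands three leading
# identifier fields; the optional fourth field is accepted as-is.
_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
CONTEXT_RE = re.compile(rf"^{_IDENT}:{_IDENT}:{_IDENT}(?::\S+)?$")

# Constructed sample policy fragment. The first block mimics the bare
# declarations, the second the context assignments. The last two
# assignments and the declaration of `file` are deliberate defects.
SAMPLE_POLICY = """\
# initial SID declarations
sid kernel
sid security
sid unlabeled
sid fs
sid file

# initial SID contexts
sid kernel system_u:system_r:kernel_t
sid security system_u:object_r:security_t
sid unlabeled system_u:object_r:unlabeled_t
sid fs system_u:object_r:fs_t
sid devnull system_u:object_r:null_device_t
sid kernel system_u:system_r
"""


@dataclass
class SidTable:
    declared: list = field(default_factory=list)   # SID names, in order
    contexts: dict = field(default_factory=dict)   # SID name -> context
    errors: list = field(default_factory=list)     # human-readable findings


def parse_sid_statements(source: str) -> SidTable:
    """Parse `sid` statements from policy source and cross-check them."""
    table = SidTable()
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "sid":
            continue                              # other statements are out of scope
        if len(tokens) == 2:                      # bare declaration: sid NAME
            name = tokens[1]
            if name in table.declared:
                table.errors.append(f"line {lineno}: SID {name!r} declared twice")
            else:
                table.declared.append(name)
        elif len(tokens) == 3:                    # assignment: sid NAME CONTEXT
            name, ctx = tokens[1], tokens[2]
            if name not in table.declared:
                table.errors.append(
                    f"line {lineno}: context given for undeclared SID {name!r}")
            if not CONTEXT_RE.match(ctx):
                table.errors.append(
                    f"line {lineno}: malformed context {ctx!r} "
                    "(expected user:role:type[:mls])")
            if name in table.contexts:
                table.errors.append(
                    f"line {lineno}: SID {name!r} already has context "
                    f"{table.contexts[name]!r}")
            else:
                table.contexts[name] = ctx
        else:
            table.errors.append(f"line {lineno}: cannot parse {line!r}")
    # Every declared SID must end up with a context; the validator treats a
    # declaration without one as an error.
    for name in table.declared:
        if name not in table.contexts:
            table.errors.append(f"SID {name!r} is declared but has no context")
    return table


def check_policy(source: str) -> list:
    """Return the list of findings for a policy fragment (empty if clean)."""
    return parse_sid_statements(source).errors


if __name__ == "__main__":
    result = parse_sid_statements(SAMPLE_POLICY)
    for name in result.declared:
        print(f"{name:10s} -> {result.contexts.get(name, '<none>')}")
    for err in result.errors:
        print("ERROR:", err)
```

Run against the sample, the script lists each declared SID with its context and then four findings: the undeclared `devnull`, the malformed second `kernel` context, the duplicate assignment to `kernel`, and `file` declared without a context. The context regex accepts a fourth field so that MLS policies (`system_u:system_r:kernel_t:s0`) pass; it does not try to validate the range syntax itself.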