Section 9.5. Summary



  • Conditional statements allow you to create policy rules that can be enabled or disabled by changing Boolean variable values on a running system. Rules that are not within a conditional statement (typically the vast majority of rules in a system) are unconditional and always enabled.

  • Boolean variables are defined in the policy using the bool statement, along with the default value for each Boolean.

  • All defined Booleans in the running policy also have files in the selinux filesystem, usually mounted at /selinux/booleans/. These files indicate the current and pending value for each Boolean. To change the current value of a Boolean, you write the new value (1 or 0) into its file and then make the change effective by writing a 1 to the file /selinux/commit_pending_bools. The commands getsebool and setsebool provide a convenient and stable way to change these values without remembering the various filenames.

  • Booleans support a persistent value that will override the default value in the policy on a reboot. The persistent value allows you to change the effective default value without having to modify the policy itself. The easiest way to make a persistent change to a Boolean value is to use the setsebool -P command.

  • The conditional statement (if) allows you to express a logical conditional expression using a defined Boolean variable and a true and optional false list of rules. These rules will be enabled/disabled by the kernel depending on the value of the conditional expression, which in turn depends on the current values of the Booleans the expression contains.

  • The only statements currently supported in a conditional statement true/false list are allow, auditallow, dontaudit, type_transition, and type_change.

  • At present, you cannot nest conditional statements. This limitation is likely to change in the near future.
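
The file-level procedure from the third bullet, as an added example that is not from the book: shell helpers that read each Boolean's current and pending value, report Booleans left staged but uncommitted, and perform the write-then-commit sequence. The SELINUX_MNT variable and the function names are assumptions of this example; getsebool and setsebool remain the stable interface.

```shell
#!/bin/sh
# Added example, not from the book. SELINUX_MNT is this example's own variable;
# it defaults to the /selinux mount point named in the text (newer systems
# mount selinuxfs at /sys/fs/selinux).
SELINUX_MNT="${SELINUX_MNT:-/selinux}"

# Print "name current pending" for every Boolean file.
bool_list() {
    for f in "$SELINUX_MNT"/booleans/*; do
        [ -f "$f" ] || continue
        # Each file holds "<current> <pending>", possibly without a newline,
        # so a non-zero status from read is not an error here.
        read -r cur pend < "$f" || :
        [ -n "$cur" ] || continue
        printf '%s %s %s\n' "${f##*/}" "$cur" "$pend"
    done
}

# Print Booleans whose pending value differs from the current one, i.e. a
# value was written but never made effective through commit_pending_bools.
bool_uncommitted() {
    bool_list | while read -r name cur pend; do
        [ "$cur" = "$pend" ] || printf '%s\n' "$name"
    done
}

# Write a new value (0 or 1) for one Boolean, then commit it.
bool_set() {
    name=$1 value=$2
    case $value in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 2 ;; esac
    # Refuse names that could escape the booleans/ directory.
    case $name in ''|.|..|*/*) echo "bad Boolean name" >&2; return 2 ;; esac
    [ -f "$SELINUX_MNT/booleans/$name" ] || {
        echo "no such Boolean: $name" >&2; return 1; }
    printf '%s' "$value" > "$SELINUX_MNT/booleans/$name" || return 1
    printf '1' > "$SELINUX_MNT/commit_pending_bools"
}
```

Running bool_uncommitted after a policy change is a quick check that no Boolean was written without the commit step.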




SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154
