Section 12.2. Overview of Policy Source File Structure


The file structure of the reference policy differs from that of the example policy. Before we describe the key implementation details of the reference policy, let's survey the layout of its source files to familiarize ourselves with that structure.

12.2.1. Build and Support Files

The following files and directories are used for building or otherwise supporting the building of a reference policy:

build.conf

This file defines the set of build options that we can change to control the build process. It is included by the Makefile during the make process. We discuss some of these build options later in this chapter.

Rules.modular

This file contains the make rules for building a policy that supports loadable modules (see Chapter 3, "Architecture"). It supports building both the base policy module and loadable policy modules. Which modules are built as part of the base module, and which are built as loadable modules, is defined in policy/modules.conf (see below). The build option MONOLITHIC in build.conf controls whether a modular or monolithic policy is built.

Rules.monolithic

If a monolithic policy is being built, this file (rather than Rules.modular) is included in the Makefile to define the rules for building a monolithic policy.

config/

This directory contains subdirectories for the application configuration files for every variety of policy that can be built with the reference policy. These configuration files are exactly the same as the files in the appconfig/ directory for the example policy. These are files installed in the operational policy directory (for example, /etc/selinux/refpolicy) to support various services and applications (see Chapter 13, "Managing an SELinux System").

doc/

This directory contains files that support the integrated documentation generation that is part of the reference policy. To see the generated documentation, view the reference policy Web site (http://serefpolicy.sourceforge.net/) or run the command make html and look in the doc/html/ directory.

support/

This directory contains source code and scripts for the tools used to support the build process.


12.2.2. Core Policy Files

In the reference policy, the primary files used to create a policy (or loadable modules) are contained in the policy/ directory. These are the files that we, as policy writers, will most commonly modify and examine:

policy/constraints

This file is where all non-MLS constraints are defined. It is essentially identical to the same file in the example policy. See Chapter 7, "Constraints," for more on policy constraints.

policy/flask/

This directory contains Flask definitions identical to those in the example policy. See Chapter 11, "Original Example Policy," for the description of this directory and its files in the example policy.

policy/mls and policy/mcs

These two files define two configurations for the optional MLS features in SELinux. They are identical in intent to the same files in the example policy; see the description in Chapter 11.

policy/global_booleans and policy/global_tunables

These two files currently store defined Booleans and their default values. They are combined and installed in /etc/selinux/refpolicy/booleans and enable an administrator to change the default values of Booleans, as we discussed in Chapter 9, "Conditional Policies." The reason for having two files is a difference in philosophy that may eventually lead to a difference in implementation. The global_booleans file contains Booleans intended to support truly conditional policies that an administrator may want to toggle on and off in a production system. The global_tunables file contains Booleans that are build/runtime configuration options, which are typically set once during installation and never changed again. Some of these latter Booleans (that is, the tunables) may be implemented using features of loadable modules in the future.

policy/modules.conf

This file configures which modules are included in a build and in what form. A module can be built into a monolithic policy or into the base module of a loadable policy, built as a loadable module, or not built at all. The modules.conf file is created with the make conf command. We discuss module configuration options later in this chapter.
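To make the modules.conf / MONOLITHIC interplay described here (and under Rules.modular above) concrete, the following added example, which is not code from the book or from the reference policy project, classifies modules the way a build would. It assumes the modules.conf entry form "name = base | module | off" and a build.conf line "MONOLITHIC = y" or "MONOLITHIC = n"; the sample file contents are constructed for the example, and the treatment of "module" entries in a monolithic build is stated as an assumption in the code.

```python
"""Work out which reference-policy modules go into the base module, which
become loadable modules, and which are skipped, from policy/modules.conf
and the MONOLITHIC option in build.conf.

Added example, not code from the book or from the reference policy project.
It assumes the entry format "<name> = base | module | off" for modules.conf
and "MONOLITHIC = y|n" in build.conf. The sample contents are constructed.
"""
import re

# Constructed sample of policy/modules.conf (not a copy of a real one).
SAMPLE_MODULES_CONF = """\
# Layer: kernel
# Module: kernel
kernel = base

# Layer: system
# Module: init
init = base

# Layer: services
# Module: apache
apache = module

# Layer: services
# Module: cups
cups = off
"""

# Constructed sample build.conf fragments; only MONOLITHIC matters here.
SAMPLE_BUILD_CONF_MODULAR = "# base module plus loadable modules\nMONOLITHIC = n\n"
SAMPLE_BUILD_CONF_MONOLITHIC = "# one monolithic policy\nMONOLITHIC = y\n"

_ENTRY = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(base|module|off)$")
_OPTION = re.compile(r"^([A-Z_]+)\s*=\s*(\S+)$")


def _content_lines(text):
    """Yield (lineno, text) with '#' comments and blank lines removed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if stripped:
            yield lineno, stripped


def parse_modules_conf(text):
    """Return {module_name: form}. Malformed or duplicate entries are errors,
    because silently dropping a module changes what policy gets built."""
    modules = {}
    for lineno, line in _content_lines(text):
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"modules.conf line {lineno}: cannot parse {line!r}")
        name, form = m.groups()
        if name in modules:
            raise ValueError(f"modules.conf line {lineno}: duplicate entry for {name}")
        modules[name] = form
    return modules


def parse_build_conf(text):
    """Return {OPTION: value} for the 'KEY = value' lines of build.conf."""
    options = {}
    for lineno, line in _content_lines(text):
        m = _OPTION.match(line)
        if m is None:
            raise ValueError(f"build.conf line {lineno}: cannot parse {line!r}")
        options[m.group(1)] = m.group(2)
    return options


def plan_build(modules_conf_text, build_conf_text):
    """Return {'base': [...], 'module': [...], 'off': [...]} with sorted names.

    Modular build (MONOLITHIC = n): 'base' entries form the base module and
    'module' entries become loadable modules. Monolithic build: nothing can
    be loaded later, so entries marked 'module' are compiled into the single
    policy together with the 'base' ones (an assumption about the build
    rules, not taken from the book's text). 'off' modules are left out.
    """
    modules = parse_modules_conf(modules_conf_text)
    options = parse_build_conf(build_conf_text)
    monolithic = options.get("MONOLITHIC", "n").lower() == "y"
    plan = {"base": [], "module": [], "off": []}
    for name, form in modules.items():
        if monolithic and form == "module":
            form = "base"
        plan[form].append(name)
    return {form: sorted(names) for form, names in plan.items()}


if __name__ == "__main__":
    for label, conf in (("modular", SAMPLE_BUILD_CONF_MODULAR),
                        ("monolithic", SAMPLE_BUILD_CONF_MONOLITHIC)):
        print(label, plan_build(SAMPLE_MODULES_CONF, conf))
```

Rejecting unparseable entries instead of skipping them is deliberate: a typo in modules.conf should stop the build rather than quietly leave a module out of the policy.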

policy/modules/

This directory contains all the policy modules divided into subdirectories by layer. Most of the files that we would examine, edit, and change will be in this directory. We discuss modules and layers in the next section.

policy/support/

This directory contains macros used throughout the policy modules to aid in policy writing. For example, the file policy/support/obj_perm_sets.spt defines macros that name sets of permissions. We use these macros to simplify some of the policy writing steps and to produce easier-to-read policy.
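Because a permission-set macro hides the exact permissions a rule grants, a reviewer often wants to see the expanded form. The following added example, not code from the book or the reference policy, expands such macros in an allow rule. The define() lines are a constructed sample in the m4 syntax the .spt files use; the sets in the real obj_perm_sets.spt differ in detail, so their contents here are illustrative only.

```python
"""Expand permission-set macros of the kind policy/support/obj_perm_sets.spt
provides, so the exact permissions an allow rule grants can be reviewed.

Added example, not code from the book or from the reference policy. The
macro definitions are a constructed sample in the m4 define() form the
.spt files use; the real file's sets differ in detail.
"""
import re

# Constructed sample in the style of obj_perm_sets.spt (m4 syntax).
SAMPLE_SPT = """\
# read-only access to an existing file
define(`r_file_perms',`{ open getattr read ioctl lock }')
# read and write an existing file
define(`rw_file_perms',`{ open getattr read write append ioctl lock }')
# full management of a file, including creating and deleting it
define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
"""

_DEFINE = re.compile(r"define\(`(\w+)',`\{([^}]*)\}'\)")
_ALLOW = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\w+)\s+(.+?)\s*;\s*$")


def load_perm_sets(spt_text):
    """Return {macro_name: frozenset of permissions} from define() lines."""
    sets = {}
    for m in _DEFINE.finditer(spt_text):
        sets[m.group(1)] = frozenset(m.group(2).split())
    return sets


def expand_allow(rule, perm_sets):
    """Parse one allow rule and return (source, target, class, sorted perms)
    with every permission-set macro replaced by its members. Tokens that are
    not macros are kept as literal permissions, so '{ r_file_perms write }'
    expands the way it would after m4 has run."""
    m = _ALLOW.match(rule)
    if m is None:
        raise ValueError(f"not an allow rule: {rule!r}")
    source, target, obj_class, perm_field = m.groups()
    perms = set()
    for token in perm_field.strip("{}").split():
        perms.update(perm_sets.get(token, {token}))
    return source, target, obj_class, sorted(perms)


def added_permissions(old_rule, new_rule, perm_sets):
    """Permissions new_rule grants that old_rule did not: the question to ask
    whenever a rule is widened from one macro to a broader one."""
    old = set(expand_allow(old_rule, perm_sets)[3])
    new = set(expand_allow(new_rule, perm_sets)[3])
    return sorted(new - old)


if __name__ == "__main__":
    sets = load_perm_sets(SAMPLE_SPT)
    print(expand_allow("allow user_t user_home_t:file rw_file_perms;", sets))
    print(added_permissions("allow user_t user_home_t:file rw_file_perms;",
                            "allow user_t user_home_t:file manage_file_perms;",
                            sets))
```

The added_permissions() helper is the useful part in review: changing rw_file_perms to manage_file_perms reads like a small edit, but the expansion shows it also grants create, unlink, rename, link and setattr.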

policy/users

This file is the same as the users file in the example policy, though it uses an interface (that is, a macro), gen_user(), to create the user statements; see the description in Chapter 11.


SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154