8.3 Flask-Related Declarations

The flask directory contains several files that are part of the SELinux policy:

- security_classes: Specifies the SELinux security classes.
- initial_sids: Specifies the initial SIDs.
- access_vectors: Specifies the permissions included in access vectors.

The following subsections explain the syntax of declarations residing in these files. Generally, only SELinux developers should change these declarations. However, administrators may find it helpful to understand these files and the declarations they contain.

8.3.1 Syntax of security_classes

The flask/security_classes file specifies the security classes handled by SELinux. Entries in the file have the syntax shown in Figure 8-10. A class declaration contains only the keyword class and an identifier giving the class name.

Figure 8-10. Flask class declaration

The example policy defines between two and three dozen classes. Here is a typical class declaration:

    class security

Appendix A summarizes the standard security object classes.

8.3.2 Syntax of initial_sids

The flask/initial_sids file specifies the symbols corresponding to initial SIDs. Entries in the file have the syntax shown in Figure 8-11, consisting of the keyword sid and an identifier naming the SID.

Figure 8-11. Flask initial SID declaration

The sample policy defines a few more than two dozen initial SIDs. A typical SID declaration follows:

    sid kernel

Note: Don't confuse the flask/initial_sids file and its sid declarations with the sid declarations residing in the initial_sid_contexts file. The former declarations include no security context, whereas the latter declarations do.

8.3.3 Syntax of access_vectors

The flask/access_vectors file specifies the form of SELinux access vectors. Declarations in the flask/access_vectors file have the forms given in Figures 8-12 and 8-13. The common declaration, shown in Figure 8-12, is used to define access vector components common to multiple classes. The sample policy includes several such declarations.

Figure 8-12. Common declaration

A typical common declaration is:

    common file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }

This declaration specifies the permissions associated with file-like objects.

A second type of declaration, class, specifies the permissions associated with a class. Figure 8-13 shows the related syntax. The sample policy specifies between two and three dozen sets of permissions, one for each class.

Figure 8-13. Access vector declaration

Within a class declaration, permissions can be enumerated directly, inherited from a common declaration, or both. For example, the class filesystem enumerates its permissions:

    class filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget }

The lnk_file class, on the other hand, inherits all its permissions from the common declaration named file:

    class lnk_file inherits file

The dir class both enumerates and inherits permissions:

    class dir inherits file { add_name remove_name reparent search rmdir }

Appendix B summarizes the operations that appear in SELinux access vectors.
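The following is an added example, written for this page rather than taken from the book or from the SELinux policy tools (checkpolicy is what actually compiles these files). It parses the three declaration forms described in sections 8.3.1 through 8.3.3 (class, sid, and common/class access vector declarations), resolves the inherits relationship so you can see the full permission set each class ends up with, and cross-checks the files against each other. The sample file contents are constructed from the declarations quoted above; the parser handles only the syntax shown on this page plus # comments, and the consistency rules it enforces are this example's own, not a statement of what checkpolicy checks.

```python
import re

# Constructed sample contents for the three flask/ files, built from the
# declarations quoted on this page (not a copy of any real policy tree).
SECURITY_CLASSES = """\
# flask/security_classes (sample)
class security
class filesystem
class lnk_file
class dir
"""

INITIAL_SIDS = """\
# flask/initial_sids (sample)
sid kernel
sid security
"""

ACCESS_VECTORS = """\
# flask/access_vectors (sample)
common file { ioctl read write create getattr setattr lock relabelfrom
              relabelto append unlink link rename execute swapon quotaon
              mounton }
class filesystem { mount remount unmount getattr relabelfrom relabelto
                   transition associate quotamod quotaget }
class lnk_file inherits file
class dir inherits file { add_name remove_name reparent search rmdir }
"""


def _strip_comments(text):
    return re.sub(r"#.*", "", text)


def _parse_simple(keyword, text):
    """Parse one-line 'KEYWORD name' declarations (security_classes, initial_sids)."""
    pattern = re.compile(r"^\s*%s\s+(\w+)\s*$" % keyword, re.MULTILINE)
    return pattern.findall(_strip_comments(text))


def parse_classes(text):
    return _parse_simple("class", text)


def parse_sids(text):
    return _parse_simple("sid", text)


def parse_access_vectors(text):
    """Parse 'common NAME { perms }' and 'class NAME [inherits COMMON] [{ perms }]'.

    Returns (commons, classes): commons maps name -> [perms]; classes maps
    name -> (inherited common or None, [own perms]).
    """
    tokens = re.findall(r"[{}]|[A-Za-z_]\w*", _strip_comments(text))
    commons, classes = {}, {}

    def read_block(i):
        # tokens[i] must be '{'; returns the permission list and the index after '}'
        if i >= len(tokens) or tokens[i] != "{":
            raise ValueError("expected '{' in access vector declaration")
        perms, i = [], i + 1
        while i < len(tokens) and tokens[i] != "}":
            perms.append(tokens[i])
            i += 1
        if i >= len(tokens):
            raise ValueError("unterminated permission block")
        return perms, i + 1

    i = 0
    while i < len(tokens):
        keyword = tokens[i]
        if keyword == "common":
            name = tokens[i + 1]
            perms, i = read_block(i + 2)
            commons[name] = perms
        elif keyword == "class":
            name, i = tokens[i + 1], i + 2
            parent, perms = None, []
            if i < len(tokens) and tokens[i] == "inherits":
                parent, i = tokens[i + 1], i + 2
            if i < len(tokens) and tokens[i] == "{":
                perms, i = read_block(i)
            classes[name] = (parent, perms)
        else:
            raise ValueError("unexpected token %r" % keyword)
    return commons, classes


def effective_permissions(commons, classes):
    """Resolve inheritance: a class's access vector is its common's
    permissions (if any) followed by its own enumerated permissions."""
    result = {}
    for name, (parent, own) in classes.items():
        inherited = commons[parent] if parent else []
        result[name] = inherited + [p for p in own if p not in inherited]
    return result


def check_consistency(class_names, commons, classes):
    """Cross-check the files (this example's own rules): every class with an
    access vector must be declared in security_classes, every inherited
    common must exist, and every declared class should have an access vector."""
    problems = []
    declared = set(class_names)
    for name, (parent, _) in classes.items():
        if name not in declared:
            problems.append("class %s has an access vector but no class declaration" % name)
        if parent is not None and parent not in commons:
            problems.append("class %s inherits undeclared common %s" % (name, parent))
    for name in sorted(declared - set(classes)):
        problems.append("class %s is declared but has no access vector" % name)
    return problems


if __name__ == "__main__":
    commons, classes = parse_access_vectors(ACCESS_VECTORS)
    for cls, perms in effective_permissions(commons, classes).items():
        print("%-12s %2d permissions: %s" % (cls, len(perms), " ".join(perms)))
    for problem in check_consistency(parse_classes(SECURITY_CLASSES), commons, classes):
        print("problem:", problem)
```

Running it shows that dir ends up with the 17 permissions of the common file plus its own 5, that lnk_file carries exactly the common's permissions, and that the sample security_classes declares a security class for which the sample access_vectors defines no access vector, which is the kind of mismatch between the three files worth catching before a policy build.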