mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-14 01:54:42 +00:00
36f62b78f1
Since the secilc compiler is independent of libsepol, move secilc out of libsepol. Linke secilc dynamically rather than statically with libsepol. - Move secilc source, test policies, docs, and secilc manpage to secilc directory. - Remove unneeded Makefile from libsepol/cil. To build secilc, run make in the secilc directory. - Add target to install the secilc binary to /usr/bin/. - Create an Android makefile for secilc and move secilc out of libsepol Android makefile. - Add cil_set_mls to libsepol public API as it is needed by secilc. - Remove policy.conf from testing since it is no longer used. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
228 lines
11 KiB
XML
228 lines
11 KiB
XML
<!-- Common Interface Language (CIL) Reference Guide -->
|
|
<!-- xen_statements.xml -->
|
|
|
|
<sect1>
|
|
<title>Xen Statements</title>
|
|
<para>Policy version 30 introduced the <literal><link linkend="devicetreecon">devicetreecon</link></literal> statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (32-bit count of 4K pages).</para>
|
|
<para>See the <ulink url="http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt">"XSM/FLASK Configuration"</ulink> document for further information (<ulink url="http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt"></ulink>)</para>
|
|
<sect2 id="iomemcon">
|
|
<title>iomemcon</title>
|
|
<para>Label i/o memory. This may be a single memory location or a range.</para>
|
|
<para><emphasis role="bold">Statement definition:</emphasis></para>
|
|
<programlisting><![CDATA[(iomemcon mem_addr|(mem_low mem_high) context_id)]]></programlisting>
|
|
<para><emphasis role="bold">Where:</emphasis></para>
|
|
<informaltable frame="all">
|
|
<tgroup cols="2">
|
|
<colspec colwidth="2 *"/>
|
|
<colspec colwidth="6 *"/>
|
|
<tbody>
|
|
<row>
|
|
<entry>
|
|
<para><literal>iomemcon</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>iomemcon</literal> keyword.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>mem_addr |</literal></para>
|
|
<para><literal>(mem_low mem_high)</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A single memory address to apply the context, or a range of addresses.</para>
|
|
<para>The entries must consist of numerics <literal>[0-9]</literal>.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>context_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
|
|
</entry>
|
|
</row>
|
|
</tbody></tgroup>
|
|
</informaltable>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
<para>An anonymous context for a memory address range of <literal>0xfebe0-0xfebff</literal>:</para>
|
|
<programlisting><![CDATA[(iomemcon (1043424 1043455) (unconfined.user object_r unconfined.object low_low))]]></programlisting>
|
|
</sect2>
|
|
|
|
<sect2 id="ioportcon">
|
|
<title>ioportcon</title>
|
|
<para>Label i/o ports. This may be a single port or a range.</para>
|
|
<para><emphasis role="bold">Statement definition:</emphasis></para>
|
|
<programlisting><![CDATA[(ioportcon port|(port_low port_high) context_id)]]></programlisting>
|
|
<para><emphasis role="bold">Where:</emphasis></para>
|
|
<informaltable frame="all">
|
|
<tgroup cols="2">
|
|
<colspec colwidth="2.25 *"/>
|
|
<colspec colwidth="6 *"/>
|
|
<tbody>
|
|
<row>
|
|
<entry>
|
|
<para><literal>ioportcon</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>ioportcon</literal> keyword.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>port |</literal></para>
|
|
<para><literal>(port_low port_high)</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A single port to apply the context, or a range of ports.</para>
|
|
<para>The entries must consist of numerics <literal>[0-9]</literal>.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>context_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
|
|
</entry>
|
|
</row>
|
|
</tbody></tgroup>
|
|
</informaltable>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
<para>An anonymous context for a single port of :<literal>0xecc0</literal>:</para>
|
|
<programlisting><![CDATA[(ioportcon 60608 (unconfined.user object_r unconfined.object low_low))]]></programlisting>
|
|
</sect2>
|
|
|
|
<sect2 id="pcidevicecon">
|
|
<title>pcidevicecon</title>
|
|
<para>Label a PCI device.</para>
|
|
<para><emphasis role="bold">Statement definition:</emphasis></para>
|
|
<programlisting><![CDATA[(pcidevicecon device context_id)]]></programlisting>
|
|
<para><emphasis role="bold">Where:</emphasis></para>
|
|
<informaltable frame="all">
|
|
<tgroup cols="2">
|
|
<colspec colwidth="2 *"/>
|
|
<colspec colwidth="6 *"/>
|
|
<tbody>
|
|
<row>
|
|
<entry>
|
|
<para><literal>pcidevicecon</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>pcidevicecon</literal> keyword.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>device</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The device number.The entries must consist of numerics <literal>[0-9]</literal>.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>context_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
|
|
</entry>
|
|
</row>
|
|
</tbody></tgroup>
|
|
</informaltable>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
<para>An anonymous context for a pci device address of <literal>0xc800</literal>:</para>
|
|
<programlisting><![CDATA[(pcidevicecon 51200 (unconfined.user object_r unconfined.object low_low))]]></programlisting>
|
|
</sect2>
|
|
|
|
<sect2 id="pirqcon">
|
|
<title>pirqcon</title>
|
|
<para>Label an interrupt level.</para>
|
|
<para><emphasis role="bold">Statement definition:</emphasis></para>
|
|
<programlisting><![CDATA[(pirqcon irq_level context_id)]]></programlisting>
|
|
<para><emphasis role="bold">Where:</emphasis></para>
|
|
<informaltable frame="all">
|
|
<tgroup cols="2">
|
|
<colspec colwidth="2 *"/>
|
|
<colspec colwidth="6 *"/>
|
|
<tbody>
|
|
<row>
|
|
<entry>
|
|
<para><literal>pirqcon</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>pirqcon</literal> keyword.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>irq_level</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The interrupt request number. The entries must consist of numerics <literal>[0-9]</literal>.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>context_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
|
|
</entry>
|
|
</row>
|
|
</tbody></tgroup>
|
|
</informaltable>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
<para>An anonymous context for IRQ 33:</para>
|
|
<programlisting><![CDATA[(pirqcon 33 (unconfined.user object_r unconfined.object low_low))]]></programlisting>
|
|
</sect2>
|
|
|
|
<sect2 id="devicetreecon">
|
|
<title>devicetreecon</title>
|
|
<para>Label device tree nodes.</para>
|
|
<para><emphasis role="bold">Statement definition:</emphasis></para>
|
|
<programlisting><![CDATA[(devicetreecon path context_id)]]></programlisting>
|
|
<para><emphasis role="bold">Where:</emphasis></para>
|
|
<informaltable frame="all">
|
|
<tgroup cols="2">
|
|
<colspec colwidth="2 *"/>
|
|
<colspec colwidth="6 *"/>
|
|
<tbody>
|
|
<row>
|
|
<entry>
|
|
<para><literal>devicetreecon</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>devicetreecon</literal> keyword.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>path</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The device tree path. If this contains spaces enclose within <literal>""</literal>.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>context_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
|
|
</entry>
|
|
</row>
|
|
</tbody></tgroup>
|
|
</informaltable>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
<para>An anonymous context for the specified path:</para>
|
|
<programlisting><![CDATA[(devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low))]]></programlisting>
|
|
</sect2>
|
|
|
|
</sect1>
|