selinux/secilc/docs/cil_file_labeling_statements.md
Yuli Khodorkovskiy 12c7dfc553 secilc/docs: Convert DocBook documentation into github markdown
Converting to github markdown allows for easier integration with the
SELinux project wiki and viewing of documentation directly on github without
creating PDFs or reading through DocBook XML.

The conversion of DocBook to github markdown would not format tables or
keyword links properly. By maintaining the documentation in github
markdown in the repository, the content is well formatted with a table of
contents when viewing in the github wiki or in the repository.

The migration from DocBook to github markdown was done using Pandoc and
manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook
conversion were added back. An introduction and design philosphy was
also pulled from the SELinux project wiki to provide more cohesion
to the current documentation.

Running make will now convert the github markdown into PDF and HTML.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 16:18:34 -05:00

8.0 KiB
Raw Blame History

File Labeling Statements

filecon

Define entries for labeling files. The compiler will produce these entries in a file called file_contexts(5) by default in the cwd. The compiler option [-f|--filecontext <filename>] may be used to specify a different path or file name.

Statement definition:

(filecon "path" file_type context_id)

Where:

filecon

The filecon keyword.

path

A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. "/this/is/a/path(/.*)?")

file_type

A single keyword representing a file type in the file_contexts file as follows:

keyword

file_contexts entry

file

--

dir

-d

char

-c

block

-b

socket

-s

pipe

-p

symlink

-l

any

no entry

context_id

The security context to be allocated to the file, which may be:

  • A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

  • An empty context list represented by () can be used to indicate that matching files should not be re-labeled. This will be interpreted as <<none>> within the file_contexts(5) file.

Examples:

These examples use one named, one anonymous and one empty context definition:

(context runas_exec_context (u object_r exec low_low))

(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())

to resolve/build file_contexts entries of (assuming MLS enabled policy):

/system/bin/run-as  -- u:object_r:runas.exec:s0
/dev/socket/wpa_wlan[0-9]   u:object_r:wpa.socket:s0
/data/local/mine -d <<none>>

fsuse

Label filesystems that support SELinux security contexts.

Statement definition:

(fsuse fstype fsname context_id)

Where:

fsuse

The fsuse keyword.

fstype

A single keyword representing the type of filesystem as follows:

  • task - For pseudo filesystems supporting task related services such as pipes and sockets.

  • trans - For pseudo filesystems such as pseudo terminals and temporary objects.

  • xattr - Filesystems supporting the extended attribute security.selinux. The labeling is persistent for filesystems that support extended attributes.

fsname

Name of the supported filesystem (e.g. ext4 or pipefs).

context_id

The security context to be allocated to the network interface.

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

Examples:

The context identifiers are declared in the file namespace and the fsuse statements in the global namespace:

(block file
    (type labeledfs)
    (roletype object_r labeledfs)
    (context labeledfs_context (u object_r labeledfs low_low))

    (type pipefs)
    (roletype object_r pipefs)
    (context pipefs_context (u object_r pipefs low_low))
    ...
)

(fsuse xattr ex4 file.labeledfs_context)
(fsuse xattr btrfs file.labeledfs_context)

(fsuse task pipefs file.pipefs_context)
(fsuse task sockfs file.sockfs_context)

(fsuse trans devpts file.devpts_context)
(fsuse trans tmpfs file.tmpfs_context)

genfscon

Used to allocate a security context to filesystems that cannot support any of the fsuse file labeling options. Generally a filesystem would have a single default security context assigned by genfscon from the root (/) that would then be inherited by all files and directories on that filesystem. The exception to this is the /proc filesystem, where directories can be labeled with a specific security context (as shown in the examples).

Statement definition:

(genfscon fsname path context_id)

Where:

genfscon

The genfscon keyword.

fsname

Name of the supported filesystem (e.g. rootfs or proc).

path

If fsname is proc, then the partial path (see examples). For all other types this must be /.

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

Examples:

The context identifiers are declared in the file namespace and the genfscon statements are then inserted using the in container statement:

(file
    (type rootfs)
    (roletype object_r rootfs)
    (context rootfs_context (u object_r rootfs low_low))

    (type proc)
    (roletype object_r proc)
    (context rootfs_context (u object_r proc low_low))
    ...
)

(in file
    (genfscon rootfs / rootfs_context)
    ; proc labeling can be further refined (longest matching prefix).
    (genfscon proc / proc_context)
    (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
    (genfscon proc /sysrq-trigger sysrq_proc_context)
    (genfscon selinuxfs / selinuxfs_context)
)