RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2024-12-12 17:15:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
b300d3d43a
selinux/secilc/docs/cil_file_labeling_statements.xml
Yuli Khodorkovskiy 36f62b78f1 libsepol: Move secilc out of libsepol 
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.

- Move secilc source, test policies, docs, and secilc manpage to secilc
  directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
  in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
  Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-03-31 12:31:38 -04:00

303 lines
15 KiB
XML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!-- Common Interface Language (CIL) Reference Guide -->
<!-- file_labeling_statements.xml -->
<sect1>
<title>File Labeling Statements</title>
<sect2 id="filecon">
<title>filecon</title>
<para>Define entries for labeling files. The compiler will produce these entries in a file called <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> by default in the <literal>cwd</literal>. The compiler option <literal>[-f|--filecontext &lt;filename>]</literal> may be used to specify a different path or file name.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(filecon "path" file_type context_id)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>filecon</literal></para>
</entry>
<entry>
<para>The <literal>filecon</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>path</literal></para>
</entry>
<entry>
<para>A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. <literal>"/this/is/a/path(/.*)?"</literal>)</para>
</entry>
</row>
<row>
<entry>
<para><literal>file_type</literal></para>
</entry>
<entry>
<para>A single keyword representing a file type in the <literal>file_contexts</literal> file as follows:</para>
<para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="1 in"/>
<colspec colwidth="1.25 in"/>
<tbody>
<row>
<entry>
<para><emphasis role="bold">keyword</emphasis></para>
</entry>
<entry>
<para><emphasis role="bold">file_contexts entry</emphasis></para>
</entry>
</row>
<row>
<entry>
<para><literal>file</literal></para>
</entry>
<entry>
<para><literal>--</literal></para>
</entry>
</row>
<row>
<entry>
<para><literal>dir</literal></para>
</entry>
<entry>
<para><literal>-d</literal></para>
</entry>
</row>
<row>
<entry>
<para><literal>char</literal></para>
</entry>
<entry>
<para><literal>-c</literal></para>
</entry>
</row>
<row>
<entry>
<para><literal>block</literal></para>
</entry>
<entry>
<para><literal>-b</literal></para>
</entry>
</row>
<row>
<entry>
<para><literal>socket</literal></para>
</entry>
<entry>
<para><literal>-s</literal></para>
</entry>
</row>
<row>
<entry>
<para><literal>pipe</literal></para>
</entry>
<entry>
<para><literal>-p</literal></para>
</entry>
</row>
<row>
<entry>
<para><literal>symlink</literal></para>
</entry>
<entry>
<para><literal>-l</literal></para>
</entry>
</row>
<row>
<entry>
<para><literal>any</literal></para>
</entry>
<entry>
<para>no entry</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
</para>
</entry>
</row>
<row>
<entry>
<para><literal>context_id</literal></para>
</entry>
<entry>
<para>The security context to be allocated to the file, which may be:</para>
<itemizedlist>
<listitem><para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para></listitem>
<listitem><para>An empty context list represented by <literal>()</literal> can be used to indicate that matching files should not be re-labeled. This will be interpreted as <literal>&lt;&lt;none>></literal> within the <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> file.</para></listitem>
</itemizedlist>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Examples:</emphasis></para>
<para>These examples use one named, one anonymous and one empty context definition:</para>
<programlisting><![CDATA[
(context runas_exec_context (u object_r exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())]]>
</programlisting>
<simpara>to resolve/build <literal>file_contexts</literal> entries of (assuming MLS enabled policy):</simpara>
<programlisting><![CDATA[
/system/bin/run-as -- u:object_r:runas.exec:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa.socket:s0
/data/local/mine -d <<none>>]]>
</programlisting>
</sect2>
<sect2 id="fsuse">
<title>fsuse</title>
<para>Label filesystems that support SELinux security contexts.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(fsuse fstype fsname context_id)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>fsuse</literal></para>
</entry>
<entry>
<para>The <literal>fsuse</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>fstype</literal></para>
</entry>
<entry>
<para>A single keyword representing the type of filesystem as follows:</para>
<itemizedlist mark="none">
<listitem><simpara><literal>task</literal> - For pseudo filesystems supporting task related services such as pipes and sockets.</simpara></listitem>
<listitem><simpara><literal>trans</literal> - For pseudo filesystems such as pseudo terminals and temporary objects.</simpara></listitem>
<listitem><simpara><literal>xattr</literal> - Filesystems supporting the extended attribute <literal>security.selinux</literal>. The labeling is persistent for filesystems that support extended attributes.</simpara></listitem>
</itemizedlist>
</entry>
</row>
<row>
<entry>
<para><literal>fsname</literal></para>
</entry>
<entry>
<para>Name of the supported filesystem (e.g. <literal>ext4</literal> or <literal>pipefs</literal>).</para>
</entry>
</row>
<row>
<entry>
<para><literal>context_id</literal></para>
</entry>
<entry>
<para>The security context to be allocated to the network interface.</para>
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Examples:</emphasis></para>
<para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>fsuse</literal> statements in the global namespace:</para>
<programlisting><![CDATA[
(block file
(type labeledfs)
(roletype object_r labeledfs)
(context labeledfs_context (u object_r labeledfs low_low))
(type pipefs)
(roletype object_r pipefs)
(context pipefs_context (u object_r pipefs low_low))
...
)
(fsuse xattr ex4 file.labeledfs_context)
(fsuse xattr btrfs file.labeledfs_context)
(fsuse task pipefs file.pipefs_context)
(fsuse task sockfs file.sockfs_context)
(fsuse trans devpts file.devpts_context)
(fsuse trans tmpfs file.tmpfs_context)]]>
</programlisting>
</sect2>
<sect2 id="genfscon">
<title>genfscon</title>
<para>Used to allocate a security context to filesystems that cannot support any of the <literal><link linkend="fsuse">fsuse</link></literal> file labeling options. Generally a filesystem would have a single default security context assigned by <literal>genfscon</literal> from the root <literal>(/)</literal> that would then be inherited by all files and directories on that filesystem. The exception to this is the <literal>/proc</literal> filesystem, where directories can be labeled with a specific security context (as shown in the examples).</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(genfscon fsname path context_id)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>genfscon</literal></para>
</entry>
<entry>
<para>The <literal>genfscon</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>fsname</literal></para>
</entry>
<entry>
<para>Name of the supported filesystem (e.g. <literal>rootfs</literal> or <literal>proc</literal>).</para>
</entry>
</row>
<row>
<entry>
<para><literal>path</literal></para>
</entry>
<entry>
<para>If <literal>fsname</literal> is <literal>proc</literal>, then the partial path (see examples). For all other types this must be <literal>/</literal>.</para>
</entry>
</row>
<row>
<entry>
<para><literal>context_id</literal></para>
</entry>
<entry>
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Examples:</emphasis></para>
<para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>genfscon</literal> statements are then inserted using the <literal><link linkend="in">in</link></literal> container statement:</para>
<programlisting><![CDATA[
(file
(type rootfs)
(roletype object_r rootfs)
(context rootfs_context (u object_r rootfs low_low))
(type proc)
(roletype object_r proc)
(context rootfs_context (u object_r proc low_low))
...
)
(in file
(genfscon rootfs / rootfs_context)
; proc labeling can be further refined (longest matching prefix).
(genfscon proc / proc_context)
(genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
(genfscon proc /sysrq-trigger sysrq_proc_context)
(genfscon selinuxfs / selinuxfs_context)
)]]>
</programlisting>
</sect2>
</sect1>
Reference in New Issue View Git Blame Copy Permalink