mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-12 17:15:00 +00:00
36f62b78f1
Since the secilc compiler is independent of libsepol, move secilc out of libsepol. Linke secilc dynamically rather than statically with libsepol. - Move secilc source, test policies, docs, and secilc manpage to secilc directory. - Remove unneeded Makefile from libsepol/cil. To build secilc, run make in the secilc directory. - Add target to install the secilc binary to /usr/bin/. - Create an Android makefile for secilc and move secilc out of libsepol Android makefile. - Add cil_set_mls to libsepol public API as it is needed by secilc. - Remove policy.conf from testing since it is no longer used. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
143 lines
5.6 KiB
XML
143 lines
5.6 KiB
XML
<!-- Common Interface Language (CIL) Reference Guide -->
|
|
<!-- sid_statements.xml -->
|
|
|
|
<sect1>
|
|
<title>SID Statements</title>
|
|
<sect2 id="sid">
|
|
<title>sid</title>
|
|
<para>Declares a new SID identifier in the current namespace.</para>
|
|
<para><emphasis role="bold">Statement definition:</emphasis></para>
|
|
<programlisting><![CDATA[(sid sid_id)]]></programlisting>
|
|
<para><emphasis role="bold">Where:</emphasis></para>
|
|
<informaltable frame="all">
|
|
<tgroup cols="2">
|
|
<colspec colwidth="2 *"/>
|
|
<colspec colwidth="6 *"/>
|
|
<tbody>
|
|
<row>
|
|
<entry>
|
|
<para><literal>sid</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>sid</literal> keyword.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>sid_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>sid</literal> identifier.</para>
|
|
</entry>
|
|
</row>
|
|
</tbody></tgroup>
|
|
</informaltable>
|
|
|
|
<para><emphasis role="bold">Examples:</emphasis></para>
|
|
<para>These examples show three <literal>sid</literal> declarations:</para>
|
|
<programlisting><![CDATA[
|
|
(sid kernel)
|
|
(sid security)
|
|
(sid igmp_packet)]]>
|
|
</programlisting>
|
|
</sect2>
|
|
|
|
<sect2 id="sidorder">
|
|
<title>sidorder</title>
|
|
<para>Defines the order of <link linkend="sid">sid</link>'s. This is a mandatory statement when SIDs are defined. Multiple <literal>sidorder</literal> statements declared in the policy will form an ordered list.</para>
|
|
<para><emphasis role="bold">Statement definition:</emphasis></para>
|
|
<programlisting><![CDATA[(sidorder (sid_id ...))]]></programlisting>
|
|
<para><emphasis role="bold">Where:</emphasis></para>
|
|
<informaltable frame="all">
|
|
<tgroup cols="2">
|
|
<colspec colwidth="2 *"/>
|
|
<colspec colwidth="6 *"/>
|
|
<tbody>
|
|
<row>
|
|
<entry>
|
|
<para><literal>sidorder</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>sidorder</literal> keyword.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>sid_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>One or more <literal><link linkend="sid">sid</link></literal> identifiers.</para>
|
|
</entry>
|
|
</row>
|
|
</tbody></tgroup>
|
|
</informaltable>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
<para>This will produce an ordered list of "<literal>kernel security unlabeled</literal>"</para>
|
|
<programlisting><![CDATA[
|
|
(sid kernel)
|
|
(sid security)
|
|
(sid unlabeled)
|
|
(sidorder (kernel security))
|
|
(sidorder (security unlabeled))]]>
|
|
</programlisting>
|
|
</sect2>
|
|
|
|
<sect2 id="sidcontext">
|
|
<title>sidcontext</title>
|
|
<para>Associates an SELinux security <link linkend="context">context</link> to a previously declared <literal><link linkend="sid">sid</link></literal> identifier.</para>
|
|
<para><emphasis role="bold">Statement definition:</emphasis></para>
|
|
<programlisting><![CDATA[(sidcontext sid_id context_id)]]></programlisting>
|
|
<para><emphasis role="bold">Where:</emphasis></para>
|
|
<informaltable frame="all">
|
|
<tgroup cols="2">
|
|
<colspec colwidth="2 *"/>
|
|
<colspec colwidth="6 *"/>
|
|
<tbody>
|
|
<row>
|
|
<entry>
|
|
<para><literal>sidcontext</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>The <literal>sidcontext</literal> keyword.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>sid_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A single previously declared <literal><link linkend="sid">sid</link></literal> identifier.</para>
|
|
</entry>
|
|
</row>
|
|
<row>
|
|
<entry>
|
|
<para><literal>context_id</literal></para>
|
|
</entry>
|
|
<entry>
|
|
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
|
|
</entry>
|
|
</row>
|
|
</tbody></tgroup>
|
|
</informaltable>
|
|
|
|
<para><emphasis role="bold">Examples:</emphasis></para>
|
|
<para>This shows two named security context examples plus an anonymous context:</para>
|
|
<programlisting><![CDATA[
|
|
; Two named context:
|
|
(sid kernel)
|
|
(context kernel_context (u r process low_low))
|
|
(sidcontext kernel kernel_context)
|
|
|
|
(sid security)
|
|
(context security_context (u object_r process low_low))
|
|
(sidcontext security security_context)
|
|
|
|
; An anonymous context:
|
|
(sid unlabeled)
|
|
(sidcontext unlabeled (u object_r ((s0) (s0))))]]>
|
|
</programlisting>
|
|
</sect2>
|
|
|
|
</sect1>
|