selinux/secilc/docs/cil_sid_statements.xml
Yuli Khodorkovskiy 36f62b78f1 libsepol: Move secilc out of libsepol
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.

- Move secilc source, test policies, docs, and secilc manpage to secilc
  directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
  in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
  Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-03-31 12:31:38 -04:00

143 lines
5.6 KiB
XML

<!-- Common Interface Language (CIL) Reference Guide -->
<!-- sid_statements.xml -->
<sect1>
<title>SID Statements</title>
<sect2 id="sid">
<title>sid</title>
<para>Declares a new SID identifier in the current namespace.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(sid sid_id)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>sid</literal></para>
</entry>
<entry>
<para>The <literal>sid</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>sid_id</literal></para>
</entry>
<entry>
<para>The <literal>sid</literal> identifier.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Examples:</emphasis></para>
<para>These examples show three <literal>sid</literal> declarations:</para>
<programlisting><![CDATA[
(sid kernel)
(sid security)
(sid igmp_packet)]]>
</programlisting>
</sect2>
<sect2 id="sidorder">
<title>sidorder</title>
<para>Defines the order of <link linkend="sid">sid</link>'s. This is a mandatory statement when SIDs are defined. Multiple <literal>sidorder</literal> statements declared in the policy will form an ordered list.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(sidorder (sid_id ...))]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>sidorder</literal></para>
</entry>
<entry>
<para>The <literal>sidorder</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>sid_id</literal></para>
</entry>
<entry>
<para>One or more <literal><link linkend="sid">sid</link></literal> identifiers.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Example:</emphasis></para>
<para>This will produce an ordered list of "<literal>kernel security unlabeled</literal>"</para>
<programlisting><![CDATA[
(sid kernel)
(sid security)
(sid unlabeled)
(sidorder (kernel security))
(sidorder (security unlabeled))]]>
</programlisting>
</sect2>
<sect2 id="sidcontext">
<title>sidcontext</title>
<para>Associates an SELinux security <link linkend="context">context</link> to a previously declared <literal><link linkend="sid">sid</link></literal> identifier.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(sidcontext sid_id context_id)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>sidcontext</literal></para>
</entry>
<entry>
<para>The <literal>sidcontext</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>sid_id</literal></para>
</entry>
<entry>
<para>A single previously declared <literal><link linkend="sid">sid</link></literal> identifier.</para>
</entry>
</row>
<row>
<entry>
<para><literal>context_id</literal></para>
</entry>
<entry>
<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Examples:</emphasis></para>
<para>This shows two named security context examples plus an anonymous context:</para>
<programlisting><![CDATA[
; Two named context:
(sid kernel)
(context kernel_context (u r process low_low))
(sidcontext kernel kernel_context)
(sid security)
(context security_context (u object_r process low_low))
(sidcontext security security_context)
; An anonymous context:
(sid unlabeled)
(sidcontext unlabeled (u object_r ((s0) (s0))))]]>
</programlisting>
</sect2>
</sect1>