selinux/secilc/docs/cil_sid_statements.md

SID Statements

sid

Declares a new SID identifier in the current namespace.

Statement definition:

    (sid sid_id)

Where:

sid

The sid keyword.

sid_id

The sid identifier.

Examples:

These examples show three sid declarations:

    (sid kernel)
    (sid security)
    (sid igmp_packet)

sidorder

Defines the order of SIDs. This statement is mandatory whenever SIDs are declared. When several sidorder statements appear in the policy, they are merged into a single ordered list.

Statement definition:

    (sidorder (sid_id ...))

Where:

sidorder

The sidorder keyword.

sid_id

One or more sid identifiers.

Example:

This will produce an ordered list of "kernel security unlabeled":

    (sid kernel)
    (sid security)
    (sid unlabeled)
    (sidorder (kernel security))
    (sidorder (security unlabeled))

sidcontext

Associates an SELinux security context to a previously declared sid identifier.

Statement definition:

    (sidcontext sid_id context_id)

Where:

sidcontext

The sidcontext keyword.

sid_id

A single previously declared sid identifier.

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange). The range MUST be defined whether or not the policy is MLS/MCS enabled.

Examples:

This shows two named security context examples plus an anonymous context:

    ; Two named contexts:
    (sid kernel)
    (context kernel_context (u r process low_low))
    (sidcontext kernel kernel_context)

    (sid security)
    (context security_context (u object_r process low_low))
    (sidcontext security security_context)

    ; An anonymous context:
    (sid unlabeled)
    (sidcontext unlabeled (u object_r ((s0) (s0))))
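The fragments above only show the SID statements themselves; they will not compile on their own because the user, role, type, level and class identifiers they reference are never declared. The following is an added, self-contained example (not taken from the secilc docs or the project's own test policies) that pulls the three statements together into a minimal policy secilc can build. Every identifier in it (u, r, kernel_t, low_low, c0 and so on) and the choice of `(mls true)` and `(handleunknown allow)` are assumptions made for illustration; the only requirement the page states is that each sidcontext carries a range. The sidorder determines the position of each SID in the compiled policy, so in a real policy its order must match what the kernel expects, with kernel first.

```cil
; Added example: minimal CIL policy exercising sid, sidorder and sidcontext.
; All names below are assumed for illustration, not taken from the docs.
(handleunknown allow)
(mls true)

; At least one class and a classorder are needed for a compilable policy.
(class process (fork transition))
(classorder (process))

; MLS sensitivities and categories: every context carries a levelrange,
; so these must exist even though the example does not use categories.
(sensitivity s0)
(sensitivityorder (s0))
(category c0)
(categoryorder (c0))
(sensitivitycategory s0 (c0))
(level low (s0))
(levelrange low_low (low low))

; A user, two roles and a type. The context validation done at build time
; requires the user->role and role->type associations (object_r is exempt),
; and an MLS user needs a default level and a range that contains the
; context ranges assigned below.
(type kernel_t)
(role r)
(role object_r)
(roletype r kernel_t)
(user u)
(userrole u r)
(userrole u object_r)
(userlevel u low)
(userrange u low_low)

; SID declarations. The sidorder statement is mandatory once SIDs exist.
(sid kernel)
(sid security)
(sid unlabeled)
(sidorder (kernel security unlabeled))

; Two SIDs use named contexts, the third an anonymous context.
; The anonymous range ((s0) (s0)) is equivalent to low_low here.
(context kernel_context (u r kernel_t low_low))
(sidcontext kernel kernel_context)

(context security_context (u object_r kernel_t low_low))
(sidcontext security security_context)

(sidcontext unlabeled (u object_r kernel_t ((s0) (s0))))
```

Saving this as `example.cil` and running `secilc example.cil` produces a binary policy file in the current directory. A useful check while editing the SID section of a real policy is to remove the sidorder line and rebuild: the compiler rejects the policy, which confirms the statement is mandatory rather than advisory.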