From patchwork Fri Aug 7 15:17:22 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11705817
X-Patchwork-Delegate: paul@paul-moore.com
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH] selinux-notebook: kernel_policy_language.md convert to markdown Date: Fri, 7 Aug 2020 16:17:22 +0100 Message-Id: <20200807151722.12114-1-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert HTML tables to either pipe tables or markdown unordered lists. Signed-off-by: Richard Haines --- src/kernel_policy_language.md | 1016 ++++++--------------------------- 1 file changed, 182 insertions(+), 834 deletions(-) diff --git a/src/kernel_policy_language.md b/src/kernel_policy_language.md index a4118f9..921c7d0 100644 --- a/src/kernel_policy_language.md +++ b/src/kernel_policy_language.md @@ -1,7 +1,14 @@ # Kernel Policy Language +- [Policy Source Files](#policy-source-files) +- [Conditional, Optional and Require Statement Rules](#conditional-optional-and-require-statement-rules) +- [MLS Statements and Optional MLS Components](#mls-statements-and-optional-mls-components) +- [General Statement Information](#general-statement-information) +- [Policy Language Index](#policy-language-index) + This section covers the policy source file types and what kernel policy -statements and rule are allowed in each. The [**Section Contents**](#section-contents) +statements and rule are allowed in each. The +[**Policy Language Index**](#policy-language-index) then has links to each section within this document. ## Policy Source Files 
@@ -12,7 +19,7 @@ are: **Monolithic Policy** - This is a single policy source file that contains all statements. By convention this file is called policy.conf -and is compiled using the **checkpolicy**(8) command that produces the +and is compiled using the ***checkpolicy**(8)* command that produces the binary policy file. **Base Policy** - This is the mandatory base policy source file that @@ -33,176 +40,70 @@ extension. These files are compiled using the ***checkmodule**(8)* command. appear in source files with the mandatory statements that must be present. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Base EntriesM/OModule EntriesM/O
Security Classes (class)mmodule Statemento
Initial SIDsm
Access Vectors (permissions)mrequire Statemento
MLS sensitivity, category and level Statementso
MLS Constraintso
Policy Capability Statementso
AttributesoAttributeso
BooleansoBooleanso
Default user, role, type, range ruleso
Type / Type AliasmType / Type Aliaso
RolesmRoleso
Policy RulesmPolicy Ruleso
UsersmUserso
Constraintso
Default SID labelingm
fs_use_xattr Statementso
fs_use_task and fs_use_trans Statementso
genfscon Statementso
portcon, netifcon and nodecon Statementso
- -**Table 1: Base and Module Policy Statements** -*There must be at least one +| Base Entries | M/O | +| :--------------------------------------------- | :-: | +| Security Classes (class) | m | +| Initial SIDs | m | +| Access Vectors (permissions) | m | +| require Statement | o | +| MLS sensitivity, category and level Statements | o | +| MLS Constraints | m | +| Policy Capability Statements | o | +| Attributes | o | +| Booleans | o | +| Default user, role, type, range rules | o | +| Type / Type Alias | m | +| Roles | m | +| Policy Rules (allow, dontaudit etc.) | m | +| Users | m | +| Constraints | o | +| Default SID labeling | m | +| fs_use_xattr Statements | o | +| fs_use_task and fs_use_trans Statements | o | +| genfscon Statements | o | +| portcon, netifcon and nodecon Statements | o | + +| Module Entries | M/O | +| :---------------- | :-: | +| module Statement | m | +| require Statement | o | +| Attributes | o | +| Booleans | o | +| Type / Type Alias | o | +| Roles | o | +| Policy Rules | o | +| Users | o | + +**Table 1: Base and Module Policy Statements** - *There must be at least one of each of the mandatory statements, plus at least one allow rule in a policy to successfully build.* The language grammar defines what statements and rules can be used within the different types of source file. To highlight these rules, the following table is included in each statement and rule section to show -what circumstances each one is valid within a policy source file: - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
Yes/NoYes/NoYes/No
- -Where: - - - - - - - - - - - - - - - - -
Monolithic PolicyWhether the statement is allowed within a monolithic policy source file or not.
Base PolicyWhether the statement is allowed within a base (for loadable module support) policy source file or not.
Module PolicyWhether the statement is allowed within the optional loadable module policy source file or not.
- -**Table 3** shows a cross reference matrix of statements -and rules allowed in each type of policy source file. +what circumstances each one is valid within a policy source file. + +**Policy Type**: + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes/No | Yes/No | Yes/No | + +**Where:** + +*Monolithic Policy* + +- Whether the statement is allowed within a monolithic policy source file or not. + +*Base Policy* + +- Whether the statement is allowed within a base (for loadable module support) + policy source file or not. + +*Module Policy* + +- Whether the statement is allowed within the optional loadable module policy + source file or not. ## Conditional, Optional and Require Statement Rules @@ -221,42 +122,27 @@ To highlight these rules the following table is included in each statement and rule section to show what circumstances each one is valid within a policy source file: - - - - - - - - - - - - - -
Conditional Policy if Statementoptional Statementrequire Statement
Yes/NoYes/NoYes/No
- -Where: - - - - - - - - - - - - - - - - -
Conditional Policy (if) StatementWhether the statement is allowed within a conditional statement (if/else construct). Conditional statements can be in all types of policy source file.
optional StatementWhether the statement is allowed within the optional { rule_list } construct.
require StatementWhether the statement is allowed within the require { rule_list } construct.
- -**Table 3** shows a cross reference matrix of statements -and rules allowed in each of the above policy statements. +**Conditional Policy Statements:** + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes/No | Yes/No | Yes/No | + +**Where:** + +*if Statement* + +- Whether the statement is allowed within a conditional statement + (*if/else* construct). Conditional statements can be in all types + of policy source file. + +*optional Statement* + +- Whether the statement is allowed within the *optional { rule_list }* construct. + +*require Statement* + +- Whether the statement is allowed within the *require { rule_list }* construct. ## MLS Statements and Optional MLS Components @@ -265,7 +151,8 @@ statements specifically for MLS support. However when MLS is enabled, there are other statements that require the MLS component of a security context as an argument, (for example the [**Network Labeling Statements**](network_statements.md#network-labeling-statements)), -therefore these statements show an example taken from the MLS **Reference Policy** build. +therefore these statements show an example taken from the +MLS **Reference Policy** build. ## General Statement Information @@ -299,180 +186,35 @@ same). for all the possible command line options. 2. **Table 2** lists words reserved for the SELinux policy language. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
aliasallowand
attributeattribute_roleauditallow
auditdenyboolcategory
cfalseclassclone
commonconstrainctrue
domdombydominance
dontauditelseequals
falsefilenamefilesystem
fsconfs_use_taskfs_use_trans
fs_use_xattrgenfsconh1
h2identifierif
incompinheritsiomemcon
ioportconipv4_addripv6_addr
l1l2level
mlsconstrainmlsvalidatetransmodule
netifconneverallownodecon
notnotequalnumber
object_roptionalor
pathpcideviceconpermissive
pirqconpolicycapportcon
r1r2r3
rangerange_transitionrequire
roleroleattributeroles
role_transitionsameusersensitivity
sidsourcet1
t2t3target
truetypetypealias
typeattributetypeboundstype_change
type_membertypestype_transition
u1u2u3
uservalidatetransversion_identifier
xordefault_userdefault_role
default_typedefault_rangelow
highlow_high
+| | | | | +| :-------------- | :------------- | :----------------- | :--------------- | +| alias | allow | allowxperm | and | +| attribute | attribute_role | auditallow | auditallowxperm | +| auditdeny | bool | category | cfalse | +| class | clone | common | constrain | +| ctrue | default_range | default_role | default_type | +| default_user | dom | domby | dominance | +| dontaudit | else | equals | expandattribute | +| false | filename | filesystem | fscon | +| fs_use_task | fs_use_trans | fs_use_xattr | genfscon | +| h1 | h2 | high | ibendportcon | +| ibpkeycon | identifier | if | incomp | +| inherits | iomemcon | ioportcon | ipv4_addr | +| ipv6_addr | l1 | l2 | level | +| low | low_high | mlsconstrain | mlsvalidatetrans | +| module | netifcon | neverallow | neverallowxperm | +| neverallowxperm | nodecon | not | notequal | +| number | object_r | optional | or | +| path | pcidevicecon | permissive | pirqcon | +| policycap | portcon | r1 | r2 | +| r3 | range | range_transition | require | +| role | roleattribute | roles | role_transition | +| sameuser | sensitivity | sid | source | +| t1 | t2 | t3 | target | +| true | type | typealias | typeattribute | +| typebounds | type_change | type_member | types | +| type_transition | u1 | u2 | u3 | +| user | validatetrans | version_identifier | xor | **Table 2: Policy language reserved words** 
@@ -481,469 +223,74 @@ within each type of policy source file, and whether the statement is valid within an *if/else* construct, *optional {rule_list}*, or *require {rule_list}* statement. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
allowYesYesYesYesYesNo
allow - RoleYesYesYesNoYesNo
attributeYesYesYesNoYesYes
attribute_roleYesYesYesNoYesYes
auditallowYesYesYesYesYesNo
auditdeny (Deprecated)YesYesYesYesYesNo
boolYesYesYesNoYesYes
categoryYesYesNoNoNoYes
classYesYesNoNoNoYes
commonYesYesNoNoNoNo
constrainYesYesNoNoNoNo
default_userYesYesNoNoNoNo
default_roleYesYesNoNoNoNo
default_typeYesYesNoNoNoNo
default_rangeYesYesNoNoNoNo
dominance - MLSYesYesNoNoNoNo
dominance - Role (Deprecated)YesYesYesNoYesNo
dontauditYesYesYesYesYesNo
fs_use_taskYesYesNoNoNoNo
fs_use_transYesYesNoNoNoNo
fs_use_xattrYesYesNoNoNoNo
genfsconYesYesNoNoNoNo
ifYesYesYesNoYesNo
levelYesYesNoNoNoNo
mlsconstrainYesYesNoNoNoNo
mlsvalidatetransYesYesNoNoNoNo
moduleNoNoYesNoNoNo
netifcon YesYesNoNoNoNo
neverallowYesYesYes[^fn_kpl_3]NoYesNo
nodeconYesYesNoNoNoNo
optionalNoYesYesYesYesYes
permissiveYesYesYesYesYesNo
policycapYesYesNoNoNoNo
portconYesYesNoNoNoNo
range_transitionYesYesYesNoYesNo
requireNoYes[^fn_kpl_4]YesYes[^fn_kpl_5]YesNo
roleYesYesYesNoYesYes
roleattributeYesYesYesNoYesNo
role_transitionYesYesYesNoYesNo
sensitivityYesYesNoNoNoYes
sidYesYesNoNoNoNo
typeYesYesYesNoNoYes
type_changeYesYesYesYesYesNo
type_memberYesYesYesYesYesNo
type_transitionYesYesYesYesYesNo
typealiasYesYesYesNoYesNo
typeattributeYesYesYesNoYesNo
typeboundsYesYesYesNoYesNo
userYesYesYesNoYesYes
validatetransYesYesNoNoNoNo
+| Statement / Rule | Monolithic Policy | Base Policy | Module Policy | Conditional Statements | optional Statement | require Statement | +| :--------------- | :---------------: | :---------: | :-----------: | :--------------------: | :----------------: | :---------------: | +| *allow* | Yes | Yes | Yes | Yes | Yes | No | +| *allow* - Role | Yes | Yes | Yes | No | Yes | No | +| *allowxperm* | Yes | Yes | Yes | No | No | No | +| *attribute* | Yes | Yes | Yes | No | Yes | Yes | +| *attribute_role* | Yes | Yes | Yes | No | Yes | Yes | +| *auditallow* | Yes | Yes | Yes | Yes | Yes | No | +| *auditallowxperm*| Yes | Yes | Yes | No | No | No | +| *auditdeny* (Deprecated)| Yes | Yes | Yes | Yes | Yes | No | +| *bool* | Yes | Yes | Yes | No | Yes | Yes | +| *category* | Yes | Yes | No | No | No | Yes | +| *class* | Yes | Yes | No | No | No | Yes | +| *common* | Yes | Yes | No | No | No | No | +| *constrain* | Yes | Yes | No | No | No | No | +| *default_user* | Yes | Yes | No | No | No | No | +| *default_role* | Yes | Yes | No | No | No | No | +| *default_type* | Yes | Yes | No | No | No | No | +| *default_range* | Yes | Yes | No | No | No | No | +| *dominance* - MLS| Yes | Yes | No | No | No | No | +| *dominance* - Role (Deprecated)| Yes | Yes | Yes | No | Yes | No | +| *dontaudit* | Yes | Yes | Yes | Yes | Yes | No | +| *dontauditxperm* | Yes | Yes | Yes | No | No | No | +| *expandattribute*| Yes | Yes | Yes | No | Yes | No | +| *fs_use_task* | Yes | Yes | No | No | No | No | +| *fs_use_trans* | Yes | Yes | No | No | No | No | +| *fs_use_xattr* | Yes | Yes | No | No | No | No | +| *genfscon* | Yes | Yes | No | No | No | No | +| *ibpkeycon* | Yes | Yes | Yes | No | No | No | +| *ibendportcon* | Yes | Yes | Yes | No | No | No | +| *if* | Yes | Yes | Yes | No | Yes | No | +| *level* | Yes | Yes | No | No | No | No | +| *mlsconstrain* | Yes | Yes | No | No | No | No | +| *mlsvalidatetrans*| Yes | Yes | No | No | No | No | +| *module* | No | No | Yes | No | No | No | +| 
*netifcon* | Yes | Yes | No | No | No | No | +| *neverallow* | Yes | Yes |Yes [^fn_kpl_3]| No | Yes | No | +| *neverallowxperm*| Yes | Yes | Yes | No | No | No | +| *nodecon* | Yes | Yes | No | No | No | No | +| *optional* | No | Yes | Yes | Yes | Yes | Yes | +| *permissive* | Yes | Yes | Yes | Yes | Yes | No | +| *policycap* | Yes | Yes | No | No | No | No | +| *portcon* | Yes | Yes | No | No | No | No | +| *range_transition*| Yes | Yes | Yes | No | Yes | No | +| *require* | No |Yes [^fn_kpl_4]| Yes | Yes [^fn_kpl_5] | Yes | No | +| *role* | Yes | Yes | Yes | No | Yes | Yes | +| *roleattribute* | Yes | Yes | Yes | No | Yes | No | +| *role_transition*| Yes | Yes | Yes | No | Yes | No | +| *sensitivity* | Yes | Yes | No | No | No | Yes | +| *sid* | Yes | Yes | No | No | No | No | +| *type* | Yes | Yes | Yes | No | No | Yes | +| *type_change* | Yes | Yes | Yes | Yes | Yes | No | +| *type_member* | Yes | Yes | Yes | Yes | Yes | No | +| *type_transition*| Yes | Yes | Yes | Yes | Yes | No | +| *typealias* | Yes | Yes | Yes | No | Yes | No | +| *typeattribute* | Yes | Yes | Yes | No | Yes | No | +| *typebounds* | Yes | Yes | Yes | No | Yes | No | +| *user* | Yes | Yes | Yes | No | Yes | Yes | +| *validatetrans* | Yes | Yes | No | No | No | No | **Table 3: The policy language statements and rules that are allowed within each type of policy source file** - *The left hand side of the table shows what Policy Language Statements and Rules are allowed within each type of policy source file. The right hand side of the table shows whether the -statement is valid within the *if/else* construct, *optional {rule_list}*, -or *require {rule_list}* statement.* +statement is valid within the if/else construct, optional {rule_list}, +or require {rule_list} statement.* -## Section Contents +## Policy Language Index The policy language statement and rule sections are as follows: 
@@ -967,6 +314,7 @@ The policy language statement and rule sections are as follows: Note these are not kernel policy statements, but used by the Reference Policy to assist policy build: + - [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements) [^fn_kpl_1]: It is important to note that the Reference Policy builds policy
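Review bot: in the @@ -1,7 +1,14 @@ hunk the rewrapped sentence still carries the pre-existing typo "statements and rule are allowed in each"; since the patch already rewrites that line to shorten it, change "rule" to "rules" here rather than leaving it for a follow-up, and the sentence then reads "what kernel policy statements and rules are allowed in each".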
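Review bot: the @@ -33,176 +40,70 @@ hunk changes Table 1 values while the commit message describes a pure format conversion: the removed HTML row has `MLS Constraints` as `o`, but the new Base Entries table has `| MLS Constraints | m |`; `| require Statement | o |` is added to the Base Entries table although the old table listed the require statement only under Module Entries; and the Module Entries table flips `module Statement` from `o` to `m`. The last of these looks like a genuine correction, but all three are content changes hidden inside a reformat, so either restore the original values or say in the commit message which M/O values were corrected on purpose, so a reviewer can check them against Table 3 rather than spot the diff by accident.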
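Review bot: the @@ -221,42 +122,27 @@ hunk (and the preceding one) deletes the sentence "**Table 3** shows a cross reference matrix of statements and rules allowed in each of the above policy statements." Table 3 survives the conversion and is the place a reader of an individual statement section is being pointed to, so keep that sentence after the "Where:" list in both places instead of dropping it; if the intent is to replace it with the new TOC, the commit message should say so.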
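Review bot: in the @@ -299,180 +186,35 @@ hunk the new Table 2 lists `neverallowxperm` twice (last cell of the `| module | netifcon | neverallow | neverallowxperm |` row and first cell of the row that follows), while `dontauditxperm`, which the new Table 3 does list, is absent from the reserved-word table. Drop the duplicate cell and add `dontauditxperm` in its alphabetical position after `dontaudit`. The hunk also introduces words that were not in the HTML table (`allowxperm`, `auditallowxperm`, `expandattribute`, `ibendportcon`, `ibpkeycon`, `neverallowxperm`); that is a useful update, but "convert HTML tables" does not suggest content was added, so mention it in the commit message.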
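Review bot: in the @@ -481,469 +223,74 @@ hunk the heading `## Section Contents` becomes `## Policy Language Index`, which moves the generated anchor from `#section-contents` to `#policy-language-index`; the in-file link is updated in the first hunk, but please check the other notebook sources for links to `kernel_policy_language.md#section-contents` so nothing outside this file breaks. The rows added to Table 3 (`allowxperm`, `auditallowxperm`, `dontauditxperm`, `neverallowxperm`, `ibpkeycon`, `ibendportcon`) give No in the optional Statement column, whereas the corresponding `allow`, `auditallow`, `dontaudit` and `neverallow` rows give Yes; as these rows are new content rather than a conversion, double-check the values against the checkpolicy grammar and note the source in the commit message. Minor: `*auditallowxperm*|`, `*dominance* - MLS|`, `*expandattribute*|`, `*mlsvalidatetrans*|`, `*range_transition*|`, `*role_transition*|` and `*type_transition*|` lack the space before the cell separator that every other row has; harmless to the renderer but inconsistent with the rest of the table.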