From patchwork Tue Aug 4 01:33:23 2020
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 11699369
Subject: [RFC,selinux-notebook PATCH 01/18] build: explicitly enable pandoc pipe_tables
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:33:23 -0400
Message-ID: <159650480312.8961.3858639968171830656.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>

As of July 2020 GitHub Markdown supports pipe tables.

Signed-off-by: Paul Moore
---
 Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile index 9bd0ffa..f41bb16 100644 --- a/Makefile +++ b/Makefile 
@@ -16,7 +16,8 @@ PDF_OUT = SELinux_Notebook.pdf SED = sed PANDOC = pandoc -PANDOC_OPTS=-V mainfont='DejaVu Serif' -V monofont='DejaVu Sans Mono' +PANDOC_OPTS = --from markdown+pipe_tables +PANDOC_OPTS += -V mainfont='DejaVu Serif' -V monofont='DejaVu Sans Mono' # the individual section files, in order FILE_LIST = $(shell cat src/section_list.txt) From patchwork Tue Aug 4 01:33:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699371 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9A1E7722 for ; Tue, 4 Aug 2020 01:33:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C120720786 for ; Tue, 4 Aug 2020 01:33:32 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.b="w2Y8a/1h" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729154AbgHDBdc (ORCPT ); Mon, 3 Aug 2020 21:33:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50932 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726276AbgHDBdc (ORCPT ); Mon, 3 Aug 2020 21:33:32 -0400 Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F049FC06174A for ; Mon, 3 Aug 2020 18:33:31 -0700 (PDT) Received: by mail-qt1-x82f.google.com with SMTP id c12so20779512qtn.9 for ; Mon, 03 Aug 2020 18:33:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=subject:from:to:date:message-id:in-reply-to:references:user-agent :mime-version:content-transfer-encoding; 
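Review bot: `--from markdown+pipe_tables` in the new `PANDOC_OPTS = --from markdown+pipe_tables` line is a no-op for pandoc's default `markdown` reader, which already has the `pipe_tables` extension enabled; keeping the flag as an explicit statement of the dependency is fine, but the commit message should say so, and should note that this only affects the local pandoc build and has no bearing on how GitHub renders the sources. If the intent is to guard against a different default reader being selected later, consider also pinning the reader with a comment above the line.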
Subject: [RFC,selinux-notebook PATCH 02/18] css: identify table layout hacks
From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:33:29 -0400 Message-ID: <159650480947.8961.9574180519610718746.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> User-Agent: StGit/0.23 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Better identify, and tweak, some of the table layout hacks so that we know to revisit them later once we have fully converted to markdown. Signed-off-by: Paul Moore --- src/styles_html.css | 1 - src/styles_pdf.css | 6 +++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/styles_html.css b/src/styles_html.css index ea3f7ee..887051c 100644 --- a/src/styles_html.css +++ b/src/styles_html.css @@ -21,7 +21,6 @@ table { } table tr, th, td { border: 1px solid black; - word-wrap: break-word; } img { diff --git a/src/styles_pdf.css b/src/styles_pdf.css index 48da310..5fa9d02 100644 --- a/src/styles_pdf.css +++ b/src/styles_pdf.css 
@@ -62,12 +62,16 @@ table { margin-left: auto; margin-right: auto; width: 95%; - table-layout: fixed; /* combine table borders when they are adjacent */ border-collapse: collapse; + /* TODO: once we finish the HTML->Markdown conversion we should + * revaluate the 'table-layout: fixed' hack below */ + table-layout: fixed; } table tr, th, td { border: 1px solid black; + /* TODO: once we finish the HTML->Markdown conversion we should + * revaluate the 'word-wrap: break-word' hack below */ word-wrap: break-word; } From patchwork Tue Aug 4 01:33:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699373 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 12C31722 for ; Tue, 4 Aug 2020 01:33:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3AE3E2086A for ; Tue, 4 Aug 2020 01:33:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.b="tbLFGm5f" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729090AbgHDBdi (ORCPT ); Mon, 3 Aug 2020 21:33:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50954 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726276AbgHDBdi (ORCPT ); Mon, 3 Aug 2020 21:33:38 -0400 Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6AAB3C06174A for ; Mon, 3 Aug 2020 18:33:38 -0700 (PDT) Received: by mail-qk1-x734.google.com with SMTP id 77so4763056qkm.5 for ; Mon, 03 Aug 2020 18:33:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
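Review bot: both new TODO comments in styles_pdf.css misspell "re-evaluate" as "revaluate"; since this exact comment text is copied again in the next patch of the series, fix it here before it spreads. Separately, styles_html.css drops `word-wrap: break-word` outright while styles_pdf.css keeps it behind a TODO, and the commit message ("identify, and tweak") does not say why the HTML output no longer needs the hack but the PDF output still does; one sentence on that would save the next reader from re-deriving it.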
Subject: [RFC,selinux-notebook PATCH 03/18] css: style improvements
From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:33:35 -0400 Message-ID: <159650481580.8961.18287412326005256104.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> User-Agent: StGit/0.23 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Paul Moore --- src/styles_html.css | 15 ++++++++++++++- src/styles_pdf.css | 18 +++++++++++++++++- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/src/styles_html.css b/src/styles_html.css index 887051c..fef851e 100644 --- a/src/styles_html.css +++ b/src/styles_html.css @@ -15,11 +15,18 @@ a { table { /* limit to 95% page width */ + min-width: 50%; max-width: 95%; /* combine table borders when they are adjacent */ border-collapse: collapse; } -table tr, th, td { +table th { + padding: 0.5em; + border: 1px solid black; + background-color: #d3d3d3; +} +table tr, td { + padding: 0.5em; border: 1px solid black; } @@ -30,3 +37,9 @@ img { margin-right: auto; max-width: 95%; } + +pre { + width: 95%; + padding: 1em; + background-color: #f5f5f5; +} diff --git a/src/styles_pdf.css b/src/styles_pdf.css index 5fa9d02..f0bba23 100644 --- a/src/styles_pdf.css +++ b/src/styles_pdf.css @@ -68,7 +68,16 @@ table { * revaluate the 'table-layout: fixed' hack below */ table-layout: fixed; } -table tr, th, td { +table th { + padding: 0.5em; + border: 1px solid black; + background-color: #d3d3d3; + /* TODO: once we finish the HTML->Markdown conversion we should + * revaluate the 'word-wrap: break-word' hack below */ + word-wrap: break-word; +} +table tr, td { + padding: 0.5em; border: 1px solid black; /* TODO: once we finish the HTML->Markdown conversion we should * revaluate the 'word-wrap: break-word' hack below */ 
@@ -82,3 +91,10 @@ img { margin-right: auto; max-width: 95%; } + +pre { + /* force/limit to 95% page width */ + width: 95%; + padding: 1em; + background-color: #f5f5f5; +} From patchwork Tue Aug 4 01:33:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699375 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DC7141392 for ; Tue, 4 Aug 2020 01:33:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0308320786 for ; Tue, 4 Aug 2020 01:33:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.b="d6Z5C7sl" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729209AbgHDBdp (ORCPT ); Mon, 3 Aug 2020 21:33:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50970 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726276AbgHDBdp (ORCPT ); Mon, 3 Aug 2020 21:33:45 -0400 Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31646C06174A for ; Mon, 3 Aug 2020 18:33:45 -0700 (PDT) Received: by mail-qk1-x729.google.com with SMTP id g26so37104093qka.3 for ; Mon, 03 Aug 2020 18:33:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=subject:from:to:date:message-id:in-reply-to:references:user-agent :mime-version:content-transfer-encoding; bh=dI103vdqyGcVlIl5+VUq0P5t55uuTpMc/MxyiAd6DuM=; b=d6Z5C7sl8xoE0fxDe75Ku7tcB3RyCn0fE6ccWX8NqSfEtX8QkM9raE/mwBsqMET07d f0G/lju9rV4cUjp2jFYYNG4YZiQuDQpYLiEt6FQNfx0F6MDwlRakbeBcV0mEBVqIbzA3 
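Review bot: the commit message has no body; "style improvements" should at least list what changed (shaded table headers, 0.5em cell padding, `min-width: 50%` on tables, and the new `pre` block style) so the change is reviewable from `git log`. In the new `pre` rules in both files, `width: 95%` combined with `padding: 1em` gives a rendered box 95% plus 2em wide under the default `box-sizing: content-box`, so it can overflow its container; use `max-width: 95%` as the `table` and `img` rules already do, or add `box-sizing: border-box`. Also, in `table tr, td { padding: 0.5em; ... }` the padding has no effect on table-row boxes, so only the `td` part of that selector does any work and `tr` can be dropped from it.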
Subject: [RFC,selinux-notebook PATCH 04/18] x_windows: fully convert to markdown
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:33:42 -0400
Message-ID: <159650482221.8961.7779250010228783136.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>
Signed-off-by: Paul Moore --- src/x_windows.md | 330 +++++++++++++++++++++++++++--------------------------- 1 file changed, 163 insertions(+), 167 deletions(-) diff --git a/src/x_windows.md b/src/x_windows.md index e2625f7..86f966e 100644 --- a/src/x_windows.md +++ b/src/x_windows.md @@ -68,7 +68,8 @@ time, then the X-function will only succeed if allowed by all the security extensions in the chain. This interface is defined in the -"[**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf)". The specification also defines the hooks available to OMs and +"[**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf)". +The specification also defines the hooks available to OMs and how they should be used. The provision of polyinstantiation services for properties and selections is also discussed. The XACE interface is a similar service to the LSM that supports the kernel OMs. @@ -85,8 +86,6 @@ managers such as Gnome, twm or KDE. [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) section. -
- ## Polyinstantiation The OM / XACE services support polyinstantiation of properties and @@ -104,8 +103,6 @@ polyinstantiation, instead the MLS policy uses [**`mlsconstrain`**](constraint_statements.md#mlsconstrain) to limit the scope of properties and selections. -
- ## Configuration Information This section covers: @@ -234,167 +231,169 @@ client * system_u:object_r:remote_t:s0 A full description of the *x_contexts* file format is given in the [***x_contexts***](policy_config_files.md#contextsx_contexts) section. -
- ## SELinux Extension Functions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function NameMinor ParametersOpcodeComments
XSELinuxQueryVersion0NoneReturns the XSELinux version. Fedora returns 1.1
XSELinuxSetDeviceCreateContext1Context+LenSets the context for creating a device object (x_device).
XSELinuxGetDeviceCreateContext2NoneRetrieves the context set by XSELinuxSetDeviceCreateContext.
XSELinuxSetDeviceContext3DeviceID + Context+LenSets the context for creating the specified DeviceID object.
XSELinuxGetDeviceContext4DeviceIDRetrieves the context set by XSELinuxSetDeviceContext.
XSELinuxSetWindowCreateContext5Context+LenSet the context for creating a window object (x_window).
XSELinuxGetWindowCreateContext6NoneRetrieves the context set by XSELinuxSetWindowCreateContext.
XSELinuxGetWindowContext7WindowIDRetrieves the specified WindowID context.
XSELinuxSetPropertyCreateContext8Context + LenSets the context for creating a property object (x_property).
XSELinuxGetPropertyCreateContext9NoneRetrieves the context set by XSELinuxSetPropertyCreateContext.
XSELinuxSetPropertyUseContext10Context + LenSets the context of the property object to be retrieved when polyinstantiation is being used.
XSELinuxGetPropertyUseContext11NoneRetrieves the property object context set by SELinuxSetPropertyUseContext.
XSELinuxGetPropertyContext12WindowID + AtomIDRetrieves the context of the property atom object.
XSELinuxGetPropertyDataContext13WindowID + AtomIDRetrieves the context of the property atom data.
XSELinuxListProperties14WindowIDLists the object and data contexts of properties associated with the selected WindowID.
XSELinuxSetSelectionCreateContext15Context+LenSets the context to be used for creating a selection object.
XSELinuxGetSelectionCreateContext16NoneRetrieves the context set by SELinuxSetSelectionCreateContext.
XSELinuxSetSelectionUseContext17Context+LenSets the context of the selection object to be retrieved when polyinstantiation is being used. See the XSELinuxListSelections function for an example.
XSELinuxGetSelectionUseContext18NoneRetrieves the selection object context set by SELinuxSetSelectionUseContext.
XSELinuxGetSelectionContext19AtomIDRetrieves the context of the specified selection atom object.
XSELinuxGetSelectionDataContext20AtomIDRetrieves the context of the selection data from the current selection owner (x_application_data object).
XSELinuxListSelections21None

Lists the selection atom object and data contexts associated with this display. The main difference in the listings is that when (for example) the PRIMARY selection atom is polyinstantiated, multiple entries can returned. One has the context of the atom itself, and one entry for each process (or x-client) that has an active polyinstantiated entry, for example:

-

Atom: PRIMARY - label defined in the x_contexts file (this is also for non-poly listing):

-

Object Context: system_u:object_r:primary_xselection_t

-

Data Context: system_u:object_r:primary_xselection_t

-

Atom: PRIMARY - Labels for client 1:

-

Object Context: system_u:object_r:x_select_paste1_t

-

Data Context: system_u:object_r:x_select_paste1_t

-

Atom: PRIMARY - Labels for client 2:

-

Object Context: system_u:object_r:x_select_paste2_t

-

Data Context: system_u:object_r:x_select_paste2_t

XSELinuxGetClientContext22ResourceIDRetrieves the client context of the specified ResourceID.
+| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxQueryVersion | 0 | None | + +Returns the XSELinux version. Fedora returns 1.1. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetDeviceCreateContext | 1 | Context + Len | + +Sets the context for creating a device object (*x_device*). + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetDeviceCreateContext | 2 | None | + +Retrieves the context set by *XSELinuxSetDeviceCreateContext*. + +| Function Name | Minor Parameter | Opcode | +| ------------------------------- | --------------- | ------------------------ | +| XSELinuxSetDeviceContext | 3 | DeviceID + Context + Len | + +Sets the context for creating the specified DeviceID object. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetDeviceContext | 4 | DeviceID | + +Retrieves the context set by *XSELinuxSetDeviceContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetWindowCreateContext | 5 | Context + Len | + +Set the context for creating a window object (*x_window*). + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetWindowCreateContext | 6 | None | + +Retrieves the context set by *XSELinuxSetWindowCreateContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetWindowContext | 7 | WindowID | + +Retrieves the specified WindowID context. 
+ +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetPropertyCreateContext | 8 | Context | + +Sets the context for creating a property object (*x_property*). + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetPropertyCreateContext | 9 | None | + +Retrieves the context set by *XSELinuxSetPropertyCreateContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetPropertyUseContext | 10 | Context + Len | + +Sets the context of the property object to be retrieved when polyinstantiation +is being used. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetPropertyUseContext | 11 | None | + +Retrieves the property object context set by *SELinuxSetPropertyUseContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetPropertyContext | 12 | WindowID + AtomID | + +Retrieves the context of the property atom object. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetPropertyDataContext | 13 | WindowID + AtomID | + +Retrieves the context of the property atom data. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxListProperties | 14 | WindowID | + +Lists the object and data contexts of properties associated with the selected +WindowID. 
+ +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetSelectionCreateContext | 15 | Context + Len | + +Sets the context to be used for creating a selection object. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetSelectionCreateContext | 16 | None | + +Retrieves the context set by *SELinuxSetSelectionCreateContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetSelectionUseContext | 17 | Context + Len | + +Sets the context of the selection object to be retrieved when polyinstantiation +is being used. See the *XSELinuxListSelections* function for an example. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetSelectionUseContext | 18 | None | + +Retrieves the selection object context set by *SELinuxSetSelectionUseContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetSelectionContext | 19 | AtomID | + +Retrieves the context of the specified selection atom object. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetSelectionDataContext | 20 | AtomID | + +Retrieves the context of the selection data from the current selection owner +(*x_application_data* object). + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxListSelections | 21 | None | + +Lists the selection atom object and data contexts associated with this display. 
+The main difference in the listings is that when (for example) the *PRIMARY* +selection atom is polyinstantiated, multiple entries can returned. One has the +context of the atom itself, and one entry for each process (or x-client) that +has an active polyinstantiated entry, for example: + +Atom: PRIMARY - label defined in the *x_contexts* file (this is also for +non-poly listing): + +- Object Context: *system_u:object_r:primary_xselection_t* +- Data Context: *system_u:object_r:primary_xselection_t* + +Atom: PRIMARY - Labels for client 1: + +- Object Context: *system_u:object_r:x_select_paste1_t* +- Data Context: *system_u:object_r:x_select_paste1_t* + +Atom: PRIMARY - Labels for client 2: + +- Object Context: *system_u:object_r:x_select_paste2_t* +- Data Context: *system_u:object_r:x_select_paste2_t* + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetClientContext | 22 | ResourceID | + +Retrieves the client context of the specified ResourceID. **Table 12: The XSELinux Extension Functions** - *Supported by the object manager as X-protocol extensions. Note that some functions will return @@ -402,9 +401,6 @@ the default contexts, while others (2, 6, 9, 11, 16, 18) will not return a value unless one has been set the the appropriate function (1, 5, 8, 10, 15, 17) by an SELinux-aware application.* - -
- --- From patchwork Tue Aug 4 01:33:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699377 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2D2CE722 for ; Tue, 4 Aug 2020 01:33:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4F33020786 for ; Tue, 4 Aug 2020 01:33:52 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.b="OxrIgRSa" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729080AbgHDBdv (ORCPT ); Mon, 3 Aug 2020 21:33:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50988 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726276AbgHDBdv (ORCPT ); Mon, 3 Aug 2020 21:33:51 -0400 Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 60F0DC06174A for ; Mon, 3 Aug 2020 18:33:51 -0700 (PDT) Received: by mail-qk1-x744.google.com with SMTP id l23so37111959qkk.0 for ; Mon, 03 Aug 2020 18:33:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=subject:from:to:date:message-id:in-reply-to:references:user-agent :mime-version:content-transfer-encoding; bh=J9fXVlEdf7OFiOr4V1LW5OGbAB+De+vYVl5tQCtvAEI=; b=OxrIgRSa7kC5eSc6PEMjCK0ZSHU+GL5BucHkNDe9nSsoM2GNplNIldrx3QwnmPULjr 7ww2uCMG9xLSOvqnksstsWcNQJAwQ7LNW8xvPdPAapzoIZc/97G3wZSFJ57LleR6OT0y Xd7mSgGSOExrfsh65RuAev4Bo63LmKO44BFxa3rNbOMxAZTxXAXAbxvaIg6dC4NKufhK DWxE7rhFesF1fIkOvJ5ouwykKaliw8xQg+P/7MIeJ0zqlKY+kouaTrII40GZKEniLpXJ 
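Review bot: the new pipe tables have their column headings swapped: every row puts the opcode number (0, 1, 2, ...) under "Minor Parameters" and the parameter list (None, Context + Len, DeviceID, ...) under "Opcode", so the heading rows should read `| Function Name | Minor Opcode | Parameters |`. Two smaller points in the same hunk: the XSELinuxSetPropertyCreateContext row lost its length field (`| 8 | Context |`, where the removed row had "Context + Len", matching the other Set*CreateContext rows), and "multiple entries can returned" is missing "be". The "Table 12" caption now follows 23 separate one-row tables rather than one table; if the per-function description paragraphs are what forced the split, a single table with a short "Comments" column plus the long XSELinuxListSelections example below it would keep the caption accurate. The pre-existing "set the the appropriate function" in the unchanged caption text could be fixed while the file is being touched.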
Subject: [RFC,selinux-notebook PATCH 05/18] xperm_rules: fully convert to markdown
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:33:48 -0400
Message-ID: <159650482872.8961.7516871249534865160.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>

Signed-off-by: Paul Moore
---
 src/xperm_rules.md | 138 ++++++++++++++++++++++++----------------------------
 1 file changed, 64 insertions(+), 74 deletions(-)
diff --git a/src/xperm_rules.md b/src/xperm_rules.md index 48beb41..21878ea 100644 --- a/src/xperm_rules.md +++ b/src/xperm_rules.md @@ -2,8 +2,8 @@ There are three extended AV rules implemented from Policy version 30 with the target platform 'selinux' that expand the permission sets from -a fixed 32 bits to permission sets in 256 bit increments: `allowxperm`, -`dontauditxperm`, `auditallowxperm` and `neverallowxperm`. +a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*, +*dontauditxperm*, *auditallowxperm* and *neverallowxperm*. The rules for extended permissions are subject to the 'operation' they perform with Policy version 30 and kernels from 4.3 supporting ioctl @@ -16,66 +16,59 @@ libsepol 2.7 minimum is required). **Where:** - - - - - - - - - - - - - - - - - - - - - - - -
rule_nameThe applicable allowxperm, dontauditxperm, auditallowxperm or neverallowxperm rule keyword.

source_type

-

target_type

One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'. Entries can be excluded from the list by using the negative operator '-'.

-

The target_type can have the self keyword instead of type, typealias or attribute identifiers. This means that the target_type is the same as the source_type.

classOne or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.
operationA key word defining the operation to be implemented by the rule. Currently only the ioctl operation is supported by the kernel policy language and kernel as described in the ioctl Operation Rules section.
xperm_set

One or more extended permissions represented by numeric values (i.e. 0x8900 or 35072). The usage is dependent on the specified operation.

-

Multiple entries consist of a space separated list enclosed in braces '{}'.

-

The complement operator '~' is used to specify all permissions except those explicitly listed.

-

The range operator '-' is used to specify all permissions within the low – high range.

-

An example is shown in the ioctl Operation Rules section.

+*rule_name* + +The applicable *allowxperm*, *dontauditxperm*, *auditallowxperm* +or *neverallowxperm* rule keyword. + +*source_type* + +One or more source / target *type*, *typealias* or *attribute* identifiers. +Multiple entries consist of a space separated list enclosed in braces \'{}\'. +Entries can be excluded from the list by using the negative operator \'-\'. + +*target_type* + +The target_type can have the *self* keyword instead of *type*, *typealias* or +*attribute* identifiers. This means that the *target_type* is the same as the +*source_type*. + +*class* + +One or more object classes. Multiple entries consist of a space separated list +enclosed in braces \'{}\'. + +*operation* + +A key word defining the operation to be implemented by the rule. Currently only +the *ioctl* operation is supported by the kernel policy language and kernel as +described in the [*ioctl* Operation Rules](#ioctl-operation-rules) section. + +*xperm_set* + +One or more extended permissions represented by numeric values (i.e. *0x8900* +or *35072*). The usage is dependent on the specified *operation*. Multiple +entries consist of a space separated list enclosed in braces \'{}\'. The +complement operator \'\~\' is used to specify all permissions except those +explicitly listed. The range operator \'-\' is used to specify all permissions +within the *low – high* range. An example is shown in the +[*ioctl* Operation Rules](#ioctl-operation-rules) section. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
-
- -### `ioctl` Operation Rules +Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | + +### *ioctl* Operation Rules Use cases and implementation details for ioctl command whitelisting are described in detail at @@ -85,14 +78,14 @@ policy format changes shown in the example below with a brief overview the final upstream kernel patch). Ioctl calls are generally used to get or set device options. Policy -versions < 30 only controls whether an `ioctl` permission is allowed -or not, for example this rule allows the object class `tcp_socket` the -`ioctl` permission: +versions < 30 only controls whether an *ioctl* permission is allowed +or not, for example this rule allows the object class *tcp_socket* the +*ioctl* permission: `allow src_t tgt_t : tcp_socket ioctl;` From Policy version 30 it is possible to control ***ioctl**(2)* -'*request*' parameters provided the `ioctl` permission is also allowed, +'*request*' parameters provided the *ioctl* permission is also allowed, for example: ``` 
@@ -101,14 +94,14 @@ allow src_t tgt_t : tcp_socket ioctl; allowxperm src_t tgt_t : tcp_socket ioctl ~0x8927; ``` -The `allowxperm` rule states that all ioctl request parameters are +The *allowxperm* rule states that all ioctl request parameters are allowed for the source/target/class with the exception of the value -`0x8927` that (using *include/linux/sockios.h*) is **SIOCGIFHWADDR**, or +*0x8927* that (using *include/linux/sockios.h*) is **SIOCGIFHWADDR**, or 'get hardware address'. An example audit log entry denying an ioctl request to add a routing -table entry (**SIOCADDRT** - `ioctlcmd=890b`) for *goldfish_setup* on a -`udp_socket` is: +table entry (**SIOCADDRT** - *ioctlcmd=890b*) for *goldfish_setup* on a +*udp_socket* is: ``` type=1400 audit(1437408413.860:6): avc: denied { ioctl } for pid=81 @@ -121,18 +114,15 @@ Notes: 1. Important: The ioctl operation is not 'deny all' ioctl requests (hence whitelisting). It is targeted at the specific - source/target/class set of ioctl commands. As no other `allowxperm` + source/target/class set of ioctl commands. As no other *allowxperm* rules have been defined in the example, all other ioctl calls may continue to use any valid request parameters (provided there are - `allow` rules for the `ioctl` permission). + *allow* rules for the *ioctl* permission). 2. As the ***ioctl**(2)* function requires a file descriptor, its - context must match the process context otherwise the `fd { use }` + context must match the process context otherwise the *fd { use }* class/permission is required. 3. To deny all ioctl requests for a specific source/target/class the - `xperm_set` should be set to `0` or `0x0`. - - -
+ *xperm_set* should be set to *0* or *0x0*.

From patchwork Tue Aug 4 01:33:55 2020
Subject: [RFC,selinux-notebook PATCH 06/18] xen_statements: fully convert to markdown
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:33:55 -0400
Message-ID: <159650483517.8961.12011786927723219806.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>
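Review bot: for src/xperm_rules.md (the patch above), the new *source_type*, *class* and *xperm_set* paragraphs keep pandoc's backslash-escaped quotes (`\'{}\'`, `\'-\'`, `\'\~\'`); plain `'{}'`, `'-'` and `'~'` read cleanly in markdown and match the unescaped `'{}'` that the user_statements conversion later in this series uses. In the new Conditional Policy table the header cell `*if* statement` is lower-case while `*optional* Statement` and `*require* Statement` are capitalised; pick one form. Since these lines are being rewritten anyway, the added `versions < 30 only controls whether an *ioctl* permission is allowed` should read `control`, and `A key word defining the operation` should read `A keyword defining the operation`.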
Signed-off-by: Paul Moore --- src/xen_statements.md | 340 +++++++++++++++++-------------------------------- 1 file changed, 119 insertions(+), 221 deletions(-) diff --git a/src/xen_statements.md b/src/xen_statements.md index ce968de..5688893 100644 --- a/src/xen_statements.md +++ b/src/xen_statements.md @@ -1,12 +1,12 @@ # Xen Statements -Xen policy supports additional policy language statements: `iomemcon`, -`ioportcon`, `pcidevicecon`, `pirqcon` and `devicetreecon` that are +Xen policy supports additional policy language statements: *iomemcon*, +*ioportcon*, *pcidevicecon*, *pirqcon* and *devicetreecon* that are discussed in the sections that follow, also the [**XSM/FLASK Configuration**](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) document contains further information. -Policy version 30 introduced the `devicetreecon` statement and also +Policy version 30 introduced the *devicetreecon* statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (32-bit count of 4K pages). @@ -14,9 +14,7 @@ of 4K pages). To compile these additional statements using ***semodule**(8)*, ensure that the ***semanage.conf**(5)* file has the *policy-target=xen* entry. -
- -## `iomemcon` +## *iomemcon* Label i/o memory. This may be a single memory location or a range. @@ -26,50 +24,32 @@ Label i/o memory. This may be a single memory location or a range. **Where:** - - - - - - - - - - - - - - - -
iomemconThe iomemcon keyword.
addrThe memory address to apply the context. This may also be a range that consists of a start and end address separated by a hypen '-'.
contextThe security context to be applied.
+*iomemcon* + +The *iomemcon* keyword. + +*addr* +The memory address to apply the context. This may also be a range that consists +of a start and end address separated by a hypen \'-\'. + +*context* + +The security context to be applied. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Examples:** @@ -78,9 +58,7 @@ iomemcon 0xfebd9 system_u:object_r:nicP_t iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t ``` -
- -## `ioportcon` +## *ioportcon* Label i/o ports. This may be a single port or a range. @@ -90,49 +68,32 @@ Label i/o ports. This may be a single port or a range. **Where:** - - - - - - - - - - - - - - - -
ioportconThe ioportcon keyword.
portThe port to apply the context. This may also be a range that consists of a start and end port number separated by a hypen '-'.
contextThe security context to be applied.
+*ioportcon* + +The *ioportcon* keyword. + +*port* + +The *port* to apply the context. This may also be a range that consists of a +start and end port number separated by a hypen \'-\'. + +*context* + +The security context to be applied. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Examples:** @@ -141,9 +102,7 @@ ioportcon 0xeac0 system_u:object_r:nicP_t ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t ``` -
- -## `pcidevicecon` +## *pcidevicecon* Label a PCI device. @@ -153,57 +112,37 @@ Label a PCI device. **Where:** - - - - - - - - - - - - - - - -
pcideviceconThe pcidevicecon keyword.
pci_idThe PCI indentifer.
contextThe security context to be applied.
+*pcidevicecon* + +The *pcidevicecon* keyword. + +*pci_id* + +The PCI indentifer. + +*context* + +The security context to be applied. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** `pcidevicecon 0xc800 system_u:object_r:nicP_t` -
- -## `pirqcon` +## *pirqcon* Label an interrupt level. @@ -213,57 +152,37 @@ Label an interrupt level. **Where:** - - - - - - - - - - - - - - - -
pirqconThe pirqcon keyword.
irqThe interrupt request number.
contextThe security context to be applied.
+*pirqcon* + +The *pirqcon* keyword. + +*irq* + +The interrupt request number. + +*context* + +The security context to be applied. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** `pirqcon 33 system_u:object_r:nicP_t` -
- -## `devicetreecon` +## *devicetreecon* Label device tree nodes. @@ -273,57 +192,36 @@ Label device tree nodes. **Where:** - - - - - - - - - - - - - - - -
devicetreeconThe devicetreecon keyword.
pathThe device tree path. If this contains spaces enclose within "" as shown in the example.
contextThe security context to be applied.
+*devicetreecon* + +The *devicetreecon* keyword. + +*path* + +The device tree path. If this contains spaces enclose within *""* as shown in +the example. + +*context* + +The security context to be applied. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesNo
Conditional Policy if Statementoptional Statementrequire Statement
NoNoNo
+Policy Type +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | -**Example:** +Conditional Policy Statements -`devicetreecon "/this is/a/path" system_u:object_r:arm_path` +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | +**Example:** -
+`devicetreecon "/this is/a/path" system_u:object_r:arm_path`

From patchwork Tue Aug 4 01:34:01 2020
Subject: [RFC,selinux-notebook PATCH 07/18] vm_support: fully convert to markdown
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:34:01 -0400
Message-ID: <159650484173.8961.4886081033953945601.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>

As a warning, the footnotes may not render correctly until all footnotes in the document have been converted.
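Review bot: in src/xen_statements.md (the patch above), the *iomemcon* section's added `+*addr*` line is followed directly by `+The memory address to apply the context.` with no blank line between them, so the term and its description render as one paragraph; the *port*, *pci_id*, *irq* and *path* entries all have the blank line, so add it here as well. The same thing happens in the *devicetreecon* section, where `+Policy Type` runs straight into the `| Monolithic Policy | Base Policy | Module Policy |` header row with no blank line, unlike the other four sections. Also, in the added text "hypen" appears twice (iomemcon and ioportcon) and should be "hyphen", and "The PCI indentifer." should be "The PCI identifier."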
Signed-off-by: Paul Moore --- src/vm_support.md | 135 +++++++++++------------------------------------------ 1 file changed, 27 insertions(+), 108 deletions(-) diff --git a/src/vm_support.md b/src/vm_support.md index f072fe3..09321ed 100644 --- a/src/vm_support.md +++ b/src/vm_support.md @@ -1,10 +1,9 @@ # SELinux Virtual Machine Support -SELinux support is available in the KVM/QEMU and Xen virtual machine -(VM) technologies1 -(that are discussed in the sections that follow, however the package -documentation should be read for how these products actually work and how they -are configured. +SELinux support is available in the KVM/QEMU and Xen virtual machine (VM) +technologies[^fn_vms_1] that are discussed in the sections that follow, however +the package documentation should be read for how these products actually work +and how they are configured. Currently the main SELinux support for virtualisation is via *libvirt* that is an open-source virtualisation API used to dynamically load guest @@ -23,8 +22,6 @@ To ensure all dependencies are installed run: `dnf install libvirt qemu virt-manager` -
- ## KVM / QEMU Support KVM is a kernel loadable module that uses the Linux kernel as a @@ -51,7 +48,6 @@ configure these and their VM image files. QEMU provides the hardware emulation services for the guest operating systems. Note that KVM requires CPU virtualisation support.* - ## *libvirt* Support The Svirt project added security hooks into the *libvirt* library that @@ -65,14 +61,12 @@ that will load and manage the images. The SELinux implementation supports four methods of labeling VM images, processes and their resources with support from the Reference Policy *modules/services/virt* loadable module. To support this labeling, *libvirt* requires an MCS or MLS -enabled policy as the [**`level`**](security_context.md#security-context) +enabled policy as the [***level***](security_context.md#security-context) entry of the security context is used (*user:role:type:level*). The link has details regarding the QEMU driver and the SELinux confinement modes it supports. -
- ## VM Image Labeling This sections assumes VM images have been generated using the simple @@ -109,33 +103,12 @@ implemented as follows: The following example shows two running VM sessions each having different labels: - - - - - - - - - - - - - - - - - - - - - - - - - - -
VM Image NameObjectDynamically assigned security context
Dynamic_VM1processsystem_u:system_r:svirt_tcg_t:s0:c585,c813
filesystem_u:system_r:svirt_image_t:s0:c585,c813
Dynamic_VM2processsystem_u:system_r:svirt_tcg_t:s0:c535,c601
filesystem_u:system_r:svirt_image_t:s0:c535,c601
+| VM Image | Object | Dynamically assigned security context | +| ------------| --------- | ------------------------------------------------- | +| Dynamic_VM1 | *process* | *system_u:system_r:svirt_tcg_t:s0:c585,c813* | +| | *file* | *system_u:system_r:svirt_image_t:s0:c585,c813* | +| Dynamic_VM2 | *process* | *system_u:system_r:svirt_tcg_t:s0:c535,c601* | +| | *file* | *system_u:system_r:svirt_image_t:s0:c535,c601* | The running image *ls -Z* and *ps -eZ* are as follows, and for completeness an *ls -Z* is shown when both VMs have been stopped: @@ -163,8 +136,6 @@ system_u:object_r:virt_image_t:s0 Dynamic_VM1.img system_u:object_r:virt_image_t:s0 Dynamic_VM2.img ``` -
- ### Shared Image If the disk image has been set to shared, then a dynamically allocated @@ -253,30 +224,12 @@ initialisation process will take place: The following example shows each VM having the same file label but different process labels: - - - - - - - - - - - - - - - - - - - - - - - -
VM Image NameObjectSecurity context
Shareable_VMprocesssystem_u:system_r:svirt_tcg_t:s0:c231,c245
Shareable_VM-cloneprocesssystem_u:system_r:svirt_tcg_t:s0:c695,c894
filesystem_u:system_r:svirt_image_t:s0
+ +| VM Image | Object | Security context | +| -------------------| ----------| -------------------------------------------- | +| Shareable_VM | *process* | *system_u:system_r:svirt_tcg_t:s0:c231,c245* | +| Shareable_VM-clone | *process* | *system_u:system_r:svirt_tcg_t:s0:c695,c894* | +| | *file* | *system_u:system_r:svirt_image_t:s0* | The running image *ls -Z* and *ps -eZ* are as follows and for completeness an *ls -Z* is shown when both VMs have been stopped: @@ -391,35 +344,12 @@ was possible because the 's*etsebool -P virt_transition_userdomain on*'* *boolean was set that allows *virtd_t* domain to transition to a user domain (e.g. *unconfined_t*). - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
VM Image NameObjectStatic security context
Static_VM1processsystem_u:system_r:svirt_t:s0:c1022,c1023
filesystem_u:system_r:svirt_image_t:s0:c1022,c1023
Static_VM2processsystem_u:system_r:unconfined_t:s0:c11,c22
filesystem_u:system_r:virt_image_t:s0
+| VM Image | Object | Static security context | +| -----------| --------- | -------------------------------------------------- | +| Static_VM1 | *process* | *system_u:system_r:svirt_t:s0:c1022,c1023* | +| | *file* | *system_u:system_r:svirt_image_t:s0:c1022,c1023* | +| Static_VM2 | *process* | *system_u:system_r:unconfined_t:s0:c11,c22* | +| | *file* | *system_u:system_r:virt_image_t:s0* | The running image *ls -Z* and *ps -eZ* are as follows, and for completeness an *ls -Z* is shown when both VMs have been stopped: @@ -446,8 +376,6 @@ system_u:object_r:svirt_image_t:s0:c1022,c1023 Static_VM1.img system_u:object_r:virt_image_t:s0 Static_VM2.img ``` -
- ## Xen Support This is not supported by SELinux in the usual way as it is built into @@ -479,19 +407,10 @@ For reference, the Xen policy supports additional policy language statements that defined in the [**Xen Statements**](xen_statements.md#xen-statements) section. -
- -
-
    -
  1. KVM (Kernel-based Virtual Machine) and Xen are classed as 'bare metal' hypervisors and they -rely on other services to manage the overall VM environment. QEMU (Quick Emulator) is an -emulator that emulates the BIOS and I/O device functionality and can be used standalone or with -KVM and Xen.

  2. -
-
- - -
+[^fn_vms_1]: KVM (Kernel-based Virtual Machine) and Xen are classed as 'bare +metal' hypervisors and they rely on other services to manage the overall VM +environment. QEMU (Quick Emulator) is an emulator that emulates the BIOS and +I/O device functionality and can be used standalone or with KVM and Xen.

From patchwork Tue Aug 4 01:34:08 2020
Subject: [RFC,selinux-notebook PATCH 08/18] user_statements: fully convert to markdown
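Review bot: for src/vm_support.md (the patch above), the context line `was possible because the 's*etsebool -P virt_transition_userdomain on*'*` carries broken emphasis markup (the opening `*` sits inside "setsebool" and a stray `*` follows the closing quote); as the static-labeling table right below it is being rewritten, fixing it to `*setsebool -P virt_transition_userdomain on*` in the same patch would be cheap. Old footnote 2 was empty and is dropped without a replacement, so it is worth checking the file for a leftover superscript reference to it, and the context line "This sections assumes VM images" should read "This section assumes VM images".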
From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:34:08 -0400 Message-ID: <159650484817.8961.3234655942477723956.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> User-Agent: StGit/0.23 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Paul Moore --- src/user_statements.md | 113 ++++++++++++++++++++---------------------------- 1 file changed, 48 insertions(+), 65 deletions(-) diff --git a/src/user_statements.md b/src/user_statements.md index cac6181..46f2846 100644 --- a/src/user_statements.md +++ b/src/user_statements.md @@ -1,6 +1,6 @@ # User Statements -## `user` +## *user* The user statement declares an SELinux user identifier within the policy and associates it to one or more roles. The statement also allows an @@ -17,73 +17,58 @@ Or for MCS/MLS Policy: `user seuser_id roles role_id level mls_level range mls_range;` - Where: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
userThe user keyword.
seuser_idThe SELinux user identifier.
rolesThe roles keyword.
role_idOne or more previously declared role or attribute_role identifiers. Multiple role identifiers consist of a space separated list enclosed in braces '{}'.
levelIf MLS is configured, the MLS level keyword.
mls_level

The users default MLS security level that has been previously declared with a level statement.

-

Note that the compiler only accepts the sensitivity component of the level (e.g. s0).

rangeIf MLS is configured, the MLS range keyword.
mls_rangeThe range of security levels that the user can run. The format is described in the "MLS range Definition" section.
+*user* + +The *user* keyword. + +*seuser_id* + +The SELinux user identifier. + +*roles* + +The *roles* keyword. + +*role_id* + +One or more previously declared *role* or *attribute_role* identifiers. +Multiple *role* identifiers consist of a space separated list enclosed in +braces '{}'. + +*level* + +If MLS is configured, the MLS *level* keyword. + +*mls_level* + +The users default MLS security level that has been previously declared with a +*level* statement. Note that the compiler only accepts the *sensitivity* +component of the *level* (e.g. s0). + +*range* + +If MLS is configured, the MLS *range* keyword. + +*mls_range* + +The range of security levels that the user can run. The format is described in +the ["MLS *range* Definition"](mls_statements.md#mls-range-definition) section. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | Yes | **Examples:** @@ -156,8 +141,6 @@ user mque_u prefix user; user mque_u prefix user; ``` -
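Review bot: the two conditional-policy pipe tables in this hunk label their columns inconsistently, `*if* statement` next to `*optional* Statement` and `*require* Statement`; pick one capitalisation (the removed HTML row used "if Statement") so the header row reads uniformly. While the *mls_level* entry is being reflowed, "The users default MLS security level" should read "The user's default MLS security level", and please confirm that the new link target `mls_statements.md#mls-range-definition` matches the anchor generated for the "MLS *range* Definition" heading in that file, since the old text only named the section.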
- ---

From patchwork Tue Aug 4 01:34:14 2020 X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699385 Subject: [RFC,selinux-notebook PATCH 09/18] userspace_libraries: fully convert to markdown From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:34:14 -0400 Message-ID: <159650485462.8961.1637559132596567367.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> Signed-off-by: Paul Moore --- src/userspace_libraries.md | 161 +++++++++++++++++++------------------------- 1 file changed, 69 insertions(+), 92 deletions(-)
diff --git a/src/userspace_libraries.md b/src/userspace_libraries.md index 26ed38d..6db6bb7 100644 --- a/src/userspace_libraries.md +++ b/src/userspace_libraries.md @@ -11,8 +11,6 @@ source code are available at: -
- ## libselinux Library *libselinux* contains all the SELinux functions necessary to build @@ -29,91 +27,77 @@ The library hides the low level functionality of (but not limited to): associated to files, sockets etc. - see ***attr**(5)*. - The SELinux policy and its associated configuration files. -The general category of functions available in *libselinux* are shown in -**Table 1: libselinux function types**, with -[**Appendix B - `libselinux` API Summary**](libselinux_functions.md#appendix-b---libselinux-api-summary) +The general category of functions available in *libselinux* are shown below, +with [**Appendix B - `libselinux` API Summary**](libselinux_functions.md#appendix-b---libselinux-api-summary) giving a complete list of functions. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function CategoryDescription
Access Vector Cache ServicesAllow access decisions to be cached and audited.
Boolean ServicesManage booleans.
Class and Permission ManagementClass / permission string conversion and mapping.
Compute Access DecisionsDetermine if access is allowed or denied.
Compute LabelingCompute labels to be applied to new instances of on object.
Default File LabelingObtain default contexts for file operations.
File Creation Labeling Get and set file creation contexts.
File LabelingGet and set file and file descriptor extended attributes.
General Context ManagementCheck contexts are valid, get and set context components.
Key Creation Labeling Get and set kernel key creation contexts.
Label Translation Management Translate to/from, raw/readable contexts.
Netlink ServicesUsed to detect policy reloads and enforcement changes.
Process Labeling Get and set process contexts.
SELinux Management ServicesLoad policy, set enforcement mode, obtain SELinux configuration information.
SELinux-aware Application LabelingRetrieve default contexts for applications such as database and X-Windows.
Socket Creation Labeling Get and set socket creation contexts.
User Session ManagementRetrieve default contexts for user sessions.
- -**Table 1: libselinux function types** - -
+**Access Vector Cache Services** + +Allow access decisions to be cached and audited. + +**Boolean Services** + +Manage booleans. + +**Class and Permission Management** + +Class / permission string conversion and mapping. + +**Compute Access Decisions** + +Determine if access is allowed or denied. + +**Compute Labeling** + +Compute labels to be applied to new instances of on object. + +**Default File Labeling** + +Obtain default contexts for file operations. + +**File Creation Labeling** + +Get and set file creation contexts. + +**File Labeling** + +Get and set file and file descriptor extended attributes. + +**General Context Management** + +Check contexts are valid, get and set context components. + +**Key Creation Labeling** + +Get and set kernel key creation contexts. + +**Label Translation Management** + +Translate to/from, raw/readable contexts. + +**Netlink Services** + +Used to detect policy reloads and enforcement changes. + +**Process Labeling** + +Get and set process contexts. + +**SELinux Management Services** + +Load policy, set enforcement mode, obtain SELinux configuration information. + +**SELinux-aware Application Labeling** + +Retrieve default contexts for applications such as database and X-Windows. + +**Socket Creation Labeling** + +Get and set socket creation contexts. + +**User Session Management** + +Retrieve default contexts for user sessions. The *libselinux* functions make use of a number of files within the SELinux sub-system: @@ -141,8 +125,6 @@ There is a static version of the library that is not installed by default: `dnf install libselinux-static` -
- ## libsepol Library *libsepol* - To build and manipulate the contents of SELinux kernel @@ -157,14 +139,9 @@ as they require access to functions that are not available in the dynamic library (such as sepol_compute_av(), sepol_compute_av_reason() and sepol_context_to_sid(). -
- ## libsemanage Library *libsemanage* - To manage the policy infrastructure. - -
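Review bot: the rewritten intro line "The general category of functions available in *libselinux* are shown below" pairs a singular subject with a plural verb; "The general categories of functions available in *libselinux* are shown below" reads correctly. Removing the "**Table 1: libselinux function types**" caption also removes the only anchor for any cross-reference to "Table 1" elsewhere in the notebook, so please grep the other source files before merging. One pre-existing typo is carried into a rewritten line and could be fixed in the same pass: "Compute labels to be applied to new instances of on object" under **Compute Labeling** should read "of an object".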
- ---

From patchwork Tue Aug 4 01:34:21 2020 X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699387 Subject: [RFC,selinux-notebook PATCH 10/18] type_statements: fully convert to markdown From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:34:21 -0400 Message-ID: <159650486128.8961.860004757295092365.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> Signed-off-by: Paul Moore --- src/type_statements.md | 636 ++++++++++++++++++------------------------------ 1 file changed, 244 insertions(+), 392 deletions(-)
diff --git a/src/type_statements.md b/src/type_statements.md index 61c7191..76dedab 100644 --- a/src/type_statements.md +++ b/src/type_statements.md @@ -1,7 +1,7 @@ # Type Statements These statements share the same namespace, therefore the general -convention is to use `_t` as the final two characters of a type +convention is to use *_t* as the final two characters of a type identifier to differentiate it from an attribute identifier as shown in the following examples: @@ -13,12 +13,10 @@ type bin_t; # A type identifier generally ends with _t attribute file_type; # An attribute identifier generally ends with _type ``` -
+## *type* -## `type` - -The `type` statement declares the type identifier and any optional -associated `alias` or `attribute` identifiers. Type identifiers are a +The *type* statement declares the type identifier and any optional +associated *alias* or *attribute* identifiers. Type identifiers are a component of the [**Security Context**](security_context.md#security-context). **The statement definition is:** @@ -27,57 +25,44 @@ component of the [**Security Context**](security_context.md#security-context). **Where:** - - - - - - - - - - - - - - - - - - - - - - - -
typeThe type keyword.
type_idThe type identifier.
aliasOptional alias keyword that signifies alternate identifiers for the type_id that are declared in the alias_id list.
alias_idOne or more alias identifiers that have been previously declared by the typealias statement. Multiple entries consist of a space separated list enclosed in braces '{}'.
attribute_idOne or more optional attribute identifiers that have been previously declared by the attribute statement. Multiple entries consist of a comma ',' separated list, also note the lead comma.
+*type* + +The *type* keyword. + +*type_id* + +The *type* identifier. + +*alias* + +Optional *alias* keyword that signifies alternate identifiers for the *type_id* +that are declared in the *alias_id* list. + +*alias_id* + +One or more *alias* identifiers that have been previously declared by the +[*typealias*](#typealias) statement. Multiple entries consist of a space +separated list enclosed in braces '{}'. + +*attribute_id* + +One or more optional *attribute* identifiers that have been previously declared +by the [*attribute*](#attribute) statement. Multiple entries consist of a comma +',' separated list, also note the lead comma. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | Yes | **Examples:** @@ -134,12 +119,10 @@ attribute server_packet_type; # declare attribute 2 type ssh_server_packet_t, packet_type, server_packet_type; ``` -
- -## `attribute` +## *attribute* -An `attribute` statement declares an identifier that can then be used to -refer to a group of `type` identifiers. +An *attribute* statement declares an identifier that can then be used to +refer to a group of *type* identifiers. **The statement definition is:** @@ -147,45 +130,27 @@ refer to a group of `type` identifiers. **Where:** - - - - - - - - - - - -
attributeThe attribute keyword.
attribute_idThe attribute identifier.
+*attribute* + +The *attribute* keyword. + +*attribute_id* + +The *attribute* identifier. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | Yes | **Examples:** @@ -199,11 +164,9 @@ attribute file_type; attribute non_security_file_type; ``` -
- -## `typeattribute` +## *typeattribute* -The `typeattribute` statement allows the association of previously +The *typeattribute* statement allows the association of previously declared types to one or more previously declared attributes. **The statement definition is:** @@ -212,49 +175,32 @@ declared types to one or more previously declared attributes. **Where:** - - - - - - - - - - - - - - - -
typeattributeThe typeattribute keyword.
type_idThe identifier of a previously declared type.
attribute_idOne or more previously declared attribute identifiers. Multiple entries consist of a comma ',' separated list.
+*typeattribute* + +The *typeattribute* keyword. + +*type_id* + +The identifier of a previously declared *type*. + +*attribute_id* + +One or more previously declared *attribute* identifiers. Multiple entries +consist of a comma ',' separated list. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:** @@ -289,13 +235,11 @@ type setroubleshootd_exec_t; typeattribute setroubleshootd_exec_t file_type, non_security_file_type; ``` -
- -## `typealias` +## *typealias* -The `typealias` statement allows the association of a previously declared -`type` to one or more `alias` identifiers (an alternative way is to use the -`type` statement. +The *typealias* statement allows the association of a previously declared +*type* to one or more *alias* identifiers (an alternative way is to use the +*type* statement. **The statement definition is:** @@ -303,53 +247,36 @@ The `typealias` statement allows the association of a previously declared **Where:** - - - - - - - - - - - - - - - - - - - -
typealiasThe typealias keyword.
type_idThe identifier of a previously declared type.
aliasThe alias keyword.
alias_idOne or more alias identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.
+*typealias* + +The *typealias* keyword. + +*type_id* + +The identifier of a previously declared *type*. + +*alias* + +The *alias* keyword. + +*alias_id* + +One or more *alias* identifiers. Multiple entries consist of a space separated +list enclosed in braces '{}'. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:** @@ -374,14 +301,12 @@ type netif_t; typealias netif_t alias { lo_netif_t netif_lo_t }; ``` -
+## *permissive* -## `permissive` - -Policy version 23 introduced the `permissive` statement to allow the named +Policy version 23 introduced the *permissive* statement to allow the named domain to run in permissive mode instead of running all SELinux domains in permissive mode (that was the only option prior to version 23). Note -that the `permissive` statement only tests the source context for any +that the *permissive* statement only tests the source context for any policy denial. **The statement definition is:** @@ -390,45 +315,27 @@ policy denial. **Where:** - - - - - - - - - - - -
permissiveThe permissive keyword.
type_idThe type identifier of the domain that will be run in permissive mode.
+*permissive* + +The *permissive* keyword. + +*type_id* + +The *type* identifier of the domain that will be run in permissive mode. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:** @@ -463,16 +370,13 @@ require { permissive unconfined_t; ``` -
- - -## `type_transition` +## *type_transition* The type_transition rule specifies the default type to be used for domain transistion or object creation. Kernels from 2.6.39 with Policy versions from 25 also support the 'name transition rule' extension. See the [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) -section for more details. Note than an `allow` rule must be used to authorise +section for more details. Note than an *allow* rule must be used to authorise the transition. **The statement definitions are:** @@ -486,59 +390,46 @@ however, this is only appropriate for the file classes: **Where:** - - - - - - - - - - - - - - - - - - - - - - - -
type_transitionThe type_transition rule keyword.

source_type

-

target_type

One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.

-

Entries can be excluded from the list by using the negative operator '-'.

classOne or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.
default_typeA single type or typealias identifier that will become the default process type for a domain transition or the type for object transitions.
object_nameFor the 'name transition' rule this is matched against the objects name (i.e. the last component of a path). If object_name exactly matches the object name, then use default_type for the type.
+*type_transition* + +The *type_transition* rule keyword. + +*source_type* +*target_type* + +One or more source / target *type*, *typealias* or *attribute* identifiers. +Multiple entries consist of a space separated list enclosed in braces '{}'. +Entries can be excluded from the list by using the negative operator '-'. + +*class* + +One or more object classes. Multiple entries consist of a space separated list +enclosed in braces '{}'. + +*default_type* + +A single *type* or *typealias* identifier that will become the default process +*type* for a domain transition or the *type* for object transitions. + +*object_name* + +For the 'name transition' rule this is matched against the objects name +(i.e. the last component of a path). If *object_name* exactly matches the +object name, then use *default_type* for the *type*. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
YesYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | **Example - Domain Transition:** @@ -607,14 +498,12 @@ type_transition unconfined_t etc_t : file system_conf_t eric; # an exact strcmp) it should be labeled system_conf_t. ``` -
+## *type_change* -## `type_change` - -The `type_change` rule specifies a default `type` when relabeling an +The *type_change* rule specifies a default *type* when relabeling an existing object. For example userspace SELinux-aware applications would -use ***security_compute_relabel**(3)* and `type_change` rules in -policy to determine the new context to be applied. Note that an `allow` +use ***security_compute_relabel**(3)* and *type_change* rules in +policy to determine the new context to be applied. Note that an *allow* rule must be used to authorise access. See the [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) section for more details. @@ -625,55 +514,38 @@ section for more details. **Where:** - - - - - - - - - - - - - - - - - - - -
type_changeThe type_change rule keyword.

source_type

-

target_type

One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.

-

Entries can be excluded from the list by using the negative operator '-'.

classOne or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.
change_typeA single type or typealias identifier that will become the new type.
+*type_change* + +The *type_change* rule keyword. + +*source_type* +*target_type* + +One or more source / target *type*, *typealias* or *attribute* identifiers. +Multiple entries consist of a space separated list enclosed in braces '{}'. +Entries can be excluded from the list by using the negative operator '-'. + +*class* + +One or more object classes. Multiple entries consist of a space separated list +enclosed in braces '{}'. + +*change_type* +A single *type* or *typealias* identifier that will become the new *type*. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
YesYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | **Examples:** @@ -694,15 +566,13 @@ type_change auditadm_t sysadm_devpts_t:chr_file auditadm_devpts_t; type_change staff_t server_ptynode:chr_file staff_devpts_t; ``` -
- -## `type_member` +## *type_member* -The `type_member` rule specifies a default type when creating a +The *type_member* rule specifies a default type when creating a polyinstantiated object. For example a userspace SELinux-aware application would use ***avc_compute_member**(3)* or -***security_compute_member**(3)* with `type_member` rules in policy -to determine the context to be applied. Note that an `allow` rule must +***security_compute_member**(3)* with *type_member* rules in policy +to determine the context to be applied. Note that an *allow* rule must be used to authorise access. See the [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) section for more details. @@ -713,55 +583,40 @@ section for more details. **Where:** - - - - - - - - - - - - - - - - - - - -
type_memberThe type_member rule keyword.

source_type

-

target_type

One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.

-

Entries can be excluded from the list by using the negative operator '-'.

classOne or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.
member_typeA single type or typealias identifier that will become the polyinstantiated type.
+*type_member* + +The *type_member* rule keyword. + +*source_type* +*target_type* + +One or more source / target *type*, *typealias* or *attribute* identifiers. +Multiple entries consist of a space separated list enclosed in braces '{}'. +Entries can be excluded from the list by using the negative operator '-'. + +*class* + +One or more object classes. Multiple entries consist of a space separated list +enclosed in braces '{}'. + +*member_type* + +A single *type* or *typealias* identifier that will become the polyinstantiated +*type*. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
YesYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | **Example:** @@ -774,9 +629,6 @@ section for more details. type_member sysadm_t user_home_dir_t:dir user_home_dir_t; ``` - -
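Review bot: in the type_member "Where:" block the two added lines `+*source_type*` and `+*target_type*` sit on adjacent lines with no blank line or hard break between them, so GitHub Markdown will soft-wrap them into a single rendered line reading "source_type target_type", whereas the removed HTML table kept them in separate rows. Put a blank line between them, or end the first line with a backslash or two trailing spaces, so each identifier renders on its own line, and check the other converted "Where:" blocks in this series for the same pattern.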
- --- From patchwork Tue Aug 4 01:34:27 2020 X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699389 Subject: [RFC,selinux-notebook PATCH 11/18] postgresql: update PostgreSQL SELinux Support section From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:34:27 -0400 Message-ID: <159650486774.8961.2667775016658143771.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> User-Agent: StGit/0.23 X-Mailing-List: selinux@vger.kernel.org
From: Richard Haines Removed image 24 and replaced with a table, also reformatted to use only markdown. Added a section index to see if useful. Signed-off-by: Richard Haines
Signed-off-by: Paul Moore --- src/images/24-database-table.png | Bin src/postgresql.md | 141 +++++++++++++++----------------- 2 files changed, 57 insertions(+), 84 deletions(-) delete mode 100644 src/images/24-database-table.png
diff --git a/src/images/24-database-table.png b/src/images/24-database-table.png deleted file mode 100644 index f1d81fcb0c6852be8d252c7fd94a1445b38f3b34..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 44747 zcmaHT1yq&Mwl3XBhjb$i(w$0!AQI9o(jgrpUD74pNFy!X(k0TJ(#=Ndt?h|>&K>W) z;TQ<=@4f$6YtFBxVXstVG0{lSU|?V{<>h45VPN3pU|?WBq9B2-*<-5#tz3kH=2N z&V0S?exXw8dN9UQTuMFx%e*K)C$~k%5aGkxDOOfHiZBjG8e69&Mi$=De7&a#VgXdc zR41t0+$a=Y2VA$y&SRp7!U?*OkxE~9m~ODv?%ft_`ENTEIa(6}<0ZjWu8vD%MFo_s zj_G(E*2PyfdeF5M#5MDd(y85QGfbFSakhxu?3GrM7%B@LHE!SvPH4a5Os&1yPHUdl zGF&oSSnUj0@_W2Bbi10fY+kT$U%JSRdCG0kn8c?0U73IBr|1J@W57+ipwnzJFIw!& z-4&|u`3OIwab^|a%{hq^l4QU@exXu^*<@*D+n%PbE${78sTPM@HzvP^7&Wq?-+f(F zl)lg9^l6Sl_7rQ&N!OLvPKH}O37^BNgd2F&Z)eSu^|!%?XPv|`V^``}W=y-(c;DS$ zuechphn`EJv*9DpgbEGNWl6^H27F9rOORaUM)Ahm$2N=7YQy-XZi)RO4-x zcVW13#aF zU(8`+az@uId+yWs8~WauH}sKM(>?lIv$tNT^MeJhg@$E3XgtC@qxA4PfcVLuyYsOn zlL$5o;~WeVPN&!xgpNdp-qoa>MiNd-y7sMGntF~eZto8pR_49chr+girQwPyK5GyWGLAsg~yqxmzf4WMQ}ut^j0P@ zMuPpjjBJ*FP@#Z31^sdD+%n7OO5rfmD?Ex9$N&u3D2Fkm1fFxYF3B+jEx7u z7W}Ou^gAE&%0S!u8#w8OUS)T^TdoO`KE+Nt76R z>*y%WuzSc;V#?58n|LF2f{l(#c9Sf)okDwah#Vqa@O>5(hj@AARHQWdU0LzRyBgug zyYs_G(d$K1Aq>w5`}K;}tGCzd5ggxfXkX606$uXfbMgE2%}ZV*@OL5QL`yFF$pO#! 
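Review bot: the deletion of src/images/24-database-table.png should be paired with a check that no other page still embeds it; the diffstat lists only src/postgresql.md as the markdown file touched, so a stray `![...](images/24-database-table.png)` reference elsewhere under src/ would become a broken image once this lands. A quick `grep -rn 24-database-table src/` before applying is enough to confirm.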
z{=03l2Z-rH_-j^7zWDXEEZh1yhMPlk?5FG8y_ObCscy?2-1I`8O%wYiao4&4KxI`4&ksW%tzYae>js+pYrRlLMmNyis*gr@19kY-JQh?U5&ZyP|qZWaiTo zHL+p_UYG=VOc--@c$ieW9F1-0KYZcd?-1#Smpl8G*0#Wcba{hBRYGd5t-hxS)G=~YZ4iT zX;-Ay$A?>n_V5Ds=P1yB;F})E{w|aH6Xux?16%9GWWCLG6#sHDZrgF&?c3YK&L?E0 zrrOUJTfN+LTm0_>!B*<6FEr|Ya?VrPdi7<_yaNGdAB9u7?>))zw8T4E_5`fuHWt^D zik344FA9c*ls=0$SUp$2r7FJfF?)$E==t5U+%|y_+t1bJiZS6vCRo8gHWO zl39B)&bPGWwqmCtS1{|vB?46bd>BV!h=o@qdzFY%gYo!SI5vdVH~C^ zwnCB|crO2wB1zsiB>fr3tN~h7A%lmm6l>;1^OWch(Ume!U&tEr%=Zub3dUOs0YB() zedcSee$92bsva-5Dj!t|CG>_$AS3>GmL<=+i*+bA{@VzLmL~zM?^yY@Ns}@o4{s!Y zLzf?(@1w`43?saeczM9B@KkY;>g}=lp)0G&eak5qTlkFoRP4q=_%fze z7tFOf7Xu!u9s}=-J-T?3Z~7-?r#09LPKTq_8041?g#pjH!+4J885-T>l;aN z?MQh+UCNO8VMd?-CW>msv7dYi^!Sv(!>aBl4EE!7yKNy(Y?$e2(G;Tdk)p7KO2jGj z20!%hx5uO7$Fg}$!$2Jb`wiUPNC_eu_Bm~eQ+LVFxChp;lyzh8k&uhJma82qAU%#B z1p-Q>1AgQes>J`GQ*dWGbn((2l6@VST0bi^0~*oRXMuH;Tji-+P`!0)-jc`LDbvKi zrw#bXC6TpT{eeA8QUXcx1Gp#V4Cdv6I-_~ck|7_}@E9OTU>*0Y;{WQ@HjjA9>#F3$ zPK!TG%>B0OfIGF<`L1LE`*ZdCu+bm>$Q17g*&UgmPCeuP`l`$8Tl!8EW#L>GI@{|{ z;{54cg>yqMyjel(QL|9jf9|sTiqyQnq1n*usMCq-X+swpOXF)*(P?tOyVIi#x8>@` z-fX23>h54nMc0F+&R?8|IXQMFiZ zKV+_%=&7|A)1a!sktn|~d1D;%gxsc-oKFze3y#&KJ2=Wvddt?=b5>k_ChUXO>4l3; zH+Pi7qq(=31#2s2#v4tYUYn174D^DQr@cg#_(d^Os^Uw8Stsmiw)Lq?A-5j0+iPyv zn*m!&Wy0r1Xx#O7l=D|}Mgf>{mO=H3rox5T3(qedM|(keGhfm?DF3GVBkjWG2hW#q zp7%eC1%B9wL8NwOntBm`5nb@0y`e#2G4yWZM>}9~4Q=pA*q@^?r1D4xos>`L&#@-i zGne)%TuHq!s@isZF_tocwPU?8y3wZ3o%IWL)+<)OCtq3d5PZ#v)$DjL_4PP8$a`$q zt&B^(lHhmi^>WP-ny{?(`bU`kr4*e?CT(vcjYvD?xBJH)dtZxe5ZDZp^EDjTb#mTZ z#JKBzEP6G=OcV(-3i{v`6VVefh!MZj<`02J1)|oruQTDbi%vs{W={(65ee_?g1i$^ zoCpqL)O(p$Y9^U+G>UNj`Rz5+0zI`!a-Q^I`@Ng#L98tbJxYc1}8Ps;qP%2AZ! 
z%NYPiz1cSByzb@wSn%Ya#OI_FIdRmOf}s{SlD)GEW1P zq9Eb6+RirO`d7+)iX4Ws~6)u3rURJ>u-9jhP-; znf|<8e75tm-?Ix66bSxu`BP=UF_r%^=0tKy} z;$&3#xHf$AxMoU4Sf`iXw+wCPUS!!Y;QA&eX*9)UTl85>PtdLNlQssYE?Vm$E%829e01Dwi&+>*a(P* zOmN;@pY9|m(tr9^EXSDcAa#~DjL3{r)xm{?OdX>c_7UTPukN_{SnT$SAQ*16KP#Ew zSc9%*`S#>|42IC&Gvir#oM+9i2T|!_83}s0N@Uyi`>QM1WBcxvke6L}nlvY4*S><2 zlc`c@%LUfE(t!#Hr>;>aVr#-QT;9Ibs|1{{_YMoaOlk^4$X!!>KBB>ijpkRYT0XM+ zsR*ilrK!f%L5YoWn6NDf-_&A3r$);|oqNl0@pZ%-=W*_QQ|q(4cxf5$g|i~H&UWnN zo$JQa-mIOhQ_#j!kB}C*DZ+^gBniF}qM$ckn?__HVj+@g-)Fu|^2l$*mDHZQ;2pw4R$@^8CC1|?*+Fs z!m|J4^{8R1Sz9|{F=W_nHL8r!W0kcK$PM-5(L<|uOPBLtlmdbLxtx@lEclWDGeSF! zyGyqFWY>}SRgQ3=&RUAqRN)pcXI!CN9^+*1R_5%9slof!%U`7~D!Z-3twDBp*3;T? z+-5(p(PfJ~*25SV0iQ7TZJ*FNQBopC^BGEF>(kF{c zaSi}=zdD6nhtJG!(U#*@b0&3?scQR+f37 zkuz7wv0caT2!KQ@%G8`cwN?Uwn5J#45ZB%HVH4V$esqQ;O;bJ3Ne7?uUwtMq=eDw$A zd6PwAhAtfpJ(Xe_0(q`Plwz4z@e26rM2RSSdAO1}3JAvZUFsao&el@eT&D)lO?pB% zwUfdzOXMyC-AcPqCV*xTCkMmPDH1~F6lz;@qD!|Pd9`-HX+Go{xss&+xeCGRmyTr} zwR;i_R1Zl~zqvM=CF@-ov;TAMlOrn>Z=eKUYrF6(i2;_@hn1d0%)7CGJkM$EG^NTU z*a}^T8K;j4ER)xGmKy7Z(;&O+P!FP6kzu8P{jTVITmTMmP?-*51%jD@dHze$bZ+U5}B$ z%|-azk2PWgpTX|RsmBEtQ~&$0kIZq{^x1-aoPpT9c})!n%z?#Xd-H$$!XS#xn&|C8 z&4Ax9ktw=ff;hM>2owaIkyt>=X*+y!S+#LqGbYAO8$;pu zvIJiVR+G=lx!&*cK*E1w%g2A> zT}v_j?6~6h*b11~O^IAoEt(FqQ>$znghx{&cF(_Ybvoe>b6L}JUfcTXtp9n)=4!Eg z3pU)>v!>C#onP^tP*eLF9XA$1$0I~etE43hNkm(W4;+o69(wgBh{#|U=?NJzvSsi@ z573K5pHvX~J>EAoshpB|pLE)7{)p{-`sQ?}hcRhmp3 z3S1U4a#NYeHTApA+V|6g+hj?4PVzGVNPtFsOmC+w5=piul-ZjV!O_-;Ipjnhl-Qfe zde)fFyneKJK=LS zz&KFX!O0iILlFjFK`!J{tZP%<8&}nMay~rnCDgOy?w-UbvI7>hD>_?k%p0Cbv6&O0 zJg-gBnCN^)-|VjNOv0=`*{sa!Vpf|()-++?B9x~xp#Gk%lfr2p8_>TF%!7|t)Z`i4`v^=m9f){WHQ0nF>UTClf2 zr&fxDt2w7m88cCj3p3n~g6etKD~}H|K-aN9%8yqmabfRCTjHC4M|%zKJ+kGU@Y8|1 zoH=&ZCnG?Btx!(myUMzu&vb@LggcyM(3dejz8Fz^!Hff%Nf8@zE{)pPqtLtSZ`kZs+&VEiSPHRzE`UoB0!2^nRV+9=A8M>wlje z{po<%F~res!-CuwO=7vbymGCiQcQpPz8i#&Vpy;CI709|0sK%Z}NdiG5RvU z0!YCct<+KHW8y0>N5X?7{g0NK`#V#g^1O>_Uj2l=zWNe5?^BaYtH~_j1~$To7F{O3 
z4>y+lGkVT%gmwVQtMX5D0?TAFf$4ReC=b5a)kW1$F^orWbMzPLZR3rXfK1BUBt}GB z+`b;pQeyMsM|h=7N~wuG)@@K%t57B&cXJ8eFAt^iuGW0XhCPj=c7gWv4M*_mX)oue z5Jt4!naZrg&a)oUqed*Rui@1{@QThASjx>DjX4rlG;uS#$35rAz1^R9g{LIvcDe(| zxCFFDyER{U3!o*&OMWJ9*E#M)rgYJ@txJq@-TtJ2uqL>r9tKVtx0zAiW>}`0>GOyu zfXju4ipCJ41)Fqdpzt;tw0i2mu6P}{+HzCn8EYgx+}|=@Z=@gAFN^|&=41D8v(q5u z^mu>0UbM*1*O=JQrLYg=#uKH*uhe zkp2;v$*LLQTbONjpj>@Q;Ww%xd}xOB%AI{d_#Nx4UT7AhE8-N)1WZp9+*p4-MHF85 zB>?@YZ|GhU-}B*6T4s&*Z2Ww!TJ8d%DIwPx8)4YKF&wVktCOcsEs81CpMW0hJjonp z&((d4Phz5vOPe;KuW~_=K`7J@A$(V;YUltNzy&cxa6L`hZpz`i0XB=?{;%>4BQ+Y0*!QsQ zxar5>llbS-@O2X|y%JKy!w0@mGDX#%mzZW~;)gJ+vpMwO$j&Yjvfw=Y+2=?@uyCq- z5kY7X7(1Zgje8@iV1+*)-J|}MrLtwxw(Vv+5iGPF$wnHfpHE8U>LkiSyTERwL@qc| zJNtVelfB1J)whKi$Ypm%(QzxSEDF)g>Uffg#Xto3SCb|&doh`re+GZer~PtJw(YL# z4-UJ*S?pH&U)bHE_0lVD&`UM0-`<&OIfz;Pt?!Mcnk2Eeu{Fl(WN-Tno~p>H#=syW!TYPnQ80?Hg9K=%7@%ej9K2Sxl1{3Sjzo zDA8c}sADxEV=B<2gfz<4Po`O%1(150st05(Wa--wyEVJEh!qs4t_4f9OMRS%qX>?3 zyzDZ&YB?XZHf~~8JFtlq%u@Ha6)q%C>F(+ye+^@m_zsAXeErE0wF;ZI>yD}n+tMqq zC?;c&P&wZYyqhC+RQqHvyJHHR)3LEt{;sPgz@;o5C2SYsQxogH5 z0MFmG3_R#>qEVM&;gJw5@sZ%ed<)>cV!e$|Ax-pXGhvLG+P}4x4yvPD)eAnMzDL^z zh|QWHtUy$etxm)H?Xm*CmP_>Y#~=4y`h9CRvkQ4SQg5pbt$~)KI(mKwdbcKyu-lQ% z=yD3txkd5-3jlp^hA$*wu}*Qf;}qGy;v2A*6{94hkBHqKbWRN7m&jQ448^{Ob3_!E zZ|f!04GiIq)eNJuiDdu2o4e`e-exGZnf#iqX88FPx$FMq%dhu8$_y#q01ks0IBx)X zTcYq&lYH8v3FI+|OB1QPoS>rn` z;AU>hZ?%1Tqv(W4`%`~gCYMI5Qip$)S^YqI5Ho{+kzJM;ddI}WM8?ii0!qg;)ltLk zr{mlErnelFM`Pl<*#TYMZ;tklcN*s5_h*VRVgM9kDoT&LyXrILoct6=K_M&ki_oB? z?^uUCoarJ6@Xlt#iaQLo7w?UX3W^H@mwH~whe$0c#eN3Y-SN#2V^3d&eeiqy&=J&kV z-4x&cA;o$6V$Gz053yGZpBY=9o6yB|@8^J~UP%8CfqlcMUq8B6w*tb0h`l&RQlZ!) 
zztU;N_I!yELOK!?AKPKXsJR<+N6Vs&|XtKtb~6r2O5@a-fz{#mRSx zf5;erN!?_JKYX_XP7WwUHal4I%=!g) z;Ki^0U6cQ^zW;@LZp52JbWy1Tu|I@*x=Nu?55l3+fuGF%5#q3=Lce7TB3-uu>Mfv$ zLLFHAI-eRG`V5^eMkam>IKa<~IGXe%iMoVyaikKEQ0XQ%A%FHOmjI45UtWMjNxXgk zwP3L@&2A5>L0lg-AAia2Y_i)K%~%5bWBVWVeKinmN7FseZth#b%|_Umu@>UaX=mCZ z5N)@hA%pYaE67H4^O)Ez>*q{tWkTqO%=%m}Em>E#TC}%v07|zuK;8-eP8=-$yk^LH zgmQ6y20SojqXj=KyvvJHAM=0$AmQT{)Asusz7=n0H{f?H*e@oos~MnB`_p})iWWJO zJ6qt`l??3weJ7R-Ak&?L1+V$Yu{i*19z{e-^!(70|vDhvL**aIs5}(~S-3HzzlVEE$TO;0$(xpOEiCvkVR6Qs_Fw zrF5xN`wI>BF7?GMbTNDWodL+rz!hx-J?58fRVPxtjQi4unL1Ndv77wzE|aZaps%k# z5!$74n|MJqS50K#-dSEVDm37uo#eghkIZmw%1exQI`W0r8Qjx)Xxqz;mFyY5U8Y^}F9iS@W$HpuIH!lGhB7`XV_9 zJRH?dsVKI2JdBAy+6-kEsb(E*XSf+OGr|q5P_7H~j;$|?Y+SGS@#i#wY=w5-%Z)y# zeLboZkkBYr_}z0aH{=hGJpU*#3cz@28jn?+uIKLpTMq%2GZ^EZb6wzWkz@(1P>)XW zxQCd27VHy35cBC8?JP((cpt$CNaujevp&a%e->ohASh99+LS~z zHC|IIhz#Ln7#GD-nob#~xy^N!7q31kN&ZB~iPfB=P z203Rza>Mp*;4x2+;}zy}7r-gnHop1Sk9bj~j8ja?c~z3T&UUs`+u{{Z2t~hi7t%-M=AH+!EvH1K^FnCX0iOfIoU6~w<3{z5G$g$otpZ92`%pA=J&vh*h zjCn~)2eivmUII49&6bL^ZE%;aufIlQ^%LJOtJZvdZPIVjx*$6VRZGMunnaj z#{i&SWhJ`tuXxuifVW)&?z=I|Ov(kliuM-^)o4SVzLI>9_z@4A0;R$@Y6}Qd8|)w} zbP~&V8pU~bEvX%Nd~h8J*_su@6cH%}hLFd`u8zl6BAbZbNyl;w2=*|@Gj0ooV*Nfg zj-xOwT;oDuN@|tQqm~Y)JKj5-tKJmxwagMbP|KO>621`#z8Q^szibU8f~sjV z4rjJcPF;bh^$6+HdVrkOEhWETMWKuK<4+oUJR9Pu=OODPE*yDZTAq|{7^+R&JM=AL z4aBNk@Bdsz1hC-P!Jg>i+%<$u`>vHVJ1{lb4|m_@v*BS4!7Fw#i6`{x+BNlF?oQAO z5-wW;8Na3+`=>LZaXy=E^i)xb`TknXy7_+Q$u19U7gm#=htF5t>M$ zc7aCMHuY595Be$nYB|rCytT04sAh!EpP;BAlt!DT9Cvt~s05xLk`h!DtmSlfl+?T; zJ?l9}YN0G8bS_Z-5Snamxdzlchr{{08pwn(dh%UJOi~W4P9U}}YzybvZI8R(6^BPx z!6xvv<9$PD~bTOUe^8T?ii21(NF$G7Rs&En0)Fz_3z|Re@i;Kn% z4z{D&>O7wiI9RrhfI^syUmYvRBd{&Euo}M6hEDrqmpkrfq6?JgqHOIVzaFopZQm(p zzS2GIMumDeJ|YLvr$e6IYeFZ|mJed5!nXzA#SYgEzWb@P33z%7-FU%@>Yn@#w1Bg* z*@8#8fuw{)#aQLH)~Hfa&TxJUxH8e!LyB--3;nrHhA- zefsTyl`2xCDG(>0_lGYj3}kCMh-9Jm7XNMB;gDG|dC;|Fvn167#Ea#?N^xQ1V&J=t z=x65^8_`4PQ@7gTG5^vcfty<|uwPcQPNf#YS=P_Uus`X_rd#Pn7ZZprm4NsL0XP0< zqc$M`WeUn|Ydg$vVb!jhw*ZG>7X4VT<(F9 
z$03N=*$#b}BmLA)+I~Y6u?-SoscZ}80nE3GvnfAb>hh(3^CpbI7QZ_Qu$8+9&CPb$ z(;tyg?kdEAE$PQxcEpD#d=m9`OW&R7XtZ&U_(#8O`hfS~LZ=i7QU3OLf9y9h5AT%` zs>MFLJ71(qxe(p;&6Lj)+H~t}(%m+EbP)UW*l+V@S1tg6n60zfGnap^I1P$}N)1Ja zSZTD_pC6O&fxXDxK*mbn2HM2|dF!R4kt%@|txOY*Ki%MytHi474L}s#fR|gtNpf0? zS>~I^?3-QX**WTAZ`COsFtUtyM*Vq&ZKM+LaDfj&%zN4>@n$zKTE&~dcse!F7-BGI+psiDghAL?O%mmWvW?e8P3C>UnK|}+C6-op zUfulebhXkPbUHU6#j1>sgt%3Ae6#RoGtPj3u2z+3p)F*AOIEsoB?igX$+=1jRz$R; z(Qe}FCv%>4KF!$h!LCM&N^~T%g!RwLkDkJIcT;+}b(RxOdL7@UJz{YRCl;l>6nrky zRy{xbd>0gz#R_>Z&H3h!W@ZDvTEWOqRHVi{9`jdYF>BH35Ui-_) zUK2osE2HueSmrjPf;+X4s-L3lq*nQfTu{m!1rv z|D7P|Ezo;yJRqVtsbe>`_u@|CW+ym8)&zJHcSjIfnsStW>KyU@{?t1Y#I+<{JF6QN zvFcew>&+grWeh=}TWIs9_E=xLE!{>0f4lY;VYe~2gt#WL1xTFtCU#GHLQkD!Y5-C>m<@;h%i zev)S-_K&`c@cdYdW6}X+g~szW>uyEVmQB2nt$8jh53~cyv;5wtYoT}o*%J)+H-UB{ z>kz0v^JY+6k8e_r#q^XnXpsBZVSqk4WgKB$DdpJPV{G8m$02HMMRaISM%5eO8d>7; z*t6T#b%9%vycVyb#DiYu&5Xnr83&u%iI<68-6H0^MeRjIR4K1E7MkDs3uJ7ZrN5l_ zF8VUK2d!C``-Wh87XdMOzzqRB-4d(T?$j9} zEUd4UQ+n{lPtms1(`(eFf{?BscvnBBG6^uI+~KSM?b=;cL+%Sw zf+k;ybkbQQ-!}EAZimy$k-K5{42~*d3R_rV*C#_=bENQA4-rmF(U>^^Q(2vfU&U_59@9=> z$4cO0!nxkm>>x*AWa^1UL9lEthF^SH$@fkeq{KbOIUZF#H%z$nt&XOP_NELA4n>H2 zhdmw|(uFeVO=9fWfoErgS%)Tfo|X`;ej^|9PzhyIi9tIM#rvzHQn0zaF{9Zbe1RsfrIFc0N zh@-DRo_axpr~_Ps#f-z(wRfI?x+}w|8Bovo&_$ln`s3r=+RC2~;8rFKZb=tmJ8r>1 z&z4S(g>;%)(W64KUGCJYAR~(fGlJe%ljPJZ=!W9q2^1liu(8ef$oSI53`Xvu(W))? 
zY)1~F-n_uw`t)D$9T0d0q>cNW-xNUR0D{K9DE?EU6_p4=wsj+F8C3At%u#Q}{tgq2 zOCryy+wlpsoei?oAKXISgxWD$GG;TZ5sNh2?fNBG-37z0Jw9*75rBs4{WhT^3^V#} z8N$HLw|&GXB}T@g&~s=KBc-jukX^?$1wu)6R3`PojxjH(*B3O=QlTnAZkJd!yjdF| zAUp{)E;A)RmlP3*E=LdIg9{jxaRtkA&JireCSU=~lqtFM%^Ja9AJmL77&iu>M0?GW z%FvsM&p_=VV{O}PoU^E(AmwEH3%LrrGn1}Oahj^uensrmx)w0k?;#YPKYRiEpINg) z)fPB8#h_L>%`Dv$STfz<@G5`zQ64_&-FfGp#4Z}GHw7k^CU#Z08hgU))Lkf0v&`Ur zlltQ`LfkXqckU;!GWNvW3fhg?Yl5decuOa1-Q|pm-2uF?to$%h@S-Ci$2H>v<^bxS z#v%n_MvRG^M+yVu?ofo)=#~H6u3UgbP&WyDp--^`7sm9B!j}SAG*V=e%nJSHFQ|;e zbkH%8BS7hS(BW;wdQS}i6ACDOL_Y0e#oZ3(RPAY6OnXV7h~%DBFww<|`Mb-@*tR3> z)gFkI+-@ZsF1{qS-E8}_SK1@YmR4ltEvMD~8$SZw#%1eiK53?-^bqcrgkU1-WS_2- zTIw@4fT&n=XiiXbU{9k^I1%E15ihz-DLckU(g#7lq;gwo{-Nw@QSnRbzzf8Baa&1b|Fp@9H`k1TSNV+%9K%TJ zk7aN%BahgnUrw-k;!GG$Hz0j85$oW>?ZMj03kn}nU^t#awzL=UKmYveokQ`afMtMW z0Mgtw8cUhc3eQVm?>Rh=Z2_}E-+_|V?F-M+EafMfKGa6&OrW>WmhCnoixNF3<0wZJ z_BP1TrLWU}B=Uk`4o7utD%$5(+0Eu92-!jPG+>gLZk%HHkL%`Zkz`?=9({Pk2p#*I zKmc;|x`EdrFH}$Y4h+r(i>_`g@x@>#lXVDO8e!}HrGW2pB*v}Koti48-3g?74tLNrkH8Xp_SLi-4;sXGH(WN z&=N5dqli)I)Jh>p$Y5_96QomPD#g6|i0TER3L|1qH!f$f;rnjB^4J90%v9)4?gs8~ zR}Wi=j~XxDPbzZM4Vb#_0D0-=&1kZ{oukS*YmN9(d^3`Jv`P@&eh;w=(sD7WXwmu+f|~{L=!p-` z|FHkdV#j88JcqBnQ{}OC->NETjWaJ$PAT`5cs3+gd=2IOlSBs+k0KuLu_`yv8e4 zFxavPO@|e@-2rKgu6+aIL2AzB%kK+)V`C7%95@yb^L_J1jyP*}ROhY*A|SfvU`H#a z0#DQzZNN>bN+v$Z66wcPY{T>L_Y@|~I_tIGsRU8udRALq4JjZ-(MXGmG-F>(rkYv8 zWm40HR`%~*f}2NSplSItpHc59!E27{kZacSW-FO7%E#MBnw1pn`T>b8Gn-7~G;rkd zB9Xgx$xzjc#=ztpRQnH2LIgHo^yEq;5OvI?mq1z;!!KVlum2_!Oo7elJ9Hur3|7|e z@0WI3+3?hU^Y07Va!{SW#H_Xfi<1Ffw9g^MAMM~&@k6(~PWwgucdA#M=f|g|<-dSh zOvg%R;~;f%2_IBJG+mUFh{+LoH?EztPm1=xTJ}E_`f!OZSKMWUpl5`MF5(WyTjo^gBwV3M0r6ImaH|y z>o21zGCW5?i0s`btI2%%BQPlD^two;+-Vf_&_lwv@2I^-HwWUEpoMJ)I_<`Q4gGWh zPbnT9s7GS5J)82O0W zzf_6!zms-jAS&`+$`VAi20W;(cJ6?maCHxeSR-hAVwYq*)p#lbonSOa(e(icT1QU= zR$+vHHM<@A*|P_7LeJS02v*J@9pwN<7ULJp;*}TCIa*ee3_PtGfa%%@e3U7kH0Z?8 z-(c38QcXhFV~(8V%LmXq|s2TZu-1D|QS3VZA`3CN#%6QX(n$ArQw% 
zJ}1G*9Cjbw3O`MJdSpsnt>jy55Nj8Tx9^tXPRw5ZTEmKO8VZeXgY5#Jkn~R?T)7Vz zgm8p9W;pyHjM)s<(SpA3%@&yS{LCGY^>7Qd>7P>R#!A|~I2h6`6TZKg zI&>q;s`Va2<2wdnEFo^Kz)Q!;u$8vt=-;_JnO>tj=)=?ny-$bMwF{uAXv9p7B!#zY zmgVZY%IpakTMiN4PBCRwo}3i48Lzfz1B7;{WznC@L-sZJ}XMH*m*N zIp5kfZ4Ixx_+a;^0(<7AL_iaevF4A#Zl5Djupb)X&(=ZB3aau3t7qvWEPUL?GS91K z*TcA~vcPUWE5|-<=5e`TsS#;L>d&fg+bj`{5m0C)+(X=@D^O?`%>c=l43m(hDuhm; z(kJy-OC3qhmQ{73T?rqy3Va^#Xhr(M)?JQ5`)pfu>a6sY&<>4C7G!A$eEg<%F*$TV zdB9#xT#jm*>w+DidM$pCxMkSbYqN~f{bbx7+?z}c8S`&{_%pQaMiEXrq zXIu;1*2W?B=HV{lcuQ@hpVj! zUcJv}vFci7fgQZAsD?2D3u!DTT?zHu?_volleJk=3dE(6xYS%{s6A z%E_d|3IJqBpM{Scz(xAJPp9-gk(_#733lD4nB&|D32v~7M}JD~b=NT-oDEQR>ja=a zP87NDFCLb`Vve*RxuHs_-xz?S7OCDHxy1Z1)QkN&9aHe*<<(m%1u21|wf^aQ&S;{S z7>DjHt}+}%-USOF)DZ9d?&HTG6~Qp+2k`$@!Xhbe-3}Paj}eop#=iuj(s}6aPWN`FmMBaoGHEjX5Vh|GX|-YZ&0f z*89*#Qn8H+A5;bSTpzE93lb({R#JOlB6qojKw712(TowqIL?^{!UM++@A_@e^S?)8W{E zn_Y(Rz2>K&cU0p7e~cNjL&UuyC##Wr-6GmdcO*g1+}Pi{ejt`kKoa1#Ps1~YhLF41 zqV~35e3+EwVTG1^D#ZY;6`n+-`tKeS8k0p#07?H><@~4o_#e&r69Y@kpUZvALK!f8 zBfD_81h~gF$p5|hCKNN~BxM_aJZIJaH%bZ`j3%05_rm2Mvhdt}p-hJvM%C+f2D2zy zXfo~yFcX!7*sV`K0w8tmViHpE9pW|`C&pV~IhJX62RTjbI@9^m$48!)ao@M&Z4@2l z5^-#pR`r!Y*M*n9MfJ;vlks&gvHjzMa8Kgm^PwK7J7t zT?=EN&Vfma#a*prJqs_Xb>}lt;Y00rSuB)o)#m)Z6+ScvNm!k9kt>G=G|D5K^9r_3;%Jn7bVZzDg_I{najw7y0$GA3sgadqQaOf7o>G0e#~Ly#7`$; zR#AS>KAs)6GQaVbnp}rJtwGaCu2e+d$BYFxY_emIcOC|biL3MzYJ!;0pGGjxG^n(h z{Q{P6fWl)FX9mo~F05XI(c|X2UvG!5)=2CXF_aI$6fLJ|_9E&2qQ(VV z!{YNuDX9v}TT_%NP%?+hzYQ{5oJ`gLn>TG@S|vlM3ABxc4@Zl0>z;#5McN!>Y%$9V zV0ccSUIjz}zTNltX~{vdZdt23;0j{{k0Yr^^j+tA%lu4p5o;uuDM-f91_)$3!ud%g zliBqT#IG%-^BaOGKG`!IRK(i1-a3S8BG6}F#LSuYq)#xHkt6!YgUJSf17xC8o zQs<&9p3C4O5LoulN2M)^P&6r;qwpWe=@TQxWTo*=sL2UjWka7wV%cH4p z=0ghC#wdFrWm_E_snBI#=DdR|7jt!x0;aKx9{N4GU-ENpqiW~{(@HnsJEntP@_AF6 zy%Fnp$L-?QtxpSAv%mUk*nUxJlSYfoKc{f~Cq{S4?E71w9mjD-2GgWFNUvEA!UpdczF zry0z2&5>{g$DQHmZm=VrHO8!I2`N(q;$)zntysenuWY4*X(9TZAi^HeHJ@)%ZCxN{ z5?2KgL!qULo@D*f|NC`h-Pwtb)vv*+Wl@G9LFKSTdS&8wijV{y(-%C{31 
zZIN!BD;n&RNAZZ2)OB`C^AAN!A+`OttmHC6l>b-)Cgmc&UwP$y#=D+3?&fsLZ!tR`RI*d!INMMT-ytUSFw3H+6G@3Zc9CF+&sx}1y&u_OqmWvv~T3gcWi zc{kDT9xJ(-Xm6b#Y12ty7zykKCOzMp-UA$?IG-$I*Nbku3!Ar zbAQ?D`t;`5hrE|?WNMNzqV5dx&qrHdmFcSTx=Ins#w?D933gg;}iLxW8=L$>i1|+fw2>+6XF!YV32JldoDPRMG{wPI&|2+rXs5 zFOa9P-nJreeuRjcsKOgV64&*-vCDyecLe^IhUb>v?sUD!_`V4zxZ%1OwJe$b3;&0; zw~p&-+xkXD6p$8>4iQ06P`X1v0SPICpCC$ubc2K_DN<6>DWDRP(%l^@0+K&U6iFon z<&MeT&pFR~&U@eUyq|mj+JbIazqQt!bBu2d!lre`1TsB7zq%J|qkb$|d`4|&4ag+d zd?pw~@OQaoXS;mOu&2pat9+)I@-&d-?`f`EP0JZO`^VE#Z?Unsk0eCH*oZ%oyWO3y z6kXoDNIbx3PpC9DEqF56zW3r4FOZFOk=D2k70!;HA}3(+`tf{M`KVqSZr#(hDiwKB z0=`vYrblW77xkiNA28zhIhMkOjvb>275WoISosAnslxrS9}82`08U+6%@q6iUA7x` zRB`>?=U1CN+#V^811a2BJf*kD`lqE|qN_QVGmNNF;<0=hcJgSWKd;=8*?aiv4L*BB zw)TwWUjde@%k<+^9I^~0|JeaBv(ZZSAi>(mE@=L%fSBYJ3(Gz>`CIhP$!WpwpfBCd zp{ocAYpncyv3l9CDI~pKPBosNefKxuF=y**g>feb>1{gK8^QmZGp9q)MDYCq^moE$ zp5Zco+^{LqRECqzV%KqIp!rYluoMDR)gwf&!f1;1fh3W*rXjB%h)Oj@C>ux+-- zXYnkwAQ0?#816xIpM{Kp+=Zc~LK%ZA5Axm9D-5{+u%Ks$m)< z#-LO)t&i6QP4mli`9KZ>Vxz~ddnA7(YrFy$ckEVOYG`ST<=422S}2~n;OWz{8t-QW z=rs|ziI7dIrejJ>IYLf5HLi$3m-Ic+Ky}sdGZEWr=mD2UV_T^sxwKxlo@*PPcx|R>njsz zGXAF?m;KnLrbS}nRRa(L`XEqtL77ZJzNq>ZH(XITP$}Km>0`EDRpkCFQK$0G?2zP? 
zg_dhg?}8SS!Vy>$ zFK`~?eWTEb_C}Lzb!<&NdSq!=C|V0H%{Y6NV@G3;jg{Nll5kY7^MyUN79bnOM~O26 zEXZr3GeU2fXHfk$Tw+DE1lv>aOHMUWxR+km<<~uEMTC7F;%8{RslZ4NlXvnZ!S;vE?NKD!&x8~Pt95gSR&oS6imvA6iB@I>Ku0M3o+ zF%*7OWYm7gKhT#{ob#GY$IraA3B?fFnH0~BYp$T{&mlY;^0v*LP~VNMgEdTmoJIBL zeU-4b_C1THknr+Kns)rmw=E}pa}ZGRU^M931)~Om!h=Pw8!23lRzF&khM-xHFN|k=!bkj*d>z3hHD>)h-{PTMM!8xTTOh=*%Z#28R*03>>l$rPm}cX`IftY5}@`%{1h+ihG-M>Zh;fS5E%ONqP9@ zcaFA?%CpkFoiI{4?p$8wYH0SRyUCLU{L~rE#4YtV*W91vK1bCs0-l~)H`8wL_ciYv z$dgGKClp*VN@uz(u9(7`{JzUkwP3Gfz*?L_>7XCBoX8v0r6h#q?R!xt?&9V_+u6BF zYZY{gD26dJ^+rLSMkkh#Nsg>XH#k6xC^ODeO4>G5!jk^s8-bTIsW)G&GGkL&qNq~~ z1vH5*Ot@7KxaY-Kq$f5fa^h;PRjb#zhBJKgv^RbEgv>_v!O>*q4buD?kL{Hh@#8bA zyvZfei+bB9my}LdK5GB9^ihCr$)iYcD?~~_vcdj_*TYuTTSIC0gZ=qz0|M>#6)uHs ze#zg}=U>}{ojQ-I4M3b(;@m65wm8k~#MkD})REO{7npp(!t*L;4ZTW@X*o|R&!f|k z9XUf8$SjnAFV(XnopqGN-)ykC+$J=AH|CamKPb$XWstmkzI4CS!KOsX!19-Z$dMi;zGL&-vW&_Xi>TpAGvi_p6AX~tp**JzcE30n0Pp1*KA zDE0kXi=*PYm-4lJZkdqBM}D+eDEV&<7qCjMEJk2O1#J4yo&Aon_v|oB{p79B%h9JD z6zGZ-4ZKw*zcv<3{j&r^O$4sN^38PXM6dh>A#cWmQ(YJVuw{??KGAC3@>tEY?bp@{Q)W%-8S zZ2gQH{E?G=(#GH-d^acZAU-O~&U5{~lEAYG0oE(Op&+6^hLN;_ zUiSIZ)gko)lrFrw0&w zxzYOAeJ1);Avdq%e#E5v2=d+rliQsUz)fvA4v^(A>1c@Eif^k^o?kn4l9Ao7z{Pv& zirM-DkrO=4-=8Y0~NYcpP_ zZjV$pdoiG4qtonwKi#kTQU~AiQjHrVG!QP_6?Bns2zt51Z`}E)}LL?IMe-m zZTYL$Nq1NBLa-09PrCS0##A6 z3WEB?HBS&{Sla|2xY_dM4;IBclpTNb+rbHD>XPYBjdrX{)Vq?Mmb#x zYi}0_=3U3|{KymBcXXNZaz!*kd!Tka7#h9}r2Aryqrd`g?(fng`bnVi)dRStsr#zW zF|A|6Q6R{lzb^CJ>4GtsEna_TX^dDvnH!7Cpsuz7K1eWk2wa)DL7!p+>P|b6aXVlC{GvAcce*U^MRaUT+r3z` z)e=olRX{Df0%r75UaN{327*n#NeUeMwl`%WlNe>WPoytd@MPTUnWY}awc;%IA-Ska z2qB>XJyvT5C>|k78NqSDZ)@W>8q+vql7fl#B#hdKMId=o1QR|o& zJ^=M5UUpa=Ow)mARM$a2eM2?gsCgBP?Gt~OSnhE4=kY1-Xoq3SxgyVqpWQPj?yIP&e;d)`n{5~HD%?JTZD4* zDU-j1Rs-*`T>dgZ9*IYu!)gW48nwFZeX7jY`Z{jiAAblIsh6)c5$TGykhtt~tA1@+ z4a>5XZedl6Qtj3z*d)V>;=WrsB70@rbKjFKj+!N9@i^hjn9#UVe!R(~lg3>ABTJj~ zCu}Z~|Cn5+NIsgElQYro>O^jc0R?j{&Be>SIi(;8iTCkEcV>u}<2y!!(~JDRPuh0N zp~$Nk%hR7TfiH0Dj0}Ym4uF6vTB3u(ug)^B=HT5vk^*5Le7j7Pcar-EWA>qXEmKZ7 
zbzb(){90P=>1nXBmPgMy`Yn1?W8M#FC(m3y$gA?)j?k0ZE8X!+ergDsMT1{vT>ZOi zODU_;A3GDt6=-*+huN~@1bdXze>9Svvbj9awR@e7ryk2%$Gv^>=JU&h_u~TerKHV0 z$wJzgbGu*7Ft%S6t~FF`)S%;i|D@~s;}$|8DfPb0Pc&O=JHH`0@)qGNomrB7z)gjK za-SKBfR_#@rvfLrK4CvCqLRsgHh{Fsb=5|m2Q{lVsm>pldLT#^fIGVvO(;l};!o|H zi>D{g>({25)#Zp7`lg3*5 zyEIY);)p(ZW@(l>x3z^Qs%H84Gur|cR>{1@b3kY4OY~{a)Qszmn6^5 z#d@PPlKHzX11fFR+|sWK#rvwUC$_+;?tCG?G;&w4X`9?TuVz+k+~&j8S#9F^8yt`; zBekbM8%8IZT;@VJUA(?kbz|;rT4IN0FLIh zAIfu%Y^nZoq4r)H*G-CDQd; z6=Y6ATXd3cg{_@rCl=&P&Pbp>AWej3E9h~+0#G2YskT71a^n}7prp+2AKF>Gt4BTH zV7@j29?yjR>yF1)4E%5K`7!HQjClG>gR3NRjr+ozFCW{R!ufvNxt$maFb8kpG(t%B zz6ZKX3hLJ>B9rA__8=D5oZh0K{#&BMc}njN-V5g`M-k%Y$2&S6A^VIx>+0dv{L4!J zKM12VkEM&93bAVQ5Z`F*^Im?r`%Qkte6-wl3XGMz1vEbcyRIxDSvj?^NU<)9_9eu@ zSxXzc9-xjmK#cFLEpc-@GE6P7fL^iMumHeZG4ab1&`n?0}2*^rEUoP2vvrg|Hk zxhB*vEB`=`Q5KpA^j4~Mf$^qM!U@_C%#fRV1xvpqxIgn}3>KvmY1AdY3x4jQYZs~0 zrvgKMvI08iJI0zlB4vOLx*yaq(YHe>M zh}haJ+-_o8rrq^}=0@N|H$LfsT=!Arulj6}lRS=`8>XO(3{J@8*PMivr$E$v?uMP- zG2T2`qbJ|_Y`J#P$vSzlRpc|<%FHY#JF2BwecFB){Wp<}%dkzwCOUUY3 zotT(pWW1;3$jNGauo}ITZTPmCa7$9$ueP%4?n~aXV}gUwW*|*=frRSCWJ|akvT)oi zIOi32-|Q)0s#a!kdhtnk`VUUkD|3<5YZ1`Q2om17oOZOhGlGx=$P3M{yZ!|I?Ij!q zsgDUeq@WA#T>GKALzqG>qj$%5%7dawId^TByw3Jk6CS=??h!#+!79kS&9cr2NmVo= zSZ-Y>F;#Mt3jKKI8MoGw+iT6y9h#WX184xh5}&83?q0fk7zX`0iTSL=B+A@mV4k7% z;DNr@IFZV%C(giw&+aBu>gtOHQYP^aJQdSVw$Q2PjLhFWQzZTM!2ejE_zqt3Wl)T> zl*5<0{V|~d6>ZlUVo%JfT#A$8sBmVM@vgCcLOhF_tZE2BoBd4KYR*ZY`OYH&=JKdAI$FT z)Sge-aR)_UQF!}y9VGoK?uEUr2bIL3KkySLY6?~2{w2j0aG>TpNLdwkavUfq8FTQg(%%`4gZ>!R)sbdx zpXC2m;zsnBK9aOZTu3;5w)f*@2x+JiKjKG-n5&=rBR_ElzPJ+&t^d5-%n{6X_%qz# zv7F~|2znbBpd$>ADk?3);vkMY`;XCWTsv@&oh7-k{MF}xar;6pcGKt+{x}QKz>fe> ztgV0ecJ(L0Ch5$;Ko?%KJ%Iv}?SgM+@N9?S7)z7b6G80*R*M3>rb&n8uMKbC7`|$w zOkt^(PJ2Q8;~newhniAD8wIQ}B$s&~4#8ddUxl;(RzUvqSOF|fsHOLYT+oKX_uvk> zQ;(g%aor{hNQL!>Yy$Q4V)zG0D*N;AWR8E@1OC0F{of&fvYSA2v>71EHu?QNK&-)k zsc;qL|2MH8|F=KgNY-q#9mNR~-jjas{2mQ-}J|8|a5ULKl05avEf~4zSfld7ujKC=vJc z)`aUl?FhL^5V{;HkbzDe>0A1k`{FQ#a5hsR)B)^|^&YS-O`sG?1E6T0eFpMuB7ngr 
zF6qUpG)gpv_tU=`gs>CPV}D196Wh==Na$U+s{a1Y1~iGiPAvThWQf(7diae8&8Dcn zdHe21l+0%XK#_7E2;A>2Pdwd*@_o@|++ML9@b2TTC*kw|2}HNVe2y3b6--0hAP8b1 z-i%oUq`M#J(g5gaQ;X+sMPW=f5QAd}x2Bql9UW~Fr40ls*&~CbLoZyFO;_UWh^-MLvTZ0D z66F-eX8`FEFtNh6JdI_B>$?(kczrFri4HJQqzW!TLKE-KJ1dLe4gkhdl0Jb6c^fI6 z2Qw9`dESjQH9^RXaH9M9fV^#t=X&b|Aj&EG_do-K`gNWHP6^CPvlT^&CigCijj?uF zhU`8&%lxufrUN7ph9MP(i+q+;Lj`vwB&ZMHC-nAZoNVsthGa@$yKE#99~*ET;%){F zR^1uTE8gg%J3qIADSmBWJg-TFV_JlHu4LN@qXpE+atwDzq_(H)Kl=b~7Ta5uBXNe~bJCnm*>-NZ5OpD@3#*m^G;DzM{xXCC_ zbJWYnEZq)b2AYx7%NbOWy-8y4kyZkU=T_hZ{3G%lUh$wK=&c{@7=>z|G7IP3l($Es zEMX;3!{>i1&RjE!xq0ig(D7WKB zF~<>_`WZsv$Kig{vMA3(Jdp#+`#ju9SBzg@pOI5LGG&hm#k=dr(TTDkWr-d#Ap z#1A1}pX$6k9JfMB<}@=ET62WPg!O_9;aU@pU8-4oa-s}PPAW4WYyv>i!3JDLD}I#M zmHH~-aZRAqRe0trfA%-kKSAWor!18hb333ypI~(CnL)XHu+)gr6q-s%#Tb-MK~i~? zBn-KBdWX@9g%CSl0qb5$3?J#Dw?W#k>*;;)+qE3Fsj5)nF;20*5`7p?;|l(TJB;Ky zXbU@`d1;_nI=3Kww!tGG>YSJ+L^nJWuvnF#|HHJS4}BO9w~Dy@-FdELHtaTlxs_-- zlK85mBUF?&{-RuAXvR>OOjJG3rm z+)G5plm$wPJAn^iCwuEeOqeCG5C7059JZw~APauVv??a9wYEuwXZiOAo|=!)P@su zLAt-5bG#%=#td~uu_udN_mIWRN<-}wSS!*cW$eBU3*mDzcn!C_2i{rhmLs1UM4VKi zX;YxWd=Nh+rQ&@mcoWk0jrz~r6Tg#d!BL z0bZEFBLeB)+t8uKkt2JG>V1!5$y{ledJ?k-*e3RVIhs**@MpVzYlZoMloc~nd2!PT za=`eqqOTKux(GFOXC*86Vajb4EZ%o)QHKpajq4{XV(jnzaGe zZ{U;c{n}!D%?tq)`HnRF_ZyC==!!cP6)Qb#HNKY0ZIXGz8KzEb7y?c$(7FvSvLN+q z9Weo*IC+*R?N#;BQG9`Q?kC8PrjhSKbt&YioJ8XnnJ$kznBI*Ql%Xvp;wQ+izMpq3 z*0n$K9tInNJ=yPs*s}s)$X|DvjK)Rc%t;DTjGmBY+*`& zh*cxyh!t4qejCjd+j4e`rU#W#5hlSMm6CGL$stY{?;7 zk)|Ooky|fWEuOO{f8$q&z4GSXZx~lFVjpWYXu*!`1k%+sY(3u5yKuQBHOIu+q#pk0 z*w2GqfOcY`Hud3GE)UmO-RCK=-cz$ohEM*KbC*>dZsrtGA)wewHzIoliR<_x%fn*dLu*!f8~_fukp5FZ#Prrpx22eg5O8~Cgb5^G`IT2X zq#QGpqaluK@f&?-SN*8JLDy=QUjZ~()P$Gq3MWkX&REo5r^&M1g}BPpK_tNMZrW+>uUAAcV} ze4Zm^}3-`~NsAqZoPdrVUOCTic^Ep2+=2k7v zOOo8H*FJAgcfRQ3W}U@d_m0;a7~O;9q1Sys^*D`_F7HpBkr5Bi8_xdp|*S?+JuG+l4G?K$e4mgPqnXp2GkJeosA z_2yn{?4l=C7m<4124%Yt4e`5lb3#@^HdJ$i0FKkELgr0Tvvh_-03E|tcMN3@;lkMJ zIY@xN`Y%=SKhEX9s^{$^ 
zS$m~fkx+|r7GfKnP`=vl6iN4DU08Fl>h3P0@N%MN?QJlSf0wBfa}dk+fPB>6*=>$Q zD+-o3G{~~G=@xcwJ3-@%^hd8%!-5OZTdfo_)dLa>8H(Y|)a8&Q*A^Ip!tt0Meo0?} zJehE^k0;hWV#Jx`3A6mqg=t@;zU!pv3Tr6l>N!^L@{0ZF;5-ZM^N4+gHTd$$pO^=c zG?-LPrnOzDDi&KBoe5XpA&(4utj?Je&;)Fc!x=pb=EB$0Jy||Zx@To#)FG8C_=>*!6@P{lC#2mA^Zh3C* zf&g>k%V4H&^`CGQtCG_A8!B#=!vh|c%*4u58uz3FFVKT=_-HPCiJO2-MVpQYRvQ2$ zT)`~#!UO(l0*)4&;0f52zZca1dARxOPwK&bJ36&oCV+<@4?4+~xB0X4TxtdA@g{%6 z!H7;cX93fm!W|Jf>ct-el)*=~Zn1sh^@>N}C-8QuyHB-7UHH!Wed5*~3-;{>T(Y?P zP1V2Q+&8xH0+ZN{V8{J1ob}LE+tH05%On3wXA}r*#zHn<+F=b9jH8`#$Rc4 zw)Z4YsNC2EZA0OYD>{+4lj@@&;b4>3$UQmON zt+=*Zar>_BbDQuf${!OAO-E~A=L>wjoANxDIQHuVmOu4Y zTaa0S+5DSTnB(>~Qn-cf_GnP*9`rprIj`Z!+WIs8=))_`?4FY}U23cjSzL47&kTp& z70`;#&1w668#n}{Vo~8Z5(_?4Xy(&$2lJBOV(5- zXc(DIEXK6R^QBeb%hnuP&Tvkp76FzgNyBK2K(wh=HtLHXy;o-LXasY`!k>6%oksC~xA{ExSEdz*-2SiWAgP^z_@tf`y; zoV!l=bRkIZ&d#UP4o!A9S4+Wj-r^qnw(|$G@f*CUWmV!}tF45eJ=KJ)_x4-HmEq=9 z(BX?6jFbgU5?A=6By zkROyQvUX@b%?j*)W!K4>ERSV`lNo@*L7rd!vJr@g_H+Xeo+~o*r7JHUXAPn#hKsKR zx7nvK`&Gy^9^u>ty-Td5K%Kg(^OQtQ!9cZ}LzY*a>o>5Z?yWvL&~0t@q+MKNI{Ac? z#bVn~nBZ|QXMO(#@$Skr%1SiIhdF>P(7^LcO=M2xM*J#LXpWtBdhD8$Dceq<#OA$8 z%38TmAiks&C^iSip8iB?G!k)RFG8M_@3?>8-8)GR$wW?~`%34N9fy1cyIt?zq2r#f zZZ(mzHeCi~?5!zHH*D#Q)MgpZy5nO@+L1K2E9YpAKZ|D(zlrIH$&R>iDfrsw zs-szP!c?vP`*N5(Ql~f|L;6HVAPCB(vw_}MY>tb`V`vpta#-I*QmRv51>70r7#bE~ z7w-{GWWby}mN%}miO*kzL2YrmYH+SsM#ZO#^? 
zOJEVQ931n4d+y<-(|_h@1Y(%+uE`hAN#N2DYZZCg0uFGZ;13ICg)QOY=-H>_?rG}= zH)v>oE=^RIJKvzC3p0og7`&)(=JCl3;`AXJt>pSlp67bxaXV7t)!J8gIO-o6cT=qEMK+&-KGnl1Ph_Va=KI0> z<}P7YFx`5EQLojJ{xLYGd<8arDQ=kiU z6w+&FY)3e_48}OcGXuQ2A_Jd4QuuZ94S{sQxfKIXpn8%-QpLi})_N(ftaMhFs6MH1 zkTwZ-j9b?MkNNplR?kZcKXVhq_;!b$Xe!6rtw|0gV#G}OQF@2&HgnsF#>8)Wrc)Qe z1(Y~r*hbvC2=8*q;@k4chhlFt$6HMzG+o74guFyH;suGi`{51Jk*g6o+r5N^?q{B>3^Km&*!_O+++vk`o~e&x zZxoB8L10ntGk*)22cZ_4O?S0t&eNu zc&nq|wM@~jab2TYm1G^BylzH#dp%v8<=UQ6_Gzm@YCE zN{dezL&Zw7w%GU^1?$GwSU7*^Ga6wom59$>=$UWZKE@IQ!TF#xVQzuw|)#uUv$)7=O)>ZaM%PKvCRL4&n zCx>QBR&U{!)h{m!TLwDu@a1<|Oor&y-+o>h* zNiiJa3-z>^dC{14vK>xurw0zQ@g2@gFKgvrPm-{+UzD*=S@5`3@Qc)bZ0-Vs{b=^) z6*Iinr?O8W*YLR6ZT5WTIpz1B?l_f`BH!tR{I||ql?>gFH@w?eoMX47t=3T`8NP3F zgo}jg$;jz|)i@8&a~0(N*eLc(v^S=sh+^B;9~XKlXKHx*(D7}3pMQd3-TLLOaa5;? znl#p!ONLXAQ<#-_*&l9o$A*3jR~U`+L=^kfW4HG1BKhJ;MM1SgWZPV0N9r!;bx%L@ z2Yw#6N}7850kS=XfBTu++g$QclK&BA{cqJd)s2WX-RGu+cmBe=S-Vd5jGH+xFllSZ zJ{hom_BY@iEs)MqXxRBrfL;4v!SH|k!3dWR5;xqK>$GX`!8siH4e5X(5=$?mu-f#3 z5Km;U$Y}3}hJ9k?V=BO^GY%m3;=9R*mabzKIhDYE4fhlK?%`$80Q4& zu?w(Ho}Lv}rvjyQ(OLNo8YtUxXew`3(Vz*0 zD*$x4zRy;3gh2+;6K10(FUpMcz(KkV*8MRwL9PNAy-F0Gpq3;$C=RJ5V15!!J^7HT!gokbRM8Vm3$98L~v0c9wj5)l@7rUmR z(4Rrs+3>Pl+=d3f0*H!!1ZV$TovI(I#C#dfPeiJs36x)Upvhl8Vo0Ro>bc(tVBM_C zn8i75<4*0%?r3WH1QfS6gjtKwiM(^X=4kprNu~fzOU&16fT!^d2C`#eP{f%}fH4rs zTg*vyC{oFuw(ST+x*k(+PBzYhLlhW5^6x1rU^(eR2E$m626xo2_ExnffiUZE;?YWr zCbZ7$hwI=d8gKvZ$1~DD&|fZ~f?3;CBTf=5Z2~4RscMy^z^MR6H*7r>+vs4MKxc6M zVw@4_o?82aBeaQC)I4|MSgJ;7CLn&soG_3~kt-2?&G+4gA)&OA-eO)9r>}P6AwYuT zX!7=*avN(x+^z<=n?F}WEsvDQ0Ge&VXeB`J^hG{y{tVC3PGDMxU-F+@`FG+oT%qZx zg11aS)2Y}2&0eot4?{ggZeDRPR|qFLbF6p*7&s}PMNZP8Q)ZuDZxRh=c6Y~OM@SKarNle0HJhk1Zc83G(=!J?`t!^ zpy@MeeYY9qnU^Gle)p)qR03#XeZr7HK=rFi z6~<1LRK*^{^>Gc^jfis2WN#NvB2M;~7I9`mkLhyPXWP*vsvCr60h}~7EL~}^A$?^< z_{qlQb1=JVYX#MISr0<6C4uH>?h&b|0AC?UfJb^LRFWWZR7^LlmCrOFZpq*&Rf!nL zv9@fDs(h3kQUoc$2IesFm=Tg2dVy;j=$#$A= zUkK5_t{E4zz&ZIq(z5tV*j|ajr)I)WD^!6d=*z#zX$@Ui9weZ&pZDL?=M=qL?c)4C 
zN4on`QTyig=#80(_NjfZK|{a_o8u3^W*Yo z@1hzEk&mAvRX6-xXa4lu;cIT*6OhN_&N5ywYiDvTJ>XQ}F25qXwRB~y=w68H{ip0* zw0L}RTtC)4O}UM(-h?IQa!92z$5l409W8X_U~y`|khYy8*@`H<%@xqcmr5I}GI(M! z3eO{X$FDG_ZFZa4U1J0OxSd5+82A-+S@XCi=ZwJtrxF|MpZ3FDgF=dvL&#rB+OxPJ zvdq)HTdUsgQY3zBq&hJnk+S~95w^DWW`3!AZKr!gVzI66#LLdXjnnwbNw?qm15ZtM zcoHigExF)%<#$65BMT77Lh}DVz+@SkYw$i+!CS#+_Auer!`-3)%$xrZf z9UjFoInb=~Nb9ZM$ms#K&mb~(9)kX!N`kyyS)mUB^67moaNUdR-WjGO>e+9hTQ<=4 zi%dOu#$BxBc_*|HhGW60yHdAjBLbPlNhWNTp7gonC(C?+@Zi*e19ihi6lK$+2?o`O zh?2hH@P%C7S;7X~wl9DWc*v+{{eV7o?EZT-k^CPMI-+RUABx&TOLj*?F1`2;!}N0O zb(~a(m*OUW>JNU~GTw0bT0CLi6|KTh1_O2~puN6jUpP+wD!2F-B8X?d!l5R7LVh%D zqFL5~t5I_c>Q|f8f#*(2eCrl@4vHU00l_^=(hDjz?M~eN=|*2`<7^nev2_5OZJ{QU zLMDn=Drx%y=}C^=+$ACY=!P%c{R6{?ittF8AMM*$Zvh`xb`XNcmp~b2`o7^Uz|l64 zkEPP&Gq?r8k5vH0y+7o$fQ5I3QG+h9Y*ex~$qU9a#d$Zbocj*qQCv z6X}4_D%iU}qx*PG=Mb@1R*QAvzDFPX#!DLHhTm)8!%v~uR%(UnZ6NW^Dxb5cLa9rL zDgGn#V?f>puEGv9#H#$wFW99y8DQ2(iKjn!Tt9$vp!X-3B$6Q(pwl_)w2Ei(g2XyU zJ?CQ2QEhy{Z@;6tArdL<$#CX5tIPtSG%&ObzogWm7B)L%-Q|F|5_TfxYiiviNEGo7 ztX6ZP5x4xd0sYi+t1~m{eI`dm36o3|gJ`*w&O9EZKGqBqRwfW}(3A%=3?Wn0#f6cz zVI4r+_Yh8&J5;7>@qPe@WB^W!yGx>M!XKH+3`Y@2EY5YNS9~>OrG^g98EacT{x@%1(S7ls-*ZsBP1=2inAmwT7Y1)_O@u(od-Gz zE$2e>mXhA~EGEWmqOL+q_@B=LZ%pVdBM#vardee9!urce8Fxg??V!kO->aOX+}q#Y>^f^iI{P4?MGCSHbE7b&~rbHd)FZ} zZ{0ZNc-Bh}6XKl%SY~*)#kN8H{PH~0Zc2>MB|=SA&$Mg@MM0*Qr=R)(W?KoscoPyx zT%!$T|Mm#x!6-6hnY0A<(Kkgtmrav3d)d=$h0DYuj?1I_uCx%9mP~ML4X>Rc7<*@J z8Tu9`#Xs@Cu5Eo8H@tAGn~b*6wDbX_%PIBAE}aewAw;t}VoalyJ0apHPe4wbSG?1F z1^{X7dlU=6{k?h6N&He>W*qw^Wt>`SQ&E#IuS1s^UccTBwwFk4P?YZ zN+-iazGR0MKJvMi&qb1m=C-UYC_r=dL*k+o5l zFkRzjaE*^4mhB236rLy630MbSpGcQ|W^gQ!G$L?twL-qv{CY(JLpnuY-$1$tRC|%2 zQd4<8)ZwZxs!ZZEWY~xkQmPK(6yZ=a>omvb7o^j%tpYk)jpzJGiBriH-UA$WRjFVn zngP>=r>tvb)!^DBiRofxDl05e$O(&Y0pfqdc!DPC!lh!#3o3ObXF2?y?|ohN=!&FC z@yu++42h}4hZ|(SsA7y{_d@q*%*L4Yc1qx!O0!m3|K-4;3yS3Zemhx4%%%}K95j92 z#!tyqPRoC3Xe)WjTG><*!7h#2NOpSq!nbu5s7OB1$Sn!acJAWS7ckuq)VgW?)=ii0 z7I=1V=W)BAq{uc<9o`|(BnCx}-GNO3>dvf>k$w{a;4%rrPazjgwjAmPFiXBbr`EZx 
zq87r)4w7Wmt$N<~vJ!zA(HDNF0Bxylc+GO_dXeB$y7Ytw3e#8>{=H%#XK!dqg3L!x z$(GLF-0=Q72TMqbVJRyO5b}?*%C_X91xU&yOJts@iw%&!Cs(;&nfJK0a643;Ykl}@ za5`(Y<7@M-RmcbdiY->TRhdvygI4BdAE$ZMvT4l|9#6&;Q+i@HAF;Ig2=WdklzvJrdG@}2Ua6JYAqDY zHc;`0tG{l6#Fd3ZeF-o~)!+&1MLOEUFbMTr=WNw@EQD_oxPmIBCGfngUcbbuWI5<` zs-ec{y$jh4Xi6}ee8Z)Z`?|Gl6-sXxz}(AGXQ~H7>`?v?Ry+8~VmZ*+=y+Ubg)*w_ zuu0&=xvgjKUkyFr1RNdnhv^0okdJYL!L{Q^DFaf1*rYw^@T$;}gJ=fWjOrYd#hr^C z56_9oOhq!VCQFoqo~9ajg5e2J2(18y=K@XZi_ZpuOnNZUCd#7`WNb#MP&w5MISzsS z1D`wPzZ(9}pg=&D42INOf}CayHWlee!UyxXz5p1l3oOh8?0i-S+hdlO%9{u;= zB0_>N_|bJ|E@5xZE1sf{K(e+zlQFZ4GKXTapbit0=7v|Q<*;X@7^r{rs2t3>)u8`> zk5c-E`TAR7nJ+^4t6Ji7AGCe*pguac7z&2l;;taL7s~nuQX)GzZo?Ubt>XMq0Nzi? zD;=ubJsfGZT-ZDgeV0l7V>(jPYK_yF^W;-CL+#f`eA;rC+!0+IPt>1d`hHHL*jSPqaZStUiOp$9%Ag+w7jE|dL9ukE|q z8EE#R@w=1rk$cZ&IE`81h^a$KEZ}ua?BxKt>MNd4+8!$I;|s zVMiM6t{udX*ns}n8BO&ei$CKr<+Xj2kZl#zW;a#3K^pXCh!5V)tV1R|Itc2DUh$D0 zZa*Ylbg@eJr!Mw7+e3<4(N6m!uBAki2WS7|xOLYT^*Ue#q;BjpupKLSatO{5>GDi+ZgF z(#@_-0x@daj`40!VNaO{p_|EaqK7o-HM93oM6b=-bmKeXu-TRrP_f z%U~cLN0se13^X?{c{)y+z@j zq=K$%>x39cd@uZNr%wu`%hW4mdD{1gS|__zOF}x!)R#oKu=X}*AaGp(aNLPuH}Z*G zFi4FIG;z-|1nSZOCa2tIOlqi0ft`bu^qrI(Gd5Ppn^P2XO5Bu6^Bv(jIP0rW_Z+Q; z_PuZfj*zn(fQqd=oRg=gVjZNonj-({g!rFGDFv0GI(J0Df{q%Psbx^X9d4FrpM%*u z=AIR&VZdt^1D~NE(%Sc=s;a%V@O*%qbRV1d1K7fMJ3`cJ>VkIDmmO(?57?3d!DH8! z^yJ~!%)B}{Ef&n4Za4v++Zy;S`D?U0<0cBlwSfUaPsyI*DO8qfwnjHQJav5C_;>?e zwFlO8VK3IF-gTUL){+x*Y$)`{f|zJ!+iM~3dAZ`YoT4r&O;`BLp^>2CAIXZQC0^W@oRzCJ~0sU3n_hA0-+mJ9Kf`K-CjQ#!huU zx2zFG(=*{q&nr21NhZG@%f9$IG+Xuc*sFwv+kEqdH|+c5)TS<601~}SET#@5vr)X! 
zBx8a}j4vW#3S$duwooRiQj?ntXoc@WIlBA^b(Q>AKQKX8dEGn&G|+L%DU&e1!75V( zVLAs0zuJQ{(^`-oiaZg^LX@{q-oxLmGXfCm9ExUe1r2lsV17CyaE94@LPO%V9>EYG zVJx(lY{!ry0@$f<>;?_yd*GCsh&M}Fx~1=KvW<>nr1XGgmo?;0aDGLTi8fhIR3B6_ z*J#;%VIk-Lygm;xhu;xqyL8e4j7R09M{4C8@6JQejj?xv+a;y9@=3>a=P?3neM56Lh8akg{mr3}{tFd=oFhrRX z9so2`WJL+yMPL}zCJzo+(6Gg3Qi%#s3~|I`Iw?{CAE*Lc9#hu@BJ;0R&fgXuZY?ie z7hifgSM@8S%G#D13f$MPEq2i?PlTvNG2(ae%z&2d6;;YA2J`hc%q4ABIYh>-eQ$@Q z#qG>Ramg9WLg{#djh~e8t@0=S?`lQ_f?B9g z&6*AQdc)N?aB!zk05fsjLOQMrnRrxv`1pgG{MITEH==Dx%x3s<2?&Zrr!bv2C*>0! z;*g-8QTEC|dPdF<#}w#mDR5Bm#~vtNChl0~n;eux%ZmpXjLKbRYk|sYTbXHFuKzqc zbYfYga9s2c%g#uugF*d!ZPW7+EyoXja`f*%J6(M^n4Z5`r#6uy3UXr6qJb@lv=1ckdUG-+aX-A|?6D)PK80HWd6fQ=$HBZ;9&HuVYa+N%(SPK+bB2~KX5m}^tNP~@n zj^ov3e6Ktl(tIXy+Mko-(tZ$s3Auecm!&w(`Az?hNa=_ytIM%2nbCiDJ!6?K3j>L4 zDrWFLy}6lde1Kn~h(_pS(VfK$YZ}~_TQ?xnhv^6BW17*3Qbc}042Wr`P}WNg@0d5= zd9LueKlhhgoqv687l$ei@a_*A@%(Gh8S4C627z&>P>N@NmsUMYk~PrIh#TCP$7xLx z4ji@RV8&j(dHYQVu^rogg!g6|-^X>}}7kP;L|4EFNLu zX$gZA?s@V?Mwj6)ANZnZBj+(Gd3%Nq^H*cdOgdd-d;NGF?j?Jv!(I?&dqqq|+>C3J zujhx>3;E)g>aoQ*n9rfyb6uMefA!Q~oF2{-U@@fi+&#_26y1Gs7TbR}i*tWBi&~uZ z${)7^=7JrEYdYl8w>LhN?q7~m;I8fd>5UeG_sN4Drigkz%q-g#H8|q05L*4!BSw=F ziJ>0xQ0@O7+*Aaay=d5(vkj)LMLJeTmZH*t>pi&mtf_rnNUw6;{)PNL*)5U7%gKhj z6asQWkJ)>;wT(;*COq$qr- z9Hi{+IVV`($Qu1WtzCIE)O*-36{5y63Ne<1isVZ6B+I0fY>7+Z3K0s^WOrj^$lJeZJHCo^#K6-}9dPp7Z+8an6{T-|zQ*p6By?7H8?N zKpOS}tH5{$bg}(l>Nkkdn9)*(WAok9?T~MWw#mM>z`dljLzSWk%VVDKZriIE6x=v3a@M9>B>w}*DfJiZJX(jkLL z{FLrmm%yj(2=l*p3#PLV2&Tk)K7@UavRj{`GT0(8jytvpKuKUweb^aj+`!`>g3bOS zgqW0o)S~$!44r5cj-V$YkhU%kvvse;b3zmvqM_$F%p_x4I;Hjoz+&4SqHi6W;tU&5 zn>`5Udg{A7k5WJy^k}H-^);KDaE_Ov8i$B~EqeiNFLXynHL&WXBXS%D{}Q!$3uiS9 zS|QY6QvG?i4%;2fP7k)OVz2SGPRorsV0>9PeFM1pIxN!&z%(y`!E#`zTLJmYm!clw z7;GsM>H!#jiZYV>p#oncGeqX5ftvfOO~9uRYFJWp6vQGND6z6*c9)>JlDYQx5r3$u z`8E}S%!CYNi(=(Q>7BF$fYA%Eu4trb=trA&RxXiAv|(CA>INv^EdaMR=S#O=@}Jd{ z;X=Uyk2#|tbpXGh1G~;C*n4Yy0DEzRllMd^*z?d1`An9I_k^JRchk+Y#_E~GEF~s4 zV4Kz^Q8Y<+T3*QvJ&4l@SMX$wx(!o)k(96#2oOeu)z~1^qCip#x&vR{v{(crt64#h 
z>Cao&m4vLan6cG;S6@&HkP+xO@Y)=d-k|K{V7j9od6QImY`~S{tC?H`xJBQ<{&1fi`wFZ^8r0%jlb!fO zG^SzYa}#Wv%pYG@D~{XQ4u|?A>h-J)`LtK=i$+~?3NT%59Q8^m;KKp7vO`;{1w_cuQ9X?)t z)n2VBUH1~iE>Xf(ozb~5{orLd1M#v zNY{0sJ17OWG+g;DRm8R@c|t&P0LFRQD1uWXM|%)LEKT)37e#}#3l5L6%n=hHy=j zRLg|>h-!mmW$qBb9mzF13h}IMv>h)6avA>ONxUx7xr_eBWz4e2T8Gw9h+;4Dbr9fD zB3eTFl!c*r79B=o54SM)=yugxl|g^S2m+>0XbMa!m0{SxuSp`T6H!}LzOc8AQqaPO2qZ2cj$0YHfpDl zY!}gz369R;>T2-3-hhaee2A^6ncQH~sY<@GaE55ptgxQ}WZx&Mopki-7)(|B(0ac< zjHItOrR!|0-ua4onRZ5{9rKf_pjl`Dl#~zQK<{TCLHIfHki};1fE1S801YT$H@aw> z)uf!Oi@AYl5`3LH$Tsorbi* zWcwIZ)Qb!wns+cwMpre1nB|z0dZq8zSIa8#hTXaBWX2SV}0m~n4Q^?MlEzOxKo4Fy#T6K zjHr-1kbdhE!0i2iGu$UR4Z`aZVTQ^N5b^%HdE%=)Z#nGF`aIMEkm(ZxX^|nT-Eo@O z@>_ig+OByF*HQK57ZZVzpA5zJ`GcAqMdvih0M28_MM0{Yrw$)<*j60%Fo7JsrWEX1 zA=JinR_=dA4*))x2jsvQ3a4~{%@LyHL0A@nRjzd8zKY5q63K=fdbyA9kps@^@365vZ|6qvEcU4yv5m zI2qkE)c3XYzkjlP;r)jq!?aPc<%I5@UC=s4BgCp7h;pC+V)5IgpAPMns-~HJ11COH zZ?@n<$mm5hHo7IfFkF7#`tw4Wu~(0KwrTQc@k`T4n9k5WqG<84qYPL&W*jwfxnK0} zEK^}^UXQANaazjGw{UM2eF9>)Tha7STDKc+O`G$O*{K|$O4y9~4a5I?8N>GEDwWXk z#KBfap@Qn&TxXZZkI?*LRpsWjbe}Q7iImy5i1Rmg@qH1)unmQTNfCWCJ+?P`ZXk*_ z>m_>gJmS!*10j48_Z2SmO~eawJNSfL1W$s)cMGk|pYt=W*H~2O;bR6BKsM^Dn?mBC z7S?uH9wf-sen`%LcYn7~*{vmTN$PedM=PDC+k9L5F?zWEHU{THyG6ClkZ5A8OmKR@ zH_}(FwMCRY|*d>WYiM^;g1xx z^-}pwB7Ytx^+o?=jLTfeAWGa^Psr-e9mokRGZy-F8R}wiLTrx&dqHn2v5d&$`>MAU zydv42tX$$bxb-`8Dge(IMy%M=&U0I;s*`T+S>c|RkZ4|`_0L4Cxp zhD5Ev3CzhaK;4rm5(yPsfz!7iPCKXF*%|;2JCDT}!Z*r&JN^3}(te>#6jQpuTwRmKf&kXbK6V7=#KE?bW%e<``RP{hnU z1P=`{uY=KP7YL-Q7Udlu{Jcd!-?AQ`Y&dG9^#+9l5h^gN=ON(vI2y7lLkX>9C8@ zeq~sX|KeqGyyALd>tm0_;LTNqAo?Y}&QZ3|BzftRx`DgsWLNtzhFh%Qk}pm2Q|07I zbDouKOY_1fhXXClE$l+GLpED>#bT;~PUO0s>$+S=;{n~w#W4Tn3A?!Xn?Kq|0=$-W z8n-p4&)rMVteoRb_%7eX^`d+wH+rxAUX^AB&rM--U$%s7QJf4u@{||;2XgOu@}M-~ z@u|ei3nPA-I8l7!qtF?N<`kPV%Z=Ixx+*LR6DF)jWG+}X1q7JnSU($RNUumUiL;^z zjUo>YU9vqae+&a9a)ylSAsEMOMKq0Tc8}+tRU`H~2@C>l#wqd|6@%Q}X*<)!@;+MXOyXD89Rl2`mPZQSliuZcdnqQzy=)lyP;q>9re^E`89?fV z^wx$!))`={y+JvGbpHDj>lWiEmDdVvIVO)M#2anL$8 
zwni_HH+0O|>sE-C@X-}R%-3Pkxo3?I&ksz>pGni8wro2>9#&U_4x7@Jth~7;>Re8x zx95N;TXgw@E!p-T8)qlsKQB~yT>j|Mvf{6np&iHRqFmVf$$If{kGn04P!V;>wAy1D zMMSQL6^O7|roSMP-I={m^bV4urov43tpk04m+bXOQ~@hoY;~e*D%9=e?2PVUd+jfc zgCAjoeKj47R4TU~lOV&f{~S?(-OTuGB$iq;x@(lnCasJz|KoSK+<9B(Vch`0|zN{ z_D*l3GV!Kg+K1Du6O%BT3iP;#d;VYOmK+E5p-z`lZ}4k}ztNtGK`-IRF8;?A{#=6- z+h{QAM~A>A1e8>c_i?)gTJ0z z_Rf(j>!5b1MUG796*~8I@}d}4^y`1KB>I1P3;#;o@h?AF)yC$OmbOrn&+f-J!Otl@ LL*0CB+u;8I - ## sepgsql Overview The *sepgsql* extension adds SELinux mandatory access controls (MAC) to database objects such as tables, columns, views, functions, schemas and -sequences. **Figure 24: Database Security Context Information** shows a simple -database with one table, two columns and three rows, each with their object -class and associated security context (the [**Internal Tables**](#internal-tables) +sequences. **Table 1: Database Security Context Information** shows a simple +database with one table and two columns, each with their object class and +associated security context (the [**Internal Tables**](#internal-tables) section shows these entries from the *testdb* database in the [**Notebook sepgsql Example**](notebook-examples/sepgsql/testdb-example.sql). The database object classes and permissions are described in [**Appendix A - Object Classes and Permissions**](object_classes_permissions.md#database-object-classes). 
-![](./images/24-database-table.png) +| | +| :---: | +| **database** (*db_database*) - context = 'unconfined_u:object_r:postgresql_db_t:s0' This context is inherited from the database directory label - ls -Z /var/lib/pgsql/data | +| **schema** (*db_schema*) - security_label = 'unconfined_u:object_r:sepgsql_schema_t:s0:c10' | +| **table** (*db_table*) - security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c20' | + +| | | +| :---: | :---: | +| **column 1** (*db_column*) - security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c30' | **column 2** - (*db_column*) security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c40' | -**Figure 24: Database Security Context Information** - *Showing the security -contexts that can be associated to a schema, table and columns.* +**Table 1: Database Security Context Information** - *Showing the security contexts that can be associated to a schema, table and columns.* To use SE-PostgreSQL each Linux user must have a valid PostgreSQL database role (not to be confused with an SELinux role). The default @@ -68,9 +82,7 @@ with AVC audits being logged via the standard PostgreSQL logfile as described in the [**Logging Security Events**](#logging-security-events) section. -
- -### Installing SE-PostgreSQL +## Installing SE-PostgreSQL The [**https://www.postgresql.org/docs/11/sepgsql.html**](https://www.postgresql.org/docs/11/sepgsql.html) page contains all the information required to install the *sepgsql* extension. @@ -79,7 +91,7 @@ There are also instructions in the [**Notebook sepgsql Example - README**](notebook-examples/sepgsql/README.md) that describes building the example database used in the sections below. -### *SECURITY LABEL* SQL Command +## *SECURITY LABEL* SQL Command The '*SECURITY LABEL*' SQL command has been added to PostgreSQL to allow security providers to label or change a label on database objects. @@ -102,34 +114,32 @@ SECURITY LABEL ON COLUMN test_ns.info.email_addr IS 'unconfined_u:object_r:sepgsql_table_t:s0:c40'; ``` -### Additional SQL Functions +## Additional SQL Functions The following functions have been added: - - - - - - - - - - - - - - - - - - - -
sepgsql_getcon()Returns the client security context.
sepgsql_mcstrans_in(text con)Translates the readable range of the context into raw format provided the mcstransd daemon is running.
sepgsql_mcstrans_out(text con)Translates the raw range of the context into readable format provided the mcstransd daemon is running.
sepgsql_restorecon(text specfile)Sets security contexts on all database objects (must be superuser) according to the specfile. This is normally used for initialisation of the database by the sepgsql.sql script. If the parameter is NULL, then the default sepgsql_contexts file is used. See selabel_db(5) details.
- -
- -### *postgresql.conf* Entries +*sepgsql_getcon()* + +Returns the client security context. + +*sepgsql_mcstrans_in(text con)* + +Translates the readable *range* of the context into raw format provided the +***mcstransd**(8)* daemon is running. + +*sepgsql_mcstrans_out(text con)* + +Translates the raw *range* of the context into readable format provided the +***mcstransd**(8)* daemon is running. + +*sepgsql_restorecon(text specfile)* + +Sets security contexts on all database objects (must be superuser) according +to the *specfile*. This is normally used for initialisation of the database +by the *sepgsql.sql* script. If the parameter is NULL, then the default +*sepgsql_contexts* file is used. See ***selabel_db**(5)* details. + +## *postgresql.conf* Entries The *postgresql.conf* file supports the following additional entries to enable and manage SE-PostgreSQL: @@ -167,9 +177,7 @@ on (1 row) ``` -
- -### Logging Security Events +## Logging Security Events SE-PostgreSQL manages its own AVC audit entries in the standard PostgreSQL log normally located within the */var/lib/pgsql/data/pg_log* @@ -177,9 +185,7 @@ directory and by default only errors are logged (Note that there are no SE-PostgreSQL AVC entries added to the standard *audit.log*). The '*sepgsql.debug_audit = on*' can be set to log all audit events. -
- -### Internal Tables +## Internal Tables To support the overall database operation PostgreSQL has internal tables in the system catalog that hold information relating to databases, @@ -188,46 +194,15 @@ that holds the security label and other references. The *pg_seclabel* is shown in the table below and has been taken from . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeReferencesComments
objoidoidany OID columnThe OID of the object this security label pertains to.
classoidoidpg_class.oidThe OID of the system catalog this object appears in.
objsubidint4For a security label on a table column, this is the column number (the objoid and classoid refer to the table itself). For all other objects this column is zero.
providertextThe label provider associated with this label. Currently only SELinux is supported.
labeltextThe security label applied to this object.
+ +| **Name** | **Type** | **References** | **Comments** | +| -------- | -------- | -------------- | ------------ | +| objoid | oid | any OID column | The OID of the object this security label pertains to. | +| classoid | oid | pg_class.oid | The OID of the system catalog this object appears in. | +| objsubid | int4 | | For a security label on a table column, this is the column number (the *objoid* and *classoid* refer to the table itself). For all other objects this column is zero. | +| provider | text | | The label provider associated with this label. Currently only SELinux is supported. | +| label | text | | The security label applied to this object. | + These are entries taken from a '*SELECT * FROM pg_seclabel;*' command that refers to the example *testdb* database built using the @@ -260,8 +235,6 @@ objoid|classoid|objsubid|objtype|objnamespace| objname | provider| label | | | | | email_addr | | ``` -
-
---
From patchwork Tue Aug 4 01:34:34 2020
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 11699391
Subject: [RFC,selinux-notebook PATCH 12/18] all: remove all the <br> tags we haven't gotten to yet
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:34:34 -0400
Message-ID: <159650487464.8961.11767629431550973827.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>
User-Agent: StGit/0.23
X-Mailing-List: selinux@vger.kernel.org

This was done with the following script:

for i in *.md; do
	sed '/^[ \t]*<br>[ \t]*$/d' -i $i
done

Signed-off-by: Paul Moore
---
 src/apache_support.md | 4 ---
 src/auditing.md | 7 -----
 src/avc_rules.md | 6 -----
 src/bounds_rules.md | 2 --
 src/cil_overview.md | 1 -
 src/class_permission_statements.md | 5 ----
 src/computing_access_decisions.md | 1 -
 src/computing_security_contexts.md | 15 -----------
 src/conditional_statements.md | 3 --
 src/configuration_files.md | 3 --
 src/constraint_statements.md | 4 ---
 src/core_components.md | 5 ----
 src/debug_policy_hints.md | 1 -
 src/default_rules.md | 4 ---
 src/domain_object_transitions.md | 4 ---
 src/file_labeling_statements.md | 5 ----
 src/global_config_files.md | 7 -----
 src/implementing_seaware_apps.md | 6 -----
 src/infiniband_statements.md | 3 --
 src/kernel_policy_language.md | 7 -----
 src/libselinux_functions.md | 1 -
 src/lsm_selinux.md | 8 ------
 src/mac.md | 2 --
 src/mls_mcs.md | 6 -----
 src/mls_statements.md | 10 --------
 src/modes.md | 1 -
 src/modular_policy_statements.md | 4 ---
 src/network_statements.md | 4 ---
 src/network_support.md | 7 -----
 src/object_classes_permissions.md | 21 ----------------
 src/objects.md | 3 --
 src/pam_login.md | 1 -
 src/policy_config_files.md | 35 ---------------------------
 src/policy_config_statements.md | 1 -
 src/policy_languages.md | 1 -
 src/policy_store_config_files.md | 20 ---------------
 src/policy_validation_example.md | 1 -
 src/polyinstantiation.md | 7 -----
 src/rbac.md | 1 -
 src/reference_policy.md | 47 ------------------------------------
 src/role_statements.md | 6 -----
 src/seandroid.md | 15 -----------
 src/security_context.md | 1 -
 src/selinux_cmds.md | 1 -
 src/selinux_overview.md | 2 --
 src/sid_statement.md | 2 --
 src/subjects.md | 2 --
 src/terminology.md | 2 --
 src/title.md | 1 -
 src/toc.md | 1 -
 src/type_enforcement.md | 3 --
 src/types_of_policy.md | 10 --------
 src/users.md | 1 -
 53 files changed, 321 deletions(-)

diff --git a/src/apache_support.md b/src/apache_support.md
index 60f09d9..22ce966 100644
--- a/src/apache_support.md
+++ b/src/apache_support.md @@ -50,7 +50,6 @@ the LAPP1 ## `mod_selinux` Overview @@ -76,7 +75,6 @@ itself, for example: 3. The web application exits, handing control back to the web server that replies with the HTTP response. -
## Bounds Overview @@ -122,7 +120,6 @@ operation will be denied and an `SELINUX_ERR` entry will be added to the audit log stating `op=security_compute_av reason=bounds` with the context strings and the denied class and permissions. -
@@ -131,7 +128,6 @@ the context strings and the denied class and permissions.
-
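Review bot: the three hunks in *apache_support.md* (and every other hunk in this patch) come from the sed loop in the commit message, whose pattern is anchored with `^` and `$` and so only deletes a line that holds nothing but the tag; a `<br>` that shares a line with text, or sits inside one of the HTML tables still present in other files, survives this pass, which is consistent with the "haven't gotten to yet" in the subject but worth stating in the message so nobody expects the tree to be tag-free after it. If the loop is kept for later runs, quote `"$i"`.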
diff --git a/src/auditing.md b/src/auditing.md index 295373a..17cc2e6 100644 --- a/src/auditing.md +++ b/src/auditing.md @@ -40,7 +40,6 @@ Notes: ***selinux_set_callback**(3)* and specifying an alternative log handler. -
## AVC Audit Events @@ -233,7 +232,6 @@ exe="/usr/move_file/move_file_c" subj=unconfined_u:unconfined_r:move_file_t key=(null) ``` -
## General SELinux Audit Events @@ -271,7 +269,6 @@ policyload notice (seqno=2) : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?' ``` -
Change enforcement mode - `MAC_STATUS` - This was generated when the SELinux enforcement mode was changed: @@ -287,7 +284,6 @@ tty=pts0 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) ``` -
Change boolean value - `MAC_CONFIG_CHANGE` - This event was generated when ***setsebool**(8)* was run to change a boolean. Note that the @@ -323,7 +319,6 @@ exe="/sbin/netlabelctl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) ``` -
Labeled IPSec - `MAC_IPSEC_EVENT` - Generated when running ***setkey**(8)* to load IPSec configuration: @@ -376,7 +371,6 @@ exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c300 key=(null) ``` -
Role changes - `USER_ROLE_CHANGE` - Used ***newrole**(1)* to set a new role that was not valid. @@ -391,7 +385,6 @@ new-context=?: exe="/usr/bin/newrole" hostname=? addr=? terminal=/dev/pts/0 res=failed' ``` -
diff --git a/src/avc_rules.md b/src/avc_rules.md index 5c2a491..de8e9c3 100644 --- a/src/avc_rules.md +++ b/src/avc_rules.md @@ -77,7 +77,6 @@ section. -
## `allow` @@ -138,7 +137,6 @@ allow bootloader_t system_dbusd_t:dbus { acquire_svc send_msg }; allow files_unconfined_type file_type:{ file chr_file } ~execmod; ``` -
## `dontaudit` @@ -158,7 +156,6 @@ also helps to manage the audit log by excluding known events. dontaudit traceroute_t { port_type -port_t }:tcp_socket name_bind; ``` -
## `auditallow` @@ -176,7 +173,6 @@ to grant permission. auditallow ada_t self:process execstack; ``` -
## `neverallow` @@ -207,7 +203,6 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; ``` -
    @@ -216,7 +211,6 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
-
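Review bot: in *avc_rules.md* the trailing context of the `@@ -207,7 +203,6 @@` hunk and the lead-in to `@@ -216,7 +211,6 @@` are whitespace-only lines, which points at leftover HTML spacing rather than Markdown around the `neverallow` examples; the whole-line sed pattern removes the tag but leaves that spacing in place, so this file should go on the list for the manual table conversion rather than be considered done after this patch.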
diff --git a/src/bounds_rules.md b/src/bounds_rules.md index 08393dd..e890955 100644 --- a/src/bounds_rules.md +++ b/src/bounds_rules.md @@ -12,7 +12,6 @@ NOT enforced by the SELinux kernel services). The [**CIL Reference Guide**](notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) gives details. -
## `typebounds` @@ -91,7 +90,6 @@ allow httpd_t etc_t : file { getattr read }; allow httpd_child_t etc_t : file { read write }; ``` -
diff --git a/src/cil_overview.md b/src/cil_overview.md index 1403666..e0364d7 100644 --- a/src/cil_overview.md +++ b/src/cil_overview.md @@ -147,7 +147,6 @@ declarations with the order in which they are declared in the kernel. A module store is created by `semodule` to give easy access to the source and that allows for full control over the policy. -
diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md index 65f2bed..eb42b1f 100644 --- a/src/class_permission_statements.md +++ b/src/class_permission_statements.md @@ -16,7 +16,6 @@ There are two variants of the `class` statement for writing policy: [**Associating Permissions to a Class**](#associating-permissions-to-a-class) section. -
## `class` @@ -75,7 +74,6 @@ definition: class db_tuple ``` -
### Associating Permissions to a Class @@ -90,7 +88,6 @@ Permissions can be defined within policy in two ways: A list of classes and their permissions used by the **Reference Policy** can be found in the *./policy/flask/access_vectors* file. -
## `common` @@ -154,7 +151,6 @@ The statement definition is: common database { create drop getattr setattr relabelfrom relabelto } ``` -
## `class` @@ -246,7 +242,6 @@ class db_blob inherits database class db_blob inherits database { read write import export } ``` -
diff --git a/src/computing_access_decisions.md b/src/computing_access_decisions.md index 0670240..ce4cf11 100644 --- a/src/computing_access_decisions.md +++ b/src/computing_access_decisions.md @@ -57,7 +57,6 @@ require kernel system call over-heads once set up. Note that these functions are only available from *libselinux* 2.0.99, with Linux kernel 2.6.37 and above. -
diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md index ca7ba5d..100a8cf 100644 --- a/src/computing_security_contexts.md +++ b/src/computing_security_contexts.md @@ -46,7 +46,6 @@ various kernel objects (also see the [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) section. -
### Process @@ -74,7 +73,6 @@ Processes inherit their security context as follows: practice is generally discouraged - exec-based transitions are preferred. -
### Files @@ -113,13 +111,11 @@ SID, which is mapped to a context by the policy. This default may be overridden via the `defcontext=` mount option on a per-mount basis as described in ***mount**(8)*. -
### File Descriptors Inherits the label of its creator/parent. -
### Filesystems @@ -166,7 +162,6 @@ Notes: `context=`, `fscontext=`, `defcontext=` and `rootcontext=`. They are fully described in the ***mount**(8)* man page. -
### Network File System (nfsv4.2) @@ -174,7 +169,6 @@ If labeled NFS is implemented with `xattr` support, then the creation of inodes are treated as described in the [Files](#files) section. -
### INET Sockets @@ -208,13 +202,11 @@ Some sockets may be labeled with the kernel SID to reflect the fact that they are kernel-internal sockets that are not directly exposed to applications. -
### IPC Inherits the label of its creator/parent. -
### Message Queues @@ -239,19 +231,16 @@ the message queue it will be stored in as follows: with the selected range being low, high or low-high to be defined for the message object class). -
### Semaphores Inherits the label of its creator/parent. -
### Shared Memory Inherits the label of its creator/parent. -
### Keys @@ -260,7 +249,6 @@ Inherits the label of its creator/parent. Security-aware applications may use ***setkeycreatecon**(3)* to explicitly label keys they create if permitted by policy. -
## Using libselinux Functions @@ -359,7 +347,6 @@ new context `newcon` (referenced by SIDs for **Table 1** -
### *avc_compute_member* and *security_compute_member* @@ -435,7 +422,6 @@ the new context `newcon` (referenced by SIDs for **Table 2** -
### *security_compute_relabel* @@ -514,7 +500,6 @@ following notes also apply: **Table 3** -
diff --git a/src/conditional_statements.md b/src/conditional_statements.md index e7254cc..00159b6 100644 --- a/src/conditional_statements.md +++ b/src/conditional_statements.md @@ -56,7 +56,6 @@ getsebool -a getsebool allow_daemons_use_tty ``` -
## bool @@ -133,7 +132,6 @@ bool allow_execheap false; bool allow_execstack true; ``` -
### if @@ -258,7 +256,6 @@ if (read_untrusted_content) { } ``` -
diff --git a/src/configuration_files.md b/src/configuration_files.md index 6738ec4..10092c6 100644 --- a/src/configuration_files.md +++ b/src/configuration_files.md @@ -33,7 +33,6 @@ as follows: viewing the currently loaded policy using tools such as ***apol**(1)* (e.g. *apol /sys/fs/selinux/policy*). -
## The Policy Store @@ -149,7 +148,6 @@ already available, the following message will be given: "*A higher priority <name> module exists at priority <999> and will override the module currently being installed at priority <111>*". -
## Converting policy packages to CIL @@ -175,7 +173,6 @@ Options: -h, --help print this message and exit ``` -
diff --git a/src/constraint_statements.md b/src/constraint_statements.md index 50733b1..9708306 100644 --- a/src/constraint_statements.md +++ b/src/constraint_statements.md @@ -170,7 +170,6 @@ constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create r (u1 == u2 or t1 == can_change_object_identity); ``` -
## `validatetrans` @@ -269,7 +268,6 @@ Note there are no `validatetrans` statements specified within the `validatetrans { file } { t1 == unconfined_t );` -
## `mlsconstrain` @@ -394,7 +392,6 @@ mlsconstrain dir search ( t2 == mlstrustedobject )); ``` -
## `mlsvalidatetrans` @@ -524,7 +521,6 @@ mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 )))); ``` -
diff --git a/src/core_components.md b/src/core_components.md index dde17a1..0cc9e65 100644 --- a/src/core_components.md +++ b/src/core_components.md @@ -17,7 +17,6 @@ manage enforcement of the policy and comprise of the following: 5. An Access Vector Cache (AVC) that improves system performance by caching security server decisions. -
![](./images/1-core.png) @@ -26,13 +25,11 @@ Security Server are cached in the AVC to enhance performance of future requests. Note that it is the kernel and userspace Object Managers that enforce the policy.* -
![](./images/2-high-level-arch.png) **Figure 2: High Level SELinux Architecture** - *Showing the major supporting services* -
**Figure 2** shows a more complex diagram of kernel and userspace with a number of supporting services that are used to manage the SELinux environment. @@ -134,7 +131,6 @@ The [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module section goes into greater detail of the LSM / SELinux modules with a walk through of a ***fork**(2)* and ***exec**(2)* process. -
    @@ -149,7 +145,6 @@ statement that allows a domain to run in permissive mode while the others are st
-
diff --git a/src/debug_policy_hints.md b/src/debug_policy_hints.md index edccce9..913a82a 100644 --- a/src/debug_policy_hints.md +++ b/src/debug_policy_hints.md @@ -5,7 +5,6 @@ I'm sure there is more to add here !!! -
diff --git a/src/default_rules.md b/src/default_rules.md index a5ea085..e759a84 100644 --- a/src/default_rules.md +++ b/src/default_rules.md @@ -77,7 +77,6 @@ default_user file target; default_user { x_selection x_property } source; ``` -
## `default_role` @@ -152,7 +151,6 @@ default_role file target; default_role { x_selection x_property } source; ``` -
## `default_type` @@ -227,7 +225,6 @@ default_type file target; default_type { x_selection x_property } source; ``` -
## `default_range` @@ -327,7 +324,6 @@ default_type { x_selection x_property } source low_high; default_range db_table glblub; ``` -
diff --git a/src/domain_object_transitions.md b/src/domain_object_transitions.md index c4cf83b..2c5e45a 100644 --- a/src/domain_object_transitions.md +++ b/src/domain_object_transitions.md @@ -8,7 +8,6 @@ This section discusses the `type_transition` statement that is used to: These transitions can also be achieved using the **libselinux** API functions for SELinux-aware applications. -
## Domain Transition @@ -89,7 +88,6 @@ SELinux enabled kernel. within the `unconfined_t` domain and then transitioned to the `ext_gateway_t` domain.* -
### Type Enforcement Rules @@ -209,7 +207,6 @@ Other ways to resolve this issue are: It was decided to use runcon as it demonstrates the command usage better than reading the man pages. -
## Object Transition @@ -276,7 +273,6 @@ drwxr-xr-x root root system_u:object_r:unconfined_t .. -rw-r--r-- root root unconfined_u:object_r:in_file_t Message-2 ``` -
diff --git a/src/file_labeling_statements.md b/src/file_labeling_statements.md index ad0036b..dad3361 100644 --- a/src/file_labeling_statements.md +++ b/src/file_labeling_statements.md @@ -12,7 +12,6 @@ therefore if the policy supports MCS / MLS, then an `mls_range` is required as described in the [**MLS range Definition**](mls_statements.md#mls-range-definition) section. -
## `fs_use_xattr` @@ -85,7 +84,6 @@ fs_use_xattr ext2 system_u:object_r:fs_t:s0; fs_use_xattr ext3 system_u:object_r:fs_t:s0; ``` -
## `fs_use_task` @@ -156,7 +154,6 @@ fs_use_task pipefs system_u:object_r:fs_t:s0; fs_use_task sockfs system_u:object_r:fs_t:s0; ``` -
## `fs_use_trans` @@ -227,7 +224,6 @@ fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0; fs_use_trans devpts system_u:object_r:devpts_t:s0; ``` -
## `genfscon` @@ -319,7 +315,6 @@ genfscon proc /fs/openafs system_u:object_r:proc_afs_t:s0 genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255 ``` -
diff --git a/src/global_config_files.md b/src/global_config_files.md index 2897e1b..3cc3bbd 100644 --- a/src/global_config_files.md +++ b/src/global_config_files.md @@ -9,7 +9,6 @@ important files are: - */etc/selinux/semanage.conf* - This is used by the SELinux policy configuration subsystem for modular or CIL policies. -
## */etc/selinux/config* @@ -83,7 +82,6 @@ SELINUX=permissive SELINUXTYPE=targeted ``` -
## */etc/selinux/semanage.conf* @@ -275,7 +273,6 @@ args = $@ [end] ``` -
## */etc/selinux/restorecond.conf* ## *restorecond-user.conf* @@ -319,14 +316,12 @@ directories). ~/public_html/* ``` -
## */etc/selinux/newrole_pam.conf* The optional *newrole\_pam.conf* file is used by ***newrole**(1)* and maps commands to ***PAM**(8)* service names. -
## */etc/sestatus.conf* @@ -367,7 +362,6 @@ List of processes to display context /usr/sbin/sshd ``` -
## */etc/security/sepermit.conf* @@ -413,7 +407,6 @@ example that describes the configuration: xguest:exclusive ``` -
diff --git a/src/implementing_seaware_apps.md b/src/implementing_seaware_apps.md index dbdbae4..244d3ac 100644 --- a/src/implementing_seaware_apps.md +++ b/src/implementing_seaware_apps.md @@ -36,7 +36,6 @@ SELinux-aware applications do not (they rely on 'Object Managers' to do this e.g. the kernel based Object Managers such as those that manage filesystem, IPC and network labeling). -
## Implementing SELinux-aware Applications @@ -96,7 +95,6 @@ developing SELinux-aware applications and object managers using explained at: -
## Implementing Object Managers @@ -157,7 +155,6 @@ classes/permissions. the [**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf), and for reference, the SE-PostgreSQL service also implements a similar interface. -
## Reference Policy Changes @@ -211,7 +208,6 @@ not require modification, and supplying the module files (*\*.te*, ## ``` -
## Adding New Object Classes and Permissions @@ -288,7 +284,6 @@ dynamic class/perm discovery: by the kernel. Then add allow rules as appropriate to the policy for the new permissions. -
    @@ -301,7 +296,6 @@ applied to their objects as defined by policy.
      @@ -992,7 +986,6 @@ to assist policy build:
-
diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md index 52232aa..d3dd2f1 100644 --- a/src/libselinux_functions.md +++ b/src/libselinux_functions.md @@ -1093,7 +1093,6 @@ The appropriate ***man**(3)* pages should consulted for detailed usage. -
diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md index f762614..d4be834 100644 --- a/src/lsm_selinux.md +++ b/src/lsm_selinux.md @@ -15,7 +15,6 @@ the SELinux kernel source code). The major areas covered are: 4. The SELinux filesystem */sys/fs/selinux*. 5. The */proc* filesystem area most applicable to SELinux. -
## The LSM Module @@ -90,7 +89,6 @@ inserted security hooks and structures to allow access control to be managed by 3rd party modules (see ./linux-3.14/include/linux/security.h).* -
| ***/proc/self/attr/*** **Permissions** | **File Name**| **Function** | | ------------ | ------------ | ------------------------------------------------------------------------ | @@ -145,7 +143,6 @@ hooks and structures. **Table 3:** *The core LSM source modules.* -
## The SELinux Module @@ -271,7 +268,6 @@ to see how some of these kernel source modules fit together. **Table 4: The core SELinux source modules** - *The .h files and those in the include directory have a number of useful comments.* -
### Fork System Call Walk-thorough @@ -337,7 +333,6 @@ is valid): required to check access permissions for Object Class `process` and permission `fork`.* -
### Process Transition Walk-thorough @@ -458,7 +453,6 @@ computed. This function will (assuming there are no errors): check if a transition is allowed from the `unconfined_t` domain to the `ext_gateway_t` domain.* -
![](./images/12-lsm-selinux-arch.png) @@ -466,7 +460,6 @@ check if a transition is allowed from the `unconfined_t` domain to the link to [**Figure 7**](domain_object_transitions.md#domain-transition) where the transition process is described.* -
#### SELinux Filesystem @@ -740,7 +733,6 @@ Notes: interfaces. -
diff --git a/src/mac.md b/src/mac.md index cfdc0e0..5c746f2 100644 --- a/src/mac.md +++ b/src/mac.md @@ -29,7 +29,6 @@ chain for DAC and MAC are shown in **Figure 3**. **Figure 3: Processing a System Call** - *The DAC checks are carried out first, if they pass then the Security Server is consulted for a decision.* -
SELinux supports two forms of MAC: @@ -63,7 +62,6 @@ application separation, for example SELinux enabled: [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section). -
diff --git a/src/mls_mcs.md b/src/mls_mcs.md index 2f80ac6..59ff4a0 100644 --- a/src/mls_mcs.md +++ b/src/mls_mcs.md @@ -111,7 +111,6 @@ The format used in the policy language statements is fully described in the [MLS Statements](mls_statements.md#mls-statements) section, however a brief overview follows. -
#### MLS / MCS Range Format @@ -146,7 +145,6 @@ user:role:type:sensitivity[:category,...] - sensitivity [:category,...] -
#### Translating Levels @@ -163,7 +161,6 @@ command can be used to set up this translation and is shown in the [**setrans.conf**](policy_config_files.md#setrans.conf) configuration file section. -
### Managing Security Levels via Dominance Rules @@ -282,13 +279,11 @@ the `mlsconstrain` statement as illustrated in **Table 2: MLS Security Levels** - *Showing the scope of a process running at a security range of `s0 - s3:c1.c5`.* -
![](./images/9-mls-constrain.png) **Figure 9: Showing the mlsconstrain Statements controlling Read Down & Write Up** - *This ties in with* **Table 2: MLS Security Levels** *that shows a process running with a security range of s0 - s3:c1.c5.* -
Using **Figure 9: `mlsconstrain` Statements controlling Read Down & Write Up**: @@ -359,7 +354,6 @@ An interesting point: evaluated. -
diff --git a/src/mls_statements.md b/src/mls_statements.md index 5731df8..d4a0c7f 100644 --- a/src/mls_statements.md +++ b/src/mls_statements.md @@ -61,14 +61,12 @@ the circumstances, there can be one level defined or a **Table 1: Sensitivity and Category = Security Level** - *this table shows the meanings depending on the context being discussed.* -
To make the security levels more meaningful, it is possible to use the setransd daemon to translate these to human readable formats. The **semanage**(8) command will allow this mapping to be defined as discussed in the [**setrans.conf**](policy_config_files.md#setrans.conf) section. -
#### MLS range Definition @@ -100,7 +98,6 @@ discussed at the start of the [**MLS section**](#mls-statements). -
## `sensitivity` @@ -179,7 +176,6 @@ sensitivity s15; sensitivity s0 alias secret wellmaybe ornot; ``` -
## `dominance` @@ -242,7 +238,6 @@ The statement is valid in: dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } ``` -
## `category` @@ -321,7 +316,6 @@ category c255; category c0 alias planning development benefits; ``` -
## `level` @@ -395,7 +389,6 @@ level s0:c0.c255; level s15:c0.c255; ``` -
## `range_transition` @@ -484,7 +477,6 @@ range_transition initrc_t auditd_exec_t:process s15:c0.c255; range_transition initrc_t cupsd_exec_t:process s15:c0.c255; ``` -
## `mlsconstrain` @@ -492,7 +484,6 @@ This is decribed in the [**Constraint Statements - `mlsconstrain`**](constraint_statements.md#mlsconstrain) section. -
## `mlsvalidatetrans` @@ -500,7 +491,6 @@ This is decribed in the [**Constraint Statements - `mlsvalidatetrans`**](constraint_statements.md#mlsvalidatetrans) section. -
diff --git a/src/modes.md b/src/modes.md index 0f714e4..f5ceaef 100644 --- a/src/modes.md +++ b/src/modes.md @@ -43,7 +43,6 @@ enforcement mode in its output, however it does not display individual domain or object manager enforcement modes. -
diff --git a/src/modular_policy_statements.md b/src/modular_policy_statements.md index 30ac4e0..2918010 100644 --- a/src/modular_policy_statements.md +++ b/src/modular_policy_statements.md @@ -3,7 +3,6 @@ This section contains statements used to support policy modules. They are not part of the kernel policy language. -
## `module` @@ -72,7 +71,6 @@ modules within the policy. module bind 1.0.0; ``` -
## `require` @@ -165,7 +163,6 @@ require { shmemhost shmemserv }; } ``` -
## `optional` @@ -266,7 +263,6 @@ optional { } # end optional ``` -
diff --git a/src/network_statements.md b/src/network_statements.md index ef1c873..da66612 100644 --- a/src/network_statements.md +++ b/src/network_statements.md @@ -68,7 +68,6 @@ Or `::` -
## `netifcon` @@ -161,7 +160,6 @@ netifcon eth2 system_u:object_r:netif_t:s0 system_u:object_r:netif_t:s0 ``` -
## `nodecon` @@ -260,7 +258,6 @@ This command will produce the following file in the default nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0 ``` -
## `portcon` @@ -352,7 +349,6 @@ This command will produce the following file in the default portcon udp 1234 system_u:object_r:reserved_port_t:s0 ``` -
diff --git a/src/network_support.md b/src/network_support.md index 309e863..b207247 100644 --- a/src/network_support.md +++ b/src/network_support.md @@ -63,7 +63,6 @@ the inode associated to the socket and not from the actual kernel socket structure (as currently there is no standard kernel/userspace interface to achieve this). -
## SECMARK @@ -177,7 +176,6 @@ The following articles explain the SECMARK service: - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) -
## NetLabel - Fallback Peer Labeling @@ -217,7 +215,6 @@ netlabelctl -p map list Note that the security contexts must be valid in the policy otherwise the commands will fail. -
## NetLabel – CIPSO/CALIPSO @@ -286,7 +283,6 @@ netlabelctl -p map list The examples use the *nb_client*/*nb_server* from the Notebook examples section, plus the standard Fedora 'targeted' policy for the tests. -
## Labeled IPSec @@ -431,7 +427,6 @@ article and a good reference covering **Basic Labeled IPsec Configuration** available at: -
## Labeled Network FileSystem (NFS) @@ -449,7 +444,6 @@ Labeled NFS clients must use a consistent security policy. The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. -
    @@ -459,7 +453,6 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels.
-
diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md index 498d872..833d4d6 100644 --- a/src/object_classes_permissions.md +++ b/src/object_classes_permissions.md @@ -69,7 +69,6 @@ Language, and the [**CIL Reference Guide**](./notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) specifies the CIL Policy Language. -
# Kernel Object Classes and Permissions @@ -667,7 +666,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes. -
## File Object Classes @@ -908,7 +906,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes. -
## Network Object Classes @@ -1134,7 +1131,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes. -
## IPSec Network Object Classes @@ -1215,7 +1211,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes. -
## Netlink Object Classes @@ -1616,7 +1611,6 @@ Netlink sockets communicate between userspace and the kernel – also see -
## Miscellaneous Network Object Classes @@ -1720,7 +1714,6 @@ Netlink sockets communicate between userspace and the kernel – also see -
## Sockets via *extended_socket_class* @@ -1908,7 +1901,6 @@ These socket classes that were introduced by the -
## BPF Object Class @@ -1947,7 +1939,6 @@ These socket classes that were introduced by the -
## Performance Event Object Class @@ -1990,7 +1981,6 @@ These socket classes that were introduced by the -
## Lockdown Object Class @@ -2021,7 +2011,6 @@ implementation. -
## IPC Object Classes @@ -2132,7 +2121,6 @@ implementation. -
## Process Object Class @@ -2298,7 +2286,6 @@ implementation. -
## Security Object Class @@ -2369,7 +2356,6 @@ implementation. -
## System Operation Object Class @@ -2456,7 +2442,6 @@ Note that while this is defined as a kernel object class, the userspace -
## Miscellaneous Kernel Object Classes @@ -2577,7 +2562,6 @@ Note that while this is defined as a kernel object class, the userspace -
## Capability Object Classes @@ -2657,7 +2641,6 @@ Note that while this is defined as a kernel object class, the userspace -
## InfiniBand Object Classes @@ -2699,7 +2682,6 @@ Note that while this is defined as a kernel object class, the userspace -
**Userspace** Object Classes ============================= @@ -3339,7 +3321,6 @@ These are userspace objects managed by XSELinux. -
## Database Object Classes @@ -3671,7 +3652,6 @@ explains the objects, their permissions and how they should be used in detail. -
## Miscellaneous Userspace Object Classes @@ -3886,7 +3866,6 @@ explains the objects, their permissions and how they should be used in detail. -
diff --git a/src/objects.md b/src/objects.md index 4ddac6e..e39e1b3 100644 --- a/src/objects.md +++ b/src/objects.md @@ -91,7 +91,6 @@ Where: -
![](./images/6-allow-rule.png) @@ -322,7 +321,6 @@ process itself should clear or shred the information before releasing the object (which can be difficult in some cases unless the source code is available). -
    @@ -333,7 +331,6 @@ associated with the file.

    -
    diff --git a/src/pam_login.md b/src/pam_login.md index 213a9f3..8d3a831 100644 --- a/src/pam_login.md +++ b/src/pam_login.md @@ -110,7 +110,6 @@ perform the following functions: to the context defined in the policy. -
    diff --git a/src/policy_config_files.md b/src/policy_config_files.md index 3178b08..6ce2020 100644 --- a/src/policy_config_files.md +++ b/src/policy_config_files.md @@ -29,7 +29,6 @@ additional two files are required: SELinux. - *./context/x_contexts* - To allow the X-Windows service to run under SELinux. -
    ## *seusers* @@ -75,7 +74,6 @@ __default__:user_u:s0-s0 - ***getseuser**(3)* - ***getseuserbyname**(3)* -
    ## *booleans* ## *booleans.local* @@ -123,7 +121,6 @@ Note that if *SETLOCALDEFS* is set in the SELinux in the ***selinux_booleans_path**(3)*, and also a *local.users* file in the ***selinux_users_path**(3)*. -
    ## *booleans.subs_dist* @@ -168,7 +165,6 @@ Supporting libselinux API functions are: - ***security_get_boolean_names**(3)* - ***security_set_boolean**(3)* -
    ## setrans.conf @@ -226,7 +222,6 @@ Supporting libselinux API functions are: - ***selinux_raw_to_trans_context**(3)* - ***selinux_trans_to_raw_context**(3)* -
    ## *secolor.conf* @@ -319,7 +314,6 @@ user : role : type : range black white white black tan orange black green ``` -
    ## *policy/policy.<ver>* @@ -336,7 +330,6 @@ discussed in the [**Types of SELinux Policy - Policy Versions**](types_of_policy.md#policy-versions) section. -
    ## *contexts/customizable_types* @@ -377,7 +370,6 @@ sysadm_untrusted_content_tmp_t - ***selinux_customizable_types_path**(3)* - ***selinux_context_path**(3)* -
    ## *contexts/default_contexts* @@ -464,7 +456,6 @@ The login process could now set the context correctly to *contexts/users/unconfined_u* configuration file instead could also have achieved this. -
    ## *contexts/dbus_contexts* @@ -492,7 +483,6 @@ information at: - ***selinux_context_path**(3)* -
    ## *contexts/default_type* @@ -530,7 +520,6 @@ user_r:user_t - ***selinux_default_type_path**(3)* - ***get_default_type**(3)* -
    ## *contexts/failsafe_context* @@ -572,7 +561,6 @@ sysadm_r:sysadm_t:s0 - ***get_ordered_context_list**(3)* - ***get_ordered_context_list_with_level**(3)* -
    ## *contexts/initrc_context* @@ -609,7 +597,6 @@ system_u:system_r:initrc_t:s0-s15:c0.c255 - ***selinux_context_path**(3)* -
    ## *contexts/lxc_contexts* @@ -665,7 +652,6 @@ sandbox_lxc_process = "system_u:system_r:container_t:s0" - ***selinux_context_path**(3)* - ***selinux_lxc_context_path**(3)* -
    ## *contexts/netfilter_contexts* - Obsolete @@ -677,7 +663,6 @@ matching of network packets - Never been used. - ***selinux_context_path**(3)* - ***selinux_netfilter_context_path**(3)* -
    ## *contexts/openrc_contexts* @@ -694,7 +679,6 @@ matching of network packets - Never been used. - ***selinux_context_path**(3)* - ***selinux_openrc_contexts_path**(3)* -
    ## *contexts/openssh_contexts* @@ -712,7 +696,6 @@ matching of network packets - Never been used. - ***selinux_context_path**(3)* - ***selinux_openssh_contexts_path**(3)* -
    ## *contexts/removable_context* @@ -745,7 +728,6 @@ system_u:object_r:removable_t:s0 - ***selinux_removable_context_path**(3)* -
    ## *contexts/sepgsql_contexts* @@ -786,7 +768,6 @@ db_database * system_u:object_r:sepgsql_db_t:s0 db_schema *.* system_u:object_r:sepgsql_schema_t:s0 ``` -
    ## *contexts/snapperd_contexts* @@ -804,7 +785,6 @@ db_schema *.* system_u:object_r:sepgsql_schema_t:s0 - ***selinux_context_path**(3)* - ***selinux_snapperd_contexts_path**(3)* -
    ## *contexts/securetty_types* @@ -838,7 +818,6 @@ staff_tty_device_t - ***selinux_securetty_types_path**(3)* -
    ## *contexts/systemd_contexts* @@ -874,7 +853,6 @@ runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 - ***selinux_context_path**(3)* - ***selinux_systemd_contexts_path**(3)* -
    ## *contexts/userhelper_context* @@ -906,7 +884,6 @@ system_u:sysadm_r:sysadm_t:s0 - ***selinux_context_path**(3)* -
    ## *contexts/virtual_domain_context* @@ -927,7 +904,6 @@ system_u:system_r:svirt_tcg_t:s0 - ***selinux_virtual_domain_context_path**(3)* -
    ## *contexts/virtual_image_context* @@ -948,7 +924,6 @@ system_u:object_r:virt_content_t:s0 - ***selinux_virtual_image_context_path**(3)* -
    ## *contexts/x_contexts* @@ -993,7 +968,6 @@ selection PRIMARY system_u:object_r:clipboard_xselection_t:s0 - ***selabel_lookup**(3)* - ***selabel_stats**(3)* -
    ## *contexts/files/file_contexts* @@ -1027,7 +1001,6 @@ compatible regular expression (PCRE) internal format. - ***selabel_lookup**(3)* - ***selabel_stats**(3)* -
    ## *contexts/files/file_contexts.local* @@ -1040,7 +1013,6 @@ file section to allow locally defined files to be labeled correctly. The - ***selinux_file_context_local_path**(3)* -
    ## *contexts/files/file_contexts.homedirs* @@ -1066,7 +1038,6 @@ Perl compatible regular expression (PCRE) internal format. - ***selinux_file_context_homedir_path**(3)* - ***selinux_homedir_context_path**(3)* -
    ## contexts/files/file_contexts.subs ## contexts/files/file_contexts.subs_dist @@ -1097,7 +1068,6 @@ with */var/www*, with the final result being: - ***matchpathcon**(3)* (deprecated) - ***matchpathcon_index**(3)* (deprecated) -
    ## *contexts/files/media* @@ -1137,7 +1107,6 @@ disk system_u:object_r:fixed_disk_device_t:s0 - ***selinux_media_context_path**(3)* -
    ## *contexts/users/[seuser_id]* @@ -1176,7 +1145,6 @@ system_r:init_t:s0 unconfined_r:unconfined_t:s0 - ***get_ordered_context_list**(3)* - ***get_ordered_context_list_with_level**(3)* -
    ## *logins/<linuxuser_id>* @@ -1230,7 +1198,6 @@ another_service:unconfined_u:s0 - ***getseuser**(3)* -
    ## users/local.users @@ -1251,7 +1218,6 @@ Note that if *SETLOCALDEFS* is set in the SELinux in the ***selinux_booleans_path**(3)*, and also a *local.users* file in the ***selinux_users_path**(3)*. -
      @@ -1260,7 +1226,6 @@ in the ***selinux_users_path**(3)*.
    -
    diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md index a69fbc0..4289136 100644 --- a/src/policy_config_statements.md +++ b/src/policy_config_statements.md @@ -63,7 +63,6 @@ continue to use the original functionality. policycap network_peer_controls; ``` -
    diff --git a/src/policy_languages.md b/src/policy_languages.md index 9bd4247..fe579fe 100644 --- a/src/policy_languages.md +++ b/src/policy_languages.md @@ -55,7 +55,6 @@ domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain) domain_entry_file(test_stat_domain, ls_exec_t) ``` -
    diff --git a/src/policy_store_config_files.md b/src/policy_store_config_files.md index fe857d1..45ff3fa 100644 --- a/src/policy_store_config_files.md +++ b/src/policy_store_config_files.md @@ -54,7 +54,6 @@ The command types are: - [***semanage user***](#activeusers.local) Manage SELinux confined users (Roles and levels for an SELinux user) -
    ## active/modules Directory Contents @@ -84,7 +83,6 @@ test_policy 400 pp ... ``` -
    ### *tmp* Policy Store (build failure) @@ -95,14 +93,12 @@ message indicating the failing line number is: `Failed to resolve mlsconstrain statement at /var/lib/selinux/targeted/tmp/modules/400/test_mlsconstrain/cil:1` -
    ## *active/commit_num* This is a binary file used by ***semanage*** for managing updates to the store. The format is not relevant to policy construction. -
    ### *active/policy.kern* @@ -112,7 +108,6 @@ is then becomes the */etc/selinux/<SELINUXTYPE>/policy/policy.<ver>* binary policy that will be loaded into the kernel. -
    ## *active/policy.linked* ## *active/seusers.linked* @@ -121,7 +116,6 @@ that will be loaded into the kernel. These are saved policy files prior to merging local changes to improve performance. -
    ## *active/booleans.local* @@ -143,7 +137,6 @@ the new value) if requested. daemons_enable_cluster_mode=1 ``` -
    ## *disable_dontaudit* @@ -152,7 +145,6 @@ to build the policy or ***semanage dontaudit***. It indicates that a policy has been built without the `dontaudit` rules. This allows utilities such as ***audit2allow**(8)* to list all denials to assist debugging policy. -
    ## *active/file_contexts* @@ -216,7 +208,6 @@ section. /var/run -dsystem_u:object_r:var_run_t:s0-s15:c0.c255 /usr/tmp -dsystem_u:object_r:tmp_t:s0-s15:c0.c255 ``` -
    ### Building the File Labeling Support Files @@ -274,7 +265,6 @@ files.* -
    Keywords that can be in policy source \*.fc files and then form the *file_contexts.template* file entries are: @@ -345,7 +335,6 @@ HOME_ROOT/lost\+found/.* <> /home -l gen_context(system_u:object_r:home_root_t,s0) ``` -
    ## *active/file_contexts.local* @@ -374,7 +363,6 @@ The resulting *file_contexts.local* file will be: /usr/move_file system_u:object_r:unlabeled_t:s0 ``` -
    ## *active/homedir_template* @@ -400,7 +388,6 @@ HOME_ROOT/\.journal <> HOME_DIR/.+ system_u:object_r:user_home_t:s0 ``` -
    ### *active/file_contexts.homedirs* @@ -437,7 +424,6 @@ libsepol library function. /home/[^/]+/.+ unconfined_u:object_r:user_home_t:s0 ``` -
    ## active/seusers ## active/seusers.local @@ -519,7 +505,6 @@ __default__:unconfined_u:s0-s0:c0.c1023 rch:user_u:s0 ``` -
    ## *active/users_extra* ## *active/users_extra.local* @@ -625,7 +610,6 @@ and the resulting *users.local* file will be: user test_u roles { staff_r } level s0 range s0; ``` -
    ## *active/interfaces.local* @@ -649,7 +633,6 @@ in the [**`netifcon`**](network_statements.md#netifcon) section. netifcon enp7s0 system_u:object_r:netif_t:s0:c20.c250 system_u:object_r:netif_t:s0:c20.c250 ``` -
    ## *active/nodes.local* @@ -674,7 +657,6 @@ with examples in the policy language nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0:c20.c250 ``` -
    ## *active/ports.local* @@ -700,7 +682,6 @@ with examples in the policy language portcon tcp 8888 system_u:object_r:port_t:s0:c20.c350 ``` -
    ## Set domain permissive mode @@ -720,7 +701,6 @@ Note that the CIL `typepermissive` statement is used, the equivalent kernel policy statement would be [**`permissive`**](type_statements.md#permissive). -
    diff --git a/src/policy_validation_example.md b/src/policy_validation_example.md index 50375ab..19a380d 100644 --- a/src/policy_validation_example.md +++ b/src/policy_validation_example.md @@ -93,7 +93,6 @@ options as described in the [**Global Configuration Files** - *semanage.conf*](global_config_files.md#etcselinuxsemanage.conf) file section. -
    diff --git a/src/polyinstantiation.md b/src/polyinstantiation.md index cd740fa..cf2b889 100644 --- a/src/polyinstantiation.md +++ b/src/polyinstantiation.md @@ -23,7 +23,6 @@ To clarify polyinstantiation support: function of the XSELinux Object Manager and the supporting XACE service. -
    ## Polyinstantiated Objects @@ -34,7 +33,6 @@ libselinux API functions. These are not limited to specific object classes, however only `dir`, `x_selection` and `x_property` objects are currently supported. -
    ## Polyinstantiation support in PAM @@ -104,7 +102,6 @@ instance, and the user name. If a new instance is being set up, the directory permissions are set and the ***restorecon**(8)* command is run to set the correct file contexts. -
    #### *namespace.conf* Configuration File @@ -140,7 +137,6 @@ Where: -
    ### Example Configurations @@ -207,7 +203,6 @@ following polyinstantiated directories: /home/rch/rch.inst/unconfined_u:unconfined_r:unconfined_t_rch ``` -
    ## Polyinstantiation support in X-Windows @@ -217,7 +212,6 @@ objects as discussed in the [**SELinux X-Windows Support**](x_windows.md#x-windows-selinux-support) section. -
    ## Polyinstantiation support in the Reference Policy @@ -231,7 +225,6 @@ The polyinstantiation of X-Windows objects (*x_selection* and *x_property*) are not currently supported by the reference policy. -
    diff --git a/src/rbac.md b/src/rbac.md index 25a4e07..b051d09 100644 --- a/src/rbac.md +++ b/src/rbac.md @@ -23,7 +23,6 @@ Some policies, for example Android, only make use of one role called `r`. access via user, role and domain type association.* -
    diff --git a/src/reference_policy.md b/src/reference_policy.md index b51f4b1..4d4fd5d 100644 --- a/src/reference_policy.md +++ b/src/reference_policy.md @@ -26,7 +26,6 @@ In most documentation the policy name is defined using the */etc/selinux/config* file entry **SELINUXTYPE=**. This part of the Notebook uses both forms. -
    ### Reference Policy Overview @@ -70,7 +69,6 @@ section explains a simple build from source. **Figure 26: The Reference Policy Source Tree** - *When building a modular policy, files are added to the policy store. For monolithic builds the policy store is not used.* -
    The Reference Policy can be used to build two policy types: @@ -93,7 +91,6 @@ forming a single 'base' source file. The Reference Policy relies heavily on the ***m4**(1)* macro processor as the majority of supporting services are m4 macros. -
    ### Distributing Policies @@ -135,7 +132,6 @@ The selinux-policy-sandbox rpm contains the sandbox module for use by the *policycoreutils-sandbox* package. This will be installed as a module for one of the three main policies described above. -
    ### Policy Functionality @@ -150,7 +146,6 @@ the *SELINUXTYPE* entry of the *build.conf* as shown in and can also confine other areas and users. - mls - MLS policy for server based systems. -
    ### Reference Policy Module Files @@ -313,7 +308,6 @@ interface(`ada_run',` /usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0) ``` -
    ### Reference Policy Documentation @@ -342,7 +336,6 @@ the ada module interfaces. **Figure 27: Example Documentation Screen Shot** -
    ## Reference Policy Source @@ -356,7 +349,6 @@ updated with the authors comments as necessary). There is also a VERSION file that contains the Reference Policy release date, this can then be used to obtain a change list . -
    ### Source Layout @@ -382,7 +374,6 @@ The section then describes how the initial source is installed and configured to allow a policy to be built. -
    ### Reference Policy Files and Directories @@ -542,14 +533,12 @@ modular policy is being built. This file is explained in the **Table 1: The Reference Policy Files and Directories** -
    ### Source Configuration Files There are two major configuration files (build.conf and modules.conf) that define the policy to be built and are detailed in this section. -
    #### Reference Policy Build Options - build.conf @@ -656,7 +645,6 @@ policy is built with examples shown in the **Table 2:** *build.conf* **Entries** -
    @@ -715,7 +703,6 @@ policy is built with examples shown in the **Table 3: m4 parameters set at build time** - *These have been extracted from the Reference Policy Makefile.* -
    #### Reference Policy Build Options - policy/modules.conf @@ -917,7 +904,6 @@ reference policy are different) **Table 4: Mandatory modules.conf Entries** -
    ##### Building the modules.conf File @@ -931,7 +917,6 @@ As will be seen in the pre-configured files that are used to produce the required policy including multiple versions of the *modules.conf* file. -
    ### Source Installation and Build Make Options @@ -1065,7 +1050,6 @@ taken from the *README* file. **Table 7: Monolithic Policy Build Make Targets** -
    ### Booleans, Global Booleans and Tunable Booleans @@ -1093,7 +1077,6 @@ built and used as follows:
    -
    ### Modular Policy Build Structure @@ -1222,7 +1205,6 @@ in **Table 9: Module Build**. **Table 8: Base Module Build** - *This shows the temporary build files used to build the base module 'base.conf' as a part of the 'make' process. Note that the modules marked as base in modules.conf are built here.* -
    @@ -1260,7 +1242,6 @@ in **Table 9: Module Build**. **Table 9: Module Build** - *This shows the module files and the temporary build files used to build each module as a part of the 'make' process (i.e. those modules marked as module in modules.conf).* -
    ### Creating Additional Layers @@ -1284,7 +1265,6 @@ completed: `ABC modules for the XYZ components.` -
    ## Installing and Building the Reference Policy Source @@ -1294,7 +1274,6 @@ the Fedora targeted policy. The Fedora version of the targeted policy build is discussed but building without using the rpm spec file is more complex. -
    ### Building Standard Reference Policy @@ -1435,7 +1414,6 @@ WERROR = n as ***apol**(8)* or loaded by editing the */etc/selinux/config* file, running '*touch /.autorelabel*' and rebooting the system. -
    ### Building the Fedora Policy @@ -1605,7 +1583,6 @@ QUIET = n '*touch /.autorelabel*' and rebooting the system. It should have the same number of rules, types, classes etc. as the original release. -
    ## Reference Policy Headers @@ -1642,7 +1619,6 @@ source two steps are required: - Copy the module interface files (*.if*) to the relevant module directories at: */usr/share/selinux/<SELINUXTYPE>/include/modules*. -
    ### Using the Reference Policy Headers @@ -1711,7 +1687,6 @@ modules built from headers. **Table 10: Header Policy Build Make Targets** -
    ### Using Fedora Supplied Headers @@ -1727,7 +1702,6 @@ manner as Fedora installs: - The documentation is installed in the */usr/share/doc/selinux-policy/html* directory. -
    ## Reference Policy Support Macros @@ -1876,7 +1850,6 @@ Incorrect: `policy_module (ftp, 1.7.0)` -
    ### Loadable Policy Macros @@ -1961,7 +1934,6 @@ require { } ``` -
    #### `gen_require` Macro @@ -2025,7 +1997,6 @@ require { } ``` -
    #### `optional_policy` Macro @@ -2193,7 +2164,6 @@ optional { } # end optional ``` -
    #### `gen_tunable` Macro @@ -2271,7 +2241,6 @@ gen_tunable(allow_ftpd_use_nfs, false) bool allow_ftpd_use_nfs false; ``` -
    #### `tunable_policy` Macro @@ -2349,7 +2318,6 @@ if (allow_ftpd_use_nfs && allow_ftpd_anon_write) { } # end allow_ftpd_use_nfs && allow_ftpd_anon_write ``` -
    #### `interface` Macro @@ -2470,7 +2438,6 @@ optional { } # end optional ``` -
    #### `template` Macro @@ -2624,7 +2591,6 @@ template(`djbdns_daemontools_domain_template',` ##### end djbdns_daemontools_domain_template(dnscache) depth: 0 ``` -
    ### Miscellaneous Macros @@ -2693,7 +2659,6 @@ where it is used to set the files security context. /dev/\.tmp-block-.* -c system_u:object_r:fixed_disk_device_t:s15:c0.c1023 ``` -
    #### `gen_user` Macro @@ -2790,7 +2755,6 @@ user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - s15 user root prefix sysadm; ``` -
    #### `gen_bool` Macro @@ -2924,7 +2888,6 @@ if( ! secure_mode_insmod ) { } ``` -
    ### MLS and MCS Macros @@ -2997,7 +2960,6 @@ category c1; category c1023; ``` -
    #### `gen_sens` Macro @@ -3066,7 +3028,6 @@ sensitivity s1; sensitivity s15; ``` -
    #### `gen_levels` Macro @@ -3137,7 +3098,6 @@ level s1:c0.c1023; level s15:c0.c1023; ``` -
    #### System High/Low Parameters @@ -3183,14 +3143,12 @@ s0:c0.c1023 c0.c1023 ``` -
    ### `ifdef` / `ifndef` Parameters This section contains examples of the common `ifdef` / `ifndef` parameters that can be used in module source files. -
    #### `hide_broken_symptoms` @@ -3212,7 +3170,6 @@ ifdef(`hide_broken_symptoms',` ') ``` -
    #### `enable_mls` and `enable_mcs` @@ -3241,7 +3198,6 @@ ifdef(`enable_mcs',` ') ``` -
    #### `enable_ubac` @@ -3272,7 +3228,6 @@ define(`basic_ubac_conditions',` ') ``` -
    #### `direct_sysadm_daemon` @@ -3296,7 +3251,6 @@ ifndef(`direct_sysadm_daemon',` ') ``` -
    ## Module Expansion Process @@ -3326,7 +3280,6 @@ section. **Figure 29: The expansion process** -
    diff --git a/src/role_statements.md b/src/role_statements.md index de86c8b..36fe4c3 100644 --- a/src/role_statements.md +++ b/src/role_statements.md @@ -91,7 +91,6 @@ role user_r types user_t; role user_r types chfn_t; ``` -
    ## `attribute_role` @@ -155,7 +154,6 @@ attribute_role role_list_1; attribute_role srole_list_2; ``` -
    ## `roleattribute` @@ -226,7 +224,6 @@ role service_r; roleattribute service_r role_list_1; ``` -
    ## `allow` @@ -297,7 +294,6 @@ Note that the role allow rule has the same keyword as the allow AV rule. allow sysadm_r secadm_r; ``` -
    ## `role_transition` @@ -371,7 +367,6 @@ Or from Policy version 25: `role_transition system_r unconfined_exec_t:process unconfined_r;` -
    ## `dominance` - Deprecated @@ -452,7 +447,6 @@ Where: dominance { role message_filter_r { role unconfined_r };} ``` -
    diff --git a/src/seandroid.md b/src/seandroid.md index 6cfa960..d9a184c 100644 --- a/src/seandroid.md +++ b/src/seandroid.md @@ -42,7 +42,6 @@ The sections that follow cover: 8. Logging and auditing 9. Configuration file formats -
    ## SE for Android Project Updates @@ -198,7 +197,6 @@ Build information for each device that includes device specific policy as discussed in the [**The SELinux Policy**](#the-selinux-policy) and [**Managing Device Policy Files**](#managing-device-policy-files) sections. -
    ## Kernel LSM / SELinux Support @@ -222,7 +220,6 @@ Kernel 5.0+ supports Dynamically Allocated Binder Devices, therefore configuring specific devices (e.g. **CONFIG_ANDROID_BINDER_DEVICES="binder"**) is no longer required (use ***CONFIG_ANDROID_BINDERFS=y*** instead). -
    ## Android Classes & Permissions @@ -466,7 +463,6 @@ not all are required for Android.
    -
    ## SELinux Commands @@ -529,7 +525,6 @@ for example: -
    ## SELinux Public Methods @@ -633,7 +628,6 @@ TV package *AboutFragment.java* calls **SELinux.isSELinuxEnabled()**. -
    ## Android Init Language SELinux Extensions @@ -680,7 +674,6 @@ service ueventd /system/bin/ueventd restorecon --recursive --skip-ce /data ``` -
    ## The SELinux Policy @@ -978,7 +971,6 @@ domains (not allowed) and `neverallow` assertions **version_policy** - Takes the given public platform policy, a private policy and a version number to produced a combined "versioned" policy file. -
    ## Logging and Auditing @@ -1002,7 +994,6 @@ in the kernel buffers that can be read using ***dmesg**(1)*: `adb shell dmesg` -
    ## Policy File Formats @@ -1117,7 +1108,6 @@ example taken from *device/generic/goldfish/fstab.ranchu*: /dev/block/pci/pci0000:00/0000:00:06.0/by-name/metadata /metadata ext4 ..... ``` -
    ### ***seapp_contexts*** @@ -1367,7 +1357,6 @@ LABEL USER PID PPID NAME u:r:untrusted_app:s0:c149,c256,c512,c768 u0_a149 1138 64 com.example.myapplication ``` -
    ### ***property_contexts*** @@ -1410,7 +1399,6 @@ ro.telephony.call_ring.multiple u:object_r:telephony_config_prop:s0 exact bool ro.telephony.default_cdma_sub u:object_r:telephony_config_prop:s0 exact int ``` -
    ### ***service_contexts*** @@ -1460,7 +1448,6 @@ manager u:object_r:service_manager_vndservice:s0 * u:object_r:default_android_vndservice:s0 ``` -
    ### ***mac_permissions.xml*** @@ -1548,7 +1535,6 @@ file: ``` -
    ### ***keys.conf*** @@ -1590,7 +1576,6 @@ USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem ``` -
    diff --git a/src/security_context.md b/src/security_context.md index 936e6a5..bb219cb 100644 --- a/src/security_context.md +++ b/src/security_context.md @@ -114,7 +114,6 @@ unconfined_u:object_r:out_file_t Message-11 # (see the process example above). The role remained as object_r. ``` -
    diff --git a/src/selinux_cmds.md b/src/selinux_cmds.md index 9bbeb32..077ffb6 100644 --- a/src/selinux_cmds.md +++ b/src/selinux_cmds.md @@ -153,7 +153,6 @@ has a page that details all the available tools and commands at: -
    diff --git a/src/selinux_overview.md b/src/selinux_overview.md index 10de4dc..0fa89b9 100644 --- a/src/selinux_overview.md +++ b/src/selinux_overview.md @@ -43,7 +43,6 @@ locations as follows: -
    ## Is SELinux useful @@ -125,7 +124,6 @@ The following maybe useful in providing a practical view of SELinux: 4. Older NSA documentation at: that is informative. -
    diff --git a/src/sid_statement.md b/src/sid_statement.md index 4e64b68..cbb3ec9 100644 --- a/src/sid_statement.md +++ b/src/sid_statement.md @@ -71,7 +71,6 @@ sid unlabeled sid fs ``` -
    ## `sid context` @@ -148,7 +147,6 @@ sid unlabeled sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255 ``` -
    diff --git a/src/subjects.md b/src/subjects.md index c3a3338..99459a1 100644 --- a/src/subjects.md +++ b/src/subjects.md @@ -37,7 +37,6 @@ under `semanage_t`). **Untrusted** - Everything else. -
      @@ -46,7 +45,6 @@ under `semanage_t`).
    -
    diff --git a/src/terminology.md b/src/terminology.md index c180633..59e9c0f 100644 --- a/src/terminology.md +++ b/src/terminology.md @@ -37,7 +37,6 @@ | UID | User Identifier | | XACE | X (windows) Access Control Extension | -
    ## Terminology @@ -118,7 +117,6 @@ core SELinux infrastructure. -
    diff --git a/src/title.md b/src/title.md index a686d52..68a4eb1 100644 --- a/src/title.md +++ b/src/title.md @@ -80,7 +80,6 @@ Android. **Object Classes and Permissions** - Describes the SELinux object classes and permissions. -
    diff --git a/src/toc.md b/src/toc.md index 5595512..70ffc9c 100644 --- a/src/toc.md +++ b/src/toc.md @@ -61,7 +61,6 @@ - [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips) - [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example) -
    diff --git a/src/type_enforcement.md b/src/type_enforcement.md index 6828404..898dae7 100644 --- a/src/type_enforcement.md +++ b/src/type_enforcement.md @@ -54,7 +54,6 @@ any SELinux service (i.e. it is only used to identify the type component), although as explained above CIL with namespaces does make identification of types easier. -
    ### Constraints @@ -85,7 +84,6 @@ The kernel policy language constraints are defined in the [**Constraint Statements**](constraint_statements.md#constraint-statements) section. -
    ### Bounds @@ -102,7 +100,6 @@ section defines the `typebounds` rule and also gives a summary of the `userbounds` and `rolebounds` rules. -
    diff --git a/src/types_of_policy.md b/src/types_of_policy.md index cbb755a..dcbe573 100644 --- a/src/types_of_policy.md +++ b/src/types_of_policy.md @@ -31,7 +31,6 @@ The type of SELinux policy can described in a number of ways: As can be seen the description of a policy can vary depending on the context. -
    ## Reference Policy @@ -57,7 +56,6 @@ number of RPMs. The Reference Policy can be built as a Monolithic policy or as a Modular policy that has a 'base module' with zero or more optional 'loadable modules'. -
    ## Policy Functionality Based on Name or Type @@ -95,7 +93,6 @@ The *NAME* and *TYPE* entries are defined in the reference policy [**Source Configuration Files**](reference_policy.md#source-configuration-files) section. -
    ## Custom Policy @@ -121,7 +118,6 @@ classes/permissions (see kernel *Documentation/admin-guide/LSM/SELinux.rst* for build instructions, also the [**Notebook Sample Policy - README**](./notebook-examples/selinux-policy/README.md)). -
    ## Monolithic Policy @@ -137,7 +133,6 @@ The Reference Policy supports building of monolithic policies. In some cases the kernel policy binary file is also called a monolithic policy. -
    ## Loadable Module Policy @@ -171,7 +166,6 @@ into the final [**binary policy**](#policy-versions) for loading into the kernel, see "[**SELinux Policy Module Primer**](http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/)". -
    ### Optional Policy @@ -180,7 +174,6 @@ The loadable module policy infrastructure supports an allows policy rules to be defined but only enabled in the binary policy once the conditions have been satisfied. -
    ## Conditional Policy @@ -204,7 +197,6 @@ the state of the boolean value or values. See the [**Conditional Policy Statements**](conditional_statements.md#conditional-policy-statements) section. -
    ## Binary Policy @@ -233,7 +225,6 @@ is supported by Fedora): */etc/selinux/targeted/policy/policy.32* -
    ## Policy Versions @@ -381,7 +372,6 @@ quoted (some SELinux utilities give both version numbers). **Table 1: Policy version descriptions** -
    diff --git a/src/users.md b/src/users.md index 44ffb7b..48ffa36 100644 --- a/src/users.md +++ b/src/users.md @@ -25,7 +25,6 @@ the [**Type Enforcement (TE)**](type_enforcement.md#type-enforcement) section. Some policies, for example Android, only make use of one user called `u`. -
From patchwork Tue Aug 4 01:34:41 2020
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 11699393
Subject: [RFC,selinux-notebook PATCH 13/18] all: unify example formatting (scripts, code, policy, etc) in markdown
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:34:41 -0400
Message-ID: <159650488135.8961.8180818265945682261.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>
User-Agent: StGit/0.23
X-Mailing-List: selinux@vger.kernel.org

While the impact to the rendered markdown, HTML, and PDF is minimal, this provides a more consistent look-and-feel when reading the raw markdown. The following script was used to do the conversion:

    for i in *.md; do
        sed 's/^[ \t]*`\([^`]\+\)`[ \t]*$/```\n\1\n```/p' -i $i
    done
Signed-off-by: Paul Moore --- src/apache_support.md | 4 +- src/avc_rules.md | 4 +- src/bounds_rules.md | 4 +- src/class_permission_statements.md | 12 ++++- src/computing_security_contexts.md | 4 +- src/conditional_statements.md | 8 +++- src/configuration_files.md | 4 +- src/constraint_statements.md | 20 +++++++-- src/default_rules.md | 16 +++++-- src/domain_object_transitions.md | 44 +++++++++++++++----- src/file_labeling_statements.md | 16 +++++-- src/implementing_seaware_apps.md | 4 +- src/infiniband_statements.md | 16 +++++-- src/lsm_selinux.md | 12 ++++- src/mls_statements.md | 32 +++++++++++--- src/modular_policy_statements.md | 12 ++++- src/network_statements.md | 52 ++++++++++++++++++----- src/network_support.md | 28 +++++++++---- src/pam_login.md | 4 +- src/policy_config_files.md | 80 +++++++++++++++++++++++++++--------- src/policy_config_statements.md | 4 +- src/policy_store_config_files.md | 52 ++++++++++++++++++----- src/policy_validation_example.md | 8 +++- src/polyinstantiation.md | 4 +- src/postgresql.md | 4 +- src/reference_policy.md | 80 +++++++++++++++++++++++++++--------- src/role_statements.md | 36 ++++++++++++---- src/seandroid.md | 28 +++++++++---- src/security_context.md | 4 +- src/sid_statement.md | 8 +++- src/type_enforcement.md | 8 +++- src/type_statements.md | 36 ++++++++++++---- src/types_of_policy.md | 4 +- src/user_statements.md | 8 +++- src/userspace_libraries.md | 8 +++- src/vm_support.md | 12 ++++- src/x_windows.md | 4 +- src/xen_statements.md | 32 +++++++++++--- src/xperm_rules.md | 8 +++- 39 files changed, 543 insertions(+), 181 deletions(-) diff --git a/src/apache_support.md b/src/apache_support.md index 22ce966..d74695a 100644 --- a/src/apache_support.md +++ b/src/apache_support.md 
@@ -7,7 +7,9 @@ library and policy that will allow finer grained access control when using Apache with threads. The additional Apache module is called `mod_selinux.so` and has a supporting policy module called `mod_selinux.pp`. -`dnf install mod_selinux` +``` +dnf install mod_selinux +``` The `mod_selinux` policy module makes use of the `typebounds` statement that was introduced into version 24 of the policy (requires a minimum kernel of diff --git a/src/avc_rules.md b/src/avc_rules.md index de8e9c3..d200caf 100644 --- a/src/avc_rules.md +++ b/src/avc_rules.md @@ -20,7 +20,9 @@ section. **The common format for Access Vector Rules are:** -`rule_name source_type target_type : class perm_set;` +``` +rule_name source_type target_type : class perm_set; +``` **Where:** diff --git a/src/bounds_rules.md b/src/bounds_rules.md index e890955..4aa68c4 100644 --- a/src/bounds_rules.md +++ b/src/bounds_rules.md @@ -23,7 +23,9 @@ context associated to threads in multi-threaded applications. **The statement definition is:** -`typebounds bounding_domain bounded_domain;` +``` +typebounds bounding_domain bounded_domain; +``` **Where:** diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md index eb42b1f..29cf855 100644 --- a/src/class_permission_statements.md +++ b/src/class_permission_statements.md @@ -22,7 +22,9 @@ There are two variants of the `class` statement for writing policy: Object classes are declared within a policy with the following statement definition: -`class class_id` +``` +class class_id +``` **Where:** @@ -95,7 +97,9 @@ Declare a `common` identifier and associate one or more `common` permissions. The statement definition is: -`common common_id { perm_set }` +``` +common common_id { perm_set } +``` **Where:** 
@@ -158,7 +162,9 @@ Inherit and / or associate permissions to a perviously declared `class` identifi **The statement definition is:** -`class class_id [ inherits common_set ] [ { perm_set } ]` +``` +class class_id [ inherits common_set ] [ { perm_set } ] +``` **Where:** diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md index 100a8cf..807c4f7 100644 --- a/src/computing_security_contexts.md +++ b/src/computing_security_contexts.md @@ -124,7 +124,9 @@ language statement as they are mounted, they are based on the filesystem type name (e.g. `ext4`) and their behaviour (e.g. `xattr`). For example if the policy specifies the following: -`fs_use_task pipefs system_u:object_r:fs_t:s0` +``` +fs_use_task pipefs system_u:object_r:fs_t:s0 +``` then as the `pipefs` filesystem is being mounted, the SELinux LSM security hook `selinux_set_mnt_opts` will call `security_fs_use` diff --git a/src/conditional_statements.md b/src/conditional_statements.md index 00159b6..218e1fc 100644 --- a/src/conditional_statements.md +++ b/src/conditional_statements.md @@ -66,7 +66,9 @@ initial state (`true` or `false`) that can then be used with the **The statement definition is:** -`bool bool_id default_value;` +``` +bool bool_id default_value; +``` **Where:** @@ -148,7 +150,9 @@ are: **The statement definition is:** -`if (conditional_expression) { true_list } [ else { false_list } ]` +``` +if (conditional_expression) { true_list } [ else { false_list } ] +``` **Where:** diff --git a/src/configuration_files.md b/src/configuration_files.md index 10092c6..9cb97cd 100644 --- a/src/configuration_files.md +++ b/src/configuration_files.md 
@@ -157,7 +157,9 @@ format. This is achieved via a *pp* to CIL high level language conversion utility located at */usr/libexec/selinux/hll/pp*. This utility can be used manually as follows: - `cat module_name.pp | /usr/libexec/selinux/hll/pp > module_name.cil` +``` +cat module_name.pp | /usr/libexec/selinux/hll/pp > module_name.cil +``` There is no man page for '*pp*', however the help text is as follows: diff --git a/src/constraint_statements.md b/src/constraint_statements.md index 9708306..e2c088f 100644 --- a/src/constraint_statements.md +++ b/src/constraint_statements.md @@ -8,7 +8,9 @@ source and target types, roles and users as described in the examples. **The statement definition is:** -`constrain class perm_set expression;` +``` +constrain class perm_set expression; +``` **Where:** @@ -185,7 +187,9 @@ Note there are no `validatetrans` statements specified within the **The statement definition is:** -`validatetrans class expression;` +``` +validatetrans class expression; +``` **Where:** @@ -266,7 +270,9 @@ Note there are no `validatetrans` statements specified within the **Example:** -`validatetrans { file } { t1 == unconfined_t );` +``` +validatetrans { file } { t1 == unconfined_t ); +``` ## `mlsconstrain` @@ -278,7 +284,9 @@ in the examples. **The statement definition is:** -`mlsconstrain class perm_set expression;` +``` +mlsconstrain class perm_set expression; +``` **Where:** @@ -405,7 +413,9 @@ third `u3.r3.t3` is the context of the process performing the transition. **The statement definition is:** -`mlsvalidatetrans class expression;` +``` +mlsvalidatetrans class expression; +``` **Where:** diff --git a/src/default_rules.md b/src/default_rules.md index e759a84..336d161 100644 --- a/src/default_rules.md +++ b/src/default_rules.md @@ -12,7 +12,9 @@ Requires policy version 27. **The statement definition is:** -`default_user class default;` +``` +default_user class default; +``` **Where:** 
@@ -86,7 +88,9 @@ Requires policy version 27. **The statement definition is:** -`default_role class default;` +``` +default_role class default; +``` **Where:** @@ -160,7 +164,9 @@ Requires policy version 28. **The statement definition is:** -`default_type class default;` +``` +default_type class default; +``` **Where:** @@ -240,7 +246,9 @@ greater of the low sensitivities and the lower of the high sensitivities. **The statement definition is:** -`default_range class [default range] | [glblub];` +``` +default_range class [default range] | [glblub]; +``` **Where:** diff --git a/src/domain_object_transitions.md b/src/domain_object_transitions.md index 2c5e45a..8882da9 100644 --- a/src/domain_object_transitions.md +++ b/src/domain_object_transitions.md @@ -20,14 +20,18 @@ two ways a process can define a domain transition: themselves SELinux-aware. This is the most common method and would be in the form of the following statement: -`type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;` +``` +type_transition unconfined_t secure_services_exec_t : process ext_gateway_t; +``` 1. SELinux-aware applications can specify the domain of the new process using the **libselinux** API call ***setexeccon**(3)*. To achieve this the SELinux-aware application must also have the setexec permission, for example: -`allow crond_t self:process setexec;` +``` +allow crond_t self:process setexec; +``` However, before any domain transition can take place the policy must specify that: 
@@ -63,18 +67,24 @@ bullet numbers correspond to the numbers shown in **Figure 7: Domain Transition* 1. The *domain* needs permission to *transition* into the `ext_gateway_t` (target) domain: -`allow unconfined_t ext_gateway_t : process transition;` +``` +allow unconfined_t ext_gateway_t : process transition; +``` 2. The executable file needs to be *executable* in the `unconfined_t` (source) domain, and therefore also requires that the file is readable: -`allow unconfined_t secure_services_exec_t : file { execute read getattr };` +``` +allow unconfined_t secure_services_exec_t : file { execute read getattr }; +``` 3. The executable file needs an *entry point* into the `ext_gateway_t` (target) domain: -`allow ext_gateway_t secure_services_exec_t : file entrypoint;` +``` +allow ext_gateway_t secure_services_exec_t : file entrypoint; +``` These are shown in **Figure 7: Domain Transition** where `unconfined_t` forks a child process, that then exec's the new program into a new domain @@ -96,11 +106,15 @@ intention was to have both of these transition to their respective domains via `type_transition` statements. The `ext_gateway_t` statement would be: -`type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;` +``` +type_transition unconfined_t secure_services_exec_t : process ext_gateway_t; +``` and the `int_gateway_t` statement would be: -`type_transition unconfined_t secure_services_exec_t : process int_gateway_t;` +``` +type_transition unconfined_t secure_services_exec_t : process int_gateway_t; +``` However, when linking these two loadable modules into the policy, the following error was given: 
@@ -215,7 +229,9 @@ that of its parent. For example a file is being created that requires a different label to that of its parent directory. This can be achieved automatically using a `type_transition` statement as follows: -`type_transition ext_gateway_t in_queue_t:file in_file_t;` +``` +type_transition ext_gateway_t in_queue_t:file in_file_t; +``` The following details an object transition used in n example *ext_gateway.conf* loadable module where by default, files would be labeled @@ -251,16 +267,22 @@ rules, where: 1. The source domain needs permission to *add file entries into the directory*: -`allow ext_gateway_t in_queue_t : dir { write search add_name };` +``` +allow ext_gateway_t in_queue_t : dir { write search add_name }; +``` 2. The source domain needs permission to *create file entries*: -`allow ext_gateway_t in_file_t : file { write create getattr };` +``` +allow ext_gateway_t in_file_t : file { write create getattr }; +``` 3. The policy can then ensure (via the SELinux kernel services) that files created in the `in_queue` are relabeled: -`type_transition ext_gateway_t in_queue_t : file in_file_t;` +``` +type_transition ext_gateway_t in_queue_t : file in_file_t; +``` An example output from a directory listing shows the resulting file labels: diff --git a/src/file_labeling_statements.md b/src/file_labeling_statements.md index dad3361..cd6bd55 100644 --- a/src/file_labeling_statements.md +++ b/src/file_labeling_statements.md @@ -25,7 +25,9 @@ section. **The statement definition is:** -`fs_use_xattr fs_name fs_context;` +``` +fs_use_xattr fs_name fs_context; +``` **Where:** @@ -93,7 +95,9 @@ sockets. **The statement definition is:** -`fs_use_task fs_name fs_context;` +``` +fs_use_task fs_name fs_context; +``` **Where:** @@ -164,7 +168,9 @@ filesystem type based on transition rules. **The statement definition is:** -`fs_use_trans fs_name fs_context;` +``` +fs_use_trans fs_name fs_context; +``` **Where:** 
@@ -239,7 +245,9 @@ semi-colon on this statement. **The statement definition is:** -`genfscon fs_name partial_path fs_context` +``` +genfscon fs_name partial_path fs_context +``` **Where:** diff --git a/src/implementing_seaware_apps.md b/src/implementing_seaware_apps.md index 244d3ac..d2cd9c4 100644 --- a/src/implementing_seaware_apps.md +++ b/src/implementing_seaware_apps.md @@ -224,7 +224,9 @@ The class configuration file is at: and each entry must be added to the end of the file in the following format: -`class object_name # userspace` +``` +class object_name # userspace +``` Where ***class*** is the class keyword and *object_name* is the name of the object. The `# userspace` is used by build scripts to detect userspace diff --git a/src/infiniband_statements.md b/src/infiniband_statements.md index 79c29da..6d46d37 100644 --- a/src/infiniband_statements.md +++ b/src/infiniband_statements.md @@ -19,7 +19,9 @@ the policy using the ***semanage ibpkey*** command that will associate the **The statement definition is:** -`ibpkeycon subnet pkey pkey_context` +``` +ibpkeycon subnet pkey pkey_context +``` **Where:** @@ -80,7 +82,9 @@ ibpkeycon fe80:: 0-0x10 system_u:object_r:public_ibpkey_t:s0 ***semanage**(8)* **Command example:** -`semanage ibpkey -a -t default_ibpkey_t -x fe80:: 0xFFFF` +``` +semanage ibpkey -a -t default_ibpkey_t -x fe80:: 0xFFFF +``` The above command will produce the following file: */var/lib/selinux/<SELINUXTYPE>/active/ibpkeys.local* @@ -104,7 +108,9 @@ end port to a security context. **The statement definition is:** -`ibendportcon device_id port_number port_context` +``` +ibendportcon device_id port_number port_context +``` **Where:** 
@@ -165,7 +171,9 @@ ibendportcon mlx5_0 1 system_u:object_r:opensm_ibendport_t:s0 ***semanage**(8)* **Command example:** -`semanage ibendport -a -t opensm_ibendport_t -z mlx4_0 2` +``` +semanage ibendport -a -t opensm_ibendport_t -z mlx4_0 2 +``` This command will produce the following file */var/lib/selinux/<SELINUXTYPE>/active/ibendports.local* in the default diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md index d4be834..ffb4214 100644 --- a/src/lsm_selinux.md +++ b/src/lsm_selinux.md @@ -53,9 +53,13 @@ The basic idea behind LSM is to: services by extending the */proc* filesystem with a security namespace as shown in . These are located at: - `/proc//attr/` +``` +/proc//attr/ +``` - `/proc//task//attr/` +``` +/proc//task//attr/ +``` Where `` is the process id, `` is the thread id, and `` is the entry described in **Table 2: /proc Filesystem attribute files**. @@ -67,7 +71,9 @@ entry described in **Table 2: /proc Filesystem attribute files**. - Later kernels (ver ?) allow 'module stacking' where the LSM modules can be called in a predifined order, for example: - `lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf` +``` +lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf +``` It should be noted that the LSM does not provide any security services itself, only the hooks and structures for supporting 3rd diff --git a/src/mls_statements.md b/src/mls_statements.md index d4a0c7f..1cc5733 100644 --- a/src/mls_statements.md +++ b/src/mls_statements.md @@ -3,7 +3,9 @@ The optional MLS policy extension adds an additional security context component that consists of the following highlighted entries: -`user:role:type:sensitivity[:category,...]- sensitivity [:category,...]` +``` +user:role:type:sensitivity[:category,...]- sensitivity [:category,...] +``` These consist of a mandatory hierarchical [**sensitivity**](#sensitivity) and optional 
@@ -76,7 +78,9 @@ discussed at the start of the [**MLS section**](#mls-statements). **The definition is:** -`low_level [ - high_level ]` +``` +low_level [ - high_level ] +``` **Where:** @@ -106,7 +110,9 @@ and optional alias identifiers. **The statement definition is:** -`sensitivity sens_id [alias sensitivityalias_id ...];` +``` +sensitivity sens_id [alias sensitivityalias_id ...]; +``` **Where:** @@ -185,7 +191,9 @@ required to define the actual hierarchy between all sensitivities. **The statement definition is:** -`dominance { sensitivity_id ... }` +``` +dominance { sensitivity_id ... } +``` **Where:** @@ -246,7 +254,9 @@ identifiers and optional alias identifiers. **The statement definition is:** -`category category_id [alias categoryalias_id ...];` +``` +category category_id [alias categoryalias_id ...]; +``` **Where:** @@ -327,7 +337,9 @@ Note there must only be one `level` statement for each **The statement definition is:** -`level sensitivity_id [ :category_id ];` +``` +level sensitivity_id [ :category_id ]; +``` **Where:** @@ -400,11 +412,15 @@ enhanced in Policy version 21 to accept other object classes. **The statement definition is (for pre-policy version 21):** -`range_transition source_type target_type new_range;` +``` +range_transition source_type target_type new_range; +``` **or (for policy version 21 and greater):** -`range_transition source_type target_type : class new_range;` +``` +range_transition source_type target_type : class new_range; +``` **Where:** diff --git a/src/modular_policy_statements.md b/src/modular_policy_statements.md index 2918010..564c2be 100644 --- a/src/modular_policy_statements.md +++ b/src/modular_policy_statements.md @@ -15,7 +15,9 @@ modules within the policy. **The statement definition is:** -`module module_name version_number;` +``` +module module_name version_number; +``` **Where:** 
@@ -88,7 +90,9 @@ The require statement is used for two reasons: **The statement definition is:** -`require { rule_list }` +``` +require { rule_list } +``` **Where:** @@ -174,7 +178,9 @@ a [**`require`**](#require) statement at the start of the list. **The statement definition is:** -`optional { rule_list } [ else { rule_list } ]` +``` +optional { rule_list } [ else { rule_list } ] +``` **Where:** diff --git a/src/network_statements.md b/src/network_statements.md index da66612..8049aa7 100644 --- a/src/network_statements.md +++ b/src/network_statements.md @@ -33,14 +33,18 @@ sid port system_u:object_r:port_t:s0 IPv4 addresses are represented in dotted-decimal notation (four numbers, each ranging from 0 to 255, separated by dots as shown: -`192.77.188.166` +``` +192.77.188.166 +``` ### IPv6 Address Formats IPv6 addresses are written as eight groups of four hexadecimal digits, where each group is separated by a colon ':' as follows: -`2001:0db8:85a3:0000:0000:8a2e:0370:7334` +``` +2001:0db8:85a3:0000:0000:8a2e:0370:7334 +``` To shorten the writing and presentation of addresses, the following rules apply: @@ -48,25 +52,35 @@ rules apply: 1. Any leading zeros in a group may be replaced with a single '0' as shown: -`2001:db8:85a3:0:0:8a2e:370:7334` +``` +2001:db8:85a3:0:0:8a2e:370:7334 +``` 2. Any leading zeros in a group may be omitted and be replaced with two colons '::', however this is only allowed once in an address as follows: -`2001:db8:85a3::8a2e:370:7334` +``` +2001:db8:85a3::8a2e:370:7334 +``` 3. The *localhost* (loopback) address can be written as: -`0000:0000:0000:0000:0000:0000:0000:0001` +``` +0000:0000:0000:0000:0000:0000:0000:0001 +``` Or -`::1` +``` +::1 +``` 4. An undetermined IPv6 address i.e. all bits are zero is written as: -`::` +``` +:: +``` ## `netifcon` 
@@ -80,7 +94,9 @@ the interface to a security context. **The statement definition is:** -`netifcon netif_id netif_context packet_context` +``` +netifcon netif_id netif_context packet_context +``` **Where:** @@ -145,7 +161,9 @@ netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c255 system_u:object_r:unla ***semanage**(8)* **Command example:** -`semanage interface -a -t netif_t eth2` +``` +semanage interface -a -t netif_t eth2 +``` This command will produce the following file in the default <SELINUXTYPE> policy store and then activate the policy: @@ -174,7 +192,9 @@ context. **The statement definition is:** -`nodecon subnet netmask node_context` +``` +nodecon subnet netmask node_context +``` **Where:** @@ -244,7 +264,9 @@ nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255 ***semanage**(8)* **Command example:** -`semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2` +``` +semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2 +``` This command will produce the following file in the default <SELINUXTYPE> policy store and then activate the policy: @@ -269,7 +291,9 @@ policy using the ***semanage**(8)* 'port' command that will associate the port **The statement definition is:** -`portcon protocol port_number port_context` +``` +portcon protocol port_number port_context +``` **Where:** @@ -335,7 +359,9 @@ portcon udp 1-599 system_u:object_r:reserved_port_t:s0 ***semanage**(8)* **Command example:** -`semanage port -a -t reserved_port_t -p udp 1234` +``` +semanage port -a -t reserved_port_t -p udp 1234 +``` This command will produce the following file in the default <SELINUXTYPE> policy store and then activate the policy: diff --git a/src/network_support.md b/src/network_support.md index b207247..63df855 100644 --- a/src/network_support.md +++ b/src/network_support.md 
@@ -40,16 +40,22 @@ SELinux filesystem as shown in the To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to be installed: -`dnf install netlabel_tools` +``` +dnf install netlabel_tools +``` To support Labeled IPSec the IPSec tools need to be installed: -`dnf install ipsec-tools` +``` +dnf install ipsec-tools +``` It is also possible to use an alternative Labeled IPSec service that was OpenSwan but is now distributed as LibreSwan: -`dnf install libreswan` +``` +dnf install libreswan +``` It is important to note that the kernel must be configured to support these services. The Fedora kernels are configured to handle all the above @@ -246,7 +252,9 @@ the LSM infrastructure. The implementation supports: show in **Figure 15**). - Note that CALIPSO only supports this option, and an example ***netlabelctl**(8)* command setting a DOI of 16 is: - `netlabelctl calipso add pass doi:16` +``` +netlabelctl calipso add pass doi:16 +``` ![](./images/15-mls1.png) @@ -395,7 +403,9 @@ echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy By default Fedora does not enable IPSEC via its default firewall configuration, therefore the server side requires the following command: -`firewall-cmd --add-service ipsec` +``` +firewall-cmd --add-service ipsec +``` There are two simple examples in the [***notebook-examples/network/ipsec***](notebook-examples/network/README.md) @@ -434,11 +444,15 @@ Version 4.2 of NFS supports labeling between client/server and requires the ***exports**(5)* / ***exportfs**(8)* '*security_label*' option to be set: -`exportfs -o rw,no_root_squash,security_label localhost:$MOUNT` +``` +exportfs -o rw,no_root_squash,security_label localhost:$MOUNT +``` Labeled NFS requires kernel 3.14 and the following package installed: -`dnf install nfs-utils` +``` +dnf install nfs-utils +``` Labeled NFS clients must use a consistent security policy. diff --git a/src/pam_login.md b/src/pam_login.md index 8d3a831..02878ab 100644 --- a/src/pam_login.md 
+++ b/src/pam_login.md @@ -37,7 +37,9 @@ section and also the ***sepermit.conf**(5)*. The main login service related PAM configuration files (e.g. *gdm*) consist of multiple lines of information that are formatted as follows: -`service type control module-path arguments` +``` +service type control module-path arguments +``` **Where:** diff --git a/src/policy_config_files.md b/src/policy_config_files.md index 6ce2020..aa4f1d1 100644 --- a/src/policy_config_files.md +++ b/src/policy_config_files.md @@ -3,7 +3,9 @@ Each file discussed in this section is relative to the policy name as follows: -`/etc/selinux/` +``` +/etc/selinux/ +``` All files under this area form the 'running policy' once the [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) files @@ -97,7 +99,9 @@ Both files have the same format and contain one or more boolean names. **The format is:** -`boolean_name value` +``` +boolean_name value +``` **Where:** @@ -136,7 +140,9 @@ the translated name. Each line within the substitution file *booleans.subs_dist* is: -`policy_bool_name new_name` +``` +policy_bool_name new_name +``` **Where:** @@ -181,7 +187,9 @@ The daemon will not load unless a valid MCS or MLS policy is active. The translations can be disabled by adding the following line to the file: -`disable = 1` +``` +disable = 1 +``` This file will also support the display of information in colour. The configuration file that controls this is called *secolor.conf* and is @@ -340,7 +348,9 @@ list unless the -F flag is used (see the man pages). **The file format is as follows:** -`type` +``` +type +``` **Where:** @@ -388,7 +398,9 @@ login applications) where: **The file format is as follows:** -`role:type[:range] role:type[:range] ...` +``` +role:type[:range] role:type[:range] ... +``` **Where:** 
@@ -449,7 +461,9 @@ The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the *default_contexts* file entries were set to: -`unconfined_r:unconfined_t unconfined_r:unconfined_t` +``` +unconfined_r:unconfined_t unconfined_r:unconfined_t +``` The login process could now set the context correctly to `unconfined_r:unconfined_t`. Note that adding the same entry to the @@ -491,7 +505,9 @@ The **default_type**(5) file allows SELinux-aware applications such as **The file format is as follows:** -`role:type` +``` +role:type +``` **Where:** @@ -529,7 +545,9 @@ to allow an administrator access to the system. **The file format is as follows:** -`role:type[:range]` +``` +role:type[:range] +``` **Where:** @@ -570,7 +588,9 @@ used by other SELinux-aware applications for the same purpose. **The file format is as follows:** -`user:role:type[:range]` +``` +user:role:type[:range] +``` **Where:** @@ -689,7 +709,9 @@ matching of network packets - Never been used. **Example file contents:** -`privsep_preauth=sshd_net_t` +``` +privsep_preauth=sshd_net_t +``` **Supporting libselinux API functions are:** @@ -705,7 +727,9 @@ should be used for removable devices that are not defined in the **The file format is as follows:** -`user:role:type[:range]` +``` +user:role:type[:range] +``` **Where:** @@ -736,7 +760,9 @@ database objects and is descibed in ***selabel_db**(5)*. **The file format is as follows:** -`object_type object_name context` +``` +object_type object_name context +``` **Where:** @@ -778,7 +804,9 @@ db_schema *.* system_u:object_r:sepgsql_schema_t:s0 **Example file contents:** -`snapperd_data = system_u:object_r:snapperd_data_t:s0` +``` +snapperd_data = system_u:object_r:snapperd_data_t:s0 +``` **Supporting libselinux API functions are:** @@ -793,7 +821,9 @@ to find the type to use with tty devices when changing roles or levels. **The file format is as follows:** -`type` +``` +type +``` **Where:** 
@@ -825,7 +855,9 @@ This file contains security contexts to be used by tasks run via ***systemd**(8) **The file format is as follows:** -`service_class = security_context` +``` +service_class = security_context +``` **Where:** @@ -861,7 +893,9 @@ system-config-* applications when running from root. **The file format is as follows:** -`security_context` +``` +security_context +``` **Where:** @@ -1058,7 +1092,9 @@ Then (for example), when ***selabel_lookup**(3)* is passed a path */myweb/index.html* the functions will substitute the */myweb* component with */var/www*, with the final result being: -`/var/www/index.html` +``` +/var/www/index.html +``` **Supporting libselinux API functions are:** @@ -1078,7 +1114,9 @@ is used instead. **The file format is as follows:** -`media_id file_context` +``` +media_id file_context +``` **Where:** @@ -1165,7 +1203,9 @@ used to retrieve default information. **The file format is as follows:** -`service_name:seuser_id:level` +``` +service_name:seuser_id:level +``` **Where:** diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md index 4289136..351513c 100644 --- a/src/policy_config_statements.md +++ b/src/policy_config_statements.md @@ -10,7 +10,9 @@ continue to use the original functionality. **The statement definition is:** -`policycap capability;` +``` +policycap capability; +``` **Where:** diff --git a/src/policy_store_config_files.md b/src/policy_store_config_files.md index 45ff3fa..de7e9dc 100644 --- a/src/policy_store_config_files.md +++ b/src/policy_store_config_files.md 
@@ -91,7 +91,9 @@ the *tmp* directory (*/var/lib/selinux<SELINUXTYPE>/tmp*) will contain a copy of the failed policy for inspection. An example ***semodule*** failure message indicating the failing line number is: -`Failed to resolve mlsconstrain statement at /var/lib/selinux/targeted/tmp/modules/400/test_mlsconstrain/cil:1` +``` +Failed to resolve mlsconstrain statement at /var/lib/selinux/targeted/tmp/modules/400/test_mlsconstrain/cil:1 +``` ## *active/commit_num* @@ -126,7 +128,9 @@ the new value) if requested. **Example** ***semanage boolean*** **command to modify a boolean value:** -`semanage boolean -m --on daemons_enable_cluster_mode` +``` +semanage boolean -m --on daemons_enable_cluster_mode +``` **The resulting** *booleans.local* **file will be:** @@ -235,7 +239,9 @@ files.* **The format of these files is:** -`pathname_regexp [file_type] security_context | <>` +``` +pathname_regexp [file_type] security_context | <> +``` **Where:** @@ -352,7 +358,9 @@ The format of the *file_contexts.local* file is the same as the Example ***semanage fcontext*** command to add a new entry: -`semanage fcontext -a -t unlabeled_t /usr/move_file` +``` +semanage fcontext -a -t unlabeled_t /usr/move_file +``` The resulting *file_contexts.local* file will be: @@ -452,7 +460,9 @@ The *seusers* file is built or modified when: **The format of the** *seusers* & *seusers.local* **files are as follows:** -`[%]user_id:seuser_id[:range]` +``` +[%]user_id:seuser_id[:range] +``` **Where:** @@ -483,7 +493,9 @@ __default__:unconfined_u:s0-s0:c0.c1023 now use ***semanage login*** command to add a Linux user: -`semanage login -a -s user_u rch` +``` +semanage login -a -s user_u rch +``` the resulting *seusers.local* file will be: @@ -540,7 +552,9 @@ follows: **The format of the** *users_extra* & *users_extra.local* **files are:** -`user seuser_id prefix prefix_id;` +``` +user seuser_id prefix prefix_id; +``` **Where:** 
@@ -577,7 +591,9 @@ user root prefix user; **Example** ***semanage user*** **command to add a new SELinux user:** -`semanage user -a -R staff_r -P staff test_u` +``` +semanage user -a -R staff_r -P staff test_u +``` the resulting *users_extra.local* file is as follows: @@ -622,7 +638,9 @@ in the [**`netifcon`**](network_statements.md#netifcon) section. **Example** ***semanage interface*** **command:** -`semanage interface -a -t netif_t -r s0:c20.c250 enp7s0` +``` +semanage interface -a -t netif_t -r s0:c20.c250 enp7s0 +``` **The resulting** *interfaces.local* **file will be:** @@ -646,7 +664,9 @@ with examples in the policy language **Example** ***semanage node*** **command:** -`semanage node -a -M 255.255.255.255 -t node_t -r s0:c20.c250 -p ipv4 127.0.0.2` +``` +semanage node -a -M 255.255.255.255 -t node_t -r s0:c20.c250 -p ipv4 127.0.0.2 +``` **The resulting** *nodes.local* **file will be:** @@ -671,7 +691,9 @@ with examples in the policy language **Example** ***semanage port*** **command:** -`semanage port -a -t port_t -p tcp -r s0:c20.c350 8888` +``` +semanage port -a -t port_t -p tcp -r s0:c20.c350 8888 +``` **The resulting** *ports.local* **file will be:** @@ -690,12 +712,16 @@ module that sets the requested domain in permissive mode. **Example** ***semanage permissive*** **command to set permissive mode:** -`semanage permissive -a tabrmd_t` +``` +semanage permissive -a tabrmd_t +``` This will by default add a CIL policy module to *active/modules/400/permissive_tabrmd_t*, that if expanded will contain: -`(typepermissive tabrmd_t)` +``` +(typepermissive tabrmd_t) +``` Note that the CIL `typepermissive` statement is used, the equivalent kernel policy statement would be [**`permissive`**](type_statements.md#permissive). diff --git a/src/policy_validation_example.md b/src/policy_validation_example.md index 19a380d..857a2a5 100644 --- a/src/policy_validation_example.md +++ b/src/policy_validation_example.md 
@@ -50,7 +50,9 @@ args = $@ Next try rebuilding the policy with no changes: -`semodule -B` +``` +semodule -B +``` It should succeed, therefore build a module that would violate this rule: @@ -86,7 +88,9 @@ semodule: Failed! Now run ***sesearch*** to ensure that there is no matching rule: -`sesearch --allow -s user_t -t shadow_t -c file` +``` +sesearch --allow -s user_t -t shadow_t -c file +``` Note that there are also a **\[verify module\]** and **\[verify linked\]** options as described in the diff --git a/src/polyinstantiation.md b/src/polyinstantiation.md index cf2b889..bd3579c 100644 --- a/src/polyinstantiation.md +++ b/src/polyinstantiation.md @@ -107,7 +107,9 @@ to set the correct file contexts. Each line in the namespace.conf file is formatted as follows: -`polydir instance_prefix method list_of_uids` +``` +polydir instance_prefix method list_of_uids +``` Where: diff --git a/src/postgresql.md b/src/postgresql.md index f7ab1e6..8e69f3f 100644 --- a/src/postgresql.md +++ b/src/postgresql.md @@ -147,7 +147,9 @@ enable and manage SE-PostgreSQL: 1. This entry is mandatory to enable the *sepgsql* extension to be loaded: -`shared_preload_libraries = 'sepgsql'` +``` +shared_preload_libraries = 'sepgsql' +``` 2. These entries are optional and default to '*off*'. diff --git a/src/reference_policy.md b/src/reference_policy.md index 4d4fd5d..73e2990 100644 --- a/src/reference_policy.md +++ b/src/reference_policy.md @@ -56,7 +56,9 @@ can be found at: **Figure 26: The Reference Policy Source Tree** shows the layout of the reference policy source tree, that once installed would be located at -`/etc/selinux//src/policy` +``` +/etc/selinux//src/policy +``` Where the **<SELINUXTYPE>** entry is taken from the *build.conf* file as discussed in the 
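Review bot: the fenced path in the `@@ -56,7 +58,9 @@` hunk reads `/etc/selinux//src/policy`, with an empty component between the two slashes where the sentence that follows says the `<SELINUXTYPE>` entry goes; check that the placeholder is actually present on the fenced line, since text inside a fenced block is rendered literally and cannot be lost to markup, whereas an empty component gives a path that contradicts the text. The same check applies to ` = base | module | off`, `rpm -Uvh selinux-policy-.src.rpm` and `make -f /usr/share/selinux//include/Makefile` later in this file, which show the same gap.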
@@ -740,7 +742,9 @@ ddcprobe = off The only active lines (those without comments) contain: -` = base | module | off` +``` + = base | module | off +``` However note that the comments are important as they form part of the documentation when it is generated by the *make html* target. @@ -1263,7 +1267,9 @@ completed: will be used as a part of the documentation. An example is as follows: -`ABC modules for the XYZ components.` +``` +ABC modules for the XYZ components. +``` ## Installing and Building the Reference Policy Source @@ -1432,7 +1438,9 @@ Note: The following steps were tested on Fedora 31 with no problems. Install the source as follows: -`rpm -Uvh selinux-policy-.src.rpm` +``` +rpm -Uvh selinux-policy-.src.rpm +``` The *rpmbuild/SOURCES* directory contents that will be used to build a copy of the **targeted** policy are as follows (there are other files, however @@ -1637,7 +1645,9 @@ directory. This *Makefile* can be used to build the example modules by using makes *-f* option as follows (assuming that the example module files are in the local directory): -`make -f /usr/share/selinux//include/Makefile` +``` +make -f /usr/share/selinux//include/Makefile +``` However there is another *Makefile* (*./policy/doc Makefile.example*)that can be installed in the users home directory (*$HOME*) that will call the master @@ -1844,11 +1854,15 @@ with examples shown in the [*ifdef*](#ifdef-ifndef-parameters) section. Correct: -`policy_module(ftp, 1.7.0)` +``` +policy_module(ftp, 1.7.0) +``` Incorrect: -`policy_module (ftp, 1.7.0)` +``` +policy_module (ftp, 1.7.0) +``` ### Loadable Policy Macros @@ -1867,7 +1881,9 @@ classes and permissions, and optionally MCS / MLS information ****The macro definition is:**** -`policy_module(module_name,version)` +``` +policy_module(module_name,version) +``` **Where:** 
@@ -2181,7 +2197,9 @@ used to describe the function and are extracted for the **The macro definition is:** -`gen_tunable(boolean_name,boolean_value)` +``` +gen_tunable(boolean_name,boolean_value) +``` **Where:** @@ -2604,7 +2622,9 @@ where it is used to set the files security context. **The macro definition is:** -`gen_context(context[,mls | mcs])` +``` +gen_context(context[,mls | mcs]) +``` **Where:** @@ -2669,7 +2689,9 @@ configuration file if it exists. **The macro definition is:** -`gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])` +``` +gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories]) +``` **Where:** @@ -2772,7 +2794,9 @@ used to describe the function and are extracted for the **The macro definition is:** -`gen_bool(name,default_value)` +``` +gen_bool(name,default_value) +``` **Where:** @@ -2905,7 +2929,9 @@ in the current reference policy. **The macro definition is:** -`gen_cats(mcs_num_cats | mls_num_cats)` +``` +gen_cats(mcs_num_cats | mls_num_cats) +``` **Where:** @@ -2974,7 +3000,9 @@ in the current reference policy (note that the *mcs* file has **The macro definition is:** -`gen_sens(mls_num_sens)` +``` +gen_sens(mls_num_sens) +``` **Where:** @@ -3038,7 +3066,9 @@ that contain this macro in the current reference policy. **The macro definition is:** -`gen_levels(mls_num_sens,mls_num_cats)` +``` +gen_levels(mls_num_sens,mls_num_cats) +``` **Where:** @@ -3103,7 +3133,9 @@ level s15:c0.c1023; These macros define system high etc. as shown. -`mls_systemlow` +``` +mls_systemlow +``` ``` # gives: @@ -3111,7 +3143,9 @@ These macros define system high etc. as shown. s0 ``` -`mls_systemhigh` +``` +mls_systemhigh +``` ``` # gives: @@ -3119,7 +3153,9 @@ s0 s15:c0.c1023 ``` -`mcs_systemlow` +``` +mcs_systemlow +``` ``` # gives: @@ -3127,7 +3163,9 @@ s15:c0.c1023 s0 ``` -`mcs_systemhigh` +``` +mcs_systemhigh +``` ``` # gives: 
@@ -3135,7 +3173,9 @@ s0 s0:c0.c1023 ``` -`mcs_allcats` +``` +mcs_allcats +``` ``` # gives: diff --git a/src/role_statements.md b/src/role_statements.md index 36fe4c3..c61d9d7 100644 --- a/src/role_statements.md +++ b/src/role_statements.md @@ -15,11 +15,15 @@ types with the role. **The statement definition to declare a role is:** -`role role_id;` +``` +role role_id; +``` **The statement definition to associate a role to one or more types is:** -`role role_id types type_id;` +``` +role role_id types type_id; +``` **Where:** @@ -99,7 +103,9 @@ can then be used to refer to a group of roles. **The statement definition is:** -`attribute_role attribute_id;` +``` +attribute_role attribute_id; +``` **Where:** @@ -162,7 +168,9 @@ declared roles to one or more previously declared attribute_roles. **The statement definition is:** -`roleattribute role_id attribute_id;` +``` +roleattribute role_id attribute_id; +``` **Where:** @@ -235,7 +243,9 @@ Note that the role allow rule has the same keyword as the allow AV rule. **The statement definition is:** -`allow from_role_id to_role_id;` +``` +allow from_role_id to_role_id; +``` **Where:** @@ -303,11 +313,15 @@ version 25, the `class` can now be defined. **The statement definition is:** -`role_transition current_role_id type_id new_role_id;` +``` +role_transition current_role_id type_id new_role_id; +``` Or from Policy version 25: -`role_transition current_role_id type_id : class new_role_id;` +``` +role_transition current_role_id type_id : class new_role_id; +``` **Where:** @@ -365,7 +379,9 @@ Or from Policy version 25: **Example:** -`role_transition system_r unconfined_exec_t:process unconfined_r;` +``` +role_transition system_r unconfined_exec_t:process unconfined_r; +``` ## `dominance` - Deprecated @@ -386,7 +402,9 @@ Notes: **The statement definition is:** -`dominance { role dom_role_id { role role_id; } }` +``` +dominance { role dom_role_id { role role_id; } } +``` Where: 
diff --git a/src/seandroid.md b/src/seandroid.md index d9a184c..db0de4f 100644 --- a/src/seandroid.md +++ b/src/seandroid.md @@ -471,7 +471,9 @@ and are listed in . Some are available as Toolbox or Toybox commands (see *system/core/shell_and_utilities/README.md*) and can be run via *adb shell*, for example: -`adb shell pm list permissions -g` +``` +adb shell pm list permissions -g +``` ### SELinux enabled commands @@ -854,7 +856,9 @@ will help sort out ordering issues. Example *BoardConfig.mk* usage from the Tuna device *device/samsung/tuna/BoardConfig.mk*: -`BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy` +``` +BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy +``` Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4 definitions during the build. A definition consists of a string in the form @@ -977,7 +981,9 @@ and a version number to produced a combined "versioned" policy file. Android supports auditing of SELinux events via the AOSP logger service that can be viewed using *logcat*, for example: -`adb logcat > logcat.log` +``` +adb logcat > logcat.log +``` Example SELinux audit events (avc denials) are: @@ -992,7 +998,9 @@ dmesg : type=1400 audit(0.0:198): avc: denied { syslog_read } for scontext=u:r Note that before the auditing daemon is loaded, messages will be logged in the kernel buffers that can be read using ***dmesg**(1)*: -`adb shell dmesg` +``` +adb shell dmesg +``` ## Policy File Formats @@ -1018,7 +1026,9 @@ devices to specify their entries as described in the Each line within the file consists of the following: -`pathname_regexp [file_type] security_context` +``` +pathname_regexp [file_type] security_context +``` Where: @@ -1369,7 +1379,9 @@ allowing vendors to specify their entries. The file format is: -`property_key security_context type value` +``` +property_key security_context type value +``` type = prefix or exact value = int, double, bool or string 
@@ -1413,7 +1425,9 @@ devices to specify their entries. The file format is: -`service_key security_context` +``` +service_key security_context +``` Example *service_contexts* Entries: diff --git a/src/security_context.md b/src/security_context.md index bb219cb..11d2387 100644 --- a/src/security_context.md +++ b/src/security_context.md @@ -14,7 +14,9 @@ Linux user id is mapped to the SELinux user id by configuration files), their role, a type identifier and an optional MCS / MLS security range or level as follows: -`user:role:type[:range]` +``` +user:role:type[:range] +``` **Where:** diff --git a/src/sid_statement.md b/src/sid_statement.md index cbb3ec9..132adb0 100644 --- a/src/sid_statement.md +++ b/src/sid_statement.md @@ -14,7 +14,9 @@ the start of a policy source file. **The statement definition is:** -`sid sid_id` +``` +sid sid_id +``` **Where:** @@ -79,7 +81,9 @@ context to the SID. **The statement definition is:** -`sid sid_id context` +``` +sid sid_id context +``` **Where:** diff --git a/src/type_enforcement.md b/src/type_enforcement.md index 898dae7..02fb100 100644 --- a/src/type_enforcement.md +++ b/src/type_enforcement.md @@ -61,7 +61,9 @@ It is possible to add constraints on users, roles, types and MLS ranges, for example within a TE environment, the way that subjects are allowed to access an object is via a TE [**`allow`**](avc_rules.md#allow), for example: -`allow unconfined_t ext_gateway_t : process transition;` +``` +allow unconfined_t ext_gateway_t : process transition; +``` This states that a process running in the `unconfined_t` domain has permission to transition a process to the `ext_gateway_t` domain. 
@@ -71,7 +73,9 @@ domain is the same as the role of the target domain. To achieve this a constraint can be imposed using a [**`constrain`**](constraint_statements.md#constrain) statement: -`constrain process transition ( r1 == r2 );` +``` +constrain process transition ( r1 == r2 ); +``` This states that a process transition can only occur if the source role is the same as the target role, therefore a constraint is a condition diff --git a/src/type_statements.md b/src/type_statements.md index 76dedab..fb7ec83 100644 --- a/src/type_statements.md +++ b/src/type_statements.md @@ -21,7 +21,9 @@ component of the [**Security Context**](security_context.md#security-context). **The statement definition is:** -`type type_id [alias alias_id] [, attribute_id];` +``` +type type_id [alias alias_id] [, attribute_id]; +``` **Where:** @@ -126,7 +128,9 @@ refer to a group of *type* identifiers. **The statement definition is:** -`attribute attribute_id;` +``` +attribute attribute_id; +``` **Where:** @@ -171,7 +175,9 @@ declared types to one or more previously declared attributes. **The statement definition is:** -`typeattribute type_id attribute_id;` +``` +typeattribute type_id attribute_id; +``` **Where:** @@ -243,7 +249,9 @@ The *typealias* statement allows the association of a previously declared **The statement definition is:** -`typealias type_id alias alias_id;` +``` +typealias type_id alias alias_id; +``` **Where:** @@ -311,7 +319,9 @@ policy denial. **The statement definition is:** -`permissive type_id;` +``` +permissive type_id; +``` **Where:** 
@@ -381,12 +391,16 @@ the transition. **The statement definitions are:** -`type_transition source_type target_type : class default_type;` +``` +type_transition source_type target_type : class default_type; +``` Policy versions 25 and above also support a 'name transition' rule however, this is only appropriate for the file classes: -`type_transition source_type target_type : class default_type object_name;` +``` +type_transition source_type target_type : class default_type object_name; +``` **Where:** @@ -510,7 +524,9 @@ section for more details. **The statement definition is:** -`type_change source_type target_type : class change_type;` +``` +type_change source_type target_type : class change_type; +``` **Where:** @@ -579,7 +595,9 @@ section for more details. **The statement definition is:** -`member_type source_type target_type : class member_type;` +``` +member_type source_type target_type : class member_type; +``` **Where:** diff --git a/src/types_of_policy.md b/src/types_of_policy.md index dcbe573..01ff1d6 100644 --- a/src/types_of_policy.md +++ b/src/types_of_policy.md @@ -188,7 +188,9 @@ The boolean flag status is held in kernel and can be changed using the temporarily (i.e. only valid until a re-boot). The following example shows a persistent conditional policy change: -`setsebool -P ext_gateway_audit false` +``` +setsebool -P ext_gateway_audit false +``` The conditional policy language statements are the `bool` Statement that defines the boolean flag identifier and its initial status, and the diff --git a/src/user_statements.md b/src/user_statements.md index 46f2846..7a5ff8a 100644 --- a/src/user_statements.md +++ b/src/user_statements.md 
@@ -11,11 +11,15 @@ previously declared within the policy. **The statement definition is:** -`user seuser_id roles role_id;` +``` +user seuser_id roles role_id; +``` Or for MCS/MLS Policy: -`user seuser_id roles role_id level mls_level range mls_range;` +``` +user seuser_id roles role_id level mls_level range mls_range; +``` Where: diff --git a/src/userspace_libraries.md b/src/userspace_libraries.md index 6db6bb7..8939246 100644 --- a/src/userspace_libraries.md +++ b/src/userspace_libraries.md @@ -123,7 +123,9 @@ SELinux sub-system: There is a static version of the library that is not installed by default: -`dnf install libselinux-static` +``` +dnf install libselinux-static +``` ## libsepol Library @@ -132,7 +134,9 @@ binary policy files. There is a static version of the library that is not installed by default: -`dnf install libsepol-static` +``` +dnf install libsepol-static +``` This is used by commands such as ***audit2allow**(8)* and ***checkpolicy**(8)* as they require access to functions that are not available in the dynamic diff --git a/src/vm_support.md b/src/vm_support.md index 09321ed..07ad32f 100644 --- a/src/vm_support.md +++ b/src/vm_support.md @@ -20,7 +20,9 @@ to configure VMs, then an overview of the Xen implementation follows. To ensure all dependencies are installed run: -`dnf install libvirt qemu virt-manager` +``` +dnf install libvirt qemu virt-manager +``` ## KVM / QEMU Support @@ -205,7 +207,9 @@ To overcome this error, the following boolean needs to be enabled with ***setsebool**(8)* to allow access to shared memory (the *-P* option will set the boolean across reboots): -`setsebool -P virt_use_execmem on` +``` +setsebool -P virt_use_execmem on +``` Now that the image has been configured as shareable, the following initialisation process will take place: 
@@ -274,7 +278,9 @@ enforcing mode (just so all errors are flagged during the build): 1. To set the required security context requires editing the *Static_VM1* configuration file using ***virsh**(1)* as follows: -`virsh edit Static_VM1` +``` +virsh edit Static_VM1 +``` Then add the following at the end of the file: diff --git a/src/x_windows.md b/src/x_windows.md index 86f966e..898123c 100644 --- a/src/x_windows.md +++ b/src/x_windows.md @@ -121,7 +121,9 @@ following command will enable the boolean, however it will be necessary to reload X-Windows to initialise the extension (i.e. run the **init 3** and then **init 5** commands): -`setsebool -P xserver_object_manager true` +``` +setsebool -P xserver_object_manager true +``` If the boolean is set to *false*, the x-server log will indicate that "SELinux: Disabled by boolean". Important note - If the boolean is diff --git a/src/xen_statements.md b/src/xen_statements.md index 5688893..e2c4cc3 100644 --- a/src/xen_statements.md +++ b/src/xen_statements.md @@ -20,7 +20,9 @@ Label i/o memory. This may be a single memory location or a range. **The statement definition is:** -`iomemcon addr context` +``` +iomemcon addr context +``` **Where:** @@ -64,7 +66,9 @@ Label i/o ports. This may be a single port or a range. **The statement definition is:** -`ioportcon port context` +``` +ioportcon port context +``` **Where:** @@ -108,7 +112,9 @@ Label a PCI device. **The statement definition is:** -`pcidevicecon pci_id context` +``` +pcidevicecon pci_id context +``` **Where:** @@ -140,7 +146,9 @@ Conditional Policy Statements **Example:** -`pcidevicecon 0xc800 system_u:object_r:nicP_t` +``` +pcidevicecon 0xc800 system_u:object_r:nicP_t +``` ## *pirqcon* @@ -148,7 +156,9 @@ Label an interrupt level. **The statement definition is:** -`pirqcon irq context` +``` +pirqcon irq context +``` **Where:** 
@@ -180,7 +190,9 @@ Conditional Policy Statements **Example:** -`pirqcon 33 system_u:object_r:nicP_t` +``` +pirqcon 33 system_u:object_r:nicP_t +``` ## *devicetreecon* @@ -188,7 +200,9 @@ Label device tree nodes. **The statement definition is:** -`devicetreecon path context` +``` +devicetreecon path context +``` **Where:** @@ -221,7 +235,9 @@ Conditional Policy Statements **Example:** -`devicetreecon "/this is/a/path" system_u:object_r:arm_path` +``` +devicetreecon "/this is/a/path" system_u:object_r:arm_path +``` diff --git a/src/xperm_rules.md b/src/xperm_rules.md index 21878ea..7f8744b 100644 --- a/src/xperm_rules.md +++ b/src/xperm_rules.md @@ -12,7 +12,9 @@ libsepol 2.7 minimum is required). **The common format for Extended Access Vector Rules are:** -`rule_name source_type target_type : class operation xperm_set;` +``` +rule_name source_type target_type : class operation xperm_set; +``` **Where:** 
@@ -82,7 +84,9 @@ versions < 30 only controls whether an *ioctl* permission is allowed or not, for example this rule allows the object class *tcp_socket* the *ioctl* permission: -`allow src_t tgt_t : tcp_socket ioctl;` +``` +allow src_t tgt_t : tcp_socket ioctl; +``` From Policy version 30 it is possible to control ***ioctl**(2)* '*request*' parameters provided the *ioctl* permission is also allowed,

From patchwork Tue Aug 4 01:34:55 2020
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 11699395
:mime-version:content-transfer-encoding; bh=ZY89rM2rO8pnp20lNV+4n3feqFHQvV+sidSJGkuwYfY=; b=DagEDq2I7Ll9FUdqU/cB26G+v9x5h94sRQLSAVHBDkobwdILpwUBHZnrYNGPSXbRDU LqdUl+ufLgOcPgIZEQdX9EPnlO27DxMaVS9OSDSPDsdUataVO9+sBoe7tbe/ypuSBTa0 sL1hGNleJhNn62kdeRij8L86oR7gw5xde9hklFL263a8KIK2yMwqHZ19RcCEHnsssyZo jRoU0QUgVN39NlxMJ7NfQVlraiIaWyvgfiE63XwinHt7neoV/oHlNBtzXXx8QRvoTc6N iv8apHxWaXwfceoVWBqeOoVbJLkws4rjQEIPwc7PMOgDTvSnr5nWBioFJ6zHZ0Huh5yr 0BBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:date:message-id:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=ZY89rM2rO8pnp20lNV+4n3feqFHQvV+sidSJGkuwYfY=; b=iLuWegM591dRzNQyiDHaAew7J3glBmx1HO7cPcQmN7Fo81ZQ7KCHr+cLfaqoC1DTfB DhVGocvCu6hn08tW4K3/U3ButB8Ca53sgYPucvXZDdvciqQgtkZCddLtEZudfSzYJI55 YNCvzKMT4kjanqCsKvxrNRtQL43y6vOlxwn8IciyBrHj4VndOHAkBIdAXEYscSE1/mWC cxO04sbMo40jRqwy1hjMTn/y+4zpupcGJ36DJbVAbugBVTYCnKaNvnGLzpDAIGT49b92 jQN5qC1FBruOiQ0Do/mEGwVdZ+R4l+jEE227qVqEsTf9BgCUaXroxBF5O+5lqeA1Gd/J LyGA== X-Gm-Message-State: AOAM532sDKPQYXvH/z2UDe99s2zcbmKmAxcMArsJmhsUnQAmhErzczJS rtElnG3+sc18fjmmFWyc40e2erdecIrc X-Google-Smtp-Source: ABdhPJzJV2ynT8oMzHAs4TG3Ks+HzMDzywFOYjLE0UnSf0VI5FRlHGw8tWEvlqKT4A4L8hTmnIB/Wg== X-Received: by 2002:a37:614a:: with SMTP id v71mr19237587qkb.31.1596504897396; Mon, 03 Aug 2020 18:34:57 -0700 (PDT) Received: from localhost (pool-96-230-24-152.bstnma.fios.verizon.net. [96.230.24.152]) by smtp.gmail.com with ESMTPSA id b23sm20313392qtp.41.2020.08.03.18.34.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Aug 2020 18:34:56 -0700 (PDT) Subject: [RFC,selinux-notebook PATCH 15/18] all: consolidate multiple blank lines into one 
From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:34:55 -0400 Message-ID: <159650489559.8961.12208306588424867928.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> User-Agent: StGit/0.23 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This has zero impact on the rendered formats, but improves the consistency of the raw markdown. Done with the following script: for i in *.md; do sed -i 'N;/^\n$/D;P;D;' $i done 
Signed-off-by: Paul Moore --- src/apache_support.md | 5 ---- src/auditing.md | 7 ----- src/avc_rules.md | 6 ---- src/bounds_rules.md | 2 - src/cil_overview.md | 2 - src/class_permission_statements.md | 5 ---- src/computing_access_decisions.md | 1 - src/computing_security_contexts.md | 15 ----------- src/conditional_statements.md | 3 -- src/configuration_files.md | 3 -- src/constraint_statements.md | 4 --- src/core_components.md | 5 ---- src/debug_policy_hints.md | 4 --- src/default_rules.md | 4 --- src/domain_object_transitions.md | 4 --- src/file_labeling_statements.md | 5 ---- src/global_config_files.md | 7 ----- src/implementing_seaware_apps.md | 6 ---- src/infiniband_statements.md | 3 -- src/kernel_policy_language.md | 8 ------ src/libselinux_functions.md | 1 - src/lsm_selinux.md | 9 ------ src/mac.md | 3 -- src/mls_mcs.md | 9 ------ src/mls_statements.md | 10 ------- src/modes.md | 2 - src/modular_policy_statements.md | 2 - src/network_statements.md | 4 --- src/network_support.md | 9 ------ src/object_classes_permissions.md | 24 ----------------- src/objects.md | 5 ---- src/pam_login.md | 2 - src/policy_config_files.md | 43 ------------------------------- src/policy_config_statements.md | 1 - src/policy_languages.md | 1 - src/policy_store_config_files.md | 23 ----------------- src/policy_validation_example.md | 1 - src/polyinstantiation.md | 8 ------ src/rbac.md | 2 - src/reference_policy.md | 50 ------------------------------------ src/role_statements.md | 6 ---- src/seandroid.md | 18 ------------- src/security_context.md | 1 - src/selinux_cmds.md | 2 - src/selinux_overview.md | 2 - src/sid_statement.md | 2 - src/subjects.md | 3 -- src/terminology.md | 3 -- src/title.md | 1 - src/toc.md | 1 - src/type_enforcement.md | 4 --- src/types_of_policy.md | 11 -------- src/users.md | 2 - src/vm_support.md | 2 - 54 files changed, 366 deletions(-) diff --git a/src/apache_support.md b/src/apache_support.md index 6b794c6..8e8df1c 100644 --- a/src/apache_support.md 
+++ b/src/apache_support.md @@ -52,7 +52,6 @@ the LAPP1
    1. This is similar to the LAMP (Linux, Apache, MySQL, PHP/Perl/Python) stack, however MySQL is not SELinux-aware.

- --- diff --git a/src/auditing.md b/src/auditing.md index e07429a..56f2a00 100644 --- a/src/auditing.md +++ b/src/auditing.md @@ -40,7 +40,6 @@ Notes: ***selinux_set_callback**(3)* and specifying an alternative log handler. - ## AVC Audit Events **Table 1** describes the general format of AVC audit @@ -232,7 +231,6 @@ exe="/usr/move_file/move_file_c" subj=unconfined_u:unconfined_r:move_file_t key=(null) ``` - ## General SELinux Audit Events This section shows a selection of non-AVC SELinux-aware services audit @@ -269,7 +267,6 @@ policyload notice (seqno=2) : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?' ``` - Change enforcement mode - *MAC_STATUS* - This was generated when the SELinux enforcement mode was changed: @@ -284,7 +281,6 @@ tty=pts0 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) ``` - Change boolean value - *MAC_CONFIG_CHANGE* - This event was generated when ***setsebool**(8)* was run to change a boolean. Note that the bolean name plus new and old values are shown in the @@ -319,7 +315,6 @@ exe="/sbin/netlabelctl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) ``` - Labeled IPSec - *MAC_IPSEC_EVENT* - Generated when running ***setkey**(8)* to load IPSec configuration: @@ -371,7 +366,6 @@ exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c300 key=(null) ``` - Role changes - *USER_ROLE_CHANGE* - Used ***newrole**(1)* to set a new role that was not valid. @@ -385,7 +379,6 @@ new-context=?: exe="/usr/bin/newrole" hostname=? addr=? terminal=/dev/pts/0 res=failed' ``` - --- diff --git a/src/avc_rules.md b/src/avc_rules.md index c216fc8..7572302 100644 --- a/src/avc_rules.md +++ b/src/avc_rules.md @@ -79,7 +79,6 @@ rule_name source_type target_type : class perm_set; - ## *allow* The allow rule checks whether the operations between the source\_type 
@@ -139,7 +138,6 @@ allow bootloader_t system_dbusd_t:dbus { acquire_svc send_msg }; allow files_unconfined_type file_type:{ file chr_file } ~execmod; ``` - ## *dontaudit* The *dontaudit* rule stops the auditing of denial messages as it is known @@ -158,7 +156,6 @@ also helps to manage the audit log by excluding known events. dontaudit traceroute_t { port_type -port_t }:tcp_socket name_bind; ``` - ## *auditallow* Audit the event as a record as it is useful for auditing purposes. Note @@ -175,7 +172,6 @@ to grant permission. auditallow ada_t self:process execstack; ``` - ## *neverallow* This rule specifies that an *allow* rule must not be generated for the @@ -205,7 +201,6 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; ``` -
  1. neverallow statements are allowed in modules, however to detect these the semanage.conf file must have the 'expand-check=1' entry present.

  2. @@ -213,7 +208,6 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
- --- diff --git a/src/bounds_rules.md b/src/bounds_rules.md index 2949bc2..55a793a 100644 --- a/src/bounds_rules.md +++ b/src/bounds_rules.md @@ -12,7 +12,6 @@ NOT enforced by the SELinux kernel services). The [**CIL Reference Guide**](notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) gives details. - ## *typebounds* The *typebounds* rule was added in version 24 of the policy. This @@ -92,7 +91,6 @@ allow httpd_t etc_t : file { getattr read }; allow httpd_child_t etc_t : file { read write }; ``` - --- diff --git a/src/cil_overview.md b/src/cil_overview.md index c3e280f..aa22bff 100644 --- a/src/cil_overview.md +++ b/src/cil_overview.md @@ -35,7 +35,6 @@ language perspective it will: | *allow* (role) | *roleallow* | | *dominance* | *sensitivityorder* | - 2. Additional CIL statements have been defined to enhance functionality: @@ -147,7 +146,6 @@ declarations with the order in which they are declared in the kernel. A module store is created by *semodule* to give easy access to the source and that allows for full control over the policy. - --- diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md index a0a1379..4090fa0 100644 --- a/src/class_permission_statements.md +++ b/src/class_permission_statements.md @@ -16,7 +16,6 @@ There are two variants of the *class* statement for writing policy: [**Associating Permissions to a Class**](#associating-permissions-to-a-class) section. - ## *class* Object classes are declared within a policy with the following statement @@ -76,7 +75,6 @@ class class_id class db_tuple ``` - ### Associating Permissions to a Class Permissions can be defined within policy in two ways: @@ -90,7 +88,6 @@ Permissions can be defined within policy in two ways: A list of classes and their permissions used by the **Reference Policy** can be found in the *./policy/flask/access_vectors* file. - ## *common* Declare a *common* identifier and associate one or more *common* permissions. 
@@ -155,7 +152,6 @@ common common_id { perm_set } common database { create drop getattr setattr relabelfrom relabelto } ``` - ## *class* Inherit and / or associate permissions to a perviously declared *class* identifier. @@ -248,7 +244,6 @@ class db_blob inherits database class db_blob inherits database { read write import export } ``` - --- diff --git a/src/computing_access_decisions.md b/src/computing_access_decisions.md index ce4cf11..5ab9430 100644 --- a/src/computing_access_decisions.md +++ b/src/computing_access_decisions.md @@ -57,7 +57,6 @@ require kernel system call over-heads once set up. Note that these functions are only available from *libselinux* 2.0.99, with Linux kernel 2.6.37 and above. - --- diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md index 1d7c975..5849375 100644 --- a/src/computing_security_contexts.md +++ b/src/computing_security_contexts.md @@ -46,7 +46,6 @@ various kernel objects (also see the [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) section. - ### Process The initial task starts with the kernel security context, but the @@ -73,7 +72,6 @@ Processes inherit their security context as follows: practice is generally discouraged - exec-based transitions are preferred. - ### Files The default behavior for labeling files (actually inodes that consist of @@ -111,12 +109,10 @@ SID, which is mapped to a context by the policy. This default may be overridden via the *defcontext=* mount option on a per-mount basis as described in ***mount**(8)*. - ### File Descriptors Inherits the label of its creator/parent. - ### Filesystems Filesystems are labeled using the appropriate *fs_use* kernel policy 
@@ -164,14 +160,12 @@ Notes: *context=*, *fscontext=*, *defcontext=* and *rootcontext=*. They are fully described in the ***mount**(8)* man page. - ### Network File System (nfsv4.2) If labeled NFS is implemented with *xattr* support, then the creation of inodes are treated as described in the [Files](#files) section. - ### INET Sockets If a socket is created by the ***socket**(3)* call they are labeled as @@ -204,12 +198,10 @@ Some sockets may be labeled with the kernel SID to reflect the fact that they are kernel-internal sockets that are not directly exposed to applications. - ### IPC Inherits the label of its creator/parent. - ### Message Queues Inherits the label of its sending process. However if sending a message @@ -233,17 +225,14 @@ the message queue it will be stored in as follows: with the selected range being low, high or low-high to be defined for the message object class). - ### Semaphores Inherits the label of its creator/parent. - ### Shared Memory Inherits the label of its creator/parent. - ### Keys Inherits the label of its creator/parent. @@ -251,7 +240,6 @@ Inherits the label of its creator/parent. Security-aware applications may use ***setkeycreatecon**(3)* to explicitly label keys they create if permitted by policy. - ## Using libselinux Functions ### *avc_compute_create* and *security_compute_create* @@ -349,7 +337,6 @@ new context *newcon* (referenced by SIDs for **Table 1** - ### *avc_compute_member* and *security_compute_member* **Table 2** shows how the components from the source context, @@ -424,7 +411,6 @@ the new context *newcon* (referenced by SIDs for **Table 2** - ### *security_compute_relabel* **Table 3** below shows how the components from the source context, @@ -502,7 +488,6 @@ following notes also apply: **Table 3** - --- diff --git a/src/conditional_statements.md b/src/conditional_statements.md index 7930b45..3cf07df 100644 --- a/src/conditional_statements.md +++ b/src/conditional_statements.md 
@@ -56,7 +56,6 @@ getsebool -a getsebool allow_daemons_use_tty ``` - ## bool The *bool* statement is used to specify a boolean identifier and its @@ -134,7 +133,6 @@ bool allow_execheap false; bool allow_execstack true; ``` - ### if The if statement is used to form a 'conditional block' of statements and @@ -260,7 +258,6 @@ if (read_untrusted_content) { } ``` - --- diff --git a/src/configuration_files.md b/src/configuration_files.md index 9cb97cd..3515f1b 100644 --- a/src/configuration_files.md +++ b/src/configuration_files.md @@ -33,7 +33,6 @@ as follows: viewing the currently loaded policy using tools such as ***apol**(1)* (e.g. *apol /sys/fs/selinux/policy*). - ## The Policy Store Version 2.7 of *libsemanage*, *libsepol*, and *policycoreutils* had the @@ -148,7 +147,6 @@ already available, the following message will be given: "*A higher priority <name> module exists at priority <999> and will override the module currently being installed at priority <111>*". - ## Converting policy packages to CIL A component of the update is to add a facility that converts compiled @@ -175,7 +173,6 @@ Options: -h, --help print this message and exit ``` - --- diff --git a/src/constraint_statements.md b/src/constraint_statements.md index 39f441e..4834f6b 100644 --- a/src/constraint_statements.md +++ b/src/constraint_statements.md @@ -172,7 +172,6 @@ constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create r (u1 == u2 or t1 == can_change_object_identity); ``` - ## *validatetrans* This statement is used to control the ability to change the objects @@ -274,7 +273,6 @@ validatetrans class expression; validatetrans { file } { t1 == unconfined_t ); ``` - ## *mlsconstrain* The mlsconstrain statement allows further restriction on permissions for @@ -400,7 +398,6 @@ mlsconstrain dir search ( t2 == mlstrustedobject )); ``` - ## *mlsvalidatetrans* The *mlsvalidatetrans* is the MLS equivalent of the *validatetrans* 
@@ -531,7 +528,6 @@ mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 )))); ``` - --- diff --git a/src/core_components.md b/src/core_components.md index 0cc9e65..0bb9058 100644 --- a/src/core_components.md +++ b/src/core_components.md @@ -17,7 +17,6 @@ manage enforcement of the policy and comprise of the following: 5. An Access Vector Cache (AVC) that improves system performance by caching security server decisions. - ![](./images/1-core.png) **Figure 1: High Level Core SELinux Components** - *Decisions by the @@ -25,12 +24,10 @@ Security Server are cached in the AVC to enhance performance of future requests. Note that it is the kernel and userspace Object Managers that enforce the policy.* - ![](./images/2-high-level-arch.png) **Figure 2: High Level SELinux Architecture** - *Showing the major supporting services* - **Figure 2** shows a more complex diagram of kernel and userspace with a number of supporting services that are used to manage the SELinux environment. This diagram will be referenced a number of times to explain areas of @@ -131,7 +128,6 @@ The [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module section goes into greater detail of the LSM / SELinux modules with a walk through of a ***fork**(2)* and ***exec**(2)* process. -
  1. When SELinux is enabled, the policy can be running in 'permissive mode' (SELINUX=permissive), where all accesses are allowed. The policy @@ -145,7 +141,6 @@ statement that allows a domain to run in permissive mode while the others are st

- --- diff --git a/src/debug_policy_hints.md b/src/debug_policy_hints.md index 913a82a..1bdd8f4 100644 --- a/src/debug_policy_hints.md +++ b/src/debug_policy_hints.md @@ -2,10 +2,6 @@ I'm sure there is more to add here !!! - - - - --- diff --git a/src/default_rules.md b/src/default_rules.md index b6e35d2..92ba272 100644 --- a/src/default_rules.md +++ b/src/default_rules.md @@ -79,7 +79,6 @@ default_user file target; default_user { x_selection x_property } source; ``` - ## *default_role* Allows the default role to be taken from the source or target context @@ -155,7 +154,6 @@ default_role file target; default_role { x_selection x_property } source; ``` - ## *default_type* Allows the default type to be taken from the source or target context @@ -231,7 +229,6 @@ default_type file target; default_type { x_selection x_property } source; ``` - ## *default_range* Allows the default range or level to be taken from the source or target @@ -332,7 +329,6 @@ default_type { x_selection x_property } source low_high; default_range db_table glblub; ``` - --- diff --git a/src/domain_object_transitions.md b/src/domain_object_transitions.md index c7e74e0..030d866 100644 --- a/src/domain_object_transitions.md +++ b/src/domain_object_transitions.md @@ -8,7 +8,6 @@ This section discusses the *type_transition* statement that is used to: These transitions can also be achieved using the **libselinux** API functions for SELinux-aware applications. - ## Domain Transition A domain transition is where a process in one domain starts a new @@ -98,7 +97,6 @@ SELinux enabled kernel. within the *unconfined_t* domain and then transitioned to the *ext_gateway_t* domain.* - ### Type Enforcement Rules When building the *ext_gateway.conf* and *int_gateway.conf* modules the 
@@ -221,7 +219,6 @@ Other ways to resolve this issue are: It was decided to use runcon as it demonstrates the command usage better than reading the man pages. - ## Object Transition An object transition is where a new object requires a different label to @@ -295,7 +292,6 @@ drwxr-xr-x root root system_u:object_r:unconfined_t .. -rw-r--r-- root root unconfined_u:object_r:in_file_t Message-2 ``` - --- diff --git a/src/file_labeling_statements.md b/src/file_labeling_statements.md index b28c1ff..34c2ca8 100644 --- a/src/file_labeling_statements.md +++ b/src/file_labeling_statements.md @@ -12,7 +12,6 @@ therefore if the policy supports MCS / MLS, then an *mls_range* is required as described in the [**MLS range Definition**](mls_statements.md#mls-range-definition) section. - ## *fs_use_xattr* The *fs_use_xattr* statement is used to allocate a security context to @@ -86,7 +85,6 @@ fs_use_xattr ext2 system_u:object_r:fs_t:s0; fs_use_xattr ext3 system_u:object_r:fs_t:s0; ``` - ## *fs_use_task* The *fs_use_task* statement is used to allocate a security context to @@ -158,7 +156,6 @@ fs_use_task pipefs system_u:object_r:fs_t:s0; fs_use_task sockfs system_u:object_r:fs_t:s0; ``` - ## *fs_use_trans* The *fs_use_trans* statement is used to allocate a security context to @@ -230,7 +227,6 @@ fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0; fs_use_trans devpts system_u:object_r:devpts_t:s0; ``` - ## *genfscon* The *genfscon* statement is used to allocate a security context to @@ -323,7 +319,6 @@ genfscon proc /fs/openafs system_u:object_r:proc_afs_t:s0 genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255 ``` - --- diff --git a/src/global_config_files.md b/src/global_config_files.md index 682b0fb..80e557b 100644 --- a/src/global_config_files.md +++ b/src/global_config_files.md 
@@ -9,7 +9,6 @@ important files are: - */etc/selinux/semanage.conf* - This is used by the SELinux policy configuration subsystem for modular or CIL policies. - ## */etc/selinux/config* If this file is missing or corrupt no SELinux policy will be loaded @@ -82,7 +81,6 @@ SELINUX=permissive SELINUXTYPE=targeted ``` - ## */etc/selinux/semanage.conf* The ***semanage.config**(5)* file controls the configuration and actions @@ -273,7 +271,6 @@ args = $@ [end] ``` - ## */etc/selinux/restorecond.conf* ## *restorecond-user.conf* @@ -316,13 +313,11 @@ directories). ~/public_html/* ``` - ## */etc/selinux/newrole_pam.conf* The optional *newrole\_pam.conf* file is used by ***newrole**(1)* and maps commands to ***PAM**(8)* service names. - ## */etc/sestatus.conf* The ***sestatus.conf**(5)* file is used by the ***sestatus**(8)* command to @@ -362,7 +357,6 @@ List of processes to display context /usr/sbin/sshd ``` - ## */etc/security/sepermit.conf* The ***sepermit.conf**(5)* file is used by the *pam_sepermit.so* module @@ -407,7 +401,6 @@ example that describes the configuration: xguest:exclusive ``` - --- diff --git a/src/implementing_seaware_apps.md b/src/implementing_seaware_apps.md index 1aa1f90..13020c9 100644 --- a/src/implementing_seaware_apps.md +++ b/src/implementing_seaware_apps.md @@ -36,7 +36,6 @@ SELinux-aware applications do not (they rely on 'Object Managers' to do this e.g. the kernel based Object Managers such as those that manage filesystem, IPC and network labeling). - ## Implementing SELinux-aware Applications This section puts forward various points that may be useful when @@ -95,7 +94,6 @@ developing SELinux-aware applications and object managers using explained at: - ## Implementing Object Managers To implement object managers for applications, an understanding of the 
@@ -155,7 +153,6 @@ classes/permissions. the [**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf), and for reference, the SE-PostgreSQL service also implements a similar interface. - ## Reference Policy Changes When adding a new object manager to SELinux, it will require at least a @@ -208,7 +205,6 @@ not require modification, and supplying the module files (*\*.te*, ## ``` - ## Adding New Object Classes and Permissions Because userspace object managers do not require their new classes and @@ -286,7 +282,6 @@ dynamic class/perm discovery: by the kernel. Then add allow rules as appropriate to the policy for the new permissions. -
  1. The SELinux security server does not enforce a decision, it merely @@ -298,7 +293,6 @@ applied to their objects as defined by policy. @@ -205,7 +204,6 @@ Where: **Table 3** shows a cross reference matrix of statements and rules allowed in each type of policy source file. - ## Conditional, Optional and Require Statement Rules The language grammar specifies what statements and rules can be included @@ -260,7 +258,6 @@ Where: **Table 3** shows a cross reference matrix of statements and rules allowed in each of the above policy statements. - ## MLS Statements and Optional MLS Components The [**MLS Statements**](mls_statements.md#mls-statements) section defines @@ -270,7 +267,6 @@ context as an argument, (for example the [**Network Labeling Statements**](network_statements.md#network-labeling-statements)), therefore these statements show an example taken from the MLS **Reference Policy** build. - ## General Statement Information 1. Identifiers can generally be any length but should be restricted to @@ -480,7 +476,6 @@ same). **Table 2: Policy language reserved words** - **Table 3** shows what policy language statements and rules are allowed within each type of policy source file, and whether the statement is valid within an *if/else* construct, *optional {rule_list}*, or @@ -948,7 +943,6 @@ policy source file. The right hand side of the table shows whether the statement is valid within the *if/else* construct, *optional {rule_list}*, or *require {rule_list}* statement.* - ## Section Contents The policy language statement and rule sections are as follows: @@ -975,7 +969,6 @@ Note these are not kernel policy statements, but used by the Reference Policy to assist policy build: - [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements) -

    1. It is important to note that the Reference Policy builds policy using makefiles and m4 support macros within its own source file structure. However, the end result of the make process is that there can be three possible types of source file built (depending on the MONOLITHIC=Y/N build option). These files contain the policy language statements and rules that are finally complied into a binary policy.

    2. @@ -986,7 +979,6 @@ to assist policy build:
    - --- diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md index 34f9a06..9cae37a 100644 --- a/src/libselinux_functions.md +++ b/src/libselinux_functions.md @@ -1093,7 +1093,6 @@ The appropriate ***man**(3)* pages should consulted for detailed usage. - --- diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md index 9c2aac4..e426f28 100644 --- a/src/lsm_selinux.md +++ b/src/lsm_selinux.md @@ -15,7 +15,6 @@ the SELinux kernel source code). The major areas covered are: 4. The SELinux filesystem */sys/fs/selinux*. 5. The */proc* filesystem area most applicable to SELinux. - ## The LSM Module The LSM is the Linux security framework that allows 3rd party @@ -95,7 +94,6 @@ inserted security hooks and structures to allow access control to be managed by 3rd party modules (see ./linux-3.14/include/linux/security.h).* - | ***/proc/self/attr/*** **Permissions** | **File Name**| **Function** | | ------------ | ------------ | ------------------------------------------------------------------------ | | *current* | *-rw-rw-rw-* | Contains the current process security context. | @@ -149,7 +147,6 @@ hooks and structures. **Table 3:** *The core LSM source modules.* - ## The SELinux Module This section does not go into detail of all the SELinux module @@ -274,7 +271,6 @@ to see how some of these kernel source modules fit together. **Table 4: The core SELinux source modules** - *The .h files and those in the include directory have a number of useful comments.* - ### Fork System Call Walk-thorough This section walks through the the ***fork**(2)* system call shown in @@ -339,7 +335,6 @@ is valid): required to check access permissions for Object Class *process* and permission *fork*.* - ### Process Transition Walk-thorough This section walks through the ***execve**(2)* and checking whether a 
@@ -459,14 +454,12 @@ computed. This function will (assuming there are no errors): check if a transition is allowed from the *unconfined_t* domain to the *ext_gateway_t* domain.* - ![](./images/12-lsm-selinux-arch.png) **Figure 12: The Main LSM / SELinux Modules** - *The fork and exec functions link to [**Figure 7**](domain_object_transitions.md#domain-transition) where the transition process is described.* - #### SELinux Filesystem **Table 6: SELinux filesystem Information** shows the information contained @@ -738,8 +731,6 @@ Notes: */proc/<self|pid>/task/<tid>/attr/<attr>* interfaces. - - --- diff --git a/src/mac.md b/src/mac.md index 5c746f2..7b88c24 100644 --- a/src/mac.md +++ b/src/mac.md @@ -29,7 +29,6 @@ chain for DAC and MAC are shown in **Figure 3**. **Figure 3: Processing a System Call** - *The DAC checks are carried out first, if they pass then the Security Server is consulted for a decision.* - SELinux supports two forms of MAC: **Type Enforcement** - Where processes run in domains and the actions on @@ -61,8 +60,6 @@ application separation, for example SELinux enabled: by the same app running on behalf of another user (see the [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section). - - --- diff --git a/src/mls_mcs.md b/src/mls_mcs.md index 862196b..4b4c15c 100644 --- a/src/mls_mcs.md +++ b/src/mls_mcs.md @@ -111,7 +111,6 @@ The format used in the policy language statements is fully described in the [MLS Statements](mls_statements.md#mls-statements) section, however a brief overview follows. - #### MLS / MCS Range Format The following components (shown in bold) are used to define the MLS / @@ -145,7 +144,6 @@ user:role:type:sensitivity[:category,...] - sensitivity [:category,...] - #### Translating Levels When writing policy for MLS / MCS security level components it is usual 
@@ -161,7 +159,6 @@ command can be used to set up this translation and is shown in the [**setrans.conf**](policy_config_files.md#setrans.conf) configuration file section. - ### Managing Security Levels via Dominance Rules As stated earlier, allowing a process access to an object is managed by @@ -279,12 +276,10 @@ the *mlsconstrain* statement as illustrated in **Table 2: MLS Security Levels** - *Showing the scope of a process running at a security range of *s0 - s3:c1.c5*.* - ![](./images/9-mls-constrain.png) **Figure 9: Showing the mlsconstrain Statements controlling Read Down & Write Up** - *This ties in with* **Table 2: MLS Security Levels** *that shows a process running with a security range of s0 - s3:c1.c5.* - Using **Figure 9: *mlsconstrain* Statements controlling Read Down & Write Up**: 1. To allow write-up, the source level (l1) must be **dominated by** @@ -309,7 +304,6 @@ read-down. The default is to use l1 eq l2 (i.e. the levels are equal). The reference policy MLS source file (policy/mls) shows these *mlsconstrain* statements. - ### MLS Labeled Network and Database Support Networking for MLS is supported via the NetLabel CIPSO (commercial IP @@ -322,7 +316,6 @@ PostgreSQL supports labeling for MLS database services as discussed in the [**SE-PostgreSQL Support**](postgresql.md#postgresql-selinux-support) section. - ### Common Criteria Certification While the [*Common Criteria*](http://www.commoncriteriaportal.org/) @@ -353,8 +346,6 @@ An interesting point: look at the protection profiles as they define what was actually evaluated. - - --- diff --git a/src/mls_statements.md b/src/mls_statements.md index c2bb4f3..f61ced6 100644 --- a/src/mls_statements.md +++ b/src/mls_statements.md 
@@ -63,13 +63,11 @@ the circumstances, there can be one level defined or a **Table 1: Sensitivity and Category = Security Level** - *this table shows the meanings depending on the context being discussed.* - To make the security levels more meaningful, it is possible to use the setransd daemon to translate these to human readable formats. The **semanage**(8) command will allow this mapping to be defined as discussed in the [**setrans.conf**](policy_config_files.md#setrans.conf) section. - #### MLS range Definition The MLS range is appended to a number of statements and defines the lowest and @@ -102,7 +100,6 @@ low_level [ - high_level ] - ## *sensitivity* The sensitivity statement defines the MLS policy sensitivity identifies @@ -182,7 +179,6 @@ sensitivity s15; sensitivity s0 alias secret wellmaybe ornot; ``` - ## *dominance* When more than one [*sensitivity*](#sensitivity) @@ -246,7 +242,6 @@ The statement is valid in: dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } ``` - ## *category* The *category* statement defines the MLS policy category @@ -326,7 +321,6 @@ category c255; category c0 alias planning development benefits; ``` - ## *level* The *level* statement enables the previously declared sensitivity and @@ -401,7 +395,6 @@ level s0:c0.c255; level s15:c0.c255; ``` - ## *range_transition* The *range_transition* statement is primarily used by the init process or @@ -493,21 +486,18 @@ range_transition initrc_t auditd_exec_t:process s15:c0.c255; range_transition initrc_t cupsd_exec_t:process s15:c0.c255; ``` - ## *mlsconstrain* This is decribed in the [**Constraint Statements - *mlsconstrain***](constraint_statements.md#mlsconstrain) section. - ## *mlsvalidatetrans* This is decribed in the [**Constraint Statements - *mlsvalidatetrans***](constraint_statements.md#mlsvalidatetrans) section. - --- diff --git a/src/modes.md b/src/modes.md index 2b23353..344b72f 100644 --- a/src/modes.md +++ b/src/modes.md 
@@ -42,8 +42,6 @@ The ***sestatus**(8)* command will show the current SELinux enforcement mode in its output, however it does not display individual domain or object manager enforcement modes. - - --- diff --git a/src/modular_policy_statements.md b/src/modular_policy_statements.md index 5efe604..e829e32 100644 --- a/src/modular_policy_statements.md +++ b/src/modular_policy_statements.md @@ -3,7 +3,6 @@ This section contains statements used to support policy modules. They are not part of the kernel policy language. - ## *module* This statement is mandatory for loadable modules (non-base) and must be @@ -269,7 +268,6 @@ optional { } # end optional ``` - --- diff --git a/src/network_statements.md b/src/network_statements.md index 171790d..a625c26 100644 --- a/src/network_statements.md +++ b/src/network_statements.md @@ -82,7 +82,6 @@ Or :: ``` - ## *netifcon* The *netifcon* statement is used to label network interface objects (e.g. @@ -178,7 +177,6 @@ netifcon eth2 system_u:object_r:netif_t:s0 system_u:object_r:netif_t:s0 ``` - ## *nodecon* The *nodecon* statement is used to label network address objects for peer @@ -280,7 +278,6 @@ This command will produce the following file in the default nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0 ``` - ## *portcon* The *portcon* statement is used to label udp, tcp, dccp or sctp ports. @@ -375,7 +372,6 @@ This command will produce the following file in the default portcon udp 1234 system_u:object_r:reserved_port_t:s0 ``` - --- diff --git a/src/network_support.md b/src/network_support.md index b519fb7..62f87f2 100644 --- a/src/network_support.md +++ b/src/network_support.md @@ -69,7 +69,6 @@ the inode associated to the socket and not from the actual kernel socket structure (as currently there is no standard kernel/userspace interface to achieve this). - ## SECMARK SECMARK makes use of the standard kernel NetFilter framework that 
@@ -181,8 +180,6 @@ The following articles explain the SECMARK service: - [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) - - ## NetLabel - Fallback Peer Labeling Fallback labeling can optionally be implemented on a system if the @@ -204,7 +201,6 @@ the policy capability *network_peer_controls* being set to 0 and 1. **Figure 14: Fallback Labeling** - *Showing the differences between the policy capability ***network_peer_controls*** set to 0 and 1.* - The *selinux-testsuite inet_socket* and *sctp* tests have examples of fallback labeling, and the following are a set of ***netlabelctl**(8)* commands from the *sctp* test: @@ -221,7 +217,6 @@ netlabelctl -p map list Note that the security contexts must be valid in the policy otherwise the commands will fail. - ## NetLabel – CIPSO/CALIPSO To allow MLS [**security levels**](mls_mcs.md#security-levels) to be passed @@ -291,7 +286,6 @@ netlabelctl -p map list The examples use the *nb_client*/*nb_server* from the Notebook examples section, plus the standard Fedora 'targeted' policy for the tests. - ## Labeled IPSec Labeled IPSec has been built into the standard GNU / Linux IPSec @@ -437,7 +431,6 @@ article and a good reference covering **Basic Labeled IPsec Configuration** available at: - ## Labeled Network FileSystem (NFS) Version 4.2 of NFS supports labeling between client/server and requires @@ -458,7 +451,6 @@ Labeled NFS clients must use a consistent security policy. The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. -
    1. For example, an ftp session where the server is listening on a specific port (the destination port) but the client will be assigned a random source port. The CONNSECMARK will ensure that all packets for the ftp session are marked with the same label.

    2. @@ -467,7 +459,6 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels.
    - --- diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md index 7337ef0..c07027f 100644 --- a/src/object_classes_permissions.md +++ b/src/object_classes_permissions.md @@ -69,7 +69,6 @@ Language, and the [**CIL Reference Guide**](./notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) specifies the CIL Policy Language. - # Kernel Object Classes and Permissions ## Common Permissions @@ -345,7 +344,6 @@ inherited by a number of object classes. - ### Common Capability Permissions @@ -575,7 +573,6 @@ explains the objects, their permissions and how they should be used in detail.
    - ### Common X_Device Permissions The following table describes the common *x_device* permissions that are @@ -666,7 +663,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes. - ## File Object Classes ### *filesystem* @@ -906,7 +902,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes. - ## Network Object Classes ### *node* @@ -1131,7 +1126,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes. - ## IPSec Network Object Classes ### *association* @@ -1211,7 +1205,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes. - ## Netlink Object Classes Netlink sockets communicate between userspace and the kernel – also see @@ -1611,7 +1604,6 @@ Netlink sockets communicate between userspace and the kernel – also see - ## Miscellaneous Network Object Classes ### *peer* @@ -1714,7 +1706,6 @@ Netlink sockets communicate between userspace and the kernel – also see - ## Sockets via *extended_socket_class* These socket classes that were introduced by the @@ -1901,7 +1892,6 @@ These socket classes that were introduced by the - ## BPF Object Class ### *bpf* @@ -1939,7 +1929,6 @@ These socket classes that were introduced by the - ## Performance Event Object Class ### *perf_event* @@ -1981,7 +1970,6 @@ These socket classes that were introduced by the - ## Lockdown Object Class Note: If the *lockdown* LSM is enabled alongside SELinux, then the @@ -2011,7 +1999,6 @@ implementation. - ## IPC Object Classes ### *ipc* (Deprecated) @@ -2121,7 +2108,6 @@ implementation. - ## Process Object Class ### *process* @@ -2286,7 +2272,6 @@ implementation. - ## Security Object Class ### *security* @@ -2356,7 +2341,6 @@ implementation. - ## System Operation Object Class Note that while this is defined as a kernel object class, the userspace @@ -2442,7 +2426,6 @@ Note that while this is defined as a kernel object class, the userspace - ## Miscellaneous Kernel Object Classes ### *kernel_service* 
@@ -2562,7 +2545,6 @@ Note that while this is defined as a kernel object class, the userspace - ## Capability Object Classes ### *capability* @@ -2641,7 +2623,6 @@ Note that while this is defined as a kernel object class, the userspace - ## InfiniBand Object Classes ### *infiniband_pkey* @@ -2682,7 +2663,6 @@ Note that while this is defined as a kernel object class, the userspace - **Userspace** Object Classes ============================= @@ -3321,7 +3301,6 @@ These are userspace objects managed by XSELinux. - ## Database Object Classes These are userspace objects - The PostgreSQL database supports these @@ -3652,7 +3631,6 @@ explains the objects, their permissions and how they should be used in detail. - ## Miscellaneous Userspace Object Classes ### *passwd* @@ -3865,8 +3843,6 @@ explains the objects, their permissions and how they should be used in detail. - - --- diff --git a/src/objects.md b/src/objects.md index 9dff3fa..09c77f3 100644 --- a/src/objects.md +++ b/src/objects.md @@ -91,7 +91,6 @@ Where: - ![](./images/6-allow-rule.png) **Figure 6: The *allow* rule** - *Showing that the subject (the processes @@ -186,7 +185,6 @@ security.selinux="unconfined_u:object_r:user_home:s0 # (or label) held for the file is displayed. ``` - #### Copying and Moving Files Assuming that the correct permissions have been granted by the policy, @@ -321,7 +319,6 @@ process itself should clear or shred the information before releasing the object (which can be difficult in some cases unless the source code is available). -
    1. These file systems store the security context in an attribute @@ -330,8 +327,6 @@ associated with the file.

    - - --- diff --git a/src/pam_login.md b/src/pam_login.md index 02878ab..08e1599 100644 --- a/src/pam_login.md +++ b/src/pam_login.md @@ -111,8 +111,6 @@ perform the following functions: - ***pam_selinux.so close*** - This will reset the login programs context to the context defined in the policy. - - --- diff --git a/src/policy_config_files.md b/src/policy_config_files.md index 408d06d..b6ae69c 100644 --- a/src/policy_config_files.md +++ b/src/policy_config_files.md @@ -31,7 +31,6 @@ additional two files are required: SELinux. - *./context/x_contexts* - To allow the X-Windows service to run under SELinux. - ## *seusers* The ***seusers**(5)* file is used by login programs (normally via the @@ -76,7 +75,6 @@ __default__:user_u:s0-s0 - ***getseuser**(3)* - ***getseuserbyname**(3)* - ## *booleans* ## *booleans.local* @@ -125,7 +123,6 @@ Note that if *SETLOCALDEFS* is set in the SELinux in the ***selinux_booleans_path**(3)*, and also a *local.users* file in the ***selinux_users_path**(3)*. - ## *booleans.subs_dist* The *booleans.subs_dist* file (if present) will allow new boolean names @@ -171,7 +168,6 @@ Supporting libselinux API functions are: - ***security_get_boolean_names**(3)* - ***security_set_boolean**(3)* - ## setrans.conf The ***setrans.conf**(8)* file is used by the ***mcstransd**(8)* daemon @@ -230,7 +226,6 @@ Supporting libselinux API functions are: - ***selinux_raw_to_trans_context**(3)* - ***selinux_trans_to_raw_context**(3)* - ## *secolor.conf* The **secolor.conf**(5) file controls the colour to be associated to the @@ -322,7 +317,6 @@ user : role : type : range black white white black tan orange black green ``` - ## *policy/policy.<ver>* This is the binary policy file that is loaded into the kernel to enforce @@ -338,7 +332,6 @@ discussed in the [**Types of SELinux Policy - Policy Versions**](types_of_policy.md#policy-versions) section. - ## *contexts/customizable_types* The ***customizable_types**(5)* file contains a list of types that will 
@@ -380,7 +373,6 @@ sysadm_untrusted_content_tmp_t - ***selinux_customizable_types_path**(3)* - ***selinux_context_path**(3)* - ## *contexts/default_contexts* The ***default_contexts**(5)* file is used by SELinux-aware applications @@ -442,7 +434,6 @@ these functions. - ***query_user_context**(3)* - ***manual_user_enter_context**(3)* - An example use in this Notebook (to get over a small feature) is that when the initial **basic policy** was built, no default_contexts file entries were required as only one *role:type* of *unconfined_r:unconfined_t* @@ -470,7 +461,6 @@ The login process could now set the context correctly to *contexts/users/unconfined_u* configuration file instead could also have achieved this. - ## *contexts/dbus_contexts* This file is for the dbus messaging service daemon (a form of IPC) that @@ -497,7 +487,6 @@ information at: - ***selinux_context_path**(3)* - ## *contexts/default_type* The **default_type**(5) file allows SELinux-aware applications such as @@ -536,7 +525,6 @@ user_r:user_t - ***selinux_default_type_path**(3)* - ***get_default_type**(3)* - ## *contexts/failsafe_context* The **failsafe_context**(5) is used when a login process cannot @@ -579,7 +567,6 @@ sysadm_r:sysadm_t:s0 - ***get_ordered_context_list**(3)* - ***get_ordered_context_list_with_level**(3)* - ## *contexts/initrc_context* This is used by the ***run_init**(8)* command to allow system services to @@ -605,7 +592,6 @@ user:role:type[:range] **Example file contents:** - ``` # Taken from the MLS policy # Note that the init process has full access via the range s0-s15:c0.c255. @@ -617,7 +603,6 @@ system_u:system_r:initrc_t:s0-s15:c0.c255 - ***selinux_context_path**(3)* - ## *contexts/lxc_contexts* This file supports labeling lxc containers within the *libvirt* library 
@@ -672,7 +657,6 @@ sandbox_lxc_process = "system_u:system_r:container_t:s0" - ***selinux_context_path**(3)* - ***selinux_lxc_context_path**(3)* - ## *contexts/netfilter_contexts* - Obsolete This file was to support the Secmark labeling for Netfilter / iptable rule @@ -683,30 +667,25 @@ matching of network packets - Never been used. - ***selinux_context_path**(3)* - ***selinux_netfilter_context_path**(3)* - ## *contexts/openrc_contexts* **To be determined** **The file format is as follows:** - **Example file contents:** - **Supporting libselinux API functions are:** - ***selinux_context_path**(3)* - ***selinux_openrc_contexts_path**(3)* - ## *contexts/openssh_contexts* **To be determined** **The file format is as follows:** - **Example file contents:** ``` @@ -718,7 +697,6 @@ privsep_preauth=sshd_net_t - ***selinux_context_path**(3)* - ***selinux_openssh_contexts_path**(3)* - ## *contexts/removable_context* The **removable_context**(5) file contains a single default label that @@ -752,7 +730,6 @@ system_u:object_r:removable_t:s0 - ***selinux_removable_context_path**(3)* - ## *contexts/sepgsql_contexts* This file contains the default security contexts for SE-PostgreSQL @@ -784,7 +761,6 @@ object_type object_name context - **Example file contents:** ``` @@ -794,14 +770,12 @@ db_database * system_u:object_r:sepgsql_db_t:s0 db_schema *.* system_u:object_r:sepgsql_schema_t:s0 ``` - ## *contexts/snapperd_contexts* **To be determined** **The file format is as follows:** - **Example file contents:** ``` @@ -813,7 +787,6 @@ snapperd_data = system_u:object_r:snapperd_data_t:s0 - ***selinux_context_path**(3)* - ***selinux_snapperd_contexts_path**(3)* - ## *contexts/securetty_types* The ***securetty_types**(5)* file is used by the ***newrole**(1)* command @@ -848,7 +821,6 @@ staff_tty_device_t - ***selinux_securetty_types_path**(3)* - ## *contexts/systemd_contexts* This file contains security contexts to be used by tasks run via ***systemd**(8)*. 
@@ -885,7 +857,6 @@ runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 - ***selinux_context_path**(3)* - ***selinux_systemd_contexts_path**(3)* - ## *contexts/userhelper_context* This file contains the default security context used by the @@ -918,7 +889,6 @@ system_u:sysadm_r:sysadm_t:s0 - ***selinux_context_path**(3)* - ## *contexts/virtual_domain_context* The ***virtual_domain_context**(5)* file is used by the virtulization @@ -938,7 +908,6 @@ system_u:system_r:svirt_tcg_t:s0 - ***selinux_virtual_domain_context_path**(3)* - ## *contexts/virtual_image_context* The ***virtual_image_context**(5)* file is used by the virtulization API @@ -958,7 +927,6 @@ system_u:object_r:virt_content_t:s0 - ***selinux_virtual_image_context_path**(3)* - ## *contexts/x_contexts* The ***x_contexts**(5)* file provides the default security contexts for @@ -1002,7 +970,6 @@ selection PRIMARY system_u:object_r:clipboard_xselection_t:s0 - ***selabel_lookup**(3)* - ***selabel_stats**(3)* - ## *contexts/files/file_contexts* The ***file_contexts**(5)* file is managed by the ***semodule**(8)* and @@ -1035,7 +1002,6 @@ compatible regular expression (PCRE) internal format. - ***selabel_lookup**(3)* - ***selabel_stats**(3)* - ## *contexts/files/file_contexts.local* This file is added by the ***semanage fcontext*** command as described in the @@ -1047,7 +1013,6 @@ file section to allow locally defined files to be labeled correctly. The - ***selinux_file_context_local_path**(3)* - ## *contexts/files/file_contexts.homedirs* This file is managed by the ***semodule**(8)* and ***semanage**(8)* commands @@ -1072,7 +1037,6 @@ Perl compatible regular expression (PCRE) internal format. - ***selinux_file_context_homedir_path**(3)* - ***selinux_homedir_context_path**(3)* - ## contexts/files/file_contexts.subs ## contexts/files/file_contexts.subs_dist 
@@ -1104,7 +1068,6 @@ with */var/www*, with the final result being: - ***matchpathcon**(3)* (deprecated) - ***matchpathcon_index**(3)* (deprecated) - ## *contexts/files/media* The **media**(5)* file is used to map media types to a file context. If @@ -1145,7 +1108,6 @@ disk system_u:object_r:fixed_disk_device_t:s0 - ***selinux_media_context_path**(3)* - ## *contexts/users/[seuser_id]* These optional files are named after the SELinux user they represent. @@ -1183,7 +1145,6 @@ system_r:init_t:s0 unconfined_r:unconfined_t:s0 - ***get_ordered_context_list**(3)* - ***get_ordered_context_list_with_level**(3)* - ## *logins/<linuxuser_id>* These optional files are used by SELinux-aware login applications such @@ -1238,7 +1199,6 @@ another_service:unconfined_u:s0 - ***getseuser**(3)* - ## users/local.users **NOTE: These were removed in libselinux 3.0** @@ -1258,15 +1218,12 @@ Note that if *SETLOCALDEFS* is set in the SELinux in the ***selinux_booleans_path**(3)*, and also a *local.users* file in the ***selinux_users_path**(3)*. -
    1. As each module would have its own file_contexts component that is either added or removed from the policies overall /etc/selinux/<SELINUXTYPE>/contexts/ files/file_contexts file.

    - - --- diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md index b5cf10a..156b434 100644 --- a/src/policy_config_statements.md +++ b/src/policy_config_statements.md @@ -65,7 +65,6 @@ policycap capability; policycap network_peer_controls; ``` - --- diff --git a/src/policy_languages.md b/src/policy_languages.md index fe579fe..90c17fe 100644 --- a/src/policy_languages.md +++ b/src/policy_languages.md @@ -55,7 +55,6 @@ domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain) domain_entry_file(test_stat_domain, ls_exec_t) ``` - --- diff --git a/src/policy_store_config_files.md b/src/policy_store_config_files.md index c1337c7..3e7f8ab 100644 --- a/src/policy_store_config_files.md +++ b/src/policy_store_config_files.md @@ -54,7 +54,6 @@ The command types are: - [***semanage user***](#activeusers.local) Manage SELinux confined users (Roles and levels for an SELinux user) - ## active/modules Directory Contents Under this directory are the respective priority directories containing @@ -83,7 +82,6 @@ test_policy 400 pp ... ``` - ### *tmp* Policy Store (build failure) When adding/updating a policy module and it fails to build for some reason, @@ -95,13 +93,11 @@ message indicating the failing line number is: Failed to resolve mlsconstrain statement at /var/lib/selinux/targeted/tmp/modules/400/test_mlsconstrain/cil:1 ``` - ## *active/commit_num* This is a binary file used by ***semanage*** for managing updates to the store. The format is not relevant to policy construction. - ### *active/policy.kern* This is the binary policy file built by either the ***semanage**(8)* or @@ -110,7 +106,6 @@ is then becomes the */etc/selinux/<SELINUXTYPE>/policy/policy.<ver>* binary policy that will be loaded into the kernel. - ## *active/policy.linked* ## *active/seusers.linked* ## *active/seusers_extra.linked* 
@@ -118,7 +113,6 @@ that will be loaded into the kernel. These are saved policy files prior to merging local changes to improve performance. - ## *active/booleans.local* This file is created and updated by the ***semanage boolean*** command and @@ -141,7 +135,6 @@ semanage boolean -m --on daemons_enable_cluster_mode daemons_enable_cluster_mode=1 ``` - ## *disable_dontaudit* This file is only present when the ***semodule**(8)* '-D' flag is used to @@ -149,7 +142,6 @@ to build the policy or ***semanage dontaudit***. It indicates that a policy has been built without the *dontaudit* rules. This allows utilities such as ***audit2allow**(8)* to list all denials to assist debugging policy. - ## *active/file_contexts* This file becomes the policy @@ -271,7 +263,6 @@ pathname_regexp [file_type] security_context | <> - Keywords that can be in policy source \*.fc files and then form the *file_contexts.template* file entries are: @@ -305,7 +296,6 @@ Keywords that can be in policy source \*.fc files and then form the *file_contex
    - **Example policy source file from Reference Policy** *policy/modules/system/userdomain.fc*: ``` @@ -341,7 +331,6 @@ HOME_ROOT/lost\+found/.* <> /home -l gen_context(system_u:object_r:home_root_t,s0) ``` - ## *active/file_contexts.local* This file is created and updated by the ***semanage fcontext*** command. It is @@ -371,7 +360,6 @@ The resulting *file_contexts.local* file will be: /usr/move_file system_u:object_r:unlabeled_t:s0 ``` - ## *active/homedir_template* This file is built as described in the @@ -396,7 +384,6 @@ HOME_ROOT/\.journal <> HOME_DIR/.+ system_u:object_r:user_home_t:s0 ``` - ### *active/file_contexts.homedirs* This file becomes the policy @@ -432,7 +419,6 @@ libsepol library function. /home/[^/]+/.+ unconfined_u:object_r:user_home_t:s0 ``` - ## active/seusers ## active/seusers.local @@ -517,7 +503,6 @@ __default__:unconfined_u:s0-s0:c0.c1023 rch:user_u:s0 ``` - ## *active/users_extra* ## *active/users_extra.local* ## *active/users.local* @@ -579,7 +564,6 @@ user seuser_id prefix prefix_id; - **Example** *users_extra* **file contents:** ``` @@ -626,7 +610,6 @@ and the resulting *users.local* file will be: user test_u roles { staff_r } level s0 range s0; ``` - ## *active/interfaces.local* This file is created and updated by the ***semanage interface*** command to @@ -651,7 +634,6 @@ semanage interface -a -t netif_t -r s0:c20.c250 enp7s0 netifcon enp7s0 system_u:object_r:netif_t:s0:c20.c250 system_u:object_r:netif_t:s0:c20.c250 ``` - ## *active/nodes.local* This file is created and updated by the ***semanage node*** command to hold @@ -677,7 +659,6 @@ semanage node -a -M 255.255.255.255 -t node_t -r s0:c20.c250 -p ipv4 127.0.0.2 nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0:c20.c250 ``` - ## *active/ports.local* This file is created and updated by the ***semanage port*** command to hold 
@@ -688,7 +669,6 @@ Each line of the file contains a *portcon* statement that is defined along with examples in the policy language [***portcon***](network_statements.md#portcon) section. - **Example** ***semanage port*** **command:** ``` @@ -704,7 +684,6 @@ semanage port -a -t port_t -p tcp -r s0:c20.c350 8888 portcon tcp 8888 system_u:object_r:port_t:s0:c20.c350 ``` - ## Set domain permissive mode The ***semanage permissive*** command will either add or remove a policy @@ -726,8 +705,6 @@ This will by default add a CIL policy module to Note that the CIL *typepermissive* statement is used, the equivalent kernel policy statement would be [***permissive***](type_statements.md#permissive). - - --- diff --git a/src/policy_validation_example.md b/src/policy_validation_example.md index 628ee7b..8b7513f 100644 --- a/src/policy_validation_example.md +++ b/src/policy_validation_example.md @@ -97,7 +97,6 @@ options as described in the [**Global Configuration Files** - *semanage.conf*](global_config_files.md#etcselinuxsemanage.conf) file section. - --- diff --git a/src/polyinstantiation.md b/src/polyinstantiation.md index cca439b..3a64918 100644 --- a/src/polyinstantiation.md +++ b/src/polyinstantiation.md @@ -23,7 +23,6 @@ To clarify polyinstantiation support: function of the XSELinux Object Manager and the supporting XACE service. - ## Polyinstantiated Objects Determining a polyinstantiated context for an object is supported by @@ -33,7 +32,6 @@ libselinux API functions. These are not limited to specific object classes, however only *dir*, *x_selection* and *x_property* objects are currently supported. - ## Polyinstantiation support in PAM PAM supports polyinstantiation (namespaces) of directories at login time 
@@ -102,7 +100,6 @@ instance, and the user name. If a new instance is being set up, the directory permissions are set and the ***restorecon**(8)* command is run to set the correct file contexts. - #### *namespace.conf* Configuration File Each line in the namespace.conf file is formatted as follows: @@ -139,7 +136,6 @@ Where: - ### Example Configurations This section shows two sample *namespace.conf* configurations, the first @@ -205,7 +201,6 @@ following polyinstantiated directories: /home/rch/rch.inst/unconfined_u:unconfined_r:unconfined_t_rch ``` - ## Polyinstantiation support in X-Windows The X-Windows SELinux object manager and XACE (X Access Control @@ -214,7 +209,6 @@ objects as discussed in the [**SELinux X-Windows Support**](x_windows.md#x-windows-selinux-support) section. - ## Polyinstantiation support in the Reference Policy The reference policy *files.te* and *files.if* modules (in the kernel @@ -226,8 +220,6 @@ boolean is set *false* (off). The polyinstantiation of X-Windows objects (*x_selection* and *x_property*) are not currently supported by the reference policy. - - --- diff --git a/src/rbac.md b/src/rbac.md index 7bb1b4f..4063e38 100644 --- a/src/rbac.md +++ b/src/rbac.md @@ -22,8 +22,6 @@ Some policies, for example Android, only make use of one role called *r*. **Figure 4: Role Based Access Control** - *Showing how SELinux controls access via user, role and domain type association.* - - --- diff --git a/src/reference_policy.md b/src/reference_policy.md index 760d154..7b7dd64 100644 --- a/src/reference_policy.md +++ b/src/reference_policy.md @@ -26,7 +26,6 @@ In most documentation the policy name is defined using the */etc/selinux/config* file entry **SELINUXTYPE=**. This part of the Notebook uses both forms. - ### Reference Policy Overview Strictly speaking the 'Reference Policy' should refer to the policy 
@@ -71,7 +70,6 @@ section explains a simple build from source. **Figure 26: The Reference Policy Source Tree** - *When building a modular policy, files are added to the policy store. For monolithic builds the policy store is not used.* - The Reference Policy can be used to build two policy types: 1. **Loadable Module Policy** - A policy that has a @@ -93,7 +91,6 @@ forming a single 'base' source file. The Reference Policy relies heavily on the ***m4**(1)* macro processor as the majority of supporting services are m4 macros. - ### Distributing Policies It is possible to distribute the Reference Policy in two forms: @@ -134,7 +131,6 @@ The selinux-policy-sandbox rpm contains the sandbox module for use by the *policycoreutils-sandbox* package. This will be installed as a module for one of the three main policies described above. - ### Policy Functionality As can be seen from the policies distributed with Fedora above, they can @@ -148,7 +144,6 @@ the *SELINUXTYPE* entry of the *build.conf* as shown in and can also confine other areas and users. - mls - MLS policy for server based systems. - ### Reference Policy Module Files The reference policy modules are constructed using a mixture of @@ -310,7 +305,6 @@ interface(*ada_run',* /usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0) ``` - ### Reference Policy Documentation One of the advantages of the reference policy is that it is possible to @@ -338,7 +332,6 @@ the ada module interfaces. **Figure 27: Example Documentation Screen Shot** - ## Reference Policy Source This section explains the source layout and configuration files, with @@ -351,7 +344,6 @@ updated with the authors comments as necessary). There is also a VERSION file that contains the Reference Policy release date, this can then be used to obtain a change list . - ### Source Layout **Figure 26: The Reference Policy Source Tree** shows the layout of the 
@@ -376,7 +368,6 @@ The section then describes how the initial source is installed and configured to allow a policy to be built. - ### Reference Policy Files and Directories **Table 1: The Reference Policy Files and Directories** shows the major @@ -535,13 +526,11 @@ modular policy is being built. This file is explained in the **Table 1: The Reference Policy Files and Directories** - ### Source Configuration Files There are two major configuration files (build.conf and modules.conf) that define the policy to be built and are detailed in this section. - #### Reference Policy Build Options - build.conf This file defines the policy type to be built that will influence its @@ -550,7 +539,6 @@ An example file content is shown in the [**Installing and Building the Reference Policy Source**](#installing-and-building-the-reference-policy-source) section where it is used to install and then build the policy. - **Table 2:** *build.conf* **Entries** explains the fields that can be defined within this file, however there are a number of *m4* macro parameters that are set up when this file is read by the build process makefiles. These macro definitions are shown @@ -647,7 +635,6 @@ policy is built with examples shown in the **Table 2:** *build.conf* **Entries** - @@ -705,7 +692,6 @@ policy is built with examples shown in the **Table 3: m4 parameters set at build time** - *These have been extracted from the Reference Policy Makefile.* - #### Reference Policy Build Options - policy/modules.conf This file will not be present until *make conf* is run and controls @@ -908,7 +894,6 @@ reference policy are different) **Table 4: Mandatory modules.conf Entries** - ##### Building the modules.conf File The file can be created by an editor, however it is generally built 
@@ -921,7 +906,6 @@ As will be seen in the pre-configured files that are used to produce the required policy including multiple versions of the *modules.conf* file. - ### Source Installation and Build Make Options This section explains the various make options available that have been @@ -967,7 +951,6 @@ taken from the *README* file. **Table 5: General Build Make Targets** -
    @@ -1054,7 +1037,6 @@ taken from the *README* file. **Table 7: Monolithic Policy Build Make Targets** - ### Booleans, Global Booleans and Tunable Booleans The three files *booleans.conf*, *global_booleans* and *global_tunables* are @@ -1081,7 +1063,6 @@ built and used as follows:
    - ### Modular Policy Build Structure This section explains the way a modular policy is constructed, this does @@ -1209,7 +1190,6 @@ in **Table 9: Module Build**. **Table 8: Base Module Build** - *This shows the temporary build files used to build the base module 'base.conf' as a part of the 'make' process. Note that the modules marked as base in modules.conf are built here.* - @@ -1246,7 +1226,6 @@ in **Table 9: Module Build**. **Table 9: Module Build** - *This shows the module files and the temporary build files used to build each module as a part of the 'make' process (i.e. those modules marked as module in modules.conf).* - ### Creating Additional Layers One objective of the reference policy is to separate the modules into @@ -1271,7 +1250,6 @@ completed: ABC modules for the XYZ components. ``` - ## Installing and Building the Reference Policy Source This section will give a brief overview of how to build the Reference @@ -1280,7 +1258,6 @@ the Fedora targeted policy. The Fedora version of the targeted policy build is discussed but building without using the rpm spec file is more complex. - ### Building Standard Reference Policy This will run through a simple configuration process and build of a @@ -1420,7 +1397,6 @@ WERROR = n as ***apol**(8)* or loaded by editing the */etc/selinux/config* file, running '*touch /.autorelabel*' and rebooting the system. - ### Building the Fedora Policy Note, the Fedora [**selinux-policy**](https://github.com/fedora-selinux) @@ -1591,7 +1567,6 @@ QUIET = n '*touch /.autorelabel*' and rebooting the system. It should have the same number of rules, types, classes etc. as the original release. - ## Reference Policy Headers This method of building policy and adding new modules is used for 
@@ -1627,7 +1602,6 @@ source two steps are required: - Copy the module interface files (*.if*) to the relevant module directories at: */usr/share/selinux/<SELINUXTYPE>/include/modules*. - ### Using the Reference Policy Headers Note that this section describes the standard Reference Policy headers, @@ -1697,7 +1671,6 @@ modules built from headers. **Table 10: Header Policy Build Make Targets** - ### Using Fedora Supplied Headers The Fedora distribution installs the headers in a slightly different @@ -1712,7 +1685,6 @@ manner as Fedora installs: - The documentation is installed in the */usr/share/doc/selinux-policy/html* directory. - ## Reference Policy Support Macros This section explains some of the support macros used to build reference @@ -1864,7 +1836,6 @@ Incorrect: policy_module (ftp, 1.7.0) ``` - ### Loadable Policy Macros The loadable policy module support macros are located in the @@ -1950,7 +1921,6 @@ require { } ``` - #### *gen_require* Macro For use within module files to insert a *require* block. @@ -2013,7 +1983,6 @@ require { } ``` - #### *optional_policy* Macro For use within module files to insert an *optional* block that will be @@ -2180,7 +2149,6 @@ optional { } # end optional ``` - #### *gen_tunable* Macro This macro defines booleans that are global in scope. The corresponding @@ -2336,7 +2304,6 @@ if (allow_ftpd_use_nfs && allow_ftpd_anon_write) { } # end allow_ftpd_use_nfs && allow_ftpd_anon_write ``` - #### *interface* Macro Access *interface* macros are defined in the interface module file (*.if*) @@ -2456,7 +2423,6 @@ optional { } # end optional ``` - #### *template* Macro A template interface is used to help create a domain and set up the @@ -2609,7 +2575,6 @@ template(*djbdns_daemontools_domain_template',* ##### end djbdns_daemontools_domain_template(dnscache) depth: 0 ``` - ### Miscellaneous Macros These macros are in the *misc_macros.spt* file. 
@@ -2679,7 +2644,6 @@ gen_context(context[,mls | mcs]) /dev/\.tmp-block-.* -c system_u:object_r:fixed_disk_device_t:s15:c0.c1023 ``` - #### *gen_user* Macro This macro is used to generate a valid [***user***](user_statements.md#user) @@ -2758,7 +2722,6 @@ ifdef(*direct_sysadm_daemon',* ') ``` - **Expanded Macro:** ``` @@ -2777,7 +2740,6 @@ user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - s15 user root prefix sysadm; ``` - #### *gen_bool* Macro This macro defines a boolean and requires the following steps: @@ -2912,7 +2874,6 @@ if( ! secure_mode_insmod ) { } ``` - ### MLS and MCS Macros These macros are in the *mls_mcs_macros.spt* file. @@ -2986,7 +2947,6 @@ category c1; category c1023; ``` - #### *gen_sens* Macro This macro will generate a @@ -3056,7 +3016,6 @@ sensitivity s1; sensitivity s15; ``` - #### *gen_levels* Macro This macro will generate a [*level*](mls_statements.md#level) for each level @@ -3128,7 +3087,6 @@ level s1:c0.c1023; level s15:c0.c1023; ``` - #### System High/Low Parameters These macros define system high etc. as shown. @@ -3183,13 +3141,11 @@ mcs_allcats c0.c1023 ``` - ### *ifdef* / *ifndef* Parameters This section contains examples of the common *ifdef* / *ifndef* parameters that can be used in module source files. - #### *hide_broken_symptoms* This is used within modules as shown in the example. The parameter is @@ -3210,7 +3166,6 @@ ifdef(*hide_broken_symptoms',* ') ``` - #### *enable_mls* and *enable_mcs* These are used within modules as shown in the example. The parameters @@ -3238,7 +3193,6 @@ ifdef(*enable_mcs',* ') ``` - #### *enable_ubac* This is used within the *./policy/constraints* configuration file to set @@ -3268,7 +3222,6 @@ define(*basic_ubac_conditions',* ') ``` - #### *direct_sysadm_daemon* This is used within modules as shown in the example. The parameter is 
@@ -3291,7 +3244,6 @@ ifndef(*direct_sysadm_daemon',* ') ``` - ## Module Expansion Process The objective of this section is to show how the modules are expanded by @@ -3319,8 +3271,6 @@ section. **Figure 29: The expansion process** - - --- diff --git a/src/role_statements.md b/src/role_statements.md index ad73750..c11a01d 100644 --- a/src/role_statements.md +++ b/src/role_statements.md @@ -95,7 +95,6 @@ role user_r types user_t; role user_r types chfn_t; ``` - ## *attribute_role* The *attribute_role* statement declares a role attribute identifier that @@ -160,7 +159,6 @@ attribute_role role_list_1; attribute_role srole_list_2; ``` - ## *roleattribute* The roleattribute statement allows the association of previously @@ -232,7 +230,6 @@ role service_r; roleattribute service_r role_list_1; ``` - ## *allow* The role *allow* rule checks whether a request to change roles is allowed, @@ -304,7 +301,6 @@ allow from_role_id to_role_id; allow sysadm_r secadm_r; ``` - ## *role_transition* The *role_transition* rule specifies that a role transition is required, @@ -383,7 +379,6 @@ role_transition current_role_id type_id : class new_role_id; role_transition system_r unconfined_exec_t:process unconfined_r; ``` - ## *dominance* - Deprecated This rule has been deprecated and therefore should not be used. The role @@ -465,7 +460,6 @@ Where: dominance { role message_filter_r { role unconfined_r };} ``` - --- diff --git a/src/seandroid.md b/src/seandroid.md index f3537c5..b1833eb 100644 --- a/src/seandroid.md +++ b/src/seandroid.md @@ -42,7 +42,6 @@ The sections that follow cover: 8. Logging and auditing 9. Configuration file formats - ## SE for Android Project Updates This gives a high level view of the new and updated projects to support 
@@ -128,7 +127,6 @@ Provides the policy build tool. Added support for MacOS X. Not available on the device as policy rebuilds are done in the development environment. There are no specific updates to support Android except an *Android.bp* file. - ### ***bootable/recovery*** Changes to manage file labeling on recovery using functions such as @@ -197,7 +195,6 @@ Build information for each device that includes device specific policy as discussed in the [**The SELinux Policy**](#the-selinux-policy) and [**Managing Device Policy Files**](#managing-device-policy-files) sections. - ## Kernel LSM / SELinux Support The paper "Security Enhanced (SE) Android: Bringing Flexible MAC to @@ -220,7 +217,6 @@ Kernel 5.0+ supports Dynamically Allocated Binder Devices, therefore configuring specific devices (e.g. **CONFIG_ANDROID_BINDER_DEVICES="binder"**) is no longer required (use ***CONFIG_ANDROID_BINDERFS=y*** instead). - ## Android Classes & Permissions Additional classes have been added to Android and are listed in the @@ -463,7 +459,6 @@ not all are required for Android.
    - ## SELinux Commands A subset of the Linux SELinux commands have been implemented in Android @@ -527,7 +522,6 @@ adb shell pm list permissions -g - ## SELinux Public Methods The public methods implemented are equivalent to *libselinux* functions @@ -630,7 +624,6 @@ TV package *AboutFragment.java* calls **SELinux.isSELinuxEnabled()**. - ## Android Init Language SELinux Extensions The Android init process language has been expanded to support SELinux @@ -676,7 +669,6 @@ service ueventd /system/bin/ueventd restorecon --recursive --skip-ce /data ``` - ## The SELinux Policy This section covers the SELinux policy, its supporting configuration files @@ -975,7 +967,6 @@ domains (not allowed) and *neverallow* assertions **version_policy** - Takes the given public platform policy, a private policy and a version number to produced a combined "versioned" policy file. - ## Logging and Auditing Android supports auditing of SELinux events via the AOSP logger @@ -1002,7 +993,6 @@ in the kernel buffers that can be read using ***dmesg**(1)*: adb shell dmesg ``` - ## Policy File Formats This section details the following Android policy files: @@ -1118,7 +1108,6 @@ example taken from *device/generic/goldfish/fstab.ranchu*: /dev/block/pci/pci0000:00/0000:00:06.0/by-name/metadata /metadata ext4 ..... ``` - ### ***seapp_contexts*** The build process supports additional *seapp_contexts* files allowing @@ -1367,7 +1356,6 @@ LABEL USER PID PPID NAME u:r:untrusted_app:s0:c149,c256,c512,c768 u0_a149 1138 64 com.example.myapplication ``` - ### ***property_contexts*** This file holds property service keys and their contexts that are @@ -1386,7 +1374,6 @@ property_key security_context type value type = prefix or exact value = int, double, bool or string - Example entries: ``` 
@@ -1411,7 +1398,6 @@ ro.telephony.call_ring.multiple u:object_r:telephony_config_prop:s0 exact bool ro.telephony.default_cdma_sub u:object_r:telephony_config_prop:s0 exact int ``` - ### ***service_contexts*** This file holds binder service keys and their contexts that are matched @@ -1462,7 +1448,6 @@ manager u:object_r:service_manager_vndservice:s0 * u:object_r:default_android_vndservice:s0 ``` - ### ***mac_permissions.xml*** The *mac_permissions.xml* file is used to configure Run/Install-time MMAC @@ -1549,7 +1534,6 @@ file: ``` - ### ***keys.conf*** The *keys.conf* file is used by **insertkeys.py** for mapping the @@ -1589,8 +1573,6 @@ USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem ``` - - --- diff --git a/src/security_context.md b/src/security_context.md index c002c81..3ca93a2 100644 --- a/src/security_context.md +++ b/src/security_context.md @@ -116,7 +116,6 @@ unconfined_u:object_r:out_file_t Message-11 # (see the process example above). The role remained as object_r. ``` - --- diff --git a/src/selinux_cmds.md b/src/selinux_cmds.md index 077ffb6..918d4c1 100644 --- a/src/selinux_cmds.md +++ b/src/selinux_cmds.md @@ -152,8 +152,6 @@ has a page that details all the available tools and commands at: - - --- diff --git a/src/selinux_overview.md b/src/selinux_overview.md index 0fa89b9..a71b762 100644 --- a/src/selinux_overview.md +++ b/src/selinux_overview.md @@ -43,7 +43,6 @@ locations as follows: - ## Is SELinux useful There are many views on the usefulness of SELinux on Linux based @@ -124,7 +123,6 @@ The following maybe useful in providing a practical view of SELinux: 4. Older NSA documentation at: that is informative. - --- diff --git a/src/sid_statement.md b/src/sid_statement.md index dfe5684..07feb2c 100644 --- a/src/sid_statement.md +++ b/src/sid_statement.md @@ -73,7 +73,6 @@ sid unlabeled sid fs ``` - ## *sid context* The *sid context* statement is used to associate an initial security 
@@ -151,7 +150,6 @@ sid unlabeled sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255 ``` - --- diff --git a/src/subjects.md b/src/subjects.md index 38c7fe1..4f677cb 100644 --- a/src/subjects.md +++ b/src/subjects.md @@ -37,15 +37,12 @@ under *semanage_t*). **Untrusted** - Everything else. -
    1. The object class and its associated permissions are explained in the Appendix A - Object Classes and Permissions - Process Object Class section.

    - - --- diff --git a/src/terminology.md b/src/terminology.md index 59e9c0f..77eaade 100644 --- a/src/terminology.md +++ b/src/terminology.md @@ -37,7 +37,6 @@ | UID | User Identifier | | XACE | X (windows) Access Control Extension | - ## Terminology These give a brief introduction to the major components that form the @@ -116,8 +115,6 @@ core SELinux infrastructure. - - --- diff --git a/src/title.md b/src/title.md index 68a4eb1..b218559 100644 --- a/src/title.md +++ b/src/title.md @@ -80,7 +80,6 @@ Android. **Object Classes and Permissions** - Describes the SELinux object classes and permissions. - --- diff --git a/src/toc.md b/src/toc.md index 2bd299b..d7a4a72 100644 --- a/src/toc.md +++ b/src/toc.md @@ -61,7 +61,6 @@ - [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips) - [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example) - --- diff --git a/src/type_enforcement.md b/src/type_enforcement.md index 20f14af..d8d08be 100644 --- a/src/type_enforcement.md +++ b/src/type_enforcement.md @@ -54,7 +54,6 @@ any SELinux service (i.e. it is only used to identify the type component), although as explained above CIL with namespaces does make identification of types easier. - ### Constraints It is possible to add constraints on users, roles, types and MLS ranges, @@ -88,7 +87,6 @@ The kernel policy language constraints are defined in the [**Constraint Statements**](constraint_statements.md#constraint-statements) section. - ### Bounds It is possible to add bounds to users, roles and types, however @@ -103,8 +101,6 @@ services. The [**Bounds Rules**](bounds_rules.md#bounds-rules) section defines the *typebounds* rule and also gives a summary of the *userbounds* and *rolebounds* rules. - - --- diff --git a/src/types_of_policy.md b/src/types_of_policy.md index 32b36f9..a55fdd0 100644 --- a/src/types_of_policy.md +++ b/src/types_of_policy.md 
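Review bot: the src/subjects.md hunk removes footnote text, not only a blank line: the deleted line "1. The object class and its associated permissions are explained in the Appendix A - Object Classes and Permissions - Process Object Class section." is a cross-reference to the appendix, while every other hunk in this patch drops blank lines only. Either carry the pointer into the body text (for example a parenthetical "see Appendix A - Object Classes and Permissions - Process Object Class") or confirm that the marker in the section body that refers to footnote 1 is removed in the same change; otherwise the text is left with a dangling reference.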
@@ -31,7 +31,6 @@ The type of SELinux policy can described in a number of ways: As can be seen the description of a policy can vary depending on the context. - ## Reference Policy Note that this section only gives an introduction to the Reference @@ -56,7 +55,6 @@ number of RPMs. The Reference Policy can be built as a Monolithic policy or as a Modular policy that has a 'base module' with zero or more optional 'loadable modules'. - ## Policy Functionality Based on Name or Type Generally a policy is installed with a given name such as *targeted*, @@ -93,7 +91,6 @@ The *NAME* and *TYPE* entries are defined in the reference policy [**Source Configuration Files**](reference_policy.md#source-configuration-files) section. - ## Custom Policy This generally refers to a policy source that is either: @@ -118,7 +115,6 @@ classes/permissions (see kernel *Documentation/admin-guide/LSM/SELinux.rst* for build instructions, also the [**Notebook Sample Policy - README**](./notebook-examples/selinux-policy/README.md)). - ## Monolithic Policy A Monolithic policy is an SELinux policy that is compiled from one @@ -133,7 +129,6 @@ The Reference Policy supports building of monolithic policies. In some cases the kernel policy binary file is also called a monolithic policy. - ## Loadable Module Policy The loadable module infrastructure allows policy to be managed on a @@ -166,7 +161,6 @@ into the final [**binary policy**](#policy-versions) for loading into the kernel, see "[**SELinux Policy Module Primer**](http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/)". - ### Optional Policy The loadable module policy infrastructure supports an @@ -174,7 +168,6 @@ The loadable module policy infrastructure supports an allows policy rules to be defined but only enabled in the binary policy once the conditions have been satisfied. - ## Conditional Policy Conditional policies can be implemented in monolithic or loadable module 
@@ -199,7 +192,6 @@ the state of the boolean value or values. See the [**Conditional Policy Statements**](conditional_statements.md#conditional-policy-statements) section. - ## Binary Policy This is also know as the kernel policy and is the policy file that is @@ -227,7 +219,6 @@ is supported by Fedora): */etc/selinux/targeted/policy/policy.32* - ## Policy Versions SELinux has a policy database (defined in the libsepol library) that @@ -373,8 +364,6 @@ quoted (some SELinux utilities give both version numbers). **Table 1: Policy version descriptions** - - --- diff --git a/src/users.md b/src/users.md index b1dec2f..a1a86b1 100644 --- a/src/users.md +++ b/src/users.md @@ -24,8 +24,6 @@ the [**Type Enforcement (TE)**](type_enforcement.md#type-enforcement) section. Some policies, for example Android, only make use of one user called *u*. - - --- diff --git a/src/vm_support.md b/src/vm_support.md index 07ad32f..80d5cd5 100644 --- a/src/vm_support.md +++ b/src/vm_support.md @@ -122,7 +122,6 @@ ls -Z /var/lib/libvirt/images system_u:object_r:svirt_image_t:s0:c585,c813 Dynamic_VM1.img system_u:object_r:svirt_image_t:s0:c535,c601 Dynamic_VM2.img - ps -eZ | grep qemu system_u:system_r:svirt_tcg_t:s0:c585,c813 8707 ? 00:00:44 qemu-system-x86 
@@ -228,7 +227,6 @@ initialisation process will take place: The following example shows each VM having the same file label but different process labels: - | VM Image | Object | Security context | | -------------------| ----------| -------------------------------------------- | | Shareable_VM | *process* | *system_u:system_r:svirt_tcg_t:s0:c231,c245* |
From patchwork Tue Aug 4 01:35:02 2020 X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699397
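Review bot: in the first src/vm_support.md hunk the blank line being removed appears to sit inside an example listing, between the `ls -Z /var/lib/libvirt/images` output and the following `ps -eZ | grep qemu` command, rather than between markdown paragraphs. There it separates two commands and their output, so dropping it makes the `ps` line read as a continuation of the `ls` output; keep that one blank line (the blank-line removals before headings elsewhere in the patch are fine).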
Subject: [RFC,selinux-notebook PATCH 16/18] kernel_policy_language: convert the footnotes to markdown
From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:35:02 -0400 Message-ID: <159650490255.8961.4142736519349867696.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> User-Agent: StGit/0.23 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org There are still more footnotes that need to be converted, and the kernel_policy_language.md file still needs to be fully converted to markdown, but this resolved a problem seen while building the PDF. Signed-off-by: Paul Moore --- src/kernel_policy_language.md | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/src/kernel_policy_language.md b/src/kernel_policy_language.md index eba0564..a4118f9 100644 --- a/src/kernel_policy_language.md +++ b/src/kernel_policy_language.md @@ -6,9 +6,9 @@ then has links to each section within this document. ## Policy Source Files -There are three basic types of policy source file1 that can contain language statements -and rules. The three types of policy -source file2 are: +There are three basic types of policy source file[^fn_kpl_1] that can contain +language statements and rules. The three types of policy source file[^fn_kpl_2] +are: **Monolithic Policy** - This is a single policy source file that contains all statements. By convention this file is called policy.conf @@ -739,7 +739,7 @@ within an *if/else* construct, *optional {rule_list}*, or neverallow Yes Yes -Yes3 +Yes[^fn_kpl_3] No Yes No @@ -801,9 +801,9 @@ within an *if/else* construct, *optional {rule_list}*, or require No -Yes4 +Yes[^fn_kpl_4] Yes -Yes5 +Yes[^fn_kpl_5] Yes No @@ -969,15 +969,23 @@ Note these are not kernel policy statements, but used by the Reference Policy to assist policy build: - [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements) -
    -
      -
    1. It is important to note that the Reference Policy builds policy using makefiles and m4 support macros within its own source file structure. However, the end result of the make process is that there can be three possible types of source file built (depending on the MONOLITHIC=Y/N build option). These files contain the policy language statements and rules that are finally complied into a binary policy.

    2. -
    3. This does not include the file_contexts file as it does not contain policy statements, only default security contexts (labels) that will be used to label files and directories.

    4. -
    5. neverallow statements are allowed in modules, however to detect these the semanage.conf file must have the expand-check=1 entry present.

    6. -
    7. Only if preceded by the optional statement.

    8. -
    9. Only if preceded by the optional statement.

    10. -
    -
+[^fn_kpl_1]: It is important to note that the Reference Policy builds policy +using makefiles and m4 support macros within its own source file structure. +However, the end result of the make process is that there can be three possible +types of source file built (depending on the *MONOLITHIC=Y/N* build option). +These files contain the policy language statements and rules that are finally +complied into a binary policy. + +[^fn_kpl_2]: This does not include the *file_contexts* file as it does not +contain policy statements, only default security contexts (labels) that will be +used to label files and directories. + +[^fn_kpl_3]: *neverallow* statements are allowed in modules, however to detect +these the *semanage.conf* file must have the *expand-check=1* entry present. + +[^fn_kpl_4]: Only if preceded by the *optional* statement. + +[^fn_kpl_5]: Only if preceded by the *optional* statement.
From patchwork Tue Aug 4 01:35:09 2020 X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699399
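Review bot: [^fn_kpl_1] carries over a typo from the old footnote 1, "finally complied into a binary policy" should read "finally compiled into a binary policy"; since the text is being rewritten anyway, fix it in this hunk. Two smaller points in the same hunk: [^fn_kpl_3] is a comma splice ("allowed in modules, however to detect these"), better as "allowed in modules; however, to detect these the *semanage.conf* file must have ..."; and [^fn_kpl_4] and [^fn_kpl_5] are word-for-word identical ("Only if preceded by the *optional* statement."), so if both the pandoc and the GitHub renderers accept one footnote referenced from two table cells, a single definition referenced twice would avoid the duplicate. The mapping of the old numbered notes to the new identifiers (1 to fn_kpl_1, 3 to fn_kpl_2, 5 to fn_kpl_3, 7 to fn_kpl_4, 9 to fn_kpl_5) checks out against the references changed in the table rows.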
Subject: [RFC,selinux-notebook PATCH 17/18] title: assorted updates From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:35:09 -0400 Message-ID: <159650490901.8961.770608607313355868.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> User-Agent: StGit/0.23 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Several small updates to the title page(s), in no particular order: - Add my name to the copyright list - Add an acknowledgment to Richard thanking him for donating the notebook's source material - Updated the link for Máirín Duffy - Provide a link to the GitHub repo so people can find the most recent release Signed-off-by: Paul Moore --- src/title.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/title.md b/src/title.md index b218559..5c98d9d 100644 --- a/src/title.md +++ b/src/title.md @@ -20,7 +20,9 @@ ## Copyright Information -Copyright © 2020 [*Richard Haines*](mailto:richard_c_haines@btinternet.com). +Copyright (c) 2020 [*Richard Haines*](mailto:richard_c_haines@btinternet.com) + +Copyright (c) 2020 [*Paul Moore*](mailto:paul@paul-moore.com) Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -30,7 +32,10 @@ See: **** ## Acknowledgements -Logo designed by [*Máirín Duffy*](http://pookstar.deviantart.com/) +The Notebook was originally created by *Richard Haines* who graciously donated +the source material to the SELinux project. + +The SELinux logo was designed by [*Máirín Duffy*](https://blog.linuxgrrl.com).
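Review bot: the Copyright hunk also changes "Copyright © 2020" to "Copyright (c) 2020" and drops the trailing period, and neither change is among the four bullets in the commit message. If the replacement is deliberate it deserves a bullet (or a one-line reason); otherwise keep "©", since the same file already carries non-ASCII text in the Acknowledgements hunk ("Máirín Duffy"), so the character set is not the constraint. The Acknowledgements hunk itself reads fine.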
@@ -80,6 +85,13 @@ Android. **Object Classes and Permissions** - Describes the SELinux object classes and permissions. +### Updated Editions + +The SELinux Notebook is being maintained as part of the SELinux project, more +recent editions may be available. + +See: **** + ---
From patchwork Tue Aug 4 01:35:15 2020 X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11699401
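Review bot: the new Updated Editions paragraph is a comma splice, "The SELinux Notebook is being maintained as part of the SELinux project, more recent editions may be available."; split it or join the clauses, for example "The SELinux Notebook is maintained as part of the SELinux project, so more recent editions may be available." Also, the added "See: ****" line shows no link target in the hunk as rendered here, so double-check that the GitHub repository URL the commit message promises is actually present on that source line.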
Subject: [RFC,selinux-notebook PATCH 18/18] x_windows: don't call table 12 a table
From: Paul Moore To: selinux@vger.kernel.org Date: Mon, 03 Aug 2020 21:35:15 -0400 Message-ID: <159650491552.8961.7366503197541412357.stgit@sifl> In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl> References: <159650470076.8961.12721446818345626943.stgit@sifl> User-Agent: StGit/0.23 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org From: Richard Haines I've removed the Table 12: reference and reworded. This now just looks like a list. Also fixed a few minor nits + added a contents list. Signed-off-by: Richard Haines Signed-off-by: Paul Moore --- src/x_windows.md | 146 +++++++++++++++++++++++++++++------------------------- 1 file changed, 79 insertions(+), 67 deletions(-) diff --git a/src/x_windows.md b/src/x_windows.md index 6fdd39e..74edc62 100644 --- a/src/x_windows.md +++ b/src/x_windows.md @@ -1,5 +1,14 @@ # X-Windows SELinux Support +- [**Infrastructure Overview**](#infrastructure-overview) +- [**Polyinstantiation**](#polyinstantiation) +- [**Configuration Information**](#configuration-information) + - [**Enable/Disable the OM from Policy Decisions**](#enabledisable-the-om-from-policy-decisions) + - [**Configure OM Enforcement Mode**](#configure-om-enforcement-mode) + - [**Determine OM X-extension Opcode**](#determine-om-x-extension-opcode) + - [**The *x_contexts* File**](#the-x_contexts-file) +- [**SELinux Extension Functions**](#selinux-extension-functions) + The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as resources) using an X-Windows extension acting as the object manager 
@@ -53,7 +62,7 @@ information that is required by the OM for labeling certain objects. The OM reads its contents using the ***selabel_lookup**(3)* function. **XSELinux Object Manager** - This is an X-extension for the X-server -process that mediates all access decisions between the the X-server (via +process that mediates all access decisions between the X-server (via the XACE interface) and the SELinux security server (via *libselinux*). The OM is initialised before any X-clients connect to the X-server. 
@@ -235,21 +244,30 @@ A full description of the *x_contexts* file format is given in the ## SELinux Extension Functions -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxQueryVersion | 0 | None | +The XSELinux Extension Functions listed below are supported by the object +manager as X-protocol extensions. + +Note that **XSELinuxGet\*** functions return a default context, however +those with Minor Parameter: 2, 6, 9, 11, 16 and 18 will not return a value +unless one has been set by the appropriate **XSELinuxSet\*** function (Minor +Parameter: 1, 5, 8, 10, 15 and 17). + +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxQueryVersion | 0 | None | Returns the XSELinux version. Fedora returns 1.1. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetDeviceCreateContext | 1 | Context + Len | + +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetDeviceCreateContext | 1 | Context + Len | Sets the context for creating a device object (*x_device*). -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetDeviceCreateContext | 2 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetDeviceCreateContext | 2 | None | Retrieves the context set by *XSELinuxSetDeviceCreateContext*. 
@@ -259,115 +277,115 @@ Retrieves the context set by *XSELinuxSetDeviceCreateContext*. Sets the context for creating the specified DeviceID object. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetDeviceContext | 4 | DeviceID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetDeviceContext | 4 | DeviceID | Retrieves the context set by *XSELinuxSetDeviceContext*. -| Function Name | Minor Parameters | Opcode | +| Function Name | Minor Parameter | Opcode | | --------------------------------- | ---------------- | --------------------- | | XSELinuxSetWindowCreateContext | 5 | Context + Len | Set the context for creating a window object (*x_window*). -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetWindowCreateContext | 6 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetWindowCreateContext | 6 | None | Retrieves the context set by *XSELinuxSetWindowCreateContext*. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetWindowContext | 7 | WindowID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetWindowContext | 7 | WindowID | Retrieves the specified WindowID context. 
-| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetPropertyCreateContext | 8 | Context | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetPropertyCreateContext | 8 | Context | Sets the context for creating a property object (*x_property*). -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetPropertyCreateContext | 9 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetPropertyCreateContext | 9 | None | Retrieves the context set by *XSELinuxSetPropertyCreateContext*. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetPropertyUseContext | 10 | Context + Len | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetPropertyUseContext | 10 | Context + Len | Sets the context of the property object to be retrieved when polyinstantiation is being used. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetPropertyUseContext | 11 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetPropertyUseContext | 11 | None | Retrieves the property object context set by *SELinuxSetPropertyUseContext*. 
-| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetPropertyContext | 12 | WindowID + AtomID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetPropertyContext | 12 | WindowID + AtomID | Retrieves the context of the property atom object. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetPropertyDataContext | 13 | WindowID + AtomID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetPropertyDataContext | 13 | WindowID + AtomID | Retrieves the context of the property atom data. -| Function Name | Minor Parameters | Opcode | +| Function Name | Minor Parameter | Opcode | | --------------------------------- | ---------------- | --------------------- | | XSELinuxListProperties | 14 | WindowID | Lists the object and data contexts of properties associated with the selected WindowID. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetSelectionCreateContext | 15 | Context + Len | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetSelectionCreateContext | 15 | Context + Len | Sets the context to be used for creating a selection object. 
-| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetSelectionCreateContext | 16 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetSelectionCreateContext | 16 | None | Retrieves the context set by *SELinuxSetSelectionCreateContext*. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxSetSelectionUseContext | 17 | Context + Len | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxSetSelectionUseContext | 17 | Context + Len | Sets the context of the selection object to be retrieved when polyinstantiation is being used. See the *XSELinuxListSelections* function for an example. -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetSelectionUseContext | 18 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetSelectionUseContext | 18 | None | Retrieves the selection object context set by *SELinuxSetSelectionUseContext*. -| Function Name | Minor Parameters | Opcode | +| Function Name | Minor Parameter | Opcode | | --------------------------------- | ---------------- | --------------------- | | XSELinuxGetSelectionContext | 19 | AtomID | Retrieves the context of the specified selection atom object. 
-| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetSelectionDataContext | 20 | AtomID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetSelectionDataContext | 20 | AtomID | Retrieves the context of the selection data from the current selection owner (*x_application_data* object). -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxListSelections | 21 | None | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxListSelections | 21 | None | Lists the selection atom object and data contexts associated with this display. The main difference in the listings is that when (for example) the *PRIMARY* @@ -391,18 +409,12 @@ Atom: PRIMARY - Labels for client 2: - Object Context: *system_u:object_r:x_select_paste2_t* - Data Context: *system_u:object_r:x_select_paste2_t* -| Function Name | Minor Parameters | Opcode | -| --------------------------------- | ---------------- | --------------------- | -| XSELinuxGetClientContext | 22 | ResourceID | +| Function Name | Minor Parameter | Opcode | +| --------------------------------- | --------------- | --------------------- | +| XSELinuxGetClientContext | 22 | ResourceID | Retrieves the client context of the specified ResourceID. -**Table 12: The XSELinux Extension Functions** - *Supported by the object -manager as X-protocol extensions. Note that some functions will return -the default contexts, while others (2, 6, 9, 11, 16, 18) will not return -a value unless one has been set the the appropriate function (1, 5, 8, -10, 15, 17) by an SELinux-aware application.* - ---
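Review bot: In the @@ -235,21 +244,30 @@ hunk the two right-hand table columns still read as swapped even after the rename: the "Minor Parameter" column holds the extension request numbers 0 to 22 (the minor opcodes), while the "Opcode" column holds the request arguments (`Context + Len`, `DeviceID`, `WindowID + AtomID`). Since this patch already rewrites every header row, `| Function Name | Minor Opcode | Parameters |` would describe the columns accurately and would avoid overloading "Opcode", which the "Determine OM X-extension Opcode" entry in the new contents list uses for the extension itself. Minor: the new note's "however" joins two sentences; a full stop before "Those with Minor Parameter" reads more cleanly.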
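Review bot: The @@ -259,115 +277,115 @@ hunk leaves three tables half converted: the header rows for XSELinuxSetWindowCreateContext (5), XSELinuxListProperties (14) and XSELinuxGetSelectionContext (19) are changed to "Minor Parameter" but their separator rows keep the old 16-dash `| ---------------- |` cell, so the source no longer lines up with the other tables (pandoc renders it either way, so this is cosmetic). While in here: XSELinuxSetPropertyCreateContext (8) lists `Context` where every other Set function lists `Context + Len`; if that is not deliberate it should match. The unchanged description lines also refer to *SELinuxSetPropertyUseContext*, *SELinuxSetSelectionCreateContext* and *SELinuxSetSelectionUseContext* without the leading X, and row 5 says "Set the context" where the rest say "Sets"; both are worth fixing in the same patch since the section is being reworded anyway.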
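Review bot: Dropping the Table 12 caption in the @@ -391,18 +409,12 @@ hunk also drops its qualifier that the Set functions (1, 5, 8, 10, 15, 17) are called "by an SELinux-aware application"; the replacement note added at the top of the section says which functions set the contexts but not who is expected to call them. Suggest carrying the phrase over, e.g. "unless one has been set by an SELinux-aware application using the appropriate **XSELinuxSet\*** function". The caption's "set the the" typo disappears with the removal, which is fine.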