Chapter 2. SELinux Policy Overview
# name_list : name | name_list name#
#
#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#
constrain process transition
( u1 == u2 or t1 == privuser );
constrain process transition
( r1 == r2 or t1 == privrole );
#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
2.12. Special Interfaces and File Systems
These are various special interfaces into the kernel and file system details. Some of them are discussed more extensively in other locations and are listed here to highlight their nature.
Tip
The shared library libselinux provides an abstraction layer for all of these interfaces. If you are writing an application, use this library instead of trying to access these interfaces directly. To see what is provided with libselinux, run the command rpm -ql libselinux. This lists all the utilities and associated manual pages included in the package.
The special files at /proc/PID/attr/ allow userspace access to context information about a process. PID is the process ID of the process you are examining. This access includes getting and setting security attributes for the process. These pseudo files expose the getting and setting of:
current
    the current security context.
prev
    the context prior to the last exec, which means the context of the process that called this process.
exec
    the context to apply at the next exec.
fscreate
    the context to apply to any new files created by this process.
The pseudo file system selinuxfs is mounted at /selinux/. It provides the SELinux policy API for userspace. Some of what libselinux abstracts from this pseudo file system is loading policy, enabling or disabling SELinux, and making AVC checks.
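The following is an added example, not code from the guide or from libselinux: it reads the /proc/PID/attr/ pseudo files described above without libselinux, splits the context into its user:role:type:level fields, and applies the two "constrain process transition" rules shown earlier in this chapter to a pair of contexts. The sets of types carrying the privuser and privrole attributes are constructed for illustration; a real policy assigns them with typeattribute statements. Missing files (no SELinux) and empty or malformed values are reported as None rather than raising.

```python
import re
from typing import Optional

# Constructed for this example: types assumed to carry the privuser and
# privrole attributes. A real policy defines these, not this script.
PRIVUSER_TYPES = {"sysadm_t", "newrole_t"}
PRIVROLE_TYPES = {"sysadm_t", "newrole_t"}

# user:role:type with an optional MLS/MCS level (which may itself contain ':')
CONTEXT_RE = re.compile(r"^([^:]+):([^:]+):([^:]+)(?::(.+))?$")


def parse_context(raw: str) -> Optional[dict]:
    """Split 'user_u:user_r:user_t:s0' into its fields.
    Returns None for an empty or malformed string, which is what
    /proc/PID/attr/* yields when SELinux is disabled or nothing is set."""
    raw = raw.rstrip("\x00\n")
    m = CONTEXT_RE.match(raw)
    if not m:
        return None
    user, role, type_, level = m.groups()
    return {"user": user, "role": role, "type": type_, "level": level}


def read_attr(pid, name: str) -> Optional[dict]:
    """Read /proc/<pid>/attr/<name> (current, prev, exec or fscreate).
    A missing file (no SELinux, or no such PID) is reported as None."""
    path = f"/proc/{pid}/attr/{name}"
    try:
        with open(path, "rb") as fh:
            return parse_context(fh.read().decode("utf-8", "replace"))
    except OSError:
        return None


def transition_allowed(src: dict, dst: dict) -> bool:
    """Evaluate the page's two 'constrain process transition' rules:
    u1 == u2 or t1 == privuser, and r1 == r2 or t1 == privrole."""
    user_ok = src["user"] == dst["user"] or src["type"] in PRIVUSER_TYPES
    role_ok = src["role"] == dst["role"] or src["type"] in PRIVROLE_TYPES
    return user_ok and role_ok


if __name__ == "__main__":
    # Inspect the calling process itself via /proc/self/attr/.
    for name in ("current", "prev", "exec", "fscreate"):
        print(f"{name}: {read_attr('self', name)}")
```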