From: Dhruv Gami <dgami@uncc.edu>
To: SELINUX <SELinux@tycho.nsa.gov>
Subject: Basic question on policy design
Date: Wed, 03 Dec 2003 16:49:13 +0100
Message-ID: <3FCE05F9.8090006@uncc.edu>

Hello Everyone,

I am trying to understand how Type Enforcement has been implemented in 
SELinux, and am using the sample policy given with the SELinux packages 
as an example.

In the paper "Meeting Critical Security Objectives with SELinux", 
Stephen Smalley and Peter Loscocco say:

The TE Configuration file defines an extensible set of types. Using the 
allow statement, allowable permissions between pairs of types are 
specified for each object class.

allow type_1 type_2:class { perm_1 ... perm_n };

The meaning of the above rule is not too clear to me.
1. What exactly is the relationship between type_1 and type_2?
2. Is the class associated with type_2 only?
3. Are type_1 and type_2 interchangeable in the above rule?
4. Is there any rule that type_1 should be a subject type and type_2 should be 
an object type?

The structure of the policy rules is not very clear to me. Is there any 
documentation available which makes it clear? Maybe I'm missing 
something somewhere. Any help in this regard would be greatly appreciated.

regards,
Dhruv Gami


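The following is an added example, not part of the original message or of the quoted paper. It models how allow rules of the quoted form are evaluated: the first type is the source (the domain of the acting process), the second is the target (the type of the object acted on), and the class is the object class of the target. The type names, the sample rules and the helper names `load_policy` and `is_allowed` are constructed for illustration.

```python
import re

# Constructed sample rules in the form quoted above; not taken from any shipped policy.
SAMPLE_POLICY = """
allow httpd_t httpd_config_t:file { read getattr };
allow httpd_t httpd_log_t:file { append getattr };
allow httpd_t httpd_log_t:dir { search add_name };
allow initrc_t httpd_t:process { signal };
"""

# Handles only the single-source, single-target, braced-permission form
# shown in the message. The real policy language accepts more forms.
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;")


def load_policy(text):
    """Build a table keyed by (source_type, target_type, class) -> set of permissions."""
    table = {}
    for source, target, tclass, perms in ALLOW_RE.findall(text):
        # Several rules for the same key add up; nothing ever subtracts.
        table.setdefault((source, target, tclass), set()).update(perms.split())
    return table


def is_allowed(table, source_type, target_type, tclass, perm):
    """Default deny: access is granted only if a rule lists this exact permission."""
    return perm in table.get((source_type, target_type, tclass), set())


if __name__ == "__main__":
    av = load_policy(SAMPLE_POLICY)
    checks = [
        ("httpd_t", "httpd_log_t", "file", "append"),   # rule present
        ("httpd_log_t", "httpd_t", "file", "append"),   # types swapped: no rule
        ("httpd_t", "httpd_log_t", "dir", "append"),    # same pair, other class
        ("httpd_t", "httpd_config_t", "file", "write"), # permission not listed
        ("initrc_t", "httpd_t", "process", "signal"),   # target is a process type
    ]
    for check in checks:
        print(check, "->", "allowed" if is_allowed(av, *check) else "denied")
```
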
