057d72af2d
Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
3.1 KiB
Context Statement
Contexts are formed using previously declared parameters and may be named or anonymous where:
-
Named - The context is declared with a context identifier that is used as a reference.
-
Anonymous - They are defined within the CIL labeling statement using user, role etc. identifiers.
Each type is shown in the examples.
context
Declare an SELinux security context identifier for labeling. The range (or current and clearance levels) MUST be defined whether the policy is MLS/MCS enabled or not.
Statement definition:
(context context_id (user_id role_id type_id levelrange_id)))
Where:
|
The |
|
The |
|
A single previously declared |
|
A single previously declared |
|
A single previously declared |
|
A single previously declared |
Examples:
This example uses a named context definition:
(context runas_exec_context (u object_r exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
to resolve/build a file_contexts entry of (assuming MLS enabled policy):
/system/bin/run-as -- u:object_r:runas.exec:s0-s0
This example uses an anonymous context where the previously declared user role type levelrange identifiers are used to specify two portcon statements:
(portcon udp 1024 (test.user object_r test.process ((s0) (s1))))
(portcon tcp 1024 (test.user object_r test.process (system_low system_high)))
This example uses an anonymous context for the first and named context for the second in a netifcon statement:
(context netif_context (test.user object_r test.process ((s0 (c0)) (s1 (c0)))))
(netifcon eth04 (test.user object_r test.process ((s0 (c0)) (s1 (c0)))) netif_context)