Chapter 2. SELinux Policy Overview
# name_list : name | name_list name
#
#
#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#
constrain process transition
    ( u1 == u2 or t1 == privuser );
constrain process transition
    ( r1 == r2 or t1 == privrole );
#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#
constrain dir_file_class_set { create relabelto relabelfrom }
    ( u1 == u2 or t1 == privowner );
constrain socket_class_set { create relabelto relabelfrom }
    ( u1 == u2 or t1 == privowner );

2.12. Special Interfaces and File Systems
This section covers various special interfaces into the kernel and file system details. Some of these
are discussed more extensively in other locations and are listed here to highlight their nature.
Tip
The shared library libselinux provides an abstraction layer for all of these interfaces. If you are
writing an application, use this library instead of trying to directly access these interfaces. To see
what is provided with libselinux, run the command rpm -ql libselinux. This will show all the
utilities and associated manual pages included in the library.
The special files at /proc/PID/attr/ allow userspace access to context information about a
process. PID is the process ID for the process you are examining. This access includes getting
and setting security attributes for the process. These pseudo files expose the following attributes
for getting and setting:
current
  current security context.
prev
  the context prior to the last exec, which means the context of the process that called
  this process.
exec
  the context to apply at the next exec.
fscreate
  the context to apply to any new files created by this process.
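
As an added example (not code from the original guide), the following Python reads the four pseudo files for one process and reports what they imply; it reads the files directly only to show their format, and applications should still go through libselinux as the Tip says. PID 4242, the sample contexts and the helper names are constructed for the example, and treating an empty exec or fscreate file as "no context set" is an assumption.

```python
import os
import tempfile

ATTRS = ("current", "prev", "exec", "fscreate")

def parse_context(raw):
    """Split raw attr bytes into context fields; None when the file is empty."""
    text = raw.rstrip(b"\x00\n").decode("ascii", "replace")
    if not text:
        return None  # assumption: empty exec/fscreate means no context was set
    parts = text.split(":", 3)  # user:role:type[:level]; level may hold colons
    if len(parts) < 3:
        raise ValueError(f"not a security context: {text!r}")
    ctx = dict(zip(("user", "role", "type"), parts))
    ctx["level"] = parts[3] if len(parts) == 4 else None
    return ctx

def read_attrs(pid, proc_root="/proc"):
    """Read the four pseudo files under <proc_root>/<pid>/attr/."""
    attrs = {}
    for name in ATTRS:
        with open(os.path.join(proc_root, str(pid), "attr", name), "rb") as fh:
            attrs[name] = parse_context(fh.read())
    return attrs

def review(attrs):
    """Return findings a defender would check for one process."""
    notes = []
    cur, prev = attrs["current"], attrs["prev"]
    if cur and prev and cur["type"] != prev["type"]:
        notes.append(f"domain changed at last exec: {prev['type']} -> {cur['type']}")
    if attrs["exec"]:
        notes.append(f"next exec will run as {attrs['exec']['type']}")
    if attrs["fscreate"]:
        notes.append(f"new files will be labeled {attrs['fscreate']['type']}")
    return notes

def make_sample_proc():
    """Build a constructed /proc-like tree for PID 4242 (not real system data)."""
    root = tempfile.mkdtemp()
    sample = {"current": b"root:system_r:httpd_t\x00",
              "prev": b"root:system_r:initrc_t\x00",
              "exec": b"",
              "fscreate": b"system_u:object_r:httpd_log_t\x00"}
    os.makedirs(os.path.join(root, "4242", "attr"))
    for name, value in sample.items():
        with open(os.path.join(root, "4242", "attr", name), "wb") as fh:
            fh.write(value)
    return root

if __name__ == "__main__":
    for line in review(read_attrs(4242, make_sample_proc())):
        print(line)
```

On an SELinux system, calling read_attrs with a real PID and the default proc_root reads the live values instead of the constructed tree.
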
The pseudo file system selinuxfs is mounted at /selinux/. It provides the SELinux policy API
for userspace. Some of what libselinux abstracts from this pseudo file system is loading policy,
enabling or disabling SELinux, and making AVC checks.





