As explained in Chapter 6, an SELinux policy consists of 11 elements, several of which are optional:

- classes: Defines the security object classes recognized by SELinux.
- initial_sids: Defines initial SIDs for important security objects.
- access_vectors: Defines the access vectors associated with each security object class.
- mls: Defines the MLS configuration (optional).
- te_rbac: Defines the type-enforcement and role-based access control configuration.
- users: Defines the user configuration.
- constraints: Defines constraints that the security policy must observe (optional).
- initial_sid_contexts: Defines the security contexts of important security objects.
- fs_use: Defines the method of labeling filesystem inodes.
- genfs_contexts: Defines security contexts for filesystems lacking persistent labels (optional).
- net_contexts: Defines security contexts for network objects.

The te_rbac element specifies both the role-based access control policies and the type-enforcement policies. Within the element, role-based access control and type-enforcement declarations can be freely intermingled. The following section explains the SELinux type-enforcement declarations.
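To make the 11 elements concrete, here is a constructed minimal policy source that walks through them in the order the list above gives (which is also the order the policy compiler expects them in). It is an added illustration, not a policy from the book or from any distribution; every type, role, user, port and interface name in it (kernel_t, user_t, fs_t, ssh_port_t, eth0 and so on) is invented for the example, the mls element is left out because it is optional, and the te_rbac section deliberately mixes role and type declarations to show that they may be intermingled.

```selinux
# --- classes: object classes the kernel knows about ---
class security
class process
class file

# --- initial_sids: SIDs assigned before the policy is loaded ---
sid kernel
sid security
sid unlabeled

# --- access_vectors: permissions per class (a 'common' block is shared) ---
common file { ioctl read write create getattr setattr lock append unlink link rename execute }
class file inherits file { execute_no_trans entrypoint }
class process { fork transition sigchld sigkill sigstop signal }
class security { compute_av compute_create load_policy }

# --- mls: optional, omitted in this example ---

# --- te_rbac: TE and RBAC declarations, freely intermingled ---
attribute domain;
type kernel_t, domain;
role system_r types kernel_t;          # RBAC declaration between TE ones
type user_t, domain;
type shell_exec_t;
type security_t;
type unlabeled_t;
type fs_t;
type devpts_t;
type proc_t;
type ssh_port_t;
type netif_t;
type netmsg_t;
type node_lo_t;
role user_r types user_t;
allow user_t shell_exec_t : file { read execute };
allow user_t self : process { fork signal };

# --- users: which roles each SELinux user may assume ---
user system_u roles { system_r };
user user_u roles { user_r };

# --- constraints: optional restrictions layered over TE/RBAC ---
# a process may only transition within one SELinux user, unless the
# source type is kernel_t
constrain process transition ( u1 == u2 or t1 == kernel_t );

# --- initial_sid_contexts: contexts for the initial SIDs above ---
sid kernel    system_u:system_r:kernel_t
sid security  system_u:object_r:security_t
sid unlabeled system_u:object_r:unlabeled_t

# --- fs_use: how inodes on each filesystem type get their labels ---
fs_use_xattr ext4   system_u:object_r:fs_t;     # labels stored in xattrs
fs_use_task  pipefs system_u:object_r:fs_t;     # label derived from creating task
fs_use_trans devpts system_u:object_r:devpts_t; # label via type transition

# --- genfs_contexts: optional, for filesystems without persistent labels ---
genfscon proc / system_u:object_r:proc_t

# --- net_contexts: ports, interfaces and nodes ---
portcon tcp 22 system_u:object_r:ssh_port_t
netifcon eth0 system_u:object_r:netif_t system_u:object_r:netmsg_t
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t
```

Two points worth noticing when reading such a source: the element order is fixed by the policy grammar, so a genfscon line placed before the users block is a syntax error rather than a stylistic choice, and every type referenced in the later context sections (initial_sid_contexts, fs_use, genfs_contexts, net_contexts) must already have been declared in te_rbac, which is why the example declares even the object-only types such as proc_t and ssh_port_t there. Whether a given checkpolicy release accepts exactly this skeleton without further declarations is an assumption; the intent is to show where each kind of statement lives, not to ship a loadable policy.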