Contents

• 1 Overview
  • 1.1 Feature
  • 1.2 Overview of SPDL configuration elements
  • 1.3 Default deny rule
  • 1.4 Terms
  
  
• 2 Structure of configuration by simplified language
  • 2.1 Syntax of section
  
  
• 3 Import configuration from other file:include
• 4 Declare domain and role
  • 4.1 Declare domain:domain
  • 4.2 Declare role:role
  
  
• 5 Configure RBAC:user
• 6 Domain transition
  • 6.1 Domain transition:domain_trans
  • 6.2 Simplified domain transition:program
  
  
• 7 Access control to normal files:allow/deny
  • 7.1 allow
  • 7.2 deny
  • 7.3 Priority of allow, deny when conflict happens
  • 7.4 Special files
  • 7.5 Notice about links
  
  
• 8 Access control to devices:allowdev
  • 8.1 allowdev(1)
  • 8.2 allowdev(2)
  
  
• 9 Access control to files on misc file systems:allowfs
• 10 Access control to temporally file:allowtmp
  • 10.1 Why allowtmp is necessary?
  • 10.2 What is allowtmp?
  • 10.3 Syntax and meaning
  
  
• 11 Access control to network:allownet
  • 11.1 Port usage
  • 11.2 Usage of RAW socket
  • 11.3 Usage of Network Interface(netif) and IP address(node)
  • 11.4 Inherit socket from other domain
  
  
• 12 Access control of process communication:allowcom
  • 12.1 allowcom (IPC)
  • 12.2 allowcom(Signal)
  
  
• 13 Access control other administrative access rights:allowpriv
  • 13.1 allowpriv: POSIX capability
  • 13.2 allowpriv: related to kernel
  • 13.3 allowpriv: related to SELinux operations
  • 13.4 allowpriv: other privileges
  • 13.5 denypriv

This document describes syntax and meaning of SPDL configuration elements.