Configure ACL (Access Control List) - File ACL

In the File ACL form, you can configure the access rights a domain has to files. The screenshots are shown below; the second screenshot shows the state after the page in the right frame has been scrolled down.

The middle pane displays the directory tree of your system. Clicking a directory in this tree lists the subdirectories and files under it in the right pane. Each subdirectory or file has a row of check-boxes on its right, labeled r (readable), w (writable), x (executable) and s (searchable); they show which of these permissions the domain is granted for that subdirectory or file.

The file ACL definitions in SELinux Policy Editor are based on three concepts: the 'global domain', 'dynamic labeled files' and the 'priority order of access permissions'.

1 Coloring rules

The name of each subdirectory or file displayed in the right pane is colored according to the rules in the following table.

Color   Description
Black   This file inherits its permissions from its parent directory.
Blue    This subdirectory inherits its permissions from its parent directory.
Red     This subdirectory or file is granted permissions in the "global" domain.
Green   This subdirectory or file is granted permissions specifically in the current domain.
Yellow  This subdirectory or file is granted permissions both in the "global" domain and in the current domain.

2 Granting the permissions

The top "default" line shows the permissions the domain has on the current directory. The permissions marked "ok" are those granted to the current domain. Usually, files inherit the permissions of their parent (the current) directory. If the "inherited by child directory" column is marked "ok", the subdirectories also inherit the permissions shown in the "default" line.

Below the "default" line, all subdirectories and files under the current directory are listed. For a subdirectory, the "inherited by child directory" column contains "yes" and "no" radio-buttons. If you select "no", the child directories of this subdirectory do not inherit the permissions granted to it; if you select "yes", they do.

In addition to the check-boxes above, the File ACL form of the "global" domain has one more check-box.

This additional check-box is named "deny". By checking it you explicitly refuse all access to the object: if it is checked in the "global" domain, no domain can access the object. If you then want a particular (non-global) domain to access the object, you have to grant that access specifically in the File ACL form of that domain. Checking the "deny" check-box is a way to protect important files.
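The coloring rules of section 1 and the inheritance, "global" and "deny" rules of section 2 can be modeled as a small resolver. The following is an added example written for this page, not code from SELinux Policy Editor; the filesystem tree, the configured paths and the domain names (httpd_t, sshd_t) are constructed, and it assumes that an inherited entry is passed down to children unchanged:

```python
import os
GLOBAL = "global"  # the special domain whose grants apply to every domain
# Constructed sample filesystem: path -> True for a directory, False for a file.
TREE = {"/etc": True, "/etc/passwd": False, "/etc/shadow": False, "/etc/httpd": True,
        "/etc/httpd/conf": True, "/etc/httpd/conf/httpd.conf": False, "/etc/ssl": True,
        "/etc/ssl/openssl.cnf": False, "/etc/ssl/certs": True, "/etc/ssl/private": True,
        "/etc/ssl/private/key.pem": False}
# Constructed File ACL settings; only explicitly configured objects appear. grants: the
# r/w/x/s boxes ticked per domain; inherit: "inherited by child directory" = yes; deny:
# the extra "deny" box that exists only in the global domain's form.
CONFIG = {
    "/etc": {"grants": {GLOBAL: {"r", "s"}}, "inherit": True, "deny": False},
    "/etc/shadow": {"grants": {}, "inherit": False, "deny": True},
    "/etc/httpd": {"grants": {GLOBAL: {"r", "s"}, "httpd_t": {"r", "w", "s"}},
                   "inherit": True, "deny": False},
    "/etc/ssl": {"grants": {GLOBAL: {"r", "s"}}, "inherit": False, "deny": False},
    "/etc/ssl/private": {"grants": {"httpd_t": {"r", "s"}}, "inherit": True, "deny": False},
}
UNCONFIGURED = {"grants": {}, "inherit": False, "deny": False}

def resolve(path):
    """Settings governing `path`: a file inherits from its parent directory, a subdirectory
    only if the parent's inherit flag is yes (assumption: passed down unchanged)."""
    if path in CONFIG:
        return CONFIG[path]
    parent = os.path.dirname(path)
    if parent == path:                       # reached "/" with nothing configured
        return UNCONFIGURED
    inherited = resolve(parent)
    if TREE[path] and not inherited["inherit"]:
        return UNCONFIGURED
    return inherited

def effective(domain, path):
    """Permissions `domain` has on `path`: global grants plus the domain's own, except
    that a global deny blocks every domain that is not granted access specifically."""
    cfg = resolve(path)
    own = set(cfg["grants"].get(domain, set()))
    return own if cfg["deny"] else own | cfg["grants"].get(GLOBAL, set())

def color(domain, path):
    """Color of the entry in the right pane when the form is opened for `domain`."""
    cfg = CONFIG.get(path)
    in_global = cfg is not None and (GLOBAL in cfg["grants"] or cfg["deny"])
    in_domain = cfg is not None and domain in cfg["grants"]
    if in_global and in_domain:
        return "yellow"
    if in_global or in_domain:
        return "red" if in_global else "green"
    return "blue" if TREE[path] else "black"   # nothing of its own: inherits
```

Note how "/etc/ssl/certs" ends up with no permissions because "/etc/ssl" has inheritance switched off, while the file "/etc/ssl/openssl.cnf" beside it still inherits the global r and s.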

3 Reverse view of permission

Each object has a "property" button. It displays the names of the domains that are allowed to access the object, so you can check whether your configuration is valid.

You can change the access policy by selecting or unselecting check-boxes in this window. Domains that have no permissions on the current object are not displayed; to display all domains, click the "Show all domains" button. Clicking the "apply" button updates the intermediate configuration files with the changes made in this window.

4 Display dynamic labeled files

The dynamic labeled files under the current directory are displayed in a list, as shown below.

This example shows that the file "mtab", labeled "etc_runtime", exists under the current directory. A dynamic labeled file has an additional check-box named "c". If it is checked, files created under the current directory by the current domain are given that security label. Clicking the "property" button displays the list of domain names that are allowed to access the dynamic labeled file.

If files carrying the dynamic label already exist under the current directory, they are listed below the label name. These files have no permission check-boxes.

5 Create dynamic labeled files

You can allow the current domain to create dynamic labeled files under the current directory. Clicking the "define dynamic labeling" button opens the following window.

Enter the security label name in the input field and click the "OK" button. When the current domain creates a file under the current directory, the file is labeled with that security label.

6 "apply" button

Clicking this button updates the intermediate configuration files with the changes.

7 Configuration viewer

You can display the configuration status of the current domain in a child window by clicking the "All configured files" button.

In this list, permissions colored red are those configured in the "global" domain, and a red "DENY" means that access to the object is explicitly denied to every domain. Permissions colored black are those configured in the current domain.