5.2 Contents of directory for simplified policy

Sample simplified policy is located at "/etc/selinux/seedit/src/policy/". Some directories and files are located there.

5.2.1 simplified_policy

This is the most important. At the directory sample simplified policy is stored. For detail of syntax for simplified policy, see 8.
Sample simplified policy are described in global, and domain.te

• global
  This is a configuration commonly used by all domains. Be careful that some access rights(For example, tmpfs usage, tty device access) are granted by default to show that SELinux can become easy.
• domain.a
  Here configuration for domains are described. For example,in file httpd_t.a, configuration for httpd_t domain is described.
• all
  global, and *.a are jointed. converter reads this file. This file is automatically generated. Do not edit.

5.2.2 Makefile

This is Makefile to compile simplified policy and to load policy to kernel. See 5.3.

5.2.3 base_policy

Files in this directory is used by converter to generate SELinux policy.

• default.te
  This file is useful. Statements described in this file is included in policy to be generated by converter. In this file, allow statements allowed by default in simplified policy is described. This means you can know which access vectors and object classes are not supported by simplified policy.
  For example, look at next line.

  allow global self:capability ~{ net_raw net_bind_service 
  net_admin sys_boot sys_module sys_rawio sys_ptrace sys_chroot };
  

  global attribute is used in generated SELinux policy. global attribute is attached to every domain. So this means, every domain is allowed to use capability other than net_raw net_bind_service net_admin sys_boot etc. This means, simplified policy language does not support those access vectors.

  In addition, you can write original SELinux's rules here. To write auditallow rule is a good idea. But allow rules must not be written here, because it can break the security of generated policy.

• attribute.te
  In this file, attributes used in policy to be generated by converter is described. Do not edit.
• types.te
  In this file, types used in policy generated by converter is described. Do not edit.
  The meaning of below files are the same as original SELinux's policy. Do not edit them.
  • genfs_contexts
    File system that are unlabeled are not supported.
  • security_classes
  • access_vectors
  • initial_sid_contexts
  • fs_use
  • initial_sids

5.2.4 macros

Macros to generate SELinux policy is stored. Converter generates policy including macros. In make, macros are processed by m4 and policy.conf is generated.

5.2.5 sepolicy

Generated SELinux policy is written in this directory.

• test.conf
  Policy that includes macros.
• policy.conf Policy file that is processed by m4. This is understandable by checkpolicy.
• file_contexts
  This will be installed in /etc/selinux/seedit/contexts/files/file_contexts.