Where Is The Policy - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

The policy can be defined either by modifying the existing files or by adding local Type Enforcement
(TE) and File Context (FC) files to the policy tree. These new policies can be loaded into the kernel
in real time. Otherwise, the policy is loaded during the boot process by init, as explained in
Section 44.7.3, "The Role of Policy in the Boot Process". Ultimately, every system operation is
determined by the policy and the type-labeling of the files.

Important
After loading a new policy, it is recommended that you restart any services that may have
new or changed labeling. Generally speaking, this is only the targeted daemons, as listed
in Section 44.8.1, "What is the Targeted Policy?".

44.7.1.2. SELinux and Mandatory Access Control

SELinux is an implementation of Mandatory Access Control (MAC). Depending on the security policy
type, SELinux implements either Type Enforcement (TE), Role-Based Access Control (RBAC) or
Bell-La Padula Model Multi-Level Security (MLS).
The policy specifies the rules in the implemented environment. It is written in a language created
specifically for writing security policy. Policy writers use m4 macros to capture common sets of low-
level rules. A number of m4 macros are defined in the existing policy, which facilitate the writing of new
policy. These rules are preprocessed into many additional rules as part of building the policy.conf
file, which is compiled into the binary policy.
Access rights are divided differently among domains, and no domain is required to act as a master
for all other domains. Moving between domains is controlled by the policy, through login programs,
userspace programs such as newrole, or by requiring a new process execution in the new domain.
This movement between domains is referred to as a transition.
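As an added illustration of the transition mechanism just described (example code written for this page, not from the Red Hat guide or from the SELinux project), the script below parses a small, constructed TE fragment and checks the three permissions the kernel requires before a process may change domain: the source domain needs `execute` on the entrypoint file type, `transition` to the new domain, and the new domain needs `entrypoint` on that file type; a `type_transition` rule then makes the change automatic. The type names (`init_t`, `daemon_t`, `daemon_exec_t`, `tool_exec_t`) and the two-statement parser are assumptions for illustration only; real policy is compiled by checkpolicy, not by this script.

```python
"""Toy checker for SELinux Type Enforcement (TE) domain transitions.

Added example, not from the Red Hat Deployment Guide. The policy snippet below
is constructed for illustration and the parser understands only the two
statement kinds it needs (`allow` and `type_transition`), not the full policy
language.
"""
import re

# Constructed TE fragment. The first three allow rules are exactly the three
# permissions the kernel checks on every domain transition.
SAMPLE_TE = """
# Hypothetical daemon started by init (constructed example)
allow init_t daemon_exec_t:file execute;        # source may execute the file
allow init_t daemon_t:process transition;       # source may move into the target domain
allow daemon_t daemon_exec_t:file entrypoint;   # file type is an entrypoint for the target
type_transition init_t daemon_exec_t:process daemon_t;   # make the transition automatic

# A second binary init may run, but nothing declares it an entrypoint
allow init_t tool_exec_t:file execute;
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+\{?\s*([\w\s]+?)\s*\}?\s*;")
TT_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;")


def parse_te(text):
    """Return (allows, transitions).

    allows: set of (source, target, class, permission) tuples
    transitions: dict mapping (source, target_type, class) -> default type
    """
    allows = set()
    transitions = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            for perm in perms.split():       # "{ read write }" expands to one tuple each
                allows.add((src, tgt, cls, perm))
            continue
        m = TT_RE.match(line)
        if m:
            src, tgt, cls, default = m.groups()
            transitions[(src, tgt, cls)] = default
            continue
        raise ValueError("unsupported statement: %s" % line)
    return allows, transitions


def missing_transition_rules(allows, src, exec_type, new_domain):
    """List the allow rules still needed for src to execute exec_type and
    land in new_domain. An empty list means the transition is permitted."""
    required = [
        (src, exec_type, "file", "execute"),
        (src, new_domain, "process", "transition"),
        (new_domain, exec_type, "file", "entrypoint"),
    ]
    return [rule for rule in required if rule not in allows]


def default_domain(transitions, src, exec_type):
    """Domain a process in src ends up in after executing exec_type when it
    does not ask for a specific one. With no type_transition rule the
    process simply stays in its own domain."""
    return transitions.get((src, exec_type, "process"), src)


if __name__ == "__main__":
    allows, transitions = parse_te(SAMPLE_TE)
    print(missing_transition_rules(allows, "init_t", "daemon_exec_t", "daemon_t"))
    print(default_domain(transitions, "init_t", "daemon_exec_t"))
    print(missing_transition_rules(allows, "init_t", "tool_exec_t", "daemon_t"))
```

Running it shows that `init_t` executing `daemon_exec_t` is a complete transition into `daemon_t`, while executing `tool_exec_t` leaves the process in `init_t` and, if a transition were attempted, would be refused for lack of an `entrypoint` rule. Returning the missing tuples rather than a bare boolean is the form a policy writer wants when reading AVC denials after loading a new module.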

44.7.2. Where is the Policy?

There are two components to the policy: the binary tree and the source tree. The binary tree is
provided by the selinux-policy-<policyname> package and supplies the binary policy file.
Alternatively, the binary policy can be built from source when the selinux-policy-devel package
is installed.
Note
Information on how to edit, write and compile policy is currently outside the scope of this
document.
44.7.2.1. Binary Tree Files
• /etc/selinux/targeted/ — this is the root directory for the targeted policy, and contains the
binary tree.
• /etc/selinux/targeted/policy/ — this is the location of the binary policy file
policy.<xx>. In this guide, the variable SELINUX_POLICY is used for this directory.
• /etc/selinux/targeted/contexts/ — this is the location of the security context information
and configuration files, which are used during runtime by various applications.
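The contexts directory listed above holds, among other things, the file_contexts table that maps paths to their default labels. As an added example (written for this page, not code from the Red Hat guide or from libselinux), the script below parses a constructed excerpt in file_contexts syntax (`<path regex> [file-type flag] user:role:type[:level]`) and resolves a path to its context. Two things are assumptions of this toy rather than facts from the page: the sample entries themselves, and the lookup rule that the last matching entry wins, which is a simplification of the ordering libselinux applies in matchpathcon.

```python
"""Resolve a path's default security context from a file_contexts-style table.

Added example, not from the Red Hat Deployment Guide. The entries below are a
constructed excerpt in the syntax of the files under
/etc/selinux/targeted/contexts/files/. The "last matching entry wins" rule is
a simplifying assumption of this toy, not a description of libselinux.
"""
import re

# Constructed sample. The optional second column restricts the entry to one
# file type; <<none>> means "leave this path unlabeled".
SAMPLE_FILE_CONTEXTS = """
/.*                          system_u:object_r:default_t:s0
/etc(/.*)?                   system_u:object_r:etc_t:s0
/etc/selinux(/.*)?           system_u:object_r:selinux_config_t:s0
/var/www(/.*)?               system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
/tmp/.*                      <<none>>
/dev/pts/[0-9]+  -c          system_u:object_r:devpts_t:s0
"""

# Single-token file type flags accepted between the regex and the context.
FILE_TYPE_FLAGS = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
                   "-s": "sock", "-l": "lnk", "-p": "fifo"}

LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-dcbslp])\s+)?(\S+)$")


def parse_file_contexts(text):
    """Return a list of (compiled regex, file type or None, context or None).

    A <<none>> context is stored as None so callers can distinguish
    "explicitly unlabeled" from "no entry matched".
    """
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed file_contexts line: %r" % raw)
        pattern, flag, context = m.groups()
        # Each pattern is anchored at both ends, so "/etc" alone would not
        # match "/etc/passwd"; the "(/.*)?" suffix is what covers the subtree.
        regex = re.compile("^" + pattern + "$")
        ftype = FILE_TYPE_FLAGS[flag] if flag else None
        specs.append((regex, ftype, None if context == "<<none>>" else context))
    return specs


def lookup_context(specs, path, ftype="file"):
    """Return the context for path, or None if it is unlabeled or unmatched.

    Assumption of this toy: the last matching entry wins, so the more
    specific entries placed later in the table override the broad ones.
    """
    chosen = None
    for regex, spec_ftype, context in specs:
        if spec_ftype is not None and spec_ftype != ftype:
            continue   # entry applies only to another file type
        if regex.match(path):
            chosen = context
    return chosen


def context_type(context):
    """Pull the type field (third component) out of user:role:type[:level]."""
    return context.split(":")[2]


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for p in ("/etc/selinux/targeted/contexts/files/file_contexts",
              "/var/www/cgi-bin/test.cgi", "/tmp/scratch", "/dev/pts/3"):
        print(p, "->", lookup_context(specs, p))
```

A useful check when troubleshooting labeling after a policy load is to compare what this kind of table says a path should carry with what `ls -Z` reports; a mismatch is what the `restorecon`/`setfiles` relabel step corrects, and it is the usual reason a daemon needs restarting after new policy is loaded.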