table of contents
setrans.conf(8) | setrans.conf documentation | setrans.conf(8) |
NAME¶
setrans.conf - translation configuration file for MCS/MLS SELinux systemsDESCRIPTION¶
The /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file specifies the way that SELinux MCS/MLS labels are translated into human readable form by the mcstransd daemon. The default policies support 16 sensitivity levels (s0 through s15) and 1024 categories (c0 through c1023). Multiple categories can be separated with commas (c0,c1,c3,c5) and a range of categories can be shortened using dot notation (c0.c3,c5).Keywords¶
- Base
- once a base is declared, subsequent sensitivity label
definitions will have all modifiers applied to them during translation.
Sensitivity labels defined before the base declaration are immediately
cached and no modifiers will be applied these are used as direct
translations.
- Default
- defines the category bit range that will be used for
inverse bits.
- Domain
- creates a new domain with the supplied name.
- Include
- read and process the contents of the specified
configuration file.
- Join
- defines a character used to separate members of a modifier
group when more than one is specified (ex. USA/AUS).
- ModifierGroup
- a means of grouping category bit definitions by how they
modify the sensitivity label.
- Prefix
- word(s) that may proceed member(s) of a modifier group (ex.
REL USA).
- Suffix
- word(s) that may follow member(s) of a modifier group (ex.
USA EYES ONLY).
- Whitespace
- defines the set of acceptable white space characters that
may be used in label being translated.
Sensitivity Level Definition Examples¶
- s0=SystemLow
- defines a translation of s0 (the lowest sensitivity level)
with no categories to SystemLow.
- s15:c0.c1023=SystemHigh
- defines a translation of s15:c0.c1023 to SystemHigh.
c0.c1023 is shorthand for all categories. A colon separates the
sensitivity level and categories.
- s0-s15:c0.c1023=SystemLow-SystemHigh
- defines a range translation of of s0-s15:c0.c1023 to
SystemLow-SystemHigh. The two range components are separated by a dash.
- s0:c0=PatientRecord
- defines a translation of sensitivity s0 with category c0 to
PatientRecord.
- s0:c1=Accounting
- defines a translation of sensitivity s0 with category c1 to
Accounting.
- s2:c1,c2,c3=Confidential3Categories
- s2:c1.c3=Confidential3Categories
- both define a translation of sensitivity s2 with categories
c1, c2 and c3 to Confidential3Categories.
- s5=TopSecret
- defines a translation of sensitivity s5 with no categories
to TopSecret.
Constraint Examples¶
- c0!c1
- if category bits 0 and 1 are both set, the constraint will
fail and the original context will be returned.
- c5.c9>c1
- if category bits 5 through 9 are set, bit 1 must also be
set or the constraint will fail and the original context will be returned.
- s1!c5,c9
- if category bits 5 and 9 are set and the sensitivity level
is s1, the constraint will fail and the original context will be returned.
AUTHOR¶
Written by Joe Nall <joe@nall.com>.
Updated by Ted X. Toth <txtoth@gmail.com>.
SEE ALSO¶
selinux(8), mcs(8), mls(8), chcon(1)FILES¶
/etc/selinux/{SELINUXTYPE}/setrans.conf13 July 2010 | txtoth@gmail.com |