<!-- Common Interface Language (CIL) Reference Guide -->
<!-- sid_statements.xml -->
<sect1>
  <title>SID Statements</title>
  <sect2 id="sid">
    <title>sid</title>
    <para>Declares a new SID identifier in the current namespace.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(sid sid_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>sid</literal></para>
            </entry>
            <entry>
              <para>The <literal>sid</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>sid_id</literal></para>
            </entry>
            <entry>
              <para>The <literal>sid</literal> identifier.</para>
            </entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>
    <para><emphasis role="bold">Examples:</emphasis></para>
    <para>These examples show three <literal>sid</literal> declarations:</para>
    <programlisting><![CDATA[
(sid kernel)
(sid security)
(sid igmp_packet)]]>
    </programlisting>
  </sect2>
  <sect2 id="sidorder">
    <title>sidorder</title>
    <para>Defines the order of <link linkend="sid">sid</link> identifiers. This statement is mandatory when SIDs are declared. Multiple <literal>sidorder</literal> statements declared in the policy are merged into a single ordered list.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(sidorder (sid_id ...))]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>sidorder</literal></para>
            </entry>
            <entry>
              <para>The <literal>sidorder</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>sid_id</literal></para>
            </entry>
            <entry>
              <para>One or more <literal><link linkend="sid">sid</link></literal> identifiers.</para>
            </entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>
    <para><emphasis role="bold">Example:</emphasis></para>
    <para>The two <literal>sidorder</literal> statements below are merged into the ordered list "<literal>kernel security unlabeled</literal>":</para>
    <programlisting><![CDATA[
(sid kernel)
(sid security)
(sid unlabeled)
(sidorder (kernel security))
(sidorder (security unlabeled))]]>
    </programlisting>
  </sect2>
  <sect2 id="sidcontext">
    <title>sidcontext</title>
    <para>Associates an SELinux security <link linkend="context">context</link> with a previously declared <literal><link linkend="sid">sid</link></literal> identifier.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(sidcontext sid_id context_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>sidcontext</literal></para>
            </entry>
            <entry>
              <para>The <literal>sidcontext</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>sid_id</literal></para>
            </entry>
            <entry>
              <para>A single previously declared <literal><link linkend="sid">sid</link></literal> identifier.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>context_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>). The range MUST be defined whether or not the policy is MLS/MCS enabled.</para>
            </entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>
    <para><emphasis role="bold">Examples:</emphasis></para>
    <para>These examples show two named security contexts and one anonymous context:</para>
    <programlisting><![CDATA[
; Two named contexts:
(sid kernel)
(context kernel_context (u r process low_low))
(sidcontext kernel kernel_context)

(sid security)
(context security_context (u object_r process low_low))
(sidcontext security security_context)

; An anonymous context (user role type levelrange):
(sid unlabeled)
(sidcontext unlabeled (u object_r process ((s0) (s0))))]]>
    </programlisting>
  </sect2>
</sect1>
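The three statements above impose rules that can be checked mechanically before a policy is handed to the compiler. As an added example (not part of the CIL reference guide and not libsepol's own implementation), the Python below parses a constructed CIL fragment and applies the rules the sections state: a sidcontext must name a declared sid; its context is either a declared context identifier or an anonymous (user role type levelrange) list whose range must be present; and several sidorder statements combine into one ordered list. The merge is a topological sort written for this example rather than libsepol's algorithm, and every identifier in the sample fragment (u, r, object_r, process, low_low, s0) is a constructed placeholder.

```python
"""Checker for CIL sid / sidorder / sidcontext statements (added example, not
the reference guide's or libsepol's code)."""
import re
from collections import deque

# Constructed sample fragment; identifiers are placeholders, not a real policy.
SAMPLE_POLICY = """
; Two named contexts
(sid kernel)
(context kernel_context (u r process low_low))
(sidcontext kernel kernel_context)
(sid security)
(context security_context (u object_r process low_low))
(sidcontext security security_context)
; An anonymous context: user role type levelrange
(sid unlabeled)
(sidcontext unlabeled (u object_r process ((s0) (s0))))
; Two partial orders that merge into kernel security unlabeled
(sidorder (kernel security))
(sidorder (security unlabeled))
"""


def tokenize(text):
    """Strip ';' comments and split into '(', ')' and atom tokens."""
    text = re.sub(r";[^\n]*", "", text)
    return re.findall(r"\(|\)|[^\s()]+", text)


def parse(text):
    """Parse CIL S-expressions into nested Python lists of strings."""
    stack = [[]]
    for tok in tokenize(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("missing ')'")
    return stack[0]


def merge_sidorders(orders):
    """Merge several (sidorder (...)) lists into one total order.

    Consecutive ids in each list become edges a -> b; a topological sort that
    keeps first-seen order makes the result deterministic. Contradictory
    statements such as (a b) and (b a) form a cycle and raise ValueError.
    """
    succ, indeg = {}, {}
    for order in orders:
        for sid in order:
            succ.setdefault(sid, [])
            indeg.setdefault(sid, 0)
        for a, b in zip(order, order[1:]):
            if b not in succ[a]:
                succ[a].append(b)
                indeg[b] += 1
    ready = deque(s for s in succ if indeg[s] == 0)
    result = []
    while ready:
        sid = ready.popleft()
        result.append(sid)
        for nxt in succ[sid]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
    if len(result) != len(succ):
        raise ValueError("sidorder statements contradict each other")
    return result


def check_sids(text):
    """Collect sid-related statements and report violations of the guide's rules."""
    sids, contexts, sidcontexts, orders, errors = [], {}, {}, [], []
    for stmt in parse(text):
        if not stmt or not isinstance(stmt, list):
            continue
        kw = stmt[0]
        if kw == "sid" and len(stmt) == 2:
            sids.append(stmt[1])
        elif kw == "context" and len(stmt) == 3:
            contexts[stmt[1]] = stmt[2]
        elif kw == "sidorder" and len(stmt) == 2:
            orders.append(stmt[1])
        elif kw == "sidcontext" and len(stmt) == 3:
            sidcontexts[stmt[1]] = stmt[2]

    resolved = {}
    for sid, ctx in sidcontexts.items():
        if sid not in sids:
            errors.append(f"sidcontext {sid}: sid not declared")
            continue
        if isinstance(ctx, str):  # named context: must be declared
            if ctx not in contexts:
                errors.append(f"sidcontext {sid}: context {ctx} not declared")
                continue
            ctx = contexts[ctx]
        # Anonymous or named body must be exactly (user role type levelrange);
        # a missing fourth element is the "range MUST be defined" case.
        if not isinstance(ctx, list) or len(ctx) != 4:
            errors.append(f"sidcontext {sid}: context must be (user role type levelrange)")
            continue
        resolved[sid] = tuple(ctx)

    if sids and not orders:
        errors.append("sidorder is mandatory when sids are declared")
    order = merge_sidorders(orders) if orders else []
    for sid in sids:
        if sid not in order:
            errors.append(f"sid {sid} missing from sidorder")
    return {"order": order, "contexts": resolved, "errors": errors}


if __name__ == "__main__":
    report = check_sids(SAMPLE_POLICY)
    print("order:", " ".join(report["order"]))
    for sid, ctx in report["contexts"].items():
        print(f"{sid}: {ctx}")
    print("errors:", report["errors"] or "none")
```

Running the module prints the merged order `kernel security unlabeled` and the resolved four-part context for each sid; feeding it a fragment whose anonymous context omits the level range, or whose sidorder statements disagree, produces an error entry or a ValueError respectively.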