The names of objects, types and other things in policy are simply opaque string identifiers; they hold no intrinsic meaning. It is their usage in object managers and in the policy configuration itself that gives them meaning. The object class for directories could very well have been named "foo"; object managers would simply then use this string (or its integer constant equivalent) when referring to directories in interaction with the security server.

For more information, please refer to "Configuring the SELinux Policy," at http://www.nsa.gov/research/_files/selinux/papers/policy2/x109.shtml. The page pointed to by that URL contains an explanation of TE types and their lack of implicit meaning, being defined only through their usage.

Thanks,
David

On Thu, Nov 3, 2011 at 8:30 AM, Artur Szymczak <artur@xxxxxxxxxxx> wrote:
> Hi,
>
> how can the kernel distinguish objects in the system from objects in policy? I
> mean: how does the kernel know that this allow rule is correct for /etc/passwd
> and not correct for /etc itself (as dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
>
> Ok, it is written in policy that it is a file, but it is only an object
> class. Is it defined somewhere that object class 'file' is a file, and
> object class 'dir' is a directory?
>
> How can I create a new object class named foo, which will be used for
> named_pipe?
>
> Regards
>
> --
> Artur Szymczak | RHCE: 100-001-734 | CAcert Assurer
> RHCA, RHCSS, RHCX, CLE11, CNI, UCP-1, UCI, Linux+, LPIC-2
> GPG: C03A 385E 5C10 82C5 6564 C1E9 3D6A 616E B15D 122D
> http://CodzienneChodzenieZBogiem.blogspot.com/
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
PGP: 6141 5FFD 11AE 9844 153E F268 7C98 7268 6B19 6CC9
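As an added illustration (not code from this thread or from SELinux itself), the toy model below separates the two sides described in the reply: the security server only compares class strings in its access-vector table, while the object manager decides from the inode type which class an object belongs to and translates that into the policy's name for it. The policy text, the class-name table (fifo_file is the real SELinux class for named pipes; keying it as "fifo" is this example's convention) and the inode modes are constructed for the example.

```python
import re
import stat
from collections import defaultdict
# Toy model (added example, not code from the thread or from SELinux itself):
# "allow src tgt : class { perms } ;" where class is just a string token.
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")

def load_policy(policy_text):
    """Access-vector table (source type, target type, class) -> perms.
    The security server never interprets the class name, only compares it."""
    av = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        av[(src, tgt, cls)].update(perms.split())
    return av

def security_server_check(av, src, tgt, cls, perm):
    """Security server side: a pure lookup on opaque identifiers."""
    return perm in av.get((src, tgt, cls), set())

def object_manager_class(mode, class_names):
    """Object manager side: decide what kind of inode this is, then translate
    that kind into whatever string the policy uses for it (class_names)."""
    if stat.S_ISDIR(mode):
        return class_names["dir"]
    if stat.S_ISFIFO(mode):
        return class_names["fifo"]
    return class_names["file"]

def may_access(av, class_names, src, tgt, mode, perm):
    """What the kernel hook does: classify the object, then ask the server."""
    return security_server_check(av, src, tgt, object_manager_class(mode, class_names), perm)

# Constructed inputs: the rule quoted in the question and two inode modes.
POLICY = "allow httpd_t etc_t : file { ioctl read getattr lock open } ;"
CLASSES = {"file": "file", "dir": "dir", "fifo": "fifo_file"}  # kind -> policy name
PASSWD_MODE = stat.S_IFREG | 0o644   # /etc/passwd
ETC_MODE = stat.S_IFDIR | 0o755      # /etc

def demo():
    """Decisions with the original names and after renaming 'file' to 'foo'."""
    av = load_policy(POLICY)
    renamed_av = load_policy(POLICY.replace("file", "foo"))
    renamed_classes = dict(CLASSES, file="foo")
    args = ("httpd_t", "etc_t")
    return {
        "passwd_read": may_access(av, CLASSES, *args, PASSWD_MODE, "read"),
        "etc_read": may_access(av, CLASSES, *args, ETC_MODE, "read"),        # dir, no rule
        "renamed_ok": may_access(renamed_av, renamed_classes, *args, PASSWD_MODE, "read"),
        "renamed_mismatch": may_access(renamed_av, CLASSES, *args, PASSWD_MODE, "read"),
    }
```

The last two entries make the practical point: renaming a class is harmless only when policy and object manager change together; if only the policy says "foo" while the kernel still reports "file", every lookup misses and access is denied.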