On Fri, 2020-07-10 at 09:14 +0200, Dominick Grift wrote: > v2: fixes patch description > Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx> > --- > src/objects.md | 24 ++++++++++++++++++++++-- > 1 file changed, 22 insertions(+), 2 deletions(-) > Acked-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > diff --git a/src/objects.md b/src/objects.md > index 58664ef..aadb539 100644 > --- a/src/objects.md > +++ b/src/objects.md > @@ -110,14 +110,20 @@ objects is managed by the system and generally > unseen by the users > (until labeling goes wrong !!). As processes and objects are created > and > destroyed, they either: > > -1. Inherit their labels from the parent process or object. > +1. Inherit their labels from the parent process or object. The > policy > + default type, role and range statements can be used to change > the > + behavior as discussed in the [**Default > Rules**](default_rules.md#default-object-rules) > + section. > 2. The policy type, role and range transition statements allow a > different label to be assigned as discussed in the > [**Domain and Object > Transitions**](domain_object_transitions.md#domain-and-object- > transitions) > section. > 3. SELinux-aware applications can enforce a new label (with the > policies approval of course) using the **libselinux** API > - functions. > + functions. The `process setfscreate` access vector can be used > to > + allow subjects to create files with a new label programmatically > + using the ***setfscreatecon**(3)* function, overriding default > + rules and transition statements. > 4. An object manager (OM) can enforce a default label that can > either > be built into the OM or obtained via a configuration file (such > as > those used by 
> @@ -269,6 +275,20 @@ and manage their transition: > > `type_transition`, `role_transition` and `range_transition` > > +SELinux-aware applications can enforce a new label (with the > policies > +approval of course) using the **libselinux** API functions. The > +`process setexec`, `process setkeycreate` and `process > setsockcreate` > +access vectors can be used to allow subjects to label processes, > +kernel keyrings, and sockets programmatically using the > +***setexec**(3)*, ***setkeycreatecon**(3)* and > +***setsockcreatecon**(3)* functions respectively, overriding > +transition statements. > + > +The `kernel` and `unlabeled` **initial security identifiers** are > used > +to associate specified labels with subjects that were left unlabeled > +due to initialization or with subjects that had their label > +invalidated due to policy changes at runtime respectively. > + > ### Object Reuse > > As GNU / Linux runs it creates instances of objects and manages the
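Review bot: in the first hunk (the item 3 change at objects.md line ~120), "overriding default rules and transition statements" reads as if setfscreatecon(3) lets a subject bypass policy; suggest making explicit that the caller still needs the `process setfscreate` permission named in the same sentence and that the resulting creation is still subject to policy, as the unchanged "(with the policies approval of course)" context already implies. The same context line carries the pre-existing typo "policies approval" (should be "policy's approval"); since the hunk touches this item anyway, it would be a good moment to fix it.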
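Review bot: in the second hunk, `***setexec**(3)*` names the `process setexec` permission rather than the libselinux function; the other two entries in the list use the `*con` naming (`setkeycreatecon`, `setsockcreatecon`), and the corresponding function is `setexeccon(3)`, so this should read `***setexeccon**(3)*`. Also, the added line "+SELinux-aware applications can enforce a new label (with the policies" carries the typo "policies approval" (should be "policy's approval") and repeats the opening sentence of item 3 in the earlier list almost verbatim; consider a short cross-reference to that item instead of duplicating it.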