Elaborate on labeling. Touch on the significance of the default statement, on various av permissions related to labeling using the libselinux API, and on how the kernel and unlabeled initial security identifiers are used to address labeling challenges in special cases such as initialization and failover respectively.
Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx>
---
v2: fixes patch description
v3: adding patch description, s/policies/policy's/, split unlabeled and kernel descriptions for clarity
v4: fixes another typo in description and emphasize system initialization a bit
v5: emphasize kernel threads with kernel isid description
v6: forgot to mention defaultuser, can only associate one label with isids
src/objects.md | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/src/objects.md b/src/objects.md
index 58664ef..d27f881 100644
--- a/src/objects.md
+++ b/src/objects.md
@@ -110,14 +110,20 @@ objects is managed by the system and generally unseen by the users
(until labeling goes wrong !!). As processes and objects are created and
destroyed, they either:
-1. Inherit their labels from the parent process or object.
+1. Inherit their labels from the parent process or object. The policy
+ default user, type, role and range statements can be used to
+ change the behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules)
+ section.
2. The policy type, role and range transition statements allow a
different label to be assigned as discussed in the
[**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions)
section.
3. SELinux-aware applications can enforce a new label (with the
- policies approval of course) using the **libselinux** API
- functions.
+ policy's approval of course) using the **libselinux** API
+ functions. The `process setfscreate` access vector can be used to
+ allow subjects to create files with a new label programmatically
+ using the ***setfscreatecon**(3)* function, overriding default
+ rules and transition statements.
4. An object manager (OM) can enforce a default label that can either
be built into the OM or obtained via a configuration file (such as
those used by
@@ -269,6 +275,23 @@ and manage their transition:
`type_transition`, `role_transition` and `range_transition`
+SELinux-aware applications can enforce a new label (with the policy's
+approval of course) using the **libselinux** API functions. The
+`process setexec`, `process setkeycreate` and `process setsockcreate`
+access vectors can be used to allow subjects to label processes,
+kernel keyrings, and sockets programmatically using the
+***setexec**(3)*, ***setkeycreatecon**(3)* and
+***setsockcreatecon**(3)* functions respectively, overriding
+transition statements.
+
+The `kernel` **initial security identifier** is used to associate
+specified a label with subjects that were left unlabeled due to
+system initialization, for example kernel threads.
+
+The `unlabeled` **initial security identifier** is used
+to associate a specified label with subjects that had their label
+invalidated due to policy changes at runtime.
+
### Object Reuse
As GNU / Linux runs it creates instances of objects and manages the
--
2.27.0
