NSA Security-enhanced Linux  Home ToC Prev Up Next 
Types of AC
DTE model
SELinux TE
Access modes
Type declaration
AV rules
Transitions
Change rules
+Assertions
RBAC model
MLS model
FLASK
SecDecs
Conclusion
  

Assertions

  • allows the policy writer to define a set of TE acess vector assertions which are checked by the policy compiler

  • used to detect errors in the TE access vector rules that may be not evident from a manual inspection of the rules

  • specifies permissions which should not be used in an access vector for a given type pair and class 

    neverallow domain ~domain:process transition;
neverallow ~{ kmod_t insmod_t rmmod_t ifconfig_t } 
self:capability sys_module;
neverallow local_login_t ~login_exec_t:file entrypoint;
Copyright © 2004 Pavol Lupták  Prev Next