Policy Configuration Language

The current Linux security server prototype implements a security policy that combines three subpolicies: type enforcement (TE), role-based access control (RBAC), and multi-level security (MLS). The TE and RBAC policies are always included in the current implementation; the MLS policy is included only if the CONFIG_FLASK_MLS kernel configuration option is enabled. This subsection describes the policy configuration language that may be used to customize these policies.

The policy configuration files are located in the policy directory. During the policy build, the m4 macro processor is applied to these configuration files and its output is written to policy.conf. The checkpolicy program then compiles policy.conf into a binary representation stored in policy. The policy file is installed as /ss_policy, and the security server reads this file during initialization.
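The build stages described above, as an added example that is not the prototype's own Makefile or policy. The file names macros.m4 and demo.te, the macro names, and the demo_* types are constructed for illustration. It runs the m4 stage on a small fragment and lists the expanded rules that grant a given permission, because policy.conf is where the effective grants behind a macro become visible.

```shell
#!/bin/sh
# Added example: constructed policy sources, not files from the prototype.

# Stage 1: run m4 over the policy sources (macro definitions first) and
# write the flattened result to policy.conf.
expand_policy() {
    src_dir=$1; out=$2
    m4 "$src_dir"/macros.m4 "$src_dir"/*.te > "$out"
}

# Audit helper: print every allow rule in the expanded policy that grants
# the given permission. Macros hide this; policy.conf does not.
rules_granting() {
    conf=$1; perm=$2
    grep -E '^[[:space:]]*allow[[:space:]]' "$conf" | grep -Ew -- "$perm"
}

# Stage 2: compile policy.conf ($1) into the binary policy ($2). This needs
# checkpolicy and a complete policy, so it is not run on the fragment below.
compile_policy() {
    checkpolicy -o "$2" "$1"
}

# Build a constructed two-rule fragment and audit it for "write".
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/macros.m4" <<'EOF'
define(`rw_file_perms', `{ read write getattr }')dnl
define(`daemon_log_access', `allow $1 $2:file rw_file_perms;')dnl
EOF
    cat > "$dir/demo.te" <<'EOF'
daemon_log_access(demo_daemon_t, demo_log_t)
allow demo_daemon_t demo_conf_t:file { read getattr };
EOF
    expand_policy "$dir" "$dir/policy.conf" || return 1
    rules_granting "$dir/policy.conf" write
    rm -rf "$dir"
}
```

Calling `demo` prints the single expanded rule that grants write; the source line that produced it mentions neither `allow` nor `write`.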