In a previous post, I claimed that SELinux uses a kind of object-oriented approach, and that this has several advantages over path name based access.

Since SELinux policy isn’t actually a ‘program’, the term is somewhat surprising. It’s just one fragment of “object oriented programming” that is available in SELinux, and actually a rather simple fragment. It is also not how the policy is evaluated at runtime; but the OOP ‘design pattern’ of ‘classes’ is somewhat present in the SELinux reference policy. The syntax is kind of twisted, too.

Let me give you a simple example policy fragment:

type mylog_t;
logging_log_file(mylog_t)

This fragment defines a new type and ‘inherits’ from the ‘log_file’ class. (You can think of “logging_log_file” as com.tresys.oss.refpolicy.system.logging.log_file if you are a Java freak.)

The logging_log_file ‘class’ (which technically is an M4 macro, and maps to the SELinux ‘typeattribute’ ‘logfile’; this would be called an abstract class in other programming languages) in turn also gives mylog_t the “file_type” type attribute.

So the line above means that the new mylog_t type will ‘inherit’ certain access rules, namely those defined via the logfile type attribute or via file_type.

This means that I can write policy to grant access on “any file” (e.g. for security scanners such as ‘samhain’ or the SELinux relabeling utilities, backup applications, etc.) or just to any log file (e.g. for logrotate), independent of where the files live or who wrote the policy for them.

So if I write policy for a custom application and add mylog_t for files living somewhere in /home/myapp/logs, I don’t need to modify the logrotate policy, because that policy already contains:

logging_manage_all_logs(logrotate_t)

(You can again think of this as logrotate being derived from a “log file manager” class, though it’s implemented differently this time. Also note that multiple inheritance is no problem in SELinux policy.)
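To make the ‘inheritance’ concrete, here is an added toy model (my own illustration, not reference policy code and not how the kernel actually evaluates policy) of how allow rules written against type attributes resolve: the interface names mirror the ones in the post, backup_t and the exact permission sets are hypothetical, and the point is that mylog_t becomes manageable by logrotate_t without touching the logrotate rule.

```python
from collections import defaultdict

# Hypothetical attribute-based policy model; it mimics the refpolicy pattern
# where interfaces attach attributes to a type and allow rules name attributes
# instead of concrete types. Not the real SELinux evaluator.

class Policy:
    def __init__(self):
        self.types = set()
        self.attrs = defaultdict(set)          # attribute -> types carrying it
        self.allows = []                        # (source, target, class, perms)

    def declare_type(self, name):               # "type mylog_t;"
        self.types.add(name)

    def typeattribute(self, name, attr):        # "typeattribute mylog_t logfile;"
        assert name in self.types, f"undeclared type {name}"
        self.attrs[attr].add(name)

    def allow(self, source, target, cls, perms):  # "allow src tgt:cls { perms };"
        self.allows.append((source, target, cls, frozenset(perms)))

    def expand(self, ident):
        # An identifier in a rule is either a concrete type or an attribute
        # standing for every type that carries it.
        return self.attrs[ident] if ident in self.attrs else {ident}

    def permitted(self, source, target, cls, perm):
        return any(source in self.expand(s) and target in self.expand(t)
                   and cls == c and perm in p
                   for s, t, c, p in self.allows)

# Simplified stand-ins for the refpolicy interfaces named in the post.
def files_type(p, t):
    p.typeattribute(t, "file_type")

def logging_log_file(p, t):                 # logging_log_file(mylog_t)
    p.typeattribute(t, "logfile")
    files_type(p, t)                        # every log file is also a file_type

def logging_manage_all_logs(p, domain):     # logging_manage_all_logs(logrotate_t)
    p.allow(domain, "logfile", "file", {"read", "write", "unlink"})

def build_policy():
    p = Policy()
    for t in ("logrotate_t", "backup_t", "mylog_t"):
        p.declare_type(t)
    logging_manage_all_logs(p, "logrotate_t")
    p.allow("backup_t", "file_type", "file", {"read"})  # hypothetical backup domain
    logging_log_file(p, "mylog_t")          # logrotate rule above stays unchanged
    return p
```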

Macro names in the reference policy usually start with a namespace prefix; in this example, it’s logging_. Since the reference policy uses M4 to process its files, the syntax is largely determined by what is easy to express in M4.