Basic concepts

This section lists the basic concepts used within the te policy family.

Permissions

A permission is an identifier of a certain action or actions. For example, rw can be used as the read-and-write permission.

The list of permissions is statically defined in the security configuration of the te family instance in the permissions element.

...

"permissions": ["rw", "r"]

...

Types

A type is an identifier that can be associated with security domains by using policies of the te family. In the te family implementation, a type can be associated with the subject of an action (such as an entity) as well as with the object of an action (such as a file).

The list of types is statically defined in the configuration of the te family instance in the types element.

...

"types": ["file", "file_readonly", "process.user", "process.root"]

...

Permissions matrix (allows)

A permissions matrix is a matrix that describes which permissions are granted to domains of one type (subjects) when they call domains of a different type (objects).

The permissions matrix is statically defined in the configuration of the te family instance in the allows element. If an interaction between types of domains is not defined, it is assumed that no permissions are granted for this interaction.

...

"allows" : [{ "process.root": { "file_readonly": ["rw"] }},

{ "process.user": { "file_readonly": ["r"] }},

{ "process.root": { "file": ["rw"] }},

{ "process.user": { "file": ["rw"] }}]

...

Images

An image is an identifier that is used to bind the initial type with a set of inherited types.

The list of images is statically defined in the configuration of the te family instance in the images element.

...

"images": ["login_image", "passwd_image", "create_file"]

...

Inheritance matrix (transitions)

An inheritance matrix is a matrix that describes which type can be assigned to a security domain by a domain of a different type.

The inheritance matrix is statically defined in the configuration of the te family instance in the transitions element. The matrix is defined as an array, with each element of the array containing information about the parent type, image, and array of possible child types. The special character "*" (wildcard) can be used.

Use of the "*" character as a parent type matches any of the types declared in the types element. The same applies to images. Together, the parent type and image form the key that is used to determine the possible child types.

Use of the "*" character as a child type matches the value specified in the parent type.

...

"transitions":[

{ "process.root": { "login_image": ["process.user"] }},

{ "process.user": { "passwd_image":["process.root"] }},

{ "*": { "create_file": ["file", "file_readonly"] }},

{ "*": { "*": ["*"] }}]

...

Every inheritance rule must have a unique key (the combination of the parent type and image values). A special rule is used to determine which child types are allowed.

For example, the {"*":{"*":["*"]}} rule means that, for any image, a child is allowed to inherit the parent type. However, the matrix above prohibits a parent of the process.user type from assigning the same type to a child if the image value is passwd_image, because the matrix already contains an inheritance rule for this key: { "process.user": { "passwd_image":["process.root"] }}.

Type assignment

A type is assigned by using initializing policies of the te family. These policies initialize the security context for the specified domain, associating the SID of the domain with one of the types. An assigned type cannot be changed.

The initialize_direct and initialize_direct_ policies directly assign the passed type to the domain.

The initialize_transition_check and initialize_transition_check_ policies assign the passed type to the domain, if this is allowed by the type inheritance matrix.

The initialize_transition_auto and initialize_transition_auto_ policies automatically assign the first type of those allowed by the inheritance matrix to the domain.

Checking permissions

The validate policy verifies permissions when one security domain calls another. This verification is performed based on the permissions matrix defined in the configuration of the te family instance.
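The following model of the two matrices is an added example and is not code from the te family itself. It evaluates the allows and transitions fragments shown above. The function names are hypothetical, and the wildcard lookup order (exact key first, then wildcards) is an assumption that goes beyond the single override case described on this page.

```python
# Added illustration, not the te family implementation. Matrix values are the page's fragments.
CONFIG = {
    "allows": [{"process.root": {"file_readonly": ["rw"]}},
               {"process.user": {"file_readonly": ["r"]}},
               {"process.root": {"file": ["rw"]}},
               {"process.user": {"file": ["rw"]}}],
    "transitions": [{"process.root": {"login_image": ["process.user"]}},
                    {"process.user": {"passwd_image": ["process.root"]}},
                    {"*": {"create_file": ["file", "file_readonly"]}},
                    {"*": {"*": ["*"]}}],
}

def flatten(matrix):
    """Turn [{a: {b: [..]}}, ...] into {(a, b): [..]}, rejecting duplicate keys."""
    # The page requires unique keys for transitions; applying that to allows is an assumption.
    flat = {}
    for entry in matrix:
        for outer, inner in entry.items():
            for key, values in inner.items():
                if (outer, key) in flat:
                    raise ValueError(f"duplicate key {(outer, key)}")
                flat[(outer, key)] = values
    return flat

def child_types(cfg, parent, image):
    """Child types allowed for (parent, image); the most specific key wins."""
    rules = flatten(cfg["transitions"])
    # Assumed lookup order: exact key first, then increasingly general wildcards.
    for key in ((parent, image), (parent, "*"), ("*", image), ("*", "*")):
        if key in rules:
            # "*" as a child type stands for the parent type.
            return [parent if t == "*" else t for t in rules[key]]
    return []

def transition_check(cfg, parent, image, requested):
    """Models initialize_transition_check: assign only if the matrix allows it."""
    return requested in child_types(cfg, parent, image)

def transition_auto(cfg, parent, image):
    """Models initialize_transition_auto: first allowed type, or None."""
    allowed = child_types(cfg, parent, image)
    return allowed[0] if allowed else None

def validate(cfg, subject, obj, permission):
    """Models validate: an undefined interaction grants no permissions."""
    return permission in flatten(cfg["allows"]).get((subject, obj), [])
```

When reviewing a real configuration, the same lookup can be used to list every (parent type, image) pair that falls through to the { "*": { "*": ["*"] }} rule, since those are the pairs where a child keeps its parent's type.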
