General Definitions

SELinux policies consist of a large number of files. Many of them contain policy parts which need no adjustment, e.g. basic rules, macro definitions, object classes and methods etc. Classes are e.g. blk_file (block device file), netif (network interface), file etc. There are probably more than onehundred possible operations (of course not for every class). Typical operations are getattr, create, write, unmount etc.

A special element are so called attributes which are collections of types and act as container definitions. SELinux Admins can introduce new attributes or change existing ones.

All in all the mechanism reminds one at the (in)famous imake program configuration system which required intimate knowledge on every installation.