Difference between revisions of "XENStatements"
Line 11: | Line 11: | ||
'''The statement definition is:''' | '''The statement definition is:''' | ||
<pre> | <pre> | ||
− | iomemcon addr context | + | iomemcon addr context |
</pre> | </pre> | ||
Line 58: | Line 58: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
− | iomemcon 0xfebd9 system_u:object_r:nicP_t | + | iomemcon 0xfebd9 system_u:object_r:nicP_t |
− | + | iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t | |
− | iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t | + | |
</pre> | </pre> | ||
Line 69: | Line 68: | ||
'''The statement definition is:''' | '''The statement definition is:''' | ||
<pre> | <pre> | ||
− | ioportcon port context | + | ioportcon port context |
</pre> | </pre> | ||
Line 116: | Line 115: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
− | ioportcon 0xeac0 system_u:object_r:nicP_t | + | ioportcon 0xeac0 system_u:object_r:nicP_t |
− | + | ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t | |
− | ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t | + | |
</pre> | </pre> | ||
Line 127: | Line 125: | ||
'''The statement definition is:''' | '''The statement definition is:''' | ||
<pre> | <pre> | ||
− | pcidevicecon pci_id context | + | pcidevicecon pci_id context |
</pre> | </pre> | ||
Line 174: | Line 172: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
− | pcidevicecon 0xc800 system_u:object_r:nicP_t | + | pcidevicecon 0xc800 system_u:object_r:nicP_t |
</pre> | </pre> | ||
Line 183: | Line 181: | ||
'''The statement definition is:''' | '''The statement definition is:''' | ||
<pre> | <pre> | ||
− | pirqcon irq context | + | pirqcon irq context |
</pre> | </pre> | ||
Line 230: | Line 228: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
− | pirqcon 33 system_u:object_r:nicP_t | + | pirqcon 33 system_u:object_r:nicP_t |
+ | </pre> | ||
+ | |||
+ | == devicetreecon == | ||
+ | Label device tree nodes. | ||
+ | |||
+ | '''The statement definition is:''' | ||
+ | <pre> | ||
+ | devicetreecon path context | ||
+ | </pre> | ||
+ | |||
+ | '''Where:''' | ||
+ | |||
+ | {| border="1" | ||
+ | | devicetreecon | ||
+ | | The devicetreecon keyword. | ||
+ | |||
+ | |- | ||
+ | | path | ||
+ | | the device tree path. If this contains spaces enclose within "". | ||
+ | |||
+ | |- | ||
+ | | context | ||
+ | | The security context to be applied. | ||
+ | |||
+ | |} | ||
+ | |||
+ | |||
+ | '''The statement is valid in:''' | ||
+ | |||
+ | {| border="1" | ||
+ | |<center>'''Monolithic Policy'''</center> | ||
+ | |<center>'''Base Policy'''</center> | ||
+ | |<center>'''Module Policy'''</center> | ||
+ | |||
+ | |- | ||
+ | | <center>'''Yes'''</center> | ||
+ | | <center>'''Yes'''</center> | ||
+ | | <center>'''No'''</center> | ||
+ | |||
+ | |- | ||
+ | | <center>[[ConditionalStatements#if | if Statement]]</center> | ||
+ | | <center>[[PolicyStatements#optional | optional Statement]] </center> | ||
+ | | <center>[[PolicyStatements#require | require Statement]] </center> | ||
+ | |||
+ | |- | ||
+ | | <center>'''No'''</center> | ||
+ | | <center>'''No'''</center> | ||
+ | | <center>'''No'''</center> | ||
+ | |||
+ | |} | ||
+ | |||
+ | |||
+ | '''Example:''' | ||
+ | <pre> | ||
+ | devicetreecon "/this is/a/path" system_u:object_r:arm_path | ||
</pre> | </pre> | ||
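Review bot: in the added devicetreecon section the example context `system_u:object_r:arm_path` uses a type name without the `_t` suffix that every other example on this page uses (`system_u:object_r:nicP_t`); consider a `_t`-suffixed type name so the example reads as a type like the others. The `path` row of the Where table also starts in lower case and is hard to parse ("the device tree path. If this contains spaces enclose within """); suggest "The device tree path. If it contains spaces, enclose it in double quotes ("")." to match the capitalisation of the other rows.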
Revision as of 15:25, 19 March 2015
Xen Statements
Xen policy supports additional policy language statements: iomemcon, ioportcon, pcidevicecon and pirqcon, which are discussed in the sections that follow.
Policy version 30 introduced the devicetreecon statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (32-bit count of 4K pages).
To compile these additional statements using semodule(8), ensure that the semanage.conf(5) file has the policy-target=xen entry.
iomemcon
Label I/O memory. This may be a single memory location or a range.
The statement definition is:
iomemcon addr context
Where:
iomemcon | The iomemcon keyword.
addr | The memory address to apply the context to. This may also be a range that consists of a start and end address separated by a hyphen (-).
context | The security context to be applied.
The statement is valid in:
Example:
iomemcon 0xfebd9 system_u:object_r:nicP_t
iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
ioportcon
Label I/O ports. This may be a single port or a range.
The statement definition is:
ioportcon port context
Where:
ioportcon | The ioportcon keyword.
port | The port to apply the context to. This may also be a range that consists of a start and end port number separated by a hyphen (-).
context | The security context to be applied.
The statement is valid in:
Example:
ioportcon 0xeac0 system_u:object_r:nicP_t
ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t
pcidevicecon
Label a PCI device.
The statement definition is:
pcidevicecon pci_id context
Where:
pcidevicecon | The pcidevicecon keyword.
pci_id | The PCI identifier.
context | The security context to be applied.
The statement is valid in:
Example:
pcidevicecon 0xc800 system_u:object_r:nicP_t
pirqcon
Label an interrupt level.
The statement definition is:
pirqcon irq context
Where:
pirqcon | The pirqcon keyword.
irq | The interrupt request number.
context | The security context to be applied.
The statement is valid in:
Example:
pirqcon 33 system_u:object_r:nicP_t
devicetreecon
Label device tree nodes.
The statement definition is:
devicetreecon path context
Where:
devicetreecon | The devicetreecon keyword.
path | The device tree path. If it contains spaces, enclose it in double quotes ("").
context | The security context to be applied.
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy
Yes | Yes | No
if Statement | optional Statement | require Statement
No | No | No
Example:
devicetreecon "/this is/a/path" system_u:object_r:arm_path
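All five statements above share one shape, keyword, value, context, and the only rules the page gives for the value are the hyphen-separated start-end range for iomemcon and ioportcon and the double-quoting of devicetreecon paths that contain spaces. The validator below is an added example, not code from the SELinux notebook or from the Xen or SELinux projects; it parses a fragment constructed from the page's own examples and, as a reviewer's check the page does not describe, flags overlapping ranges of the same statement that carry different contexts. The 64-bit limit on I/O memory follows the policy version 30 note above; the 16-bit port limit, the acceptance of hexadecimal or decimal numbers, the `user:role:type` context check and the sample fragment (including the `otherdev_t` type) are assumptions of this example.

```python
"""Validator for the Xen-specific SELinux policy statements (added example)."""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# user:role:type with an optional trailing MLS/MCS range; a context has no whitespace (assumption).
_CONTEXT_RE = re.compile(r"^[^\s:]+:[^\s:]+:[^\s:]+(?::\S+)?$")

# Upper bounds: 64-bit I/O memory (policy version 30), 16-bit I/O ports (assumption).
# pci_id and irq are only required to be non-negative integers.
_MAX_VALUE = {"iomemcon": (1 << 64) - 1, "ioportcon": 0xFFFF}
_RANGE_KEYWORDS = {"iomemcon", "ioportcon"}      # single value or start-end range
_SINGLE_KEYWORDS = {"pcidevicecon", "pirqcon"}   # single value only


@dataclass(frozen=True)
class XenStatement:
    keyword: str
    context: str
    start: int = 0               # numeric value or range start; unused for devicetreecon
    end: int = 0                 # range end, equal to start for a single value
    path: Optional[str] = None   # device tree path, devicetreecon only


def _parse_number(text: str, keyword: str) -> int:
    try:
        value = int(text, 0)     # base 0 accepts 0x... hex and plain decimal (assumption)
    except ValueError:
        raise ValueError(f"{keyword}: '{text}' is not a number") from None
    if value < 0 or value > _MAX_VALUE.get(keyword, value):
        raise ValueError(f"{keyword}: {text} is outside the allowed range")
    return value


def parse_statement(line: str) -> XenStatement:
    """Parse one statement line, raising ValueError with the reason on any syntax error."""
    tokens = shlex.split(line, comments=True)   # honours the "..." quoting for paths with spaces
    if not tokens:
        raise ValueError("empty statement")
    keyword = tokens[0]
    if len(tokens) != 3:
        raise ValueError(f"{keyword}: expected '{keyword} <value> <context>', got {len(tokens)} tokens")
    _, value, context = tokens
    if not _CONTEXT_RE.match(context):
        raise ValueError(f"{keyword}: '{context}' is not a user:role:type security context")
    if keyword == "devicetreecon":
        if not value.startswith("/"):
            raise ValueError("devicetreecon: the device tree path must start with '/'")
        return XenStatement(keyword, context, path=value)
    if keyword in _RANGE_KEYWORDS:
        start_text, dash, end_text = value.partition("-")
        start = _parse_number(start_text, keyword)
        end = _parse_number(end_text, keyword) if dash else start
        if end < start:
            raise ValueError(f"{keyword}: range {value} ends before it starts")
        return XenStatement(keyword, context, start, end)
    if keyword in _SINGLE_KEYWORDS:
        if "-" in value:
            raise ValueError(f"{keyword}: a range is not permitted here")
        number = _parse_number(value, keyword)
        return XenStatement(keyword, context, number, number)
    raise ValueError(f"'{keyword}' is not a Xen policy statement")


def parse_policy(text: str) -> list:
    """Parse a block of statements; blank lines and '#' comment lines are skipped."""
    statements = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            statements.append(parse_statement(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return statements


def find_conflicts(statements) -> list:
    """Pairs of same-keyword statements whose ranges overlap under different contexts,
    i.e. a resource the policy labels two ways."""
    numeric = [s for s in statements if s.path is None]
    return [(a, b) for i, a in enumerate(numeric) for b in numeric[i + 1:]
            if a.keyword == b.keyword and a.context != b.context
            and a.start <= b.end and b.start <= a.end]


def is_rejected(line: str) -> bool:
    """True when parse_statement refuses the line (exercises the error paths)."""
    try:
        parse_statement(line)
    except ValueError:
        return True
    return False


# Constructed sample: the page's examples plus one iomemcon range that overlaps an
# existing one under a different (made-up) type, to exercise the conflict check.
SAMPLE_POLICY = """\
# constructed sample policy fragment
iomemcon 0xfebd9 system_u:object_r:nicP_t
iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
ioportcon 0xeac0 system_u:object_r:nicP_t
ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t
pcidevicecon 0xc800 system_u:object_r:nicP_t
pirqcon 33 system_u:object_r:nicP_t
devicetreecon "/this is/a/path" system_u:object_r:arm_path
iomemcon 0xfebf0-0xfebf7 system_u:object_r:otherdev_t
"""

if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    for stmt in parsed:
        print(stmt)
    for a, b in find_conflicts(parsed):
        print(f"conflict: {a.keyword} {a.start:#x}-{a.end:#x} is labelled {a.context} and {b.context}")
```

Running the block parses the eight statements and reports the one conflict, the `0xfebf0-0xfebf7` range sitting inside `0xfebe0-0xfebff` under a different type. `shlex.split` is used deliberately so that the quoting rule for devicetreecon paths behaves as the page describes: an unquoted path with spaces splits into extra tokens and is rejected.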