File: cil_sid_statements.md

Package: secilc 3.9-1
SID Statements
==============

sid
---

Declares a new SID identifier in the current namespace.

**Statement definition:**

```secil
    (sid sid_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sid</code></p></td>
<td align="left"><p>The <code>sid</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sid_id</code></p></td>
<td align="left"><p>The <code>sid</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show three [`sid`](cil_sid_statements.md#sid) declarations:

```secil
    (sid kernel)
    (sid security)
    (sid igmp_packet)
```

sidorder
--------

Defines the order of [`sid`](#sid) identifiers. This statement is mandatory whenever SIDs are declared. Multiple [`sidorder`](cil_sid_statements.md#sidorder) statements declared in the policy are merged into a single ordered list.

**Statement definition:**

```secil
    (sidorder (sid_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sidorder</code></p></td>
<td align="left"><p>The <code>sidorder</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sid_id</code></p></td>
<td align="left"><p>One or more <code>sid</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This produces the ordered list "`kernel security unlabeled`":

```secil
    (sid kernel)
    (sid security)
    (sid unlabeled)
    (sidorder (kernel security))
    (sidorder (security unlabeled))
```

sidcontext
----------

Associates an SELinux security [context](#context) with a previously declared [`sid`](cil_sid_statements.md#sid) identifier.

**Statement definition:**

```secil
    (sidcontext sid_id context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sidcontext</code></p></td>
<td align="left"><p>The <code>sidcontext</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sid_id</code></p></td>
<td align="left"><p>A single previously declared <code>sid</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The level range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show two named security contexts and one anonymous context:

```secil
    ; Two named contexts:
    (sid kernel)
    (context kernel_context (u r process low_low))
    (sidcontext kernel kernel_context)

    (sid security)
    (context security_context (u object_r process low_low))
    (sidcontext security security_context)

    ; An anonymous context:
    (sid unlabeled)
    (sidcontext unlabeled (u object_r ((s0) (s0))))
```
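As an added example (not part of the upstream CIL documentation), the three statements on this page combined into one minimal policy that should compile stand-alone with `secilc`, including the level and user declarations that the mandatory level range depends on. The class, user, role, type and level names are constructed for this example; `unlabeled` gets its own type because it is the label the kernel falls back to for objects it cannot otherwise label.

```secil
; Added example, not from the upstream CIL docs. All identifiers other
; than the SID names are constructed for illustration.
(class process (fork))
(classorder (process))

; Declare the initial SIDs, then fix their order in a single list.
(sid kernel)
(sid security)
(sid unlabeled)
(sidorder (kernel security unlabeled))

; MLS/MCS scaffolding: sidcontext requires a level range even when the
; policy is not MLS-enabled, so one sensitivity and one range are enough.
(sensitivity s0)
(sensitivityorder (s0))
(level low (s0))
(levelrange low_low (low low))

; The user, role and types that the contexts below are built from.
(user u)
(role r)
(type kernel_t)
(type unlabeled_t)
(roletype r kernel_t)
(roletype r unlabeled_t)
(userrole u r)
(userlevel u low)
(userrange u low_low)

; Named context shared by the kernel and security SIDs.
(context kernel_context (u r kernel_t low_low))
(sidcontext kernel kernel_context)
(sidcontext security kernel_context)

; Anonymous context for the fallback SID; the range is written inline,
; as in the sidcontext example above.
(sidcontext unlabeled (u r unlabeled_t ((s0) (s0))))
```

Compile with `secilc sids.cil` (assuming that file name); removing the `sidorder` line or the level range from any context is a quick way to see the errors the statements above are designed to prevent.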