setrans.conf(8)          setrans.conf documentation          setrans.conf(8)

NAME
       setrans.conf - translation configuration file for MCS/MLS SELinux
       systems

DESCRIPTION
       The /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file
       specifies the way that SELinux MCS/MLS labels are translated into
       human readable form by the mcstransd daemon. The default policies
       support 16 sensitivity levels (s0 through s15) and 1024 categories
       (c0 through c1023). Multiple categories can be separated with commas
       (c0,c1,c3,c5) and a range of categories can be shortened using dot
       notation (c0.c3,c5).

   Keywords
       Base   once a base is declared, subsequent sensitivity label
              definitions will have all modifiers applied to them during
              translation. Sensitivity labels defined before the base
              declaration are immediately cached and no modifiers will be
              applied; these are used as direct translations.

       Default
              defines the category bit range that will be used for inverse
              bits.

       Domain creates a new domain with the supplied name.

       Include
              read and process the contents of the specified configuration
              file.

       Join   defines a character used to separate members of a modifier
              group when more than one is specified (ex. USA/AUS).

       ModifierGroup
              a means of grouping category bit definitions by how they modify
              the sensitivity label.

       Prefix word(s) that may precede member(s) of a modifier group (ex. REL
              USA).

       Suffix word(s) that may follow member(s) of a modifier group (ex. USA
              EYES ONLY).

       Whitespace
              defines the set of acceptable white space characters that may
              be used in the label being translated.

   Sensitivity Level Definition Examples
       s0=SystemLow
              defines a translation of s0 (the lowest sensitivity level) with
              no categories to SystemLow.

       s15:c0.c1023=SystemHigh
              defines a translation of s15:c0.c1023 to SystemHigh. c0.c1023
              is shorthand for all categories. A colon separates the
              sensitivity level and categories.

       s0-s15:c0.c1023=SystemLow-SystemHigh
              defines a range translation of s0-s15:c0.c1023 to
              SystemLow-SystemHigh. The two range components are separated by
              a dash.

       s0:c0=PatientRecord
              defines a translation of sensitivity s0 with category c0 to
              PatientRecord.

       s0:c1=Accounting
              defines a translation of sensitivity s0 with category c1 to
              Accounting.

       s2:c1,c2,c3=Confidential3Categories

       s2:c1.c3=Confidential3Categories
              both define a translation of sensitivity s2 with categories c1,
              c2 and c3 to Confidential3Categories.

       s5=TopSecret
              defines a translation of sensitivity s5 with no categories to
              TopSecret.

   Constraint Examples
       c0!c1  if category bits 0 and 1 are both set, the constraint will fail
              and the original context will be returned.

       c5.c9>c1
              if category bits 5 through 9 are set, bit 1 must also be set or
              the constraint will fail and the original context will be
              returned.

       s1!c5,c9
              if category bits 5 and 9 are set and the sensitivity level is
              s1, the constraint will fail and the original context will be
              returned.
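
       The sketch below is an added example, not code from mcstrans. It
       expands the comma and dot category notation and evaluates the three
       constraint forms above against a raw label, which is a quick way to
       check which labels a constraint would leave untranslated. The
       function names are hypothetical, and reading "are set" as "all
       listed bits are set" is an assumption taken from the wording above.

```python
import re

def expand_categories(spec):
    """Expand 'c0.c3,c5' into the set {0, 1, 2, 3, 5}."""
    cats = set()
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad category term: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or hi > 1023:          # default policies stop at c1023
            raise ValueError(f"category out of range: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats

def parse_level(label):
    """Split 's2:c1.c3' into ('s2', {1, 2, 3}); categories are optional."""
    sens, _, cats = label.partition(":")
    if not re.fullmatch(r"s(\d|1[0-5])", sens):   # s0 through s15
        raise ValueError(f"bad sensitivity: {sens!r}")
    return sens, expand_categories(cats) if cats else set()

def side_matches(side, sens, cats):
    """One side of a constraint: a sensitivity (s1) or a category list."""
    if side.startswith("s"):
        return side == sens
    return expand_categories(side) <= cats    # assumption: all bits set

def constraint_holds(constraint, label):
    """Return False when the constraint fails, i.e. the label would be
    returned untranslated according to the descriptions above."""
    m = re.fullmatch(r"([^!>]+)([!>])([^!>]+)", constraint)
    if not m:
        raise ValueError(f"bad constraint: {constraint!r}")
    left, op, right = m.groups()
    sens, cats = parse_level(label)
    if not side_matches(left, sens, cats):
        return True                           # constraint does not apply
    right_set = side_matches(right, sens, cats)
    # '!' forbids the right side; '>' requires it.
    return not right_set if op == "!" else right_set
```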

AUTHOR
       Written by Joe Nall <joe@nall.com>.
       Updated by Ted X. Toth <txtoth@gmail.com>.

SEE ALSO
       selinux(8), mcs(8), mls(8), chcon(1)

FILES
       /etc/selinux/{SELINUXTYPE}/setrans.conf
       /usr/share/mcstrans/examples

txtoth@gmail.com                 13 July 2010                 setrans.conf(8)