1setrans.conf(5) setrans.conf documentation setrans.conf(5)
2
6 setrans.conf - translation configuration file for MCS/MLS SELinux sys‐
7 tems
8
11 The /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file speci‐
12 fies the way that SELinux MCS/MLS labels are translated into human
13 readable form by the mcstransd daemon. The default policies support 16
14 sensitivity levels (s0 through s15) and 1024 categories (c0 through
15 c1023). Multiple categories can be separated with commas (c0,c1,c3,c5)
16 and a range of categories can be shortened using dot notation
17 (c0.c3,c5).
18 Keywords
21 Base once a base is declared, subsequent sensitivity label defini‐
22 tions will have all modifiers applied to them during transla‐
23 tion. Sensitivity labels defined before the base declaration
24 are immediately cached and no modifiers will be applied these
25 are used as direct translations.
26 Default
29 defines the category bit range that will be used for inverse
30 bits.
31 Domain creates a new domain with the supplied name.
34 Include
37 read and process the contents of the specified configuration
38 file.
39 Join defines a character used to separate members of a modifier group
42 when more than one is specified (ex. USA/AUS).
43 ModifierGroup
46 a means of grouping category bit definitions by how they modify
47 the sensitivity label.
48 Prefix word(s) that may proceed member(s) of a modifier group (ex. REL
51 USA).
52 Suffix word(s) that may follow member(s) of a modifier group (ex. USA
55 EYES ONLY).
56 Whitespace
59 defines the set of acceptable white space characters that may be
60 used in label being translated.
61 Sensitivity Level Definition Examples
64 s0=SystemLow
65 defines a translation of s0 (the lowest sensitivity level) with
66 no categories to SystemLow.
67 s15:c0.c1023=SystemHigh
70 defines a translation of s15:c0.c1023 to SystemHigh. c0.c1023 is
71 shorthand for all categories. A colon separates the sensitivity
72 level and categories.
73 s0-s15:c0.c1023=SystemLow-SystemHigh
76 defines a range translation of s0-s15:c0.c1023 to SystemLow-Sys‐
77 temHigh. The two range components are separated by a dash.
78 s0:c0=PatientRecord
81 defines a translation of sensitivity s0 with category c0 to
82 PatientRecord.
83 s0:c1=Accounting
86 defines a translation of sensitivity s0 with category c1 to
87 Accounting.
88 s2:c1,c2,c3=Confidential3Categories
91 s2:c1.c3=Confidential3Categories
93 both define a translation of sensitivity s2 with categories c1,
94 c2 and c3 to Confidential3Categories.
95 s5=TopSecret
98 defines a translation of sensitivity s5 with no categories to
99 TopSecret.
100 Constraint Examples
103 c0!c1 if category bits 0 and 1 are both set, the constraint will fail
104 and the original context will be returned.
105 c5.c9>c1
108 if category bits 5 through 9 are set, bit 1 must also be set or
109 the constraint will fail and the original context will be
110 returned.
111 s1!c5,c9
114 if category bits 5 and 9 are set and the sensitivity level is
115 s1, the constraint will fail and the original context will be
116 returned.
117
120 Written by Joe Nall <joe@nall.com>.
121 Updated by Ted X. Toth <txtoth@gmail.com>.
122
125 selinux(8), mcs(8), mls(8), chcon(1)
126
129 /etc/selinux/{SELINUXTYPE}/setrans.conf
130 /usr/share/mcstrans/examples
131txtoth@gmail.com 13 July 2010 setrans.conf(5)