setrans.conf(8)setrans.conf documentation setrans.conf(8)NAMEsetrans.conf - translation configuration file for MCS/MLS SELinux sys‐
tems
DESCRIPTION
The /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file speci‐
fies the way that SELinux MCS/MLS labels are translated into human
readable form by the mcstransd daemon. The default policies support 16
sensitivity levels (s0 through s15) and 1024 categories (c0 through
c1023). Multiple categories can be separated with commas (c0,c1,c3,c5)
and a range of categories can be shortened using dot notation
(c0.c3,c5).
Keywords
Base once a base is declared, subsequent sensitivity label defini‐
tions will have all modifiers applied to them during transla‐
tion. Sensitivity labels defined before the base declaration
are immediately cached and no modifiers will be applied these
are used as direct translations.
Default
defines the category bit range that will be used for inverse
bits.
Domain creates a new domain with the supplied name.
Include
read and process the contents of the specified configuration
file.
Join defines a character used to separate members of a modifier group
when more than one is specified (ex. USA/AUS).
ModifierGroup
a means of grouping category bit definitions by how they modify
the sensitivity label.
Prefix word(s) that may proceed member(s) of a modifier group (ex. REL
USA).
Suffix word(s) that may follow member(s) of a modifier group (ex. USA
EYES ONLY).
Whitespace
defines the set of acceptable white space characters that may be
used in label being translated.
Sensitivity Level Definition Examples
s0=SystemLow
defines a translation of s0 (the lowest sensitivity level) with
no categories to SystemLow.
s15:c0.c1023=SystemHigh
defines a translation of s15:c0.c1023 to SystemHigh. c0.c1023 is
shorthand for all categories. A colon separates the sensitivity
level and categories.
s0-s15:c0.c1023=SystemLow-SystemHigh
defines a range translation of of s0-s15:c0.c1023 to System‐
Low-SystemHigh. The two range components are separated by a
dash.
s0:c0=PatientRecord
defines a translation of sensitivity s0 with category c0 to
PatientRecord.
s0:c1=Accounting
defines a translation of sensitivity s0 with category c1 to
Accounting.
s2:c1,c2,c3=Confidential3Categories
s2:c1.c3=Confidential3Categories
both define a translation of sensitivity s2 with categories c1,
c2 and c3 to Confidential3Categories.
s5=TopSecret
defines a translation of sensitivity s5 with no categories to
TopSecret.
Constraint Examples
c0!c1 if category bits 0 and 1 are both set, the constraint will fail
and the original context will be returned.
c5.c9>c1
if category bits 5 through 9 are set, bit 1 must also be set or
the constraint will fail and the original context will be
returned.
s1!c5,c9
if category bits 5 and 9 are set and the sensitivity level is
s1, the constraint will fail and the original context will be
returned.
AUTHOR
Written by Joe Nall <joe@nall.com>.
Updated by Ted X. Toth <txtoth@gmail.com>.
SEE ALSOselinux(8), mcs(8), mls(8), chcon(1)FILES
/etc/selinux/{SELINUXTYPE}/setrans.conf
/usr/share/mcstrans/examples
txtoth@gmail.com 13 July 2010 setrans.conf(8)
