454466e2e4
Revert^2 "Use cil_write_build_ast" bde09de39feec91cf8220f0f798a6e52154d69e9 Change-Id: I3ab19bda9c1968409ad5a4f4d0866649036c683c
9 KiB
Role Statements
role
Declares a role identifier in the current namespace.
Statement definition:
(role role_id)
Where:
|
The |
|
The |
Example:
This example declares two roles: object_r in the global namespace and unconfined.role:
(role object_r)
(block unconfined
(role role)
)
roletype
Authorises a role to access a type identifier.
Statement definition:
(role role_id type_id)
Where:
|
The |
|
A single previously declared |
|
A single previously declared |
Example:
This example will declare role and type identifiers, then associate them:
(block unconfined
(role role)
(type process)
(roletype role process)
)
roleattribute
Declares a role attribute identifier in the current namespace. The identifier may have zero or more role and roleattribute identifiers associated to it via the roleattributeset statement.
Statement definition:
(roleattribute roleattribute_id)
Where:
|
The |
|
The |
Example:
This example will declare a role attribute roles.role_holder that will have an empty set:
(block roles
(roleattribute role_holder)
)
roleattributeset
Allows the association of one or more previously declared role identifiers to a roleattribute identifier. Expressions may be used to refine the associations as shown in the examples.
Statement definition:
(roleattributeset roleattribute_id (role_id ... | expr ...))
Where:
|
The |
|
A single previously declared |
|
Zero or more previously declared Note that there must be at least one |
|
Zero or more
|
Example:
This example will declare three roles and two role attributes, then associate all the roles to them as shown:
(block roles
(role role_1)
(role role_2)
(role role_3)
(roleattribute role_holder)
(roleattributeset role_holder (role_1 role_2 role_3))
(roleattribute role_holder_all)
(roleattributeset role_holder_all (all))
)
roleallow
Authorise the current role to assume a new role.
Notes:
-
May require a
roletransitionrule to ensure transition to the new role. -
This rule is not allowed in
booleanifstatements.
Statement definition:
(roleallow current_role_id new_role_id)
Where:
|
The |
|
A single previously declared |
|
A single previously declared |
Example:
See the roletransition statement for an example.
roletransition
Specify a role transition from the current role to a new role when computing a context for the target type. The class identifier would normally be process, however for kernel versions 2.6.39 with policy version >= 25 and above, any valid class may be used. Note that a roleallow rule must be used to authorise the transition.
Statement definition:
(roletransition current_role_id target_type_id class_id new_role_id)
Where:
|
The |
|
A single previously declared |
|
A single previously declared |
|
A single previously declared |
|
A single previously declared |
Example:
This example will authorise the unconfined.role to assume the msg_filter.role role, and then transition to that role:
(block ext_gateway
(type process)
(type exec)
(roletype msg_filter.role process)
(roleallow unconfined.role msg_filter.role)
(roletransition unconfined.role exec process msg_filter.role)
)
rolebounds
Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.
Notes:
-
It is not possible to bind the parent role to more than one child role.
-
While this is added to the binary policy, it is not enforced by the SELinux kernel services.
Statement definition:
(rolebounds parent_role_id child_role_id)
Where:
|
The |
|
A single previously declared |
|
A single previously declared |
Example:
In this example the role test cannot have greater privileges than unconfined.role:
(role test)
(block unconfined
(role role)
(rolebounds role .test)
)