tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_external_selinux/secilc/docs/cil_constraint_statements.md
Yuli Khodorkovskiy 12c7dfc553 secilc/docs: Convert DocBook documentation into github markdown 
Converting to github markdown allows for easier integration with the
SELinux project wiki and viewing of documentation directly on github without
creating PDFs or reading through DocBook XML.

The conversion of DocBook to github markdown would not format tables or
keyword links properly. By maintaining the documentation in github
markdown in the repository, the content is well formatted with a table of
contents when viewing in the github wiki or in the repository.

The migration from DocBook to github markdown was done using Pandoc and
manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook
conversion were added back. An introduction and design philosphy was
also pulled from the SELinux project wiki to provide more cohesion
to the current documentation.

Running make will now convert the github markdown into PDF and HTML.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 16:18:34 -05:00

11 KiB
Raw Blame History

Constraint Statements

constrain

Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components.

Statement definition:

(constrain classpermissionset_id ... expression | expr ...)

Where:

constrain

The constrain keyword.

classpermissionset_id

A single named or anonymous classpermissionset or a single set of classmap/classmapping identifiers.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(role_op r1 r2)

(op t1 t2)

(op u1 user_id)

(op u2 user_id)

(op r1 role_id)

(op r2 role_id)

(op t1 type_id)

(op t2 type_id)

where:

u1, r1, t1 = Source context: user, role or type

u2, r2, t2 = Target context: user, role or type

and:

op : eq neq

role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's, the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

Examples:

Two constrain statements are shown with their equivalent kernel policy language statements:

;; constrain { file } { write }
;;    (( t1 == unconfined.process  ) and ( t2 == unconfined.object  ) or ( r1 eq r2 ));
(constrain (file (write))
    (or
        (and
            (eq t1 unconfined.process)
            (eq t2 unconfined.object)
        )
        (eq r1 r2)
    )
)

;; constrain { file } { read }
;;    (not( t1 == unconfined.process  ) and ( t2 == unconfined.object  ) or ( r1 eq r2 ));
(constrain (file (read))
    (not
        (or
            (and
                (eq t1 unconfined.process)
                (eq t2 unconfined.object)
            )
            (eq r1 r2)
        )
    )
)

validatetrans

The validatetrans statement is only used for file related object classes where it is used to control the ability to change the objects security context based on old, new and the current process security context.

Statement definition:

(validatetrans class_id expression | expr ...)

Where:

validatetrans

The validatetrans keyword.

class_id

A single previously declared class or classmap identifier.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(role_op r1 r2)

(op t1 t2)

(op u1 user_id)

(op u2 user_id)

(op u3 user_id)

(op r1 role_id)

(op r2 role_id)

(op r3 role_id)

(op t1 type_id)

(op t2 type_id)

(op t3 type_id)

where:

u1, r1, t1 = Old context: user, role or type

u2, r2, t2 = New context: user, role or type

u3, r3, t3 = Process context: user, role or type

and:

op : eq neq

role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's, the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

Example:

A validate transition statement with the equivalent kernel policy language statement:

; validatetrans { file } ( t1 == unconfined.process  );

(validatetrans file (eq t1 unconfined.process))

mlsconstrain

Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components.

Statement definition:

(mlsconstrain classpermissionset_id ... expression | expr ...)

Where:

mlsconstrain

The mlsconstrain keyword.

classpermissionset_id

A single named or anonymous classpermissionset or a single set of classmap/classmapping identifiers.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(mls_role_op r1 r2)

(op t1 t2)

(mls_role_op l1 l2)

(mls_role_op l1 h2)

(mls_role_op h1 l2)

(mls_role_op h1 h2)

(mls_role_op l1 h1)

(mls_role_op l2 h2)

(op u1 user_id)

(op u2 user_id)

(op r1 role_id)

(op r2 role_id)

(op t1 type_id)

(op t2 type_id)

where:

u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level

u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level

and:

op : eq neq

mls_role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's, the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

Example:

An MLS constrain statement with the equivalent kernel policy language statement:

;; mlsconstrain { file } { open }
;;     (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ));

(mlsconstrain (file (open))
    (or
        (and
            (eq l1 l2)
            (eq u1 u2)
        )
        (neq r1 r2)
    )
)

mlsvalidatetrans

The mlsvalidatetrans statement is only used for file related object classes where it is used to control the ability to change the objects security context based on old, new and the current process security context.

Statement definition:

(mlsvalidatetrans class_id expression | expr ...)

Where:

mlsvalidatetrans

The mlsvalidatetrans keyword.

class_id

A single previously declared class or classmap identifier.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(mls_role_op r1 r2)

(op t1 t2)

(mls_role_op l1 l2)

(mls_role_op l1 h2)

(mls_role_op h1 l2)

(mls_role_op h1 h2)

(mls_role_op l1 h1)

(mls_role_op l2 h2)

(op u1 user_id)

(op u2 user_id)

(op u3 user_id)

(op r1 role_id)

(op r2 role_id)

(op r3 role_id)

(op t1 type_id)

(op t2 type_id)

(op t3 type_id)

where:

u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level

u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level

u3, r3, t3 = Process context: user, role or type

and:

op : eq neq

mls_role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's, the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

Example:

An MLS validate transition statement with the equivalent kernel policy language statement:

;; mlsvalidatetrans { file } ( l1 domby h2 );

(mlsvalidatetrans file (domby l1 h2))