These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.
defaultuser
-----------
Allows the default user to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.
<tdalign="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<trclass="odd">
<tdalign="left"><p><code>default</code></p></td>
<tdalign="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>
**Example:**
When creating new `binder`, `property_service`, `zygote` or `memprotect` objects the [`user`](cil_user_statements.md#user) component of the new security context will be taken from the `source` context:
(class binder (impersonate call set_context_mgr transfer receive))
; Will produce the following in the binary policy file:
;; default_user binder source;
;; default_user zygote source;
;; default_user property_service source;
;; default_user memprotect source;
defaultrole
-----------
Allows the default role to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.
<tdalign="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<trclass="odd">
<tdalign="left"><p><code>default</code></p></td>
<tdalign="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>
**Example:**
When creating new `binder`, `property_service` or `zygote` objects the [`role`](cil_role_statements.md#role) component of the new security context will be taken from the `target` context:
(class binder (impersonate call set_context_mgr transfer receive))
; Will produce the following in the binary policy file:
;; default_role binder target;
;; default_role zygote target;
;; default_role property_service target;
defaulttype
-----------
Allows the default type to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 28.
<tdalign="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<trclass="odd">
<tdalign="left"><p><code>default</code></p></td>
<tdalign="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>
**Example:**
When creating a new `socket` object, the [`type`](cil_type_statements.md#type) component of the new security context will be taken from the `source` context:
Allows the default level or range to be taken from the source, target, or both contexts when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. glblub as the default requires policy version 32.
<tdalign="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
MLS userspace object managers may need to compute the common parts of a range such that the object is created with the range common to the subject and containing object: