# Class and Permission Statements

## common

Declares a common identifier in the current namespace with a set of common permissions that can be used by one or more class identifiers. The classcommon statement is used to associate a common identifier to a specific class identifier.

Statement definition:

Where:

- common: The common keyword.
- common_id: The common identifier.
- permission_id: One or more permissions.

Example:

This common statement will associate the common identifier 'file' with the list of permissions:

## classcommon

Associates a class identifier to one or more permissions declared by a common identifier.

Statement definition:

Where:

- classcommon: The classcommon keyword.
- class_id: A single previously declared class identifier.
- common_id: A single previously declared common identifier that defines the common permissions for that class.

Example:

This associates the dir class with the list of permissions declared by the file common identifier:

## class

Declares a class and zero or more permissions in the current namespace.

Statement definition:

Where:

- class: The class keyword.
- class_id: The class identifier.
- permission_id: Zero or more permissions declared for the class. Note that if there are zero permissions, an empty list is required, as shown in the example.

Examples:

This example defines a set of permissions for the binder class identifier:

This example defines a common set of permissions to be used by the sem class; the (class sem ()) statement does not define any other permissions (i.e. an empty list):

and will produce the following set of permissions for the sem class identifier:

This example, with the following combination of the common, classcommon and class statements:

will produce the following set of permissions for the dir class identifier:

## classorder

Defines the order of classes. This is a mandatory statement. Multiple classorder statements declared in the policy will form an ordered list.

Statement definition:

Where:

- classorder: The classorder keyword.
- class_id: One or more class identifiers.

Example:

This will produce an ordered list of "file dir process":

## classpermission

Declares a class permission set identifier in the current namespace that can be used by one or more classpermissionsets to associate one or more classes and permissions to form a named set.

Statement definition:

Where:

- classpermission: The classpermission keyword.
- classpermissionset_id: The classpermissionset identifier.

Example:

See the classpermissionset statement for examples.

## classpermissionset

Defines a class permission set identifier in the current namespace that associates a class and one or more permissions to form a named set. Nested expressions may be used to determine the required permissions, as shown in the examples. Anonymous classpermissionsets may be used in av rules and constraints.

Statement definition:

Where:

- classpermissionset: The classpermissionset keyword.
- classpermissionset_id: The classpermissionset identifier.
- class_id: A single previously declared class identifier.
- permission_id: Zero or more permissions required by the class. Note that at least one permission identifier or expr must be declared.
- expr: Zero or more exprs; the valid operators and syntax are:

```
(and (permission_id ...) (permission_id ...))
(or  (permission_id ...) (permission_id ...))
(xor (permission_id ...) (permission_id ...))
(not (permission_id ...))
(all)
```

Examples:

These class permission set statements will resolve to the permission sets shown in the kernel policy language allow rules:

## classmap

Declares a class map identifier in the current namespace and one or more class mapping identifiers. This will allow:

- Multiple classpermissionsets to be linked to a pair of classmap / classmapping identifiers.
- Multiple classes to be associated to statements and rules that support a list of classes: typetransition, typechange, typemember, rangetransition, roletransition, defaultuser, defaultrole, defaulttype, defaultrange, validatetrans, mlsvalidatetrans.

Statement definition:

Where:

- classmap: The classmap keyword.
- classmap_id: The classmap identifier.
- classmapping_id: One or more classmapping identifiers.

Example:

See the classmapping statement for examples.

## classmapping

Defines sets of classpermissionsets (named or anonymous) to form a consolidated classmapping set. Generally there are multiple classmapping statements with the same classmap and classmapping identifiers that form a set of different classpermissionsets. This is useful when multiple classes / permissions are required in rules such as the allow rules (as shown in the examples).

Statement definition:

Where:

- classmapping: The classmapping keyword.
- classmap_id: A single previously declared classmap identifier.
- classmapping_id: The classmapping identifier.
- classpermissionset_id: A single named classpermissionset identifier, or a single anonymous classpermissionset using exprs as required (see the classpermissionset statement).

Examples:

These class mapping statements will resolve to the permission sets shown in the kernel policy language allow rules:
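To make the resolution rules above concrete (common permissions merged into a class by classcommon, and a classpermissionset expr evaluated with and/or/xor/not/all against the class's full permission set), here is an added Python resolver; it is example code written for this page, not part of the CIL reference or the secilc compiler. The CIL snippet it parses is constructed for the example: the statement forms follow standard CIL syntax, but the class names, set names and permission lists are illustrative, and the parser does not handle CIL `;` comments.

```python
import re  # the s-expression tokenizer below uses a two-token regular expression

# Constructed CIL snippet for this example (identifiers and permissions are illustrative).
POLICY = """
(common file (ioctl read write getattr setattr lock))
(class file (execute))
(class dir (add_name remove_name))
(classcommon file file)
(classcommon dir file)
(classpermission cps_rw)
(classpermissionset cps_rw (file (and (all) (not (execute lock)))))
(classpermissionset cps_dir (dir (or (read write) (add_name))))
"""

def parse(text):
    """Build nested lists from CIL s-expressions; identifiers stay strings."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # fold the finished list into its parent
        else:
            stack[-1].append(tok)
    return stack[0]

def class_perms(stmts):
    """Apply common + classcommon + class -> {class_id: set of permissions}."""
    commons = {s[1]: set(s[2]) for s in stmts if s[0] == "common"}
    classes = {s[1]: set(s[2]) for s in stmts if s[0] == "class"}
    for s in stmts:
        if s[0] == "classcommon":  # the class inherits every permission of the common
            classes[s[1]] |= commons[s[2]]
    return classes

def eval_expr(e, universe):
    """Evaluate a classpermissionset expr against the class's full permission set."""
    if e[0] == "all":
        return set(universe)
    if e[0] == "not":
        return universe - eval_expr(e[1], universe)
    if e[0] in ("and", "or", "xor"):
        a, b = eval_expr(e[1], universe), eval_expr(e[2], universe)
        return {"and": a & b, "or": a | b, "xor": a ^ b}[e[0]]
    return set(e)  # a plain (permission_id ...) list

def perm_sets(stmts, classes):
    """Resolve classpermissionset statements -> {set_id: (class_id, permissions)}."""
    return {s[1]: (s[2][0], eval_expr(s[2][1], classes[s[2][0]]))
            for s in stmts if s[0] == "classpermissionset"}
```

Running `perm_sets(parse(POLICY), class_perms(parse(POLICY)))` shows cps_rw resolving to every file permission except execute and lock, which is the kind of expansion the kernel policy allow rules in the reference's examples display.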