Role Statements =============== role ---- Declares a role identifier in the current namespace. **Statement definition:** ```secil (role role_id) ``` **Where:**

role

The role keyword.

role_id

The role identifier.

**Example:** This example declares two roles: `object_r` in the global namespace and `unconfined.role`: ```secil (role object_r) (block unconfined (role role) ) ``` roletype -------- Authorises a [`role`](cil_role_statements.md#role) to access a [`type`](cil_type_statements.md#type) identifier. **Statement definition:** ```secil (role role_id type_id) ``` **Where:**

roletype

The roletype keyword.

role_id

A single previously declared role or roleattribute identifier.

type_id

A single previously declared type, typealias or typeattribute identifier.

**Example:** This example will declare [`role`](cil_role_statements.md#role) and [`type`](cil_type_statements.md#type) identifiers, then associate them: ```secil (block unconfined (role role) (type process) (roletype role process) ) ``` roleattribute ------------- Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`roleattributeset`](cil_role_statements.md#roleattributeset) statement. **Statement definition:** ```secil (roleattribute roleattribute_id) ``` **Where:**

roleattribute

The roleattribute keyword.

roleattribute_id

The roleattribute identifier.

**Example:** This example will declare a role attribute `roles.role_holder` that will have an empty set: ```secil (block roles (roleattribute role_holder) ) ``` roleattributeset ---------------- Allows the association of one or more previously declared [`role`](cil_role_statements.md#role) identifiers to a [`roleattribute`](cil_role_statements.md#roleattribute) identifier. Expressions may be used to refine the associations as shown in the examples. **Statement definition:** ```secil (roleattributeset roleattribute_id (role_id ... | expr ...)) ``` **Where:**

roleattributeset

The roleattributeset keyword.

roleattribute_id

A single previously declared roleattribute identifier.

role_id

Zero or more previously declared role or roleattribute identifiers.

Note that there must be at least one role_id or expr parameter declared.

expr

Zero or more expr's, the valid operators and syntax are:

(and (role_id ...) (role_id ...))

(or (role_id ...) (role_id ...))

(xor (role_id ...) (role_id ...))

(not (role_id ...))

(all)

**Example:** This example will declare three roles and two role attributes, then associate all the roles to them as shown: ```secil (block roles (role role_1) (role role_2) (role role_3) (roleattribute role_holder) (roleattributeset role_holder (role_1 role_2 role_3)) (roleattribute role_holder_all) (roleattributeset role_holder_all (all)) ) ``` roleallow --------- Authorise the current role to assume a new role. Notes: - May require a [`roletransition`](cil_role_statements.md#roletransition) rule to ensure transition to the new role. - This rule is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) statements. **Statement definition:** ```secil (roleallow current_role_id new_role_id) ``` **Where:**

roleallow

The roleallow keyword.

current_role_id

A single previously declared role or roleattribute identifier.

new_role_id

A single previously declared role or roleattribute identifier.

**Example:** See the [`roletransition`](cil_role_statements.md#roletransition) statement for an example. roletransition -------------- Specify a role transition from the current role to a new role when computing a context for the target type. The [`class`](cil_class_and_permission_statements.md#class) identifier would normally be `process`, however for kernel versions 2.6.39 with policy version \>= 25 and above, any valid class may be used. Note that a [`roleallow`](cil_role_statements.md#roleallow) rule must be used to authorise the transition. **Statement definition:** ```secil (roletransition current_role_id target_type_id class_id new_role_id) ``` **Where:**

roletransition

The roletransition keyword.

current_role_id

A single previously declared role or roleattribute identifier.

target_type_id

A single previously declared type, typealias or typeattribute identifier.

class_id

A single previously declared class or classmap identifier.

new_role_id

A single previously declared role identifier to be set on transition.

**Example:** This example will authorise the `unconfined.role` to assume the `msg_filter.role` role, and then transition to that role: ```secil (block ext_gateway (type process) (type exec) (roletype msg_filter.role process) (roleallow unconfined.role msg_filter.role) (roletransition unconfined.role exec process msg_filter.role) ) ``` rolebounds ---------- Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent. Notes: - It is not possible to bind the parent role to more than one child role. - While this is added to the binary policy, it is not enforced by the SELinux kernel services. **Statement definition:** ```secil (rolebounds parent_role_id child_role_id) ``` **Where:**

rolebounds

The rolebounds keyword.

parent_role_id

A single previously declared role identifier.

child_role_id

A single previously declared role identifier.

**Example:** In this example the role `test` cannot have greater privileges than `unconfined.role`: ```secil (role test) (block unconfined (role role) (rolebounds role .test) ) ```