RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2024-12-13 09:34:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
15a7553d22
selinux/secilc/docs/cil_default_object_statements.xml
Yuli Khodorkovskiy 36f62b78f1 libsepol: Move secilc out of libsepol 
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.

- Move secilc source, test policies, docs, and secilc manpage to secilc
  directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
  in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
  Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-03-31 12:31:38 -04:00

216 lines
11 KiB
XML
Raw Blame History

<!-- Common Interface Language (CIL) Reference Guide -->
<!-- default_object_statements.xml -->
<sect1>
<title>Default Object Statements</title>
<para>These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.</para>
<sect2 id="defaultuser">
<title>defaultuser</title>
<para>Allows the default user to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(defaultuser class_id default)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>defaultuser</literal></para>
</entry>
<entry>
<para>The <literal>defaultuser</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>class_id</literal></para>
</entry>
<entry>
<para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
</entry>
</row>
<row>
<entry>
<para><literal>default</literal></para>
</entry>
<entry>
<para>A keyword of either <literal>source</literal> or <literal>target</literal>.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Example:</emphasis></para>
<para>When creating new <literal>binder</literal>, <literal>property_service</literal>, <literal>zygote</literal> or <literal>memprotect</literal> objects the <literal><link linkend="user">user</link></literal> component of the new security context will be taken from the <literal>source</literal> context:</para>
<programlisting><![CDATA[
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(class memprotect (mmap_zero))
(classmap android_classes (android))
(classmapping android_classes android (binder (all)))
(classmapping android_classes android (property_service (set)))
(classmapping android_classes android (zygote (not (specifycapabilities))))
(defaultuser (android_classes memprotect) source)
; Will produce the following in the binary policy file:
;; default_user binder source;
;; default_user zygote source;
;; default_user property_service source;
;; default_user memprotect source;]]>
</programlisting>
</sect2>
<sect2 id="defaultrole">
<title>defaultrole</title>
<para>Allows the default role to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
<programlisting><![CDATA[(defaultrole class_id default)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>defaultrole</literal></para>
</entry>
<entry>
<para>The <literal>defaultrole</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>class_id</literal></para>
</entry>
<entry>
<para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
</entry>
</row>
<row>
<entry>
<para><literal>default</literal></para>
</entry>
<entry>
<para>A keyword of either <literal>source</literal> or <literal>target</literal>.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Example:</emphasis></para>
<para>When creating new <literal>binder</literal>, <literal>property_service</literal> or <literal>zygote</literal> objects the <literal><link linkend="role">role</link></literal> component of the new security context will be taken from the <literal>target</literal> context:</para>
<programlisting><![CDATA[
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(defaultrole (binder property_service zygote) target)
; Will produce the following in the binary policy file:
;; default_role binder target;
;; default_role zygote target;
;; default_role property_service target;]]>
</programlisting>
</sect2>
<sect2 id="defaulttype">
<title>defaulttype</title>
<para>Allows the default type to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 28.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(defaulttype class_id default)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>defaulttype</literal></para>
</entry>
<entry>
<para>The <literal>defaulttype</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>class_id</literal></para>
</entry>
<entry>
<para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
</entry>
</row>
<row>
<entry>
<para><literal>default</literal></para>
</entry>
<entry>
<para>A keyword of either <literal>source</literal> or <literal>target</literal>.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Example:</emphasis></para>
<para>When creating a new <literal>socket</literal> object, the <literal><link linkend="type">type</link></literal> component of the new security context will be taken from the <literal>source</literal> context:</para>
<programlisting><![CDATA[(defaulttype socket source)]]></programlisting>
</sect2>
<sect2 id="defaultrange">
<title>defaultrange</title>
<para>Allows the default level or range to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(defaultrange class_id default range)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>defaultrange</literal></para>
</entry>
<entry>
<para>The <literal>defaultrange</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>class_id</literal></para>
</entry>
<entry>
<para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
</entry>
</row>
<row>
<entry>
<para><literal>default</literal></para>
</entry>
<entry>
<para>A keyword of either <literal>source</literal> or <literal>target</literal>.</para>
</entry>
</row>
<row>
<entry>
<para><literal>range</literal></para>
</entry>
<entry>
<para>A keyword of either <literal>low</literal>, <literal>high</literal> or <literal>low-high</literal>.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Example:</emphasis></para>
<para>When creating a new <literal>file</literal> object, the appropriate <literal><link linkend="levelrange">range</link></literal> component of the new security context will be taken from the <literal>target</literal> context:</para>
<programlisting><![CDATA[(defaultrange file target low_high)]]></programlisting>
</sect2>
</sect1>
Reference in New Issue View Git Blame Copy Permalink