13 KiB

Raw Blame History

User Statements

user

Declares an SELinux user identifier in the current namespace.

Statement definition:

(user user_id)

Where:

`user`	The `user` keyword.
`user_id`	The SELinux `user` identifier.

Example:

This will declare an SELinux user as unconfined.user:

(block unconfined
    (user user)
)

userrole

Associates a previously declared user identifier with a previously declared role identifier.

Statement definition:

(userrole user_id role_id)

Where:

`userrole`	The `userrole` keyword.
`user_id`	A previously declared SELinux `user` or `userattribute` identifier.
`role_id`	A previously declared `role` or `roleattribute` identifier.

Example:

This example will associate unconfined.user to unconfined.role:

(block unconfined
    (user user)
    (role role)
    (userrole user role)
)

userattribute

Declares a user attribute identifier in the current namespace. The identifier may have zero or more user and userattribute identifiers associated to it via the userattributeset statement.

Statement definition:

(userattribute userattribute_id)

Where:

`userattribute`	The `userattribute` keyword.
`userattribute_id`	The `userattribute` identifier.

Example:

This example will declare a user attribute users.user_holder that will have an empty set:

(block users
    (userattribute user_holder)
)

userattributeset

Allows the association of one or more previously declared user or userattribute identifiers to a userattribute identifier. Expressions may be used to refine the associations as shown in the examples.

Statement definition:

(userattributeset userattribute_id (user_id ... | expr ...))

Where:

`userattributeset`	The `userattributeset` keyword.
`userattribute_id`	A single previously declared `userattribute` identifier.
`user_id`	Zero or more previously declared `user` or `userattribute` identifiers. Note that there must be at least one `user_id` or `expr` parameter declared.
`expr`	Zero or more `expr`'s, the valid operators and syntax are: `(and (user_id ...) (user_id ...))` `(or (user_id ...) (user_id ...))` `(xor (user_id ...) (user_id ...))` `(not (user_id ...))` `(all)`

Example:

This example will declare three users and two user attributes, then associate all the users to them as shown:

(block users
    (user user_1)
    (user user_2)
    (user user_3)

    (userattribute user_holder)
    (userattributeset user_holder (user_1 user_2 user_3))

    (userattribute user_holder_all)
    (userattributeset user_holder_all (all))
)

userlevel

Associates a previously declared user identifier with a previously declared level identifier. The level may be named or anonymous.

Statement definition:

(userlevel user_id level_id)

Where:

`userlevel`	The `userlevel` keyword.
`user_id`	A previously declared SELinux `user` identifier.
`level_id`	A previously declared `level` identifier. This may consist of a single `sensitivity` with zero or more mixed named and anonymous `category`'s as discussed in the `level` statement.

Example:

This example will associate unconfined.user with a named level of systemlow:

(sensitivity s0)
(level systemlow (s0))

(block unconfined
    (user user)
     (userlevel user systemlow)
    ; An anonymous example:
    ;(userlevel user (s0))
)

userrange

Associates a previously declared user identifer with a previously declared levelrange identifier. The levelrange may be named or anonymous.

Statement definition:

(userrange user_id levelrange_id)

Where:

`userrange`	The `userrange` keyword.
`user_id`	A previously declared SELinux `user` identifier.
`levelrange_id`	A previously declared `levelrange` identifier. This may be formed by named or anonymous components as discussed in the `levelrange` statement and shown in the examples.

Example:

This example will associate unconfined.user with a named levelrange of low_high, other anonymous examples are also shown:

(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivity s1)
(dominance (s0 s1))
(sensitivitycategory s0 (c0 c1))
(level systemLow (s0))
(level systemHigh (s0 (c0 c1)))
(levelrange low_high (systemLow systemHigh))

(block unconfined
    (user user)
    (role role)
    (userrole user role)
    ; Named example:
    (userrange user low_high)
    ; Anonymous examples:
    ;(userrange user (systemLow systemHigh))
    ;(userrange user (systemLow (s0 (c0 c1))))
    ;(userrange user ((s0) (s0 (c0 c1))))
)

userbounds

Defines a hierarchical relationship between users where the child user cannot have more priviledges than the parent.

Notes:

It is not possible to bind the parent to more than one child.
While this is added to the binary policy, it is not enforced by the SELinux kernel services.

Statement definition:

(userbounds parent_user_id child_user_id)

Where:

`userbounds`	The `userbounds` keyword.
`parent_user_id`	A previously declared SELinux `user` identifier.
`child_user_id`	A previously declared SELinux `user` identifier.

Example:

The user test cannot have greater priviledges than unconfined.user:

(user test)

(unconfined
    (user user)
    (userbounds user .test)
)

userprefix

Declare a user prefix that will be replaced by the file labeling utilities described at http://selinuxproject.org/page/PolicyStoreConfigurationFiles that details the file_contexts entries.

Statement definition:

(userprefix user_id prefix)

Where:

`userprefix`	The `userprefix` keyword.
`user_id`	A previously declared SELinux `user` identifier.
`prefix`	The string to be used by the file labeling utilities.

Example:

This example will associate unconfined.admin user with a prefix of "user":

(block unconfined
    (user admin
    (userprefix admin user)
)

selinuxuser

Associates a GNU/Linux user to a previously declared user identifier with a previously declared MLS userrange. Note that the userrange is required even if the policy is non-MCS/MLS.

Statement definition:

(selinuxuser user_name user_id userrange_id)

Where:

`selinuxuser`	The `selinuxuser` keyword.
`user_name`	A string representing the GNU/Linux user name
`user_id`	A previously declared SELinux `user` identifier.
`userrange_id`	A previously declared `userrange` identifier that has been associated to the `user` identifier. This may be formed by named or anonymous components as discussed in the `userrange` statement and shown in the examples.

Example:

This example will associate unconfined.admin user with a GNU / Linux user "admin_1":

(block unconfined
    (user admin)
    (selinuxuser admin_1 admin low_low)
)

selinuxuserdefault

Declares the default SELinux user. Only one selinuxuserdefault statement is allowed in the policy. Note that the userrange identifier is required even if the policy is non-MCS/MLS.

Statement definition:

(selinuxuserdefault user_id userrange_id)

Where:

`selinuxuserdefault`	The `selinuxuserdefault` keyword.
`user_id`	A previously declared SELinux `user` identifier.
`userrange_id`	A previously declared `userrange` identifier that has been associated to the `user` identifier. This may be formed by named or anonymous components as discussed in the `userrange` statement and shown in the examples.

Example:

This example will define the unconfined.user as the default SELinux user:

(block unconfined
    (user user)
    (selinuxuserdefault user low_low)
)

13 KiB Raw Blame History

User Statements

user

userrole

userattribute

userattributeset

userlevel

userrange

userbounds

userprefix

selinuxuser

selinuxuserdefault

13 KiB

Raw Blame History