selinux/secilc/docs/cil_user_statements.md
Yuli Khodorkovskiy 12c7dfc553 secilc/docs: Convert DocBook documentation into github markdown
Converting to github markdown allows for easier integration with the
SELinux project wiki and viewing of documentation directly on github without
creating PDFs or reading through DocBook XML.

The conversion of DocBook to github markdown would not format tables or
keyword links properly. By maintaining the documentation in github
markdown in the repository, the content is well formatted with a table of
contents when viewing in the github wiki or in the repository.

The migration from DocBook to github markdown was done using Pandoc and
manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook
conversion were added back. An introduction and design philosphy was
also pulled from the SELinux project wiki to provide more cohesion
to the current documentation.

Running make will now convert the github markdown into PDF and HTML.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 16:18:34 -05:00

13 KiB

User Statements

user

Declares an SELinux user identifier in the current namespace.

Statement definition:

(user user_id)

Where:

user

The user keyword.

user_id

The SELinux user identifier.

Example:

This will declare an SELinux user as unconfined.user:

(block unconfined
    (user user)
)

userrole

Associates a previously declared user identifier with a previously declared role identifier.

Statement definition:

(userrole user_id role_id)

Where:

userrole

The userrole keyword.

user_id

A previously declared SELinux user or userattribute identifier.

role_id

A previously declared role or roleattribute identifier.

Example:

This example will associate unconfined.user to unconfined.role:

(block unconfined
    (user user)
    (role role)
    (userrole user role)
)

userattribute

Declares a user attribute identifier in the current namespace. The identifier may have zero or more user and userattribute identifiers associated to it via the userattributeset statement.

Statement definition:

(userattribute userattribute_id)

Where:

userattribute

The userattribute keyword.

userattribute_id

The userattribute identifier.

Example:

This example will declare a user attribute users.user_holder that will have an empty set:

(block users
    (userattribute user_holder)
)

userattributeset

Allows the association of one or more previously declared user or userattribute identifiers to a userattribute identifier. Expressions may be used to refine the associations as shown in the examples.

Statement definition:

(userattributeset userattribute_id (user_id ... | expr ...))

Where:

userattributeset

The userattributeset keyword.

userattribute_id

A single previously declared userattribute identifier.

user_id

Zero or more previously declared user or userattribute identifiers.

Note that there must be at least one user_id or expr parameter declared.

expr

Zero or more expr's, the valid operators and syntax are:

(and (user_id ...) (user_id ...))

(or (user_id ...) (user_id ...))

(xor (user_id ...) (user_id ...))

(not (user_id ...))

(all)

Example:

This example will declare three users and two user attributes, then associate all the users to them as shown:

(block users
    (user user_1)
    (user user_2)
    (user user_3)

    (userattribute user_holder)
    (userattributeset user_holder (user_1 user_2 user_3))

    (userattribute user_holder_all)
    (userattributeset user_holder_all (all))
)

userlevel

Associates a previously declared user identifier with a previously declared level identifier. The level may be named or anonymous.

Statement definition:

(userlevel user_id level_id)

Where:

userlevel

The userlevel keyword.

user_id

A previously declared SELinux user identifier.

level_id

A previously declared level identifier. This may consist of a single sensitivity with zero or more mixed named and anonymous category's as discussed in the level statement.

Example:

This example will associate unconfined.user with a named level of systemlow:

(sensitivity s0)
(level systemlow (s0))

(block unconfined
    (user user)
     (userlevel user systemlow)
    ; An anonymous example:
    ;(userlevel user (s0))
)

userrange

Associates a previously declared user identifer with a previously declared levelrange identifier. The levelrange may be named or anonymous.

Statement definition:

(userrange user_id levelrange_id)

Where:

userrange

The userrange keyword.

user_id

A previously declared SELinux user identifier.

levelrange_id

A previously declared levelrange identifier. This may be formed by named or anonymous components as discussed in the levelrange statement and shown in the examples.

Example:

This example will associate unconfined.user with a named levelrange of low_high, other anonymous examples are also shown:

(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivity s1)
(dominance (s0 s1))
(sensitivitycategory s0 (c0 c1))
(level systemLow (s0))
(level systemHigh (s0 (c0 c1)))
(levelrange low_high (systemLow systemHigh))

(block unconfined
    (user user)
    (role role)
    (userrole user role)
    ; Named example:
    (userrange user low_high)
    ; Anonymous examples:
    ;(userrange user (systemLow systemHigh))
    ;(userrange user (systemLow (s0 (c0 c1))))
    ;(userrange user ((s0) (s0 (c0 c1))))
)

userbounds

Defines a hierarchical relationship between users where the child user cannot have more priviledges than the parent.

Notes:

  • It is not possible to bind the parent to more than one child.

  • While this is added to the binary policy, it is not enforced by the SELinux kernel services.

Statement definition:

(userbounds parent_user_id child_user_id)

Where:

userbounds

The userbounds keyword.

parent_user_id

A previously declared SELinux user identifier.

child_user_id

A previously declared SELinux user identifier.

Example:

The user test cannot have greater priviledges than unconfined.user:

(user test)

(unconfined
    (user user)
    (userbounds user .test)
)

userprefix

Declare a user prefix that will be replaced by the file labeling utilities described at http://selinuxproject.org/page/PolicyStoreConfigurationFiles that details the file_contexts entries.

Statement definition:

(userprefix user_id prefix)

Where:

userprefix

The userprefix keyword.

user_id

A previously declared SELinux user identifier.

prefix

The string to be used by the file labeling utilities.

Example:

This example will associate unconfined.admin user with a prefix of "user":

(block unconfined
    (user admin
    (userprefix admin user)
)

selinuxuser

Associates a GNU/Linux user to a previously declared user identifier with a previously declared MLS userrange. Note that the userrange is required even if the policy is non-MCS/MLS.

Statement definition:

(selinuxuser user_name user_id userrange_id)

Where:

selinuxuser

The selinuxuser keyword.

user_name

A string representing the GNU/Linux user name

user_id

A previously declared SELinux user identifier.

userrange_id

A previously declared userrange identifier that has been associated to the user identifier. This may be formed by named or anonymous components as discussed in the userrange statement and shown in the examples.

Example:

This example will associate unconfined.admin user with a GNU / Linux user "admin_1":

(block unconfined
    (user admin)
    (selinuxuser admin_1 admin low_low)
)

selinuxuserdefault

Declares the default SELinux user. Only one selinuxuserdefault statement is allowed in the policy. Note that the userrange identifier is required even if the policy is non-MCS/MLS.

Statement definition:

(selinuxuserdefault user_id userrange_id)

Where:

selinuxuserdefault

The selinuxuserdefault keyword.

user_id

A previously declared SELinux user identifier.

userrange_id

A previously declared userrange identifier that has been associated to the user identifier. This may be formed by named or anonymous components as discussed in the userrange statement and shown in the examples.

Example:

This example will define the unconfined.user as the default SELinux user:

(block unconfined
    (user user)
    (selinuxuserdefault user low_low)
)