mirror of
https://github.com/SELinuxProject/selinux
synced 2025-01-11 16:09:47 +00:00
12c7dfc553
Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosophy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
314 lines
11 KiB
Markdown
Constraint Statements
=====================

constrain
---------

Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

    (constrain classpermissionset_id ... expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>constrain</code></p></td>
<td align="left"><p>The <code>constrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1 = Source context: user, role or type</code></p>
<p><code> u2, r2, t2 = Target context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

Two constrain statements are shown with their equivalent kernel policy language statements:

    ;; constrain { file } { write }
    ;; (( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
    (constrain (file (write))
        (or
            (and
                (eq t1 unconfined.process)
                (eq t2 unconfined.object)
            )
            (eq r1 r2)
        )
    )

    ;; constrain { file } { read }
    ;; (not( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
    (constrain (file (read))
        (not
            (or
                (and
                    (eq t1 unconfined.process)
                    (eq t2 unconfined.object)
                )
                (eq r1 r2)
            )
        )
    )

validatetrans
-------------

The [`validatetrans`](cil_constraint_statements.md#validatetrans) statement is only used for `file`-related object classes, where it controls the ability to change an object's security context based on the old, new and current process security contexts.

**Statement definition:**

    (validatetrans class_id expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>validatetrans</code></p></td>
<td align="left"><p>The <code>validatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op u3 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op r3 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p><code> (op t3 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1 = Old context: user, role or type</code></p>
<p><code> u2, r2, t2 = New context: user, role or type</code></p>
<p><code> u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

A validate transition statement with the equivalent kernel policy language statement:

    ; validatetrans { file } ( t1 == unconfined.process );
    (validatetrans file (eq t1 unconfined.process))

mlsconstrain
------------

Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

    (mlsconstrain classpermissionset_id ... expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsconstrain</code></p></td>
<td align="left"><p>The <code>mlsconstrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (mls_role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (mls_role_op l1 l2)</code></p>
<p><code> (mls_role_op l1 h2)</code></p>
<p><code> (mls_role_op h1 l2)</code></p>
<p><code> (mls_role_op h1 h2)</code></p>
<p><code> (mls_role_op l1 h1)</code></p>
<p><code> (mls_role_op l2 h2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code> u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> mls_role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS constrain statement with the equivalent kernel policy language statement:

    ;; mlsconstrain { file } { open }
    ;; (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ));
    (mlsconstrain (file (open))
        (or
            (and
                (eq l1 l2)
                (eq u1 u2)
            )
            (neq r1 r2)
        )
    )

mlsvalidatetrans
----------------

The [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statement is only used for `file`-related object classes, where it controls the ability to change an object's security context based on the old, new and current process security contexts.

**Statement definition:**

    (mlsvalidatetrans class_id expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsvalidatetrans</code></p></td>
<td align="left"><p>The <code>mlsvalidatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (mls_role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (mls_role_op l1 l2)</code></p>
<p><code> (mls_role_op l1 h2)</code></p>
<p><code> (mls_role_op h1 l2)</code></p>
<p><code> (mls_role_op h1 h2)</code></p>
<p><code> (mls_role_op l1 h1)</code></p>
<p><code> (mls_role_op l2 h2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op u3 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op r3 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p><code> (op t3 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code> u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p><code> u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> mls_role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS validate transition statement with the equivalent kernel policy language statement:

    ;; mlsvalidatetrans { file } ( l1 domby h2 );
    (mlsvalidatetrans file (domby l1 h2))
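The following is an added example and is not part of the CIL documentation or the secilc code: a small Python model of how the kernel applies the expressions of all four statements above (`constrain`, `validatetrans`, `mlsconstrain`, `mlsvalidatetrans`) to security contexts. It assumes contexts are plain dicts, MLS levels are `(sensitivity, frozenset_of_categories)` pairs so that `dom`/`domby`/`incomp` can be shown, and user/role/type attributes are not expanded (identifiers compare literally); role dominance is not modelled.

```python
# Added example (not from the CIL docs): a small evaluator showing how a CIL
# constraint expression is applied to security contexts.  A context is a dict
# with user/role/type and, for MLS, low/high levels modeled as
# (sensitivity, frozenset_of_categories).  Attributes are not expanded here.
import re

def parse(src):
    """Read a CIL s-expression string into nested lists of tokens."""
    tokens = re.findall(r"\(|\)|[^\s()]+", src)
    def read(i):
        if tokens[i] != "(":
            return tokens[i], i + 1
        node, i = [], i + 1
        while tokens[i] != ")":
            child, i = read(i)
            node.append(child)
        return node, i + 1
    return read(0)[0]

def dom(a, b):
    """MLS dominance: a dominates b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

# Prefix picks the field; digit picks the context: 1 = source/old, 2 = target/new, 3 = process.
FIELDS = {"u": "user", "r": "role", "t": "type", "l": "low", "h": "high"}

def operand(name, ctxs):
    if len(name) == 2 and name[0] in FIELDS and name[1] in "123":
        return ctxs[int(name[1]) - 1][FIELDS[name[0]]]
    return name                      # a literal user/role/type identifier

def evaluate(expr, ctxs):
    op = expr[0]
    if op == "and": return evaluate(expr[1], ctxs) and evaluate(expr[2], ctxs)
    if op == "or":  return evaluate(expr[1], ctxs) or evaluate(expr[2], ctxs)
    if op == "not": return not evaluate(expr[1], ctxs)
    a, b = operand(expr[1], ctxs), operand(expr[2], ctxs)
    if op == "eq":  return a == b
    if op == "neq": return a != b
    if op not in ("dom", "domby", "incomp") or not isinstance(a, tuple):
        raise ValueError(f"{op}: unknown, or only modeled for MLS levels here")
    if op == "dom":   return dom(a, b)
    if op == "domby": return dom(b, a)
    return not dom(a, b) and not dom(b, a)   # incomp: neither dominates

def permitted(statement, *ctxs):
    """Evaluate a whole constrain/validatetrans/mls* statement (expression is its last element)."""
    return evaluate(parse(statement)[-1], ctxs)
```

A false result means the constraint denies the access (or relabel) even if an `allow` rule grants it; note that in the CIL form of the second `constrain` example the `not` wraps the entire nested `or`, which the parenthesised syntax makes unambiguous.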