selinux/secilc/docs/cil_default_object_statements.md
Yuli Khodorkovskiy 12c7dfc553 secilc/docs: Convert DocBook documentation into github markdown
Converting to github markdown allows for easier integration with the
SELinux project wiki and viewing of documentation directly on github without
creating PDFs or reading through DocBook XML.

The conversion of DocBook to github markdown would not format tables or
keyword links properly. By maintaining the documentation in github
markdown in the repository, the content is well formatted with a table of
contents when viewing in the github wiki or in the repository.

The migration from DocBook to github markdown was done using Pandoc and
manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook
conversion were added back. An introduction and design philosophy was
also pulled from the SELinux project wiki to provide more cohesion
to the current documentation.

Running make will now convert the github markdown into PDF and HTML.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 16:18:34 -05:00


Default Object Statements

These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.

defaultuser

Allows the default user to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 27.

Statement definition:

(defaultuser class_id default)

Where:

defaultuser

The defaultuser keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

Example:

When creating new binder, property_service, zygote or memprotect objects, the user component of the new security context will be taken from the source context:

(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(class memprotect (mmap_zero))

(classmap android_classes (android))
(classmapping android_classes android (binder (all)))
(classmapping android_classes android (property_service (set)))
(classmapping android_classes android (zygote (not (specifycapabilities))))

(defaultuser (android_classes memprotect) source)

; Will produce the following in the binary policy file:
;; default_user binder source;
;; default_user zygote source;
;; default_user property_service source;
;; default_user memprotect source;

defaultrole

Allows the default role to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 27.

Statement definition:

(defaultrole class_id default)

Where:

defaultrole

The defaultrole keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

Example:

When creating new binder, property_service or zygote objects, the role component of the new security context will be taken from the target context:

(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

(defaultrole (binder property_service zygote) target)

; Will produce the following in the binary policy file:
;; default_role binder target;
;; default_role zygote target;
;; default_role property_service target;

defaulttype

Allows the default type to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 28.

Statement definition:

(defaulttype class_id default)

Where:

defaulttype

The defaulttype keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

Example:

When creating a new socket object, the type component of the new security context will be taken from the source context:

(defaulttype socket source)

defaultrange

Allows the default level or range to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 27.

Statement definition:

(defaultrange class_id default range)

Where:

defaultrange

The defaultrange keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

range

A keyword of either low, high or low-high.

Example:

When creating a new file object, the appropriate range component of the new security context will be taken from the target context:

(defaultrange file target low-high)
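As an added illustration that is not part of the CIL documentation or the secilc code base, the following Python models how the four default statements above (defaultuser, defaultrole, defaulttype and defaultrange) select each component of a new object's context from the source or target context. The statements it parses are constructed for this example; the fallbacks used when no statement applies (user from source, role object_r, type from target, low level of source) are assumed kernel defaults for ordinary object classes, and classmaps are not expanded.

```python
import re

# Constructed CIL statements (assumed, not from the page) exercising each of the
# four default statements; 'low-high' is spelled as the statement definition gives it.
CIL_DEFAULTS = """
(defaultuser (binder memprotect) source)
(defaultuser zygote target)
(defaultrole (binder property_service zygote) target)
(defaulttype socket source)
(defaultrange file target low-high)
(defaultrange socket source high)
"""

# One default* statement: component, class or parenthesised class list, side, range keyword.
STMT = re.compile(r"\(default(user|role|type|range)\s+(\([^)]*\)|\S+)\s+"
                  r"(source|target)(?:\s+(low-high|low|high))?\s*\)")

def parse_defaults(text):
    """Map each class to its rules: {class: {component: (side, range_keyword_or_None)}}.
    Classmaps are not expanded here (assumption: plain class identifiers only)."""
    defaults = {}
    for comp, classes, side, rng in STMT.findall(text):
        for cls in classes.strip("()").split():
            defaults.setdefault(cls, {})[comp] = (side, rng or None)
    return defaults

def split_context(ctx):
    """'user:role:type:low-high' -> dict with the range as a (low, high) tuple (MLS assumed)."""
    user, role, type_, rng = ctx.split(":", 3)
    low, high = rng.split("-", 1) if "-" in rng else (rng, rng)
    return {"user": user, "role": role, "type": type_, "range": (low, high)}

def compute_context(defaults, scontext, tcontext, tclass):
    """Build the new object's context from the source/target contexts and the class's rules.
    Fallbacks when no rule applies are assumed kernel defaults for object classes."""
    src, tgt = split_context(scontext), split_context(tcontext)
    rules = defaults.get(tclass, {})
    def pick(comp, fallback):
        if comp not in rules:
            return fallback
        return (src if rules[comp][0] == "source" else tgt)[comp]
    user = pick("user", src["user"])
    role = pick("role", "object_r")
    type_ = pick("type", tgt["type"])
    if "range" in rules:
        side, kw = rules["range"]
        low, high = (src if side == "source" else tgt)["range"]
        low, high = {"low": (low, low), "high": (high, high), "low-high": (low, high)}[kw]
    else:
        low = high = src["range"][0]
    return f"{user}:{role}:{type_}:{low}" + (f"-{high}" if high != low else "")
```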