Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
6.4 KiB
Default Object Statements
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.
defaultuser
Allows the default user to be taken from the source or target context when computing a new context for the object class
identifier. Requires policy version 27.
Statement definition:
(defaultuser class_id default)
Where:
|
The |
|
A single previously declared |
|
A keyword of either |
Example:
When creating new binder
, property_service
, zygote
or memprotect
objects the user
component of the new security context will be taken from the source
context:
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(class memprotect (mmap_zero))
(classmap android_classes (android))
(classmapping android_classes android (binder (all)))
(classmapping android_classes android (property_service (set)))
(classmapping android_classes android (zygote (not (specifycapabilities))))
(defaultuser (android_classes memprotect) source)
; Will produce the following in the binary policy file:
;; default_user binder source;
;; default_user zygote source;
;; default_user property_service source;
;; default_user memprotect source;
defaultrole
Allows the default role to be taken from the source or target context when computing a new context for the object class
identifier. Requires policy version 27.
(defaultrole class_id default)
Where:
|
The |
|
A single previously declared |
|
A keyword of either |
Example:
When creating new binder
, property_service
or zygote
objects the role
component of the new security context will be taken from the target
context:
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(defaultrole (binder property_service zygote) target)
; Will produce the following in the binary policy file:
;; default_role binder target;
;; default_role zygote target;
;; default_role property_service target;
defaulttype
Allows the default type to be taken from the source or target context when computing a new context for the object class
identifier. Requires policy version 28.
Statement definition:
(defaulttype class_id default)
Where:
|
The |
|
A single previously declared |
|
A keyword of either |
Example:
When creating a new socket
object, the type
component of the new security context will be taken from the source
context:
(defaulttype socket source)
defaultrange
Allows the default level or range to be taken from the source or target context when computing a new context for the object class
identifier. Requires policy version 27.
Statement definition:
(defaultrange class_id default range)
Where:
|
The |
|
A single previously declared |
|
A keyword of either |
|
A keyword of either |
Example:
When creating a new file
object, the appropriate range
component of the new security context will be taken from the target
context:
(defaultrange file target low_high)