selinux/secilc/docs/cil_role_statements.md
Yuli Khodorkovskiy 12c7dfc553 secilc/docs: Convert DocBook documentation into github markdown
Converting to github markdown allows for easier integration with the
SELinux project wiki and viewing of documentation directly on github without
creating PDFs or reading through DocBook XML.

The conversion of DocBook to github markdown would not format tables or
keyword links properly. By maintaining the documentation in github
markdown in the repository, the content is well formatted with a table of
contents when viewing in the github wiki or in the repository.

The migration from DocBook to github markdown was done using Pandoc and
manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook
conversion were added back. An introduction and design philosophy was
also pulled from the SELinux project wiki to provide more cohesion
to the current documentation.

Running make will now convert the github markdown into PDF and HTML.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 16:18:34 -05:00

8.8 KiB

# Role Statements

## role

Declares a role identifier in the current namespace.

**Statement definition:**

```
(role role_id)
```

**Where:**

| Name | Description |
| --- | --- |
| `role` | The `role` keyword. |
| `role_id` | The role identifier. |

**Example:**

This example declares two roles: `object_r` in the global namespace and `unconfined.role`:

```
(role object_r)

(block unconfined
    (role role)
)
```

## roletype

Authorises a role to access a type identifier.

**Statement definition:**

```
(roletype role_id type_id)
```

**Where:**

| Name | Description |
| --- | --- |
| `roletype` | The `roletype` keyword. |
| `role_id` | A single previously declared `role` or `roleattribute` identifier. |
| `type_id` | A single previously declared `type`, `typealias` or `typeattribute` identifier. |

**Example:**

This example declares role and type identifiers, then associates them:

```
(block unconfined
    (role role)
    (type process)
    (roletype role process)
)
```

## roleattribute

Declares a role attribute identifier in the current namespace. The identifier may have zero or more `role` and `roleattribute` identifiers associated to it via the `roleattributeset` statement.

**Statement definition:**

```
(roleattribute roleattribute_id)
```

**Where:**

| Name | Description |
| --- | --- |
| `roleattribute` | The `roleattribute` keyword. |
| `roleattribute_id` | The `roleattribute` identifier. |

**Example:**

This example declares a role attribute `roles.role_holder` that has an empty set:

```
(block roles
    (roleattribute role_holder)
)
```

## roleattributeset

Allows the association of one or more previously declared `role` identifiers to a `roleattribute` identifier. Expressions may be used to refine the associations as shown in the examples.

**Statement definition:**

```
(roleattributeset roleattribute_id (role_id ... | expr ...))
```

**Where:**

| Name | Description |
| --- | --- |
| `roleattributeset` | The `roleattributeset` keyword. |
| `roleattribute_id` | A single previously declared `roleattribute` identifier. |
| `role_id` | Zero or more previously declared `role` or `roleattribute` identifiers. Note that there must be at least one `role_id` or `expr` parameter declared. |
| `expr` | Zero or more expressions; the valid operators and syntax are: `(and (role_id ...) (role_id ...))`, `(or (role_id ...) (role_id ...))`, `(xor (role_id ...) (role_id ...))`, `(not (role_id ...))`, `(all)`. |

**Example:**

This example declares three roles and two role attributes, then associates all the roles to them as shown:

```
(block roles
    (role role_1)
    (role role_2)
    (role role_3)

    (roleattribute role_holder)
    (roleattributeset role_holder (role_1 role_2 role_3))

    (roleattribute role_holder_all)
    (roleattributeset role_holder_all (all))
)
```

## roleallow

Authorises the current role to assume a new role.

**Notes:**

- May require a `roletransition` rule to ensure transition to the new role.
- This rule is not allowed in `booleanif` statements.

**Statement definition:**

```
(roleallow current_role_id new_role_id)
```

**Where:**

| Name | Description |
| --- | --- |
| `roleallow` | The `roleallow` keyword. |
| `current_role_id` | A single previously declared `role` or `roleattribute` identifier. |
| `new_role_id` | A single previously declared `role` or `roleattribute` identifier. |

**Example:**

See the `roletransition` statement for an example.

## roletransition

Specifies a role transition from the current role to a new role when computing a context for the target type. The class identifier would normally be `process`; however, for kernel version 2.6.39 and above with policy version >= 25, any valid class may be used. Note that a `roleallow` rule must be used to authorise the transition.

**Statement definition:**

```
(roletransition current_role_id target_type_id class_id new_role_id)
```

**Where:**

| Name | Description |
| --- | --- |
| `roletransition` | The `roletransition` keyword. |
| `current_role_id` | A single previously declared `role` or `roleattribute` identifier. |
| `target_type_id` | A single previously declared `type`, `typealias` or `typeattribute` identifier. |
| `class_id` | A single previously declared `class` or `classmap` identifier. |
| `new_role_id` | A single previously declared `role` identifier to be set on transition. |

**Example:**

This example authorises `unconfined.role` to assume the `msg_filter.role` role, and then transitions to that role:

```
(block ext_gateway
    (type process)
    (type exec)

    (roletype msg_filter.role process)
    (roleallow unconfined.role msg_filter.role)
    (roletransition unconfined.role exec process msg_filter.role)
)
```
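As an added example (not part of the secilc documentation and not the SELinux project's code), the following Python script applies two of the rules stated above: it expands `roleattributeset` expressions (`and`, `or`, `xor`, `not`, `all`) into concrete role sets, and it flags any `roletransition` whose current-to-new role pair is not covered by a `roleallow`, which is the requirement noted under both `roleallow` and `roletransition`. The parser, the `RoleModel` class, the `check_roles` function and the sample policy are all constructed here. Its namespace handling is a simplifying assumption: a declaration inside `(block X ...)` is named `X.name`, a reference is looked up in the current namespace and then in each ancestor, a leading `.` means the global namespace, and `in`, `macro`, `call`, `optional` and `booleanif` bodies are not descended into.

```python
# Added example for this page (not secilc project code): parse CIL as s-expressions,
# expand roleattributeset expressions (and/or/xor/not/all) into concrete role sets,
# and report roletransition rules that no roleallow authorises. ASSUMPTION: simplified
# namespaces (see lead-in); in/macro/call/optional/booleanif bodies are not descended into.
import re
from typing import Any, FrozenSet, List, Set, Tuple

OPERATORS = {"and", "or", "xor", "not", "all"}

def parse(text: str) -> List[Any]:
    """CIL text -> nested lists, one per top-level form (';' starts a comment)."""
    stack: List[List[Any]] = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # IndexError here means an unbalanced ')'
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

class RoleModel:
    def __init__(self, forms: List[Any]) -> None:
        self.roles: Set[str] = set()
        self.attrs: Set[str] = set()
        self.attrsets: List[Tuple[str, str, Any]] = []   # (ns, attr, expr)
        self.roleallow: List[Tuple[str, str, str]] = []  # (ns, current, new)
        self.roletransition: List[Tuple[str, str, str, str, str]] = []
        self.walk(forms, "")

    def walk(self, forms: List[Any], ns: str) -> None:
        # Collect role statements, tagging each with the namespace it appears in.
        for form in forms:
            if not isinstance(form, list) or not form:
                continue
            kw, args = form[0], form[1:]
            if kw == "block":
                self.walk(args[1:], f"{ns}.{args[0]}" if ns else args[0])
            elif kw in ("role", "roleattribute"):
                (self.roles if kw == "role" else self.attrs).add(f"{ns}.{args[0]}" if ns else args[0])
            elif kw == "roleattributeset":
                self.attrsets.append((ns, args[0], args[1]))
            elif kw in ("roleallow", "roletransition"):
                getattr(self, kw).append((ns, *args))  # self.roleallow / self.roletransition

    def resolve(self, name: str, ns: str) -> str:
        # Simplified CIL lookup: '.x' is global; otherwise try ns, then each ancestor.
        if name.startswith("."):
            return name[1:]
        parts = ns.split(".") if ns else []
        for depth in range(len(parts), -1, -1):
            cand = ".".join(parts[:depth] + [name])
            if cand in self.roles or cand in self.attrs:
                return cand
        return name  # undeclared: keep as written so the report shows it

    def expand(self, expr: Any, ns: str, seen: FrozenSet[str] = frozenset()) -> Set[str]:
        # Expand a role_id, a (role_id ...) list or an and/or/xor/not/all expression.
        if isinstance(expr, str):
            name = self.resolve(expr, ns)
            if name not in self.attrs:
                return {name}
            members: Set[str] = set()
            for set_ns, attr, member_expr in self.attrsets:
                if name not in seen and self.resolve(attr, set_ns) == name:  # seen: cycle guard
                    members |= self.expand(member_expr, set_ns, seen | {name})
            return members
        head = expr[0] if expr else None
        if head == "all":
            return set(self.roles)
        if head not in OPERATORS:  # a plain (role_id ...) list, possibly nested
            return set().union(*(self.expand(e, ns, seen) for e in expr))
        ops = [self.expand(e, ns, seen) for e in expr[1:]]
        if head == "not":
            return self.roles - ops[0]
        return {"and": ops[0] & ops[1], "or": ops[0] | ops[1], "xor": ops[0] ^ ops[1]}[head]

def check_roles(text: str) -> List[str]:
    """One line per roletransition whose current -> new role pair no roleallow covers."""
    m = RoleModel(parse(text))
    allowed: Set[Tuple[str, str]] = set()
    for ns, cur, new in m.roleallow:
        allowed |= {(c, n) for c in m.expand(cur, ns) for n in m.expand(new, ns)}
    return [f"roletransition {c} -> {m.resolve(new, ns)} (type {tgt}, class {cls}) has no roleallow"
            for ns, cur, tgt, cls, new in m.roletransition
            for c in sorted(m.expand(cur, ns)) if (c, m.resolve(new, ns)) not in allowed]

# Constructed sample: this page's examples plus one transition nobody authorised.
SAMPLE_POLICY = """
(block unconfined (role role)) (block msg_filter (role role))
(block roles (role role_1) (role role_2) (role role_3)
    (roleattribute role_holder) (roleattributeset role_holder (role_1 role_2 role_3))
    (roleattribute not_role_1) (roleattributeset not_role_1 (and (role_holder) (not (role_1)))))
(block ext_gateway (type process) (type exec) (roleallow unconfined.role msg_filter.role)
    (roletransition unconfined.role exec process msg_filter.role)
    (roletransition roles.role_holder exec process unconfined.role))  ; no roleallow for this one
"""

if __name__ == "__main__":
    print("\n".join(check_roles(SAMPLE_POLICY)))
```

Run as a script, it prints three lines, one per member of `roles.role_holder`, because the second `roletransition` in the sample has no backing `roleallow`; the first transition, which mirrors the `ext_gateway` example above, produces nothing. Only the `roleallow` requirement is checked: `rolebounds` is not examined because, as noted below, the kernel does not enforce it.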

## rolebounds

Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.

**Notes:**

- It is not possible to bind the parent role to more than one child role.
- While this is added to the binary policy, it is not enforced by the SELinux kernel services.

**Statement definition:**

```
(rolebounds parent_role_id child_role_id)
```

**Where:**

| Name | Description |
| --- | --- |
| `rolebounds` | The `rolebounds` keyword. |
| `parent_role_id` | A single previously declared `role` identifier. |
| `child_role_id` | A single previously declared `role` identifier. |

**Example:**

In this example the role `test` cannot have greater privileges than `unconfined.role`:

```
(role test)

(block unconfined
    (role role)
    (rolebounds role .test)
)
```