Also fixes the occasional missing brackets as highlighted by my editor, however the individual examples were not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Default Object Statements
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. They require policy version 27 or 28 (32 for the glblub range default, see defaultrange) with kernels 3.5 or greater.
defaultuser
Allows the default user to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 27.

Statement definition:

```secilc
(defaultuser class_id default)
```

Where:

| Argument | Description |
|---|---|
| `defaultuser` | The `defaultuser` keyword. |
| `class_id` | A single previously declared `class` or `classmap` identifier, or a list of previously declared `class` identifiers enclosed within parentheses. |
| `default` | A keyword of either `source` or `target`. |
Example:

When creating new binder, property_service, zygote or memprotect objects the user component of the new security context will be taken from the source context:
```secilc
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(class memprotect (mmap_zero))
(classmap android_classes (android))
(classmapping android_classes android (binder (all)))
(classmapping android_classes android (property_service (set)))
(classmapping android_classes android (zygote (not (specifycapabilities))))
(defaultuser (android_classes memprotect) source)

; Will produce the following in the binary policy file:
;; default_user binder source;
;; default_user zygote source;
;; default_user property_service source;
;; default_user memprotect source;
```
defaultrole
Allows the default role to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 27.

Statement definition:

```secilc
(defaultrole class_id default)
```

Where:

| Argument | Description |
|---|---|
| `defaultrole` | The `defaultrole` keyword. |
| `class_id` | A single previously declared `class` or `classmap` identifier, or a list of previously declared `class` identifiers enclosed within parentheses. |
| `default` | A keyword of either `source` or `target`. |
Example:

When creating new binder, property_service or zygote objects the role component of the new security context will be taken from the target context:
```secilc
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(defaultrole (binder property_service zygote) target)

; Will produce the following in the binary policy file:
;; default_role binder target;
;; default_role zygote target;
;; default_role property_service target;
```
defaulttype
Allows the default type to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 28.

Statement definition:

```secilc
(defaulttype class_id default)
```

Where:

| Argument | Description |
|---|---|
| `defaulttype` | The `defaulttype` keyword. |
| `class_id` | A single previously declared `class` or `classmap` identifier, or a list of previously declared `class` identifiers enclosed within parentheses. |
| `default` | A keyword of either `source` or `target`. |
Example:

When creating a new socket object, the type component of the new security context will be taken from the source context:
```secilc
(defaulttype socket source)
```
defaultrange
Allows the default level or range to be taken from the source context, the target context, or the part common to both (glblub) when computing a new context for the object class identifier. Requires policy version 27; glblub as the default requires policy version 32.

Statement definition:

```secilc
(defaultrange class_id default <range>)
```

Where:

| Argument | Description |
|---|---|
| `defaultrange` | The `defaultrange` keyword. |
| `class_id` | A single previously declared `class` or `classmap` identifier, or a list of previously declared `class` identifiers enclosed within parentheses. |
| `default` | A keyword of either `source`, `target` or `glblub`. |
| `range` | A keyword of either `low`, `high` or `low_high`. Omitted when `default` is `glblub`. |
Example:

When creating a new file object, the appropriate range component of the new security context will be taken from the target context:
```secilc
(defaultrange file target low_high)
```
MLS userspace object managers (a database, for example) may need the new object's range to be the part common to the subject's range and the containing object's range rather than a copy of one side; glblub computes that intersection:

```secilc
(defaultrange db_table glblub)
```
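A model of the context computation that these four statements steer, added here as an illustration; it is not code from the CIL reference or from secilc. The policy table mirrors the statements used in the examples above; the contexts and the category sets are constructed sample data. For a class that no statement names, the model applies the kernel's built-in fallback as the editor understands security_compute_sid (user from the creating process; for process-like classes also role, type and full range from the creating process; for other objects object_r, the parent's type and the creator's low level). The glblub arithmetic follows the editor's reading of the kernel's mls_context_glblub: the higher of the two low sensitivities, the lower of the two high sensitivities, categories intersected on both levels, and an error when the two ranges share no sensitivity. The process_like test is an approximation; the kernel checks whether the class falls in its socket-class range.

```python
"""Model of how a new object's context is filled in from defaultuser,
defaultrole, defaulttype and defaultrange. Added example with constructed
data; fallbacks and glblub arithmetic are the editor's reading of the kernel."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int            # sensitivity index: s0 < s1 < s2 ...
    cats: frozenset      # category names, e.g. {"c0", "c2"}

    def __str__(self):
        return f"s{self.sens}" + (":" + ",".join(sorted(self.cats)) if self.cats else "")


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level
    high: Level

    def __str__(self):
        rng = str(self.low) if self.low == self.high else f"{self.low}-{self.high}"
        return f"{self.user}:{self.role}:{self.type}:{rng}"


def glblub(src, tgt):
    """(defaultrange cls glblub): the range common to both contexts. Higher of
    the lows, lower of the highs, categories intersected on each level."""
    if src.high.sens < tgt.low.sens or tgt.high.sens < src.low.sens:
        raise ValueError("ranges share no sensitivity (kernel returns -EINVAL)")
    low = Level(max(src.low.sens, tgt.low.sens), src.low.cats & tgt.low.cats)
    high = Level(min(src.high.sens, tgt.high.sens), src.high.cats & tgt.high.cats)
    return low, high


def pick_range(ctx, part):
    """source/target combined with low, high or low_high."""
    return {"low": (ctx.low, ctx.low),
            "high": (ctx.high, ctx.high),
            "low_high": (ctx.low, ctx.high)}[part]


def compute_context(policy, tclass, src, tgt):
    """policy maps each default* statement to {class: setting}, e.g.
    {"defaultrange": {"file": ("target", "low_high"), "db_table": ("glblub",)}}.
    Classes without a statement get the assumed kernel fallback."""
    process_like = tclass == "process" or tclass.endswith("socket")  # approximation
    by = lambda which: src if which == "source" else tgt

    user = by(policy.get("defaultuser", {}).get(tclass, "source")).user

    role_from = policy.get("defaultrole", {}).get(tclass)
    role = by(role_from).role if role_from else (src.role if process_like else "object_r")

    type_from = policy.get("defaulttype", {}).get(tclass)
    type_ = by(type_from).type if type_from else (src.type if process_like else tgt.type)

    rng = policy.get("defaultrange", {}).get(tclass)
    if rng is None:                       # fallback: whole range for processes, low level otherwise
        low, high = pick_range(src, "low_high" if process_like else "low")
    elif rng[0] == "glblub":
        low, high = glblub(src, tgt)
    else:
        low, high = pick_range(by(rng[0]), rng[1])
    return Context(user, role, type_, low, high)


# Constructed policy table mirroring the statements in the examples above.
POLICY = {
    "defaultuser": {c: "source" for c in ("binder", "property_service", "zygote", "memprotect")},
    "defaultrole": {c: "target" for c in ("binder", "property_service", "zygote")},
    "defaulttype": {"socket": "source"},
    "defaultrange": {"file": ("target", "low_high"), "db_table": ("glblub",)},
}

# Constructed contexts: staff_u:staff_r:staff_t:s0-s1:c0,c1,c2 (creating process)
# and system_u:object_r:db_t:s0:c1-s1:c1,c2,c3 (containing object).
SUBJECT = Context("staff_u", "staff_r", "staff_t",
                  Level(0, frozenset()), Level(1, frozenset({"c0", "c1", "c2"})))
PARENT = Context("system_u", "object_r", "db_t",
                 Level(0, frozenset({"c1"})), Level(1, frozenset({"c1", "c2", "c3"})))

if __name__ == "__main__":
    for cls in ("file", "db_table", "dir", "process"):
        print(f"{cls:10} -> {compute_context(POLICY, cls, SUBJECT, PARENT)}")
```

Running it shows the difference the statements make: `file` copies the parent's whole range because of `(defaultrange file target low_high)`, `db_table` gets only the overlap `s0-s1:c1,c2`, while `dir`, which has no statement, falls back to the creator's low level `s0`. Two things the model leaves out: type_transition, role_transition and range_transition rules override these defaults when one matches, and the kernel still rejects the computed context if the user is not authorised for the resulting role, type or range.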