Since the secilc compiler is independent of libsepol, move secilc out of libsepol. Link secilc dynamically rather than statically with libsepol. - Move secilc source, test policies, docs, and secilc manpage to secilc directory. - Remove unneeded Makefile from libsepol/cil. To build secilc, run make in the secilc directory. - Add target to install the secilc binary to /usr/bin/. - Create an Android makefile for secilc and move secilc out of libsepol Android makefile. - Add cil_set_mls to libsepol public API as it is needed by secilc. - Remove policy.conf from testing since it is no longer used. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
<!-- Common Interface Language (CIL) Reference Guide -->
<!-- access_vector_rules.xml -->
<sect1 id="av_rules">
<title>Access Vector Rules</title>
<sect2 id="allow">
<title>allow</title>
<para>Specifies the access allowed between a source and target type. Note that the access granted may be further restricted by constraint rules based on the source, target and class (<literal><link linkend="validatetrans">validatetrans</link></literal> or <literal><link linkend="mlsvalidatetrans">mlsvalidatetrans</link></literal> statements) or on the source, target, class and permissions (<literal><link linkend="constrain">constrain</link></literal> or <literal><link linkend="mlsconstrain">mlsconstrain</link></literal> statements).</para>
<para><emphasis role="bold">Rule definition:</emphasis></para>
<programlisting><![CDATA[(allow source_id target_id|self classpermissionset_id ...)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2.25 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal><link linkend="allow">allow</link></literal></para>
</entry>
<entry>
<para>The <literal><link linkend="allow">allow</link></literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>source_id</literal></para>
</entry>
<entry>
<para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
</entry>
</row>
<row>
<entry>
<para><literal>target_id</literal></para>
</entry>
<entry>
<para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
<para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para>
</entry>
</row>
<row>
<entry>
<para><literal>classpermissionset_id</literal></para>
</entry>
<entry>
<para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Examples:</emphasis></para>
<para>These examples show a selection of possible permutations of <literal><link linkend="allow">allow</link></literal> rules:</para>
<programlisting><![CDATA[
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(classpermission cps_zygote)
(classpermissionset cps_zygote (zygote (not (specifyids))))
(classmap android_classes (set_1 set_2 set_3))
(classmapping android_classes set_1 (binder (all)))
(classmapping android_classes set_1 (property_service (set)))
(classmapping android_classes set_1 (zygote (not (specifycapabilities))))
(classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
(classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))
(classmapping android_classes set_3 cps_zygote)
(classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))
(block av_rules
(type type_1)
(type type_2)
(type type_3)
(type type_4)
(type type_5)
(typeattribute all_types)
(typeattributeset all_types (all))
; These examples have named and anonymous classpermissionset's and
; classmap/classmapping statements
(allow type_1 self (property_service (set))) ; anonymous
(allow type_2 self (zygote (specifyids))) ; anonymous
(allow type_3 self cps_zygote) ; named
(allow type_4 self (android_classes (set_3))) ; classmap/classmapping
(allow all_types all_types (android_classes (set_2))) ; classmap/classmapping
;; This rule will cause the build to fail unless --disable-neverallow
; (neverallow type_5 all_types (property_service (set)))
(allow type_5 type_5 (property_service (set)))
(allow type_1 all_types (property_service (set)))
)]]>
</programlisting>
</sect2>
<sect2 id="auditallow">
<title>auditallow</title>
<para>Audit the defined access rights whenever a matching <literal><link linkend="allow">allow</link></literal> rule grants them. Note: this rule does NOT grant access, it only audits the event.</para>
<para><emphasis role="bold">Rule definition:</emphasis></para>
<programlisting><![CDATA[(auditallow source_id target_id|self classpermissionset_id ...)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2.5 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>auditallow</literal></para>
</entry>
<entry>
<para>The <literal>auditallow</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>source_id</literal></para>
</entry>
<entry>
<para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
</entry>
</row>
<row>
<entry>
<para><literal>target_id</literal></para>
</entry>
<entry>
<para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
<para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para>
</entry>
</row>
<row>
<entry>
<para><literal>classpermissionset_id</literal></para>
</entry>
<entry>
<para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Example:</emphasis></para>
<para>This example will log an audit event whenever the corresponding <literal><link linkend="allow">allow</link></literal> rule grants access to the specified permissions:</para>
<programlisting><![CDATA[
(allow release_app.process secmark_demo.browser_packet (packet (send recv append bind)))
(auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))
]]>
</programlisting>
</sect2>
<sect2 id="dontaudit">
<title>dontaudit</title>
<para>Do not audit the defined access rights when access is denied. This stops excessive log entries for known events.</para>
<para>Note that these rules can be omitted by passing the CIL compiler the <literal>-D</literal> or <literal>--disable-dontaudit</literal> command line flag.</para>
<para><emphasis role="bold">Rule definition:</emphasis></para>
<programlisting><![CDATA[(dontaudit source_id target_id|self classpermissionset_id ...)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2.25 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>dontaudit</literal></para>
</entry>
<entry>
<para>The <literal>dontaudit</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>source_id</literal></para>
</entry>
<entry>
<para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
</entry>
</row>
<row>
<entry>
<para><literal>target_id</literal></para>
</entry>
<entry>
<para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
<para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para>
</entry>
</row>
<row>
<entry>
<para><literal>classpermissionset_id</literal></para>
</entry>
<entry>
<para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Example:</emphasis></para>
<para>This example will not audit the denied access:</para>
<programlisting><![CDATA[(dontaudit zygote.process self (capability (fsetid)))]]>
</programlisting>
</sect2>
<sect2 id="neverallow">
<title>neverallow</title>
<para>Never allow the defined access rights. This is a compiler enforced check that stops compilation until the offending rules are modified.</para>
<para>Note that these checks can be disabled by passing the CIL compiler the <literal>-N</literal> or <literal>--disable-neverallow</literal> command line flag, in which case the offending rules are no longer rejected.</para>
<para><emphasis role="bold">Rule definition:</emphasis></para>
<programlisting><![CDATA[(neverallow source_id target_id|self classpermissionset_id ...)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
<informaltable frame="all">
<tgroup cols="2">
<colspec colwidth="2.25 *"/>
<colspec colwidth="6 *"/>
<tbody>
<row>
<entry>
<para><literal>neverallow</literal></para>
</entry>
<entry>
<para>The <literal>neverallow</literal> keyword.</para>
</entry>
</row>
<row>
<entry>
<para><literal>source_id</literal></para>
</entry>
<entry>
<para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
</entry>
</row>
<row>
<entry>
<para><literal>target_id</literal></para>
</entry>
<entry>
<para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
<para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para>
</entry>
</row>
<row>
<entry>
<para><literal>classpermissionset_id</literal></para>
</entry>
<entry>
<para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<para><emphasis role="bold">Example:</emphasis></para>
<para>This example will not compile because the <literal><link linkend="neverallow">neverallow</link></literal> rule forbids <literal>type_3</literal> from being a source type for the <literal><link linkend="allow">allow</link></literal> rule:</para>
<programlisting><![CDATA[
(class property_service (set))
(block av_rules
(type type_1)
(type type_2)
(type type_3)
(typeattribute all_types)
(typeattributeset all_types ((all)))
(neverallow type_3 all_types (property_service (set)))
; This rule will fail compilation:
(allow type_3 self (property_service (set)))
)]]>
</programlisting>
</sect2>
</sect1>