Default Object Statements

These rules allow a default user, role, type and/or range to be taken from the source or target context when computing the security context of a new object. They require policy version 27 or 28 (see each statement below) and kernel 3.5 or later.

defaultuser

Allows the default user to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 27.

Statement definition:

    (defaultuser class_id default)

Where:

defaultuser

The defaultuser keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

Example:

When creating new binder, property_service, zygote or memprotect objects, the user component of the new security context will be taken from the source context:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
    (class memprotect (mmap_zero))

    (classmap android_classes (android))
    (classmapping android_classes android (binder (all)))
    (classmapping android_classes android (property_service (set)))
    (classmapping android_classes android (zygote (not (specifycapabilities))))

    (defaultuser (android_classes memprotect) source)

    ; Will produce the following in the binary policy file:
    ;; default_user binder source;
    ;; default_user zygote source;
    ;; default_user property_service source;
    ;; default_user memprotect source;

defaultrole

Allows the default role to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 27.

Statement definition:

    (defaultrole class_id default)

Where:

defaultrole

The defaultrole keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

Example:

When creating new binder, property_service or zygote objects, the role component of the new security context will be taken from the target context:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (defaultrole (binder property_service zygote) target)

    ; Will produce the following in the binary policy file:
    ;; default_role binder target;
    ;; default_role zygote target;
    ;; default_role property_service target;

defaulttype

Allows the default type to be taken from the source or target context when computing a new context for the object class identifier. Requires policy version 28.

Statement definition:

    (defaulttype class_id default)

Where:

defaulttype

The defaulttype keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

Example:

When creating a new socket object, the type component of the new security context will be taken from the source context:

    (defaulttype socket source)

defaultrange

Allows the default level or range to be taken from the source context, the target context, or the part common to both (glblub) when computing a new context for the object class identifier. Requires policy version 27; using glblub as the default requires policy version 32.

Statement definition:

    (defaultrange class_id default <range>)

Where:

defaultrange

The defaultrange keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source, target, or glblub.

range

A keyword of either low, high, or low-high, selecting the low level, the high level, or the whole range of the chosen context. Not given when default is glblub.

Example:

When creating a new file object, the appropriate range component of the new security context will be taken from the target context:

    (defaultrange file target low-high)

MLS userspace object managers may need the new object to carry only the range common to the subject and the containing object; glblub computes that common range from the source and target contexts:

    (defaultrange db_table glblub)
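As an added illustration (not part of the CIL documentation, libsepol or the kernel), the following Python models how these four rules select each component of a new object's context, including the glblub range computation and its failure when the two ranges share nothing. The contexts SRC and TGT are constructed sample values, and the fallback to the source context for a component with no rule is a simplification of this model, not the kernel's built-in behaviour.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int              # sensitivity, e.g. 0 for s0
    cats: frozenset        # category set, e.g. {1, 2} for c1.c2

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level             # low level of the range
    high: Level            # high level of the range (equal to low for a single level)

def glblub(src, tgt):
    """Range common to both contexts: the greater of the lows with the union of their
    categories, the lesser of the highs with the intersection. Raises if nothing is shared."""
    low = Level(max(src.low.sens, tgt.low.sens), src.low.cats | tgt.low.cats)
    high = Level(min(src.high.sens, tgt.high.sens), src.high.cats & tgt.high.cats)
    if high.sens < low.sens:
        raise ValueError("source and target ranges have no common part")
    return low, high

def compute_context(rules, cls, src, tgt):
    """rules maps (class, component) to 'source' or 'target'; for 'range' the value is
    ('source'|'target', 'low'|'high'|'low-high') or 'glblub'. A component with no rule
    is taken from the source here (a simplification; kernel defaults are class-dependent)."""
    ctx = {"source": src, "target": tgt}
    pick = lambda comp: ctx[rules.get((cls, comp), "source")]
    rng = rules.get((cls, "range"), ("source", "low"))
    if rng == "glblub":
        low, high = glblub(src, tgt)
    else:
        c = ctx[rng[0]]
        low, high = {"low": (c.low, c.low), "high": (c.high, c.high),
                     "low-high": (c.low, c.high)}[rng[1]]
    return Context(pick("user").user, pick("role").role, pick("type").type, low, high)

# Constructed sample contexts (not from the page) and the rules of this page's examples.
SRC = Context("system_u", "system_r", "init_t", Level(0, frozenset()), Level(1, frozenset({1, 2, 3})))
TGT = Context("staff_u", "object_r", "db_t", Level(0, frozenset({2})), Level(2, frozenset({2, 3, 4})))
RULES = {
    ("binder", "user"): "source",                # (defaultuser (android_classes memprotect) source)
    ("binder", "role"): "target",                # (defaultrole (binder property_service zygote) target)
    ("socket", "type"): "source",                # (defaulttype socket source)
    ("file", "range"): ("target", "low-high"),   # (defaultrange file target low-high)
    ("db_table", "range"): "glblub",             # (defaultrange db_table glblub)
}
```

For db_table the result is the range s0:c2 to s1:c2,c3, the only part both the subject and the containing object can hold.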