Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> Acked-by: James Carter <jwcart2@gmail.com>
Role Statements
role
Declares a role identifier in the current namespace.
Statement definition:
(role role_id)
Where:
| role | The role keyword. |
| role_id | The role identifier. |
Example:
This example declares two roles: object_r in the global namespace and unconfined.role:
(role object_r)
(block unconfined
(role role)
)
roletype
Authorises a role to access a type identifier.
Statement definition:
(roletype role_id type_id)
Where:
| roletype | The roletype keyword. |
| role_id | A single previously declared role identifier. |
| type_id | A single previously declared type identifier. |
Example:
This example will declare role and type identifiers, then associate them:
(block unconfined
(role role)
(type process)
(roletype role process)
)
roleattribute
Declares a role attribute identifier in the current namespace. The identifier may have zero or more role and roleattribute identifiers associated to it via the roleattributeset statement.
Statement definition:
(roleattribute roleattribute_id)
Where:
| roleattribute | The roleattribute keyword. |
| roleattribute_id | The roleattribute identifier. |
Example:
This example will declare a role attribute roles.role_holder that will have an empty set:
(block roles
(roleattribute role_holder)
)
roleattributeset
Allows the association of one or more previously declared role identifiers to a roleattribute identifier. Expressions may be used to refine the associations as shown in the examples.
Statement definition:
(roleattributeset roleattribute_id (role_id ... | expr ...))
Where:
| roleattributeset | The roleattributeset keyword. |
| roleattribute_id | A single previously declared roleattribute identifier. |
| role_id | Zero or more previously declared role or roleattribute identifiers. Note that there must be at least one role_id or expr parameter. |
| expr | Zero or more expressions refining the set, such as the (all) expression used in the example below. |
Example:
This example will declare three roles and two role attributes, then associate all the roles to them as shown:
(block roles
(role role_1)
(role role_2)
(role role_3)
(roleattribute role_holder)
(roleattributeset role_holder (role_1 role_2 role_3))
(roleattribute role_holder_all)
(roleattributeset role_holder_all (all))
)
roleallow
Authorise the current role to assume a new role.
Notes:
- May require a roletransition rule to ensure transition to the new role.
- This rule is not allowed in booleanif statements.
Statement definition:
(roleallow current_role_id new_role_id)
Where:
| roleallow | The roleallow keyword. |
| current_role_id | A single previously declared role identifier. |
| new_role_id | A single previously declared role identifier. |
Example:
See the roletransition statement for an example.
roletransition
Specify a role transition from the current role to a new role when computing a context for the target type. The class identifier would normally be process; however, from kernel version 2.6.39 with policy version 25 or later, any valid class may be used. Note that a roleallow rule must be used to authorise the transition.
Statement definition:
(roletransition current_role_id target_type_id class_id new_role_id)
Where:
| roletransition | The roletransition keyword. |
| current_role_id | A single previously declared role identifier. |
| target_type_id | A single previously declared type identifier. |
| class_id | A single previously declared class identifier. |
| new_role_id | A single previously declared role identifier. |
Example:
This example will authorise the unconfined.role to assume the msg_filter.role role, and then transition to that role:
(block ext_gateway
(type process)
(type exec)
(roletype msg_filter.role process)
(roleallow unconfined.role msg_filter.role)
(roletransition unconfined.role exec process msg_filter.role)
)
rolebounds
Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.
Notes:
- It is not possible to bind the parent role to more than one child role.
- While this is added to the binary policy, it is not enforced by the SELinux kernel services.
Statement definition:
(rolebounds parent_role_id child_role_id)
Where:
| rolebounds | The rolebounds keyword. |
| parent_role_id | A single previously declared role identifier. |
| child_role_id | A single previously declared role identifier. |
Example:
In this example the role test cannot have greater privileges than unconfined.role:
(role test)
(block unconfined
(role role)
(rolebounds role .test)
)