selinux/secilc/docs/cil_role_statements.md
Dominick Grift 49ff851c98 secilc: fixes cil_role_statements.md example
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: James Carter <jwcart2@gmail.com>
2021-02-19 15:19:50 +01:00

9.0 KiB

Role Statements

role

Declares a role identifier in the current namespace.

Statement definition:

    (role role_id)

Where:

role

The role keyword.

role_id

The role identifier.

Example:

This example declares two roles: object_r in the global namespace and unconfined.role:

    (role object_r)

    (block unconfined
        (role role)
    )

roletype

Authorises a role to access a type identifier.

Statement definition:

    (role role_id type_id)

Where:

roletype

The roletype keyword.

role_id

A single previously declared role or roleattribute identifier.

type_id

A single previously declared type, typealias or typeattribute identifier.

Example:

This example will declare role and type identifiers, then associate them:

    (block unconfined
        (role role)
        (type process)
        (roletype role process)
    )

roleattribute

Declares a role attribute identifier in the current namespace. The identifier may have zero or more role and roleattribute identifiers associated to it via the roleattributeset statement.

Statement definition:

    (roleattribute roleattribute_id)

Where:

roleattribute

The roleattribute keyword.

roleattribute_id

The roleattribute identifier.

Example:

This example will declare a role attribute roles.role_holder that will have an empty set:

    (block roles
        (roleattribute role_holder)
    )

roleattributeset

Allows the association of one or more previously declared role identifiers to a roleattribute identifier. Expressions may be used to refine the associations as shown in the examples.

Statement definition:

    (roleattributeset roleattribute_id (role_id ... | expr ...))

Where:

roleattributeset

The roleattributeset keyword.

roleattribute_id

A single previously declared roleattribute identifier.

role_id

Zero or more previously declared role or roleattribute identifiers.

Note that there must be at least one role_id or expr parameter declared.

expr

Zero or more expr's, the valid operators and syntax are:

(and (role_id ...) (role_id ...))

(or (role_id ...) (role_id ...))

(xor (role_id ...) (role_id ...))

(not (role_id ...))

(all)

Example:

This example will declare three roles and two role attributes, then associate all the roles to them as shown:

    (block roles
        (role role_1)
        (role role_2)
        (role role_3)

        (roleattribute role_holder)
        (roleattributeset role_holder (role_1 role_2 role_3))

        (roleattribute role_holder_all)
        (roleattributeset role_holder_all (all))
    )

roleallow

Authorise the current role to assume a new role.

Notes:

  • May require a roletransition rule to ensure transition to the new role.

  • This rule is not allowed in booleanif statements.

Statement definition:

    (roleallow current_role_id new_role_id)

Where:

roleallow

The roleallow keyword.

current_role_id

A single previously declared role or roleattribute identifier.

new_role_id

A single previously declared role or roleattribute identifier.

Example:

See the roletransition statement for an example.

roletransition

Specify a role transition from the current role to a new role when computing a context for the target type. The class identifier would normally be process, however for kernel versions 2.6.39 with policy version >= 25 and above, any valid class may be used. Note that a roleallow rule must be used to authorise the transition.

Statement definition:

    (roletransition current_role_id target_type_id class_id new_role_id)

Where:

roletransition

The roletransition keyword.

current_role_id

A single previously declared role or roleattribute identifier.

target_type_id

A single previously declared type, typealias or typeattribute identifier.

class_id

A single previously declared class or classmap identifier.

new_role_id

A single previously declared role identifier to be set on transition.

Example:

This example will authorise the unconfined.role to assume the msg_filter.role role, and then transition to that role:

    (block ext_gateway
        (type process)
        (type exec)

        (roletype msg_filter.role process)
        (roleallow unconfined.role msg_filter.role)
        (roletransition unconfined.role exec process msg_filter.role)
    )

rolebounds

Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.

Notes:

  • It is not possible to bind the parent role to more than one child role.

  • While this is added to the binary policy, it is not enforced by the SELinux kernel services.

Statement definition:

    (rolebounds parent_role_id child_role_id)

Where:

rolebounds

The rolebounds keyword.

parent_role_id

A single previously declared role identifier.

child_role_id

A single previously declared role identifier.

Example:

In this example the role test cannot have greater privileges than unconfined.role:

    (role test)

    (block unconfined
        (role role)
        (rolebounds role .test)
    )