RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-01-29 00:32:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
f4e741a144
selinux/secilc/docs/cil_default_object_statements.md
Joshua Brindle 9ba35fe8c2 Add default_range glblub support 
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. This can be used by MLS userspace
object managers to find the range of clearances that two contexts
have in common. An example usage is computing a transition between
the network context and the context of a user logging into an MLS
application.

For example, one can add a default with
this cil:

(defaultrange db_table glblub)

or in te (base module only):

default_range db_table glblub;

and then test using the compute_create utility:

$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

Some example range transitions are:

User Permitted Range | Network Device Label | Computed Label
---------------------|----------------------|----------------
s0-s1:c0.c12         | s0                   | s0
s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
s0-s4                | s2-s6                | s2-s4
s0-s4                | s5-s8                | INVALID
s5-s8                | s0-s4                | INVALID

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-09-10 12:30:29 -04:00

188 lines
6.7 KiB
Markdown
Raw Blame History

Default Object Statements
=========================
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.
defaultuser
-----------
Allows the default user to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.
**Statement definition:**
(defaultuser class_id default)
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultuser</code></p></td>
<td align="left"><p>The <code>defaultuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>
**Example:**
When creating new `binder`, `property_service`, `zygote` or `memprotect` objects the [`user`](cil_user_statements.md#user) component of the new security context will be taken from the `source` context:
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(class memprotect (mmap_zero))
(classmap android_classes (android))
(classmapping android_classes android (binder (all)))
(classmapping android_classes android (property_service (set)))
(classmapping android_classes android (zygote (not (specifycapabilities))))
(defaultuser (android_classes memprotect) source)
; Will produce the following in the binary policy file:
;; default_user binder source;
;; default_user zygote source;
;; default_user property_service source;
;; default_user memprotect source;
defaultrole
-----------
Allows the default role to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.
(defaultrole class_id default)
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrole</code></p></td>
<td align="left"><p>The <code>defaultrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>
**Example:**
When creating new `binder`, `property_service` or `zygote` objects the [`role`](cil_role_statements.md#role) component of the new security context will be taken from the `target` context:
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(defaultrole (binder property_service zygote) target)
; Will produce the following in the binary policy file:
;; default_role binder target;
;; default_role zygote target;
;; default_role property_service target;
defaulttype
-----------
Allows the default type to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 28.
**Statement definition:**
(defaulttype class_id default)
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaulttype</code></p></td>
<td align="left"><p>The <code>defaulttype</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>
**Example:**
When creating a new `socket` object, the [`type`](cil_type_statements.md#type) component of the new security context will be taken from the `source` context:
(defaulttype socket source)
defaultrange
------------
Allows the default level or range to be taken from the source, target, or both contexts when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. glblub as the default requires policy version 32.
**Statement definition:**
(defaultrange class_id default <range>)
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrange</code></p></td>
<td align="left"><p>The <code>defaultrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code>, <code>target</code>, or <code>glblub</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>range</code></p></td>
<td align="left"><p>A keyword of either <code>low</code>, <code>high</code>, or <code>low-high</code>.</p></td>
</tr>
</tbody>
</table>
**Example:**
When creating a new `file` object, the appropriate `range` component of the new security context will be taken from the `target` context:
(defaultrange file target low_high)
MLS userspace object managers may need to compute the common parts of a range such that the object is created with the range common to the subject and containing object:
(defaultrange db_table glblub)
Reference in New Issue View Git Blame Copy Permalink