<!-- Common Interface Language (CIL) Reference Guide -->
<!-- context_statement.xml -->

<sect1>
   <title>Context Statement</title>
   <para>Contexts are formed using previously declared parameters and may be named or anonymous where:</para>
   <itemizedlist mark="none">
      <listitem><para>Named - The context is declared with a context identifier that is then used as a reference in labeling statements.</para></listitem>
      <listitem><para>Anonymous - The context is defined inline within the CIL labeling statement using the user, role, type and level range identifiers.</para></listitem>
   </itemizedlist>
   <para>Both forms are shown in the examples.</para>

   <sect2 id="context">
      <title>context</title>
      <para>Declare an SELinux security context identifier for labeling. The range (or current and clearance levels) MUST be defined whether the policy is MLS/MCS enabled or not.</para>
      <para><emphasis role="bold">Statement definition:</emphasis></para>
      <programlisting><![CDATA[(context context_id (user_id role_id type_id levelrange_id))]]></programlisting>
      <para><emphasis role="bold">Where:</emphasis></para>
      <informaltable frame="all">
         <tgroup cols="2">
         <colspec colwidth="2 *"/>
         <colspec colwidth="6 *"/>
            <tbody>
            <row>
               <entry>
                  <para><literal><link linkend="context">context</link></literal></para>
               </entry>
               <entry>
                  <para>The <literal><link linkend="context">context</link></literal> keyword.</para>
               </entry>
            </row>
            <row>
               <entry>
                  <para><literal>context_id</literal></para>
               </entry>
               <entry>
                  <para>The <literal><link linkend="context">context</link></literal> identifier.</para>
               </entry>
            </row>
            <row>
               <entry>
                  <para><literal>user_id</literal></para>
               </entry>
               <entry>
                  <para>A single previously declared <literal><link linkend="user">user</link></literal> identifier.</para>
               </entry>
            </row>
            <row>
               <entry>
                  <para><literal>role_id</literal></para>
               </entry>
               <entry>
                  <para>A single previously declared <literal><link linkend="role">role</link></literal> identifier.</para>
               </entry>
            </row>
            <row>
               <entry>
                  <para><literal>type_id</literal></para>
               </entry>
               <entry>
                  <para>A single previously declared <literal><link linkend="type">type</link></literal> or <literal><link linkend="typealias">typealias</link></literal> identifier.</para>
               </entry>
            </row>
            <row>
               <entry>
                  <para><literal>levelrange_id</literal></para>
               </entry>
               <entry>
                  <para>A single previously declared <literal><link linkend="levelrange">levelrange</link></literal> identifier. This entry may also be defined by anonymous or named <literal><link linkend="level">level</link></literal>, <literal><link linkend="sensitivity">sensitivity</link></literal>, <literal><link linkend="sensitivityalias">sensitivityalias</link></literal>, <literal><link linkend="category">category</link></literal>, <literal><link linkend="categoryalias">categoryalias</link></literal> or <literal><link linkend="categoryset">categoryset</link></literal> as discussed in the <link linkend="mls_labeling_statements">Multi-Level Security Labeling Statements</link> section and shown in the examples.</para>
               </entry>
            </row>
         </tbody></tgroup>
      </informaltable>

      <para><emphasis role="bold">Examples:</emphasis></para>
      <para>This example uses a named context definition:</para>
      <programlisting><![CDATA[
(context runas_exec_context (u object_r exec low_low))

(filecon "/system/bin/run-as" file runas_exec_context)]]>
      </programlisting>
      <simpara>to resolve/build a <literal>file_contexts</literal> entry of (assuming an MLS enabled policy, and that these statements are declared within a <literal>(block runas ...)</literal> namespace so that the type <literal>exec</literal> resolves to <literal>runas.exec</literal>):</simpara>
      <programlisting><![CDATA[/system/bin/run-as -- u:object_r:runas.exec:s0-s0]]></programlisting>

      <para>This example uses an anonymous context where the previously declared <literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal> identifiers are used to specify two <literal><link linkend="portcon">portcon</link></literal> statements (the first writes the range as two anonymous levels, the second as two named levels):</para>
      <programlisting><![CDATA[
(portcon udp 1024 (test.user object_r test.process ((s0) (s1))))
(portcon tcp 1024 (test.user object_r test.process (system_low system_high)))]]>
      </programlisting>

      <para>This example uses an anonymous context for the first (the interface context) and a named context for the second (the packet context) in a <literal><link linkend="netifcon">netifcon</link></literal> statement:</para>
      <programlisting><![CDATA[
(context netif_context (test.user object_r test.process ((s0 (c0)) (s1 (c0)))))

(netifcon eth04 (test.user object_r test.process ((s0 (c0)) (s1 (c0)))) netif_context)]]>
      </programlisting>

   </sect2>

</sect1>