Role Statements
===============

role
----

Declares a role identifier in the current namespace.

**Statement definition:**

    (role role_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>role</code></p></td>
<td align="left"><p>The <code>role</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>The <code>role</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares two roles: `object_r` in the global namespace and `unconfined.role`:

    (role object_r)

    (block unconfined
        (role role)
    )

roletype
--------

Authorises a [`role`](cil_role_statements.md#role) to access a [`type`](cil_type_statements.md#type) identifier.

**Statement definition:**

    (roletype role_id type_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roletype</code></p></td>
<td align="left"><p>The <code>roletype</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>type_id</code></p></td>
<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare [`role`](cil_role_statements.md#role) and [`type`](cil_type_statements.md#type) identifiers, then associate them:

    (block unconfined
        (role role)
        (type process)
        (roletype role process)
    )

roleattribute
-------------

Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`roleattributeset`](cil_role_statements.md#roleattributeset) statement.

**Statement definition:**

    (roleattribute roleattribute_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roleattribute</code></p></td>
<td align="left"><p>The <code>roleattribute</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>roleattribute_id</code></p></td>
<td align="left"><p>The <code>roleattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare a role attribute `roles.role_holder` that will have an empty set:

    (block roles
        (roleattribute role_holder)
    )

roleattributeset
----------------

Allows the association of one or more previously declared [`role`](cil_role_statements.md#role) identifiers to a [`roleattribute`](cil_role_statements.md#roleattribute) identifier. Expressions may be used to refine the associations as shown in the examples.

**Statement definition:**

    (roleattributeset roleattribute_id (role_id ... | expr ...))

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roleattributeset</code></p></td>
<td align="left"><p>The <code>roleattributeset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>roleattribute_id</code></p></td>
<td align="left"><p>A single previously declared <code>roleattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>Zero or more previously declared <code>role</code> or <code>roleattribute</code> identifiers.</p>
<p>Note that there must be at least one <code>role_id</code> or <code>expr</code> parameter declared.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code>    (and (role_id ...) (role_id ...))</code></p>
<p><code>    (or  (role_id ...) (role_id ...))</code></p>
<p><code>    (xor (role_id ...) (role_id ...))</code></p>
<p><code>    (not (role_id ...))</code></p>
<p><code>    (all)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare three roles and two role attributes, then associate all the roles to them as shown:

    (block roles
        (role role_1)
        (role role_2)
        (role role_3)

        (roleattribute role_holder)
        (roleattributeset role_holder (role_1 role_2 role_3))

        (roleattribute role_holder_all)
        (roleattributeset role_holder_all (all))
    )

roleallow
---------

Authorise the current role to assume a new role.

Notes:

-   May require a [`roletransition`](cil_role_statements.md#roletransition) rule to ensure transition to the new role.

-   This rule is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) statements.

**Statement definition:**

    (roleallow current_role_id new_role_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roleallow</code></p></td>
<td align="left"><p>The <code>roleallow</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>current_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>new_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`roletransition`](cil_role_statements.md#roletransition) statement for an example.

roletransition
--------------

Specify a role transition from the current role to a new role when computing a context for the target type. The [`class`](cil_class_and_permission_statements.md#class) identifier would normally be `process`; however, for kernel versions 2.6.39 and above with policy version \>= 25, any valid class may be used. Note that a [`roleallow`](cil_role_statements.md#roleallow) rule must be used to authorise the transition.

**Statement definition:**

    (roletransition current_role_id target_type_id class_id new_role_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roletransition</code></p></td>
<td align="left"><p>The <code>roletransition</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>current_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_type_id</code></p></td>
<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>new_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> identifier to be set on transition.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will authorise the `unconfined.role` to assume the `msg_filter.role` role, and then transition to that role:

    (block ext_gateway
        (type process)
        (type exec)

        (roletype msg_filter.role process)
        (roleallow unconfined.role msg_filter.role)
        (roletransition unconfined.role exec process msg_filter.role)
    )

rolebounds
----------

Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.

Notes:

-   It is not possible to bind the parent role to more than one child role.

-   While this is added to the binary policy, it is not enforced by the SELinux kernel services.

**Statement definition:**

    (rolebounds parent_role_id child_role_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>rolebounds</code></p></td>
<td align="left"><p>The <code>rolebounds</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>parent_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>child_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

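An added example (not from the CIL reference or the secilc project) that ties the `roleattributeset` expression grammar above to the `roleallow`/`roletransition` pairing just shown: it expands `and`/`or`/`xor`/`not`/`all` expressions into concrete role sets and lists every `roletransition` whose current-to-new role pair no `roleallow` grants. It assumes a flat policy with no `block` namespaces, and the sample policy (`SAMPLE`) is constructed input.

```python
# Added example (not from the CIL reference or secilc): expands roleattributeset
# exprs to role sets and flags roletransitions with no roleallow. Assumes a flat
# policy (no block namespaces); SAMPLE is constructed input.
import re

def parse(text):
    """Tokenise CIL s-expressions into nested lists, one list per statement."""
    stack, cur = [], []
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(": stack.append(cur); cur = []
        elif tok == ")": done, cur = cur, stack.pop(); cur.append(done)
        else: cur.append(tok)
    return cur

OPS = {"and": set.__and__, "or": set.__or__, "xor": set.__xor__}

def expand(expr, roles, attrs):
    """Resolve a role/roleattribute name, a (role_id ...) list, or an expr."""
    if isinstance(expr, str):  # KeyError here means an undeclared identifier
        return {expr} if expr in roles else set(attrs[expr])
    if expr[0] == "all": return set(roles)
    if expr[0] == "not": return set(roles) - expand(expr[1], roles, attrs)
    if expr[0] in OPS:
        return OPS[expr[0]](expand(expr[1], roles, attrs), expand(expr[2], roles, attrs))
    return set().union(*(expand(e, roles, attrs) for e in expr))  # plain list

def role_sets(stmts):
    """Declared roles plus each roleattribute expanded (sets applied in order)."""
    roles = {s[1] for s in stmts if s[0] == "role"}
    attrs = {s[1]: set() for s in stmts if s[0] == "roleattribute"}
    for s in stmts:
        if s[0] == "roleattributeset":
            attrs[s[1]] |= expand(s[2], roles, attrs)
    return roles, attrs

def unauthorised_transitions(text):
    """(current, new) pairs a roletransition needs but no roleallow grants."""
    stmts = parse(text)
    roles, attrs = role_sets(stmts)
    allowed = {(c, n) for s in stmts if s[0] == "roleallow"
               for c in expand(s[1], roles, attrs) for n in expand(s[2], roles, attrs)}
    return sorted((c, s[4]) for s in stmts if s[0] == "roletransition"
                  for c in expand(s[1], roles, attrs) if (c, s[4]) not in allowed)

SAMPLE = """(role object_r) (role unconfined_r) (role msg_filter_r) (role test)
(roleattribute role_holder)
(roleattributeset role_holder (and (all) (not (object_r))))
(roleallow unconfined_r msg_filter_r)
(roletransition unconfined_r exec process msg_filter_r)
(roletransition test exec process msg_filter_r)"""
```

Running `unauthorised_transitions(SAMPLE)` reports the `test` to `msg_filter_r` transition, which the kernel would refuse because no `roleallow` backs it.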
In this example the role `test` cannot have greater privileges than `unconfined.role`:

    (role test)

    (block unconfined
        (role role)
        (rolebounds role .test)
    )

    321