User Statements
===============

user
----

Declares an SELinux user identifier in the current namespace.

**Statement definition:**

    (user user_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>user</code></p></td>
<td align="left"><p>The <code>user</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>The SELinux <code>user</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This will declare an SELinux user as `unconfined.user`:

    (block unconfined
        (user user)
    )

userrole
--------

Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`role`](cil_role_statements.md#role) identifier.

**Statement definition:**

    (userrole user_id role_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userrole</code></p></td>
<td align="left"><p>The <code>userrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> or <code>userattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>A previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` to `unconfined.role`:

    (block unconfined
        (user user)
        (role role)
        (userrole user role)
    )

userattribute
-------------

Declares a user attribute identifier in the current namespace. The identifier may have zero or more [`user`](cil_user_statements.md#user) and [`userattribute`](cil_user_statements.md#userattribute) identifiers associated to it via the [`userattributeset`](cil_user_statements.md#userattributeset) statement.

**Statement definition:**

    (userattribute userattribute_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userattribute</code></p></td>
<td align="left"><p>The <code>userattribute</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userattribute_id</code></p></td>
<td align="left"><p>The <code>userattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare a user attribute `users.user_holder` that will have an empty set:

    (block users
        (userattribute user_holder)
    )

userattributeset
----------------

Allows the association of one or more previously declared [`user`](cil_user_statements.md#user) or [`userattribute`](cil_user_statements.md#userattribute) identifiers to a [`userattribute`](cil_user_statements.md#userattribute) identifier. Expressions may be used to refine the associations as shown in the examples.

**Statement definition:**

    (userattributeset userattribute_id (user_id ... | expr ...))

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userattributeset</code></p></td>
<td align="left"><p>The <code>userattributeset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userattribute_id</code></p></td>
<td align="left"><p>A single previously declared <code>userattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>Zero or more previously declared <code>user</code> or <code>userattribute</code> identifiers.</p>
<p>Note that there must be at least one <code>user_id</code> or <code>expr</code> parameter declared.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code>    (and (user_id ...) (user_id ...))</code></p>
<p><code>    (or  (user_id ...) (user_id ...))</code></p>
<p><code>    (xor (user_id ...) (user_id ...))</code></p>
<p><code>    (not (user_id ...))</code></p>
<p><code>    (all)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare three users and two user attributes, then associate all the users to them as shown:

    (block users
        (user user_1)
        (user user_2)
        (user user_3)

        (userattribute user_holder)
        (userattributeset user_holder (user_1 user_2 user_3))

        (userattribute user_holder_all)
        (userattributeset user_holder_all (all))
    )
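The operator grammar in the table is easiest to understand by evaluating it. The Python script below is an added example, not code from the CIL reference or from the SELinux project: it reads a constructed CIL fragment with a minimal s-expression reader, qualifies names with their `block` namespace (so `user_1` inside `(block users ...)` becomes `users.user_1`, as the page writes `users.user_holder`), and expands every `userattributeset` into the set of users it names. It goes beyond the page's example by exercising the `not`, `xor` and `(all)` forms the table lists. The fragment, the function names (`parse`, `collect`, `attribute_members`) and the acceptance of nested operator expressions are assumptions made for this example; CIL's real resolver lives in libsepol.

```python
import re

# Constructed sample CIL fragment (not from the original page). It reuses the
# page's three users and builds attributes with the operators the table lists.
SAMPLE_POLICY = """
(block users
    (user user_1)
    (user user_2)
    (user user_3)
    (userattribute staff)
    (userattributeset staff (user_1 user_2))
    (userattribute user_holder)
    (userattributeset user_holder (user_1 user_2 user_3))
    (userattribute user_holder_all)
    (userattributeset user_holder_all (all))
    (userattribute not_staff)
    (userattributeset not_staff (not (staff)))   ; every user outside staff
    (userattribute either)
    (userattributeset either (xor (user_1 user_2) (user_2 user_3)))
    (userattribute empty)                        ; declared, never set
)
"""

_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_OPERATORS = {"and", "or", "xor", "not", "all"}


def parse(text):
    """Read CIL s-expressions into nested lists of strings; ';' starts a comment."""
    text = re.sub(r";[^\n]*", "", text)
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            inner = stack.pop()
            stack[-1].append(inner)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]


def collect(stmts, ns=""):
    """Gather users, userattributes and userattributesets, qualifying each name
    with its enclosing block namespace (users.user_1)."""
    users, attrs, sets = set(), set(), {}
    for stmt in stmts:
        keyword = stmt[0]
        if keyword == "block":
            u, a, s = collect(stmt[2:], ns + stmt[1] + ".")
            users |= u
            attrs |= a
            sets.update(s)
        elif keyword == "user":
            users.add(ns + stmt[1])
        elif keyword == "userattribute":
            attrs.add(ns + stmt[1])
        elif keyword == "userattributeset":
            sets[ns + stmt[1]] = (stmt[2], ns)
    return users, attrs, sets


def attribute_members(policy_text):
    """Return {qualified attribute: frozenset of qualified users} for a fragment."""
    users, attrs, sets = collect(parse(policy_text))
    undeclared = set(sets) - attrs
    if undeclared:
        raise ValueError(f"userattributeset for undeclared attribute: {sorted(undeclared)}")
    members, in_progress = {}, set()

    def resolve(name, ns):
        # Current namespace first, then a global ".name" or already qualified name.
        for candidate in (ns + name, name.lstrip(".")):
            if candidate in users:
                return frozenset([candidate])
            if candidate in attrs:
                return attribute(candidate)
        raise ValueError(f"unknown user or userattribute: {name}")

    def attribute(attr):
        # Memoised, so attributes may reference each other in any textual order.
        if attr not in members:
            if attr in in_progress:
                raise ValueError(f"cyclic userattributeset involving {attr}")
            in_progress.add(attr)
            operand, ns = sets.get(attr, ([], ""))  # never set: empty set
            members[attr] = evaluate(operand, ns)
            in_progress.discard(attr)
        return members[attr]

    def evaluate(operand, ns):
        # operand is (user_id ...) or one of the (op ...) forms from the table.
        if operand and isinstance(operand[0], str) and operand[0] in _OPERATORS:
            op, args = operand[0], [evaluate(a, ns) for a in operand[1:]]
            if op == "all":
                return frozenset(users)
            if op == "not":
                return frozenset(users) - args[0]
            if op == "and":
                return args[0] & args[1]
            if op == "or":
                return args[0] | args[1]
            return args[0] ^ args[1]  # xor
        result = frozenset()
        for item in operand:
            result |= evaluate(item, ns) if isinstance(item, list) else resolve(item, ns)
        return result

    return {attr: attribute(attr) for attr in sorted(attrs)}
```

Note that `(all)` and `(not ...)` expand against every declared user, so an attribute built from them deserves a second look wherever it is later passed to `userrole`: each user it covers inherits that role authorisation.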

userlevel
---------

Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`level`](cil_mls_labeling_statements.md#level) identifier. The [`level`](cil_mls_labeling_statements.md#level) may be named or anonymous.

**Statement definition:**

    (userlevel user_id level_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userlevel</code></p></td>
<td align="left"><p>The <code>userlevel</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>level_id</code></p></td>
<td align="left"><p>A previously declared <code>level</code> identifier. This may consist of a single <code>sensitivity</code> with zero or more mixed named and anonymous <code>category</code>'s as discussed in the <code>level</code> statement.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` with a named [`level`](cil_mls_labeling_statements.md#level) of `systemlow`:

    (sensitivity s0)
    (level systemlow (s0))

    (block unconfined
        (user user)
        (userlevel user systemlow)
        ; An anonymous example:
        ;(userlevel user (s0))
    )

userrange
---------

Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`levelrange`](cil_mls_labeling_statements.md#levelrange) identifier. The [`levelrange`](cil_mls_labeling_statements.md#levelrange) may be named or anonymous.

**Statement definition:**

    (userrange user_id levelrange_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userrange</code></p></td>
<td align="left"><p>The <code>userrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>levelrange_id</code></p></td>
<td align="left"><p>A previously declared <code>levelrange</code> identifier. This may be formed by named or anonymous components as discussed in the <code>levelrange</code> statement and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` with a named [`levelrange`](cil_mls_labeling_statements.md#levelrange) of `low_high`; other anonymous examples are also shown:

    (category c0)
    (category c1)
    (categoryorder (c0 c1))
    (sensitivity s0)
    (sensitivity s1)
    (dominance (s0 s1))
    (sensitivitycategory s0 (c0 c1))
    (level systemLow (s0))
    (level systemHigh (s0 (c0 c1)))
    (levelrange low_high (systemLow systemHigh))

    (block unconfined
        (user user)
        (role role)
        (userrole user role)
        ; Named example:
        (userrange user low_high)
        ; Anonymous examples:
        ;(userrange user (systemLow systemHigh))
        ;(userrange user (systemLow (s0 (c0 c1))))
        ;(userrange user ((s0) (s0 (c0 c1))))
    )

userbounds
----------

Defines a hierarchical relationship between users where the child user cannot have more privileges than the parent.

Notes:

-   It is not possible to bind the parent to more than one child.

-   While this is added to the binary policy, it is not enforced by the SELinux kernel services.

**Statement definition:**

    (userbounds parent_user_id child_user_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userbounds</code></p></td>
<td align="left"><p>The <code>userbounds</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>parent_user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>child_user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

The user `test` cannot have greater privileges than `unconfined.user`:

    (user test)

    (block unconfined
        (user user)
        (userbounds user .test)
    )
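Since the note above says the bound is recorded in the binary policy but not enforced by the kernel, the place to catch a violation is at policy build or review time. The Python check below is an added example, not code from the CIL reference or from libsepol/secilc: it takes `userrole` and `userbounds` associations as Python data (a constructed sample, not the page's policy), expands roles granted through a `userattribute` to each member user, and reports every child user authorised for a role its parent lacks, plus any bound chain that loops back on itself. Treating a user's privileges as the roles it is authorised for via `userrole` is an assumption made for this example, as are the function names `roles_per_user` and `check_userbounds`.

```python
# Constructed sample (not from the page): the page's unconfined.user / test
# pair plus an extra user whose roles go beyond its parent's.
USERS = {"unconfined.user", "test", "audit.user"}
ATTRIBUTE_MEMBERS = {"unconfined.trusted": {"unconfined.user", "test"}}
USERROLES = [  # (user_id or userattribute_id, role_id), as in (userrole ...)
    ("unconfined.user", "unconfined.role"),
    ("unconfined.user", "sysadm.role"),
    ("unconfined.trusted", "staff.role"),  # reaches both attribute members
    ("test", "unconfined.role"),
    ("audit.user", "auditadm.role"),
]
USERBOUNDS = [  # (parent_user_id, child_user_id), as in (userbounds ...)
    ("unconfined.user", "test"),
    ("unconfined.user", "audit.user"),
]


def roles_per_user(users, attribute_members, userroles):
    """Expand userrole statements to {user: set(roles)}, resolving attributes."""
    roles = {user: set() for user in users}
    for subject, role in userroles:
        if subject in users:
            targets = {subject}
        elif subject in attribute_members:
            targets = attribute_members[subject]
        else:
            raise ValueError(f"userrole names undeclared user/attribute {subject}")
        for user in targets:
            roles[user].add(role)
    return roles


def check_userbounds(users, attribute_members, userroles, userbounds):
    """Return violation messages; an empty list means every bound holds."""
    roles = roles_per_user(users, attribute_members, userroles)
    problems = []
    parent_of = {}
    for parent, child in userbounds:
        parent_of[child] = parent
        # The child may only hold roles the parent also holds.
        extra = roles[child] - roles[parent]
        if extra:
            problems.append(
                f"{child} is bounded by {parent} but holds roles it lacks: {sorted(extra)}")
    # A bound chain must end at an unbounded user; a loop (or self-bound) never does.
    reported = set()
    for child in parent_of:
        seen, cur = set(), child
        while cur in parent_of and cur not in seen:
            seen.add(cur)
            cur = parent_of[cur]
        if cur in seen and not seen & reported:
            reported |= seen
            problems.append(f"userbounds cycle among {sorted(seen)}")
    return problems


if __name__ == "__main__":
    for line in check_userbounds(USERS, ATTRIBUTE_MEMBERS, USERROLES, USERBOUNDS):
        print(line)
```

Run against the sample, the `test` bound passes (its roles `staff.role` and `unconfined.role` are both held by `unconfined.user`), while `audit.user` is reported because `auditadm.role` is not held by its parent.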

userprefix
----------

Declares a user prefix that will be substituted by the file labeling utilities described at [http://selinuxproject.org/page/PolicyStoreConfigurationFiles](http://selinuxproject.org/page/PolicyStoreConfigurationFiles#file_contexts.template_File), which details the `file_contexts` entries.

**Statement definition:**

    (userprefix user_id prefix)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userprefix</code></p></td>
<td align="left"><p>The <code>userprefix</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>prefix</code></p></td>
<td align="left"><p>The string to be used by the file labeling utilities.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate the `unconfined.admin` user with a prefix of "`user`":

    (block unconfined
        (user admin)
        (userprefix admin user)
    )

selinuxuser
-----------

Associates a GNU/Linux user to a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared MLS [`userrange`](cil_user_statements.md#userrange). Note that the [`userrange`](cil_user_statements.md#userrange) is required even if the policy is non-MCS/MLS.

**Statement definition:**

    (selinuxuser user_name user_id userrange_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>selinuxuser</code></p></td>
<td align="left"><p>The <code>selinuxuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_name</code></p></td>
<td align="left"><p>A string representing the GNU/Linux user name.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userrange_id</code></p></td>
<td align="left"><p>A previously declared <code>userrange</code> identifier that has been associated to the <code>user</code> identifier. This may be formed by named or anonymous components as discussed in the <code>userrange</code> statement and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate the `unconfined.admin` user with a GNU/Linux user "`admin_1`":

    (block unconfined
        (user admin)
        (selinuxuser admin_1 admin low_low)
    )

selinuxuserdefault
------------------

Declares the default SELinux user. Only one [`selinuxuserdefault`](cil_user_statements.md#selinuxuserdefault) statement is allowed in the policy. Note that the [`userrange`](cil_user_statements.md#userrange) identifier is required even if the policy is non-MCS/MLS.

**Statement definition:**

    (selinuxuserdefault user_id userrange_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>selinuxuserdefault</code></p></td>
<td align="left"><p>The <code>selinuxuserdefault</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>userrange_id</code></p></td>
<td align="left"><p>A previously declared <code>userrange</code> identifier that has been associated to the <code>user</code> identifier. This may be formed by named or anonymous components as discussed in the <code>userrange</code> statement and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will define `unconfined.user` as the default SELinux user:

    (block unconfined
        (user user)
        (selinuxuserdefault user low_low)
    )
    456