1 Type Statements 2 =============== 3 4 type 5 ---- 6 7 Declares a type identifier in the current namespace. 8 9 **Statement definition:** 10 11 (type type_id) 12 13 **Where:** 14 15 <table> 16 <colgroup> 17 <col width="25%" /> 18 <col width="75%" /> 19 </colgroup> 20 <tbody> 21 <tr class="odd"> 22 <td align="left"><p><code>type</code></p></td> 23 <td align="left"><p>The <code>type</code> keyword.</p></td> 24 </tr> 25 <tr class="even"> 26 <td align="left"><p><code>type_id</code></p></td> 27 <td align="left"><p>The <code>type</code> identifier.</p></td> 28 </tr> 29 </tbody> 30 </table> 31 32 **Example:** 33 34 This example declares a type identifier `bluetooth.process`: 35 36 (block bluetooth 37 (type process) 38 ) 39 40 typealias 41 --------- 42 43 Declares a type alias in the current namespace. 44 45 **Statement definition:** 46 47 (typealias typealias_id) 48 49 **Where:** 50 51 <table> 52 <colgroup> 53 <col width="25%" /> 54 <col width="75%" /> 55 </colgroup> 56 <tbody> 57 <tr class="odd"> 58 <td align="left"><p><code>typealias</code></p></td> 59 <td align="left"><p>The <code>typealias</code> keyword.</p></td> 60 </tr> 61 <tr class="even"> 62 <td align="left"><p><code>typealias_id</code></p></td> 63 <td align="left"><p>The <code>typealias</code> identifier.</p></td> 64 </tr> 65 </tbody> 66 </table> 67 68 **Example:** 69 70 See the [`typealiasactual`](cil_type_statements.md#typealiasactual) statement for an example that associates the [`typealias`](cil_type_statements.md#typealias) identifier. 71 72 typealiasactual 73 --------------- 74 75 Associates a previously declared [`typealias`](cil_type_statements.md#typealias) identifier to a previously declared [`type`](cil_type_statements.md#type) identifier. 76 77 **Statement definition:** 78 79 (typealiasactual typealias_id type_id) 80 81 **Where:** 82 83 <table> 84 <colgroup> 85 <col width="25%" /> 86 <col width="75%" /> 87 </colgroup> 88 <tbody> 89 <tr class="odd"> 90 <td align="left"><p><code>typealiasactual</code></p></td> 91 <td align="left"><p>The <code>typealiasactual</code> keyword.</p></td> 92 </tr> 93 <tr class="even"> 94 <td align="left"><p><code>typealias_id</code></p></td> 95 <td align="left"><p>A single previously declared <code>typealias</code> identifier.</p></td> 96 </tr> 97 <tr class="odd"> 98 <td align="left"><p><code>type_id</code></p></td> 99 <td align="left"><p>A single previously declared <code>type</code> identifier.</p></td> 100 </tr> 101 </tbody> 102 </table> 103 104 **Example:** 105 106 This example will alias `unconfined.process` as `unconfined_t` in the global namespace: 107 108 (typealias unconfined_t) 109 (typealiasactual unconfined_t unconfined.process) 110 111 (block unconfined 112 (type process) 113 ) 114 115 typeattribute 116 ------------- 117 118 Declares a type attribute identifier in the current namespace. The identifier may have zero or more [`type`](cil_type_statements.md#type), [`typealias`](cil_type_statements.md#typealias) and [`typeattribute`](cil_type_statements.md#typeattribute) identifiers associated to it via the [`typeattributeset`](cil_type_statements.md#typeattributeset) statement. 119 120 **Statement definition:** 121 122 (typeattribute typeattribute_id) 123 124 **Where:** 125 126 <table> 127 <colgroup> 128 <col width="25%" /> 129 <col width="75%" /> 130 </colgroup> 131 <tbody> 132 <tr class="odd"> 133 <td align="left"><p><code>typeattribute</code></p></td> 134 <td align="left"><p>The <code>typeattribute</code> keyword.</p></td> 135 </tr> 136 <tr class="even"> 137 <td align="left"><p><code>typeattribute_id</code></p></td> 138 <td align="left"><p>The <code>typeattribute</code> identifier.</p></td> 139 </tr> 140 </tbody> 141 </table> 142 143 **Example:** 144 145 This example declares a type attribute `domain` in global namespace that will have an empty set: 146 147 (typeattribute domain) 148 149 typeattributeset 150 ---------------- 151 152 Allows the association of one or more previously declared [`type`](cil_type_statements.md#type), [`typealias`](cil_type_statements.md#typealias) or [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to a [`typeattribute`](cil_type_statements.md#typeattribute) identifier. Expressions may be used to refine the associations as shown in the examples. 153 154 **Statement definition:** 155 156 (typeattributeset typeattribute_id (type_id ... | expr ...)) 157 158 **Where:** 159 160 <table> 161 <colgroup> 162 <col width="25%" /> 163 <col width="75%" /> 164 </colgroup> 165 <tbody> 166 <tr class="odd"> 167 <td align="left"><p><code>typeattributeset</code></p></td> 168 <td align="left"><p>The <code>typeattributeset</code> keyword.</p></td> 169 </tr> 170 <tr class="even"> 171 <td align="left"><p><code>typeattribute_id</code></p></td> 172 <td align="left"><p>A single previously declared <code>typeattribute</code> identifier.</p></td> 173 </tr> 174 <tr class="odd"> 175 <td align="left"><p><code>type_id</code></p></td> 176 <td align="left"><p>Zero or more previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifiers.</p> 177 <p>Note that there must be at least one <code>type_id</code> or <code>expr</code> parameter declared.</p></td> 178 </tr> 179 <tr class="even"> 180 <td align="left"><p><code>expr</code></p></td> 181 <td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p> 182 <p><code> (and (type_id ...) (type_id ...))</code></p> 183 <p><code> (or (type_id ...) (type_id ...))</code></p> 184 <p><code> (xor (type_id ...) (type_id ...))</code></p> 185 <p><code> (not (type_id ...))</code></p> 186 <p><code> (all)</code></p></td> 187 </tr> 188 </tbody> 189 </table> 190 191 **Examples:** 192 193 This example will take all the policy types and exclude those in `appdomain`. It is equivalent to `~appdomain` in the kernel policy language. 194 195 (typeattribute not_in_appdomain) 196 197 (typeattributeset not_in_appdomain (not (appdomain))) 198 199 This example is equivalent to `{ domain -kernel.process -ueventd.process -init.process }` in the kernel policy language: 200 201 (typeattribute na_kernel_or_ueventd_or_init_in_domain) 202 203 (typeattributeset na_kernel_or_ueventd_or_init_in_domain 204 (and 205 (and 206 (and 207 (domain) 208 (not (kernel.process)) 209 ) 210 (not (ueventd.process)) 211 ) 212 (not (init.process)) 213 ) 214 ) 215 216 typebounds 217 ---------- 218 219 This defines a hierarchical relationship between domains where the bounded domain cannot have more permissions than its bounding domain (the parent). 220 221 Requires kernel 2.6.28 and above to control the security context associated to threads in multi-threaded applications. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the bounding. 222 223 **Statement definition:** 224 225 (typebounds parent_type_id child_type_id) 226 227 **Where:** 228 229 <table> 230 <colgroup> 231 <col width="25%" /> 232 <col width="75%" /> 233 </colgroup> 234 <tbody> 235 <tr class="odd"> 236 <td align="left"><p><code>typebounds</code></p></td> 237 <td align="left"><p>The <code>typebounds</code> keyword.</p></td> 238 </tr> 239 <tr class="even"> 240 <td align="left"><p><code>parent_type_id</code></p></td> 241 <td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that is the parent domain.</p></td> 242 </tr> 243 <tr class="odd"> 244 <td align="left"><p><code>child_type_id</code></p></td> 245 <td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that is the bound (child) domain.</p></td> 246 </tr> 247 </tbody> 248 </table> 249 250 **Example:** 251 252 In this example the `httpd.child.process` cannot have `file (write)` due to lack of permissions on `httpd.process` which is the parent. It means the child domain will always have equal or less privileges than the parent: 253 254 (class file (getattr read write)) 255 256 (block httpd 257 (type process) 258 (type object) 259 260 (typebounds process child.process) 261 ; The parent is allowed file 'getattr' and 'read': 262 (allow process object (file (getattr read))) 263 264 (block child 265 (type process) 266 (type object) 267 268 ; However the child process has been given 'write' access that will be denied. 269 (allow process httpd.object (file (read write))) 270 ) 271 ) 272 273 typechange 274 ---------- 275 276 The type change rule is used to define a different label of an object for userspace SELinux-aware applications. These applications would use **`security_compute_relabel`**`(3)` and [`typechange`](cil_type_statements.md#typechange) rules in the policy to determine the new context to be applied. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the change. 277 278 **Statement definition:** 279 280 (typechange source_type_id target_type_id class_id change_type_id) 281 282 **Where:** 283 284 <table> 285 <colgroup> 286 <col width="25%" /> 287 <col width="75%" /> 288 </colgroup> 289 <tbody> 290 <tr class="odd"> 291 <td align="left"><p><code>typechange</code></p></td> 292 <td align="left"><p>The <code>typechange</code> keyword.</p></td> 293 </tr> 294 <tr class="even"> 295 <td align="left"><p><code>source_type_id</code></p></td> 296 <td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td> 297 </tr> 298 <tr class="odd"> 299 <td align="left"><p><code>target_type_id</code></p></td> 300 <td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td> 301 </tr> 302 <tr class="even"> 303 <td align="left"><p><code>class_id</code></p></td> 304 <td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td> 305 </tr> 306 <tr class="odd"> 307 <td align="left"><p><code>change_type_id</code></p></td> 308 <td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that will become the new type.</p></td> 309 </tr> 310 </tbody> 311 </table> 312 313 **Example:** 314 315 Whenever **`security_compute_relabel`**`(3)` is called with the following parameters: 316 317 ` scon=unconfined.object tcon=unconfined.object class=file` 318 319 the function will return a context of: 320 321 ` unconfined.object:object_r:unconfined.change_label:s0` 322 323 (class file (getattr read write)) 324 325 (block unconfined 326 (type process) 327 (type object) 328 (type change_label) 329 330 (typechange object object file change_label) 331 ) 332 333 typemember 334 ---------- 335 336 The type member rule is used to define a new polyinstantiated label of an object for SELinux-aware applications. These applications would use **`avc_compute_member`**`(3)` or **`security_compute_member`**`(3)` with the [`typemember`](cil_type_statements.md#typemember) rules in the policy to determine the context to be applied. The application would then manage any required polyinstantiation. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the membership. 337 338 **Statement definition:** 339 340 (typemember source_type_id target_type_id class_id member_type_id) 341 342 **Where:** 343 344 <table> 345 <colgroup> 346 <col width="25%" /> 347 <col width="75%" /> 348 </colgroup> 349 <tbody> 350 <tr class="odd"> 351 <td align="left"><p><code>typemember</code></p></td> 352 <td align="left"><p>The <code>typemember</code> keyword.</p></td> 353 </tr> 354 <tr class="even"> 355 <td align="left"><p><code>source_type_id</code></p></td> 356 <td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td> 357 </tr> 358 <tr class="odd"> 359 <td align="left"><p><code>target_type_id</code></p></td> 360 <td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td> 361 </tr> 362 <tr class="even"> 363 <td align="left"><p><code>class_id</code></p></td> 364 <td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td> 365 </tr> 366 <tr class="odd"> 367 <td align="left"><p><code>member_type_id</code></p></td> 368 <td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that will become the new member type.</p></td> 369 </tr> 370 </tbody> 371 </table> 372 373 **Example:** 374 375 Whenever **`avc_compute_member`**`(3)` or **`security_compute_member`**`(3)` is called with the following parameters: 376 377 ` scon=unconfined.object tcon=unconfined.object class=file` 378 379 the function will return a context of: 380 381 ` unconfined.object:object_r:unconfined.member_label:s0` 382 383 (class file (getattr read write)) 384 385 (block unconfined 386 (type process) 387 (type object) 388 (type change_label) 389 390 (typemember object object file member_label) 391 ) 392 393 typetransition 394 -------------- 395 396 The type transition rule specifies the labeling and object creation allowed between the `source_type` and `target`\_type when a domain transition is requested. Kernels from 2.6.39 with policy versions from 25 and above also support a 'name transition' rule, however this is not allowed inside conditionals and currently only supports the file classes. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the transition. 397 398 **Statement definition:** 399 400 (typetransition source_type_id target_type_id class_id [object_name] default_type_id) 401 402 **Where:** 403 404 <table> 405 <colgroup> 406 <col width="25%" /> 407 <col width="75%" /> 408 </colgroup> 409 <tbody> 410 <tr class="odd"> 411 <td align="left"><p><code>typetransition</code></p></td> 412 <td align="left"><p>The <code>typetransition</code> keyword.</p></td> 413 </tr> 414 <tr class="even"> 415 <td align="left"><p><code>source_type_id</code></p></td> 416 <td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td> 417 </tr> 418 <tr class="odd"> 419 <td align="left"><p><code>target_type_id</code></p></td> 420 <td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td> 421 </tr> 422 <tr class="even"> 423 <td align="left"><p><code>class_id</code></p></td> 424 <td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td> 425 </tr> 426 <tr class="odd"> 427 <td align="left"><p><code>object_name</code></p></td> 428 <td align="left"><p>A optional string within double quotes representing an object name for the 'name transition' rule. This string will be matched against the objects name (if a path then the last component of that path). If the string matches exactly, the <code>default_type_id</code> will then become the new type.</p></td> 429 </tr> 430 <tr class="even"> 431 <td align="left"><p><code>default_type_id</code></p></td> 432 <td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that will become the new type.</p></td> 433 </tr> 434 </tbody> 435 </table> 436 437 **Examples:** 438 439 This example shows a process transition rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule: 440 441 (macro domain_auto_trans ((type ARG1) (type ARG2) (type ARG3)) 442 ; Allow the necessary permissions. 443 (call domain_trans (ARG1 ARG2 ARG3)) 444 ; Make the transition occur by default. 445 (typetransition ARG1 ARG2 process ARG3) 446 ) 447 448 This example shows a file object transition rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule: 449 450 (macro tmpfs_domain ((type ARG1)) 451 (type tmpfs) 452 (typeattributeset file_type (tmpfs)) 453 (typetransition ARG1 file.tmpfs file tmpfs) 454 (allow ARG1 tmpfs (file (read write execute execmod))) 455 ) 456 457 This example shows the 'name transition' rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule: 458 459 (macro write_klog ((type ARG1)) 460 (typetransition ARG1 device.device chr_file "__kmsg__" device.klog_device) 461 (allow ARG1 device.klog_device (chr_file (create open write unlink))) 462 (allow ARG1 device.device (dir (write add_name remove_name))) 463 ) 464 465 typepermissive 466 -------------- 467 468 Policy database version 23 introduced the permissive statement to allow the named domain to run in permissive mode instead of running all SELinux domains in permissive mode (that was the only option prior to version 23). Note that the permissive statement only tests the source context for any policy denial. 469 470 **Statement definition:** 471 472 (typepermissive source_type_id) 473 474 **Where:** 475 476 <table> 477 <colgroup> 478 <col width="25%" /> 479 <col width="75%" /> 480 </colgroup> 481 <tbody> 482 <tr class="odd"> 483 <td align="left"><p><code>typepermissive</code></p></td> 484 <td align="left"><p>The <code>typepermissive</code> keyword.</p></td> 485 </tr> 486 <tr class="even"> 487 <td align="left"><p><code>source_type_id</code></p></td> 488 <td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier.</p></td> 489 </tr> 490 </tbody> 491 </table> 492 493 **Example:** 494 495 This example will allow SELinux to run the `healthd.process` domain in permissive mode even when enforcing is enabled: 496 497 (block healthd 498 (type process) 499 (typepermissive process) 500 501 (allow ...) 502 ) 503
