Conditional Statements
======================

boolean
-------

Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file.

**Statement definition:**

    (boolean boolean_id true|false)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>boolean</code></p></td>
<td align="left"><p>The <code>boolean</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>boolean_id</code></p></td>
<td align="left"><p>The <code>boolean</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>true | false</code></p></td>
<td align="left"><p>The initial state of the boolean. This can be changed at run time using <strong><code>setsebool</code></strong><code>(8)</code> and its status queried using <strong><code>getsebool</code></strong><code>(8)</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`booleanif`](cil_conditional_statements.md#booleanif) statement for an example.

booleanif
---------

Contains the run time conditional statements that are instantiated in the binary policy according to the computed boolean identifier(s) state.

[`call`](cil_call_macro_statements.md#call) statements are allowed within a [`booleanif`](cil_conditional_statements.md#booleanif); however, the contents of the resulting macro must be limited to those of the [`booleanif`](cil_conditional_statements.md#booleanif) statement (i.e. [`allow`](cil_access_vector_rules.md#allow), [`auditallow`](cil_access_vector_rules.md#auditallow), [`dontaudit`](cil_access_vector_rules.md#dontaudit), [`typemember`](cil_type_statements.md#typemember), [`typetransition`](cil_type_statements.md#typetransition), [`typechange`](cil_type_statements.md#typechange) and the compile time [`tunableif`](cil_conditional_statements.md#tunableif) statement).

**Statement definition:**

    (booleanif boolean_id | expr ...)
        (true
            cil_statements
            ...)
        (false
            cil_statements
            ...)
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>booleanif</code></p></td>
<td align="left"><p>The <code>booleanif</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>boolean_id</code></p></td>
<td align="left"><p>Either a single <code>boolean</code> identifier or one or more <code>expr</code>'s.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code> (and (boolean_id boolean_id))</code></p>
<p><code> (or (boolean_id boolean_id))</code></p>
<p><code> (xor (boolean_id boolean_id))</code></p>
<p><code> (eq (boolean_id boolean_id))</code></p>
<p><code> (neq (boolean_id boolean_id))</code></p>
<p><code> (not (boolean_id))</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>true</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>boolean</code> is evaluated as <code>true</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>false</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>boolean</code> is evaluated as <code>false</code>.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The second example also shows the kernel policy language equivalent:

    (boolean disableAudio false)

    (booleanif disableAudio
        (false
            (allow process mediaserver.audio_device (chr_file_set (rw_file_perms)))
        )
    )

    (boolean disableAudioCapture false)

    ;;; if(!disableAudio && !disableAudioCapture) {
    (booleanif (and (not disableAudio) (not disableAudioCapture))
        (true
            (allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))
        )
    )

tunable
-------

Tunables are similar to booleans; however, they are used to manage areas of CIL statements that may or may not be in the final CIL policy that will be compiled (whereas booleans are embedded in the binary policy and can be enabled or disabled at run time).

Note that the CIL compiler treats tunables as booleans when it is given the `-P` or `--preserve-tunables` command line flag.

**Statement definition:**

    (tunable tunable_id true|false)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>tunable</code></p></td>
<td align="left"><p>The <code>tunable</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>tunable_id</code></p></td>
<td align="left"><p>The <code>tunable</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>true | false</code></p></td>
<td align="left"><p>The initial state of the <code>tunable</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`tunableif`](cil_conditional_statements.md#tunableif) statement for an example.

tunableif
---------

Compile time conditional statement that may or may not add CIL statements to be compiled.

**Statement definition:**

    (tunableif tunable_id | expr ...)
        (true
            cil_statements
            ...)
        (false
            cil_statements
            ...)
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>tunableif</code></p></td>
<td align="left"><p>The <code>tunableif</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>tunable_id</code></p></td>
<td align="left"><p>Either a single <code>tunable</code> identifier or one or more <code>expr</code>'s.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code> (and (tunable_id tunable_id))</code></p>
<p><code> (or (tunable_id tunable_id))</code></p>
<p><code> (xor (tunable_id tunable_id))</code></p>
<p><code> (eq (tunable_id tunable_id))</code></p>
<p><code> (neq (tunable_id tunable_id))</code></p>
<p><code> (not (tunable_id))</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>true</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>tunable</code> is evaluated as <code>true</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>false</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>tunable</code> is evaluated as <code>false</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will not add the range transition rule to the binary policy:

    (tunable range_trans_rule false)

    (block init
        (class process (process))
        (type process)

        (tunableif range_trans_rule
            (true
                (rangetransition process sshd.exec process low_high)
            )
        ) ; End tunableif
    ) ; End block
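
**Added example (not part of the CIL documentation or the secilc code base):** a simplified Python reader that reports which rules the `booleanif` blocks from this page instantiate for a given boolean state, which is the set that changes when `setsebool` flips a boolean at run time. It assumes unquoted tokens and ignores block namespaces; `parse`, `evaluate`, `find` and `active_rules` are hypothetical helper names.

```python
import re
from operator import and_, eq, ne, not_, or_, xor

# Operators the page lists for booleanif expressions.
OPS = {"and": and_, "or": or_, "xor": xor, "eq": eq, "neq": ne, "not": not_}
# Sample input: the page's two booleanif examples.
SAMPLE = """(boolean disableAudio false)
(booleanif disableAudio
  (false (allow process mediaserver.audio_device (chr_file_set (rw_file_perms)))))
(boolean disableAudioCapture false)
;;; if(!disableAudio && !disableAudioCapture) {
(booleanif (and (not disableAudio) (not disableAudioCapture))
  (true (allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))))
"""

def parse(text):  # CIL s-expressions -> nested lists; ';' comments are dropped
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";.*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # IndexError on a stray ')'
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]

def evaluate(expr, state):  # expr is a boolean_id or an (op expr ...) list
    if isinstance(expr, str):
        return state[expr]
    return OPS[expr[0]](*(evaluate(arg, state) for arg in expr[1:]))

def find(nodes, keyword):  # yield statements starting with keyword, at any depth
    for n in nodes:
        if isinstance(n, list):
            if n[:1] == [keyword]:
                yield n
            yield from find(n, keyword)

def active_rules(text, overrides=None):
    """Return the statements the booleanif blocks instantiate for a boolean state."""
    tree, active = parse(text), []
    state = {b[1]: b[2] == "true" for b in find(tree, "boolean")}
    state.update(overrides or {})  # simulate setsebool on top of the defaults
    for _, cond, *branches in find(tree, "booleanif"):
        chosen = "true" if evaluate(cond, state) else "false"
        active += [s for name, *stmts in branches if name == chosen for s in stmts]
    return active
```

Calling `active_rules(SAMPLE, {"disableAudio": True})` shows that setting the one boolean removes both `allow` rules, because the second condition also depends on it.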