Default Object Statements
=========================

These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.

defaultuser
-----------

Allows the default user to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

```secil
    (defaultuser class_id default)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultuser</code></p></td>
<td align="left"><p>The <code>defaultuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service`, `zygote` or `memprotect` objects the [`user`](cil_user_statements.md#user) component of the new security context will be taken from the `source` context:

```secil
    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
    (class memprotect (mmap_zero))

    (classmap android_classes (android))
    (classmapping android_classes android (binder (all)))
    (classmapping android_classes android (property_service (set)))
    (classmapping android_classes android (zygote (not (specifycapabilities))))

    (defaultuser (android_classes memprotect) source)

    ; Will produce the following in the binary policy file:
    ;; default_user binder source;
    ;; default_user zygote source;
    ;; default_user property_service source;
    ;; default_user memprotect source;
```

defaultrole
-----------

Allows the default role to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

```secil
    (defaultrole class_id default)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrole</code></p></td>
<td align="left"><p>The <code>defaultrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service` or `zygote` objects the [`role`](cil_role_statements.md#role) component of the new security context will be taken from the `target` context:

```secil
    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (defaultrole (binder property_service zygote) target)

    ; Will produce the following in the binary policy file:
    ;; default_role binder target;
    ;; default_role zygote target;
    ;; default_role property_service target;
```

defaulttype
-----------

Allows the default type to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 28.

**Statement definition:**

```secil
    (defaulttype class_id default)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaulttype</code></p></td>
<td align="left"><p>The <code>defaulttype</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `socket` object, the [`type`](cil_type_statements.md#type) component of the new security context will be taken from the `source` context:

```secil
    (defaulttype socket source)
```

defaultrange
------------

Allows the default level or range to be taken from the source, target, or both contexts when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. `glblub` as the default requires policy version 32.

**Statement definition:**

```secil
    (defaultrange class_id default <range>)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrange</code></p></td>
<td align="left"><p>The <code>defaultrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code>, <code>target</code>, or <code>glblub</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>range</code></p></td>
<td align="left"><p>A keyword of either <code>low</code>, <code>high</code>, or <code>low-high</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `file` object, the appropriate `range` component of the new security context will be taken from the `target` context:

```secil
    (defaultrange file target low-high)
```

MLS userspace object managers may need to compute the common parts of a range such that the object is created with the range common to the subject and containing object:

```secil
    (defaultrange db_table glblub)
```
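To make the effect of these four statements concrete, the following is an added illustrative model, not CIL's own code nor the kernel's: it takes a source and a target context, a set of default rules of the kinds this page describes, and returns the context the new object would get. The `compute_context` and `glblub` functions, the rule dictionary layout and the sample contexts are all constructed for this example; the `glblub` computation models the "range common to both" idea (new low is the least upper bound of the two lows, new high the greatest lower bound of the two highs).

```python
# Added illustrative model (not CIL's or the kernel's code) of how the default
# object statements pick the components of a new object's context. Contexts are
# "user:role:type:range", levels look like "s1:c2,c3", ranges "low-high".

def parse_level(text):
    """'s2:c1,c3' -> (2, {1, 3}); 's0' -> (0, set())"""
    sens, _, cats = text.partition(":")
    return int(sens[1:]), {int(c[1:]) for c in cats.split(",") if c}

def parse_context(ctx):
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return {"user": user, "role": role, "type": typ,
            "low": lo, "high": parse_level(high) if high else lo}

def fmt_level(level):
    sens, cats = level
    return f"s{sens}" + (":" + ",".join(f"c{c}" for c in sorted(cats)) if cats else "")

def fmt_context(p):
    rng = fmt_level(p["low"])
    if p["high"] != p["low"]:
        rng += "-" + fmt_level(p["high"])
    return ":".join((p["user"], p["role"], p["type"], rng))

def glblub(s, t):
    """Common part of both ranges: lub of the lows, glb of the highs; None if disjoint."""
    low = (max(s["low"][0], t["low"][0]), s["low"][1] | t["low"][1])
    high = (min(s["high"][0], t["high"][0]), s["high"][1] & t["high"][1])
    if low[0] > high[0] or not low[1] <= high[1]:
        return None  # no common range: creating the object fails
    return low, high

def compute_context(source, target, rules):
    """rules: component -> 'source'|'target'; 'range' -> (who, part), who in source/target/glblub."""
    pick = {"source": parse_context(source), "target": parse_context(target)}
    new = {k: pick[rules[k]][k] for k in ("user", "role", "type")}
    who, part = rules["range"]
    if who == "glblub":
        rng = glblub(pick["source"], pick["target"])
        if rng is None:
            raise ValueError("glblub: source and target ranges have no common part")
        new["low"], new["high"] = rng
    elif part == "low-high":  # the whole range of the chosen context
        new["low"], new["high"] = pick[who]["low"], pick[who]["high"]
    else:  # 'low' or 'high': that single level becomes the object's range
        new["low"] = new["high"] = pick[who][part]
    return fmt_context(new)
```

With a source of `user_u:user_r:app_t:s0:c1,c2-s3:c1,c2,c3` and a target of `system_u:object_r:db_t:s1:c2-s2:c1,c2,c3,c4`, the `(defaultrange db_table glblub)` rule yields the range `s1:c1,c2-s2:c1,c2,c3`, while `(defaultrange file target low-high)` copies the target's range unchanged.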