Default Object Statements
=========================

These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.

defaultuser
-----------

Allows the default user to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultuser class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultuser</code></p></td>
<td align="left"><p>The <code>defaultuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service`, `zygote` or `memprotect` objects the [`user`](cil_user_statements.md#user) component of the new security context will be taken from the `source` context. The `android_classes` classmap expands to every class named in its `classmapping` statements, so one `defaultuser` statement covers four classes:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
    (class memprotect (mmap_zero))

    (classmap android_classes (android))
    (classmapping android_classes android (binder (all)))
    (classmapping android_classes android (property_service (set)))
    (classmapping android_classes android (zygote (not (specifycapabilities))))

    (defaultuser (android_classes memprotect) source)

    ; Will produce the following in the binary policy file:
    ;; default_user binder source;
    ;; default_user zygote source;
    ;; default_user property_service source;
    ;; default_user memprotect source;

defaultrole
-----------

Allows the default role to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultrole class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrole</code></p></td>
<td align="left"><p>The <code>defaultrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service` or `zygote` objects the [`role`](cil_role_statements.md#role) component of the new security context will be taken from the `target` context:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (defaultrole (binder property_service zygote) target)

    ; Will produce the following in the binary policy file:
    ;; default_role binder target;
    ;; default_role zygote target;
    ;; default_role property_service target;

defaulttype
-----------

Allows the default type to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 28.

**Statement definition:**

    (defaulttype class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaulttype</code></p></td>
<td align="left"><p>The <code>defaulttype</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `socket` object, the [`type`](cil_type_statements.md#type) component of the new security context will be taken from the `source` context:

    (defaulttype socket source)

defaultrange
------------

Allows the default level or range to be taken from the source, target, or both contexts when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. Using `glblub` as the default requires policy version 32.

**Statement definition:**

    (defaultrange class_id default <range>)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrange</code></p></td>
<td align="left"><p>The <code>defaultrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code>, <code>target</code>, or <code>glblub</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>range</code></p></td>
<td align="left"><p>A keyword of either <code>low</code>, <code>high</code>, or <code>low-high</code>, selecting which part of the chosen context's range is used. It is given with <code>source</code> or <code>target</code> and omitted with <code>glblub</code>, as in the second example below.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `file` object, the full `low-high` range of the new security context will be taken from the `target` context:

    (defaultrange file target low-high)

MLS userspace object managers may need to compute the common parts of a range so that the object is created with the range common to the subject and the containing object:

    (defaultrange db_table glblub)
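A small Python model of how these statements combine, added here for illustration and not code from secilc or libsepol: it reads the four `default*` forms (expanding a `classmap` through its `classmapping` statements, as the `binder` example does), then picks the user, role, type and range of a new object's context from the source or target context, including the `glblub` case where the new range is the part common to both ranges. MLS levels are simplified to `(sensitivity, categories)` tuples, and copying the target for a component that has no rule is an assumption of this model, not the kernel's actual fallback.

```python
import re
SAMPLE_CIL = """
(classmapping android_classes android (binder (all)))
(defaultuser (android_classes memprotect) source)
(defaultrange db_table glblub)
"""  # constructed sample, condensed from the examples on this page

def parse_cil(text):
    """Minimal S-expression reader; ';' comments are dropped first."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";.*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    return stack[0]

def load_defaults(text):
    """{class: {component: default}}; a classmap id expands to its mapped classes."""
    forms, classmaps, rules = parse_cil(text), {}, {}
    for f in forms:
        if f[0] == "classmapping":
            classmaps.setdefault(f[1], set()).add(f[3][0])
    for f in forms:
        if f[0] in ("defaultuser", "defaultrole", "defaulttype", "defaultrange"):
            ids = f[1] if isinstance(f[1], list) else [f[1]]
            value = (f[2], f[3] if len(f) > 3 else None) if f[0] == "defaultrange" else f[2]
            for cls in (c for i in ids for c in classmaps.get(i, {i})):
                rules.setdefault(cls, {})[f[0][7:]] = value  # key: user/role/type/range
    return rules

def compute_context(rules, cls, source, target):
    """Apply the class's default rules; a component with no rule copies the target (simplified)."""
    ctx, by_name = dict(target), {"source": source, "target": target}
    for comp in ("user", "role", "type"):
        if comp in rules.get(cls, {}):
            ctx[comp] = by_name[rules[cls][comp]][comp]
    pick, part = rules.get(cls, {}).get("range", (None, None))
    if pick == "glblub":  # range common to both: lub of the lows, glb of the highs
        ((sl, cl), (sh, ch)), ((tl, ctl), (th, cth)) = source["range"], target["range"]
        low, high = (max(sl, tl), cl | ctl), (min(sh, th), ch & cth)
        if not (high[0] >= low[0] and high[1] >= low[1]):
            raise ValueError("subject and object ranges do not overlap")
        ctx["range"] = (low, high)
    elif pick:  # source or target, then its low, high or low-high part
        lo, hi = by_name[pick]["range"]
        ctx["range"] = {"low": (lo, lo), "high": (hi, hi), "low-high": (lo, hi)}[part]
    return ctx
```

The reader is only as complete as these statements need and performs no CIL validation; feeding it the full examples above (comments included) yields the same per-class rules the `;;` comments list.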