1Role Statements 2=============== 3 4role 5---- 6 7Declares a role identifier in the current namespace. 8 9**Statement definition:** 10 11 (role role_id) 12 13**Where:** 14 15<table> 16<colgroup> 17<col width="25%" /> 18<col width="75%" /> 19</colgroup> 20<tbody> 21<tr class="odd"> 22<td align="left"><p><code>role</code></p></td> 23<td align="left"><p>The <code>role</code> keyword.</p></td> 24</tr> 25<tr class="even"> 26<td align="left"><p><code>role_id</code></p></td> 27<td align="left"><p>The <code>role</code> identifier.</p></td> 28</tr> 29</tbody> 30</table> 31 32**Example:** 33 34This example declares two roles: `object_r` in the global namespace and `unconfined.role`: 35 36 (role object_r) 37 38 (block unconfined 39 (role role) 40 ) 41 42roletype 43-------- 44 45Authorises a [`role`](cil_role_statements.md#role) to access a [`type`](cil_type_statements.md#type) identifier. 46 47**Statement definition:** 48 49 (role role_id type_id) 50 51**Where:** 52 53<table> 54<colgroup> 55<col width="25%" /> 56<col width="75%" /> 57</colgroup> 58<tbody> 59<tr class="odd"> 60<td align="left"><p><code>roletype</code></p></td> 61<td align="left"><p>The <code>roletype</code> keyword.</p></td> 62</tr> 63<tr class="even"> 64<td align="left"><p><code>role_id</code></p></td> 65<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td> 66</tr> 67<tr class="odd"> 68<td align="left"><p><code>type_id</code></p></td> 69<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td> 70</tr> 71</tbody> 72</table> 73 74**Example:** 75 76This example will declare [`role`](cil_role_statements.md#role) and [`type`](cil_type_statements.md#type) identifiers, then associate them: 77 78 (block unconfined 79 (role role) 80 (type process) 81 (roletype role process) 82 ) 83 84roleattribute 85------------- 86 87Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`roleattributeset`](cil_role_statements.md#roleattributeset) statement. 88 89**Statement definition:** 90 91 (roleattribute roleattribute_id) 92 93**Where:** 94 95<table> 96<colgroup> 97<col width="25%" /> 98<col width="75%" /> 99</colgroup> 100<tbody> 101<tr class="odd"> 102<td align="left"><p><code>roleattribute</code></p></td> 103<td align="left"><p>The <code>roleattribute</code> keyword.</p></td> 104</tr> 105<tr class="even"> 106<td align="left"><p><code>roleattribute_id</code></p></td> 107<td align="left"><p>The <code>roleattribute</code> identifier.</p></td> 108</tr> 109</tbody> 110</table> 111 112**Example:** 113 114This example will declare a role attribute `roles.role_holder` that will have an empty set: 115 116 (block roles 117 (roleattribute role_holder) 118 ) 119 120roleattributeset 121---------------- 122 123Allows the association of one or more previously declared [`role`](cil_role_statements.md#role) identifiers to a [`roleattribute`](cil_role_statements.md#roleattribute) identifier. Expressions may be used to refine the associations as shown in the examples. 124 125**Statement definition:** 126 127 (roleattributeset roleattribute_id (role_id ... | expr ...)) 128 129**Where:** 130 131<table> 132<colgroup> 133<col width="25%" /> 134<col width="75%" /> 135</colgroup> 136<tbody> 137<tr class="odd"> 138<td align="left"><p><code>roleattributeset</code></p></td> 139<td align="left"><p>The <code>roleattributeset</code> keyword.</p></td> 140</tr> 141<tr class="even"> 142<td align="left"><p><code>roleattribute_id</code></p></td> 143<td align="left"><p>A single previously declared <code>roleattribute</code> identifier.</p></td> 144</tr> 145<tr class="odd"> 146<td align="left"><p><code>role_id</code></p></td> 147<td align="left"><p>Zero or more previously declared <code>role</code> or <code>roleattribute</code> identifiers.</p> 148<p>Note that there must be at least one <code>role_id</code> or <code>expr</code> parameter declared.</p></td> 149</tr> 150<tr class="even"> 151<td align="left"><p><code>expr</code></p></td> 152<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p> 153<p><code> (and (role_id ...) (role_id ...))</code></p> 154<p><code> (or (role_id ...) (role_id ...))</code></p> 155<p><code> (xor (role_id ...) (role_id ...))</code></p> 156<p><code> (not (role_id ...))</code></p> 157<p><code> (all)</code></p></td> 158</tr> 159</tbody> 160</table> 161 162**Example:** 163 164This example will declare three roles and two role attributes, then associate all the roles to them as shown: 165 166 (block roles 167 (role role_1) 168 (role role_2) 169 (role role_3) 170 171 (roleattribute role_holder) 172 (roleattributeset role_holder (role_1 role_2 role_3)) 173 174 (roleattribute role_holder_all) 175 (roleattributeset role_holder_all (all)) 176 ) 177 178roleallow 179--------- 180 181Authorise the current role to assume a new role. 182 183Notes: 184 185- May require a [`roletransition`](cil_role_statements.md#roletransition) rule to ensure transition to the new role. 186 187- This rule is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) statements. 188 189**Statement definition:** 190 191 (roleallow current_role_id new_role_id) 192 193**Where:** 194 195<table> 196<colgroup> 197<col width="25%" /> 198<col width="75%" /> 199</colgroup> 200<tbody> 201<tr class="odd"> 202<td align="left"><p><code>roleallow</code></p></td> 203<td align="left"><p>The <code>roleallow</code> keyword.</p></td> 204</tr> 205<tr class="even"> 206<td align="left"><p><code>current_role_id</code></p></td> 207<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td> 208</tr> 209<tr class="odd"> 210<td align="left"><p><code>new_role_id</code></p></td> 211<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td> 212</tr> 213</tbody> 214</table> 215 216**Example:** 217 218See the [`roletransition`](cil_role_statements.md#roletransition) statement for an example. 219 220roletransition 221-------------- 222 223Specify a role transition from the current role to a new role when computing a context for the target type. The [`class`](cil_class_and_permission_statements.md#class) identifier would normally be `process`, however for kernel versions 2.6.39 with policy version \>= 25 and above, any valid class may be used. Note that a [`roleallow`](cil_role_statements.md#roleallow) rule must be used to authorise the transition. 224 225**Statement definition:** 226 227 (roletransition current_role_id target_type_id class_id new_role_id) 228 229**Where:** 230 231<table> 232<colgroup> 233<col width="25%" /> 234<col width="75%" /> 235</colgroup> 236<tbody> 237<tr class="odd"> 238<td align="left"><p><code>roletransition</code></p></td> 239<td align="left"><p>The <code>roletransition</code> keyword.</p></td> 240</tr> 241<tr class="even"> 242<td align="left"><p><code>current_role_id</code></p></td> 243<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td> 244</tr> 245<tr class="odd"> 246<td align="left"><p><code>target_type_id</code></p></td> 247<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td> 248</tr> 249<tr class="even"> 250<td align="left"><p><code>class_id</code></p></td> 251<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td> 252</tr> 253<tr class="odd"> 254<td align="left"><p><code>new_role_id</code></p></td> 255<td align="left"><p>A single previously declared <code>role</code> identifier to be set on transition.</p></td> 256</tr> 257</tbody> 258</table> 259 260**Example:** 261 262This example will authorise the `unconfined.role` to assume the `msg_filter.role` role, and then transition to that role: 263 264 (block ext_gateway 265 (type process) 266 (type exec) 267 268 (roletype msg_filter.role process) 269 (roleallow unconfined.role msg_filter.role) 270 (roletransition unconfined.role exec process msg_filter.role) 271 ) 272 273rolebounds 274---------- 275 276Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent. 277 278Notes: 279 280- It is not possible to bind the parent role to more than one child role. 281 282- While this is added to the binary policy, it is not enforced by the SELinux kernel services. 283 284**Statement definition:** 285 286 (rolebounds parent_role_id child_role_id) 287 288**Where:** 289 290<table> 291<colgroup> 292<col width="25%" /> 293<col width="75%" /> 294</colgroup> 295<tbody> 296<tr class="odd"> 297<td align="left"><p><code>rolebounds</code></p></td> 298<td align="left"><p>The <code>rolebounds</code> keyword.</p></td> 299</tr> 300<tr class="even"> 301<td align="left"><p><code>parent_role_id</code></p></td> 302<td align="left"><p>A single previously declared <code>role</code> identifier.</p></td> 303</tr> 304<tr class="odd"> 305<td align="left"><p><code>child_role_id</code></p></td> 306<td align="left"><p>A single previously declared <code>role</code> identifier.</p></td> 307</tr> 308</tbody> 309</table> 310 311**Example:** 312 313In this example the role `test` cannot have greater privileges than `unconfined.role`: 314 315 (role test) 316 317 (unconfined 318 (role role) 319 (rolebounds role .test) 320 ) 321