• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Role Statements
2===============
3
4role
5----
6
7Declares a role identifier in the current namespace.
8
9**Statement definition:**
10
11    (role role_id)
12
13**Where:**
14
15<table>
16<colgroup>
17<col width="25%" />
18<col width="75%" />
19</colgroup>
20<tbody>
21<tr class="odd">
22<td align="left"><p><code>role</code></p></td>
23<td align="left"><p>The <code>role</code> keyword.</p></td>
24</tr>
25<tr class="even">
26<td align="left"><p><code>role_id</code></p></td>
27<td align="left"><p>The <code>role</code> identifier.</p></td>
28</tr>
29</tbody>
30</table>
31
32**Example:**
33
34This example declares two roles: `object_r` in the global namespace and `unconfined.role`:
35
36    (role object_r)
37
38    (block unconfined
39        (role role)
40    )
41
42roletype
43--------
44
45Authorises a [`role`](cil_role_statements.md#role) to access a [`type`](cil_type_statements.md#type) identifier.
46
47**Statement definition:**
48
49    (role role_id type_id)
50
51**Where:**
52
53<table>
54<colgroup>
55<col width="25%" />
56<col width="75%" />
57</colgroup>
58<tbody>
59<tr class="odd">
60<td align="left"><p><code>roletype</code></p></td>
61<td align="left"><p>The <code>roletype</code> keyword.</p></td>
62</tr>
63<tr class="even">
64<td align="left"><p><code>role_id</code></p></td>
65<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
66</tr>
67<tr class="odd">
68<td align="left"><p><code>type_id</code></p></td>
69<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
70</tr>
71</tbody>
72</table>
73
74**Example:**
75
76This example will declare [`role`](cil_role_statements.md#role) and [`type`](cil_type_statements.md#type) identifiers, then associate them:
77
78    (block unconfined
79        (role role)
80        (type process)
81        (roletype role process)
82    )
83
84roleattribute
85-------------
86
87Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`roleattributeset`](cil_role_statements.md#roleattributeset) statement.
88
89**Statement definition:**
90
91    (roleattribute roleattribute_id)
92
93**Where:**
94
95<table>
96<colgroup>
97<col width="25%" />
98<col width="75%" />
99</colgroup>
100<tbody>
101<tr class="odd">
102<td align="left"><p><code>roleattribute</code></p></td>
103<td align="left"><p>The <code>roleattribute</code> keyword.</p></td>
104</tr>
105<tr class="even">
106<td align="left"><p><code>roleattribute_id</code></p></td>
107<td align="left"><p>The <code>roleattribute</code> identifier.</p></td>
108</tr>
109</tbody>
110</table>
111
112**Example:**
113
114This example will declare a role attribute `roles.role_holder` that will have an empty set:
115
116    (block roles
117        (roleattribute role_holder)
118    )
119
120roleattributeset
121----------------
122
123Allows the association of one or more previously declared [`role`](cil_role_statements.md#role) identifiers to a [`roleattribute`](cil_role_statements.md#roleattribute) identifier. Expressions may be used to refine the associations as shown in the examples.
124
125**Statement definition:**
126
127    (roleattributeset roleattribute_id (role_id ... | expr ...))
128
129**Where:**
130
131<table>
132<colgroup>
133<col width="25%" />
134<col width="75%" />
135</colgroup>
136<tbody>
137<tr class="odd">
138<td align="left"><p><code>roleattributeset</code></p></td>
139<td align="left"><p>The <code>roleattributeset</code> keyword.</p></td>
140</tr>
141<tr class="even">
142<td align="left"><p><code>roleattribute_id</code></p></td>
143<td align="left"><p>A single previously declared <code>roleattribute</code> identifier.</p></td>
144</tr>
145<tr class="odd">
146<td align="left"><p><code>role_id</code></p></td>
147<td align="left"><p>Zero or more previously declared <code>role</code> or <code>roleattribute</code> identifiers.</p>
148<p>Note that there must be at least one <code>role_id</code> or <code>expr</code> parameter declared.</p></td>
149</tr>
150<tr class="even">
151<td align="left"><p><code>expr</code></p></td>
152<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
153<p><code>    (and (role_id ...) (role_id ...))</code></p>
154<p><code>    (or  (role_id ...) (role_id ...))</code></p>
155<p><code>    (xor (role_id ...) (role_id ...))</code></p>
156<p><code>    (not (role_id ...))</code></p>
157<p><code>    (all)</code></p></td>
158</tr>
159</tbody>
160</table>
161
162**Example:**
163
164This example will declare three roles and two role attributes, then associate all the roles to them as shown:
165
166    (block roles
167        (role role_1)
168        (role role_2)
169        (role role_3)
170
171        (roleattribute role_holder)
172        (roleattributeset role_holder (role_1 role_2 role_3))
173
174        (roleattribute role_holder_all)
175        (roleattributeset role_holder_all (all))
176    )
177
178roleallow
179---------
180
181Authorise the current role to assume a new role.
182
183Notes:
184
185-   May require a [`roletransition`](cil_role_statements.md#roletransition) rule to ensure transition to the new role.
186
187-   This rule is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) statements.
188
189**Statement definition:**
190
191    (roleallow current_role_id new_role_id)
192
193**Where:**
194
195<table>
196<colgroup>
197<col width="25%" />
198<col width="75%" />
199</colgroup>
200<tbody>
201<tr class="odd">
202<td align="left"><p><code>roleallow</code></p></td>
203<td align="left"><p>The <code>roleallow</code> keyword.</p></td>
204</tr>
205<tr class="even">
206<td align="left"><p><code>current_role_id</code></p></td>
207<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
208</tr>
209<tr class="odd">
210<td align="left"><p><code>new_role_id</code></p></td>
211<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
212</tr>
213</tbody>
214</table>
215
216**Example:**
217
218See the [`roletransition`](cil_role_statements.md#roletransition) statement for an example.
219
220roletransition
221--------------
222
223Specify a role transition from the current role to a new role when computing a context for the target type. The [`class`](cil_class_and_permission_statements.md#class) identifier would normally be `process`, however for kernel versions 2.6.39 with policy version \>= 25 and above, any valid class may be used. Note that a [`roleallow`](cil_role_statements.md#roleallow) rule must be used to authorise the transition.
224
225**Statement definition:**
226
227    (roletransition current_role_id target_type_id class_id new_role_id)
228
229**Where:**
230
231<table>
232<colgroup>
233<col width="25%" />
234<col width="75%" />
235</colgroup>
236<tbody>
237<tr class="odd">
238<td align="left"><p><code>roletransition</code></p></td>
239<td align="left"><p>The <code>roletransition</code> keyword.</p></td>
240</tr>
241<tr class="even">
242<td align="left"><p><code>current_role_id</code></p></td>
243<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
244</tr>
245<tr class="odd">
246<td align="left"><p><code>target_type_id</code></p></td>
247<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
248</tr>
249<tr class="even">
250<td align="left"><p><code>class_id</code></p></td>
251<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
252</tr>
253<tr class="odd">
254<td align="left"><p><code>new_role_id</code></p></td>
255<td align="left"><p>A single previously declared <code>role</code> identifier to be set on transition.</p></td>
256</tr>
257</tbody>
258</table>
259
260**Example:**
261
262This example will authorise the `unconfined.role` to assume the `msg_filter.role` role, and then transition to that role:
263
264    (block ext_gateway
265        (type process)
266        (type exec)
267
268        (roletype msg_filter.role process)
269        (roleallow unconfined.role msg_filter.role)
270        (roletransition unconfined.role exec process msg_filter.role)
271    )
272
273rolebounds
274----------
275
276Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.
277
278Notes:
279
280-   It is not possible to bind the parent role to more than one child role.
281
282-   While this is added to the binary policy, it is not enforced by the SELinux kernel services.
283
284**Statement definition:**
285
286    (rolebounds parent_role_id child_role_id)
287
288**Where:**
289
290<table>
291<colgroup>
292<col width="25%" />
293<col width="75%" />
294</colgroup>
295<tbody>
296<tr class="odd">
297<td align="left"><p><code>rolebounds</code></p></td>
298<td align="left"><p>The <code>rolebounds</code> keyword.</p></td>
299</tr>
300<tr class="even">
301<td align="left"><p><code>parent_role_id</code></p></td>
302<td align="left"><p>A single previously declared <code>role</code> identifier.</p></td>
303</tr>
304<tr class="odd">
305<td align="left"><p><code>child_role_id</code></p></td>
306<td align="left"><p>A single previously declared <code>role</code> identifier.</p></td>
307</tr>
308</tbody>
309</table>
310
311**Example:**
312
313In this example the role `test` cannot have greater privileges than `unconfined.role`:
314
315    (role test)
316
317    (unconfined
318        (role role)
319        (rolebounds role .test)
320    )
321