Role Statements
===============

role
----

Declares a role identifier in the current namespace.

**Statement definition:**

```secil
    (role role_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>role</code></p></td>
<td align="left"><p>The <code>role</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>The <code>role</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares two roles: `object_r` in the global namespace and `unconfined.role`:

```secil
    (role object_r)

    (block unconfined
        (role role)
    )
```

roletype
--------

Associates a [`type`](cil_type_statements.md#type) with a [`role`](cil_role_statements.md#role). A security context is only valid if its role has been associated with its type by a `roletype` rule (`object_r` is exempt from this check), so a domain can only run in the roles that list it.

**Statement definition:**

```secil
    (roletype role_id type_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roletype</code></p></td>
<td align="left"><p>The <code>roletype</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>type_id</code></p></td>
<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares [`role`](cil_role_statements.md#role) and [`type`](cil_type_statements.md#type) identifiers, then associates them:

```secil
    (block unconfined
        (role role)
        (type process)
        (roletype role process)
    )
```

roleattribute
-------------

Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`roleattributeset`](cil_role_statements.md#roleattributeset) statement.

**Statement definition:**

```secil
    (roleattribute roleattribute_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roleattribute</code></p></td>
<td align="left"><p>The <code>roleattribute</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>roleattribute_id</code></p></td>
<td align="left"><p>The <code>roleattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares a role attribute `roles.role_holder` that has an empty set:

```secil
    (block roles
        (roleattribute role_holder)
    )
```

roleattributeset
----------------

Associates one or more previously declared [`role`](cil_role_statements.md#role) or [`roleattribute`](cil_role_statements.md#roleattribute) identifiers with a [`roleattribute`](cil_role_statements.md#roleattribute) identifier. Set expressions may be used to refine the associations, as shown in the examples.

**Statement definition:**

```secil
    (roleattributeset roleattribute_id (role_id ... | expr ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roleattributeset</code></p></td>
<td align="left"><p>The <code>roleattributeset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>roleattribute_id</code></p></td>
<td align="left"><p>A single previously declared <code>roleattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>Zero or more previously declared <code>role</code> or <code>roleattribute</code> identifiers.</p>
<p>Note that there must be at least one <code>role_id</code> or <code>expr</code> parameter declared.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code>    (and (role_id ...) (role_id ...))</code></p>
<p><code>    (or  (role_id ...) (role_id ...))</code></p>
<p><code>    (xor (role_id ...) (role_id ...))</code></p>
<p><code>    (not (role_id ...))</code></p>
<p><code>    (all)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares three roles and two role attributes, then associates all the roles to them as shown:

```secil
    (block roles
        (role role_1)
        (role role_2)
        (role role_3)

        (roleattribute role_holder)
        (roleattributeset role_holder (role_1 role_2 role_3))

        (roleattribute role_holder_all)
        (roleattributeset role_holder_all (all))
    )
```

roleallow
---------

Authorises a subject in the current role to change to a new role.

Notes:

-   The kernel checks this rule whenever a process changes role, whether automatically through a [`roletransition`](cil_role_statements.md#roletransition) rule or explicitly (for example with `setexeccon(3)`); without a matching `roleallow` the `process transition` permission is denied.

-   A `roleallow` rule on its own does not change any role. Add a [`roletransition`](cil_role_statements.md#roletransition) rule to make the change happen automatically.

-   This rule is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) statements.

**Statement definition:**

```secil
    (roleallow current_role_id new_role_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roleallow</code></p></td>
<td align="left"><p>The <code>roleallow</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>current_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>new_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`roletransition`](cil_role_statements.md#roletransition) statement for an example.

roletransition
--------------

Specifies that a subject in the current role changes to the new role when a new context is computed for an object of the target type and class; with the `process` class this happens when a file of the target type is executed. The [`class`](cil_class_and_permission_statements.md#class) identifier would normally be `process`; since kernel version 2.6.39 with policy version 25 or later, any valid class may be used. A [`roleallow`](cil_role_statements.md#roleallow) rule must also exist to authorise the transition, otherwise the kernel denies it at run time.

**Statement definition:**

```secil
    (roletransition current_role_id target_type_id class_id new_role_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>roletransition</code></p></td>
<td align="left"><p>The <code>roletransition</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>current_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_type_id</code></p></td>
<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>new_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> identifier to be set on transition.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example authorises `unconfined.role` to assume `msg_filter.role`, and then transitions to that role when a file of type `ext_gateway.exec` is executed (`unconfined.role` and `msg_filter.role` are declared elsewhere):

```secil
    (block ext_gateway
        (type process)
        (type exec)

        (roletype msg_filter.role process)
        (roleallow unconfined.role msg_filter.role)
        (roletransition unconfined.role exec process msg_filter.role)
    )
```

rolebounds
----------

Defines a hierarchical relationship between roles in which the child role cannot have more privileges than the parent: every type associated with the child role by [`roletype`](cil_role_statements.md#roletype) must also be associated with the parent role.

Notes:

-   A child role can be bound to only one parent role; a parent role may bound several children.

-   The bound is written to the binary policy and the kernel verifies it when the policy is loaded (a child role associated with a type its parent lacks makes the load fail), but role bounds are not consulted when computing access decisions.

**Statement definition:**

```secil
    (rolebounds parent_role_id child_role_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>rolebounds</code></p></td>
<td align="left"><p>The <code>rolebounds</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>parent_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>child_role_id</code></p></td>
<td align="left"><p>A single previously declared <code>role</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

In this example the role `test` cannot have greater privileges than `unconfined.role`, i.e. it cannot be associated with a type that `unconfined.role` is not:

```secil
    (role test)

    (block unconfined
        (role role)
        (rolebounds role .test)
    )
```

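The following is an added example; it is not part of the CIL reference guide or of any shipped policy. It is a minimal, self-contained policy that `secilc` can compile, combining all the role statements above in one place. The roles `staff_r` and `sysadm_r`, the blocks `unconfined` and `msg_filter`, the types `staff_t` and `kernel_t`, the user `system_u` and the attributes `login_roles` and `confined_roles` are assumed names chosen for the illustration; everything apart from the role statements is the boilerplate any compilable policy needs.

```secil
; Added example (not from the CIL reference guide or any shipped policy):
; a minimal policy secilc compiles on its own, combining role, roletype,
; roleattribute(set), roleallow, roletransition and rolebounds.
; All role, type, block and user names are illustrative assumptions.

(mls true)
(handleunknown deny)

; Boilerplate a compilable policy needs before roles matter.
(sid kernel)
(sidorder (kernel))
(sensitivity s0)
(sensitivityorder (s0))
(level low (s0))
(levelrange low_low (low low))
(class process (transition fork))
(classorder (process))

; role: the global object_r, two login roles and a namespaced unconfined role.
(role object_r)
(role staff_r)
(role sysadm_r)
(block unconfined
    (role role)
)

; A confined service with its own role. roletype binds its process type
; to the role; without it a context such as
; (system_u msg_filter.role msg_filter.process ...) is invalid.
(block msg_filter
    (role role)
    (type process)
    (type exec)
    (roletype role process)
    (roletype object_r exec)
)

; roleattributeset: a plain list, and an expression built from the
; operators in the table (every role except unconfined.role).
(roleattribute login_roles)
(roleattributeset login_roles (staff_r sysadm_r))
(roleattribute confined_roles)
(roleattributeset confined_roles (and (all) (not (unconfined.role))))

; A roleattribute may stand in for a role in roletype, roleallow and the
; current-role position of roletransition; the compiler expands it.
(type staff_t)
(roletype login_roles staff_t)

; roleallow authorises the change; roletransition makes it automatic when
; a process in a login role executes a file of type msg_filter.exec.
; Without the roleallow the rule still compiles, but the kernel denies
; the transition.
(roleallow login_roles msg_filter.role)
(roletransition login_roles msg_filter.exec process msg_filter.role)

; rolebounds: staff_r may not be associated with a type that sysadm_r
; is not. Here both get staff_t via login_roles, so the bound holds.
(rolebounds sysadm_r staff_r)

; The domain transition itself (typetransition plus the process
; transition, file execute and entrypoint allow rules) is separate and
; omitted here.

; A user holding the roles and one initial SID, so the policy compiles.
(user system_u)
(userrole system_u object_r)
(userrole system_u staff_r)
(userrole system_u sysadm_r)
(userrole system_u msg_filter.role)
(userlevel system_u low)
(userrange system_u low_low)
(type kernel_t)
(roletype object_r kernel_t)
(context kernel_context (system_u object_r kernel_t low_low))
(sidcontext kernel kernel_context)
```

Save it as `roles.cil` and build with `secilc -o policy.bin roles.cil`. With setools installed, `seinfo -r policy.bin` lists the roles, `sesearch --role_allow policy.bin` shows the `roleallow` rule expanded to one rule per login role, and `sesearch --role_trans policy.bin` shows the role transitions. Deleting the `roleallow` line still produces a policy: nothing in the compiler ties the two rules together, and it is the kernel that denies a role change lacking a `roleallow`, which is why the two should always be reviewed as a pair.
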