<!-- Common Interface Language (CIL) Reference Guide -->
<!-- user_statements.xml -->

<sect1>
  <title>User Statements</title>
  <sect2 id="user">
    <title>user</title>
    <para>Declares an SELinux user identifier in the current namespace. The SELinux user is the first field of a security context and is distinct from a GNU/Linux login name; login names are mapped onto SELinux users with the <literal><link linkend="selinuxuser">selinuxuser</link></literal> statement.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(user user_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>user</literal></para>
            </entry>
            <entry>
              <para>The <literal>user</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>user_id</literal></para>
            </entry>
            <entry>
              <para>The SELinux <literal>user</literal> identifier.</para>
            </entry>
          </row>
        </tbody></tgroup>
    </informaltable>

    <para><emphasis role="bold">Example:</emphasis></para>
    <para>This will declare an SELinux user that is referenced as <literal>unconfined.user</literal> from outside the block:</para>
    <programlisting><![CDATA[
(block unconfined
  (user user)
)]]>
    </programlisting>
  </sect2>

  <sect2 id="userrole">
    <title>userrole</title>
    <para>Associates a previously declared <literal><link linkend="user">user</link></literal> identifier with a previously declared <literal><link linkend="role">role</link></literal> identifier. A user may be given more than one role; a security context is only valid if its role is one of those associated with its user.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(userrole user_id role_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>userrole</literal></para>
            </entry>
            <entry>
              <para>The <literal>userrole</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>user_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared SELinux <literal><link linkend="user">user</link></literal> identifier.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>role_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared <literal><link linkend="role">role</link></literal> or <literal><link linkend="roleattribute">roleattribute</link></literal> identifier.</para>
            </entry>
          </row>
        </tbody></tgroup>
    </informaltable>

    <para><emphasis role="bold">Example:</emphasis></para>
    <para>This example will associate <literal>unconfined.user</literal> with <literal>unconfined.role</literal>:</para>
    <programlisting><![CDATA[
(block unconfined
  (user user)
  (role role)
  (userrole user role)
)]]>
    </programlisting>
  </sect2>

  <sect2 id="userlevel">
    <title>userlevel</title>
    <para>Associates a previously declared <literal><link linkend="user">user</link></literal> identifier with a previously declared <literal><link linkend="level">level</link></literal> identifier. This level is the user's default MLS level.
    The <literal><link linkend="level">level</link></literal> may be named or anonymous.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(userlevel user_id level_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>userlevel</literal></para>
            </entry>
            <entry>
              <para>The <literal>userlevel</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>user_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared SELinux <literal><link linkend="user">user</link></literal> identifier.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>level_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared <literal><link linkend="level">level</link></literal> identifier.
    This may consist of a single <literal><link linkend="sensitivity">sensitivity</link></literal> with zero or more mixed named and anonymous <literal><link linkend="category">category</link></literal> identifiers, as discussed in the <literal><link linkend="level">level</link></literal> statement.</para>
            </entry>
          </row>
        </tbody></tgroup>
    </informaltable>

    <para><emphasis role="bold">Example:</emphasis></para>
    <para>This example will associate <literal>unconfined.user</literal> with a named <literal><link linkend="level">level</link></literal> of <literal>systemlow</literal>:</para>
    <programlisting><![CDATA[
(sensitivity s0)
(level systemlow (s0))

(block unconfined
  (user user)
  (userlevel user systemlow)
  ; An anonymous example:
  ;(userlevel user (s0))
)]]>
    </programlisting>
  </sect2>

  <sect2 id="userrange">
    <title>userrange</title>
    <para>Associates a previously declared <literal><link linkend="user">user</link></literal> identifier with a previously declared <literal><link linkend="levelrange">levelrange</link></literal> identifier. This is the MLS range the user is permitted to operate in; the user's default level (see <literal><link linkend="userlevel">userlevel</link></literal>) is expected to lie within it.
    The <literal><link linkend="levelrange">levelrange</link></literal> may be named or anonymous.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(userrange user_id levelrange_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>userrange</literal></para>
            </entry>
            <entry>
              <para>The <literal>userrange</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>user_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared SELinux <literal><link linkend="user">user</link></literal> identifier.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>levelrange_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared <literal><link linkend="levelrange">levelrange</link></literal> identifier.
    This may be formed by named or anonymous components as discussed in the <literal><link linkend="levelrange">levelrange</link></literal> statement and shown in the examples.</para>
            </entry>
          </row>
        </tbody></tgroup>
    </informaltable>

    <para><emphasis role="bold">Example:</emphasis></para>
    <para>This example will associate <literal>unconfined.user</literal> with a named <literal><link linkend="levelrange">levelrange</link></literal> of <literal>low_high</literal>; equivalent anonymous forms are shown commented out:</para>
    <programlisting><![CDATA[
(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivity s1)
(dominance (s0 s1))
(sensitivitycategory s0 (c0 c1))
(level systemLow (s0))
(level systemHigh (s0 (c0 c1)))
(levelrange low_high (systemLow systemHigh))

(block unconfined
  (user user)
  (role role)
  (userrole user role)
  ; Named example:
  (userrange user low_high)
  ; Anonymous examples:
  ;(userrange user (systemLow systemHigh))
  ;(userrange user (systemLow (s0 (c0 c1))))
  ;(userrange user ((s0) (s0 (c0 c1))))
)]]>
    </programlisting>
  </sect2>

  <sect2 id="userbounds">
    <title>userbounds</title>
    <para>Defines a hierarchical relationship between users where the child user cannot have more privileges than the parent.</para>
    <para>Notes:</para>
    <itemizedlist>
      <listitem><para>A child user can be bound by only one parent; a second <literal>userbounds</literal> naming the same child is an error. A parent may bound several children.</para></listitem>
      <listitem><para>While this is added to the binary policy, it is not enforced by the SELinux kernel services. Do not rely on <literal>userbounds</literal> as a security boundary; of the bounds statements only type bounds are enforced by the kernel.</para></listitem>
    </itemizedlist>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(userbounds parent_user_id child_user_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>userbounds</literal></para>
            </entry>
            <entry>
              <para>The <literal>userbounds</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>parent_user_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared SELinux <literal><link linkend="user">user</link></literal> identifier.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>child_user_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared SELinux <literal><link linkend="user">user</link></literal> identifier.</para>
            </entry>
          </row>
        </tbody></tgroup>
    </informaltable>

    <para><emphasis role="bold">Example:</emphasis></para>
    <para>The user <literal>test</literal> cannot have greater privileges than <literal>unconfined.user</literal>. The leading dot in <literal>.test</literal> refers to the user declared in the global namespace:</para>
    <programlisting><![CDATA[
(user test)

(block unconfined
  (user user)
  (userbounds user .test)
)]]>
    </programlisting>
  </sect2>

  <sect2 id="userprefix">
    <title>userprefix</title>
    <para>Declares a user prefix that the file labeling utilities (for example <command>genhomedircon</command>) substitute into the <filename>file_contexts</filename> template entries described at <ulink url="http://selinuxproject.org/page/PolicyStoreConfigurationFiles#file_contexts.template_File">http://selinuxproject.org/page/PolicyStoreConfigurationFiles</ulink>.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(userprefix user_id prefix)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>userprefix</literal></para>
            </entry>
            <entry>
              <para>The <literal>userprefix</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>user_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared SELinux <literal><link linkend="user">user</link></literal> identifier.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>prefix</literal></para>
            </entry>
            <entry>
              <para>The string to be used by the file labeling utilities.</para>
            </entry>
          </row>
        </tbody></tgroup>
    </informaltable>

    <para><emphasis role="bold">Example:</emphasis></para>
    <para>This example will associate the <literal>unconfined.admin</literal> user with a prefix of "<literal>user</literal>":</para>
    <programlisting><![CDATA[
(block unconfined
  (user admin)
  (userprefix admin user)
)]]>
    </programlisting>
  </sect2>

  <sect2 id="selinuxuser">
    <title>selinuxuser</title>
    <para>Maps a GNU/Linux user name to a previously declared <literal><link linkend="user">user</link></literal> identifier together with a previously declared MLS <literal><link linkend="userrange">userrange</link></literal>; this is the policy-side equivalent of an entry in the <filename>seusers</filename> file.
    Note that the <literal><link linkend="userrange">userrange</link></literal> is required even if the policy is non-MCS/MLS.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(selinuxuser user_name user_id userrange_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>selinuxuser</literal></para>
            </entry>
            <entry>
              <para>The <literal>selinuxuser</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>user_name</literal></para>
            </entry>
            <entry>
              <para>A string representing the GNU/Linux user name.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>user_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared SELinux <literal><link linkend="user">user</link></literal> identifier.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>userrange_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared <literal><link linkend="userrange">userrange</link></literal> identifier that has been associated with the <literal>user</literal> identifier.
    This may be formed by named or anonymous components as discussed in the <literal><link linkend="userrange">userrange</link></literal> statement and shown in the examples.</para>
            </entry>
          </row>
        </tbody></tgroup>
    </informaltable>

    <para><emphasis role="bold">Example:</emphasis></para>
    <para>This example maps the GNU/Linux user "<literal>admin_1</literal>" to the SELinux user <literal>unconfined.admin</literal>. The <literal>low_low</literal> levelrange is assumed to be declared elsewhere in the policy and to have been associated with <literal>admin</literal> by a <literal><link linkend="userrange">userrange</link></literal> statement:</para>
    <programlisting><![CDATA[
(block unconfined
  (user admin)
  (selinuxuser admin_1 admin low_low)
)]]>
    </programlisting>
  </sect2>

  <sect2 id="selinuxuserdefault">
    <title>selinuxuserdefault</title>
    <para>Declares the default SELinux user, i.e. the mapping applied to every GNU/Linux user that has no <literal><link linkend="selinuxuser">selinuxuser</link></literal> entry (the <literal>__default__</literal> entry of the <filename>seusers</filename> file). Because it applies to all otherwise unmapped logins, it should name the least privileged user the policy provides. Only one <literal>selinuxuserdefault</literal> statement is allowed in the policy. Note that the <literal><link linkend="userrange">userrange</link></literal> identifier is required even if the policy is non-MCS/MLS.</para>
    <para><emphasis role="bold">Statement definition:</emphasis></para>
    <programlisting><![CDATA[(selinuxuserdefault user_id userrange_id)]]></programlisting>
    <para><emphasis role="bold">Where:</emphasis></para>
    <informaltable frame="all">
      <tgroup cols="2">
        <colspec colwidth="2 *"/>
        <colspec colwidth="6 *"/>
        <tbody>
          <row>
            <entry>
              <para><literal>selinuxuserdefault</literal></para>
            </entry>
            <entry>
              <para>The <literal>selinuxuserdefault</literal> keyword.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>user_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared SELinux <literal><link linkend="user">user</link></literal> identifier.</para>
            </entry>
          </row>
          <row>
            <entry>
              <para><literal>userrange_id</literal></para>
            </entry>
            <entry>
              <para>A previously declared <literal><link linkend="userrange">userrange</link></literal> identifier that has been associated with the <literal><link linkend="user">user</link></literal> identifier. This may be formed by named or anonymous components as discussed in the <literal><link linkend="userrange">userrange</link></literal> statement and shown in the examples.</para>
            </entry>
          </row>
        </tbody></tgroup>
    </informaltable>

    <para><emphasis role="bold">Example:</emphasis></para>
    <para>This example will define <literal>unconfined.user</literal> as the default SELinux user. As in the <literal>selinuxuser</literal> example, <literal>low_low</literal> is assumed to be declared and associated with the user elsewhere in the policy:</para>
    <programlisting><![CDATA[
(block unconfined
  (user user)
  (selinuxuserdefault user low_low)
)]]>
    </programlisting>
  </sect2>

</sect1>
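The page's <literal>selinuxuser</literal> and <literal>selinuxuserdefault</literal> examples reference a <literal>low_low</literal> range that is declared elsewhere, and the <literal>userlevel</literal> and <literal>userrange</literal> sections each show one statement in isolation. The following is an added, self-contained example written for this guide, not code from the CIL reference or the secilc project: it declares the MLS scaffolding that every user needs, defines a privileged and a restricted SELinux user, and maps GNU/Linux logins onto them with a least-privileged default. All identifiers in it (<literal>admin_u</literal>, <literal>staff_u</literal>, <literal>admin_r</literal>, <literal>staff_r</literal>, the level and range names, and the login names <literal>alice</literal> and <literal>bob</literal>) are chosen for the example. It assumes it is compiled together with a base policy that supplies classes, types and initial SIDs, and it uses the current <literal>sensitivityorder</literal> spelling of the ordering statement that the examples on this page write as <literal>dominance</literal>.

```cil
; Added example (not from the CIL reference guide): full chain from MLS
; scaffolding to GNU/Linux login mapping. All names are illustrative.

; --- MLS scaffolding ---------------------------------------------------
; selinuxuser and selinuxuserdefault take a level range even when the
; policy makes no real use of MLS, so at least one sensitivity must exist.
(sensitivity s0)
(sensitivityorder (s0))        ; this page's examples spell this "dominance"
(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivitycategory s0 (c0 c1))

(level systemLow (s0))
(level systemHigh (s0 (c0 c1)))
(levelrange low_low (systemLow systemLow))
(levelrange low_high (systemLow systemHigh))

; --- Roles -------------------------------------------------------------
(role admin_r)
(role staff_r)

; --- Privileged user: may enter both roles, full category range ---------
; A user in an MLS policy needs both a default level and a range.
(user admin_u)
(userrole admin_u admin_r)
(userrole admin_u staff_r)
(userlevel admin_u systemLow)   ; default level; lies within the range below
(userrange admin_u low_high)    ; may raise clearance up to systemHigh

; --- Restricted user: one role, pinned to s0 with no categories ---------
(user staff_u)
(userrole staff_u staff_r)
(userlevel staff_u systemLow)
(userrange staff_u low_low)     ; anonymous equivalent: ((s0) (s0))

; --- Login mapping (the seusers entries) --------------------------------
; The range given for a login should lie within that user's userrange,
; otherwise the login cannot obtain a valid context.
(selinuxuser alice admin_u low_high)
(selinuxuser bob staff_u low_low)

; Every login not listed above gets this mapping, so it names the
; restricted user, never the privileged one. Exactly one is allowed.
(selinuxuserdefault staff_u low_low)
```

Reading the restricted user's definition top down shows why the two bounds matter separately: <literal>userrole</literal> limits which roles a context carrying <literal>staff_u</literal> may have at all, while <literal>userrange</literal> caps the MLS clearance that <literal>bob</literal> can be granted at login regardless of what his login entry requests.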