• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Type Statements
2===============
3
4type
5----
6
7Declares a type identifier in the current namespace.
8
9**Statement definition:**
10
11    (type type_id)
12
13**Where:**
14
15<table>
16<colgroup>
17<col width="25%" />
18<col width="75%" />
19</colgroup>
20<tbody>
21<tr class="odd">
22<td align="left"><p><code>type</code></p></td>
23<td align="left"><p>The <code>type</code> keyword.</p></td>
24</tr>
25<tr class="even">
26<td align="left"><p><code>type_id</code></p></td>
27<td align="left"><p>The <code>type</code> identifier.</p></td>
28</tr>
29</tbody>
30</table>
31
32**Example:**
33
34This example declares a type identifier `bluetooth.process`:
35
36    (block bluetooth
37        (type process)
38    )
39
40typealias
41---------
42
43Declares a type alias in the current namespace.
44
45**Statement definition:**
46
47    (typealias typealias_id)
48
49**Where:**
50
51<table>
52<colgroup>
53<col width="25%" />
54<col width="75%" />
55</colgroup>
56<tbody>
57<tr class="odd">
58<td align="left"><p><code>typealias</code></p></td>
59<td align="left"><p>The <code>typealias</code> keyword.</p></td>
60</tr>
61<tr class="even">
62<td align="left"><p><code>typealias_id</code></p></td>
63<td align="left"><p>The <code>typealias</code> identifier.</p></td>
64</tr>
65</tbody>
66</table>
67
68**Example:**
69
70See the [`typealiasactual`](cil_type_statements.md#typealiasactual) statement for an example that associates the [`typealias`](cil_type_statements.md#typealias) identifier.
71
72typealiasactual
73---------------
74
75Associates a previously declared [`typealias`](cil_type_statements.md#typealias) identifier to a previously declared [`type`](cil_type_statements.md#type) identifier.
76
77**Statement definition:**
78
79    (typealiasactual typealias_id type_id)
80
81**Where:**
82
83<table>
84<colgroup>
85<col width="25%" />
86<col width="75%" />
87</colgroup>
88<tbody>
89<tr class="odd">
90<td align="left"><p><code>typealiasactual</code></p></td>
91<td align="left"><p>The <code>typealiasactual</code> keyword.</p></td>
92</tr>
93<tr class="even">
94<td align="left"><p><code>typealias_id</code></p></td>
95<td align="left"><p>A single previously declared <code>typealias</code> identifier.</p></td>
96</tr>
97<tr class="odd">
98<td align="left"><p><code>type_id</code></p></td>
99<td align="left"><p>A single previously declared <code>type</code> identifier.</p></td>
100</tr>
101</tbody>
102</table>
103
104**Example:**
105
106This example will alias `unconfined.process` as `unconfined_t` in the global namespace:
107
108    (typealias unconfined_t)
109    (typealiasactual unconfined_t unconfined.process)
110
111    (block unconfined
112        (type process)
113    )
114
115typeattribute
116-------------
117
118Declares a type attribute identifier in the current namespace. The identifier may have zero or more [`type`](cil_type_statements.md#type), [`typealias`](cil_type_statements.md#typealias) and [`typeattribute`](cil_type_statements.md#typeattribute) identifiers associated to it via the [`typeattributeset`](cil_type_statements.md#typeattributeset) statement.
119
120**Statement definition:**
121
122    (typeattribute typeattribute_id)
123
124**Where:**
125
126<table>
127<colgroup>
128<col width="25%" />
129<col width="75%" />
130</colgroup>
131<tbody>
132<tr class="odd">
133<td align="left"><p><code>typeattribute</code></p></td>
134<td align="left"><p>The <code>typeattribute</code> keyword.</p></td>
135</tr>
136<tr class="even">
137<td align="left"><p><code>typeattribute_id</code></p></td>
138<td align="left"><p>The <code>typeattribute</code> identifier.</p></td>
139</tr>
140</tbody>
141</table>
142
143**Example:**
144
145This example declares a type attribute `domain` in global namespace that will have an empty set:
146
147    (typeattribute domain)
148
149typeattributeset
150----------------
151
152Allows the association of one or more previously declared [`type`](cil_type_statements.md#type), [`typealias`](cil_type_statements.md#typealias) or [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to a [`typeattribute`](cil_type_statements.md#typeattribute) identifier. Expressions may be used to refine the associations as shown in the examples.
153
154**Statement definition:**
155
156    (typeattributeset typeattribute_id (type_id ... | expr ...))
157
158**Where:**
159
160<table>
161<colgroup>
162<col width="25%" />
163<col width="75%" />
164</colgroup>
165<tbody>
166<tr class="odd">
167<td align="left"><p><code>typeattributeset</code></p></td>
168<td align="left"><p>The <code>typeattributeset</code> keyword.</p></td>
169</tr>
170<tr class="even">
171<td align="left"><p><code>typeattribute_id</code></p></td>
172<td align="left"><p>A single previously declared <code>typeattribute</code> identifier.</p></td>
173</tr>
174<tr class="odd">
175<td align="left"><p><code>type_id</code></p></td>
176<td align="left"><p>Zero or more previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifiers.</p>
177<p>Note that there must be at least one <code>type_id</code> or <code>expr</code> parameter declared.</p></td>
178</tr>
179<tr class="even">
180<td align="left"><p><code>expr</code></p></td>
181<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
182<p><code>    (and (type_id ...) (type_id ...))</code></p>
183<p><code>    (or  (type_id ...) (type_id ...))</code></p>
184<p><code>    (xor (type_id ...) (type_id ...))</code></p>
185<p><code>    (not (type_id ...))</code></p>
186<p><code>    (all)</code></p></td>
187</tr>
188</tbody>
189</table>
190
191**Examples:**
192
193This example will take all the policy types and exclude those in `appdomain`. It is equivalent to `~appdomain` in the kernel policy language.
194
195    (typeattribute not_in_appdomain)
196
197    (typeattributeset not_in_appdomain (not (appdomain)))
198
199This example is equivalent to `{ domain -kernel.process -ueventd.process -init.process }` in the kernel policy language:
200
201    (typeattribute na_kernel_or_ueventd_or_init_in_domain)
202
203    (typeattributeset na_kernel_or_ueventd_or_init_in_domain
204        (and
205            (and
206                (and
207                    (domain)
208                    (not (kernel.process))
209                )
210                (not (ueventd.process))
211            )
212            (not (init.process))
213        )
214    )
215
216typebounds
217----------
218
219This defines a hierarchical relationship between domains where the bounded domain cannot have more permissions than its bounding domain (the parent).
220
221Requires kernel 2.6.28 and above to control the security context associated to threads in multi-threaded applications. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the bounding.
222
223**Statement definition:**
224
225    (typebounds parent_type_id child_type_id)
226
227**Where:**
228
229<table>
230<colgroup>
231<col width="25%" />
232<col width="75%" />
233</colgroup>
234<tbody>
235<tr class="odd">
236<td align="left"><p><code>typebounds</code></p></td>
237<td align="left"><p>The <code>typebounds</code> keyword.</p></td>
238</tr>
239<tr class="even">
240<td align="left"><p><code>parent_type_id</code></p></td>
241<td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that is the parent domain.</p></td>
242</tr>
243<tr class="odd">
244<td align="left"><p><code>child_type_id</code></p></td>
245<td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that is the bound (child) domain.</p></td>
246</tr>
247</tbody>
248</table>
249
250**Example:**
251
252In this example the `httpd.child.process` cannot have `file (write)` due to lack of permissions on `httpd.process` which is the parent. It means the child domain will always have equal or less privileges than the parent:
253
254    (class file (getattr read write))
255
256    (block httpd
257        (type process)
258        (type object)
259
260        (typebounds process child.process)
261        ; The parent is allowed file 'getattr' and 'read':
262        (allow process object (file (getattr read)))
263
264        (block child
265            (type process)
266            (type object)
267
268            ; However the child process has been given 'write' access that will be denied.
269            (allow process httpd.object (file (read write)))
270        )
271    )
272
273typechange
274----------
275
276The type change rule is used to define a different label of an object for userspace SELinux-aware applications. These applications would use **`security_compute_relabel`**`(3)` and [`typechange`](cil_type_statements.md#typechange) rules in the policy to determine the new context to be applied. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the change.
277
278**Statement definition:**
279
280    (typechange source_type_id target_type_id class_id change_type_id)
281
282**Where:**
283
284<table>
285<colgroup>
286<col width="25%" />
287<col width="75%" />
288</colgroup>
289<tbody>
290<tr class="odd">
291<td align="left"><p><code>typechange</code></p></td>
292<td align="left"><p>The <code>typechange</code> keyword.</p></td>
293</tr>
294<tr class="even">
295<td align="left"><p><code>source_type_id</code></p></td>
296<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
297</tr>
298<tr class="odd">
299<td align="left"><p><code>target_type_id</code></p></td>
300<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
301</tr>
302<tr class="even">
303<td align="left"><p><code>class_id</code></p></td>
304<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
305</tr>
306<tr class="odd">
307<td align="left"><p><code>change_type_id</code></p></td>
308<td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that will become the new type.</p></td>
309</tr>
310</tbody>
311</table>
312
313**Example:**
314
315Whenever **`security_compute_relabel`**`(3)` is called with the following parameters:
316
317`    scon=unconfined.object tcon=unconfined.object class=file`
318
319the function will return a context of:
320
321`    unconfined.object:object_r:unconfined.change_label:s0`
322
323    (class file (getattr read write))
324
325    (block unconfined
326        (type process)
327        (type object)
328        (type change_label)
329
330        (typechange object object file change_label)
331    )
332
333typemember
334----------
335
336The type member rule is used to define a new polyinstantiated label of an object for SELinux-aware applications. These applications would use **`avc_compute_member`**`(3)` or **`security_compute_member`**`(3)` with the [`typemember`](cil_type_statements.md#typemember) rules in the policy to determine the context to be applied. The application would then manage any required polyinstantiation. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the membership.
337
338**Statement definition:**
339
340    (typemember source_type_id target_type_id class_id member_type_id)
341
342**Where:**
343
344<table>
345<colgroup>
346<col width="25%" />
347<col width="75%" />
348</colgroup>
349<tbody>
350<tr class="odd">
351<td align="left"><p><code>typemember</code></p></td>
352<td align="left"><p>The <code>typemember</code> keyword.</p></td>
353</tr>
354<tr class="even">
355<td align="left"><p><code>source_type_id</code></p></td>
356<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
357</tr>
358<tr class="odd">
359<td align="left"><p><code>target_type_id</code></p></td>
360<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
361</tr>
362<tr class="even">
363<td align="left"><p><code>class_id</code></p></td>
364<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
365</tr>
366<tr class="odd">
367<td align="left"><p><code>member_type_id</code></p></td>
368<td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that will become the new member type.</p></td>
369</tr>
370</tbody>
371</table>
372
373**Example:**
374
375Whenever **`avc_compute_member`**`(3)` or **`security_compute_member`**`(3)` is called with the following parameters:
376
377`    scon=unconfined.object tcon=unconfined.object class=file`
378
379the function will return a context of:
380
381`    unconfined.object:object_r:unconfined.member_label:s0`
382
383    (class file (getattr read write))
384
385    (block unconfined
386        (type process)
387        (type object)
388        (type change_label)
389
390        (typemember object object file member_label)
391    )
392
393typetransition
394--------------
395
396The type transition rule specifies the labeling and object creation allowed between the `source_type` and `target`\_type when a domain transition is requested. Kernels from 2.6.39 with policy versions from 25 and above also support a 'name transition' rule, however this is not allowed inside conditionals and currently only supports the file classes. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the transition.
397
398**Statement definition:**
399
400    (typetransition source_type_id target_type_id class_id [object_name] default_type_id)
401
402**Where:**
403
404<table>
405<colgroup>
406<col width="25%" />
407<col width="75%" />
408</colgroup>
409<tbody>
410<tr class="odd">
411<td align="left"><p><code>typetransition</code></p></td>
412<td align="left"><p>The <code>typetransition</code> keyword.</p></td>
413</tr>
414<tr class="even">
415<td align="left"><p><code>source_type_id</code></p></td>
416<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
417</tr>
418<tr class="odd">
419<td align="left"><p><code>target_type_id</code></p></td>
420<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
421</tr>
422<tr class="even">
423<td align="left"><p><code>class_id</code></p></td>
424<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
425</tr>
426<tr class="odd">
427<td align="left"><p><code>object_name</code></p></td>
428<td align="left"><p>A optional string within double quotes representing an object name for the 'name transition' rule. This string will be matched against the objects name (if a path then the last component of that path). If the string matches exactly, the <code>default_type_id</code> will then become the new type.</p></td>
429</tr>
430<tr class="even">
431<td align="left"><p><code>default_type_id</code></p></td>
432<td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier that will become the new type.</p></td>
433</tr>
434</tbody>
435</table>
436
437**Examples:**
438
439This example shows a process transition rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule:
440
441    (macro domain_auto_trans ((type ARG1) (type ARG2) (type ARG3))
442        ; Allow the necessary permissions.
443        (call domain_trans (ARG1 ARG2 ARG3))
444        ; Make the transition occur by default.
445        (typetransition ARG1 ARG2 process ARG3)
446    )
447
448This example shows a file object transition rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule:
449
450    (macro tmpfs_domain ((type ARG1))
451        (type tmpfs)
452        (typeattributeset file_type (tmpfs))
453        (typetransition ARG1 file.tmpfs file tmpfs)
454        (allow ARG1 tmpfs (file (read write execute execmod)))
455    )
456
457This example shows the 'name transition' rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule:
458
459    (macro write_klog ((type ARG1))
460        (typetransition ARG1 device.device chr_file "__kmsg__" device.klog_device)
461        (allow ARG1 device.klog_device (chr_file (create open write unlink)))
462        (allow ARG1 device.device (dir (write add_name remove_name)))
463    )
464
465typepermissive
466--------------
467
468Policy database version 23 introduced the permissive statement to allow the named domain to run in permissive mode instead of running all SELinux domains in permissive mode (that was the only option prior to version 23). Note that the permissive statement only tests the source context for any policy denial.
469
470**Statement definition:**
471
472    (typepermissive source_type_id)
473
474**Where:**
475
476<table>
477<colgroup>
478<col width="25%" />
479<col width="75%" />
480</colgroup>
481<tbody>
482<tr class="odd">
483<td align="left"><p><code>typepermissive</code></p></td>
484<td align="left"><p>The <code>typepermissive</code> keyword.</p></td>
485</tr>
486<tr class="even">
487<td align="left"><p><code>source_type_id</code></p></td>
488<td align="left"><p>A single previously declared <code>type</code> or <code>typealias</code> identifier.</p></td>
489</tr>
490</tbody>
491</table>
492
493**Example:**
494
495This example will allow SELinux to run the `healthd.process` domain in permissive mode even when enforcing is enabled:
496
497    (block healthd
498        (type process)
499        (typepermissive process)
500
501        (allow ...)
502    )
503