• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1User Statements
2===============
3
4user
5----
6
7Declares an SELinux user identifier in the current namespace.
8
9**Statement definition:**
10
11    (user user_id)
12
13**Where:**
14
15<table>
16<colgroup>
17<col width="25%" />
18<col width="75%" />
19</colgroup>
20<tbody>
21<tr class="odd">
22<td align="left"><p><code>user</code></p></td>
23<td align="left"><p>The <code>user</code> keyword.</p></td>
24</tr>
25<tr class="even">
26<td align="left"><p><code>user_id</code></p></td>
27<td align="left"><p>The SELinux <code>user</code> identifier.</p></td>
28</tr>
29</tbody>
30</table>
31
32**Example:**
33
34This will declare an SELinux user as `unconfined.user`:
35
36    (block unconfined
37        (user user)
38    )
39
40userrole
41--------
42
43Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`role`](cil_role_statements.md#role) identifier.
44
45**Statement definition:**
46
47    (userrole user_id role_id)
48
49**Where:**
50
51<table>
52<colgroup>
53<col width="25%" />
54<col width="75%" />
55</colgroup>
56<tbody>
57<tr class="odd">
58<td align="left"><p><code>userrole</code></p></td>
59<td align="left"><p>The <code>userrole</code> keyword.</p></td>
60</tr>
61<tr class="even">
62<td align="left"><p><code>user_id</code></p></td>
63<td align="left"><p>A previously declared SELinux <code>user</code> or <code>userattribute</code> identifier.</p></td>
64</tr>
65<tr class="odd">
66<td align="left"><p><code>role_id</code></p></td>
67<td align="left"><p>A previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
68</tr>
69</tbody>
70</table>
71
72**Example:**
73
74This example will associate `unconfined.user` to `unconfined.role`:
75
76    (block unconfined
77        (user user)
78        (role role)
79        (userrole user role)
80    )
81
82userattribute
83-------------
84
85Declares a user attribute identifier in the current namespace. The identifier may have zero or more [`user`](cil_user_statements.md#user) and [`userattribute`](cil_user_statements.md#userattribute) identifiers associated to it via the [`userattributeset`](cil_user_statements.md#userattributeset) statement.
86
87**Statement definition:**
88
89    (userattribute userattribute_id)
90
91**Where:**
92
93<table>
94<colgroup>
95<col width="25%" />
96<col width="75%" />
97</colgroup>
98<tbody>
99<tr class="odd">
100<td align="left"><p><code>userattribute</code></p></td>
101<td align="left"><p>The <code>userattribute</code> keyword.</p></td>
102</tr>
103<tr class="even">
104<td align="left"><p><code>userattribute_id</code></p></td>
105<td align="left"><p>The <code>userattribute</code> identifier.</p></td>
106</tr>
107</tbody>
108</table>
109
110**Example:**
111
112This example will declare a user attribute `users.user_holder` that will have an empty set:
113
114    (block users
115        (userattribute user_holder)
116    )
117
118userattributeset
119----------------
120
121Allows the association of one or more previously declared [`user`](cil_user_statements.md#user) or [`userattribute`](cil_user_statements.md#userattribute) identifiers to a [`userattribute`](cil_user_statements.md#userattribute) identifier. Expressions may be used to refine the associations as shown in the examples.
122
123**Statement definition:**
124
125    (userattributeset userattribute_id (user_id ... | expr ...))
126
127**Where:**
128
129<table>
130<colgroup>
131<col width="25%" />
132<col width="75%" />
133</colgroup>
134<tbody>
135<tr class="odd">
136<td align="left"><p><code>userattributeset</code></p></td>
137<td align="left"><p>The <code>userattributeset</code> keyword.</p></td>
138</tr>
139<tr class="even">
140<td align="left"><p><code>userattribute_id</code></p></td>
141<td align="left"><p>A single previously declared <code>userattribute</code> identifier.</p></td>
142</tr>
143<tr class="odd">
144<td align="left"><p><code>user_id</code></p></td>
145<td align="left"><p>Zero or more previously declared <code>user</code> or <code>userattribute</code> identifiers.</p>
146<p>Note that there must be at least one <code>user_id</code> or <code>expr</code> parameter declared.</p></td>
147</tr>
148<tr class="even">
149<td align="left"><p><code>expr</code></p></td>
150<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
151<p><code>    (and (user_id ...) (user_id ...))</code></p>
152<p><code>    (or  (user_id ...) (user_id ...))</code></p>
153<p><code>    (xor (user_id ...) (user_id ...))</code></p>
154<p><code>    (not (user_id ...))</code></p>
155<p><code>    (all)</code></p></td>
156</tr>
157</tbody>
158</table>
159
160**Example:**
161
162This example will declare three users and two user attributes, then associate all the users to them as shown:
163
164    (block users
165        (user user_1)
166        (user user_2)
167        (user user_3)
168
169        (userattribute user_holder)
170        (userattributeset user_holder (user_1 user_2 user_3))
171
172        (userattribute user_holder_all)
173        (userattributeset user_holder_all (all))
174    )
175
176userlevel
177---------
178
179Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`level`](cil_mls_labeling_statements.md#level) identifier. The [`level`](cil_mls_labeling_statements.md#level) may be named or anonymous.
180
181**Statement definition:**
182
183    (userlevel user_id level_id)
184
185**Where:**
186
187<table>
188<colgroup>
189<col width="25%" />
190<col width="75%" />
191</colgroup>
192<tbody>
193<tr class="odd">
194<td align="left"><p><code>userlevel</code></p></td>
195<td align="left"><p>The <code>userlevel</code> keyword.</p></td>
196</tr>
197<tr class="even">
198<td align="left"><p><code>user_id</code></p></td>
199<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
200</tr>
201<tr class="odd">
202<td align="left"><p><code>level_id</code></p></td>
203<td align="left"><p>A previously declared <code>level</code> identifier. This may consist of a single <code>sensitivity</code> with zero or more mixed named and anonymous <code>category</code>'s as discussed in the <code>level</code> statement.</p></td>
204</tr>
205</tbody>
206</table>
207
208**Example:**
209
210This example will associate `unconfined.user` with a named [`level`](cil_mls_labeling_statements.md#level) of `systemlow`:
211
212    (sensitivity s0)
213    (level systemlow (s0))
214
215    (block unconfined
216        (user user)
217         (userlevel user systemlow)
218        ; An anonymous example:
219        ;(userlevel user (s0))
220    )
221
222userrange
223---------
224
225Associates a previously declared [`user`](cil_user_statements.md#user) identifer with a previously declared [`levelrange`](cil_mls_labeling_statements.md#levelrange) identifier. The [`levelrange`](cil_mls_labeling_statements.md#levelrange) may be named or anonymous.
226
227**Statement definition:**
228
229    (userrange user_id levelrange_id)
230
231**Where:**
232
233<table>
234<colgroup>
235<col width="25%" />
236<col width="75%" />
237</colgroup>
238<tbody>
239<tr class="odd">
240<td align="left"><p><code>userrange</code></p></td>
241<td align="left"><p>The <code>userrange</code> keyword.</p></td>
242</tr>
243<tr class="even">
244<td align="left"><p><code>user_id</code></p></td>
245<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
246</tr>
247<tr class="odd">
248<td align="left"><p><code>levelrange_id</code></p></td>
249<td align="left"><p>A previously declared <code>levelrange</code> identifier. This may be formed by named or anonymous components as discussed in the <code>levelrange</code> statement and shown in the examples.</p></td>
250</tr>
251</tbody>
252</table>
253
254**Example:**
255
256This example will associate `unconfined.user` with a named [`levelrange`](cil_mls_labeling_statements.md#levelrange) of `low_high`, other anonymous examples are also shown:
257
258    (category c0)
259    (category c1)
260    (categoryorder (c0 c1))
261    (sensitivity s0)
262    (sensitivity s1)
263    (dominance (s0 s1))
264    (sensitivitycategory s0 (c0 c1))
265    (level systemLow (s0))
266    (level systemHigh (s0 (c0 c1)))
267    (levelrange low_high (systemLow systemHigh))
268
269    (block unconfined
270        (user user)
271        (role role)
272        (userrole user role)
273        ; Named example:
274        (userrange user low_high)
275        ; Anonymous examples:
276        ;(userrange user (systemLow systemHigh))
277        ;(userrange user (systemLow (s0 (c0 c1))))
278        ;(userrange user ((s0) (s0 (c0 c1))))
279    )
280
281userbounds
282----------
283
284Defines a hierarchical relationship between users where the child user cannot have more priviledges than the parent.
285
286Notes:
287
288-   It is not possible to bind the parent to more than one child.
289
290-   While this is added to the binary policy, it is not enforced by the SELinux kernel services.
291
292**Statement definition:**
293
294    (userbounds parent_user_id child_user_id)
295
296**Where:**
297
298<table>
299<colgroup>
300<col width="25%" />
301<col width="75%" />
302</colgroup>
303<tbody>
304<tr class="odd">
305<td align="left"><p><code>userbounds</code></p></td>
306<td align="left"><p>The <code>userbounds</code> keyword.</p></td>
307</tr>
308<tr class="even">
309<td align="left"><p><code>parent_user_id</code></p></td>
310<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
311</tr>
312<tr class="odd">
313<td align="left"><p><code>child_user_id</code></p></td>
314<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
315</tr>
316</tbody>
317</table>
318
319**Example:**
320
321The user `test` cannot have greater priviledges than `unconfined.user`:
322
323    (user test)
324
325    (unconfined
326        (user user)
327        (userbounds user .test)
328    )
329
330userprefix
331----------
332
333Declare a user prefix that will be replaced by the file labeling utilities described at [http://selinuxproject.org/page/PolicyStoreConfigurationFiles](http://selinuxproject.org/page/PolicyStoreConfigurationFiles#file_contexts.template_File) that details the `file_contexts` entries.
334
335**Statement definition:**
336
337    (userprefix user_id prefix)
338
339**Where:**
340
341<table>
342<colgroup>
343<col width="25%" />
344<col width="75%" />
345</colgroup>
346<tbody>
347<tr class="odd">
348<td align="left"><p><code>userprefix</code></p></td>
349<td align="left"><p>The <code>userprefix</code> keyword.</p></td>
350</tr>
351<tr class="even">
352<td align="left"><p><code>user_id</code></p></td>
353<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
354</tr>
355<tr class="odd">
356<td align="left"><p><code>prefix</code></p></td>
357<td align="left"><p>The string to be used by the file labeling utilities.</p></td>
358</tr>
359</tbody>
360</table>
361
362**Example:**
363
364This example will associate `unconfined.admin` user with a prefix of "[`user`](cil_user_statements.md#user)":
365
366    (block unconfined
367        (user admin
368        (userprefix admin user)
369    )
370
371selinuxuser
372-----------
373
374Associates a GNU/Linux user to a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared MLS [`userrange`](cil_user_statements.md#userrange). Note that the [`userrange`](cil_user_statements.md#userrange) is required even if the policy is non-MCS/MLS.
375
376**Statement definition:**
377
378    (selinuxuser user_name user_id userrange_id)
379
380**Where:**
381
382<table>
383<colgroup>
384<col width="25%" />
385<col width="75%" />
386</colgroup>
387<tbody>
388<tr class="odd">
389<td align="left"><p><code>selinuxuser</code></p></td>
390<td align="left"><p>The <code>selinuxuser</code> keyword.</p></td>
391</tr>
392<tr class="even">
393<td align="left"><p><code>user_name</code></p></td>
394<td align="left"><p>A string representing the GNU/Linux user name</p></td>
395</tr>
396<tr class="odd">
397<td align="left"><p><code>user_id</code></p></td>
398<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
399</tr>
400<tr class="even">
401<td align="left"><p><code>userrange_id</code></p></td>
402<td align="left"><p>A previously declared <code>userrange</code> identifier that has been associated to the <code>user</code> identifier. This may be formed by named or anonymous components as discussed in the <code>userrange</code> statement and shown in the examples.</p></td>
403</tr>
404</tbody>
405</table>
406
407**Example:**
408
409This example will associate `unconfined.admin` user with a GNU / Linux user "`admin_1`":
410
411    (block unconfined
412        (user admin)
413        (selinuxuser admin_1 admin low_low)
414    )
415
416selinuxuserdefault
417------------------
418
419Declares the default SELinux user. Only one [`selinuxuserdefault`](cil_user_statements.md#selinuxuserdefault) statement is allowed in the policy. Note that the [`userrange`](cil_user_statements.md#userrange) identifier is required even if the policy is non-MCS/MLS.
420
421**Statement definition:**
422
423    (selinuxuserdefault user_id userrange_id)
424
425**Where:**
426
427<table>
428<colgroup>
429<col width="25%" />
430<col width="75%" />
431</colgroup>
432<tbody>
433<tr class="odd">
434<td align="left"><p><code>selinuxuserdefault</code></p></td>
435<td align="left"><p>The <code>selinuxuserdefault</code> keyword.</p></td>
436</tr>
437<tr class="even">
438<td align="left"><p><code>user_id</code></p></td>
439<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
440</tr>
441<tr class="odd">
442<td align="left"><p><code>userrange_id</code></p></td>
443<td align="left"><p>A previously declared <code>userrange</code> identifier that has been associated to the <code>user</code> identifier. This may be formed by named or anonymous components as discussed in the <code>userrange</code> statement and shown in the examples.</p></td>
444</tr>
445</tbody>
446</table>
447
448**Example:**
449
450This example will define the `unconfined.user` as the default SELinux user:
451
452    (block unconfined
453        (user user)
454        (selinuxuserdefault user low_low)
455    )
456