Difference between revisions of "DefaultRules"
(New page: = Default Rules = These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or ...) |
Line 1: | Line 1: | ||
− | = Default Rules = | + | = Default Object Rules = |
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater. | These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater. | ||
Line 34: | Line 34: | ||
'''The statement is valid in:''' | '''The statement is valid in:''' | ||
− | {|border="1" | + | {| border="1" |
− | | <center> | + | | <center>Monolithic Policy</center> |
− | | <center> | + | | <center>Base Policy</center> |
− | | <center> | + | | <center>Module Policy</center> |
|- | |- | ||
− | | <center>Yes</center> | + | | <center>'''Yes'''</center> |
− | | <center>Yes</center> | + | | <center>'''Yes'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
|- | |- | ||
− | | <center> | + | | <center>[[ConditionalStatements#if | if Statement]]</center> |
− | | <center> | + | | <center>[[PolicyStatements#optional | optional Statement]] </center> |
− | | <center> | + | | <center>[[PolicyStatements#require | require Statement]] </center> |
|- | |- | ||
− | | <center>No</center> | + | | <center>'''No'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
|} | |} | ||
Line 59: | Line 59: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
− | + | # When computing the context for a new file object, the user | |
− | + | # will be obtained from the target context. | |
default_user file target; | default_user file target; | ||
− | + | # When computing the context for a new x_selection or x_property | |
− | + | # object, the user will be obtained from the source context. | |
default_user { x_selection x_property } source; | default_user { x_selection x_property } source; | ||
Line 104: | Line 104: | ||
'''The statement is valid in:''' | '''The statement is valid in:''' | ||
− | {|border="1" | + | {| border="1" |
− | | <center> | + | | <center>Monolithic Policy</center> |
− | | <center> | + | | <center>Base Policy</center> |
− | | <center> | + | | <center>Module Policy</center> |
|- | |- | ||
− | | <center>Yes</center> | + | | <center>'''Yes'''</center> |
− | | <center>Yes</center> | + | | <center>'''Yes'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
|- | |- | ||
− | | <center> | + | | <center>[[ConditionalStatements#if | if Statement]]</center> |
− | | <center> | + | | <center>[[PolicyStatements#optional | optional Statement]] </center> |
− | | <center> | + | | <center>[[PolicyStatements#require | require Statement]] </center> |
|- | |- | ||
− | | <center>No</center> | + | | <center>'''No'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
|} | |} | ||
Line 129: | Line 129: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
− | + | # When computing the context for a new file object, the role | |
− | + | # will be obtained from the target context. | |
default_role file target; | default_role file target; | ||
− | + | # When computing the context for a new x_selection or x_property | |
− | + | # object, the role will be obtained from the source context. | |
default_role { x_selection x_property } source; | default_role { x_selection x_property } source; | ||
Line 174: | Line 174: | ||
'''The statement is valid in:''' | '''The statement is valid in:''' | ||
− | {|border="1" | + | {| border="1" |
− | | <center> | + | | <center>Monolithic Policy</center> |
− | | <center> | + | | <center>Base Policy</center> |
− | | <center> | + | | <center>Module Policy</center> |
|- | |- | ||
− | | <center>Yes</center> | + | | <center>'''Yes'''</center> |
− | | <center>Yes</center> | + | | <center>'''Yes'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
|- | |- | ||
− | | <center> | + | | <center>[[ConditionalStatements#if | if Statement]]</center> |
− | | <center> | + | | <center>[[PolicyStatements#optional | optional Statement]] </center> |
− | | <center> | + | | <center>[[PolicyStatements#require | require Statement]] </center> |
|- | |- | ||
− | | <center>No</center> | + | | <center>'''No'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
|} | |} | ||
Line 199: | Line 199: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
− | + | # When computing the context for a new file object, the type | |
− | + | # will be obtained from the target context. | |
default_type file target; | default_type file target; | ||
− | + | # When computing the context for a new x_selection or x_property | |
− | + | # object, the type will be obtained from the source context. | |
default_type { x_selection x_property } source; | default_type { x_selection x_property } source; | ||
Line 216: | Line 216: | ||
'''The statement definition is:''' | '''The statement definition is:''' | ||
<pre> | <pre> | ||
− | default_range class default | + | default_range class default range; |
</pre> | </pre> | ||
Line 240: | Line 240: | ||
|- | |- | ||
− | | | + | | range |
| A single keyword consisting of either: <tt>low</tt>, <tt>high</tt> or <tt>low_high</tt> that will state whether the default level or range should be obtained from the source or target context. | | A single keyword consisting of either: <tt>low</tt>, <tt>high</tt> or <tt>low_high</tt> that will state whether the default level or range should be obtained from the source or target context. | ||
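Review bot: the new "range" cell added in this hunk keeps the wording of the "default" cell ("whether the default level or range should be obtained from the source or target context"), but that choice is already made by the default keyword on the same statement; the cell should instead say what low, high and low_high select from the chosen context, for example "that will state whether the low level, the high level or the full low-high range of the chosen context is used".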
Line 248: | Line 248: | ||
'''The statement is valid in:''' | '''The statement is valid in:''' | ||
− | {|border="1" | + | {| border="1" |
− | | <center> | + | | <center>Monolithic Policy</center> |
− | | <center> | + | | <center>Base Policy</center> |
− | | <center> | + | | <center>Module Policy</center> |
|- | |- | ||
− | | <center>Yes</center> | + | | <center>'''Yes'''</center> |
− | | <center>Yes</center> | + | | <center>'''Yes'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
|- | |- | ||
− | | <center> | + | | <center>[[ConditionalStatements#if | if Statement]]</center> |
− | | <center> | + | | <center>[[PolicyStatements#optional | optional Statement]] </center> |
− | | <center> | + | | <center>[[PolicyStatements#require | require Statement]] </center> |
|- | |- | ||
− | | <center>No</center> | + | | <center>'''No'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
− | | <center>No</center> | + | | <center>'''No'''</center> |
+ | |||
+ | |} | ||
|} | |} | ||
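Review bot: the two added lines (an empty `|` and a second `|}`) sit immediately before the existing `|}`, so this table is closed twice; MediaWiki renders the surplus `|}` as literal text below the table, which is why the rendered revision shows a stray "|}" after the default_range validity table. Drop the added `|}` and the empty `|` line and keep the original closing line.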
Line 273: | Line 275: | ||
'''Example:''' | '''Example:''' | ||
<pre> | <pre> | ||
− | + | # When computing the context for a new file object, the lower | |
− | + | # level will be taken from the target context range. | |
default_range file target low; | default_range file target low; | ||
− | + | # When computing the context for a new x_selection or x_property | |
− | + | # object, the range will be obtained from the source context. | |
default_type { x_selection x_property } source low_high; | default_type { x_selection x_property } source low_high; | ||
</pre> | </pre> | ||
+ | |||
+ | {| style="width: 100%;" border="0" | ||
+ | |- | ||
+ | | [[Policy Configuration Statements | '''Previous''']] | ||
+ | | <center>[[NewUsers | '''Home''']]</center> | ||
+ | | <center>[[UserStatements | '''Next''']]</center> | ||
+ | |} | ||
---- | ---- |
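Review bot: the added comment in this hunk says "the range will be obtained from the source context", but the statement it annotates, the unchanged line `default_type { x_selection x_property } source low_high;`, uses the default_type keyword with a low/high argument, which the definition `default_type class default;` does not accept. It should read `default_range { x_selection x_property } source low_high;` to match the comment and the default_range definition above it.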
Revision as of 13:47, 11 December 2014
Default Object Rules
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.
default_user Rule
Allows the default user to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.
The statement definition is:
default_user class default;
Where:
default_user   The default_user rule keyword.
class          One or more class identifiers. Multiple entries consist of a
               space separated list enclosed in braces ({}). Entries can be
               excluded from the list by using the negative operator (-).
default        A single keyword consisting of either source or target that
               will state whether the default user should be obtained from
               the source or target context.
The statement is valid in:
Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No
Example:
# When computing the context for a new file object, the user
# will be obtained from the target context.
default_user file target;

# When computing the context for a new x_selection or x_property
# object, the user will be obtained from the source context.
default_user { x_selection x_property } source;
default_role Rule
Allows the default role to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.
The statement definition is:
default_role class default;
Where:
default_role   The default_role rule keyword.
class          One or more class identifiers. Multiple entries consist of a
               space separated list enclosed in braces ({}). Entries can be
               excluded from the list by using the negative operator (-).
default        A single keyword consisting of either source or target that
               will state whether the default role should be obtained from
               the source or target context.
The statement is valid in:
Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No
Example:
# When computing the context for a new file object, the role
# will be obtained from the target context.
default_role file target;

# When computing the context for a new x_selection or x_property
# object, the role will be obtained from the source context.
default_role { x_selection x_property } source;
default_type Rule
Allows the default type to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 28.
The statement definition is:
default_type class default;
Where:
default_type   The default_type rule keyword.
class          One or more class identifiers. Multiple entries consist of a
               space separated list enclosed in braces ({}). Entries can be
               excluded from the list by using the negative operator (-).
default        A single keyword consisting of either source or target that
               will state whether the default type should be obtained from
               the source or target context.
The statement is valid in:
Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No
Example:
# When computing the context for a new file object, the type
# will be obtained from the target context.
default_type file target;

# When computing the context for a new x_selection or x_property
# object, the type will be obtained from the source context.
default_type { x_selection x_property } source;
default_range Rule
Allows the default range or level to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.
The statement definition is:
default_range class default range;
Where:
default_range  The default_range rule keyword.
class          One or more class identifiers. Multiple entries consist of a
               space separated list enclosed in braces ({}). Entries can be
               excluded from the list by using the negative operator (-).
default        A single keyword consisting of either source or target that
               will state whether the default level or range should be
               obtained from the source or target context.
range          A single keyword consisting of either low, high or low_high
               that will state whether the low level, the high level or the
               full low-high range of the chosen context is used as the
               default.
The statement is valid in:
Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No
Example:
# When computing the context for a new file object, the lower
# level will be taken from the target context range.
default_range file target low;

# When computing the context for a new x_selection or x_property
# object, the range will be obtained from the source context.
default_range { x_selection x_property } source low_high;
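The four rule families above only say where a user, role, type or range is taken from; what happens to a class no rule names is left implicit. The following Python simulator is an added example, not code from this page or from the SELinux project. It parses default_user, default_role, default_type and default_range statements in the syntax defined above (including the braced class list and the negative operator) and computes the context a new object would receive for a given source and target context. The policy fragment, the source context and the target contexts are constructed inputs; the fallbacks it applies when no rule names the class (user from the source, role object_r, type from the target, range equal to the source's low level) are the kernel's for non-process object classes, and type_transition, role_transition and range_transition rules, which would take precedence, are deliberately out of scope.

```python
import re

# default_<attr> <class | { classes }> <source | target> [low | high | low_high] ;
RULE_RE = re.compile(
    r"^(default_user|default_role|default_type|default_range)\s+"
    r"(\{[^}]*\}|\S+)\s+(source|target)(?:\s+(low_high|low|high))?\s*;$"
)


def expand_classes(spec):
    """'{ file dir -dir }' -> {'file'}; 'file' -> {'file'} (a leading '-' excludes)."""
    tokens = spec.strip("{}").split()
    wanted = {t for t in tokens if not t.startswith("-")}
    excluded = {t[1:] for t in tokens if t.startswith("-")}
    return wanted - excluded


def parse_defaults(policy_text):
    """Map class -> {attribute: selector}; selector is 'source'/'target', or
    ('source'|'target', 'low'|'high'|'low_high') for default_range. Two rules
    setting the same attribute for one class are rejected as a conflict."""
    defaults = {}
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments, as in the page's examples
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"not a default_* rule: {line!r}")
        keyword, classes, default, rng = m.groups()
        attr = keyword[len("default_"):]
        if (attr == "range") != (rng is not None):
            raise ValueError(f"low/high/low_high only valid with default_range: {line!r}")
        selector = (default, rng) if attr == "range" else default
        for cls in expand_classes(classes):
            if attr in defaults.setdefault(cls, {}):
                raise ValueError(f"conflicting default_{attr} for class {cls}")
            defaults[cls][attr] = selector
    return defaults


def parse_context(ctx):
    """'user:role:type:low[-high]' -> dict; a single level means low == high."""
    user, role, type_, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {"user": user, "role": role, "type": type_, "low": low, "high": high or low}


def compute_context(source, target, tclass, defaults):
    """Context of a new object of class tclass created by a process labelled
    `source` in relation to an object labelled `target`, from default_* rules only."""
    src, tgt = parse_context(source), parse_context(target)
    rules = defaults.get(tclass, {})
    pick = {"source": src, "target": tgt}
    # Kernel fallbacks for non-process object classes when no rule names the
    # class: user from source, role object_r, type from target, source low level.
    user = pick[rules.get("user", "source")]["user"]
    role = pick[rules["role"]]["role"] if "role" in rules else "object_r"
    type_ = pick[rules.get("type", "target")]["type"]
    if "range" in rules:
        which, part = rules["range"]
        low = pick[which]["high" if part == "high" else "low"]
        high = pick[which]["low" if part == "low" else "high"]
    else:
        low = high = src["low"]
    mls = low if low == high else f"{low}-{high}"
    return f"{user}:{role}:{type_}:{mls}"


# Constructed policy: the page's example rules (with the default_range keyword
# used throughout) plus a "high" rule for dir; lnk_file has no rule at all.
POLICY = """
default_user file target;
default_user { x_selection x_property } source;
default_role file target;
default_role { x_selection x_property } source;
default_type file target;
default_type { x_selection x_property } source;
default_range file target low;
default_range { x_selection x_property } source low_high;
default_range dir target high;
"""
DEFAULTS = parse_defaults(POLICY)

# Constructed contexts: the creating process and the related objects.
SOURCE = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
TARGETS = {
    "file": "system_u:object_r:user_home_t:s0-s2:c0.c10",
    "dir": "system_u:object_r:user_home_dir_t:s0-s2:c0.c10",
    "lnk_file": "system_u:object_r:user_home_t:s0-s2:c0.c10",
    "x_selection": "system_u:object_r:xselection_t:s0",
}


def demo():
    """Return {class: computed context} for the constructed inputs."""
    return {c: compute_context(SOURCE, t, c, DEFAULTS) for c, t in TARGETS.items()}


if __name__ == "__main__":
    for cls, ctx in demo().items():
        print(f"{cls:12} -> {ctx}")
```

Running it shows the contrast the page's examples are getting at: a new file takes everything from the target (user, role, type and the target's low level), a new x_selection is labelled entirely from the creating process including its full range, a dir with only a default_range rule keeps the built-in user/role/type fallbacks but receives the target's high level, and a class with no rule at all (lnk_file) gets the pure fallbacks.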