Difference between revisions of "DefaultRules"

From SELinux Wiki
(New page: = Default Rules = These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or ...)
 
Line 1: Line 1:
= Default Rules =
+
= Default Object Rules =
 
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.
 
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.
  
Line 34: Line 34:
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
  
{|border="1"
+
{| border="1"
| <center>'''Monolithic Policy'''</center>
+
| <center>Monolithic Policy</center>
| <center>'''Base Policy'''</center>
+
| <center>Base Policy</center>
| <center>'''Module Policy'''</center>
+
| <center>Module Policy</center>
  
 
|-
 
|-
| <center>Yes</center>
+
| <center>'''Yes'''</center>
| <center>Yes</center>
+
| <center>'''Yes'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
| <center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
| <center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
| <center>No</center>
+
| <center>'''No'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
  
 
|}
 
|}
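Review bot: the rewritten table moves the bold from the column headers (Monolithic/Base/Module Policy and the if/optional/require links) onto the Yes/No cells, which is the reverse of the usual header-bold, cell-plain layout; suggest keeping `'''Monolithic Policy'''` etc. bold and leaving the Yes/No cells plain. The same swap is repeated in the other three validity tables in this diff.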
Line 59: Line 59:
 
'''Example:'''
 
'''Example:'''
 
<pre>
 
<pre>
<nowiki># When computing the context for a new file object, the user</nowiki>
+
# When computing the context for a new file object, the user
<nowiki># will be obtained from the target context.</nowiki>
+
# will be obtained from the target context.
  
 
default_user file target;
 
default_user file target;
  
<nowiki># When computing the context for a new x_selection or x_property</nowiki>
+
# When computing the context for a new x_selection or x_property
<nowiki># object, the user will be obtained from the source context.</nowiki>
+
# object, the user will be obtained from the source context.
  
 
default_user { x_selection x_property } source;
 
default_user { x_selection x_property } source;
Line 104: Line 104:
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
  
{|border="1"
+
{| border="1"
| <center>'''Monolithic Policy'''</center>
+
| <center>Monolithic Policy</center>
| <center>'''Base Policy'''</center>
+
| <center>Base Policy</center>
| <center>'''Module Policy'''</center>
+
| <center>Module Policy</center>
  
 
|-
 
|-
| <center>Yes</center>
+
| <center>'''Yes'''</center>
| <center>Yes</center>
+
| <center>'''Yes'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
| <center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
| <center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
| <center>No</center>
+
| <center>'''No'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
  
 
|}
 
|}
Line 129: Line 129:
 
'''Example:'''
 
'''Example:'''
 
<pre>
 
<pre>
<nowiki># When computing the context for a new file object, the role</nowiki>
+
# When computing the context for a new file object, the role
<nowiki># will be obtained from the target context.</nowiki>
+
# will be obtained from the target context.
  
 
default_role file target;
 
default_role file target;
  
<nowiki># When computing the context for a new x_selection or x_property</nowiki>
+
# When computing the context for a new x_selection or x_property
<nowiki># object, the role will be obtained from the source context.</nowiki>
+
# object, the role will be obtained from the source context.
  
 
default_role { x_selection x_property } source;
 
default_role { x_selection x_property } source;
Line 174: Line 174:
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
  
{|border="1"
+
{| border="1"
| <center>'''Monolithic Policy'''</center>
+
| <center>Monolithic Policy</center>
| <center>'''Base Policy'''</center>
+
| <center>Base Policy</center>
| <center>'''Module Policy'''</center>
+
| <center>Module Policy</center>
  
 
|-
 
|-
| <center>Yes</center>
+
| <center>'''Yes'''</center>
| <center>Yes</center>
+
| <center>'''Yes'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
| <center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
| <center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
| <center>No</center>
+
| <center>'''No'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
  
 
|}
 
|}
Line 199: Line 199:
 
'''Example:'''
 
'''Example:'''
 
<pre>
 
<pre>
<nowiki># When computing the context for a new file object, the type</nowiki>
+
# When computing the context for a new file object, the type
<nowiki># will be obtained from the target context.</nowiki>
+
# will be obtained from the target context.
  
 
default_type file target;
 
default_type file target;
  
<nowiki># When computing the context for a new x_selection or x_property</nowiki>
+
# When computing the context for a new x_selection or x_property
<nowiki># object, the type will be obtained from the source context.</nowiki>
+
# object, the type will be obtained from the source context.
  
 
default_type { x_selection x_property } source;
 
default_type { x_selection x_property } source;
Line 216: Line 216:
 
'''The statement definition is:'''
 
'''The statement definition is:'''
 
<pre>
 
<pre>
default_range class default entry;
+
default_range class default range;
 
</pre>
 
</pre>
  
Line 240: Line 240:
  
 
|-
 
|-
| entry
+
| range
 
| A single keyword consisting of either: <tt>low</tt>, <tt>high</tt> or <tt>low_high</tt> that will state whether the default level or range should be obtained from the source or target context.
 
| A single keyword consisting of either: <tt>low</tt>, <tt>high</tt> or <tt>low_high</tt> that will state whether the default level or range should be obtained from the source or target context.
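Review bot: the row renamed from `entry` to `range` keeps the old description verbatim, so it still says the keyword decides whether the value comes from the source or target context, which is exactly what the `default` row already says; suggest describing what low, high and low_high actually select, namely the low level, the high level or the whole low-high range of the context chosen by `default`, which is what the example comments later in this diff ("the lower level will be taken from the target context range") already imply.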
  
Line 248: Line 248:
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
  
{|border="1"
+
{| border="1"
| <center>'''Monolithic Policy'''</center>
+
| <center>Monolithic Policy</center>
| <center>'''Base Policy'''</center>
+
| <center>Base Policy</center>
| <center>'''Module Policy'''</center>
+
| <center>Module Policy</center>
  
 
|-
 
|-
| <center>Yes</center>
+
| <center>'''Yes'''</center>
| <center>Yes</center>
+
| <center>'''Yes'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
| <center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
| <center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
| <center>No</center>
+
| <center>'''No'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
| <center>No</center>
+
| <center>'''No'''</center>
 +
 
 +
|}
  
 
|}
 
|}
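Review bot: the added lines at the end of this table insert a second `|}` ahead of the `|}` that already closes the table, so the rendered page shows a literal "|}" below the default_range validity table; drop the added `|}` and the two added blank lines and keep the original closing `|}`.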
Line 273: Line 275:
 
'''Example:'''
 
'''Example:'''
 
<pre>
 
<pre>
<nowiki># When computing the context for a new file object, the lower</nowiki>
+
# When computing the context for a new file object, the lower
<nowiki># level will be taken from the target context range.</nowiki>
+
# level will be taken from the target context range.
  
 
default_range file target low;
 
default_range file target low;
  
<nowiki># When computing the context for a new x_selection or x_property</nowiki>
+
# When computing the context for a new x_selection or x_property
<nowiki># object, the range will be obtained from the source context.</nowiki>
+
# object, the range will be obtained from the source context.
  
 
default_type { x_selection x_property } source low_high;
 
default_type { x_selection x_property } source low_high;
 
</pre>
 
</pre>
  
 +
 +
{| style="width: 100%;" border="0"
 +
|-
 +
| [[Policy Configuration Statements | '''Previous''']]
 +
| <center>[[NewUsers | '''Home''']]</center>
 +
| <center>[[UserStatements | '''Next''']]</center>
 +
|}
  
 
----
 
----
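Review bot: the last statement of the default_range example still reads `default_type { x_selection x_property } source low_high;`, which is a default_type rule given a range keyword that default_type does not accept; it should be `default_range { x_selection x_property } source low_high;` to match the comment above it and the statement definition in this diff.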

Revision as of 13:47, 11 December 2014

Default Object Rules

These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.

default_user Rule

Allows the default user to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.

The statement definition is:

default_user class default;

Where:

default_user    The default_user rule keyword.
class           One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-).
default         A single keyword consisting of either source or target that will state whether the default user should be obtained from the source or target context.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

# When computing the context for a new file object, the user
# will be obtained from the target context.

default_user file target;

# When computing the context for a new x_selection or x_property
# object, the user will be obtained from the source context.

default_user { x_selection x_property } source;


default_role Rule

Allows the default role to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.

The statement definition is:

default_role class default;


Where:

default_role    The default_role rule keyword.
class           One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-).
default         A single keyword consisting of either source or target that will state whether the default role should be obtained from the source or target context.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

# When computing the context for a new file object, the role
# will be obtained from the target context.

default_role file target;

# When computing the context for a new x_selection or x_property
# object, the role will be obtained from the source context.

default_role { x_selection x_property } source;


default_type Rule

Allows the default type to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 28.

The statement definition is:

default_type class default;


Where:

default_type    The default_type rule keyword.
class           One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-).
default         A single keyword consisting of either source or target that will state whether the default type should be obtained from the source or target context.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

# When computing the context for a new file object, the type
# will be obtained from the target context.

default_type file target;

# When computing the context for a new x_selection or x_property
# object, the type will be obtained from the source context.

default_type { x_selection x_property } source;


default_range Rule

Allows the default range or level to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.

The statement definition is:

default_range class default range;


Where:

default_range   The default_range rule keyword.
class           One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-).
default         A single keyword consisting of either source or target that will state whether the default level or range should be obtained from the source or target context.
range           A single keyword consisting of either: low, high or low_high that will state whether the low level, the high level or the whole range (low-high) of the context selected by default is used.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No



Example:

# When computing the context for a new file object, the lower
# level will be taken from the target context range.

default_range file target low;

# When computing the context for a new x_selection or x_property
# object, the range will be obtained from the source context.

default_range { x_selection x_property } source low_high;
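As an added example that is not part of the wiki page, the following Python model shows how the four rules above combine: it parses default_* statements (including the brace list and the negative operator), rejects a default_type statement given a range keyword, and computes a new object's context from a source and a target context. The fallback used for a class that no rule names, the context parsing and the sample contexts are assumptions of this example, not something the page states.

```python
# Added example (not from the SELinux wiki): models how default_user/role/type/
# range rules pick each part of a new object's context; *_transition rules are not modelled.
import re
from collections import namedtuple
Context = namedtuple("Context", "user role type range")  # range: "s0" or "low-high"
def parse_context(s): return Context(*s.split(":", 3))    # the range part may contain ':'
def low(c): return c.range.split("-")[0]
def high(c): return c.range.split("-")[-1]

RULE = re.compile(r"\b(default_(?:user|role|type|range))\s+(\{[^}]*\}|\S+)\s+"
                  r"(source|target)(?:\s+(low|high|low_high))?\s*;")

def parse_rules(policy):
    """Map (rule keyword, class) -> (source|target, range keyword or None)."""
    text = re.sub(r"#[^\n]*", "", policy)                # drop comments
    rest = RULE.sub("", text).split()                    # anything left is not a default_* rule
    if rest:
        raise ValueError("unparsed policy text: " + " ".join(rest))
    rules = {}
    for kind, classes, default, rkw in RULE.findall(text):
        if (kind == "default_range") != bool(rkw):       # only default_range takes low/high/low_high
            raise ValueError(f"wrong argument count for {kind} {classes}")
        names = classes.strip("{}").split()              # brace list; a leading '-' excludes a class
        keep = {n for n in names if n[0] != "-"} - {n[1:] for n in names if n[0] == "-"}
        for cls in keep:
            rules[(kind, cls)] = (default, rkw or None)
    return rules

def compute_context(rules, source, target, cls):
    """Context of a new `cls` object created by `source` on `target`. Fallbacks for classes
    no rule names are an assumption of this example: user and low level from source, role object_r, type from target."""
    def pick(kind):                                      # -> (chosen context, range keyword)
        spec = rules.get((kind, cls))
        return (None, None) if spec is None else (source if spec[0] == "source" else target, spec[1])
    c, _ = pick("default_user");  user = c.user if c else source.user
    c, _ = pick("default_role");  role = c.role if c else "object_r"
    c, _ = pick("default_type");  typ = c.type if c else target.type
    c, kw = pick("default_range")
    rng = (low(source) if c is None else low(c) if kw == "low"
           else high(c) if kw == "high" else c.range)    # low_high keeps the whole range
    return Context(user, role, typ, rng)

PAGE_RULES = parse_rules("""
# Rules from this page (the last one written as default_range, as its comment describes).
default_user file target;
default_user { x_selection x_property } source;
default_role file target;
default_type file target;
default_range file target low;
default_range { x_selection x_property } source low_high;
""")
```

Join a returned Context with ":" to get the usual user:role:type:range string.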

