RoleRules - Revision history (selinuxproject.org wiki, MediaWiki 1.23.13; feed generated 2024-03-29T14:15:58Z)<br />
Revision 840 by RichardHaines, 2009-11-29T15:43:58Z: New page<br />
<div>= Role Rules =<br />
== Role allow Rule ==<br />
The role allow rule defines which role changes are permitted: a request to change from from_role_id to to_role_id, whether made explicitly with newrole(1) or triggered by a role_transition rule on exec, is denied unless a matching role allow rule exists. If the change is allowed, a further role_transition rule may then be required so that the process runs with the new role or role set. <br />
<br />
Important Notes: <br />
<br />
# The role allow rule has the same keyword as the allow AV rule; the two are distinguished by their arguments, since a role allow rule names only roles and has no object class or permission list.<br />
# The role allow rule is used in the Reference Policy sources; however, there are no corresponding role_transition rules. This is because the policy expects users either to keep the same role as when they logged onto the system, or to use the newrole(1) command to change roles.<br />
# The Reference Policy uses the constrain Statement to manage role relationships.<br />
<br />
<br />
'''The statement definition is:'''<br />
<pre><br />
allow from_role_id to_role_id; <br />
</pre><br />
<br />
<br />
'''Where:'''<br />
{|border="1"<br />
|allow<br />
|The role allow rule keyword.<br />
<br />
|-<br />
|from_role_id<br />
|One or more role identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces ({}).<br />
<br />
|-<br />
|to_role_id<br />
|One or more role identifiers that identify the new role to be granted on the transition. Multiple entries consist of a space separated list enclosed in braces ({}).<br />
<br />
|}<br />
<br />
<br />
'''The statement is valid in:'''<br />
{|border="1"<br />
|<center>'''Monolithic Policy'''</center><br />
|<center>'''Base Policy'''</center><br />
|<center>'''Module Policy'''</center><br />
<br />
|-<br />
|<center>Yes</center><br />
|<center>Yes</center><br />
|<center>Yes</center><br />
<br />
|-<br />
|<center>'''Conditional Policy (if) Statement'''</center><br />
|<center>'''optional Statement'''</center><br />
|<center>'''require Statement'''</center><br />
<br />
|-<br />
|<center>No</center><br />
|<center>Yes</center><br />
|<center>No</center><br />
<br />
|}<br />
<br />
<br />
'''Example:'''<br />
<pre><br />
<nowiki># Using the </nowiki>role allow rule to define authorised role<br />
<nowiki># transitions in the Reference Policy. The current role </nowiki><br />
<nowiki># </nowiki>sysadm_r is granted permission to transition to the secadm_r<br />
<nowiki># role in the MLS policy.</nowiki><br />
<br />
allow sysadm_r secadm_r;<br />
</pre><br />
<br />
<br />
== role_transition Rule ==<br />
The role_transition rule specifies that a role transition is required when a process in current_role_id executes a file labelled with type_id. If the transition is permitted (a role allow rule from current_role_id to new_role_id exists and the normal process transition permissions are granted), the process will run under new_role_id; otherwise the exec is denied. <br />
<br />
<br />
'''The statement definition is:'''<br />
<pre><br />
role_transition current_role_id type_id new_role_id; <br />
</pre><br />
<br />
<br />
'''Where:'''<br />
{|border="1"<br />
|role_transition<br />
|The role_transition keyword.<br />
<br />
|-<br />
|current_role_id<br />
|One or more role identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces ({}).<br />
<br />
|-<br />
|type_id<br />
|One or more type or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-). For a process role transition this is the type of the executable file that triggers the transition (secure_services_exec_t in the example below), not the domain the process will run in; the new domain is selected by the type_transition rule for the same file type.<br />
<br />
|-<br />
|new_role_id<br />
|The new role to be granted on transition.<br />
<br />
|}<br />
<br />
<br />
'''The statement is valid in:'''<br />
{|border="1"<br />
|<center>'''Monolithic Policy'''</center><br />
|<center>'''Base Policy'''</center><br />
|<center>'''Module Policy'''</center><br />
<br />
|-<br />
|<center>Yes</center><br />
|<center>Yes</center><br />
|<center>Yes</center><br />
<br />
|-<br />
|<center>'''Conditional Policy (if) Statement'''</center><br />
|<center>'''optional Statement'''</center><br />
|<center>'''require Statement'''</center><br />
<br />
|-<br />
|<center>No</center><br />
|<center>Yes</center><br />
|<center>No</center><br />
<br />
|}<br />
<br />
<br />
'''Example:'''<br />
<pre><br />
<nowiki># This is a role_transition used in the ext_gateway.conf</nowiki><br />
<nowiki># loadable module to allow the secure client / server process to</nowiki><br />
<nowiki># run under the </nowiki>message_filter_r role. The role needs to be<br />
<nowiki># declared, allowed to transition from its current role of </nowiki><br />
<nowiki># </nowiki>unconfined_r and it then transitions when the process <br />
<nowiki># transitions via the type_transition statement (not shown).</nowiki><br />
<nowiki># Note that the role needs to be associated to a user by either:</nowiki><br />
<nowiki># 1) An embedded user statement in the policy. This is not</nowiki><br />
<nowiki># </nowiki>recommended as it makes the policy fixed to either <br />
<nowiki># </nowiki>standard, MCS or MLS.<br />
<nowiki># 2) Using the semanage(8) command to add the role. This will </nowiki><br />
<nowiki># </nowiki>allow the module to be used by MCS/MLS policies as well.<br />
<nowiki>#</nowiki><br />
<nowiki># The secure client / server will run in this domain:</nowiki><br />
<br />
type ext_gateway_t;<br />
<br />
<nowiki># The binaries will be labeled:</nowiki><br />
<br />
type secure_services_exec_t;<br />
<br />
<nowiki># Use message_filter_r role and then transition</nowiki><br />
<br />
role message_filter_r types ext_gateway_t;<br />
allow unconfined_r message_filter_r;<br />
role_transition unconfined_r secure_services_exec_t message_filter_r;<br />
</pre><br />
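<br />
'''Added example (role rule checker):'''<br />
The following Python script is an added example for this page; it is not code from the original page, the SELinux project or the Reference Policy. It parses a constructed policy fragment (the ext_gateway rules from the example above plus a hypothetical audit-admin transition using the made-up identifiers sysadm_t, auditadm_r, auditadm_t and auditadm_exec_t) and shows the two things the role allow and role_transition sections describe: the roles reachable from a given role through role allow rules, and whether each role_transition is backed by a matching role allow rule and by a new role that authorises the domain selected by the type_transition on the same file type. The audit-admin rules are deliberately incomplete so that both checks fire.<br />
<br />
```python
"""Static checks over SELinux role allow / role_transition rules (added example,
not SELinux project code). SAMPLE_POLICY is a constructed fragment."""
import re
from dataclasses import dataclass, field

SAMPLE_POLICY = """
# Constructed sample: the page's ext_gateway rules plus a hypothetical,
# deliberately incomplete audit-admin transition.
type unconfined_t;  type sysadm_t;
type ext_gateway_t; type secure_services_exec_t;
type auditadm_t;    type auditadm_exec_t;

role unconfined_r types unconfined_t;
role sysadm_r types sysadm_t;
role secadm_r types sysadm_t;
role message_filter_r types ext_gateway_t;
role auditadm_r;                          # declared, but never given a domain

# Same 'allow' keyword, but the ':' and object class make this an AV rule
allow unconfined_t secure_services_exec_t : file { read execute };

# Role allow rules: which role changes are permitted at all
allow unconfined_r message_filter_r;
allow sysadm_r secadm_r;
allow { unconfined_r secadm_r } auditadm_r;

# Domain transitions on exec and the role transitions that pair with them
type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
type_transition { unconfined_t sysadm_t } auditadm_exec_t : process auditadm_t;
role_transition unconfined_r secure_services_exec_t message_filter_r;
role_transition { unconfined_r sysadm_r } auditadm_exec_t auditadm_r;
"""


@dataclass
class Policy:
    role_types: dict = field(default_factory=dict)  # role -> {domain types}
    role_allow: set = field(default_factory=set)    # {(from_role, to_role)}
    role_trans: list = field(default_factory=list)  # [(current_role, exec_type, new_role)]
    type_trans: list = field(default_factory=list)  # [(src_domain, exec_type, new_domain)]


def _take_set(tok, i):
    """Return (names, next_index) for one identifier or a '{ a b }' list at tok[i]."""
    if tok[i] != "{":
        return {tok[i]}, i + 1
    close = tok.index("}", i)
    return set(tok[i + 1:close]), close + 1


def parse_policy(text):
    """Parse role, role allow, role_transition and process type_transition statements.
    Other statements are skipped; attributes are treated as plain names (no expansion)."""
    pol = Policy()
    for stmt in re.sub(r"#[^\n]*", "", text).split(";"):
        tok = stmt.replace("{", " { ").replace("}", " } ").replace(":", " : ").split()
        if not tok:
            continue
        kw = tok[0]
        if kw == "role":                                 # role r; | role r types {...};
            types = pol.role_types.setdefault(tok[1], set())
            if len(tok) > 2 and tok[2] == "types":
                types |= _take_set(tok, 3)[0]
        elif kw == "allow" and ":" not in tok:           # no object class => role allow rule
            src, i = _take_set(tok, 1)
            dst, _ = _take_set(tok, i)
            pol.role_allow |= {(s, d) for s in src for d in dst}
        elif kw == "role_transition":
            cur, i = _take_set(tok, 1)
            types, i = _take_set(tok, i)
            types = {t for t in types if not t.startswith("-")}  # '-x' exclusions dropped
            pol.role_trans += [(c, t, tok[i]) for c in sorted(cur) for t in sorted(types)]
        elif kw == "type_transition" and ":" in tok:
            colon = tok.index(":")
            if tok[colon + 1] == "process":              # only domain transitions matter here
                src, i = _take_set(tok, 1)
                tgt, _ = _take_set(tok, i)
                pol.type_trans += [(s, t, tok[colon + 2]) for s in sorted(src) for t in sorted(tgt)]
    return pol


def reachable_roles(pol, start):
    """Roles reachable from `start` through one or more role allow steps."""
    seen, todo = set(), [start]
    while todo:
        cur = todo.pop()
        for src, dst in pol.role_allow:
            if src == cur and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def check_role_transitions(pol):
    """Flag role_transition rules the kernel could never complete: a role change on
    exec is masked out of process:transition without a role allow (current, new)
    pair, and the new context is invalid unless the new role authorises the domain
    that the type_transition on the same file type selects."""
    findings = []
    for cur, exec_t, new in pol.role_trans:
        if (cur, new) not in pol.role_allow:
            findings.append(f"role_transition {cur} {exec_t} {new}: no 'allow {cur} {new};' "
                            "role allow rule, so the exec is denied")
        for dom in sorted({d for _, t, d in pol.type_trans if t == exec_t}):
            if dom not in pol.role_types.get(new, set()):
                findings.append(f"role_transition {cur} {exec_t} {new}: type_transition selects "
                                f"domain {dom} but {new} does not authorise it "
                                f"(add 'role {new} types {dom};')")
    return findings


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for role in sorted(pol.role_types):
        print(f"{role:17} can reach: {sorted(reachable_roles(pol, role)) or '-'}")
    for finding in check_role_transitions(pol):
        print("FINDING:", finding)
```
<br />
Running the script prints the reachable-role table and three findings, all for the hypothetical audit-admin rules: sysadm_r has no role allow rule to auditadm_r, and auditadm_r has no 'role auditadm_r types auditadm_t;' association, so neither caller would survive the exec. Attributes are not expanded and the negative operator only drops the excluded name, so treat the output as a pre-load sanity check on a policy source, not a substitute for checkpolicy or sesearch.<br />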
<br />
<br />
== Role dominance Rule ==<br />
This rule has been deprecated and therefore should not be used. The role dominance rule allows the dom_role_id to dominate the role_id (consisting of one or more roles). The dominant role will automatically inherit all the type associations of the other roles. <br />
<br />
Notes:<br />
<br />
# There is another dominance rule for MLS (see the MLS dominance Statement).<br />
# The role dominance rule is not used by the Reference Policy as the policy manages role dominance using the constrain Statement.<br />
# Note the usage of braces '{}' and the '<nowiki>;</nowiki>' in the statement.<br />
<br />
<br />
'''The statement definition is:'''<br />
<pre><br />
dominance { role dom_role_id { role role_id; } }<br />
</pre><br />
<br />
<br />
'''Where:'''<br />
{|border="1"<br />
|dominance<br />
|The dominance keyword.<br />
<br />
|-<br />
|role<br />
|The role keyword.<br />
<br />
|-<br />
|dom_role_id<br />
|The dominant role identifier.<br />
<br />
|-<br />
|role_id<br />
|For the simple case each { role role_id; } pair defines a role_id that will be dominated by the dom_role_id. More complex (nested) rules can be defined, but as the statement is deprecated they are not described here. <br />
<br />
|}<br />
<br />
<br />
'''The statement is valid in:'''<br />
{|border="1"<br />
|<center>'''Monolithic Policy'''</center><br />
|<center>'''Base Policy'''</center><br />
|<center>'''Module Policy'''</center><br />
<br />
|-<br />
|<center>Yes</center><br />
|<center>Yes</center><br />
|<center>Yes</center><br />
<br />
|-<br />
|<center>'''Conditional Policy (if) Statement'''</center><br />
|<center>'''optional Statement'''</center><br />
|<center>'''require Statement'''</center><br />
<br />
|-<br />
|<center>No</center><br />
|<center>Yes</center><br />
|<center>No</center><br />
<br />
|}<br />
<br />
<br />
'''Example:'''<br />
<pre><br />
<nowiki># This shows the dominance role rule; note however that it</nowiki><br />
<nowiki># has been deprecated and should not be used.</nowiki><br />
<br />
dominance { role message_filter_r { role unconfined_r; } }<br />
</pre></div>