RoleRules - Revision history (http://www.selinuxproject.org/w/?title=RoleRules&limit=50&action=history&feed=atom, MediaWiki 1.23.13)
Revision by RichardHaines, 2009-11-29T15:43:58Z: New page.

= Role Rules =

== Role allow Rule ==
The role allow rule checks whether a request to change roles is allowed. If it is, there may be a further request for a role_transition so that the process runs with the new role or role set.

Important Notes:

# The role allow rule has the same keyword as the allow AV rule.
# The role allow rule is used in the Reference Policy sources, however there are no corresponding role_transition rules. This is because the policy expects users to either keep the same role as when they logged onto the system, or use the newrole(1) command to change roles.
# The Reference Policy uses the constrain Statement to manage role relationships.

'''The statement definition is:'''
<pre>
allow from_role_id to_role_id;
</pre>

'''Where:'''
{| border="1"
| allow
| The role allow rule keyword.
|-
| from_role_id
| One or more role identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces ({}).
|-
| to_role_id
| One or more role identifiers that identify the new role to be granted on the transition. Multiple entries consist of a space separated list enclosed in braces ({}).
|}

'''The statement is valid in:'''
{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>Yes</center>
| <center>Yes</center>
| <center>Yes</center>
|-
| <center>'''Conditional Policy (if) Statement'''</center>
| <center>'''optional Statement'''</center>
| <center>'''require Statement'''</center>
|-
| <center>No</center>
| <center>Yes</center>
| <center>No</center>
|}

'''Example:'''
<pre>
# Using the role allow rule to define authorised role
# transitions in the Reference Policy. The current role
# sysadm_r is granted permission to transition to the secadm_r
# role in the MLS policy.

allow sysadm_r secadm_r;
</pre>

== role_transition Rule ==
The role_transition rule specifies that a role transition is required, and if allowed, the process will run under the new role.

'''The statement definition is:'''
<pre>
role_transition current_role_id type_id new_role_id;
</pre>

'''Where:'''
{| border="1"
| role_transition
| The role_transition keyword.
|-
| current_role_id
| One or more role identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces ({}).
|-
| type_id
| One or more type or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-). Only 'domain' types make sense within the policy.
|-
| new_role_id
| The new role to be granted on transition.
|}

'''The statement is valid in:'''
{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>Yes</center>
| <center>Yes</center>
| <center>Yes</center>
|-
| <center>'''Conditional Policy (if) Statement'''</center>
| <center>'''optional Statement'''</center>
| <center>'''require Statement'''</center>
|-
| <center>No</center>
| <center>Yes</center>
| <center>No</center>
|}

'''Example:'''
<pre>
# This is a role_transition used in the ext_gateway.conf
# loadable module to allow the secure client / server process to
# run under the message_filter_r role. The role needs to be
# declared, allowed to transition from its current role of
# unconfined_r and it then transitions when the process
# transitions via the type_transition statement (not shown).
# Note that the role needs to be associated to a user by either:
# 1) An embedded user statement in the policy. This is not
#    recommended as it makes the policy fixed to either
#    standard, MCS or MLS.
# 2) Using the semanage(8) command to add the role. This will
#    allow the module to be used by MCS/MLS policies as well.
#
# The secure client / server will run in this domain:

type ext_gateway_t;

# The binaries will be labeled:

type secure_services_exec_t;

# Use message_filter_r role and then transition

role message_filter_r types ext_gateway_t;
allow unconfined_r message_filter_r;
role_transition unconfined_r secure_services_exec_t message_filter_r;
</pre>

=== Role dominance Rule ===
This rule has been deprecated and therefore should not be used. The role dominance rule allows the dom_role_id to dominate the role_id (consisting of one or more roles). The dominant role will automatically inherit all the type associations of the other roles.

Notes:

# There is another dominance rule for MLS (see the MLS dominance Statement).
# The role dominance rule is not used by the Reference Policy as the policy manages role dominance using the constrain Statement.
# Note the usage of braces '{}' and the ';' in the statement.

'''The statement definition is:'''
<pre>
dominance { role dom_role_id { role role_id; } }
</pre>

'''Where:'''
{| border="1"
| dominance
| The dominance keyword.
|-
| role
| The role keyword.
|-
| dom_role_id
| The dominant role identifier.
|-
| role_id
| For the simple case each { role role_id; } pair defines the role_id that will be dominated by the dom_role_id. More complex (nested) rules can be defined, but as the statement is deprecated they are not described here.
|}

'''The statement is valid in:'''
{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>Yes</center>
| <center>Yes</center>
| <center>Yes</center>
|-
| <center>'''Conditional Policy (if) Statement'''</center>
| <center>'''optional Statement'''</center>
| <center>'''require Statement'''</center>
|-
| <center>No</center>
| <center>Yes</center>
| <center>No</center>
|}

'''Example:'''
<pre>
# This shows the dominance role rule, note however that it
# has been deprecated and should not be used.

dominance { role message_filter_r { role unconfined_r; } }
</pre>