Declares a role identifier in the current namespace.
Statement definition:
(role role_id)
Where:
Example:
This example declares two roles: object_r in the global namespace and unconfined.role:
(role object_r)

(block unconfined
    (role role)
)
Authorises a role identifier to access a type identifier.
Statement definition:
(role role_id type_id)
Where:
Example:
This example will declare role and type identifiers, then associate them:
(block unconfined
    (role role)
    (type process)
    (roletype role process)
)
Declares a role attribute identifier in the current namespace. The identifier may have zero or more role and roleattribute identifiers associated to it via the roleattributeset statement.
Statement definition:
(roleattribute roleattribute_id)
Where:
Example:
This example will declare a role attribute roles.role_holder that will have an empty set:
(block roles
    (roleattribute role_holder)
)
Allows the association of one or more previously declared role identifiers to a roleattribute identifier. Expressions may be used to refine the associations as shown in the examples.
Statement definition:
(roleattributeset roleattribute_id (role_id ... | expr ...))
Where:
Example:
This example will declare three roles and two role attributes, then associate all the roles to them as shown:
(block roles
    (role role_1)
    (role role_2)
    (role role_3)
    (roleattribute role_holder)
    (roleattributeset role_holder (role_1 role_2 role_3))
    (roleattribute role_holder_all)
    (roleattributeset role_holder_all (all))
)
Authorises the current role to assume a new role.
Notes:
May require a roletransition rule to ensure transition to the new role.
This rule is not allowed in booleanif statements.
Statement definition:
(roleallow current_role_id new_role_id)
Where:
Example:
See the roletransition statement for an example.
Specifies a role transition from the current role to a new role when computing a context for the target type. The class identifier would normally be process; however, for kernel version 2.6.39 and above with policy version >= 25, any valid class may be used. Note that a roleallow rule must be used to authorise the transition.
Statement definition:
(roletransition current_role_id target_type_id class_id new_role_id)
Where:
Example:
This example will authorise the unconfined.role to assume the msg_filter.role role, and then transition to that role:
(block ext_gateway
    (type process)
    (type exec)
    (roletype msg_filter.role process)
    (roleallow unconfined.role msg_filter.role)
    (roletransition unconfined.role exec process msg_filter.role)
)
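The roleallow and roletransition statements above are only consistent when used together: every roletransition needs a roleallow that authorises the role pair. As an added example (not part of the CIL reference or the CIL project), this Python lint parses CIL s-expressions and reports roletransition rules with no matching roleallow, plus roles that are referenced but never declared; the parser, the simplified name resolution in qualify() and the sample policy are constructed here, and roleattributes are not modelled.

```python
import re
# Argument positions that name roles; roleattributes are not modelled (assumption).
ROLE_ARGS = {"roleallow": (0, 1), "roletype": (0,), "rolebounds": (0, 1), "roletransition": (0, 3)}

def parse_cil(text):
    """Parse CIL s-expressions into nested lists; symbols stay strings."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # IndexError on a stray ')'
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]

def qualify(name, ns):
    """Leading '.' is global, dotted names are already qualified, bare names resolve in ns."""
    if name.startswith("."):
        return name[1:]
    return name if "." in name or not ns else f"{ns}.{name}"

def statements(nodes, ns=""):
    """Yield (keyword, args, namespace), descending into (block ...) forms."""
    for node in nodes:
        if isinstance(node, list) and node:
            if node[0] == "block":
                yield from statements(node[2:], f"{ns}.{node[1]}" if ns else node[1])
            else:
                yield node[0], node[1:], ns

def lint_roles(text):
    """Return findings; an empty list means the role rules are consistent."""
    stmts = list(statements(parse_cil(text)))
    declared = {qualify(a[0], ns) for kw, a, ns in stmts if kw == "role"}
    allowed = {(qualify(a[0], ns), qualify(a[1], ns)) for kw, a, ns in stmts if kw == "roleallow"}
    findings = []
    for kw, a, ns in stmts:
        roles = [qualify(a[i], ns) for i in ROLE_ARGS.get(kw, ())]
        findings += [f"{kw} references undeclared role {r}" for r in roles if r not in declared]
        if kw == "roletransition" and tuple(roles) not in allowed:
            findings.append(f"roletransition {roles[0]} -> {roles[1]} has no matching roleallow")
    return findings

# Constructed sample: ext_gateway mirrors the reference's roletransition example; the
# audit block deliberately omits its roleallow and names a role that is never declared.
SAMPLE = """(block unconfined (role role)) (block msg_filter (role role))
(block ext_gateway (type process) (type exec) (roletype msg_filter.role process)
    (roleallow unconfined.role msg_filter.role)
    (roletransition unconfined.role exec process msg_filter.role))
(block audit (type exec) (roletransition unconfined.role exec process .audit_r))"""
```

Running lint_roles(SAMPLE) reports two findings for the audit block and none for ext_gateway.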
Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.
Notes:
It is not possible to bind the parent role to more than one child role.
While this is added to the binary policy, it is not enforced by the SELinux kernel services.
Statement definition:
(rolebounds parent_role_id child_role_id)
Where:
Example:
In this example the role test cannot have greater privileges than unconfined.role:
(role test)

(block unconfined
    (role role)
    (rolebounds role .test)
)