RichardHaines: New page: = Conditional Policy Statements = Conditional policies consist of a bool statement that defines a condition as true or false, with a supporting if / else construct that specifies what rule...

RichardHaines — Sun, 29 Nov 2009 16:09:34 GMT

New page: = Conditional Policy Statements = Conditional policies consist of a bool statement that defines a condition as true or false, with a supporting if / else construct that specifies what rule...

New page

= Conditional Policy Statements =
Conditional policies consist of a bool statement that defines a condition as true or false, with a supporting if / else construct that specifies what rules are valid under the condition as shown in the example below:

<pre>
bool allow_daemons_use_tty true;

if (allow_daemons_use_tty) {
<nowiki> # Rules if condition is </nowiki>true<nowiki>;</nowiki>

} else {
<nowiki> # Rules if condition is </nowiki>false<nowiki>;</nowiki>
}
</pre>

The bool statement default value can be changed when a policy is active by using the setsebool command as follows:
<pre>
<nowiki># This command will set the allow_daemons_use_tty bool to </nowiki>false,
<nowiki># however it will only remain false until the next system </nowiki>
<nowiki># re-boot where it will then revert back to its default state</nowiki>
<nowiki># (in the above case, this would be </nowiki>true).

setsebool allow_daemons_use_tty false
</pre>

<pre>
<nowiki># This command will set the allow_daemons_use_tty bool to false,</nowiki>
<nowiki># and because the -P option is used (for persistent), the value </nowiki>
<nowiki># will remain across system re-boots. Note however that all </nowiki>
<nowiki># other pending bool values will become persistent across </nowiki>
<nowiki># re-boots as well (see the setsebool (8) man page). </nowiki>

setsebool -P allow_daemons_use_tty false
</pre>

The getsebool command can be used to query the current bool statement value as follows:
<pre>
<nowiki># This command will list all bool values in the active policy:</nowiki>

getsebool -a
</pre>

<pre>
<nowiki># This command will show the current allow_daemons_use_tty bool </nowiki>
<nowiki># value in the active policy:</nowiki>

getsebool allow_daemons_use_tty
</pre>

== bool Statement ==
The bool statement is used to specify a boolean identifier and its initial state (true or false) that can then be used with the if Statement to form a 'conditional policy' as described in the Conditional Policy section.

'''The statement definition is:'''
<pre>
bool bool_id default_value;
</pre>

'''Where:'''
{|border="1"
|bool
|The bool keyword.

|-
|bool_id
|The boolean identifier.

|-
|default_value
|Either true or false.

|}

'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>

|-
|<center>Yes</center>
|<center>Yes</center>
|<center>Yes</center>

|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>

|-
|<center>No</center>
|<center>Yes</center>
|<center>Yes</center>

|}

'''Examples:'''
<pre>
<nowiki># Using the </nowiki>bool statement to allow unconfined executables to
<nowiki># make their memory heap executable or not. As the value is</nowiki>
<nowiki># </nowiki>false, then by default they cannot make their heap executable.

bool allow_execheap false;
</pre>

<pre>
<nowiki># Using the </nowiki>bool statement to allow unconfined executables to
<nowiki># make their stack executable or not. As the value is </nowiki>true,
<nowiki># then by default their stacks are executable.</nowiki>

bool allow_execstack true;
</pre>

== if Statement ==
The if statement is used to form a 'conditional block' of statements and rules that are enforced depending on whether one or more boolean identifiers (defined by the bool Statement) evaluate to TRUE or FALSE. An if / else construct is also supported.

The only statements and rules allowed within the if / else construct are:

allow, auditallow, auditdeny, dontaudit, type_member, type_transition, type_change and require.

'''The statement definition is:'''
<pre>
<nowiki>if (conditional_expression) { true_list } [ else { false_list } ]</nowiki>
</pre>

'''Where:'''
{|border="1"
|if
|The if keyword.

|-
|conditional_expression
|One or more bool_name identifiers that have been previously defined by the bool Statement. Multiple identifiers must be separated by the following logical operators: &&, ¦¦, ^, !, ==, !=.

The conditional_expression is enclosed in brackets ().

|-
|true_list
|A list of rules enclosed within braces '{}' that will be executed when the conditional_expression is 'true'.

Valid statements and rules are highlighted within each language definition statement.

|-
|else
|Optional else keyword.

|-
|false_list
|A list of rules enclosed within braces '{}' that will be executed when the optional 'else' keyword is present and the conditional_expression is 'false'.

Valid statements and rules are highlighted within each language definition statement.

|}

'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>

|-
|<center>Yes</center>
|<center>Yes</center>
|<center>Yes</center>

|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>

|-
|<center>No - As this is a Conditional Statement and cannot be nested.</center>
|<center>Yes</center>
|<center>No</center>

|}

'''Examples:'''
<pre>
<nowiki># An example showing a </nowiki>boolean and supporting if statement.

bool allow_execmem false;

<nowiki># The bool </nowiki>allow_execmem is FALSE therefore the allow statement
<nowiki># is not executed:</nowiki>

if (allow_execmem) {
allow sysadm_t self:process execmem;
}
</pre>

<pre>
<nowiki># An example showing two </nowiki>booleans and a supporting if statement.

bool allow_execmem false;
bool allow_execstack true;

<nowiki># The bool </nowiki>allow_execmem is FALSE and allow_execstack is TRUE
<nowiki># therefore the allow statement is not executed:</nowiki>

if (allow_execmem && allow_execstack) {
allow sysadm_t self:process execstack;
}
</pre>

<pre>
<nowiki># An example of an IF - ELSE statement where t</nowiki>he bool statement
<nowiki># is FALSE, therefore the ELSE statements will be executed.</nowiki>
<nowiki>#</nowiki>

bool read_untrusted_content false;

if (read_untrusted_content) {
allow sysadm_t { sysadm_untrusted_content_t
sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
.....

} else {
dontaudit sysadm_t { sysadm_untrusted_content_t
sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
...
}
</pre>

ConditionalStatements - Revision history

RichardHaines: New page: = Conditional Policy Statements = Conditional policies consist of a bool statement that defines a condition as true or false, with a supporting if / else construct that specifies what rule...