ConditionalStatements

From SELinux Wiki
Latest revision as of 13:43, 13 December 2014

Conditional Policy Statements

Conditional policies consist of a bool statement that declares a condition as true or false, together with an if / else construct that specifies which rules apply under each value of the condition, as shown in the example below:

bool allow_daemons_use_tty true;

if (allow_daemons_use_tty) {
    # Rules if condition is true;
} else {
    # Rules if condition is false;
}

Table 3 in the Kernel Policy Language section shows what policy statements or rules are valid within the if / else construct under the "Conditional Statements" column.

The default value of a bool can be changed while the policy is active by using the setsebool command, as follows:

# This command will set the allow_daemons_use_tty bool to false,
# however it will only remain false until the next system
# re-boot (or policy reload), where it will then revert back to
# its default state (in the above case, this would be true).

setsebool allow_daemons_use_tty false

# This command will set the allow_daemons_use_tty bool to false,
# and because the -P option is used (for persistent), the value
# will remain across system re-boots. Note however that all
# other pending bool values will become persistent across
# re-boots as well (see the setsebool(8) man page).

setsebool -P allow_daemons_use_tty false

The getsebool command can be used to query the current value of a bool as follows:

# This command will list all bool values in the active policy:

getsebool -a

# This command will show the current allow_daemons_use_tty bool
# value in the active policy:

getsebool allow_daemons_use_tty

bool

The bool statement is used to specify a boolean identifier and its initial state (true or false) that can then be used with the if statement to form a 'conditional policy' as described in the Conditional Policy section.

The statement definition is:

bool bool_id default_value;

Where:

bool            The bool keyword.
bool_id         The boolean identifier.
default_value   Either true or false.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  Yes

if Statement        optional Statement   require Statement
No                  Yes                  Yes


Examples:

# Using the bool statement to allow unconfined executables to
# make their memory heap executable or not. As the value is
# false, then by default they cannot make their heap executable.

bool allow_execheap false;

# Using the bool statement to allow unconfined executables to
# make their stack executable or not. As the value is true,
# then by default their stacks are executable.

bool allow_execstack true;

if

The if statement is used to form a 'conditional block' of statements and rules that are enforced depending on whether one or more boolean identifiers (defined by the bool statement) evaluate to TRUE or FALSE. An if / else construct is also supported.

The only statements and rules allowed within the if / else construct are:

allow, auditallow, auditdeny, dontaudit, type_member, type_transition, type_change and require.

The statement definition is:

if (conditional_expression) { true_list } [ else { false_list } ]

Where:

if                      The if keyword.

conditional_expression  One or more bool_id identifiers that have been previously defined by the bool statement. Identifiers are combined with the logical operators && (and), || (or), ^ (exclusive or), == and != (equality tests), and negated with the prefix operator !. Sub-expressions may be grouped with parentheses.

                        The whole conditional_expression is enclosed in parentheses ().

true_list               A list of rules enclosed within braces '{}' that apply when the conditional_expression is 'true'.

                        Valid statements and rules are highlighted within each language definition statement.

else                    Optional else keyword.

false_list              A list of rules enclosed within braces '{}' that apply when the optional 'else' keyword is present and the conditional_expression is 'false'.

                        Valid statements and rules are highlighted within each language definition statement.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  Yes

if Statement        optional Statement   require Statement
No (an if statement cannot be nested)   Yes   No


Examples:

# An example showing a boolean and supporting if statement.

bool allow_execmem false;

# The bool allow_execmem is FALSE therefore the allow rule
# is not enabled:

if (allow_execmem) {
    allow sysadm_t self:process execmem;
}

# An example showing two booleans and a supporting if statement.

bool allow_execmem false;
bool allow_execstack true;

# The bool allow_execmem is FALSE and allow_execstack is TRUE,
# therefore the conjunction is FALSE and the allow rule is not enabled:

if (allow_execmem && allow_execstack) {
    allow sysadm_t self:process execstack;
}

# An example of an IF - ELSE statement where the bool statement
# is FALSE, therefore the ELSE rules are enabled.
#
bool read_untrusted_content false;

if (read_untrusted_content) {
    allow sysadm_t { sysadm_untrusted_content_t
    sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
    .....
} else {
    dontaudit sysadm_t { sysadm_untrusted_content_t
    sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
    ...
}
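The following Python script is an added example written for this page; it is not code from the SELinux project or from the wiki. It parses a small constructed policy fragment made from the bool statements and if / else blocks shown in the examples above, evaluates each conditional_expression with the operators listed in the if statement definition, and reports which rules are in force for the declared defaults and after an override that plays the role of a setsebool change at run time. The bool and type names are those used in the page's examples. The operator precedence it applies (|| weakest, then ^, &&, the prefix !, with == and != binding tightest) is an assumption intended to match checkpolicy's grammar; in real policy, parenthesize compound expressions rather than relying on it. On a live system the corresponding check is `sesearch -A -b bool_id`, which lists the allow rules that depend on a given boolean.

```python
import operator
import re

# Constructed policy fragment built from this page's examples (not a loadable module).
POLICY = """
bool allow_execmem false;
bool allow_execstack true;
bool read_untrusted_content false;
if (allow_execmem && allow_execstack) {
    allow sysadm_t self:process execstack;
}
if (read_untrusted_content) {
    allow sysadm_t { sysadm_untrusted_content_t
    sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
} else {
    dontaudit sysadm_t { sysadm_untrusted_content_t
    sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
}
"""

BOOL_RE = re.compile(r'^\s*bool\s+(\w+)\s+(true|false)\s*;', re.M)
# A true_list / false_list may hold one level of braces for sets such as { read write }.
BLOCK = r'\{((?:[^{}]|\{[^{}]*\})*)\}'
IF_RE = re.compile(r'\bif\s*\((.*?)\)\s*' + BLOCK + r'(?:\s*else\s*' + BLOCK + r')?', re.S)
TOKEN_RE = re.compile(r'\s*(?:(&&|\|\||==|!=|[()^!]|[A-Za-z_]\w*)|(\S))')
# Binding strength, weakest first; prefix '!' sits at 4 (assumed to match checkpolicy).
PREC = {'||': 1, '^': 2, '&&': 3, '==': 5, '!=': 5}
OPS = {'||': operator.or_, '^': operator.xor, '&&': operator.and_,
       '==': operator.eq, '!=': operator.ne}


def tokenize(expr):
    """Split a conditional_expression into operator, parenthesis and bool_id tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(2):
            raise SyntaxError(f"unexpected character {m.group(2)!r} in {expr!r}")
        tokens.append(m.group(1))
    return tokens


def evaluate(expr, bools):
    """Evaluate a conditional_expression against {bool_id: value} by precedence climbing."""
    toks, pos = tokenize(expr), 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1] if pos <= len(toks) else None

    def primary():
        tok = take()
        if tok == '(':
            value = climb(1)
            if take() != ')':
                raise SyntaxError("expected ')'")
            return value
        if tok == '!':                      # operand of ! may still contain == / !=
            return not climb(4)
        if tok is None or tok in OPS or tok == ')':
            raise SyntaxError(f"expected bool_id, got {tok!r}")
        if tok not in bools:                # as in checkpolicy, an undeclared bool is an error
            raise NameError(f"bool {tok} has not been declared")
        return bools[tok]

    def climb(min_prec):
        value = primary()
        while peek() in PREC and PREC[peek()] >= min_prec:
            op = take()
            value = OPS[op](value, climb(PREC[op] + 1))   # left-associative
        return value

    value = climb(1)
    if peek() is not None:
        raise SyntaxError(f"trailing token {peek()!r}")
    return value


def declared_bools(policy):
    """Collect 'bool bool_id default_value;' statements into {bool_id: default}."""
    return {m.group(1): m.group(2) == 'true' for m in BOOL_RE.finditer(policy)}


def rules_in(block):
    """Split a true_list or false_list into one-line rules (a rule may span lines)."""
    return [' '.join(part.split()) + ';' for part in block.split(';') if part.strip()]


def active_rules(policy, overrides=None):
    """Rules in force: bool defaults from the policy text, then 'overrides' applied
    the way 'setsebool bool_id value' changes a value in the active policy."""
    bools = declared_bools(policy)
    for name, value in (overrides or {}).items():
        if name not in bools:
            raise NameError(f"bool {name} has not been declared")
        bools[name] = value
    active = []
    for m in IF_RE.finditer(policy):
        cond, true_list, false_list = m.groups()
        active.extend(rules_in(true_list if evaluate(cond, bools) else (false_list or '')))
    return active
```

Calling `active_rules(POLICY)` returns only the dontaudit rule from the else branch, because both ifs evaluate to false under the declared defaults; `active_rules(POLICY, {'allow_execmem': True})` additionally enables the execstack rule, which is the effect `setsebool allow_execmem true` would have on a live system, and `active_rules(POLICY, {'read_untrusted_content': True})` swaps the dontaudit for the allow rule. Overriding or referencing a bool that no bool statement declares raises NameError, mirroring the compile-time error for an undeclared boolean.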
