ConditionalStatements - Revision history
http://selinuxproject.org/w/?title=ConditionalStatements&action=history
(feed generated by MediaWiki 1.23.13, Thu, 28 Mar 2024 11:29:12 GMT)

Revisions, both by RichardHaines:
* 13 December 2014, 13:43 GMT: http://selinuxproject.org/w/?title=ConditionalStatements&diff=1742&oldid=841 (no edit summary)
* 29 November 2009, 16:09 GMT: new page, http://selinuxproject.org/w/?title=ConditionalStatements&diff=841&oldid=prev

The new-page revision reads as follows.

= Conditional Policy Statements =
Conditional policies consist of a bool statement that defines a condition as true or false, with a supporting if / else construct that specifies what rules are valid under the condition, as shown in the example below:

<pre>
bool allow_daemons_use_tty true;

if (allow_daemons_use_tty) {
    # Rules if condition is true;

} else {
    # Rules if condition is false;
}
</pre>

The bool statement default value can be changed while a policy is active by using the setsebool command as follows:
<pre>
# This command will set the allow_daemons_use_tty bool to false,
# however it will only remain false until the next system
# reboot, when it will revert back to its default state
# (in the above case, this would be true).

setsebool allow_daemons_use_tty false
</pre>

<pre>
# This command will set the allow_daemons_use_tty bool to false,
# and because the -P option is used (for persistent), the value
# will remain across system reboots. Note however that all
# other pending bool values will become persistent across
# reboots as well (see the setsebool(8) man page).

setsebool -P allow_daemons_use_tty false
</pre>

The getsebool command can be used to query the current bool statement value as follows:
<pre>
# This command will list all bool values in the active policy:

getsebool -a
</pre>

<pre>
# This command will show the current allow_daemons_use_tty bool
# value in the active policy:

getsebool allow_daemons_use_tty
</pre>

== bool Statement ==
The bool statement is used to specify a boolean identifier and its initial state (true or false) that can then be used with the if statement to form a 'conditional policy' as described in the Conditional Policy section.

'''The statement definition is:'''
<pre>
bool bool_id default_value;
</pre>

'''Where:'''
{| border="1"
| bool
| The bool keyword.
|-
| bool_id
| The boolean identifier.
|-
| default_value
| Either true or false.
|}

'''The statement is valid in:'''
{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>Yes</center>
| <center>Yes</center>
| <center>Yes</center>
|-
| <center>'''Conditional Policy (if) Statement'''</center>
| <center>'''optional Statement'''</center>
| <center>'''require Statement'''</center>
|-
| <center>No</center>
| <center>Yes</center>
| <center>Yes</center>
|}

'''Examples:'''
<pre>
# Using the bool statement to allow unconfined executables to
# make their memory heap executable or not. As the value is
# false, then by default they cannot make their heap executable.

bool allow_execheap false;
</pre>

<pre>
# Using the bool statement to allow unconfined executables to
# make their stack executable or not. As the value is true,
# then by default their stacks are executable.

bool allow_execstack true;
</pre>

== if Statement ==
The if statement is used to form a 'conditional block' of statements and rules that are enforced depending on whether one or more boolean identifiers (defined by the bool statement) evaluate to TRUE or FALSE. An if / else construct is also supported.

The only statements and rules allowed within the if / else construct are:

allow, auditallow, auditdeny, dontaudit, type_member, type_transition, type_change and require.

'''The statement definition is:'''
<pre>
if (conditional_expression) { true_list } [ else { false_list } ]
</pre>

'''Where:'''
{| border="1"
| if
| The if keyword.
|-
| conditional_expression
| One or more bool_id identifiers that have been previously defined by the bool statement. Multiple identifiers must be separated by the following logical operators: &&, <nowiki>||</nowiki>, ^, !, ==, !=.

The conditional_expression is enclosed in brackets ().
|-
| true_list
| A list of rules enclosed within braces '{}' that will be executed when the conditional_expression is 'true'.

Valid statements and rules are highlighted within each language definition statement.
|-
| else
| Optional else keyword.
|-
| false_list
| A list of rules enclosed within braces '{}' that will be executed when the optional 'else' keyword is present and the conditional_expression is 'false'.

Valid statements and rules are highlighted within each language definition statement.
|}

'''The statement is valid in:'''
{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>Yes</center>
| <center>Yes</center>
| <center>Yes</center>
|-
| <center>'''Conditional Policy (if) Statement'''</center>
| <center>'''optional Statement'''</center>
| <center>'''require Statement'''</center>
|-
| <center>No - As this is a Conditional Statement and cannot be nested.</center>
| <center>Yes</center>
| <center>No</center>
|}

'''Examples:'''
<pre>
# An example showing a boolean and supporting if statement.

bool allow_execmem false;

# The bool allow_execmem is FALSE, therefore the allow statement
# is not executed:

if (allow_execmem) {
    allow sysadm_t self:process execmem;
}
</pre>

<pre>
# An example showing two booleans and a supporting if statement.

bool allow_execmem false;
bool allow_execstack true;

# The bool allow_execmem is FALSE and allow_execstack is TRUE,
# therefore the allow statement is not executed:

if (allow_execmem && allow_execstack) {
    allow sysadm_t self:process execstack;
}
</pre>

<pre>
# An example of an IF - ELSE statement where the bool statement
# is FALSE, therefore the ELSE statements will be executed.
#

bool read_untrusted_content false;

if (read_untrusted_content) {
    allow sysadm_t { sysadm_untrusted_content_t
        sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
    .....

} else {
    dontaudit sysadm_t { sysadm_untrusted_content_t
        sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
    ...
}
</pre>
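The page lists the operators a conditional_expression may use and shows, by example, which rule list an if / else block selects once the bools are known. As an added illustration (my own code, not from the wiki page or from the SELinux project) here is a small Python evaluator that tokenises such an expression, evaluates it against a set of bool values, and returns the rules that would be in force, using the page's own examples as input and replaying the effect of a setsebool change by replacing a value in the dictionary. The operator precedence it applies (lowest to highest: ||, ^, &&, == and !=, then unary !) is an assumption rather than something the page states, so policy that mixes operators is better written with explicit parentheses than left to depend on precedence.

```python
"""Evaluate SELinux conditional-policy expressions (added example, not the wiki's code).

Operators (&&, ||, ^, !, ==, !=) and the if/else rule lists follow the page;
the precedence ordering below is an assumption, so use parentheses in real policy.
"""
import re

# One token: a binary/unary operator, a parenthesis, or a bool identifier.
_TOKEN_RE = re.compile(r"\s*(&&|\|\||==|!=|[()^!]|[A-Za-z_][A-Za-z0-9_]*)")


def tokenize(expr):
    """Split a conditional_expression into tokens, rejecting stray characters."""
    expr = expr.strip()
    tokens, pos = [], 0
    while pos < len(expr):
        match = _TOKEN_RE.match(expr, pos)
        if match is None:
            raise ValueError(f"unexpected character at offset {pos}: {expr[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator. Assumed precedence, lowest to highest:
    ||  then  ^  then  &&  then  == / !=  then unary !."""

    def __init__(self, tokens, bools):
        self.tokens, self.pos, self.bools = tokens, 0, bools

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def parse_or(self):
        value = self.parse_xor()
        while self.peek() == "||":
            self.take()
            rhs = self.parse_xor()      # always parse the right side, no short-circuit
            value = value or rhs
        return value

    def parse_xor(self):
        value = self.parse_and()
        while self.peek() == "^":
            self.take()
            rhs = self.parse_and()
            value = value != rhs
        return value

    def parse_and(self):
        value = self.parse_eq()
        while self.peek() == "&&":
            self.take()
            rhs = self.parse_eq()
            value = value and rhs
        return value

    def parse_eq(self):
        value = self.parse_not()
        while self.peek() in ("==", "!="):
            op = self.take()
            rhs = self.parse_not()
            value = (value == rhs) if op == "==" else (value != rhs)
        return value

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            self.take(")")
            return value
        if tok in self.bools:
            return self.bools[tok]
        # A name with no matching bool statement is a policy error, not "false".
        raise ValueError(f"bool {tok!r} is not defined by any bool statement")


def evaluate(expr, bools):
    """Evaluate `expr` against `bools`; every identifier must be defined."""
    parser = _Parser(tokenize(expr), bools)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected trailing token {parser.peek()!r}")
    return result


def active_rules(expr, bools, true_list, false_list=()):
    """Rules of `if (expr) { true_list } else { false_list }` that are in force."""
    return list(true_list) if evaluate(expr, bools) else list(false_list)


def demo():
    # Bool values and rules are the page's examples; the dict stands in for the kernel's state.
    bools = {"allow_execmem": False, "allow_execstack": True, "read_untrusted_content": False}
    execstack_rule = ["allow sysadm_t self:process execstack;"]
    before = active_rules("allow_execmem && allow_execstack", bools, execstack_rule)
    # Replay `setsebool allow_execmem true` and re-evaluate the same block.
    toggled = dict(bools, allow_execmem=True)
    after = active_rules("allow_execmem && allow_execstack", toggled, execstack_rule)
    untrusted = active_rules(
        "read_untrusted_content", bools,
        ["allow sysadm_t sysadm_untrusted_content_t:dir { getattr search read lock ioctl };"],
        ["dontaudit sysadm_t sysadm_untrusted_content_t:dir { getattr search read lock ioctl };"])
    return before, after, untrusted


if __name__ == "__main__":
    for label, rules in zip(("before", "after setsebool", "untrusted"), demo()):
        print(f"{label}: {rules}")
```

Running the module prints an empty list for the two-bool example (one operand is false, so the allow rule is not in force), the execstack rule once allow_execmem has been toggled on, and the dontaudit rule for the read_untrusted_content block, matching the outcomes the page describes.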