http://selinuxproject.org/w/?title=DefaultRules&action=history&feed=atom 2013-05-20T06:09:28Z Revision history for this page on the wiki MediaWiki 1.10.4 http://selinuxproject.org/w/?title=DefaultRules&diff=1297&oldid=prev 2012-11-18T14:44:09Z

<p>New page: = Default Rules = These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or ...</p> <p><b>New page</b></p><div>= Default Rules =<br /> These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.<br /> <br /> == default_user Rule ==<br /> Allows the default user to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.<br /> <br /> '''The statement definition is:'''<br /> &lt;pre&gt;<br /> default_user class default;<br /> &lt;/pre&gt;<br /> <br /> '''Where:'''<br /> <br /> {|border=&quot;1&quot;<br /> | default_user<br /> | The default_user rule keyword.<br /> <br /> |-<br /> | class<br /> <br /> <br /> <br /> | One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). <br /> <br /> Entries can be excluded from the list by using the negative operator (-).<br /> <br /> |-<br /> | default<br /> | A single keyword consisting of either &lt;tt&gt;source&lt;/tt&gt; or &lt;tt&gt;target&lt;/tt&gt; that will state whether the default user should be obtained from the source or target context.<br /> <br /> |}<br /> <br /> <br /> '''The statement is valid in:'''<br /> <br /> {|border=&quot;1&quot;<br /> | &lt;center&gt;'''Monolithic Policy'''&lt;/center&gt;<br /> | &lt;center&gt;'''Base Policy'''&lt;/center&gt;<br /> | &lt;center&gt;'''Module Policy'''&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;Yes&lt;/center&gt;<br /> | &lt;center&gt;Yes&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;'''Conditional Policy (if) Statement'''&lt;/center&gt;<br /> | &lt;center&gt;'''optional Statement'''&lt;/center&gt;<br /> | &lt;center&gt;'''require Statement'''&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;No&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> <br /> |}<br /> <br /> <br /> '''Example:'''<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;# When computing the context for a new file object, the user&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# will be obtained from the target context.&lt;/nowiki&gt;<br /> <br /> default_user file target;<br /> <br /> &lt;nowiki&gt;# When computing the context for a new x_selection or x_property&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# object, the user will be obtained from the source context.&lt;/nowiki&gt;<br /> <br /> default_user { x_selection x_property } source;<br /> &lt;/pre&gt;<br /> <br /> <br /> == default_role Rule ==<br /> Allows the default role to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.<br /> <br /> '''The statement definition is:'''<br /> &lt;pre&gt;<br /> default_role class default;<br /> &lt;/pre&gt;<br /> <br /> <br /> '''Where:'''<br /> <br /> {|border=&quot;1&quot;<br /> | default_role<br /> | The default_role rule keyword.<br /> <br /> |-<br /> | class<br /> <br /> <br /> <br /> | One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). <br /> <br /> Entries can be excluded from the list by using the negative operator (-).<br /> <br /> |-<br /> | default<br /> | A single keyword consisting of either &lt;tt&gt;source&lt;/tt&gt; or &lt;tt&gt;target&lt;/tt&gt; that will state whether the default role should be obtained from the source or target context.<br /> <br /> |}<br /> <br /> <br /> '''The statement is valid in:'''<br /> <br /> {|border=&quot;1&quot;<br /> | &lt;center&gt;'''Monolithic Policy'''&lt;/center&gt;<br /> | &lt;center&gt;'''Base Policy'''&lt;/center&gt;<br /> | &lt;center&gt;'''Module Policy'''&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;Yes&lt;/center&gt;<br /> | &lt;center&gt;Yes&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;'''Conditional Policy (if) Statement'''&lt;/center&gt;<br /> | &lt;center&gt;'''optional Statement'''&lt;/center&gt;<br /> | &lt;center&gt;'''require Statement'''&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;No&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> <br /> |}<br /> <br /> <br /> '''Example:'''<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;# When computing the context for a new file object, the role&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# will be obtained from the target context.&lt;/nowiki&gt;<br /> <br /> default_role file target;<br /> <br /> &lt;nowiki&gt;# When computing the context for a new x_selection or x_property&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# object, the role will be obtained from the source context.&lt;/nowiki&gt;<br /> <br /> default_role { x_selection x_property } source;<br /> &lt;/pre&gt;<br /> <br /> <br /> == default_type Rule ==<br /> Allows the default type to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 28.<br /> <br /> '''The statement definition is:'''<br /> &lt;pre&gt;<br /> default_type class default;<br /> &lt;/pre&gt;<br /> <br /> <br /> '''Where:'''<br /> <br /> {|border=&quot;1&quot;<br /> | default_type<br /> | The default_type rule keyword.<br /> <br /> |-<br /> | class<br /> <br /> <br /> <br /> | One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). <br /> <br /> Entries can be excluded from the list by using the negative operator (-).<br /> <br /> |-<br /> | default<br /> | A single keyword consisting of either &lt;tt&gt;source&lt;/tt&gt; or &lt;tt&gt;target&lt;/tt&gt; that will state whether the default type should be obtained from the source or target context.<br /> <br /> |}<br /> <br /> <br /> '''The statement is valid in:'''<br /> <br /> {|border=&quot;1&quot;<br /> | &lt;center&gt;'''Monolithic Policy'''&lt;/center&gt;<br /> | &lt;center&gt;'''Base Policy'''&lt;/center&gt;<br /> | &lt;center&gt;'''Module Policy'''&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;Yes&lt;/center&gt;<br /> | &lt;center&gt;Yes&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;'''Conditional Policy (if) Statement'''&lt;/center&gt;<br /> | &lt;center&gt;'''optional Statement'''&lt;/center&gt;<br /> | &lt;center&gt;'''require Statement'''&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;No&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> <br /> |}<br /> <br /> <br /> '''Example:'''<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;# When computing the context for a new file object, the type&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# will be obtained from the target context.&lt;/nowiki&gt;<br /> <br /> default_type file target;<br /> <br /> &lt;nowiki&gt;# When computing the context for a new x_selection or x_property&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# object, the type will be obtained from the source context.&lt;/nowiki&gt;<br /> <br /> default_type { x_selection x_property } source;<br /> &lt;/pre&gt;<br /> <br /> <br /> == default_range Rule ==<br /> Allows the default range or level to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.<br /> <br /> '''The statement definition is:'''<br /> &lt;pre&gt;<br /> default_range class default entry;<br /> &lt;/pre&gt;<br /> <br /> <br /> '''Where:'''<br /> <br /> {|border=&quot;1&quot;<br /> | default_range<br /> | The default_range rule keyword.<br /> <br /> |-<br /> | class<br /> <br /> <br /> <br /> | One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). <br /> <br /> Entries can be excluded from the list by using the negative operator (-).<br /> <br /> |-<br /> | default<br /> | A single keyword consisting of either &lt;tt&gt;source&lt;/tt&gt; or &lt;tt&gt;target&lt;/tt&gt; that will state whether the default level or range should be obtained from the source or target context.<br /> <br /> |-<br /> | entry<br /> | A single keyword consisting of either: &lt;tt&gt;low&lt;/tt&gt;, &lt;tt&gt;high&lt;/tt&gt; or &lt;tt&gt;low_high&lt;/tt&gt; that will state whether the default level or range should be obtained from the source or target context.<br /> <br /> |}<br /> <br /> <br /> '''The statement is valid in:'''<br /> <br /> {|border=&quot;1&quot;<br /> | &lt;center&gt;'''Monolithic Policy'''&lt;/center&gt;<br /> | &lt;center&gt;'''Base Policy'''&lt;/center&gt;<br /> | &lt;center&gt;'''Module Policy'''&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;Yes&lt;/center&gt;<br /> | &lt;center&gt;Yes&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;'''Conditional Policy (if) Statement'''&lt;/center&gt;<br /> | &lt;center&gt;'''optional Statement'''&lt;/center&gt;<br /> | &lt;center&gt;'''require Statement'''&lt;/center&gt;<br /> <br /> |-<br /> | &lt;center&gt;No&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> | &lt;center&gt;No&lt;/center&gt;<br /> <br /> |}<br /> <br /> <br /> '''Example:'''<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;# When computing the context for a new file object, the lower&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# level will be taken from the target context range.&lt;/nowiki&gt;<br /> <br /> default_range file target low;<br /> <br /> &lt;nowiki&gt;# When computing the context for a new x_selection or x_property&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# object, the range will be obtained from the source context.&lt;/nowiki&gt;<br /> <br /> default_type { x_selection x_property } source low_high;<br /> &lt;/pre&gt;<br /> <br /> <br /> ----<br /> &lt;references/&gt;<br /> <br /> [[Category:Notebook]]</div>

RichardHaines