DefaultRules

From SELinux Wiki
Revision as of 14:11, 11 December 2014 by RichardHaines (Talk | contribs)


Default Object Rules

These rules allow a default user, role, type and/or range to be used when computing a context for a new object. They require policy version 27 or 28 (stated for each rule below) with kernels 3.5 or greater. A rule applies only to the object classes it names, and it sets the starting value for that field: an explicit type_transition, role_transition or range_transition rule that matches the creation still takes precedence. Classes not named by any rule keep the built-in behaviour for non-process object classes, which is to take the user from the source (creating process) context, the role object_r, the type from the target (parent object) context and the low level of the source context as the range.

default_user

Allows the default user to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.

The statement definition is:

default_user class default;

Where:

  default_user   The default_user rule keyword.

  class          One or more class identifiers. Multiple entries consist of a
                 space separated list enclosed in braces ({}). Entries can be
                 excluded from the list by using the negative operator (-).

  default        A single keyword, either source or target, stating whether the
                 default user is taken from the source or target context.


The statement is valid in:

  Monolithic Policy   Base Policy   Module Policy
  Yes                 Yes           No

  if Statement        optional Statement   require Statement
  No                  No                   No


Example:

# When computing the context for a new file object, the user
# will be obtained from the target context.

default_user file target;

# When computing the context for a new x_selection or x_property
# object, the user will be obtained from the source context.

default_user { x_selection x_property } source;


default_role

Allows the default role to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.

The statement definition is:

default_role class default;


Where:

  default_role   The default_role rule keyword.

  class          One or more class identifiers. Multiple entries consist of a
                 space separated list enclosed in braces ({}). Entries can be
                 excluded from the list by using the negative operator (-).

  default        A single keyword, either source or target, stating whether the
                 default role is taken from the source or target context.


The statement is valid in:

  Monolithic Policy   Base Policy   Module Policy
  Yes                 Yes           No

  if Statement        optional Statement   require Statement
  No                  No                   No


Example:

# When computing the context for a new file object, the role
# will be obtained from the target context.

default_role file target;

# When computing the context for a new x_selection or x_property
# object, the role will be obtained from the source context.

default_role { x_selection x_property } source;


default_type

Allows the default type to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 28.

The statement definition is:

default_type class default;


Where:

  default_type   The default_type rule keyword.

  class          One or more class identifiers. Multiple entries consist of a
                 space separated list enclosed in braces ({}). Entries can be
                 excluded from the list by using the negative operator (-).

  default        A single keyword, either source or target, stating whether the
                 default type is taken from the source or target context.


The statement is valid in:

  Monolithic Policy   Base Policy   Module Policy
  Yes                 Yes           No

  if Statement        optional Statement   require Statement
  No                  No                   No


Example:

# When computing the context for a new file object, the type
# will be obtained from the target context.

default_type file target;

# When computing the context for a new x_selection or x_property
# object, the type will be obtained from the source context.

default_type { x_selection x_property } source;


default_range

Allows the default range or level to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.

The statement definition is:

default_range class default range;


Where:

  default_range  The default_range rule keyword.

  class          One or more class identifiers. Multiple entries consist of a
                 space separated list enclosed in braces ({}). Entries can be
                 excluded from the list by using the negative operator (-).

  default        A single keyword, either source or target, stating whether the
                 default level or range is taken from the source or target
                 context.

  range          A single keyword, either low, high or low_high, stating which
                 part of the chosen context's range is used: its low level, its
                 high level, or the full low-high range.


The statement is valid in:

  Monolithic Policy   Base Policy   Module Policy
  Yes                 Yes           No

  if Statement        optional Statement   require Statement
  No                  No                   No



Example:

# When computing the context for a new file object, the lower
# level will be taken from the target context range.

default_range file target low;

# When computing the context for a new x_selection or x_property
# object, the range will be obtained from the source context.

default_range { x_selection x_property } source low_high;
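The following is an added example, not code from this wiki page or from the SELinux project. It models how the four default_* rules above pick each field of a new object's context from the source (creating process) and target (parent object) contexts, including the low / high / low_high choice of default_range and the negative operator in a class list. The rule syntax follows the page's examples; the built-in behaviour for a class that no rule names (user and low level from source, role object_r, type from target) is my assumption about the kernel's handling of object classes, not something the page states, and transition rules are not modelled. The policy text and contexts are constructed sample input.

```python
"""Added example (not from the SELinux wiki or the SELinux project):
resolve default_user/default_role/default_type/default_range rules.

Assumption: for an object class that no rule names, the new context takes
the user from the source context, the role object_r, the type from the
target context and the source context's low level as its range.
"""
from dataclasses import dataclass

KEYWORDS = {"default_user": "user", "default_role": "role",
            "default_type": "type", "default_range": "range"}
# range keyword -> (attribute giving the new low, attribute giving the new high)
RANGE_PARTS = {"low": ("low", "low"), "high": ("high", "high"),
               "low_high": ("low", "high")}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: str    # MLS low level, e.g. "s0"
    high: str   # MLS high level / clearance, e.g. "s0:c0.c1023"

    def __str__(self):
        rng = self.low if self.low == self.high else f"{self.low}-{self.high}"
        return f"{self.user}:{self.role}:{self.type}:{rng}"


def parse_context(text):
    """Parse user:role:type:range; a single level means low == high."""
    user, role, type_, rng = text.split(":", 3)
    low, _, high = rng.partition("-")
    return Context(user, role, type_, low, high or low)


def parse_rules(policy):
    """Return {(class, field): ("source"|"target"[, "low"|"high"|"low_high"])}."""
    rules = {}
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in: {line}")
        tok = line[:-1].replace("{", " { ").replace("}", " } ").split()
        field = KEYWORDS[tok[0]]                 # KeyError on an unknown keyword
        if tok[1] == "{":                        # { a b -c } class list
            end = tok.index("}")
            names, rest = tok[2:end], tok[end + 1:]
        else:
            names, rest = [tok[1]], tok[2:]
        classes = {n for n in names if not n.startswith("-")}
        classes -= {n[1:] for n in names if n.startswith("-")}   # negative operator
        if rest[0] not in ("source", "target"):
            raise ValueError(f"expected source|target in: {line}")
        if field == "range":
            if len(rest) != 2 or rest[1] not in RANGE_PARTS:
                raise ValueError(f"expected low|high|low_high in: {line}")
        elif len(rest) != 1:
            raise ValueError(f"unexpected trailing tokens in: {line}")
        for cls in classes:
            rules[(cls, field)] = tuple(rest)
    return rules


def compute_new_context(scon, tcon, tclass, rules):
    """Context of a new object of class tclass created by scon under tcon."""
    def pick(side):
        return scon if side == "source" else tcon
    # Assumed built-in defaults for unnamed object classes (see module docstring).
    user = pick(rules.get((tclass, "user"), ("source",))[0]).user
    role_rule = rules.get((tclass, "role"))
    role = pick(role_rule[0]).role if role_rule else "object_r"
    type_ = pick(rules.get((tclass, "type"), ("target",))[0]).type
    side, part = rules.get((tclass, "range"), ("source", "low"))
    lo_attr, hi_attr = RANGE_PARTS[part]
    chosen = pick(side)
    return Context(user, role, type_, getattr(chosen, lo_attr), getattr(chosen, hi_attr))


# Constructed sample input: the page's rules plus made-up process and object contexts.
POLICY = """
default_user file target;
default_role file target;
default_type file target;
default_range file target low;
default_user { x_selection x_property } source;
default_range { x_selection x_property } source low_high;
"""
PROCESS = parse_context("staff_u:staff_r:staff_t:s0-s0:c0.c1023")
PARENT_DIR = parse_context("system_u:object_r:tmp_t:s0:c1")
X_DRAWABLE = parse_context("system_u:object_r:root_xdrawable_t:s0")


def demo():
    """New-object contexts for a named class, an unnamed class and an X class."""
    rules = parse_rules(POLICY)
    return {cls: str(compute_new_context(PROCESS, tcon, cls, rules))
            for cls, tcon in (("file", PARENT_DIR), ("dir", PARENT_DIR),
                              ("x_property", X_DRAWABLE))}


if __name__ == "__main__":
    for cls, ctx in demo().items():
        print(f"{cls:11} -> {ctx}")
```

Running it shows the effect of the rules side by side: the file (named by every rule) is labelled entirely from its parent directory, the dir (named by none) gets the source user and only the source low level, and the x_property keeps the full source range because of low_high.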

