DefaultRules
From SELinux Wiki
Default Rules
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.
default_user Rule
Allows the default user to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.
The statement definition is:
default_user class default;
Where:
| default_user | The default_user rule keyword. |
| class | One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-). |
| default | A single keyword consisting of either source or target that will state whether the default user should be obtained from the source or target context. |
The statement is valid in: (policy-type table not reproduced on this page)
Example:
# When computing the context for a new file object, the user
# will be obtained from the target context.
default_user file target;
# When computing the context for a new x_selection or x_property
# object, the user will be obtained from the source context.
default_user { x_selection x_property } source;
default_role Rule
Allows the default role to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.
The statement definition is:
default_role class default;
Where:
| default_role | The default_role rule keyword. |
| class | One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-). |
| default | A single keyword consisting of either source or target that will state whether the default role should be obtained from the source or target context. |
The statement is valid in: (policy-type table not reproduced on this page)
Example:
# When computing the context for a new file object, the role
# will be obtained from the target context.
default_role file target;
# When computing the context for a new x_selection or x_property
# object, the role will be obtained from the source context.
default_role { x_selection x_property } source;
default_type Rule
Allows the default type to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 28.
The statement definition is:
default_type class default;
Where:
| default_type | The default_type rule keyword. |
| class | One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-). |
| default | A single keyword consisting of either source or target that will state whether the default type should be obtained from the source or target context. |
The statement is valid in: (policy-type table not reproduced on this page)
Example:
# When computing the context for a new file object, the type
# will be obtained from the target context.
default_type file target;
# When computing the context for a new x_selection or x_property
# object, the type will be obtained from the source context.
default_type { x_selection x_property } source;
default_range Rule
Allows the default range or level to be taken from the source or target context when computing a new context for an object of the defined class. Requires policy version 27.
The statement definition is:
default_range class default entry;
Where:
| default_range | The default_range rule keyword. |
| class | One or more class identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-). |
| default | A single keyword consisting of either source or target that will state whether the default level or range should be obtained from the source or target context. |
| entry | A single keyword consisting of either low, high or low_high that will state which part of the chosen (source or target) context range is used: its low level, its high level, or the full low-high range. |
The statement is valid in: (policy-type table not reproduced on this page)
Example:
# When computing the context for a new file object, the lower
# level will be taken from the target context range.
default_range file target low;
# When computing the context for a new x_selection or x_property
# object, the range will be obtained from the source context.
default_range { x_selection x_property } source low_high;
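The four rules above share one syntax and one evaluation model: each statement names a set of classes (a single identifier or a brace list, with `-` excluding entries), picks the source or target context, and for default_range additionally picks low, high or low_high. The following Python script is an added example, not code from the SELinux project: it parses a constructed policy fragment made of the statements shown on this page, expands the class lists, and then shows which parts of a new object's context the rules would select for a given source and target context. Where a class has no default_* rule for a field, the script returns None for that field; the kernel's built-in fallback for unspecified defaults is not modelled here (that is an assumption of the example, not a statement the page makes), so the output reflects only what the rules themselves decide.

```python
import re

# Constructed sample policy fragment made from the statements on this page,
# plus one brace list that uses the negative operator (-) to exclude a class.
SAMPLE_POLICY = """
# user and role of a new file object come from the target context
default_user file target;
default_role file target;
default_type { x_selection x_property } source;
# lower level of the target range becomes the new file's level
default_range file target low;
# full range of the source context is used for X selections/properties
default_range { x_selection x_property } source low_high;
# every class in the list except x_property takes its user from the source
default_user { x_selection x_property -x_property } source;
"""

# One statement: keyword, class or brace list, source|target, optional entry.
RULE_RE = re.compile(
    r"^(default_user|default_role|default_type|default_range)\s+"
    r"(\{[^}]*\}|\S+)\s+(source|target)(?:\s+(low|high|low_high))?\s*;$"
)


def parse_class_list(text):
    """Expand 'file' or '{ a b -c }' into the set of classes it covers."""
    names = text.strip("{} \t").split()
    included = {n for n in names if not n.startswith("-")}
    excluded = {n[1:] for n in names if n.startswith("-")}
    return included - excluded


def parse_defaults(policy_text):
    """Return {class: {field: (default, entry)}} for field in user/role/type/range."""
    defaults = {}
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised statement: {line}")
        keyword, classes, default, entry = m.groups()
        field = keyword[len("default_"):]
        # the low/high/low_high entry keyword belongs to default_range only
        if (field == "range") != (entry is not None):
            raise ValueError(f"entry keyword only valid for default_range: {line}")
        for cls in parse_class_list(classes):
            defaults.setdefault(cls, {})[field] = (default, entry)
    return defaults


def split_context(ctx):
    """'user:role:type:low-high' -> dict; a single level means low == high."""
    user, role, type_, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return {"user": user, "role": role, "type": type_, "low": low, "high": high or low}


def compute_defaults(defaults, cls, source, target):
    """Apply the default_* rules for cls to a source and target context.

    Fields without a rule stay None: the kernel's built-in fallback for
    unspecified defaults is deliberately not modelled (assumption).
    """
    s, t = split_context(source), split_context(target)
    rules = defaults.get(cls, {})
    out = {"user": None, "role": None, "type": None, "range": None}
    for field in ("user", "role", "type"):
        if field in rules:
            origin = s if rules[field][0] == "source" else t
            out[field] = origin[field]
    if "range" in rules:
        default, entry = rules["range"]
        origin = s if default == "source" else t
        if entry == "low":
            out["range"] = origin["low"]
        elif entry == "high":
            out["range"] = origin["high"]
        elif origin["low"] == origin["high"]:  # low_high on a single level
            out["range"] = origin["low"]
        else:
            out["range"] = f"{origin['low']}-{origin['high']}"
    return out


if __name__ == "__main__":
    defaults = parse_defaults(SAMPLE_POLICY)
    # constructed contexts: a staff process creating a file under /var
    print(compute_defaults(defaults, "file",
                           "staff_u:staff_r:staff_t:s0-s0:c0.c1023",
                           "system_u:object_r:var_t:s0-s15:c0.c1023"))
```

Running the script shows the file object taking `system_u`, `object_r` and level `s0` from the target, with the type left undecided by these rules (in real policy a type_transition or the kernel's fallback would settle it). Note also that the `-x_property` exclusion means x_property receives no default_user rule at all, which is the easy way to verify that negation in a class list behaves as the table describes.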
