Difference between revisions of "ObjectClassStatements"

From SELinux Wiki
Revision as of 12:04, 13 December 2014

Object Class and Permission Statements

For those who write or manage SELinux policy, there is no need to define new object classes and their associated permissions, as these are defined by those who design and/or write the object managers.

A list of object classes used by the Reference Policy can be found in the ./policy/flask/security_classes file.

There are two variants of the class statement for writing policy:

  1. There is the class statement that declares the actual class identifier or name.
  2. There is a further refinement of the class statement that associates permissions to the class as discussed in the Associating Permissions to a Class section.

class

Object classes are declared within a policy as follows:

The statement definition is:

class class_id

Where:

class      The class keyword.
class_id   The class identifier.


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   Yes


Example:

# Define the PostgreSQL db_tuple object class
#
class db_tuple

Associating Permissions to a Class

Permissions can be defined within policy in two ways:

  1. Define a set of common permissions that can then be inherited by one or more object classes using further class statements.
  2. Define class specific permissions. This is where permissions are declared for a specific object class only (i.e. the permission is not inherited by any other object class).

A list of classes and their permissions used by the Reference Policy can be found in the ./policy/flask/access_vectors file.

common

Declare a common identifier and associate one or more common permissions.

The statement definition is:

common common_id { perm_set }

Where:

common      The common keyword.
common_id   The common identifier.
perm_set    One or more permission identifiers in a space separated list enclosed within braces ({}).


The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   No


Example:

# Define the common PostgreSQL permissions
#
common database { create drop getattr setattr relabelfrom relabelto }

class

Inherit and/or associate permissions to a previously declared class identifier.

The statement definition is:

class class_id [ inherits common_set ] [ { perm_set } ]

Where:

class        The class keyword.
class_id     The previously declared class identifier.
inherits     The optional inherits keyword that allows a set of common permissions to be inherited.
common_set   A previously declared common identifier.
perm_set     One or more optional permission identifiers in a space separated list enclosed within braces ({}).


Note:

There must be at least one common_set or one perm_set defined within the statement.

The statement is valid in:

Monolithic Policy   Base Policy          Module Policy
Yes                 Yes                  No

if Statement        optional Statement   require Statement
No                  No                   Yes


Examples:

# The following example shows the db_tuple object class being
# allocated two permissions:

class db_tuple { relabelfrom relabelto }

# The following example shows the db_blob object class
# inheriting permissions from the database set of common
# permissions (as described in the "Associating Permissions
# to a Class" section):

class db_blob inherits database

# The following example (from the access_vectors file) shows the
# db_blob object class inheriting permissions from the database
# set of common permissions and adding a further four permissions:

class db_blob inherits database { read write import export }
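As an added example (not part of this wiki page or of the Reference Policy), the following Python resolves the class, common and inherits statements described above into each class's effective permission set, rejecting an association before the class is declared and a common statement without a perm_set; the policy text it parses is constructed here in the style of the page's examples.

```python
import re

# Constructed sample in the style of the page's examples (not the Reference Policy files).
SAMPLE_POLICY = """
# Declare the PostgreSQL object classes (security_classes style)
class db_tuple
class db_blob

# Define the common PostgreSQL permissions (access_vectors style)
common database { create drop getattr setattr relabelfrom relabelto }

class db_tuple { relabelfrom relabelto }
class db_blob inherits database
{
    read write import export
}
"""

# One statement: keyword, identifier, optional "inherits common_set",
# optional "{ perm_set }".
STMT_RE = re.compile(
    r"\b(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?(?:\s*\{([^}]*)\})?")


def effective_permissions(policy_text):
    """Return {class_id: set of permissions} with inherited common sets resolved."""
    # Drop comments, then join so a brace list may span several lines.
    body = " ".join(line.split("#", 1)[0] for line in policy_text.splitlines())
    commons, classes, pos = {}, {}, 0
    for m in STMT_RE.finditer(body):
        if body[pos:m.start()].strip():
            raise ValueError("unrecognised text: " + body[pos:m.start()].strip())
        pos = m.end()
        keyword, ident, common_set, perm_set = m.groups()
        perms = set(perm_set.split()) if perm_set is not None else None
        if keyword == "common":
            if common_set is not None or not perms:
                raise ValueError(f"common {ident} needs a perm_set and no inherits")
            commons[ident] = perms
        elif common_set is None and perms is None:
            classes.setdefault(ident, set())  # declaration variant of class
        else:
            # association variant: class_id must already be declared
            if ident not in classes:
                raise ValueError(f"class {ident} used before its declaration")
            if common_set is not None:
                classes[ident] |= commons[common_set]  # KeyError if undeclared
            classes[ident] |= perms or set()
    if body[pos:].strip():
        raise ValueError("unrecognised text: " + body[pos:].strip())
    return classes
```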

