http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&limit=500&action=history&feed=atom
RefpolicyBasicRoleCreation - Revision history
2024-03-29T11:44:57Z
Revision history for this page on the wiki
MediaWiki 1.23.13
http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=803&oldid=prev
JoshuaBrindle: /* Roles Similar to Existing Roles */
2009-11-19T16:12:58Z
<p><span dir="auto"><span class="autocomment">Roles Similar to Existing Roles</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:12, 19 November 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 36:</td>
<td colspan="2" class="diff-lineno">Line 36:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Roles Similar to Existing Roles ==</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Roles Similar to Existing Roles ==</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>If the role's user domain should be similar to user_r or staff_r, the userdom_unpriv_user_template() template should be used.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>If the role's user domain should be similar to <ins class="diffchange diffchange-inline">''</ins>user_r<ins class="diffchange diffchange-inline">'' </ins>or <ins class="diffchange diffchange-inline">''</ins>staff_r<ins class="diffchange diffchange-inline">''</ins>, the <ins class="diffchange diffchange-inline">''</ins>userdom_unpriv_user_template()<ins class="diffchange diffchange-inline">'' </ins>template should be used.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  userdom_unpriv_user_template(myrole)</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  userdom_unpriv_user_template(myrole)</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>If the role's user domain should be similar to sysadm_r, the userdom_admin_user_template() template should be used.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>If the role's user domain should be similar to <ins class="diffchange diffchange-inline">''</ins>sysadm_r<ins class="diffchange diffchange-inline">''</ins>, the <ins class="diffchange diffchange-inline">''</ins>userdom_admin_user_template()<ins class="diffchange diffchange-inline">'' </ins>template should be used.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  userdom_admin_user_template(myrole)</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  userdom_admin_user_template(myrole)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
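Review bot: in both rewritten sentences of this hunk ("similar to ''user_r'' or ''staff_r''", "similar to ''sysadm_r''") the new role's user domain is compared to roles rather than to their user domains; since each template yields a role:domain pair (myrole_r:myrole_t), "similar to the ''user_r'' or ''staff_r'' user domain (''user_t'' or ''staff_t'')" and "similar to the ''sysadm_r'' user domain (''sysadm_t'')" would state the comparison precisely. The italic markup itself matches the identifier styling used in the rest of the page.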
</table>
JoshuaBrindle
http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=802&oldid=prev
JoshuaBrindle: /* Roles Similar to Existing Roles */
2009-11-19T16:12:18Z
<p><span dir="auto"><span class="autocomment">Roles Similar to Existing Roles</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:12, 19 November 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 41:</td>
<td colspan="2" class="diff-lineno">Line 41:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  userdom_admin_user_template(myrole)</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  userdom_admin_user_template(myrole)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>These both will create role myrole_r and user domain myrole_t.  Then rules can subsequently be added to myrole_t to customize it.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>These both will create role <ins class="diffchange diffchange-inline">''</ins>myrole_r<ins class="diffchange diffchange-inline">'' </ins>and user domain <ins class="diffchange diffchange-inline">''</ins>myrole_t<ins class="diffchange diffchange-inline">''</ins>.  Then rules can subsequently be added to <ins class="diffchange diffchange-inline">''</ins>myrole_t<ins class="diffchange diffchange-inline">'' </ins>to customize it.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Configuring Userland Programs for the New Role =</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Configuring Userland Programs for the New Role =</div></td></tr>
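Review bot: "These both will create role ''myrole_r'' and user domain ''myrole_t''" reads awkwardly now that the identifiers are marked up; "Both templates create the role ''myrole_r'' and the user domain ''myrole_t''" names the subject and keeps the same meaning. The italic treatment is consistent with the preceding section's edit.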
</table>
JoshuaBrindle
http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=801&oldid=prev
JoshuaBrindle: /* Default Contexts */
2009-11-19T16:11:46Z
<p><span dir="auto"><span class="autocomment">Default Contexts</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:11, 19 November 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 53:</td>
<td colspan="2" class="diff-lineno">Line 53:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Default Contexts ==</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Default Contexts ==</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The default_contexts files configure SELinux-aware programs behavior when selecting a context for a user.  Typically this is used when logging in, but there are a few other uses.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The <ins class="diffchange diffchange-inline">''</ins>default_contexts<ins class="diffchange diffchange-inline">'' </ins>files configure SELinux-aware programs behavior when selecting a context for a user.  Typically this is used when logging in, but there are a few other uses.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Add the new role and user domain to services where login is desired.  For example, the local_login_t is for local logins, whereas xdm_t is for logins via a X display manager, such as GDM or KDM.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Add the new role and user domain to services where login is desired.  For example, the <ins class="diffchange diffchange-inline">''</ins>local_login_t<ins class="diffchange diffchange-inline">'' </ins>is for local logins, whereas <ins class="diffchange diffchange-inline">''</ins>xdm_t<ins class="diffchange diffchange-inline">'' </ins>is for logins via a X display manager, such as GDM or KDM.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  system_r:local_login_t user_r:user_t '''myrole_r:myrole_t''' staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  system_r:local_login_t user_r:user_t '''myrole_r:myrole_t''' staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr>
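Review bot: two grammar fixes belong in the rewritten lines of this region: "SELinux-aware programs behavior" needs the possessive ("SELinux-aware programs' behavior"), and "via a X display manager" should be "via an X display manager". The italic markup on ''default_contexts'', ''local_login_t'' and ''xdm_t'' is fine as applied.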
<tr><td colspan="2" class="diff-lineno">Line 62:</td>
<td colspan="2" class="diff-lineno">Line 62:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  system_r:xdm_t user_r:user_t '''myrole_r:myrole_t''' staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  system_r:xdm_t user_r:user_t '''myrole_r:myrole_t''' staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>For each service, the order matters.  The service will test to see which role:domain combination is valid for the user logging in, and use the first available choice (left to right).  So if the SELinux user is allowed user_r and myrole_r, the default will be user_r:user_t when logging in.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>For each service, the order matters.  The service will test to see which role:domain combination is valid for the user logging in, and use the first available choice (left to right).  So if the SELinux user is allowed <ins class="diffchange diffchange-inline">''</ins>user_r<ins class="diffchange diffchange-inline">'' </ins>and <ins class="diffchange diffchange-inline">''</ins>myrole_r<ins class="diffchange diffchange-inline">''</ins>, the default will be <ins class="diffchange diffchange-inline">''</ins>user_r:user_t<ins class="diffchange diffchange-inline">'' </ins>when logging in.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>You should notice that <del class="diffchange diffchange-inline">'</del>''myrole_r:myrole_t<del class="diffchange diffchange-inline">'</del>'' was not added to the remote_login_t or sshd_t lines. This means that if a user with only myrole_t tries to log in via login apps running as remote_login_t or sshd_t it will fail.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>You should notice that ''myrole_r:myrole_t'' was not added to the <ins class="diffchange diffchange-inline">''</ins>remote_login_t<ins class="diffchange diffchange-inline">'' </ins>or <ins class="diffchange diffchange-inline">''</ins>sshd_t<ins class="diffchange diffchange-inline">'' </ins>lines. This means that if a user with only <ins class="diffchange diffchange-inline">''</ins>myrole_t<ins class="diffchange diffchange-inline">'' </ins>tries to log in via login apps running as <ins class="diffchange diffchange-inline">''</ins>remote_login_t<ins class="diffchange diffchange-inline">'' </ins>or <ins class="diffchange diffchange-inline">''</ins>sshd_t<ins class="diffchange diffchange-inline">'' </ins>it will fail.</div></td></tr>
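Review bot: the ordering sentence in this region ("use the first available choice (left to right)") implies a practical rule worth stating outright: a login that should land in ''myrole_r'' by default needs ''myrole_r:myrole_t'' listed before ''user_r:user_t'' on that service's line, or an SELinux user that is allowed only ''myrole_r''; otherwise the example's outcome (default ''user_r:user_t'') applies. In the last rewritten line a comma is missing before the result clause ("running as ''remote_login_t'' or ''sshd_t'', it will fail"). Switching ''myrole_r:myrole_t'' from bold to italic in that sentence is consistent: bold is reserved for highlighting the added entries in the configuration lines, italics for identifiers in prose.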
</table>
JoshuaBrindle
http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=800&oldid=prev
JoshuaBrindle: /* Default Contexts */
2009-11-19T16:10:12Z
<p><span dir="auto"><span class="autocomment">Default Contexts</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:10, 19 November 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 57:</td>
<td colspan="2" class="diff-lineno">Line 57:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Add the new role and user domain to services where login is desired.  For example, the local_login_t is for local logins, whereas xdm_t is for logins via a X display manager, such as GDM or KDM.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Add the new role and user domain to services where login is desired.  For example, the local_login_t is for local logins, whereas xdm_t is for logins via a X display manager, such as GDM or KDM.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>  system_r:local_login_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>  system_r:local_login_t user_r:user_t <ins class="diffchange diffchange-inline">'''</ins>myrole_r:myrole_t<ins class="diffchange diffchange-inline">''' </ins>staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>  system_r:xdm_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>  system_r:xdm_t user_r:user_t <ins class="diffchange diffchange-inline">'''</ins>myrole_r:myrole_t<ins class="diffchange diffchange-inline">''' </ins>staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>For each service, the order matters.  The service will test to see which role:domain combination is valid for the user logging in, and use the first available choice (left to right).  So if the SELinux user is allowed user_r and myrole_r, the default will be user_r:user_t when logging in.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>For each service, the order matters.  The service will test to see which role:domain combination is valid for the user logging in, and use the first available choice (left to right).  So if the SELinux user is allowed user_r and myrole_r, the default will be user_r:user_t when logging in.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">You should notice that '''myrole_r:myrole_t''' was not added to the remote_login_t or sshd_t lines. This means that if a user with only myrole_t tries to log in via login apps running as remote_login_t or sshd_t it will fail.</ins></div></td></tr>
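Review bot: the added paragraph states that login via ''remote_login_t'' or ''sshd_t'' will fail for a user with only ''myrole_t'' but not what to do about it; since the section opens with "Add the new role and user domain to services where login is desired", say explicitly that the omission is deliberate for the example and that remote or ssh login into the new role requires adding myrole_r:myrole_t to those two lines. The bold markup added to the local_login_t and xdm_t lines correctly marks the new entries. The preceding empty "+" line is harmless but unneeded.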
</table>
JoshuaBrindle
http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=799&oldid=prev
JoshuaBrindle: /* Default Type */
2009-11-19T16:07:35Z
<p><span dir="auto"><span class="autocomment">Default Type</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:07, 19 November 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 50:</td>
<td colspan="2" class="diff-lineno">Line 50:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  unconfined_r:unconfined_t</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  unconfined_r:unconfined_t</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  user_r:user_t</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  user_r:user_t</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>  myrole_r:myrole_t</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>  <ins class="diffchange diffchange-inline">'''</ins>myrole_r:myrole_t<ins class="diffchange diffchange-inline">'''</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Default Contexts ==</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Default Contexts ==</div></td></tr>
</table>
JoshuaBrindle
http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=755&oldid=prev
ChrisPeBenito at 12:11, 22 October 2009
2009-10-22T12:11:49Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 12:11, 22 October 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 41:</td>
<td colspan="2" class="diff-lineno">Line 41:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  userdom_admin_user_template(myrole)</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>  userdom_admin_user_template(myrole)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>These both will create role myrole_r and user domain myrole_t.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>These both will create role myrole_r and user domain myrole_t<ins class="diffchange diffchange-inline">.  Then rules can subsequently be added to myrole_t to customize it</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Configuring Userland Programs for the New Role =</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Configuring Userland Programs for the New Role =</div></td></tr>
</table>
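Review bot: the sentence added at the end of "These both will create role myrole_r and user domain myrole_t" says rules can subsequently be added to myrole_t to customize it, but not where those rules go. The section above already tells the reader the template call belongs in a policy module (with a pointer to GettingStarted), so state that the customizing allow rules or interface calls go in that same module alongside the template call; otherwise a reader may try to place them in a separate module without declaring the type.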
ChrisPeBenito
http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=753&oldid=prev
ChrisPeBenito: New page: = Roles in Reference Policy = Reference policy consists of several user roles for typical system operation. Rules for each role are contained in individual Reference Policy modules, which...
2009-10-21T15:16:02Z
<p><b>New page</b></p><div>= Roles in Reference Policy =<br />
Reference policy consists of several user roles for typical system operation. Rules for each role are contained in individual Reference Policy modules, which allow flexibility in role separation.<br />
<br />
{| border="1"<br />
! Role<br />
! Module<br />
!Description<br />
|-<br />
||user_r||unprivuser||Basic user role. This role can do most things a non-UID-0 Linux user can do.<br />
|-<br />
||staff_r||staff||Administrator's unprivileged user role. This role is basically the same as user_r, but is meant for administrators.<br />
|-<br />
||sysadm_r||sysadm||General system administration role.<br />
|-<br />
||secadm_r||secadm||Security administrator role. Administrates security policy.<br />
|-<br />
||auditadm_r||auditadm||Audit system and audit log administration role. Configures the auditing policy and manages audit logs.<br />
|-<br />
||logadm_r||logadm||Syslog administration role. Configures syslog and manages system logs.<br />
|-<br />
||webadm_r||webadm||Web server administration role. Configures Apache and can optionally manage user web content.<br />
|-<br />
||guest_r||guest||Highly confined user. No X windows support.<br />
|-<br />
||xguest_r||xguest||Highly confined X windows user.<br />
|-<br />
||unconfined_r||unconfined||This role is not confined by SELinux except by memory protections (for example executable memory protections).<br />
|}<br />
<br />
This guide will discuss the creation of new roles when these roles do not meet your needs.<br />
<br />
= Creating the Policy for the New Role =<br />
This section of the guide discusses the creation of the policy for the roles. These statements should be added to a policy module. See GettingStarted for more information on creating policy modules.<br />
<br />
There are several methods for creating roles in Reference Policy. It is best to use Reference Policy templates, as there are several requirements for a user to log in, but they are beyond the scope of this guide.<br />
<br />
== Roles Similar to Existing Roles ==<br />
If the role's user domain should be similar to user_r or staff_r, the userdom_unpriv_user_template() template should be used.<br />
userdom_unpriv_user_template(myrole)<br />
If the role's user domain should be similar to sysadm_r, the userdom_admin_user_template() template should be used.<br />
userdom_admin_user_template(myrole)<br />
<br />
These both will create role myrole_r and user domain myrole_t.<br />
<br />
= Configuring Userland Programs for the New Role =<br />
== Default Type ==<br />
The default_type file configures the behavior of SELinux-aware programs when constructing a context. When a program is provided with only a role, the domain for the new context is selected from this file. Typically this file is only used by the newrole program. Add the new role:domain combination to the end of this file.<br />
sysadm_r:sysadm_t<br />
staff_r:staff_t<br />
unconfined_r:unconfined_t<br />
user_r:user_t<br />
myrole_r:myrole_t<br />
<br />
== Default Contexts ==<br />
The default_contexts files configure the behavior of SELinux-aware programs when selecting a context for a user. Typically this is used when logging in, but there are a few other uses.<br />
<br />
Add the new role and user domain to the services where login is desired. For example, local_login_t is for local logins, whereas xdm_t is for logins via an X display manager, such as GDM or KDM.<br />
<br />
system_r:local_login_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t<br />
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t<br />
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t<br />
system_r:xdm_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t<br />
<br />
For each service, the order matters. The service tests which role:domain combinations are valid for the user logging in and uses the first available choice (left to right). So if the SELinux user is allowed both user_r and myrole_r, the default will be user_r:user_t when logging in.</div>
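The two lookups described in the Default Type and Default Contexts sections are small enough to model directly. The following Python is an added example, not code from the wiki page, from Reference Policy or from libselinux: it parses copies of the default_type and default_contexts contents shown above (embedded inline as constructed sample input), resolves the domain newrole would pick for a bare role, and applies the left-to-right rule for a login service. It models only the ordering rule the page states; libselinux's real get_ordered_context_list() also consults per-user context overrides and MLS levels, which are left out here. The function and file names are this example's own.

```python
"""Simplified model of default_type and default_contexts lookups (added example).

Only the role-ordering rule from the page is implemented: for a given service
context, the first role:domain pair (left to right) whose role the SELinux user
is allowed to enter wins. This is not libselinux's full algorithm.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed copies of the two files as they appear on the page.
DEFAULT_TYPE = """\
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t
myrole_r:myrole_t
"""

DEFAULT_CONTEXTS = """\
system_r:local_login_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:xdm_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
"""


def parse_default_type(text: str) -> Dict[str, str]:
    """Map role -> domain, the lookup newrole makes when handed only a role."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, domain = line.split(":", 1)
        mapping[role] = domain
    return mapping


def parse_default_contexts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map service 'role:domain' -> ordered candidate (role, domain) pairs."""
    table: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        service, candidates = fields[0], fields[1:]
        pairs = []
        for cand in candidates:
            role, domain = cand.split(":", 1)
            pairs.append((role, domain))
        table[service] = pairs
    return table


def domain_for_role(default_type: Dict[str, str], role: str) -> Optional[str]:
    """Domain newrole would choose for `role`, or None if the role is unlisted."""
    return default_type.get(role)


def select_login_context(table: Dict[str, List[Tuple[str, str]]],
                         service: str,
                         allowed_roles: Set[str]) -> Optional[str]:
    """First listed role:domain whose role the user may enter, else None.

    None models the failure case: a role that is not listed for the service
    (e.g. myrole_r for remote_login_t above) never becomes the login default.
    """
    for role, domain in table.get(service, []):
        if role in allowed_roles:
            return f"{role}:{domain}"
    return None


def prefer_role(candidates: List[Tuple[str, str]], role: str) -> List[Tuple[str, str]]:
    """Reorder a service line so `role` comes first; models editing the file."""
    first = [c for c in candidates if c[0] == role]
    rest = [c for c in candidates if c[0] != role]
    return first + rest


if __name__ == "__main__":
    dt = parse_default_type(DEFAULT_TYPE)
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    user_roles = {"user_r", "myrole_r"}
    print("newrole -r myrole_r ->", domain_for_role(dt, "myrole_r"))
    print("local login  ->", select_login_context(table, "system_r:local_login_t", user_roles))
    print("remote login ->", select_login_context(table, "system_r:remote_login_t", {"myrole_r"}))
    table["system_r:local_login_t"] = prefer_role(table["system_r:local_login_t"], "myrole_r")
    print("local login after reordering ->",
          select_login_context(table, "system_r:local_login_t", user_roles))
```

Running it shows the point the section makes: with both user_r and myrole_r allowed, local login defaults to user_r:user_t because user_r is listed first, and only after moving myrole_r ahead on that line does the default become myrole_r:myrole_t. The remote_login_t case returns None because myrole_r was never added to that service's line, which is the practical check to make when a new role cannot log in through a particular service.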
ChrisPeBenito