http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&limit=500&action=history&feed=atom RefpolicyBasicRoleCreation - Revision history 2024-03-29T11:44:57Z Revision history for this page on the wiki MediaWiki 1.23.13 http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=803&oldid=prev JoshuaBrindle: /* Roles Similar to Existing Roles */ 2009-11-19T16:12:58Z <p>‎<span dir="auto"><span class="autocomment">Roles Similar to Existing Roles</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:12, 19 November 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 36:</td> <td colspan="2" class="diff-lineno">Line 36:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Roles Similar to Existing Roles ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Roles Similar to Existing Roles ==</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>If the role's user domain should be similar to user_r or staff_r, the userdom_unpriv_user_template() template should be used.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>If the role's user domain should be similar to <ins class="diffchange diffchange-inline">''</ins>user_r<ins class="diffchange diffchange-inline">'' </ins>or <ins class="diffchange diffchange-inline">''</ins>staff_r<ins class="diffchange diffchange-inline">''</ins>, the <ins class="diffchange diffchange-inline">''</ins>userdom_unpriv_user_template()<ins class="diffchange diffchange-inline">'' </ins>template should be used.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; userdom_unpriv_user_template(myrole)</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; userdom_unpriv_user_template(myrole)</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: 
pre-wrap;"><div>If the role's user domain should be similar to sysadm_r, the userdom_admin_user_template() template should be used.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>If the role's user domain should be similar to <ins class="diffchange diffchange-inline">''</ins>sysadm_r<ins class="diffchange diffchange-inline">''</ins>, the <ins class="diffchange diffchange-inline">''</ins>userdom_admin_user_template()<ins class="diffchange diffchange-inline">'' </ins>template should be used.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; userdom_admin_user_template(myrole)</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; userdom_admin_user_template(myrole)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> </table> JoshuaBrindle http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=802&oldid=prev JoshuaBrindle: /* Roles Similar to Existing Roles */ 
2009-11-19T16:12:18Z <p>‎<span dir="auto"><span class="autocomment">Roles Similar to Existing Roles</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:12, 19 November 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 41:</td> <td colspan="2" class="diff-lineno">Line 41:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; userdom_admin_user_template(myrole)</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; userdom_admin_user_template(myrole)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: 
pre-wrap;"><div>These both will create role myrole_r and user domain myrole_t.&#160; Then rules can subsequently be added to myrole_t to customize it.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>These both will create role <ins class="diffchange diffchange-inline">''</ins>myrole_r<ins class="diffchange diffchange-inline">'' </ins>and user domain <ins class="diffchange diffchange-inline">''</ins>myrole_t<ins class="diffchange diffchange-inline">''</ins>.&#160; Then rules can subsequently be added to <ins class="diffchange diffchange-inline">''</ins>myrole_t<ins class="diffchange diffchange-inline">'' </ins>to customize it.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Configuring Userland Programs for the New Role =</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Configuring Userland Programs for the New Role =</div></td></tr> </table> 
JoshuaBrindle http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=801&oldid=prev JoshuaBrindle: /* Default Contexts */ 2009-11-19T16:11:46Z <p>‎<span dir="auto"><span class="autocomment">Default Contexts</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:11, 19 November 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 53:</td> <td colspan="2" class="diff-lineno">Line 53:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Default Contexts ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Default Contexts ==</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The default_contexts files configure SELinux-aware programs behavior when selecting a context for a user.&#160; Typically this is used when logging in, but there are a few other uses.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The <ins class="diffchange diffchange-inline">''</ins>default_contexts<ins class="diffchange diffchange-inline">'' </ins>files configure SELinux-aware programs behavior when selecting a context for a user.&#160; Typically this is used when logging in, but there are a few other uses.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Add the new role and user domain to services where login is desired.&#160; For example, the local_login_t is for local logins, whereas xdm_t is for logins via a X display manager, such as GDM or KDM.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Add the new role and user 
domain to services where login is desired.&#160; For example, the <ins class="diffchange diffchange-inline">''</ins>local_login_t<ins class="diffchange diffchange-inline">'' </ins>is for local logins, whereas <ins class="diffchange diffchange-inline">''</ins>xdm_t<ins class="diffchange diffchange-inline">'' </ins>is for logins via a X display manager, such as GDM or KDM.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:local_login_t user_r:user_t '''myrole_r:myrole_t''' staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:local_login_t user_r:user_t '''myrole_r:myrole_t''' staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 62:</td> <td colspan="2" class="diff-lineno">Line 62:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; 
border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:xdm_t user_r:user_t '''myrole_r:myrole_t''' staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:xdm_t user_r:user_t '''myrole_r:myrole_t''' staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>For each service, the order matters.&#160; The service will test to see which role:domain combination is valid for the user logging in, and use the first available choice (left to right).&#160; So if the SELinux user is allowed user_r and myrole_r, the default will be user_r:user_t when logging in.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>For each service, the order matters.&#160; The service will test to see which role:domain combination is valid for the user logging in, and 
use the first available choice (left to right).&#160; So if the SELinux user is allowed <ins class="diffchange diffchange-inline">''</ins>user_r<ins class="diffchange diffchange-inline">'' </ins>and <ins class="diffchange diffchange-inline">''</ins>myrole_r<ins class="diffchange diffchange-inline">''</ins>, the default will be <ins class="diffchange diffchange-inline">''</ins>user_r:user_t<ins class="diffchange diffchange-inline">'' </ins>when logging in.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>You should notice that <del class="diffchange diffchange-inline">'</del>''myrole_r:myrole_t<del class="diffchange diffchange-inline">'</del>'' was not added to the remote_login_t or sshd_t lines. 
This means that if a user with only myrole_t tries to log in via login apps running as remote_login_t or sshd_t it will fail.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>You should notice that ''myrole_r:myrole_t'' was not added to the <ins class="diffchange diffchange-inline">''</ins>remote_login_t<ins class="diffchange diffchange-inline">'' </ins>or <ins class="diffchange diffchange-inline">''</ins>sshd_t<ins class="diffchange diffchange-inline">'' </ins>lines. This means that if a user with only <ins class="diffchange diffchange-inline">''</ins>myrole_t<ins class="diffchange diffchange-inline">'' </ins>tries to log in via login apps running as <ins class="diffchange diffchange-inline">''</ins>remote_login_t<ins class="diffchange diffchange-inline">'' </ins>or <ins class="diffchange diffchange-inline">''</ins>sshd_t<ins class="diffchange diffchange-inline">'' </ins>it will fail.</div></td></tr> </table> JoshuaBrindle http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=800&oldid=prev JoshuaBrindle: /* Default Contexts */ 2009-11-19T16:10:12Z <p>‎<span dir="auto"><span class="autocomment">Default Contexts</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:10, 19 November 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 57:</td> <td colspan="2" class="diff-lineno">Line 57:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: 
solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Add the new role and user domain to services where login is desired.&#160; For example, the local_login_t is for local logins, whereas xdm_t is for logins via a X display manager, such as GDM or KDM.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Add the new role and user domain to services where login is desired.&#160; For example, the local_login_t is for local logins, whereas xdm_t is for logins via a X display manager, such as GDM or KDM.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:local_login_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:local_login_t user_r:user_t <ins class="diffchange 
diffchange-inline">'''</ins>myrole_r:myrole_t<ins class="diffchange diffchange-inline">''' </ins>staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:xdm_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td><td class='diff-marker'>+</td><td 
style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160; system_r:xdm_t user_r:user_t <ins class="diffchange diffchange-inline">'''</ins>myrole_r:myrole_t<ins class="diffchange diffchange-inline">''' </ins>staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>For each service, the order matters.&#160; The service will test to see which role:domain combination is valid for the user logging in, and use the first available choice (left to right).&#160; So if the SELinux user is allowed user_r and myrole_r, the default will be user_r:user_t when logging in.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>For each service, the order matters.&#160; The service will test to see which role:domain combination is valid for the user logging in, and use the first available choice (left to right).&#160; So if the SELinux user is allowed user_r and 
myrole_r, the default will be user_r:user_t when logging in.</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">You should notice that '''myrole_r:myrole_t''' was not added to the remote_login_t or sshd_t lines. This means that if a user with only myrole_t tries to log in via login apps running as remote_login_t or sshd_t it will fail.</ins></div></td></tr> </table> JoshuaBrindle http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=799&oldid=prev JoshuaBrindle: /* Default Type */ 2009-11-19T16:07:35Z <p>‎<span dir="auto"><span class="autocomment">Default Type</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:07, 19 November 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 50:</td> <td colspan="2" class="diff-lineno">Line 50:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; 
unconfined_r:unconfined_t</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; unconfined_r:unconfined_t</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; user_r:user_t</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; user_r:user_t</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160; myrole_r:myrole_t</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160; <ins class="diffchange diffchange-inline">'''</ins>myrole_r:myrole_t<ins class="diffchange diffchange-inline">'''</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; 
vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Default Contexts ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Default Contexts ==</div></td></tr> </table> JoshuaBrindle http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=755&oldid=prev ChrisPeBenito at 12:11, 22 October 2009 2009-10-22T12:11:49Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 12:11, 22 October 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 41:</td> <td colspan="2" class="diff-lineno">Line 41:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; userdom_admin_user_template(myrole)</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; userdom_admin_user_template(myrole)</div></td></tr> <tr><td 
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>These both will create role myrole_r and user domain myrole_t.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>These both will create role myrole_r and user domain myrole_t<ins class="diffchange diffchange-inline">.&#160; Then rules can subsequently be added to myrole_t to customize it</ins>.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= 
Configuring Userland Programs for the New Role =</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Configuring Userland Programs for the New Role =</div></td></tr> </table> ChrisPeBenito http://selinuxproject.org/w/?title=RefpolicyBasicRoleCreation&diff=753&oldid=prev ChrisPeBenito: New page: = Roles in Reference Policy = Reference policy consists of several user roles for typical system operation. Rules for each role are contained in individual Reference Policy modules, which... 2009-10-21T15:16:02Z
<p><b>New page</b></p><div>= Roles in Reference Policy =
Reference Policy consists of several user roles for typical system operation. The rules for each role are contained in individual Reference Policy modules, which allows flexibility in role separation.

{| border="1"
! Role
! Module
! Description
|-
| user_r || unprivuser || Basic user role. This role can do most things a non-UID-0 Linux user can do.
|-
| staff_r || staff || Administrator's unprivileged user role. This role is basically the same as user_r, but is meant for administrators.
|-
| sysadm_r || sysadm || General system administration role.
|-
| secadm_r || secadm || Security administrator role. Administers the security policy.
|-
| auditadm_r || auditadm || Audit system and audit log administration role. Configures the auditing policy and manages audit logs.
|-
| logadm_r || logadm || Syslog administration role. Configures syslog and manages system logs.
|-
| webadm_r || webadm || Web server administration role. Configures Apache and can optionally manage user web content.
|-
| guest_r || guest || Highly confined user. No X windows support.
|-
| xguest_r || xguest || Highly confined X windows user.
|-
| unconfined_r || unconfined || This role is not confined by SELinux except by memory protections (for example, executable memory protections).
|}

This guide discusses the creation of new roles for cases where these roles do not meet your needs.

= Creating the Policy for the New Role =
This section of the guide discusses the creation of the policy for a new role. These statements should be added to a policy module. See GettingStarted for more information on creating policy modules.

There are several methods for creating roles in Reference Policy. It is best to use the Reference Policy templates, because a user must satisfy several requirements before it can log in, and those requirements are beyond the scope of this guide.

== Roles Similar to Existing Roles ==
If the role's user domain should be similar to user_r or staff_r, the userdom_unpriv_user_template() template should be used.
 userdom_unpriv_user_template(myrole)
If the role's user domain should be similar to sysadm_r, the userdom_admin_user_template() template should be used.
 userdom_admin_user_template(myrole)

Both of these create the role myrole_r and the user domain myrole_t.

= Configuring Userland Programs for the New Role =
== Default Type ==
The default_type file configures the behavior of SELinux-aware programs when they construct a context. When a program is given only a role, the domain for the new context is selected from this file. Typically this file is used only by the newrole program. Add the new role:domain combination to the end of this file.
 sysadm_r:sysadm_t
 staff_r:staff_t
 unconfined_r:unconfined_t
 user_r:user_t
 myrole_r:myrole_t

== Default Contexts ==
The default_contexts file configures the behavior of SELinux-aware programs when they select a context for a user. Typically this is used when logging in, but there are a few other uses.

Add the new role and user domain to the services where login is desired. For example, local_login_t is for local logins, whereas xdm_t is for logins via an X display manager, such as GDM or KDM.

 system_r:local_login_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
 system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
 system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
 system_r:xdm_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t

For each service, the order matters. The service tests which role:domain combination is valid for the user logging in and uses the first available choice (left to right). So if the SELinux user is allowed both user_r and myrole_r, the default will be user_r:user_t when logging in.</div> ChrisPeBenito
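The left-to-right selection rule described for default_contexts, as an added example (this is not Reference Policy or libselinux code): the four default_contexts lines from the page are embedded as constructed input, and a helper reports which login services never offer a given role, so an administrator can see before deployment that myrole_r is unreachable through remote_login_t and sshd_t as configured above.

```python
"""Simulate how an SELinux-aware login program chooses a default context
from default_contexts: for the service's own context, scan the role:domain
pairs left to right and take the first whose role the SELinux user may
enter.  Added example, not code from the page or from Reference Policy."""

# Constructed sample input: the default_contexts lines shown on the page.
DEFAULT_CONTEXTS = """\
system_r:local_login_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:xdm_t user_r:user_t myrole_r:myrole_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
"""


def parse_default_contexts(text):
    """Map each service role:type to its ordered list of (role, type) candidates."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service, *candidates = line.split()
        table[service] = [tuple(c.split(":", 1)) for c in candidates]
    return table


def select_context(table, service, allowed_roles):
    """Return the first role:type whose role the user is allowed, or None
    when no listed role is allowed (login via that service would fail)."""
    for role, domain in table.get(service, []):
        if role in allowed_roles:
            return f"{role}:{domain}"
    return None


def services_missing_role(table, role):
    """Defender's check: login services whose candidate list never offers `role`."""
    return sorted(service for service, candidates in table.items()
                  if role not in {r for r, _ in candidates})


if __name__ == "__main__":
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    # A user allowed user_r and myrole_r still lands in user_r:user_t at local login.
    print(select_context(table, "system_r:local_login_t", {"user_r", "myrole_r"}))
    print(services_missing_role(table, "myrole_r"))
```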