RoleStatements

From SELinux Wiki

Revision as of 15:31, 29 November 2009 by RichardHaines (Talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to: navigation, search

Role Statement

role Statement

The role statement associates a role identifier to one or more types (i.e. authorise the role to access the domain or domains). Where there are multiple role statements declaring the same role, the compiler will associate the additional types with the role.


The statement definition is:

role role_id;

Or

role role_id types type_id;


Where:

role The role keyword.
role_id The identifier of the role being declared. The same role identifier can be declared more than once in a policy, in which case the type_id entries will be amalgamated by the compiler.
types The optional types keyword.
type_id When used with the types keyword, one or more type or attribute identifiers associated with the role_id. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-).

For role statements, only type or attribute identifiers associated to domains have any meaning within SELinux.


The statement is valid in:

Monolithic Policy
Base Policy
Module Policy
Yes
Yes
Yes
Conditional Policy (if) Statement
optional Statement
require Statement
No
Yes
Yes


Examples:

# Using the role statement to define standard roles in the
# Reference Policy. Note that there are no domains associated 
# with them yet.

role system_r;
role sysadm_r;
role staff_r;
role user_r;
role secadm_r;
role auditadm_r;

# Within the policy the roles are then associated to the 
# required domains with this example showing the user_r role 
# being associated to two domains:

role user_r types user_t;
role user_r types chfn_t;
Personal tools