Declares a role identifier in the current namespace.
Statement definition:
(role role_id)
Where:
Example:
This example declares two roles: object_r in the global namespace and unconfined.role:
(role object_r)
(block unconfined
    (role role)
)
Authorises a role to access a type identifier.
Statement definition:
(role role_id type_id)
Where:
Example:
This example will declare role and type identifiers, then associate them:
(block unconfined
    (role role)
    (type process)
    (roletype role process)
)
Declares a role attribute identifier in the current namespace. The identifier may have zero or more role and roleattribute identifiers associated to it via the roleattributeset statement.
Statement definition:
(roleattribute roleattribute_id)
Where:
Example:
This example will declare a role attribute roles.role_holder that will have an empty set:
(block roles
    (roleattribute role_holder)
)
Allows the association of one or more previously declared role identifiers to a roleattribute identifier. Expressions may be used to refine the associations as shown in the examples.
Statement definition:
(roleattributeset roleattribute_id (role_id ... | expr ...))
Where:
Example:
This example will declare three roles and two role attributes, then associate all the roles to them as shown:
(block roles
    (role role_1)
    (role role_2)
    (role role_3)
    (roleattribute role_holder)
    (roleattributeset role_holder (role_1 role_2 role_3))
    (roleattribute role_holder_all)
    (roleattributeset role_holder_all (all))
)
Authorises the current role to assume a new role.
Notes:
May require a roletransition rule to ensure transition to the new role.
This rule is not allowed in booleanif statements.
Statement definition:
(roleallow current_role_id new_role_id)
Where:
Example:
See the roletransition statement for an example.
Specifies a role transition from the current role to a new role when computing a context for the target type. The class identifier would normally be process; however, for kernel version 2.6.39 and above with policy version >= 25, any valid class may be used. Note that a roleallow rule must be used to authorise the transition.
Statement definition:
(roletransition current_role_id target_type_id class_id new_role_id)
Where:
Example:
This example will authorise the unconfined.role to assume the msg_filter.role role, and then transition to that role:
(block ext_gateway
    (type process)
    (type exec)
    (roletype msg_filter.role process)
    (roleallow unconfined.role msg_filter.role)
    (roletransition unconfined.role exec process msg_filter.role)
)
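Because a roletransition only takes effect when a matching roleallow authorises it, a policy author may want to check a module for transitions that were never authorised. The following Python checker is an added example, not part of the CIL reference or the libsepol/secilc sources: it parses CIL forms, descends into blocks, and reports every roletransition whose (current_role, new_role) pair has no roleallow. The policy text is constructed from the example above plus one deliberately unauthorised transition to an assumed audit.role; identifiers are compared textually, so rules are expected to use fully qualified names as the example does.

```python
import re

# Constructed sample: the ext_gateway example above, plus a transition to
# an assumed audit.role that no roleallow rule authorises.
SAMPLE_CIL = """
(block unconfined
    (role role)
)
(block msg_filter
    (role role)
)
(block ext_gateway
    (type process)
    (type exec)
    (roletype msg_filter.role process)
    (roleallow unconfined.role msg_filter.role)
    (roletransition unconfined.role exec process msg_filter.role)
    (roletransition unconfined.role exec process audit.role)
)
"""

def parse_sexpr(text):
    """Tokenise CIL text into nested lists, one per top-level form."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    return stack[0]

def walk(forms, ns=""):
    """Yield (namespace, statement) for every statement, descending into blocks."""
    for form in forms:
        if not isinstance(form, list) or not form:
            continue
        if form[0] == "block":
            yield from walk(form[2:], f"{ns}.{form[1]}" if ns else form[1])
        else:
            yield ns, form

def unauthorised_transitions(text):
    """Return roletransition statements lacking a roleallow for (current, new)."""
    allowed, transitions = set(), []
    for _ns, form in walk(parse_sexpr(text)):
        if form[0] == "roleallow":
            allowed.add((form[1], form[2]))
        elif form[0] == "roletransition":
            transitions.append(form)
    # form layout: (roletransition current_role target_type class new_role)
    return [t for t in transitions if (t[1], t[4]) not in allowed]
```

Running unauthorised_transitions(SAMPLE_CIL) reports only the audit.role transition; removing that line from the sample yields an empty list.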
Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.
Notes:
It is not possible to bind the parent role to more than one child role.
While this is added to the binary policy, it is not enforced by the SELinux kernel services.
Statement definition:
(rolebounds parent_role_id child_role_id)
Where:
Example:
In this example the role test cannot have greater privileges than unconfined.role:
(role test)
(block unconfined
    (role role)
    (rolebounds role .test)
)