Difference between revisions of "ConditionalStatements"
Latest revision as of 13:43, 13 December 2014
Conditional Policy Statements
Conditional policies consist of a bool statement that defines a condition as true or false, with a supporting if / else construct that specifies what rules are valid under the condition, as shown in the example below:
<pre>
bool allow_daemons_use_tty true;

if (allow_daemons_use_tty) {
    # Rules if condition is true;
} else {
    # Rules if condition is false;
}
</pre>
Table 3 in the Kernel Policy Language section shows what policy statements or rules are valid within the if / else construct under the "Conditional Statements" column.
The bool statement default value can be changed when a policy is active by using the setsebool command as follows:
<pre>
# This command will set the allow_daemons_use_tty bool to false,
# however it will only remain false until the next system
# re-boot where it will then revert back to its default state
# (in the above case, this would be true).
setsebool allow_daemons_use_tty false
</pre>

<pre>
# This command will set the allow_daemons_use_tty bool to false,
# and because the -P option is used (for persistent), the value
# will remain across system re-boots. Note however that all
# other pending bool values will become persistent across
# re-boots as well (see setsebool(8) man page).
setsebool -P allow_daemons_use_tty false
</pre>
The getsebool command can be used to query the current bool statement value as follows:
<pre>
# This command will list all bool values in the active policy:
getsebool -a
</pre>

<pre>
# This command will show the current allow_daemons_use_tty bool
# value in the active policy:
getsebool allow_daemons_use_tty
</pre>
bool
The bool statement is used to specify a boolean identifier and its initial state (true or false) that can then be used with the if statement to form a 'conditional policy' as described in the Conditional Policy section.
The statement definition is:
bool bool_id default_value;
Where:
{| border="1"
| bool
| The bool keyword.
|-
| bool_id
| The boolean identifier.
|-
| default_value
| Either true or false.
|}
The statement is valid in:
{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
|-
| <center>if Statement</center>
| <center>optional Statement</center>
| <center>require Statement</center>
|-
| <center>'''No'''</center>
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
|}
Examples:
<pre>
# Using the bool statement to allow unconfined executables to
# make their memory heap executable or not. As the value is
# false, then by default they cannot make their heap executable.
bool allow_execheap false;
</pre>

<pre>
# Using the bool statement to allow unconfined executables to
# make their stack executable or not. As the value is true,
# then by default their stacks are executable.
bool allow_execstack true;
</pre>
if
The if statement is used to form a 'conditional block' of statements and rules that are enforced depending on whether one or more boolean identifiers (defined by the bool statement) evaluate to TRUE or FALSE. An if / else construct is also supported.
The only statements and rules allowed within the if / else construct are:
allow, auditallow, auditdeny, dontaudit, type_member, type_transition, type_change and require.
The statement definition is:
if (conditional_expression) { true_list } [ else { false_list } ]
Where:
{| border="1"
| if
| The if keyword.
|-
| conditional_expression
| One or more bool_id identifiers that have been previously defined by the bool statement. Multiple identifiers are combined with the binary logical operators &&, ||, ^, == and !=, and a single identifier or sub-expression may be negated with !. The conditional_expression is enclosed in parentheses ().
|-
| true_list
| A list of rules enclosed within braces '{}' that are in force when the conditional_expression is 'true'. Valid statements and rules are highlighted within each language definition statement.
|-
| else
| Optional else keyword.
|-
| false_list
| A list of rules enclosed within braces '{}' that are in force when the optional 'else' keyword is present and the conditional_expression is 'false'. Valid statements and rules are highlighted within each language definition statement.
|}
The statement is valid in:
{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
|-
| <center>if Statement</center>
| <center>optional Statement</center>
| <center>require Statement</center>
|-
| <center>'''No'''</center>
| <center>'''Yes'''</center>
| <center>'''No'''</center>
|}
Examples:
<pre>
# An example showing a boolean and supporting if statement.
bool allow_execmem false;

# The bool allow_execmem is FALSE, therefore the allow rule
# is not in force unless the bool is switched on at run time:
if (allow_execmem) {
    allow sysadm_t self:process execmem;
}
</pre>

<pre>
# An example showing two booleans and a supporting if statement.
bool allow_execmem false;
bool allow_execstack true;

# The bool allow_execmem is FALSE and allow_execstack is TRUE;
# as && requires both to be TRUE, the allow rule is not in force:
if (allow_execmem && allow_execstack) {
    allow sysadm_t self:process execstack;
}
</pre>

<pre>
# An example of an IF - ELSE statement where the bool statement
# is FALSE, therefore the ELSE rules are in force.
#
bool read_untrusted_content false;

if (read_untrusted_content) {
    allow sysadm_t { sysadm_untrusted_content_t
        sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
    .....
} else {
    dontaudit sysadm_t { sysadm_untrusted_content_t
        sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
    ...
}
</pre>
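The following is an added example and not code from the SELinux Notebook or the SELinux project. It ties together the setsebool / getsebool section above and the if / else examples: a small Python evaluator reads the bool declarations and if / else blocks from a policy fragment, applies the run-time values reported by getsebool -a, and returns the rules that are actually in force, plus the list of booleans an administrator has changed away from their policy defaults. The sample policy is assembled from the examples on this page and the getsebool -a output is constructed; the operator precedence table in the code is an assumption (it follows the checkpolicy grammar as I recall it), so parenthesise mixed expressions in real policy rather than relying on it.

```python
import re

# Added example (not SELinux Notebook code): evaluate which conditional
# rules are in force given bool declarations and getsebool -a output.

_DECL = re.compile(r"\bbool\s+(\w+)\s+(true|false)\s*;")
_GETSEBOOL = re.compile(r"^\s*(\w+)\s*-->\s*(on|off)\s*$", re.M)
_TOKEN = re.compile(r"&&|\|\||==|!=|[()^!]|\w+")
_IF = re.compile(r"\bif\s*\(")

# Binding strength of the binary operators, loosest first. ASSUMPTION: this
# follows checkpolicy's grammar as I recall it (|| < ^ < && < ! < == / !=);
# parenthesise mixed expressions in real policy rather than relying on it.
_BIN = {"||": 1, "^": 2, "&&": 3, "==": 5, "!=": 5}
_NOT = 4


def _matching(text, start, open_ch, close_ch):
    """Index of the close_ch that balances the open_ch at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %r at offset %d" % (open_ch, start))


def _eval(tokens, pos, values, min_prec=0):
    """Precedence-climbing evaluation of a conditional_expression."""
    if pos >= len(tokens):
        raise ValueError("unexpected end of conditional expression")
    tok, pos = tokens[pos], pos + 1
    if tok == "(":
        val, pos = _eval(tokens, pos, values)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing ')' in conditional expression")
        pos += 1
    elif tok == "!":
        val, pos = _eval(tokens, pos, values, _NOT)
        val = not val
    elif tok in values:
        val = values[tok]
    else:
        # The policy compiler rejects this too: every bool_id must be declared.
        raise ValueError("undeclared boolean %r" % tok)
    while pos < len(tokens) and _BIN.get(tokens[pos], 0) > min_prec:
        op = tokens[pos]
        rhs, pos = _eval(tokens, pos + 1, values, _BIN[op])
        val = {"&&": val and rhs, "||": val or rhs, "^": val != rhs,
               "==": val == rhs, "!=": val != rhs}[op]
    return val, pos


def evaluate(expr, values):
    """True/False for a conditional_expression under the given bool values."""
    tokens = _TOKEN.findall(expr)
    val, pos = _eval(tokens, 0, values)
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return bool(val)


def bool_values(policy, getsebool_output=""):
    """Defaults from bool statements, overridden by any getsebool -a lines."""
    src = re.sub(r"#[^\n]*", "", policy)
    values = {name: val == "true" for name, val in _DECL.findall(src)}
    for name, state in _GETSEBOOL.findall(getsebool_output):
        if name in values:
            values[name] = state == "on"
    return values


def changed_from_default(policy, getsebool_output):
    """Names of booleans whose run-time state differs from the policy default."""
    defaults, current = bool_values(policy), bool_values(policy, getsebool_output)
    return sorted(n for n in defaults if defaults[n] != current[n])


def active_rules(policy, getsebool_output=""):
    """Rules from every if / else block that are in force under current values."""
    src = re.sub(r"#[^\n]*", "", policy)
    values = bool_values(policy, getsebool_output)
    rules, pos = [], 0
    while True:
        m = _IF.search(src, pos)
        if m is None:
            return rules
        lpar = m.end() - 1
        rpar = _matching(src, lpar, "(", ")")
        cond = evaluate(src[lpar + 1:rpar], values)
        lbrace = src.index("{", rpar)
        rbrace = _matching(src, lbrace, "{", "}")
        chosen, pos = (src[lbrace + 1:rbrace] if cond else ""), rbrace + 1
        else_m = re.match(r"\s*else\s*\{", src[pos:])
        if else_m:
            lb = pos + else_m.end() - 1
            rb = _matching(src, lb, "{", "}")
            if not cond:
                chosen = src[lb + 1:rb]
            pos = rb + 1
        rules.extend(" ".join(r.split()) for r in chosen.split(";") if r.strip())


# Constructed sample policy, assembled from the examples on this page.
SAMPLE_POLICY = """
bool allow_execmem false;
bool allow_execstack true;
bool read_untrusted_content false;

if (allow_execmem) {
    allow sysadm_t self:process execmem;
}
if (allow_execmem && allow_execstack) {   # both must be TRUE
    allow sysadm_t self:process execstack;
}
if (read_untrusted_content) {
    allow sysadm_t { sysadm_untrusted_content_t
        sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
} else {
    dontaudit sysadm_t { sysadm_untrusted_content_t
        sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
}
"""

# Constructed getsebool -a output after "setsebool allow_execmem on".
SAMPLE_GETSEBOOL = """\
allow_execheap --> off
allow_execmem --> on
allow_execstack --> on
read_untrusted_content --> off
"""

if __name__ == "__main__":
    print("changed:", changed_from_default(SAMPLE_POLICY, SAMPLE_GETSEBOOL))
    for rule in active_rules(SAMPLE_POLICY, SAMPLE_GETSEBOOL):
        print("in force:", rule)
```

With the policy defaults only the dontaudit rule from the else branch is in force; once the constructed getsebool output reports allow_execmem as on, both allow rules become active as well, which is exactly the effect a non-persistent setsebool has until the next re-boot. Rules outside any if / else block are unconditional and are deliberately not reported.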