Google Git
Sign in
android / platform / external / selinux / android-cts-6.0_r21 / . / secilc / docs / CIL_Reference_Guide.xml
blob: e089079feba5c3e53bc9511979c370f51c8fbd59 [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[ <!ENTITY policy_config_statements SYSTEM "cil_policy_config_statements.xml">
<!ENTITY container_statements SYSTEM "cil_container_statements.xml">
<!ENTITY call_macro_statements SYSTEM "cil_call_macro_statements.xml">
<!ENTITY default_object_statements SYSTEM "cil_default_object_statements.xml">
<!ENTITY user_statements SYSTEM "cil_user_statements.xml">
<!ENTITY role_statements SYSTEM "cil_role_statements.xml">
<!ENTITY type_statements SYSTEM "cil_type_statements.xml">
<!ENTITY class_and_permission_statements SYSTEM "cil_class_and_permission_statements.xml">
<!ENTITY access_vector_rules SYSTEM "cil_access_vector_rules.xml">
<!ENTITY conditional_statements SYSTEM "cil_conditional_statements.xml">
<!ENTITY constraint_statements SYSTEM "cil_constraint_statements.xml">
<!ENTITY mls_labeling_statements SYSTEM "cil_mls_labeling_statements.xml">
<!ENTITY context_statement SYSTEM "cil_context_statement.xml">
<!ENTITY sid_statements SYSTEM "cil_sid_statements.xml">
<!ENTITY file_labeling_statements SYSTEM "cil_file_labeling_statements.xml">
<!ENTITY network_labeling_statements SYSTEM "cil_network_labeling_statements.xml">
<!ENTITY xen_statements SYSTEM "cil_xen_statements.xml">
<!-- This is to load in the latest example policy.cil file -->
<!ENTITY policy_cil SYSTEM "../test/policy.cil">
]>
<article lang="en_GB">
<articleinfo>
<title>Common Interface Language (CIL) Reference Guide</title>
</articleinfo>
<sect1>
<title>CIL Information</title>
<orderedlist>
<listitem><para>Not all possible alternate statement permutations are shown, however there should be enough variation to work out any other valid formats. There is also an example <filename>policy.cil</filename> file shown in the <link linkend="example_policy">Appendix</link>.</para></listitem>
<listitem><para>The MLS components on contexts and user statements must be declared even if the policy does not support MCS/MLS. </para></listitem>
<listitem><para>The CIL compiler will not build a policy unless it also has as a minimum: one <literal><link linkend="allow">allow</link></literal> rule, one <literal><link linkend="sid">sid</link></literal>, <literal><link linkend="sidorder">sidorder</link></literal> and <literal><link linkend="sidcontext">sidcontext</link></literal> statement. </para></listitem>
<listitem><para>The role <literal>object_r</literal> must be explicitly associated to contexts used for labeling objects. The original <emphasis role="bold"><literal>checkpolicy</literal></emphasis><literal>(8)</literal> and <emphasis role="bold"><literal>checkmodule</literal></emphasis><literal>(8)</literal> compilers did this by default - CIL does not.</para></listitem>
<listitem><para>Be aware that CIL allows <literal><link linkend="class">class</link></literal> statements to be declared in a namespace, however the policy author needs to note that applications (and the kernel) generally reference a class by its well known class identifier (e.g. <literal>zygote</literal>) however if declared in a namespace (e.g. <literal>(block zygote (class zygote (...)))</literal> or <literal>(block zygote (class class (...)))</literal>) it would be prefixed with that namespace (e.g. <literal>zygote.zygote</literal> or <literal>zygote.class</literal>). Unless the application / kernel code was updated the class would never be resolved, therefore it is recommended that classes are declared in the global namespace.</para></listitem>
<listitem><para>Where possible use <literal><link linkend="typeattribute">typeattribute</link></literal>'s when defining source/target <literal><link linkend="allow">allow</link></literal> rules instead of multiple <literal>allow</literal> rules with individual <literal><link linkend="type">type</link></literal>'s. This will lead to the generation of much smaller kernel policy files.</para></listitem>
<listitem><para>The <ulink url="http://github.com/SELinuxProject/cil/wiki"></ulink> site explains the language however some of the statement definitions are dated.</para></listitem>
</orderedlist>
<sect2>
<title>Declarations</title>
<para>Declarations may be named or anonymous and have three different forms:</para>
<orderedlist>
<listitem><para>Named declarations - These create new objects that introduce a name or identifier, for example:</para>
<para><literal>(type process)</literal> - creates a <literal>type</literal> with an identifier of <literal>process</literal>.</para>
<para><literal>(typeattribute domain)</literal> - creates a <literal>typeattribute</literal> with an identifier of <literal>domain</literal>.</para>
<para><literal>(class file (read write))</literal> - creates a <literal>class</literal> with an identifier of <literal>file</literal> that has <literal>read</literal> and <literal>write</literal> permissions associated to it.</para>
<para>The list of declaration type statement keywords are:</para>
<simplelist type="inline">
<member><literal><link linkend="block">block</link></literal></member>
<member><literal><link linkend="optional">optional</link></literal></member>
<member><literal><link linkend="common">common</link></literal></member>
<member><literal><link linkend="class">class</link></literal></member>
<member><literal><link linkend="classmap">classmap</link></literal></member>
<member><literal><link linkend="classmapping">classmapping</link></literal></member>
<member><literal><link linkend="sid">sid</link></literal></member>
<member><literal><link linkend="user">user</link></literal></member>
<member><literal><link linkend="role">role</link></literal></member>
<member><literal><link linkend="roleattribute">roleattribute</link></literal></member>
<member><literal><link linkend="type">type</link></literal></member>
<member><literal><link linkend="classpermission">classpermission</link></literal></member>
<member><literal><link linkend="classpermissionset">classpermissionset</link></literal></member>
<member><literal><link linkend="typeattribute">typeattribute</link></literal></member>
<member><literal><link linkend="typealias">typealias</link></literal></member>
<member><literal><link linkend="tunable">tunable</link></literal></member>
<member><literal><link linkend="sensitivity">sensitivity</link></literal></member>
<member><literal><link linkend="sensitivityalias">sensitivityalias</link></literal></member>
<member><literal><link linkend="category">category</link></literal></member>
<member><literal><link linkend="categoryalias">categoryalias</link></literal></member>
<member><literal><link linkend="categoryset">categoryset</link></literal></member>
<member><literal><link linkend="level">level</link></literal></member>
<member><literal><link linkend="levelrange">levelrange</link></literal></member>
<member><literal><link linkend="context">context</link></literal></member>
<member><literal><link linkend="ipaddr">ipaddr</link></literal></member>
<member><literal><link linkend="macro">macro</link></literal></member>
<member><literal><link linkend="policycap">policycap</link></literal></member>
</simplelist>
</listitem>
<listitem><para>Explicit anonymous declarations - These are currently restricted to IP addesses where they can be declared directly in statements by enclosing them within parentheses e.g. <literal>(127.0.0.1)</literal> or <literal>(::1)</literal>. See the <link linkend="network_labeling">Network Labeling Statements</link> section for examples.</para></listitem>
<listitem><para>Anonymous declarations - These have been previously declared and the object already exists, therefore they may be referenced by their name or identifier within statements. For example the following declare all the components required to specify a context:</para>
<programlisting><![CDATA[
(sensitivity s0)
(category c0)
(role object_r)
(block unconfined
(user user)
(type object)
)]]>
</programlisting>
<simpara>now a <literal><link linkend="portcon">portcon</link></literal> statement can be defined that uses these individual components to build a context as follows:</simpara>
<programlisting><![CDATA[(portcon udp 12345 (unconfined.user object_r unconfined.object ((s0) (s0(c0)))))]]></programlisting>
</listitem>
</orderedlist>
</sect2>
<sect2>
<title>Definitions</title>
<para>Statements that build on the objects, for example:</para>
<itemizedlist mark="none">
<listitem><para><literal>(typeattributeset domain (process))</literal> - Adds the <literal>type</literal> '<literal>process</literal>' to the <literal>typeattribute</literal> '<literal>domain</literal>'.</para></listitem>
<listitem><para><literal>(allow domain process (file (read write))))</literal> - Adds an <literal>allow</literal> rule referencing <literal>domain</literal>, <literal>process</literal> and the <literal>file class</literal>.</para></listitem>
</itemizedlist>
<para>Definitions may be repeated many times throughout the policy. Duplicates will resolve to a single definition during compilation.</para>
</sect2>
<sect2>
<title>Symbol Character Set</title>
<para>Symbols (any string not enclosed in double quotes) must only contain alphanumeric <literal>[a-z A-Z] [0-9]</literal> characters plus the following special characters: <literal>\.@=/-_$%@+!|&amp;^:</literal></para>
<para>However symbols are checked for any specific character set limitations, for example:</para>
<itemizedlist>
<listitem><para>Names or identifiers must start with an alpa character <literal>[a-z A-Z]</literal>, the remainder may be alphanumeric <literal>[a-z A-Z] [0-9]</literal> characters plus underscore <literal>[_]</literal> or hyphen <literal>[-]</literal>.</para></listitem>
<listitem><para>IP addresses must conform to IPv4 or IPv6 format.</para></listitem>
<listitem><para>Memory, ports, irqs must be numeric <literal>[0-9]</literal>.</para></listitem>
</itemizedlist>
</sect2>
<sect2>
<title>String Character Set</title>
<para>Strings are enclosed within double quotes (e.g. <literal>"This is a string"</literal>), and may contain any character except the double quote (").</para>
</sect2>
<sect2>
<title>Comments</title>
<para>Comments start with a semicolon '<literal>;</literal>' and end when a new line is started.</para>
</sect2>
<sect2>
<title>Namespaces</title>
<para>CIL supports namespaces via containers such as the <literal>block</literal> statement. When a block is resolved to form the parent / child relationship a dot '<literal>.</literal>' is used, for example the following <literal>allow</literal> rule:</para>
<programlisting><![CDATA[
(block example_ns
(type process)
(type object)
(class file (open read write getattr))
(allow process object (file (open read getattr)))
)]]>
</programlisting>
<para>will resolve to the following kernel policy language statement:</para>
<programlisting><![CDATA[allow example_ns.process example_ns.object : example_ns.file { open read getattr };]]></programlisting>
</sect2>
<sect2>
<title>Global Namespace</title>
<para>CIL has a global namespace that is always present. Any symbol that is declared outside a container is in the global namespace. To reference a symbol in global namespace, the symbol should be prefixed with a dot '<literal>.</literal>' as shown in the following example:</para>
<programlisting><![CDATA[
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This example has three namespace 'tmpfs' types declared:
; 1) Global .tmpfs
; 2) file.tmpfs
; 3) other_ns.tmpfs
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This type is the global tmpfs:
(type tmpfs)
(block file
; file namespace tmpfs
(type tmpfs)
(class file (open read write getattr))
; This rule will reference the local namespace for src and tgt:
(allow tmpfs tmpfs (file (open)))
; Resulting policy rule:
; allow file.tmpfs file.tmpfs : file.file open;
; This rule will reference the local namespace for src and global for tgt:
(allow tmpfs .tmpfs (file (read)))
; Resulting policy rule:
; allow file.tmpfs tmpfs : file.file read;
; This rule will reference the global namespace for src and tgt:
(allow .tmpfs .tmpfs (file (write)))
; Resulting policy rule:
; allow tmpfs tmpfs : file.file write;
; This rule will reference the other_ns namespace for src and
; local namespace for tgt:
(allow other_ns.tmpfs tmpfs (file (getattr)))
; Resulting policy rule:
; allow other_ns.tmpfs file.tmpfs : file.file getattr;
)
(block other_ns
(type tmpfs)
)]]>
</programlisting>
<para>Should the symbol not be prefixed with a dot, the current namespace would be searched first and then the global namespace (provided there is not a symbol of that name in the current namespace).</para>
</sect2>
<sect2>
<title>Expressions</title>
<para>Expressions may occur in the following CIL statements:
<simplelist type="inline">
<member><literal><link linkend="booleanif">booleanif</link></literal></member>
<member><literal><link linkend="tunableif">tunableif</link></literal></member>
<member><literal><link linkend="classpermissionset">classpermissionset</link></literal></member>
<member><literal><link linkend="typeattributeset">typeattributeset</link></literal></member>
<member><literal><link linkend="roleattributeset">roleattributeset</link></literal></member>
<member><literal><link linkend="categoryset">categoryset</link></literal></member>
<member><literal><link linkend="constrain">constrain</link></literal></member>
<member><literal><link linkend="mlsconstrain">mlsconstrain</link></literal></member>
<member><literal><link linkend="validatetrans">validatetrans</link></literal></member>
<member><literal><link linkend="validatetrans">validatetrans</link></literal></member>
</simplelist></para>
<para>CIL expressions use the <ulink url="http://www.cs.man.ac.uk/~pjj/cs212/fix.html">prefix</ulink> or Polish notation and may be nested (note that the kernel policy language uses postfix or reverse Polish notation). The syntax is as follows, where the parenthesis are part of the syntax:</para>
<programlisting><![CDATA[
expr_set = (name ... | expr ...)
expr = (expr_key expr_set ...)
expr_key = and | or | xor | not | all | eq | neq | dom | domby | incomp | range]]>
</programlisting>
<para>The number of <literal>expr_set</literal>'s in an <literal>expr</literal> is dependent on the statement type (there are four different classes as defined below) that also influence the valid <literal>expr_key</literal> entries (e.g. <literal>dom</literal>, <literal>domby</literal>, <literal>incomp</literal> are only allowed in constraint statements).</para>
<informaltable frame="all">
<tgroup cols="5"><tbody>
<row>
<entry valign="bottom"><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para/>
<para/>
<para/>
<para><emphasis role="bold">expr_key</emphasis></para>
</entry>
<entry valign="top" align="center"><?dbhtml bgcolor="lightgreen" ?><?dbfo bgcolor="lightgreen" ?><?dblatex bgcolor="green" ?>
<para><emphasis role="bold">classpermissionset</emphasis></para>
<para><emphasis role="bold">roleattributeset</emphasis></para>
<para><emphasis role="bold">typeattributeset</emphasis></para>
</entry>
<entry valign="top" align="center"><?dbhtml bgcolor="lightgreen" ?><?dbfo bgcolor="lightgreen" ?><?dblatex bgcolor="green" ?>
<para><emphasis role="bold">categoryset</emphasis></para>
</entry>
<entry valign="top" align="center"><?dbhtml bgcolor="lightgreen" ?><?dbfo bgcolor="lightgreen" ?><?dblatex bgcolor="green" ?>
<para><emphasis role="bold">booleanif</emphasis></para>
<para><emphasis role="bold">tunableif</emphasis></para>
</entry>
<entry valign="top" align="center"><?dbhtml bgcolor="lightgreen" ?><?dbfo bgcolor="lightgreen" ?><?dblatex bgcolor="green" ?>
<para><emphasis role="bold">constrain</emphasis></para>
<para><emphasis role="bold">mlsconstrain</emphasis></para>
<para><emphasis role="bold">validatetrans</emphasis></para>
<para><emphasis role="bold">mlsvalidatetrans</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>dom</literal></emphasis></para>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>domby</literal></emphasis></para>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>incomp</literal></emphasis></para>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>eq</literal></emphasis></para>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>ne</literal></emphasis></para>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>and</literal></emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>or</literal></emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>not</literal></emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>xor</literal></emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry>
<para/>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>all</literal></emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
</row>
<row>
<entry><?dbhtml bgcolor="orange" ?><?dbfo bgcolor="orange" ?><?dblatex bgcolor="orange" ?>
<para><emphasis role="bold"><literal>range</literal></emphasis></para>
</entry>
<entry>
<para/>
</entry>
<entry align="center"><?dbhtml bgcolor="lightgray" ?><?dbfo bgcolor="lightgray" ?><?dblatex bgcolor="lightgray" ?>
<para><emphasis role="bold">X</emphasis></para>
</entry>
<entry>
<para/>
</entry>
<entry>
<para/>
</entry>
</row>
</tbody></tgroup>
</informaltable>
<orderedlist>
<listitem>
<para>The <literal><link linkend="classpermissionset">classpermissionset</link></literal>,
<literal><link linkend="roleattributeset">roleattributeset</link></literal> and <literal><link linkend="typeattributeset">typeattributeset</link></literal> statements allow <literal>expr_set</literal> to mix names and <literal>expr</literal>s with <literal>expr_key</literal> values of: <literal>and</literal>, <literal>or</literal>, <literal>xor</literal>, <literal>not</literal>, <literal>all</literal> as shown in the examples:</para>
<para>This example includes all <literal>fs_type type</literal> entries except <literal>file.usermodehelper</literal> and <literal>file.proc_security</literal> in the associated <literal>typeattribute</literal> identifier <literal>all_fs_type_except_usermodehelper_and_proc_security</literal>:</para>
<programlisting><![CDATA[
(typeattribute all_fs_type_except_usermodehelper_and_proc_security)
(typeattributeset all_fs_type_except_usermodehelper_and_proc_security
(and
(and
fs_type
(not file.usermodehelper)
)
(not file.proc_security)
)
)]]>
</programlisting>
<para>The <literal>cps_1 classpermissionset</literal> identifier includes all permissions except <literal>load_policy</literal> and <literal>setenforce</literal>:</para>
<programlisting><![CDATA[
(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy))
(classpermission cps_1)
(classpermissionset cps_1 (security (not (load_policy setenforce))))]]>
</programlisting>
<para>This example includes all permissions in the associated <literal>classpermissionset</literal> identifer <literal>security_all_perms</literal>:</para>
<programlisting><![CDATA[
(class security (compute_av compute_create compute_member check_context load_policy
compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot
read_policy)
)
(classpermission security_all_perms)
(classpermissionset security_all_perms (security (all)))]]>
</programlisting>
</listitem>
<listitem>
<para>The <literal><link linkend="categoryset">categoryset</link></literal> statement allows <literal>expr_set</literal> to mix names and <literal>expr_key</literal> values of: <literal>and</literal>, <literal>or</literal>, <literal>not</literal>, <literal>xor</literal>, <literal>all</literal>, <literal>range</literal> as shown in the examples.</para>
<para>Category expressions are also allowed in <literal><link linkend="sensitivitycategory">sensitivitycategory</link></literal>, <literal><link linkend="level">level</link></literal>, and <literal><link linkend="levelrange">levelrange</link></literal> statements.</para>
</listitem>
<listitem>
<para>The <literal><link linkend="booleanif">booleanif</link></literal> and <literal><link linkend="tunableif">tunableif</link></literal> statements only allow an <literal>expr_set</literal> to have one <literal>name</literal> or <literal>expr</literal> with <literal>expr_key</literal> values of <literal>and</literal>, <literal>or</literal>, <literal>xor</literal>, <literal>not</literal>, <literal>eq</literal>, <literal>neq</literal> as shown in the examples:</para>
<programlisting><![CDATA[
(booleanif disableAudio
(false
(allow process device.audio_device (chr_file_set (rw_file_perms)))
)
)]]>
</programlisting>
<programlisting><![CDATA[
(booleanif (and (not disableAudio) (not disableAudioCapture))
(true
(allow process device.audio_capture_device (chr_file_set (rw_file_perms)))
)
)]]>
</programlisting>
</listitem>
<listitem>
<para>The <literal><link linkend="constrain">constrain</link></literal>, <literal><link linkend="mlsconstrain">mlsconstrain</link></literal>, <literal><link linkend="validatetrans">validatetrans</link></literal> and <literal><link linkend="mlsvalidatetrans">mlsvalidatetrans</link></literal> statements only allow an <literal>expr_set</literal> to have one <literal>name</literal> or <literal>expr</literal> with <literal>expr_key</literal> values of <literal>and</literal>, <literal>or</literal>, <literal>not</literal>, <literal>all</literal>, <literal>eq</literal>, <literal>neq</literal>, <literal>dom</literal>, <literal>domby</literal>, <literal>incomp</literal>. When <literal>expr_key</literal> is <literal>dom</literal>, <literal>domby</literal> or <literal>incomp</literal>, it must be followed by a string (e.g. <literal>h1</literal>, <literal>l2</literal>) and another string or a set of <literal>name</literal>s. The following examples show CIL constraint statements and their policy language equivalents:</para>
<programlisting><![CDATA[
; Process transition: Require equivalence unless the subject is trusted.
(mlsconstrain (process (transition dyntransition))
(or (and (eq h1 h2) (eq l1 l2)) (eq t1 mlstrustedsubject)))
; The equivalent policy language mlsconstrain statememt is:
;mlsconstrain process { transition dyntransition }
; ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);]]>
</programlisting>
<programlisting><![CDATA[
; Process read operations: No read up unless trusted.
(mlsconstrain (process (getsched getsession getpgid getcap getattr ptrace share))
(or (dom l1 l2) (eq t1 mlstrustedsubject)))
; The equivalent policy language mlsconstrain statememt is:
;mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
; (l1 dom l2 or t1 == mlstrustedsubject);]]>
</programlisting>
</listitem>
</orderedlist>
</sect2>
<sect2 id="name">
<title>Name String</title>
<para>Used to define <literal><link linkend="macro">macro</link></literal> statement parameter string types:</para>
<programlisting><![CDATA[
(call macro1("__kmsg__"))
(macro macro1 ((string ARG1))
(typetransition audit.process device.device chr_file ARG1 device.klog_device)
)]]>
</programlisting>
<para>Alternatively:</para>
<programlisting><![CDATA[
(call macro1("__kmsg__"))
(macro macro1 ((name ARG1))
(typetransition audit.process device.device chr_file ARG1 device.klog_device)
)]]>
</programlisting>
</sect2>
<sect2>
<title>self</title>
<para>The <literal>self</literal> keyword may be used as the target in AVC rule statements, and means that the target is the same as the source as shown in the following example:.</para>
<programlisting><![CDATA[(allow unconfined.process self (file (read write)))]]></programlisting>
</sect2>
</sect1>
&policy_config_statements;
&container_statements;
&call_macro_statements;
&default_object_statements;
&user_statements;
&role_statements;
&type_statements;
&class_and_permission_statements;
&access_vector_rules;
&conditional_statements;
&constraint_statements;
&mls_labeling_statements;
&context_statement;
&sid_statements;
&file_labeling_statements;
&network_labeling_statements;
&xen_statements;
<!-- This section will copy in the latest example ../test/policy.cil file -->
<appendix id="example_policy">
<title>Example CIL Policy</title>
<para>This is the example <filename>policy.cil</filename> file taken from the CIL compiler source code.</para>
<programlisting>&policy_cil;
</programlisting>
<para/>
</appendix>
</article>