# Conditional Policy Statements

Conditional policies consist of a `bool` statement that defines a condition as true or false, with a supporting `if` / `else` construct that specifies what rules are valid under the condition, as shown in the example below:

```
bool allow_daemons_use_tty true;

if (allow_daemons_use_tty) {
    # Rules if condition is true;
} else {
    # Rules if condition is false;
}
```

Table 3 in the 'Kernel Policy Language' section shows what policy statements or rules are valid within the if / else construct under the "Conditional Statements" column.

The `bool` statement default value can be changed while a policy is active by using the setsebool(8) command as follows:

```sh
# This command will set the allow_daemons_use_tty bool to false,
# however it will only remain false until the next system
# re-boot where it will then revert back to its default state
# (in the above case, this would be true).
setsebool allow_daemons_use_tty false

# This command will set the allow_daemons_use_tty bool to false,
# and because the -P option is used (for persistent), the value
# will remain across system re-boots. Note however that all
# other pending bool values will become persistent across
# re-boots as well (see setsebool(8) man page).
setsebool -P allow_daemons_use_tty false
```

The getsebool(8) command can be used to query the current `bool` statement value as follows:

```sh
# This command will list all bool values in the active policy:
getsebool -a

# This command will show the current allow_daemons_use_tty bool
# value in the active policy:
getsebool allow_daemons_use_tty
```

## bool

The bool statement is used to specify a boolean identifier and its initial state (true or false) that can then be used with the if statement to form a 'conditional policy' as described in the Types of SELinux Policy section.

The statement definition is:

```
bool bool_id default_value;
```

Where:

| Keyword / Field | Description |
| --- | --- |
| `bool` | The `bool` keyword. |
| `bool_id` | The boolean identifier. |
| `default_value` | Either `true` or `false`. |

The statement is valid in:

Policy Type:

| Monolithic Policy | Base Policy | Module Policy |
| --- | --- | --- |
| Yes | Yes | Yes |

Conditional Policy Statements:

| if Statement | optional Statement | require Statement |
| --- | --- | --- |
| No | Yes | Yes |

Examples:

```
# Using the bool statement to allow unconfined executables to
# make their memory heap executable or not. As the value is
# false, then by default they cannot make their heap executable.
bool allow_execheap false;

# Using the bool statement to allow unconfined executables to
# make their stack executable or not. As the value is true,
# then by default their stacks are executable.
bool allow_execstack true;
```

## if

The `if` statement is used to form a 'conditional block' of statements and rules that are enforced depending on whether one or more boolean identifiers evaluate to TRUE or FALSE. An `if` / `else` construct is also supported.

The only statements and rules allowed within the `if` / `else` construct are:

`allow`, `auditallow`, `auditdeny`, `dontaudit`, `type_member`, `type_transition` (except `file_name_transition`), `type_change` and `require`.

The statement definition is:

```
if (conditional_expression) { true_list } [ else { false_list } ]
```

Where:

| Keyword / Field | Description |
| --- | --- |
| `if` | The `if` keyword. |
| `conditional_expression` | One or more `bool_id` identifiers that have been previously defined by the `bool` statement. Multiple identifiers must be combined using the following logical operators: `&&`, `||`, `^`, `!`, `==`, `!=`. The `conditional_expression` is enclosed in parentheses `()`. |
| `true_list` | A list of rules enclosed within braces `{}` that will be enforced when the `conditional_expression` is true. Valid statements and rules are highlighted within each language definition statement. |
| `else` | Optional `else` keyword. |
| `false_list` | A list of rules enclosed within braces `{}` that will be enforced when the optional `else` keyword is present and the `conditional_expression` is false. Valid statements and rules are highlighted within each language definition statement. |

The statement is valid in:

Policy Type:

| Monolithic Policy | Base Policy | Module Policy |
| --- | --- | --- |
| Yes | Yes | Yes |

Conditional Policy Statements:

| if Statement | optional Statement | require Statement |
| --- | --- | --- |
| No | Yes | No |

Examples:

```
# An example showing a boolean and supporting if statement.
bool allow_execmem false;

# The bool allow_execmem is FALSE therefore the allow statement is not executed:
if (allow_execmem) {
    allow sysadm_t self:process execmem;
}

# An example showing two booleans and a supporting if statement.
bool allow_execmem false;
bool allow_execstack true;

# The bool allow_execmem is FALSE and allow_execstack is TRUE
# therefore the allow statement is not executed:
if (allow_execmem && allow_execstack) {
    allow sysadm_t self:process execstack;
}

# An example of an IF - ELSE statement where the bool statement
# is FALSE, therefore the ELSE statements will be executed.
bool read_untrusted_content false;

if (read_untrusted_content) {
    allow sysadm_t { sysadm_untrusted_content_t sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
    .....
} else {
    dontaudit sysadm_t { sysadm_untrusted_content_t sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl };
    ...
}
```
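To make the `if` evaluation concrete, here is an added example that is not part of the SELinux Notebook or of any SELinux tool: a small Python evaluator for a `conditional_expression` (the operators `&&`, `||`, `^`, `!`, `==`, `!=` over declared `bool` statements) and a function that reports which rules of each `if` / `else` block are in force, with a dict of overrides standing in for `setsebool` changing a value after the policy is loaded. The operator binding order it uses (`||`, then `^`, then `&&`, then `!`, then `==` / `!=`) is an assumption about checkpolicy's grammar rather than something the Notebook states, and `SAMPLE` is a constructed policy fragment, not a real module.

```python
import operator, re

TOKEN = re.compile(r"\|\||&&|==|!=|[!^()]|[A-Za-z_]\w*")  # the page's operators + bool_id
PREC = {"||": 1, "^": 2, "&&": 3, "==": 5, "!=": 5}  # loosest first; '!' is level 4 (assumed)
OPS = {"||": operator.or_, "^": operator.xor, "&&": operator.and_, "==": operator.eq, "!=": operator.ne}
BODY = r"\{((?:[^{}]|\{[^{}]*\})*)\}"  # { list } allowing one nested { set } inside a rule
BOOL_RE = re.compile(r"^\s*bool\s+(\w+)\s+(true|false)\s*;", re.M)
IF_RE = re.compile(r"\bif\s*\((.*?)\)\s*" + BODY + r"(?:\s*else\s*" + BODY + r")?", re.S)

def evaluate(expr, bools):
    """Precedence-climbing evaluation of a conditional_expression over bool values."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):
        raise ValueError(f"illegal characters in {expr!r}")
    def parse(min_prec):
        tok = toks.pop(0) if toks else None
        if tok == "!":
            lhs = not parse(5)  # binds tighter than &&, looser than == / !=
        elif tok == "(":
            lhs = parse(1)
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
        else:
            lhs = bools[tok]  # KeyError: identifier has no preceding bool statement
        while toks and PREC.get(toks[0], 0) >= min_prec:
            op = toks.pop(0)
            lhs = OPS[op](lhs, parse(PREC[op] + 1))
        return lhs
    result = parse(1)
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result

def active_rules(policy, overrides=None):
    """Rules in force: true_list when the if holds, else false_list; overrides mimics setsebool."""
    bools = {m.group(1): m.group(2) == "true" for m in BOOL_RE.finditer(policy)}
    bools.update(overrides or {})
    rules = []
    for m in IF_RE.finditer(policy):
        branch = m.group(2) if evaluate(m.group(1), bools) else (m.group(3) or "")
        rules += [" ".join(r.split()) for r in branch.split(";") if r.strip()]
    return rules

# Constructed sample in the page's syntax (not a real policy module).
SAMPLE = """
bool allow_execmem false;
bool allow_execstack true;
if (allow_execmem && allow_execstack) { allow sysadm_t self:process execstack; }
if (!allow_execmem) { dontaudit sysadm_t self:process execmem; } else { allow sysadm_t { a_t b_t }:dir { read }; }
"""
```

With the declared defaults only the `dontaudit` rule is in force; overriding `allow_execmem` to true, as `setsebool allow_execmem on` would, enables the `execstack` rule and switches the second block to its `else` list.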
