Role-Based Access Control Declarations
As Figure 6-15 shows, there are four types of RBAC declarations:
-
role_type_def
Role type declarations
-
role_dominance
Role dominance declarations
-
roletrans_def
Role transition declarations
-
role_allow_def
Role allow declarations
Figure 6-15. RBAC declarations (rbac_decl)
Role Type Declarations
A role type declaration specifies the set of
domains for which a role is
authorized. They have the form shown in Figure 6-16.
The symbol identifier
specifies the role and the
symbol names
specifies the authorized domain or
domains.
Figure 6-16. Role type declaration (role_type_def)
Role type declarations typically appear in type enforcement files, where they specify
the roles that are authorized to enter the domains defined by the TE
files. For instance, the
ping.te
file contains
the following role-type declarations:
role sysadm_r types ping_t; role system_r types ping_t;
The first declaration authorizes the sysadm_r
role
to enter the ping_t
domain. The second declaration
authorizes the system_r
role to do likewise.
Role Dominance Declarations
Role dominance declarations can be used to specify a hierarchy among roles. However, existing implementations of SELinux policies do not specify role hierarchies.
Role Transition Declarations
At one time, role transition rules ...
Get SELinux now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.