Role-Based Access Control Declarations
As Figure 6-15 shows, there are four types of RBAC declarations:
-
role_type_def Role type declarations
-
role_dominance Role dominance declarations
-
roletrans_def Role transition declarations
-
role_allow_def Role allow declarations
Figure 6-15. RBAC declarations (rbac_decl)
Role Type Declarations
A role type declaration specifies the set of
domains for which a role is
authorized. They have the form shown in Figure 6-16.
The symbol identifier specifies the role and the
symbol names specifies the authorized domain or
domains.
Figure 6-16. Role type declaration (role_type_def)
Role type declarations typically appear in type enforcement files, where they specify
the roles that are authorized to enter the domains defined by the TE
files. For instance, the
ping.te file contains
the following role-type declarations:
role sysadm_r types ping_t; role system_r types ping_t;
The first declaration authorizes the sysadm_r role
to enter the ping_t domain. The second declaration
authorizes the system_r role to do likewise.
Role Dominance Declarations
Role dominance declarations can be used to specify a hierarchy among roles. However, existing implementations of SELinux policies do not specify role hierarchies.
Role Transition Declarations
At one time, role transition rules ...
Get SELinux now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
