Role-Based Access Control Declarations

As Figure 6-15 shows, there are four types of RBAC declarations:


Role type declarations


Role dominance declarations


Role transition declarations


Role allow declarations

RBAC declarations (rbac_decl)

Figure 6-15. RBAC declarations (rbac_decl)

Role Type Declarations

A role type declaration specifies the set of domains for which a role is authorized. They have the form shown in Figure 6-16. The symbol identifier specifies the role and the symbol names specifies the authorized domain or domains.

Role type declaration (role_type_def)

Figure 6-16. Role type declaration (role_type_def)

Role type declarations typically appear in type enforcement files, where they specify the roles that are authorized to enter the domains defined by the TE files. For instance, the ping.te file contains the following role-type declarations:

role sysadm_r types ping_t;
role system_r types ping_t;

The first declaration authorizes the sysadm_r role to enter the ping_t domain. The second declaration authorizes the system_r role to do likewise.

Role Dominance Declarations

Role dominance declarations can be used to specify a hierarchy among roles. However, existing implementations of SELinux policies do not specify role hierarchies.

Role Transition Declarations

At one time, role transition rules ...

Get SELinux now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.