Role-Based Access Control Declarations
As Figure 6-15 shows, there are four types of RBAC declarations:
Role type declarations
Role dominance declarations
Role transition declarations
Role allow declarations
Figure 6-15. RBAC declarations (rbac_decl)
Role Type Declarations
A role type declaration specifies the set of
domains for which a role is
authorized. They have the form shown in Figure 6-16.
identifier specifies the role and the
names specifies the authorized domain or
Figure 6-16. Role type declaration (role_type_def)
Role type declarations typically appear in type enforcement files, where they specify
the roles that are authorized to enter the domains defined by the TE
files. For instance, the
ping.te file contains
the following role-type declarations:
role sysadm_r types ping_t; role system_r types ping_t;
The first declaration authorizes the
to enter the
ping_t domain. The second declaration
system_r role to do likewise.
Role Dominance Declarations
Role dominance declarations can be used to specify a hierarchy among roles. However, existing implementations of SELinux policies do not specify role hierarchies.
Role Transition Declarations
At one time, role transition rules ...