User Statements
===============

user
----

Declares an SELinux user identifier in the current namespace.

**Statement definition:**

```secil
    (user user_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>user</code></p></td>
<td align="left"><p>The <code>user</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>The SELinux <code>user</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This will declare an SELinux user as `unconfined.user` (the enclosing `block` supplies the `unconfined.` namespace prefix):

```secil
    (block unconfined
        (user user)
    )
```

userrole
--------

Associates a previously declared [`user`](cil_user_statements.md#user) or [`userattribute`](cil_user_statements.md#userattribute) identifier with a previously declared [`role`](cil_role_statements.md#role) or `roleattribute` identifier. When an attribute is given, the association applies to every user or role that is a member of it.

**Statement definition:**

```secil
    (userrole user_id role_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userrole</code></p></td>
<td align="left"><p>The <code>userrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> or <code>userattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>A previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` with `unconfined.role`:

```secil
    (block unconfined
        (user user)
        (role role)
        (userrole user role)
    )
```

userattribute
-------------

Declares a user attribute identifier in the current namespace.
The identifier may have zero or more [`user`](cil_user_statements.md#user) and [`userattribute`](cil_user_statements.md#userattribute) identifiers associated with it via the [`userattributeset`](cil_user_statements.md#userattributeset) statement.

**Statement definition:**

```secil
    (userattribute userattribute_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userattribute</code></p></td>
<td align="left"><p>The <code>userattribute</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userattribute_id</code></p></td>
<td align="left"><p>The <code>userattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare a user attribute `users.user_holder` that will have an empty set:

```secil
    (block users
        (userattribute user_holder)
    )
```

userattributeset
----------------

Allows the association of one or more previously declared [`user`](cil_user_statements.md#user) or [`userattribute`](cil_user_statements.md#userattribute) identifiers to a [`userattribute`](cil_user_statements.md#userattribute) identifier. Expressions may be used to refine the associations as shown in the examples.

**Statement definition:**

```secil
    (userattributeset userattribute_id (user_id ... | expr ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userattributeset</code></p></td>
<td align="left"><p>The <code>userattributeset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userattribute_id</code></p></td>
<td align="left"><p>A single previously declared <code>userattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>Zero or more previously declared <code>user</code> or <code>userattribute</code> identifiers.</p>
<p>Note that there must be at least one <code>user_id</code> or <code>expr</code> parameter declared.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more expressions; the valid operators and syntax are:</p>
<p><code> (and (user_id ...) (user_id ...))</code></p>
<p><code> (or (user_id ...) (user_id ...))</code></p>
<p><code> (xor (user_id ...) (user_id ...))</code></p>
<p><code> (not (user_id ...))</code></p>
<p><code> (all)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare three users and two user attributes, then associate all the users to them as shown (`(all)` means every user declared anywhere in the policy, not only those in the current block):

```secil
    (block users
        (user user_1)
        (user user_2)
        (user user_3)

        (userattribute user_holder)
        (userattributeset user_holder (user_1 user_2 user_3))

        (userattribute user_holder_all)
        (userattributeset user_holder_all (all))
    )
```

userlevel
---------

Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`level`](cil_mls_labeling_statements.md#level) identifier. The [`level`](cil_mls_labeling_statements.md#level) may be named or anonymous.

**Statement definition:**

```secil
    (userlevel user_id level_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userlevel</code></p></td>
<td align="left"><p>The <code>userlevel</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>level_id</code></p></td>
<td align="left"><p>A previously declared <code>level</code> identifier, or an anonymous level consisting of a single <code>sensitivity</code> with zero or more mixed named and anonymous categories, as discussed in the <code>level</code> statement.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` with a named [`level`](cil_mls_labeling_statements.md#level) of `systemlow`:

```secil
    (sensitivity s0)
    (level systemlow (s0))

    (block unconfined
        (user user)
        (userlevel user systemlow)
        ; An anonymous example:
        ;(userlevel user (s0))
    )
```

userrange
---------

Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`levelrange`](cil_mls_labeling_statements.md#levelrange) identifier. The [`levelrange`](cil_mls_labeling_statements.md#levelrange) may be named or anonymous.

**Statement definition:**

```secil
    (userrange user_id levelrange_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userrange</code></p></td>
<td align="left"><p>The <code>userrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>levelrange_id</code></p></td>
<td align="left"><p>A previously declared <code>levelrange</code> identifier. This may be formed by named or anonymous components as discussed in the <code>levelrange</code> statement and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` with a named [`levelrange`](cil_mls_labeling_statements.md#levelrange) of `low_high`; equivalent anonymous forms are shown commented out:

```secil
    (category c0)
    (category c1)
    (categoryorder (c0 c1))
    (sensitivity s0)
    (sensitivity s1)
    (sensitivityorder (s0 s1))
    (sensitivitycategory s0 (c0 c1))
    (level systemLow (s0))
    (level systemHigh (s0 (c0 c1)))
    (levelrange low_high (systemLow systemHigh))

    (block unconfined
        (user user)
        (role role)
        (userrole user role)
        ; Named example:
        (userrange user low_high)
        ; Anonymous examples:
        ;(userrange user (systemLow systemHigh))
        ;(userrange user (systemLow (s0 (c0 c1))))
        ;(userrange user ((s0) (s0 (c0 c1))))
    )
```

userbounds
----------

Defines a hierarchical relationship between users where the child user cannot have more privileges than the parent.

Notes:

- A child user may be bound to only one parent; a parent may bound more than one child.

- While this is added to the binary policy, it is not enforced by the SELinux kernel services.

**Statement definition:**

```secil
    (userbounds parent_user_id child_user_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userbounds</code></p></td>
<td align="left"><p>The <code>userbounds</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>parent_user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>child_user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

The user `test` cannot have greater privileges than `unconfined.user` (the leading `.` in `.test` refers to the global namespace, since a bare `test` would first be looked up inside the `unconfined` block):

```secil
    (user test)

    (block unconfined
        (user user)
        (userbounds user .test)
    )
```

userprefix
----------

Declares a user prefix that the file labeling utilities substitute into `file_contexts.template` entries, as described at [http://selinuxproject.org/page/PolicyStoreConfigurationFiles](http://selinuxproject.org/page/PolicyStoreConfigurationFiles#file_contexts.template_File).

**Statement definition:**

```secil
    (userprefix user_id prefix)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userprefix</code></p></td>
<td align="left"><p>The <code>userprefix</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>prefix</code></p></td>
<td align="left"><p>The string to be used by the file labeling utilities.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate the `unconfined.admin` user with a prefix of `user`:

```secil
    (block unconfined
        (user admin)
        (userprefix admin user)
    )
```

selinuxuser
-----------

Associates a GNU/Linux user name with a previously declared [`user`](cil_user_statements.md#user) identifier and an MLS [`levelrange`](cil_mls_labeling_statements.md#levelrange), which may be named or anonymous. Note that the range is required even if the policy is non-MCS/MLS. These entries form the policy store's `seusers` file, which maps login names to SELinux users.

**Statement definition:**

```secil
    (selinuxuser user_name user_id userrange_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>selinuxuser</code></p></td>
<td align="left"><p>The <code>selinuxuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_name</code></p></td>
<td align="left"><p>A string representing the GNU/Linux user name.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userrange_id</code></p></td>
<td align="left"><p>A previously declared <code>levelrange</code> identifier, or an anonymous levelrange formed by named or anonymous components as discussed in the <code>levelrange</code> statement. This range should fall within the range associated with the <code>user</code> identifier by its <code>userrange</code> statement: the kernel treats a security context as invalid when its range lies outside its SELinux user's range, so a login with a wider range here will fail.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate the `unconfined.admin` user with the GNU / Linux user "`admin_1`":

```secil
    (block unconfined
        (user admin)
        ; low_low is assumed to be a levelrange declared elsewhere in the policy
        (selinuxuser admin_1 admin low_low)
    )
```

selinuxuserdefault
------------------

Declares the default SELinux user, i.e. the `__default__` entry of the `seusers` file that applies to GNU/Linux users without their own [`selinuxuser`](cil_user_statements.md#selinuxuser) entry. Only one [`selinuxuserdefault`](cil_user_statements.md#selinuxuserdefault) statement is allowed in the policy. Note that the range is required even if the policy is non-MCS/MLS.

**Statement definition:**

```secil
    (selinuxuserdefault user_id userrange_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>selinuxuserdefault</code></p></td>
<td align="left"><p>The <code>selinuxuserdefault</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>userrange_id</code></p></td>
<td align="left"><p>A previously declared <code>levelrange</code> identifier, or an anonymous levelrange formed by named or anonymous components as discussed in the <code>levelrange</code> statement. As for <code>selinuxuser</code>, it should fall within the range given to the <code>user</code> identifier by its <code>userrange</code> statement.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will define `unconfined.user` as the default SELinux user:

```secil
    (block unconfined
        (user user)
        ; low_low is assumed to be a levelrange declared elsewhere in the policy
        (selinuxuserdefault user low_low)
    )
```
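The following Python script is an added example and is not part of the CIL reference guide or of the SELinux project's code. It implements, over a small constructed CIL fragment, the resolution rules this page describes: identifiers declared inside a `block` are qualified with the block name (`unconfined.user`), a leading `.` names the global namespace (`.test`), a dotted reference such as `users.user_1` is found by walking outwards from the current block, `userattributeset` operands are evaluated with `and`, `or`, `xor`, `not` and `all`, a child user may be bound by only one `userbounds` parent, and the range passed to `selinuxuser` is checked against the range assigned by `userrange`, because the kernel rejects a security context whose MLS range lies outside its SELinux user's range. The names `unconfined.user`, `users.user_1`, `systemLow`, `systemHigh` and `low_high` come from this page; the other names, the policy text itself and the error messages are assumptions made for the demonstration. Category sets are taken as explicit lists (the `(range c0 c3)` form is not handled), and `secilc` remains the authoritative compiler.

```python
import re

# Constructed CIL text; unconfined.user, users.user_1, systemLow/High and low_high are the page's names
POLICY = """
(sensitivity s0) (sensitivity s1) (sensitivityorder (s0 s1))
(level systemLow (s0)) (level systemHigh (s0 (c0 c1)))
(levelrange low_high (systemLow systemHigh))
(user test)
(block users
    (user user_1) (user user_2) (user user_3)
    (userattribute holder) (userattributeset holder (user_1 user_2))
    (userattribute rest) (userattributeset rest (and (all) (not (holder)))))
(block unconfined
    (user user) (userrange user low_high)          ; range s0 to s0:c0.c1
    (userbounds user .test)                        ; '.test' names the global user
    (userbounds users.user_1 .test)                ; rejected: test already has a parent
    (selinuxuser admin_1 user (systemLow systemLow))
    (selinuxuser bad_1 user ((s0) (s1 (c0 c1)))))  ; rejected: s1 is above the user's high
"""
DECL = {"user": "users", "userattribute": "attrs", "level": "levels", "levelrange": "ranges"}

def parse(text):
    # CIL text -> nested lists, one per top-level s-expression; ';' comments dropped
    stack, cur = [], []
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append(cur); cur = []
        elif tok == ")":
            done, cur = cur, stack.pop(); cur.append(done)
        else:
            cur.append(tok)
    return cur

class UserPolicy:
    def __init__(self, text):
        self.users, self.attrs, self.levels, self.ranges = {}, {}, {}, {}
        self.userranges, self.bounds, self.sens_order, self.errors = {}, {}, [], []
        stmts = parse(text)
        self._walk(stmts, "", True)    # pass 1: declarations, qualified by block
        self._walk(stmts, "", False)   # pass 2: associations and checks
    def _walk(self, stmts, ns, declare):
        q = lambda n: f"{ns}.{n}" if ns else n
        for s in stmts:
            kw = s[0]
            if kw == "block":
                self._walk(s[2:], q(s[1]), declare)
            elif declare:
                if kw in DECL:
                    getattr(self, DECL[kw])[q(s[1])] = s[2] if len(s) > 2 else set()
                elif kw == "sensitivityorder":
                    self.sens_order = s[1]
            elif kw == "userattributeset":
                self.attrs[self.resolve(s[1], ns)] = self.eval_expr(s[2], ns)
            elif kw == "userrange":
                self.userranges[self.resolve(s[1], ns)] = self.levelrange(s[2], ns)
            elif kw == "userbounds":
                parent, child = self.resolve(s[1], ns), self.resolve(s[2], ns)
                if child in self.bounds:   # a child user can have only one parent
                    self.errors.append(f"{child} already bound by {self.bounds[child]}")
                self.bounds.setdefault(child, parent)
            elif kw == "selinuxuser":
                user, rng = self.resolve(s[2], ns), self.levelrange(s[3], ns)
                if not range_contains(self.userranges[user], rng):
                    self.errors.append(f"{s[1]}: range outside userrange of {user}")
    def resolve(self, name, ns):
        # '.x' is global; otherwise try the current block, each enclosing block, then global
        if name.startswith("."):
            return name[1:]
        parts = ns.split(".") if ns else []
        for i in range(len(parts), -1, -1):
            cand = ".".join(parts[:i] + [name])
            if any(cand in getattr(self, t) for t in DECL.values()):
                return cand
        raise KeyError(f"unresolved identifier {name!r} in namespace {ns!r}")
    def eval_expr(self, expr, ns):
        # userattributeset operand: (all), (not X), (and|or|xor X Y) or a list of ids
        if expr == ["all"]:
            return set(self.users)
        if expr[0] in ("and", "or", "xor", "not") and isinstance(expr[1], list):
            a = self.eval_expr(expr[1], ns)
            b = self.eval_expr(expr[2], ns) if expr[0] != "not" else set()
            return {"and": a & b, "or": a | b, "xor": a ^ b, "not": set(self.users) - a}[expr[0]]
        ids = [self.resolve(n, ns) for n in expr]       # a userattribute expands to its members
        return set().union(*(self.attrs.get(i, {i}) for i in ids))
    def level(self, lvl, ns):
        # a level is (sensitivity rank, category set); named levels are looked up
        if isinstance(lvl, str):
            lvl = self.levels[self.resolve(lvl, ns)]
        return (self.sens_order.index(lvl[0]), frozenset(lvl[1] if len(lvl) > 1 else ()))
    def levelrange(self, rng, ns):
        if isinstance(rng, str):
            rng = self.ranges[self.resolve(rng, ns)]
        return (self.level(rng[0], ns), self.level(rng[1], ns))

def range_contains(outer, inner):
    # kernel rule: a context's range must lie within its SELinux user's range (dominance at both ends)
    (olo, ohi), (ilo, ihi) = outer, inner
    return ilo[0] >= olo[0] and ilo[1] >= olo[1] and ohi[0] >= ihi[0] and ohi[1] >= ihi[1]
```

Constructing `UserPolicy(POLICY)` resolves `users.holder` to `{users.user_1, users.user_2}` and `users.rest` to the remaining three users (`test`, `users.user_3` and `unconfined.user`, since `(all)` spans every namespace), records `test` as bounded by `unconfined.user`, and leaves two entries in `errors`: the second `userbounds` on `test` and the `bad_1` login whose high level `s1` exceeds the `s0` high of `low_high`. The containment test mirrors the kernel's check, so running it over a policy before installing it catches seusers entries that would yield invalid contexts at login.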