User Statements
===============

user
----

Declares an SELinux user identifier in the current namespace.

**Statement definition:**

```secil
    (user user_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>user</code></p></td>
<td align="left"><p>The <code>user</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>The SELinux <code>user</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This will declare an SELinux user as `unconfined.user`:

```secil
    (block unconfined
        (user user)
    )
```

userrole
--------

Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`role`](cil_role_statements.md#role) identifier.

**Statement definition:**

```secil
    (userrole user_id role_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userrole</code></p></td>
<td align="left"><p>The <code>userrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> or <code>userattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>role_id</code></p></td>
<td align="left"><p>A previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` with `unconfined.role`:

```secil
    (block unconfined
        (user user)
        (role role)
        (userrole user role)
    )
```

userattribute
-------------

Declares a user attribute identifier in the current namespace. The identifier may have zero or more [`user`](cil_user_statements.md#user) and [`userattribute`](cil_user_statements.md#userattribute) identifiers associated with it via the [`userattributeset`](cil_user_statements.md#userattributeset) statement.

**Statement definition:**

```secil
    (userattribute userattribute_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userattribute</code></p></td>
<td align="left"><p>The <code>userattribute</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userattribute_id</code></p></td>
<td align="left"><p>The <code>userattribute</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare a user attribute `users.user_holder` that will have an empty set:

```secil
    (block users
        (userattribute user_holder)
    )
```

userattributeset
----------------

Allows the association of one or more previously declared [`user`](cil_user_statements.md#user) or [`userattribute`](cil_user_statements.md#userattribute) identifiers with a [`userattribute`](cil_user_statements.md#userattribute) identifier. Expressions may be used to refine the associations as shown in the examples.

**Statement definition:**

```secil
    (userattributeset userattribute_id (user_id ... | expr ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userattributeset</code></p></td>
<td align="left"><p>The <code>userattributeset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userattribute_id</code></p></td>
<td align="left"><p>A single previously declared <code>userattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>Zero or more previously declared <code>user</code> or <code>userattribute</code> identifiers.</p>
<p>Note that there must be at least one <code>user_id</code> or <code>expr</code> parameter declared.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code> expressions; the valid operators and syntax are:</p>
<p><code>    (and (user_id ...) (user_id ...))</code></p>
<p><code>    (or  (user_id ...) (user_id ...))</code></p>
<p><code>    (xor (user_id ...) (user_id ...))</code></p>
<p><code>    (not (user_id ...))</code></p>
<p><code>    (all)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

This example will declare three users and two user attributes, then associate all the users with them as shown:

```secil
    (block users
        (user user_1)
        (user user_2)
        (user user_3)

        (userattribute user_holder)
        (userattributeset user_holder (user_1 user_2 user_3))

        (userattribute user_holder_all)
        (userattributeset user_holder_all (all))
    )
```

userlevel
---------

Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`level`](cil_mls_labeling_statements.md#level) identifier. The [`level`](cil_mls_labeling_statements.md#level) may be named or anonymous.

**Statement definition:**

```secil
    (userlevel user_id level_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userlevel</code></p></td>
<td align="left"><p>The <code>userlevel</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>level_id</code></p></td>
<td align="left"><p>A previously declared <code>level</code> identifier. This may consist of a single <code>sensitivity</code> with zero or more named or anonymous <code>category</code> identifiers, as discussed in the <code>level</code> statement.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` with a named [`level`](cil_mls_labeling_statements.md#level) of `systemlow`:

```secil
    (sensitivity s0)
    (level systemlow (s0))

    (block unconfined
        (user user)
        (userlevel user systemlow)
        ; An anonymous example:
        ;(userlevel user (s0))
    )
```

userrange
---------

Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`levelrange`](cil_mls_labeling_statements.md#levelrange) identifier. The [`levelrange`](cil_mls_labeling_statements.md#levelrange) may be named or anonymous.

**Statement definition:**

```secil
    (userrange user_id levelrange_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userrange</code></p></td>
<td align="left"><p>The <code>userrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>levelrange_id</code></p></td>
<td align="left"><p>A previously declared <code>levelrange</code> identifier. This may be formed by named or anonymous components as discussed in the <code>levelrange</code> statement and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate `unconfined.user` with a named [`levelrange`](cil_mls_labeling_statements.md#levelrange) of `low_high`; anonymous alternatives are shown as comments:

```secil
    (category c0)
    (category c1)
    (categoryorder (c0 c1))
    (sensitivity s0)
    (sensitivity s1)
    (sensitivityorder (s0 s1))
    (sensitivitycategory s0 (c0 c1))
    (level systemLow (s0))
    (level systemHigh (s0 (c0 c1)))
    (levelrange low_high (systemLow systemHigh))

    (block unconfined
        (user user)
        (role role)
        (userrole user role)
        ; Named example:
        (userrange user low_high)
        ; Anonymous examples:
        ;(userrange user (systemLow systemHigh))
        ;(userrange user (systemLow (s0 (c0 c1))))
        ;(userrange user ((s0) (s0 (c0 c1))))
    )
```

userbounds
----------

Defines a hierarchical relationship between users where the child user cannot have more privileges than the parent.

Notes:

- It is not possible to bind the parent to more than one child.

- While this is added to the binary policy, it is not enforced by the SELinux kernel services.

**Statement definition:**

```secil
    (userbounds parent_user_id child_user_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userbounds</code></p></td>
<td align="left"><p>The <code>userbounds</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>parent_user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>child_user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

The user `test` cannot have greater privileges than `unconfined.user` (the leading `.` in `.test` refers to the global namespace):

```secil
    (user test)

    (block unconfined
        (user user)
        (userbounds user .test)
    )
```

userprefix
----------

Declares a user prefix that will be replaced by the file labeling utilities described at [http://selinuxproject.org/page/PolicyStoreConfigurationFiles](http://selinuxproject.org/page/PolicyStoreConfigurationFiles#file_contexts.template_File), which details the `file_contexts` entries.

**Statement definition:**

```secil
    (userprefix user_id prefix)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>userprefix</code></p></td>
<td align="left"><p>The <code>userprefix</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>prefix</code></p></td>
<td align="left"><p>The string to be used by the file labeling utilities.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate the `unconfined.admin` user with a prefix of "[`user`](cil_user_statements.md#user)":

```secil
    (block unconfined
        (user admin)
        (userprefix admin user)
    )
```

selinuxuser
-----------

Associates a GNU/Linux user name with a previously declared [`user`](cil_user_statements.md#user) identifier and a previously declared MLS [`userrange`](cil_user_statements.md#userrange). Note that the [`userrange`](cil_user_statements.md#userrange) is required even if the policy is non-MCS/MLS.

**Statement definition:**

```secil
    (selinuxuser user_name user_id userrange_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>selinuxuser</code></p></td>
<td align="left"><p>The <code>selinuxuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_name</code></p></td>
<td align="left"><p>A string representing the GNU/Linux user name.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>userrange_id</code></p></td>
<td align="left"><p>A previously declared <code>userrange</code> identifier that has been associated with the <code>user</code> identifier. This may be formed by named or anonymous components as discussed in the <code>userrange</code> statement and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate the `unconfined.admin` user with the GNU/Linux user "`admin_1`":

```secil
    (block unconfined
        (user admin)
        (selinuxuser admin_1 admin low_low)
    )
```

selinuxuserdefault
------------------

Declares the default SELinux user. Only one [`selinuxuserdefault`](cil_user_statements.md#selinuxuserdefault) statement is allowed in the policy. Note that the [`userrange`](cil_user_statements.md#userrange) identifier is required even if the policy is non-MCS/MLS.

**Statement definition:**

```secil
    (selinuxuserdefault user_id userrange_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>selinuxuserdefault</code></p></td>
<td align="left"><p>The <code>selinuxuserdefault</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>user_id</code></p></td>
<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>userrange_id</code></p></td>
<td align="left"><p>A previously declared <code>userrange</code> identifier that has been associated with the <code>user</code> identifier. This may be formed by named or anonymous components as discussed in the <code>userrange</code> statement and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will define `unconfined.user` as the default SELinux user:

```secil
    (block unconfined
        (user user)
        (selinuxuserdefault user low_low)
    )
```
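As an added example (not code from the CIL documentation or from secilc/libsepol), the following Python checker parses a CIL fragment, expands `block` namespaces, evaluates `userattributeset` operands (id lists, `and`/`or`/`xor`/`not`, `all`) to the users each attribute holds, and reports the constraints stated in the `userattributeset` and `selinuxuserdefault` sections above: a `userattributeset` needs at least one `user_id` or `expr`, only one `selinuxuserdefault` may appear, and user-referencing statements must name a declared user. All function names are my own, the namespace lookup (a leading `.` is global, otherwise the enclosing block is tried first, then the global namespace) is a simplification of CIL's resolution rules, and the sample policy is constructed from the page's examples.

```python
"""Added example (not from the CIL docs or secilc): parse and check CIL user statements."""
import re

TOKEN = re.compile(r"\(|\)|[^\s()]+")
# Operand position of the SELinux user in each statement that references one.
USER_POS = {"userrole": 1, "userlevel": 1, "userrange": 1, "userprefix": 1,
            "selinuxuser": 2, "selinuxuserdefault": 1}

def parse(text):
    """Turn CIL source into nested lists; ';' starts a comment to end of line."""
    stack = [[]]
    for tok in TOKEN.findall(re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # close the list into its parent (stray ')' -> IndexError)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def flatten(forms, prefix=""):
    """Yield (namespace_prefix, statement) pairs with `block` scopes expanded."""
    for form in forms:
        if isinstance(form, list) and form[:1] == ["block"]:
            yield from flatten(form[2:], prefix + form[1] + ".")
        elif isinstance(form, list) and form:
            yield prefix, form

def qualify(name, ns, declared):
    """Simplified CIL lookup: leading '.' is global, else enclosing block first."""
    if name.startswith("."):
        return name[1:]
    return ns + name if ns + name in declared else name

def evaluate(expr, ns, users, attrs):
    """Evaluate one userattributeset operand: id, operator form, or id list."""
    if isinstance(expr, str):  # a user or userattribute identifier
        ref = qualify(expr, ns, users | set(attrs))
        return members_of(ref, users, attrs) if ref in attrs else {ref}
    if not expr:
        return set()
    sub = [evaluate(e, ns, users, attrs) for e in expr[1:]]
    if expr[0] == "all":
        return set(users)
    if expr[0] == "not":
        return set(users) - sub[0]
    if expr[0] in ("and", "or", "xor"):
        return {"and": sub[0] & sub[1], "or": sub[0] | sub[1], "xor": sub[0] ^ sub[1]}[expr[0]]
    # Otherwise a bare list of ids/exprs: the union of all its members.
    return set().union(evaluate(expr[0], ns, users, attrs), *sub)

def members_of(attr, users, attrs):
    """Users held by `attr`: the union of all its userattributeset statements (no cycle guard)."""
    return set().union(*(evaluate(o, ns, users, attrs) for ns, o in attrs[attr]))

def check(text):
    """Return ({attribute: set of users}, [findings]) for a CIL fragment."""
    stmts = list(flatten(parse(text)))
    users = {ns + s[1] for ns, s in stmts if s[0] == "user"}
    attrs = {ns + s[1]: [] for ns, s in stmts if s[0] == "userattribute"}
    findings = []
    for ns, s in stmts:
        if s[0] == "userattributeset":
            target = qualify(s[1], ns, attrs)
            if len(s) < 3 or not s[2]:
                findings.append(f"userattributeset {target}: needs a user_id or expr")
            elif target not in attrs:
                findings.append(f"userattributeset {target}: undeclared userattribute")
            else:
                attrs[target].append((ns, s[2]))
        elif s[0] in USER_POS:
            ref = qualify(s[USER_POS[s[0]]], ns, users | set(attrs))
            if ref not in users and not (s[0] == "userrole" and ref in attrs):
                findings.append(f"{s[0]}: undeclared user {ref}")
    defaults = sum(s[0] == "selinuxuserdefault" for _, s in stmts)
    if defaults > 1:
        findings.append(f"selinuxuserdefault: {defaults} statements, only one allowed")
    return {a: members_of(a, users, attrs) for a in attrs}, findings

# Constructed sample: the page's examples plus three deliberate mistakes.
SAMPLE = """
(block users
    (user user_1) (user user_2) (user user_3)
    (userattribute user_holder) (userattributeset user_holder (user_1 user_2))
    (userattribute everyone) (userattributeset everyone (all))
    (userattribute others) (userattributeset others (not (user_holder)))
    (userattribute empty) (userattributeset empty ())   ; mistake: no user_id or expr
)
(block unconfined
    (user user) (role role) (userrole user role) (selinuxuserdefault user low_low)
    (userrole ghost role)                               ; mistake: ghost is undeclared
)
(selinuxuserdefault unconfined.user low_low)           ; mistake: a second default
"""

if __name__ == "__main__":
    print(*check(SAMPLE), sep="\n")
```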