Next: MLS configuration Up: Policy Configuration Language Previous: TE configuration   Contents

RBAC configuration

The rbac file contains the configuration information for the role-based access control (RBAC) policy. Although roles could be implemented directly using TE domains, this policy provides an additional layer of abstraction for grouping TE domains into roles and for expressing a role hierarchy. Roles are only relevant for processes. Files are labeled with a generic object_r role.

Figure 5: Role declarations (listing truncated in this extraction; it begins with `role system_...` and ends with `...sysadm_r types sysadm_t;`)

The RBAC configuration contains four kinds of statements: role declarations, role transition rules, role allow rules, and role dominance definitions. A role declaration specifies a name for the role and a set of types that may be associated with that role. This limits the set of types that may be entered by a process in the role. The generic object_r role may be associated with any type, since object roles are not relevant to the policy.

Sample role declarations are shown in Figure 5. The first declaration defines a system_r role for system processes such as init and getty. The second declaration defines a user_r role for ordinary users. The third declaration defines a sysadm_r role for system administrators.

Figure 6: Role transition rules (listing truncated in this extraction; it begins with `role_transit...` and ends with `...untrusted_exec_t user_r;`)

A role transition rule specifies the default role of a transformed process based on its prior role and the type of the program executable. If no rule is specified, then the default role of a process is the same as its role prior to the execve call. Sample role transition rules are shown in Figure 6. The first rule specifies that when a system process executes the login program executable, the transformed process should be assigned the login_r role by default. The second rule specifies that when a system administrator executes an untrusted executable, the transformed process should be assigned the user_r role.

Figure 7: Role allow rules (listing truncated in this extraction; it begins with `allow system...` and ends with `...allow system_r secadm_r;`)

A role allow rule specifies allowable transitions between roles on an execve. If no rule is specified, then the change in roles will not be permitted. Additional controls over role transitions based on the type of the process may be specified through the constraints file, as discussed in Section 3.4.5. Sample role allow rules are shown in Figure 7. The first rule grants processes in the system_r role the permission to transition to the user_r role. The second and third rules provide similar permissions to the sysadm_r and secadm_r roles.

A role dominance definition specifies a hierarchy among a set of roles. A role automatically inherits any types that can be associated with any role it dominates in the hierarchy. As discussed in Section 3.4.5, this dominance relationship may also be used to define constraints on specific permissions. Role dominance definitions are not currently used in the sample policy configuration.
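The four kinds of rbac statements described above interact at execve time: a role_transition rule picks the default role, a role allow rule must cover any change of role, the role declaration bounds which types the resulting process may hold, and dominance widens that bound with inherited types. The following Python model, added here as an illustration and not part of the report or of any SELinux tool, parses a constructed rbac fragment in the statement forms the text describes and applies those rules in that order. The sample types, roles and the `execve_role` helper are this example's own assumptions; dominance is set programmatically rather than parsed, since the report says the sample policy does not use it.

```python
"""Toy model of SELinux RBAC decisions on execve (added example, not report code)."""
import re
from dataclasses import dataclass, field

# Constructed sample fragment in the rbac file's statement forms; not the
# report's own figures. Role names follow the text, type names are assumed.
SAMPLE_RBAC = """
role system_r types { init_t getty_t };
role login_r types login_t;
role user_r types user_t;
role sysadm_r types sysadm_t;
role object_r;                   # generic object role, no process types
role_transition system_r login_exec_t login_r;
role_transition sysadm_r untrusted_exec_t user_r;
allow system_r login_r;
allow system_r user_r;
allow system_r sysadm_r;
allow sysadm_r user_r;
"""


@dataclass
class RbacPolicy:
    """In-memory form of the statements the report describes for the rbac file."""
    role_types: dict = field(default_factory=dict)   # role -> set of type names
    transitions: dict = field(default_factory=dict)  # (prior role, exec type) -> default new role
    role_allow: set = field(default_factory=set)     # (from role, to role) permitted on execve
    dominated: dict = field(default_factory=dict)    # role -> roles it directly dominates

    def add_dominance(self, role, *children):
        # Dominance is described in the report but unused in its sample policy,
        # so this example records it directly instead of parsing a statement.
        self.dominated.setdefault(role, set()).update(children)

    def effective_types(self, role):
        # A role inherits the types of every role it dominates, transitively.
        types, todo, seen = set(), [role], set()
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            types |= self.role_types.get(r, set())
            todo.extend(self.dominated.get(r, ()))
        return types


def _tokens(statement):
    # A "{ a b }" group stays one token; everything else splits on whitespace.
    return re.findall(r"\{[^}]*\}|\S+", statement)


def _type_set(token):
    return set(token.strip("{}").split()) if token.startswith("{") else {token}


def parse_rbac(text):
    """Parse role declarations, role_transition rules and role allow rules."""
    policy = RbacPolicy()
    for stmt in re.sub(r"#.*", "", text).split(";"):
        toks = _tokens(stmt)
        if not toks:
            continue
        if toks[0] == "role":                      # role NAME [types T | { T1 T2 }]
            policy.role_types.setdefault(toks[1], set())
            if len(toks) > 2 and toks[2] == "types":
                policy.role_types[toks[1]] |= _type_set(toks[3])
        elif toks[0] == "role_transition" and len(toks) == 4:
            policy.transitions[(toks[1], toks[2])] = toks[3]
        elif toks[0] == "allow" and len(toks) == 3:  # role allow rule: allow FROM TO;
            policy.role_allow.add((toks[1], toks[2]))
        else:
            raise ValueError(f"unsupported rbac statement: {stmt.strip()}")
    return policy


def execve_role(policy, prior_role, exec_type, new_type, requested_role=None):
    """Decide the role of a transformed process; returns (permitted, role, reason).

    The default role comes from a role_transition rule and otherwise stays
    unchanged; a change of role needs a role allow rule; and the new process
    type must be one the resulting role may hold (own or inherited types).
    """
    default = policy.transitions.get((prior_role, exec_type), prior_role)
    new_role = requested_role or default
    if new_role not in policy.role_types:
        return False, new_role, "undeclared role"
    if new_role != prior_role and (prior_role, new_role) not in policy.role_allow:
        return False, new_role, f"no role allow rule {prior_role} -> {new_role}"
    if new_type not in policy.effective_types(new_role):
        return False, new_role, f"type {new_type} not permitted for role {new_role}"
    return True, new_role, "default role" if new_role == default else "requested role"


if __name__ == "__main__":
    p = parse_rbac(SAMPLE_RBAC)
    print(execve_role(p, "system_r", "login_exec_t", "login_t"))
    print(execve_role(p, "sysadm_r", "untrusted_exec_t", "sysadm_t"))
```

The third check is what makes the role declaration a real bound: even when a role_transition rule and a matching role allow rule both apply, a process whose new type is outside the resulting role's type set is still refused.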
