1User Statements 2=============== 3 4user 5---- 6 7Declares an SELinux user identifier in the current namespace. 8 9**Statement definition:** 10 11 (user user_id) 12 13**Where:** 14 15<table> 16<colgroup> 17<col width="25%" /> 18<col width="75%" /> 19</colgroup> 20<tbody> 21<tr class="odd"> 22<td align="left"><p><code>user</code></p></td> 23<td align="left"><p>The <code>user</code> keyword.</p></td> 24</tr> 25<tr class="even"> 26<td align="left"><p><code>user_id</code></p></td> 27<td align="left"><p>The SELinux <code>user</code> identifier.</p></td> 28</tr> 29</tbody> 30</table> 31 32**Example:** 33 34This will declare an SELinux user as `unconfined.user`: 35 36 (block unconfined 37 (user user) 38 ) 39 40userrole 41-------- 42 43Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`role`](cil_role_statements.md#role) identifier. 44 45**Statement definition:** 46 47 (userrole user_id role_id) 48 49**Where:** 50 51<table> 52<colgroup> 53<col width="25%" /> 54<col width="75%" /> 55</colgroup> 56<tbody> 57<tr class="odd"> 58<td align="left"><p><code>userrole</code></p></td> 59<td align="left"><p>The <code>userrole</code> keyword.</p></td> 60</tr> 61<tr class="even"> 62<td align="left"><p><code>user_id</code></p></td> 63<td align="left"><p>A previously declared SELinux <code>user</code> or <code>userattribute</code> identifier.</p></td> 64</tr> 65<tr class="odd"> 66<td align="left"><p><code>role_id</code></p></td> 67<td align="left"><p>A previously declared <code>role</code> or <code>roleattribute</code> identifier.</p></td> 68</tr> 69</tbody> 70</table> 71 72**Example:** 73 74This example will associate `unconfined.user` to `unconfined.role`: 75 76 (block unconfined 77 (user user) 78 (role role) 79 (userrole user role) 80 ) 81 82userattribute 83------------- 84 85Declares a user attribute identifier in the current namespace. The identifier may have zero or more [`user`](cil_user_statements.md#user) and [`userattribute`](cil_user_statements.md#userattribute) identifiers associated to it via the [`userattributeset`](cil_user_statements.md#userattributeset) statement. 86 87**Statement definition:** 88 89 (userattribute userattribute_id) 90 91**Where:** 92 93<table> 94<colgroup> 95<col width="25%" /> 96<col width="75%" /> 97</colgroup> 98<tbody> 99<tr class="odd"> 100<td align="left"><p><code>userattribute</code></p></td> 101<td align="left"><p>The <code>userattribute</code> keyword.</p></td> 102</tr> 103<tr class="even"> 104<td align="left"><p><code>userattribute_id</code></p></td> 105<td align="left"><p>The <code>userattribute</code> identifier.</p></td> 106</tr> 107</tbody> 108</table> 109 110**Example:** 111 112This example will declare a user attribute `users.user_holder` that will have an empty set: 113 114 (block users 115 (userattribute user_holder) 116 ) 117 118userattributeset 119---------------- 120 121Allows the association of one or more previously declared [`user`](cil_user_statements.md#user) or [`userattribute`](cil_user_statements.md#userattribute) identifiers to a [`userattribute`](cil_user_statements.md#userattribute) identifier. Expressions may be used to refine the associations as shown in the examples. 122 123**Statement definition:** 124 125 (userattributeset userattribute_id (user_id ... | expr ...)) 126 127**Where:** 128 129<table> 130<colgroup> 131<col width="25%" /> 132<col width="75%" /> 133</colgroup> 134<tbody> 135<tr class="odd"> 136<td align="left"><p><code>userattributeset</code></p></td> 137<td align="left"><p>The <code>userattributeset</code> keyword.</p></td> 138</tr> 139<tr class="even"> 140<td align="left"><p><code>userattribute_id</code></p></td> 141<td align="left"><p>A single previously declared <code>userattribute</code> identifier.</p></td> 142</tr> 143<tr class="odd"> 144<td align="left"><p><code>user_id</code></p></td> 145<td align="left"><p>Zero or more previously declared <code>user</code> or <code>userattribute</code> identifiers.</p> 146<p>Note that there must be at least one <code>user_id</code> or <code>expr</code> parameter declared.</p></td> 147</tr> 148<tr class="even"> 149<td align="left"><p><code>expr</code></p></td> 150<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p> 151<p><code> (and (user_id ...) (user_id ...))</code></p> 152<p><code> (or (user_id ...) (user_id ...))</code></p> 153<p><code> (xor (user_id ...) (user_id ...))</code></p> 154<p><code> (not (user_id ...))</code></p> 155<p><code> (all)</code></p></td> 156</tr> 157</tbody> 158</table> 159 160**Example:** 161 162This example will declare three users and two user attributes, then associate all the users to them as shown: 163 164 (block users 165 (user user_1) 166 (user user_2) 167 (user user_3) 168 169 (userattribute user_holder) 170 (userattributeset user_holder (user_1 user_2 user_3)) 171 172 (userattribute user_holder_all) 173 (userattributeset user_holder_all (all)) 174 ) 175 176userlevel 177--------- 178 179Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`level`](cil_mls_labeling_statements.md#level) identifier. The [`level`](cil_mls_labeling_statements.md#level) may be named or anonymous. 180 181**Statement definition:** 182 183 (userlevel user_id level_id) 184 185**Where:** 186 187<table> 188<colgroup> 189<col width="25%" /> 190<col width="75%" /> 191</colgroup> 192<tbody> 193<tr class="odd"> 194<td align="left"><p><code>userlevel</code></p></td> 195<td align="left"><p>The <code>userlevel</code> keyword.</p></td> 196</tr> 197<tr class="even"> 198<td align="left"><p><code>user_id</code></p></td> 199<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td> 200</tr> 201<tr class="odd"> 202<td align="left"><p><code>level_id</code></p></td> 203<td align="left"><p>A previously declared <code>level</code> identifier. This may consist of a single <code>sensitivity</code> with zero or more mixed named and anonymous <code>category</code>'s as discussed in the <code>level</code> statement.</p></td> 204</tr> 205</tbody> 206</table> 207 208**Example:** 209 210This example will associate `unconfined.user` with a named [`level`](cil_mls_labeling_statements.md#level) of `systemlow`: 211 212 (sensitivity s0) 213 (level systemlow (s0)) 214 215 (block unconfined 216 (user user) 217 (userlevel user systemlow) 218 ; An anonymous example: 219 ;(userlevel user (s0)) 220 ) 221 222userrange 223--------- 224 225Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`levelrange`](cil_mls_labeling_statements.md#levelrange) identifier. The [`levelrange`](cil_mls_labeling_statements.md#levelrange) may be named or anonymous. 226 227**Statement definition:** 228 229 (userrange user_id levelrange_id) 230 231**Where:** 232 233<table> 234<colgroup> 235<col width="25%" /> 236<col width="75%" /> 237</colgroup> 238<tbody> 239<tr class="odd"> 240<td align="left"><p><code>userrange</code></p></td> 241<td align="left"><p>The <code>userrange</code> keyword.</p></td> 242</tr> 243<tr class="even"> 244<td align="left"><p><code>user_id</code></p></td> 245<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td> 246</tr> 247<tr class="odd"> 248<td align="left"><p><code>levelrange_id</code></p></td> 249<td align="left"><p>A previously declared <code>levelrange</code> identifier. This may be formed by named or anonymous components as discussed in the <code>levelrange</code> statement and shown in the examples.</p></td> 250</tr> 251</tbody> 252</table> 253 254**Example:** 255 256This example will associate `unconfined.user` with a named [`levelrange`](cil_mls_labeling_statements.md#levelrange) of `low_high`, other anonymous examples are also shown: 257 258 (category c0) 259 (category c1) 260 (categoryorder (c0 c1)) 261 (sensitivity s0) 262 (sensitivity s1) 263 (dominance (s0 s1)) 264 (sensitivitycategory s0 (c0 c1)) 265 (level systemLow (s0)) 266 (level systemHigh (s0 (c0 c1))) 267 (levelrange low_high (systemLow systemHigh)) 268 269 (block unconfined 270 (user user) 271 (role role) 272 (userrole user role) 273 ; Named example: 274 (userrange user low_high) 275 ; Anonymous examples: 276 ;(userrange user (systemLow systemHigh)) 277 ;(userrange user (systemLow (s0 (c0 c1)))) 278 ;(userrange user ((s0) (s0 (c0 c1)))) 279 ) 280 281userbounds 282---------- 283 284Defines a hierarchical relationship between users where the child user cannot have more privileges than the parent. 285 286Notes: 287 288- It is not possible to bind the parent to more than one child. 289 290- While this is added to the binary policy, it is not enforced by the SELinux kernel services. 291 292**Statement definition:** 293 294 (userbounds parent_user_id child_user_id) 295 296**Where:** 297 298<table> 299<colgroup> 300<col width="25%" /> 301<col width="75%" /> 302</colgroup> 303<tbody> 304<tr class="odd"> 305<td align="left"><p><code>userbounds</code></p></td> 306<td align="left"><p>The <code>userbounds</code> keyword.</p></td> 307</tr> 308<tr class="even"> 309<td align="left"><p><code>parent_user_id</code></p></td> 310<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td> 311</tr> 312<tr class="odd"> 313<td align="left"><p><code>child_user_id</code></p></td> 314<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td> 315</tr> 316</tbody> 317</table> 318 319**Example:** 320 321The user `test` cannot have greater privileges than `unconfined.user`: 322 323 (user test) 324 325 (unconfined 326 (user user) 327 (userbounds user .test) 328 ) 329 330userprefix 331---------- 332 333Declare a user prefix that will be replaced by the file labeling utilities described at [http://selinuxproject.org/page/PolicyStoreConfigurationFiles](http://selinuxproject.org/page/PolicyStoreConfigurationFiles#file_contexts.template_File) that details the `file_contexts` entries. 334 335**Statement definition:** 336 337 (userprefix user_id prefix) 338 339**Where:** 340 341<table> 342<colgroup> 343<col width="25%" /> 344<col width="75%" /> 345</colgroup> 346<tbody> 347<tr class="odd"> 348<td align="left"><p><code>userprefix</code></p></td> 349<td align="left"><p>The <code>userprefix</code> keyword.</p></td> 350</tr> 351<tr class="even"> 352<td align="left"><p><code>user_id</code></p></td> 353<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td> 354</tr> 355<tr class="odd"> 356<td align="left"><p><code>prefix</code></p></td> 357<td align="left"><p>The string to be used by the file labeling utilities.</p></td> 358</tr> 359</tbody> 360</table> 361 362**Example:** 363 364This example will associate `unconfined.admin` user with a prefix of "[`user`](cil_user_statements.md#user)": 365 366 (block unconfined 367 (user admin 368 (userprefix admin user) 369 ) 370 371selinuxuser 372----------- 373 374Associates a GNU/Linux user to a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared MLS [`userrange`](cil_user_statements.md#userrange). Note that the [`userrange`](cil_user_statements.md#userrange) is required even if the policy is non-MCS/MLS. 375 376**Statement definition:** 377 378 (selinuxuser user_name user_id userrange_id) 379 380**Where:** 381 382<table> 383<colgroup> 384<col width="25%" /> 385<col width="75%" /> 386</colgroup> 387<tbody> 388<tr class="odd"> 389<td align="left"><p><code>selinuxuser</code></p></td> 390<td align="left"><p>The <code>selinuxuser</code> keyword.</p></td> 391</tr> 392<tr class="even"> 393<td align="left"><p><code>user_name</code></p></td> 394<td align="left"><p>A string representing the GNU/Linux user name</p></td> 395</tr> 396<tr class="odd"> 397<td align="left"><p><code>user_id</code></p></td> 398<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td> 399</tr> 400<tr class="even"> 401<td align="left"><p><code>userrange_id</code></p></td> 402<td align="left"><p>A previously declared <code>userrange</code> identifier that has been associated to the <code>user</code> identifier. This may be formed by named or anonymous components as discussed in the <code>userrange</code> statement and shown in the examples.</p></td> 403</tr> 404</tbody> 405</table> 406 407**Example:** 408 409This example will associate `unconfined.admin` user with a GNU / Linux user "`admin_1`": 410 411 (block unconfined 412 (user admin) 413 (selinuxuser admin_1 admin low_low) 414 ) 415 416selinuxuserdefault 417------------------ 418 419Declares the default SELinux user. Only one [`selinuxuserdefault`](cil_user_statements.md#selinuxuserdefault) statement is allowed in the policy. Note that the [`userrange`](cil_user_statements.md#userrange) identifier is required even if the policy is non-MCS/MLS. 420 421**Statement definition:** 422 423 (selinuxuserdefault user_id userrange_id) 424 425**Where:** 426 427<table> 428<colgroup> 429<col width="25%" /> 430<col width="75%" /> 431</colgroup> 432<tbody> 433<tr class="odd"> 434<td align="left"><p><code>selinuxuserdefault</code></p></td> 435<td align="left"><p>The <code>selinuxuserdefault</code> keyword.</p></td> 436</tr> 437<tr class="even"> 438<td align="left"><p><code>user_id</code></p></td> 439<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td> 440</tr> 441<tr class="odd"> 442<td align="left"><p><code>userrange_id</code></p></td> 443<td align="left"><p>A previously declared <code>userrange</code> identifier that has been associated to the <code>user</code> identifier. This may be formed by named or anonymous components as discussed in the <code>userrange</code> statement and shown in the examples.</p></td> 444</tr> 445</tbody> 446</table> 447 448**Example:** 449 450This example will define the `unconfined.user` as the default SELinux user: 451 452 (block unconfined 453 (user user) 454 (selinuxuserdefault user low_low) 455 ) 456